Reading 1: Controlling Access

Not everyone gets a key.

The OS as Security System

Security is not a feature that gets bolted onto an operating system after the fact. It is woven into the OS's fundamental responsibilities. The OS controls access to files, memory, devices, and CPU time. It decides which processes can do what. It mediates every interaction between software and hardware. That central position makes it both the natural first line of defense and, when it fails, the most dangerous point of failure.

OS security threats come from two directions: outside the system (unauthorized users trying to gain access) and inside it (authorized users — or processes running under their accounts — trying to exceed their permitted privileges). This reading focuses on outside threats. Reading 2 addresses what happens once someone is inside.

Three Things Worth Protecting: The CIA Triad

Before diving into the specific mechanisms the OS uses, it helps to have a framework for thinking about what security is actually trying to protect. Information security professionals organize this around three properties, collectively called the CIA triad:

In a school context: Consider a district's student information system. Confidentiality means only authorized staff can view student records — not other students, not the general public. Integrity means grades and attendance data cannot be altered by anyone who shouldn't be changing them — including a student trying to improve their own record. Availability means the system is actually up and working when a teacher needs to take attendance or a counselor needs to pull a transcript. All three matter; protecting one while neglecting the others is not real security.

The mechanisms described in this reading — accounts, passwords, administrator privileges, auditing software, and MFA — are primarily confidentiality controls: they determine who gets in. Reading 2's discussion of privilege levels and memory bounds enforcement addresses integrity: it limits what an authorized (or malicious) process can do once inside. Availability becomes especially relevant in Week 4 when we examine denial of service attacks, which aim specifically at making systems unreachable.

Keeping the CIA triad in mind as you work through these two readings will help you see each security mechanism not just as a technical detail, but as a response to a specific kind of threat.

Accounts and the Login Procedure

On any computer used by more than one person — a school lab, a shared family computer, a university server — the OS maintains a set of accounts. Each account is a record that stores, at minimum:

When a user starts a session, they go through the login procedure: a sequence of transactions in which they establish contact with the OS by providing their credentials. The OS checks the supplied username and password against its account records. If they match, the session begins and the user gains access to whatever privileges their account specifies. If they do not match, access is denied.

This sounds straightforward. In practice, the security of the entire system rests on the integrity of this process. If an attacker can get past the login procedure — by guessing a password, exploiting a flaw in the login software, or tricking a user into handing over their credentials — everything the system is protecting becomes accessible.

The Administrator: Special Privileges, Special Responsibility

Not all accounts are equal. One account — the administrator (also called the super user on Unix-based systems) — has elevated privileges that ordinary user accounts do not. An administrator can:

The administrator account exists because someone has to be able to manage the system. But it also represents the highest-value target for an attacker. Gaining access to the administrator account means gaining unrestricted access to everything. This is why the administrator password is treated as especially sensitive, and why most security guidance recommends that everyday computing be done from a standard (non-administrator) account — limiting the damage that can be done if the account is compromised.

In a school context: When your school's IT department sets up classroom computers so that students cannot install software, change system settings, or access other students' files, they are configuring account privileges. The IT staff hold administrator accounts. Student accounts have restricted privileges. This is the OS's account system doing exactly what it was designed to do.

Auditing Software: Watching for Trouble

The OS can be augmented with auditing software — utilities that record and analyze system activity to detect suspicious behavior. Auditing software can flag:

A classic sniffing attack involves a program that mimics the OS's own login screen. A user sits down at a terminal, sees what looks like the normal login prompt, types their username and password — and hands them directly to an attacker. The fake login then displays an error message and quits, leaving the real login screen to appear. The user assumes they mistyped something and logs in normally. They never know their credentials were stolen.

The Human Problem: Passwords

Despite the sophistication of OS security features, one of the most persistent vulnerabilities is human behavior around passwords. The technical complexity of a system can be completely undermined by a user who chooses password123 as their password or writes their credentials on a sticky note attached to their monitor.

Common password mistakes include:

What Makes a Password Strong?

A strong password is one that resists two attack strategies: guessing (trying likely passwords based on knowledge of the user) and brute force (systematically trying every possible combination). Modern automated attack software can try billions of password combinations per second, which means short passwords — even "random-looking" ones — can be cracked quickly.

The most effective defense against brute force is length. A longer password exponentially increases the number of combinations an attacker must try. A password made of four random common words (a "passphrase") can be both easier to remember and harder to crack than a short string of random characters.

Beyond length, strong passwords avoid dictionary words used alone, use a mix of character types (uppercase, lowercase, digits, symbols), and are unique to each account. The challenge, of course, is that humans are not good at generating or remembering many such passwords — which is why password managers (software that generates and securely stores complex passwords) are now widely recommended.

A memorable example: One computer science textbook describes a house-sitting scenario involving feeding dog biscuits to feral raccoons and applying mayonnaise to houseplant leaves to make them shiny. The resulting password Racc00nTreat&May0Sh1n3 was easy to remember (it told a story) but hard to guess. The principle: a password derived from a vivid, specific, personal narrative can be both memorable and secure.

Password Policies in Institutions

Most organizations with significant computer infrastructure enforce password policies: minimum length requirements, complexity rules, mandatory periodic changes, and prohibition of password reuse. Schools are no exception — if your district has a policy requiring you to change your password every 90 days and forbidding you from reusing your last five passwords, that policy exists because human nature, left to itself, tends toward convenience over security.

Multi-Factor Authentication

A password alone is a single point of failure. If it is guessed, stolen, or leaked, the account is compromised. Multi-factor authentication (MFA) addresses this by requiring more than one piece of evidence before granting access.

Authentication factors fall into three categories:

Factor Type What It Is Examples
Something you know Knowledge that only the legitimate user should have Password, PIN, security question answer
Something you have A physical object in the user's possession Smartphone (for a texted code), hardware security key, ATM card
Something you are A biometric characteristic unique to the user Fingerprint, face recognition, retinal scan, voice pattern

The most common form of MFA in everyday use is two-factor authentication (2FA): a password (something you know) plus a one-time code sent to a smartphone (something you have). Even if an attacker obtains the password, they cannot log in without also having physical access to the user's phone.

MFA is not foolproof. Attackers have found ways to intercept texted codes, trick users into approving fraudulent login attempts, or social-engineer customer service representatives into changing account phone numbers. But MFA dramatically raises the difficulty of unauthorized access, and its adoption has significantly reduced account compromise rates even when passwords are leaked.

For K–12 teachers: If your school or district uses Google Workspace or Microsoft 365, you may already use MFA every time you log in from a new device. The "check your phone for an approval request" step is exactly the "something you have" factor in action. It is worth explaining this to students — many use it daily without knowing what it is or why it exists.

What Comes Next

Controlling who gets into the system is essential, but it is not sufficient. Once someone is inside — whether a legitimate user, a compromised account, or a malicious process — the OS must still enforce boundaries on what they can do. Reading 2 examines how the OS and CPU work together to contain processes within their permitted boundaries, and what happens when those boundaries are breached.