Chapter 2 - Understanding Identity and Access Management
Kerberos
Kerberos is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms. Kerberos provides mutual authentication that can help prevent man-in-the-middle attacks and uses tickets to help prevent replay attacks. Kerberos includes several requirements for it to work properly. They are:
• *A method of issuing tickets used for authentication.* The Key Distribution Center (*KDC*) uses a complex process of issuing ticket-granting tickets (*TGTs*) and other tickets. The KDC (or TGT server) packages user credentials within a ticket. Tickets provide authentication for users when they access resources such as files on a file server. These tickets are sometimes referred to as tokens, but they are logical tokens, not a key fob type of token.
• *Time synchronization.* Kerberos version 5 requires all systems to be synchronized and within five minutes of each other. The clock that provides the time synchronization is used to timestamp tickets, ensuring they expire correctly. This helps prevent replay attacks. In a replay attack, a third party attempts to impersonate a client after intercepting data captured in a session. However, if an attacker intercepts a ticket, the timestamp limits the amount of time an attacker can use the ticket.
• *A database of subjects or users.* In a Microsoft environment, this is Active Directory, but it could be any database of users.
When a user logs on with Kerberos, the KDC issues the user a ticket-granting ticket, which typically has a lifetime of 10 hours to be useful for a single workday. When the user tries to access a resource, the ticket-granting ticket is presented as authentication, and the user is issued a ticket for the resource. However, the ticket expires if users stay logged on for an extended period, such as longer than 10 hours. This prevents them from accessing network resources.
In this case, users may be prompted to provide a password to renew the ticket-granting ticket, or they might need to log off and back on to generate a new ticket-granting ticket. Additionally, Kerberos uses symmetric-key cryptography to prevent unauthorized disclosure and to ensure confidentiality.
Remember This - Kerberos
Kerberos is a network authentication protocol within a Microsoft Windows Active Directory domain or a Unix realm. It uses a database of objects such as Active Directory and a KDC (or TGT server) to issue timestamped tickets that expire after a certain time period.
Disablement Policy
Many organizations have a disablement policy that specifies how to manage accounts in different situations. For example, most organizations require administrators to disable user accounts as soon as possible when employees leave the organization. Additionally, it's common to disable default accounts (such as the Guest account mentioned previously) to prevent them from being used. Some contents of an account disablement policy include:
• Terminated employee. An account disablement policy specifies that accounts for ex-employees are disabled as soon as possible. This ensures a terminated employee doesn't become a disgruntled ex-employee who wreaks havoc on the network. Note that "terminated" refers to both employees who resign and employees who are fired.
• Leave of absence. If an employee will be absent for an extended period, the account should be disabled while the employee is away. Organizations define extended period differently, with some organizations defining it as only two weeks, whereas other organizations extend it out to as long as two months.
• Delete account. When the organization determines the account is no longer needed, administrators delete it. For example, the policy may direct administrators to delete accounts that have been inactive for 60 or 90 days.
Remember This - Password Policy
Password policies include several elements. The password history is used with the minimum password age to prevent users from changing their password to a previously used password. Maximum password age causes passwords to expire and requires users to change their passwords periodically. Minimum password length specifies the minimum number of characters in the password. Password complexity increases the key space, or complexity, of a password by requiring more character types.
Credentials
Refer to both a claimed identity and an authentication mechanism.
Something you have authentication factor
Refers to something you can physically hold. This section covers many of the common items in this factor, including smart cards, Common Access Cards (CAC), and hardware tokens. It also covers two open source protocols used with both hardware and software tokens.
Personal Identity Verification
Specialized type of smart card used by U.S. federal agencies. It also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users, just as a CAC does.
Mandatory Access Control
The mandatory access control (MAC) model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access.
Dual-Factor and Multifactor Authentication
*Dual-factor authentication* (sometimes called two-factor authentication) uses two different factors of authentication, such as something you have and something you know. Dual-factor authentication often uses a smart card and a PIN, a USB token and a PIN, or combines a smart card or hardware token with a password. *Multifactor authentication* uses two or more factors of authentication. It's worth noting that using two methods of authentication in the same factor is not dual-factor authentication. For example, requiring users to enter a password and a PIN (both in the something you know factor) is single-factor authentication, not dual-factor authentication. Similarly, using a thumbprint and a retina scan is not dual-factor authentication because both methods are in the something you are factor. (Note that technically you can call an authentication system using two different factors either dual-factor authentication or multifactor authentication. Multifactor authentication indicates multiple factors, and multiple is simply more than one.)
SSO and Transitive Trusts
A *transitive trust* creates an indirect trust relationship. Within an LDAP-based network, domains use transitive trusts for SSO.
Password Complexity
A strong password is of sufficient length, doesn't include words found in a dictionary or any part of a user's name, and combines at least three of the four following character types:
• Uppercase characters (26 letters A-Z)
• Lowercase characters (26 letters a-z)
• Numbers (10 numbers 0-9)
• Special characters (32 printable characters, such as !, $, and *)
token (or key fob)
A token or key fob (sometimes simply called a fob) is an electronic device about the size of a remote key for a car. You can easily carry them in a pocket or purse, or connect them to a key chain. They include a liquid crystal display (LCD) that displays a number, and this number changes periodically, such as every 60 seconds. They are sometimes called hardware tokens to differentiate them from logical, or software tokens.
Access Control Models
Access control ensures that only authenticated and authorized entities can access resources.
• *Subjects.* Subjects are typically users or groups that access an object. Occasionally, the subject may be a service that is using a service account to access an object.
• *Objects.* Objects are items such as files, folders, shares, and printers that subjects access. For example, users access files and printers.
The access control model helps determine how a system grants authorization to objects. Or, said another way, the access control model determines how a system grants users access to files and other resources.
Authorization
Access resources based on their proven identity.
Account management
Account management is concerned with the creation, management, disablement, and termination of accounts. When the account is active, access control methods are used to control what the user can do. Additionally, administrators use access controls to control when and where users can log on.
Accounting
Accounting methods track user activity and record the activity in logs. As an example, audit logs track activity and administrators use these to create an audit trail.
Account Maintenance
Administrators routinely perform account maintenance. This is often done with scripts to automate the processes.
Audit Trail
Allows security professionals to re-create the events that preceded a security incident.
Attribute-Based Access Control
An attribute-based access control (ABAC) evaluates attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses policies to evaluate attributes and grant access when the system detects a match in the policy.
HMAC-based One-Time Password (HOTP)
An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. The algorithm combines a secret key and an incrementing counter, and uses HMAC to create a hash of the result. It then converts the result into an HOTP value of six to eight digits.
Authentication Factors
Authentication is often simplified as types, or factors, of authentication. The factors are:
• Something you know, such as a password or personal identification number (PIN)
• Something you have, such as a smart card or USB token
• Something you are, such as a fingerprint or other biometric identification
• Somewhere you are, such as your location using geolocation technologies
• Something you do, such as gestures on a touch screen
Remember This - Resetting Passwords
Before resetting passwords for users, it's important to verify the user's identity. When resetting passwords manually, it's best to create a temporary password that expires upon first use.
Remember This - Complex passwords
Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum password length of at least 14 characters.
Smart cards
Credit card-sized cards that have an embedded microchip and a certificate. Requirements for a smart card are:
• Embedded certificate. The embedded certificate holds a user's private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others). The private key is used each time the user logs on to a network.
• Public Key Infrastructure (PKI). Chapter 10 covers PKI in more depth, but in short, the PKI supports issuing and managing certificates.
Group Policy
Group Policy allows an administrator to configure a setting once in a Group Policy Object (GPO) and apply this setting to many users and computers within the domain.
Remember This - Group Policy
Group Policy is implemented on a domain controller within a domain. Administrators use it to create password policies, implement security settings, configure host-based firewalls, and much more.
Remember This - HOTP and TOTP
HOTP and TOTP are both open source standards used to create one-time use passwords. HOTP creates a one-time use password that does not expire. TOTP creates a one-time password that expires after 30 seconds. Both can be used as software tokens for authentication.
Hash-based Message Authentication Code (HMAC)
Hash-based Message Authentication Code (HMAC) uses a hash function and cryptographic key for many different cryptographic functions.
Discretionary Access Control (DAC)
In the discretionary access control (DAC) model, every object (such as files and folders) has an owner, and the owner establishes access for the objects. Many operating systems, such as Windows and most Unix-based systems, use the DAC model.
Biometric Errors
It is possible for a biometric manufacturer to take shortcuts and not implement a biometric system correctly, resulting in false readings. Two biometric false readings are:
• *False acceptance.* This is when a biometric system incorrectly identifies an unauthorized user as an authorized user. The false acceptance rate (FAR, also known as a false match rate) identifies the percentage of times false acceptance occurs.
• *False rejection.* This is when a biometric system incorrectly rejects an authorized user. The false rejection rate (FRR, also known as a false nonmatch rate) identifies the percentage of times false rejections occur.
SAML and Authorization
It's important to realize that the primary purpose of SSO is for identification and authentication of users. Users claim an identity and prove that identity with credentials. SSO does not provide authorization. However, many federation SSO systems, including SAML, include the ability to transfer authorization data between their systems. In other words, it's possible to use SAML for single sign-on authentication and for authorization.
Expiring Accounts and Recertification
It's possible to set user accounts to expire automatically. When the account expires, the system disables it, and the user is no longer able to log on using the account. It's common to configure temporary accounts to expire. For example, an organization may hire contractors for a 90-day period to perform a specific job. An administrator creates accounts for the contractors and sets them to expire in 90 days. This automatically disables the accounts at the end of the contract.
LDAPS
LDAP Secure (LDAPS) uses encryption to protect LDAP transmissions. When a client connects with a server using LDAPS, the two systems establish a Transport Layer Security (TLS) session before transmitting any data. TLS encrypts the data before transmission.
Remember This - LDAP and LDAPS
LDAP is based on an earlier version of X.500. Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes such as CN=Users and DC=GetCertifiedGetAhead. LDAPS encrypts transmissions with TLS.
Remember this - Least Privilege
Least privilege is a technical control. It specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions. The principle of need to know is similar to the principle of least privilege in that users are granted access only to the data and information that they need to know for their job. Notice that need to know is focused on data and information, which is typically protected with permissions. In contrast, the principle of least privilege includes both rights and permissions. Rights refer to actions and include actions such as the right to change the system time, the right to install an application, or the right to join a computer to a domain. Permissions typically refer to permissions on files, such as read, write, modify, read & execute, and full control.
LDAP
Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories. Windows domains use Active Directory, which is based on LDAP. Active Directory is a directory of objects (such as users, computers, and groups), and it provides a single location for object management. Queries to Active Directory use the LDAP format. Similarly, Unix realms use LDAP to identify objects.
Location-based policies
Location-based policies restrict access based on the location of the user. For example, geolocation technologies can often detect a location using the IP address, and block any traffic from unacceptable addresses, such as from foreign countries.
NTLM
New Technology LAN Manager (NTLM) is a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems. At their most basic, they use a Message Digest hashing algorithm to challenge users and check their credentials. There are three versions of NTLM:
• *NTLM* is a simple MD4 hash of a user's password. MD4 has been cracked, and neither NTLM nor MD4 is recommended for use today.
• *NTLMv2* is a challenge-response authentication protocol. When a user attempts to log on, NTLMv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain name (or computer name), the user's password, the current time, and more. To create the HMAC-MD5 message authentication code, the process starts with the MD5 hash of the user's password, which is then encrypted.
• *NTLM2 Session* improves NTLMv2 by adding in mutual authentication. In other words, the client authenticates with the server, and the server also authenticates with the client.
Developers should use the Negotiate security package within their applications. This security package selects the most secure security protocols available between the systems. It first tries to use Kerberos if it is available. If not, it uses either NTLMv2 or NTLM2 Session depending on the capabilities of the systems involved in the session.
OAuth
OAuth is an open standard for authorization many companies use to provide secure access to protected resources. Instead of creating a different account for each web site you access, you can often use the same account that you've created with Google, Facebook, PayPal, Microsoft, or Twitter. Example: Developers configure their web site to exchange application programming interface (API) calls between it and PayPal servers. Now, when customers make a purchase, they log on with their PayPal account and make their purchase through PayPal. OAuth transfers data between PayPal and the Try-N-Save site so that the department store receives the money and knows what to ship to the customer. A benefit for the customers is that they don't have to create another account for Try-N-Save.
Identification
Occurs when users claim (or profess) their identity with identifiers such as usernames or email addresses.
OpenID Connect
OpenID Connect works with OAuth 2.0 and it allows clients to verify the identity of end users without managing their credentials. In this context, the client is typically a web site or application that needs to authenticate users. OpenID Connect provides identification services, without requiring the application to handle the credentials. It also streamlines the user experience for users. For example, Skyscanner is an application for finding flights, hotels, and car rentals. It allows users to sign in using their Facebook credentials. After doing so, Skyscanner provides a more personalized experience for the users.
Role-Based Access Control (Role-BAC)
Role-based access control (role-BAC) uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions. An administrator creates the roles and then assigns specific rights and permissions to the roles (instead of to the users). When an administrator adds a user to a role, the user has all the rights and permissions of that role. An example of the role-BAC model is Microsoft Project Server.
Rule-Based Access Control (rule-BAC)
Rule-based access control (rule-BAC) uses rules. The most common example is with rules in routers or firewalls. However, more advanced implementations cause rules to trigger within applications, too.
Remember This - SAML
SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.
SSO and SAML
Security Assertion Markup Language (*SAML*) is an Extensible Markup Language (*XML*)-based data format used for SSO on web browsers. Imagine two web sites hosted by two different organizations. Users authenticate with one web site and are not required to authenticate again when accessing the second web site. Many web-based portals use SAML for SSO. The user logs on to the portal once, and the portal then passes proof of the user's authentication to back-end systems. SAML defines three roles:
• *Principal.* This is typically a user. The user logs on once. If necessary, the principal requests an identity from the identity provider.
• *Identity provider.* An identity provider creates, maintains, and manages identity information for principals.
• *Service provider.* A service provider is an entity that provides services to principals. For example, a service provider could host one or more web sites accessible through a web-based portal. When a principal tries to access a resource, the service provider redirects the principal to obtain an identity first.
This process sends several XML-based messages between the systems. However, it is usually transparent to the user.
Shibboleth
Shibboleth is one of the federated identity solutions mentioned specifically in the CompTIA Security+ exam objectives. It is open source and freely available, making it a more affordable solution than some of the commercially available federated identity solutions. It also includes Open SAML libraries written in C++ and Java, making it easier for developers to expand its usefulness.
Single Sign-On
Single sign-on (SSO) refers to the ability of a user to log on or access multiple systems by providing credentials only once. SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down. SSO requires strong authentication to be effective. If users create weak passwords, attackers might be able to guess them, giving them access to multiple systems. Some people debate that SSO adds in risks because if an attacker can gain the user's credentials, it gives the attacker access to multiple systems. In a network with SSO capabilities, the user only needs to log on to the network once. The SSO system typically creates some type of SSO secure token used during the entire logon session. Each time the user accesses a network resource, the SSO system uses this secure token for authentication. Kerberos and LDAP both include SSO capabilities.
Remember This - Smart cards
Smart cards are often used with dual-factor authentication where users have something (the smart card) and know something (such as a password or PIN). Smart cards include embedded certificates used with digital signatures and encryption. CACs and PIVs are specialized smart cards that include photo identification. They are used to gain access into secure locations and to log on to computer systems.
SSO and a Federation
Some SSO systems can connect authentication mechanisms from different environments, such as different operating systems or different networks. One common method is with a federated identity management system, often integrated as a federated database. This federated database provides central authentication in a nonhomogeneous environment. A *federation* requires a federated identity management system that all members of the federation use. In the previous example, the members of the federation are the power plant and the school system. Members of the federation agree on a standard for federated identities and then exchange the information based on the standard. A federated identity links a user's credentials from different networks or operating systems, but the federation treats it as one identity.
Troubleshooting Authentication Issues
Some common authentication issues that can cause security problems have been mentioned in this section. As a summary, they are:
• *Weak passwords.* If users aren't forced to use strong, complex passwords, they probably won't, and their accounts will be vulnerable to attacks. A technical password policy ensures users implement strong passwords, don't reuse them, and change them regularly.
• *Forgotten passwords.* An organization needs to have a password recovery procedure in place to help users recover their passwords. If passwords are manually reset without verifying the identity of the user, it's possible for an attacker to trick someone into resetting the password.
• *Biometric errors.* Weak biometric systems with a high crossover error rate may have a high false match rate (also called a false acceptance rate) or a low nonmatch rate (also called a false rejection rate).
Common Access Card (CAC)
Specialized type of smart card used by the U.S. Department of Defense. In addition to including the capabilities of a smart card, it also includes a picture of the user and other readable information. Users can use the CAC as a form of photo identification to gain access into a secure location.
Labels and Lattice
The MAC model uses different levels of security to classify both the users and the data. These levels are defined in a lattice. The lattice can be a complex relationship between different ordered sets of labels. These labels define the boundaries for the security levels.
Least Privilege
The principle of least privilege is an example of a technical control implemented with access controls. Privileges are the rights and permissions assigned to authorized users. Least privilege specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.
Something You Do authentication Factor
The something you do authentication factor refers to actions you can take such as gestures on a touch screen. As an example, Microsoft Windows 10 supports picture passwords. Other examples of something you do include how you write or how you type.
Somewhere you are authentication factor
The somewhere you are authentication factor identifies a user's location. Geolocation is a group of technologies used to identify a user's location and is the most common method used in this factor. Many authentication systems use the Internet Protocol (IP) address for geolocation. The IP address provides information on the country, region, state, city, and sometimes even the zip code.
Remember this - Authentication Factors
The third factor of authentication (something you are, defined with biometrics) is the strongest individual method of authentication because it is the most difficult for an attacker to falsify. Biometric methods include fingerprints, retina scans, iris scans, voice recognition, and facial recognition. Iris and retina scans are the strongest biometric methods mentioned in this section, though iris scans are used more than retina scans due to the privacy issues and the scanning requirements. Facial recognition is the most flexible, and when using alternate lighting (such as infrared), it might become the most popular. The crossover error rate (CER) measures the accuracy of a system, and lower CERs are better.
Recovering Accounts
The two primary account recovery scenarios are:
• Enable a disabled account. Administrators can reset the user's password and take control of the account. Similarly, they can pass control of the account to someone else, such as a supervisor or manager of an ex-employee. Administrators reset the user's password, set it to expire on first use, and then give the password to the other person.
• Recover a deleted account. It is also possible to recover a deleted account. This is more complex than simply creating another account with the same name. Instead, administrators follow detailed procedures to recover the account.
Biometric Methods
There are multiple types of biometrics, including:
• *Fingerprint scanner.* Many laptop computers include fingerprint scanners or fingerprint readers, and they are also common on tablet devices and smartphones. Similarly, some USB flash drives include a fingerprint scanner. They can store multiple fingerprints of three or four people to share access to the same USB drive. Law enforcement agencies have used fingerprints for decades, but they use them for identification, not biometric authentication.
• *Retina scanner.* Retina scanners scan the retina of one or both eyes and use the pattern of blood vessels at the back of the eye for recognition. Some people object to the use of these scanners for authentication because they can identify medical issues, and because you typically need to have physical contact with the scanner.
• *Iris scanner.* Iris scanners use camera technologies to capture the patterns of the iris around the pupil for recognition. They are used in many passport-free border crossings around the world. They can take pictures from about 3 to 10 inches away, avoiding physical contact.
• *Voice recognition.* Voice recognition methods identify who is speaking using speech recognition methods to identify different acoustic features. One person's voice varies from another person's voice due to differences in their mouth and throat, and behavioral patterns that affect their speaking style. As an example, Apple's Siri supports voice recognition. After setting it up, Siri will only respond to the owner's voice. Unfortunately, that does prevent the old party trick of yelling out "Hey Siri" at a party where multiple people have iPhones.
• *Facial recognition.* Facial recognition systems identify people based on facial features. This includes the size of their face compared with the rest of their body, and the size, shape, and position of their eyes, nose, mouth, cheekbones, and jaw.
A drawback with this is that it is sometimes negatively affected by changes in lighting. Microsoft Windows systems support Windows Hello facial recognition services. To avoid the challenges from normal lighting, it uses infrared (IR) and can operate in diverse lighting conditions.
Time-of-day restrictions
Time-of-day restrictions specify when users can log on to a computer. If a user tries to log on to the network outside the restricted time, the system denies access to the user.
Authentication
Users prove their identity with authentication, such as with a password.
Something you are authentication factor
Uses biometrics for authentication. Biometric methods are the strongest form of authentication because they are the most difficult for an attacker to falsify. In comparison, passwords are the weakest form of authentication.
Remember This - Multifactor Authentication
Using two or more methods in the same factor of authentication (such as a PIN and a password) is single-factor authentication. Dual-factor (or two-factor) authentication uses two different factors, such as using a hardware token and a PIN. Multifactor authentication uses two or more factors.
Account Types
When managing accounts, it's important to recognize the common types of accounts used within a network. They are:
• *End user accounts.* Most accounts are for regular users. Administrators create these accounts and then assign appropriate privileges based on the user's job responsibilities. Microsoft refers to this as a *Standard user account*.
• *Privileged accounts.* A privileged account has additional rights and privileges beyond what a regular user has. As an example, someone with administrator privileges on a Windows computer has full and complete control over the Windows computer.
• *Guest accounts.* Windows operating systems include a Guest account. These are useful if you want to grant someone limited access to a computer or network without creating a new account. For example, imagine an organization contracts with a temp agency to have someone do data entry. It's possible that the agency sends a different person every day. Enabling the Guest account for this person would be simpler than creating a new account every day. Administrators commonly disable the Guest account and only enable it in special situations.
• *Service accounts.* Some applications and services need to run under the context of an account, and a service account fills this need. As an example, SQL Server is a database application that runs on a server, and it needs access to resources on the server and the network. Administrators create a regular user account, name it something like sqlservice, assign it appropriate privileges, and configure SQL Server to use this account. Note that this is like a regular end-user account. The only difference is that it's only used by the service or application, not an end user.
LDAP transitive trust used for SSO
There is a two-way trust between the parent domain (GetCertifiedGetAhead.com) and the child domain (Training.GetCertifiedGetAhead.com). The parent trusts the child, and the child trusts the parent. Similarly, there is a two-way trust between the parent domain and the Blogs child domain. The transitive relationship creates a two-way trust between the Training and Blogs child domains. With the transitive trust, it's possible to grant Homer access to the Costington server without creating another trust relationship directly between the Training and Blogs domains. Without a trust relationship, you'd have to create another account for Homer in the Blogs domain before you could grant him access. Additionally, Homer would need to manage the second account's password separately. However, with the transitive trust relationships, the network supports SSO, so Homer only needs a single account.
Something you know authentication factor
Typically refers to a shared secret, such as a password or even a PIN. This factor is the least secure form of authentication. However, you can increase the security of a password by following some simple guidelines.