MODULE G Perform User Account Management


Date of transaction

(YYYYMMDD).

CIA

Confidentiality, Integrity, Availability

Phone

4. Defense Switched Network (DSN) or commercial: DSN (ex. 780-xxxx); Fort Gordon commercial (706-791-xxxx).

Official E-Mail Address

5. [email protected] [email protected]

Job Title and Grade/Rank

6. Information Technology (IT) Specialist / E-3 / PFC

Citizenship

8. United States Citizen (US), Foreign National (FN), or Other.

Domains:

A collection of objects within a Microsoft Active Directory network

User ID

Provide correct Electronic Data Interchange Personal Identifier (EDIPI) + Personal Identity Verification (PIV).

Schema

Rules that govern the structure of the directory and the data it stores.

9. How do we make sure we are representing the military right online?

Be aware of what we post, and don't speak for the military.

Implement access rights management software

Being careful prevents misuse of broad access and privileges. An access rights management tool can be beneficial to ensure user accounts are set up and managed with appropriate permissions and access.

3. What are examples of Controlled Unclassified Information (CUI)?

CUI includes Personally Identifiable Information (PII), Protected Health Information (PHI), personal information, proprietary data, and operational information.

Active Directory Facts

A database and set of services that connect users to a domain network. Simplifies life for administrators while adding security to networks. A specialized software tool installed on a server, used for domain management. Enables administrators to manage permissions and control access to network resources. Can be installed as part of the Remote Server Administration Tools (RSAT).

Remove unnecessary rights.

Denying nonessential user rights is helpful to keep security measures strong. This includes "deny access to this computer from the network," "deny logon locally," and "deny logon as a batch job."

Create service accounts from scratch.

Don't create service accounts in Active Directory by copying old ones, as you might accidentally be copying from a service account with much higher privileges than you need. This could lead to security issues and account misuse if you give someone an account with access to resources or information they shouldn't be privy to.

What does Cyber Awareness Training provide?

The course provides an overview of current cybersecurity threats and best practices to keep information and information systems secure both at home and at work.

What is the use of the DD Form 2875?

The purpose of the DD Form 2875 is to request access to a government system.

How many parts are there in an Army IT User Access Agreement?

Three

Set access by using the "Log On To" feature.

When you create a service account, you can allow it to only log on to certain machines to protect sensitive data. Open Active Directory Users and Computers, then "Properties." In the "Account" tab, click the "Log On To" button and add the computers to the list of permitted devices the service account can log on to.

Active Directory (AD)

is a database and set of services that connects users with the network resources they need. The database (or directory) contains critical information about your environment, including what users and computers there are and who's allowed to do what. For example, the database might list 100 user accounts with details like each person's job title, phone number and password. It will also record their permissions. AD controls much of the activity that goes on in your IT environment. In particular, it makes sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and allows them to access only the data they're allowed to use (authorization).

Supervisor Organization/Department

20a. Supervisor's Email Address; 20b. Phone Number

Signature of Information Owner/OPR

21. Signature of the functional appointee responsible for approving access to the system being requested (i.e., Information Assurance Officer); 21a. Phone Number; 21b. Date (YYYYMMDD)

Signature of IA or Appointee

22. Information Assurance Officer - verifies completed training. Appointee - Contractor IA. Signature of the functional appointee responsible for approving access to the system being requested.

Organization/Department

23.

Phone Number

24.

Security Manager Signature

25.

Date (YYYYMMDD)

26.

Office Symbol

3. Identifies the originators of correspondence and electronically transmitted messages within the Department of the Army (DA), and denotes the placement of an organization within the Army structure for historical and records purposes (ex. ATZH-DT). See Army Regulation 25-59.

Official Mailing Address

7. 710 Chamberlain Ave, Bldg. 24801, Dixon Hall, Fort Gordon, GA 30815.

Designation of Person

9. Military. Civilian - A Department of Defense (DOD) civilian does not serve in the military but is instead appointed to the federal civil service. DOD civilians work for the military departments (i.e., Army, Navy, and Air Force) as well as other defense agencies and field activities (e.g., Defense Health Agency). Contractor - any person who enters a contract with the federal government of the United States to produce material or to perform services for national defense.

Containers

A container is similar to an OU; however, unlike an OU, it is not possible to link a Group Policy Object (GPO) to a generic Active Directory container.

Active Directory Benefits

A hierarchical structure that keeps track of information about networked items. Active Directory Domain Services (AD DS) maintains user account information (names, passwords, phone numbers, and so on) and makes it available to other authorized users on the same network. Active Directory saves information about network objects and makes it easier for administrators and users to find that information. It organizes directory information logically and hierarchically using a structured data set.

Organizational Units (OU)

A subdivision within AD in which you can place users, groups, and computers. Recommended level to apply group policy.

Part I ACKNOWLEDGEMENT AND CONSENT

Acknowledgement. By signing the user agreement, the user acknowledges and consents that when they access Department of Defense (DoD) information systems they are accessing a U.S. Government (USG) information system. Consent. You consent to the following conditions: The U.S. Government routinely intercepts and monitors communications on this information system for purposes including, but not limited to: penetration testing, Communications Security (COMSEC) monitoring, network operations and defense, Personnel Misconduct (PM), Law Enforcement (LE), and Counterintelligence (CI) investigations. *(One of a and b (1-8) see attached agreement).

Part III Acknowledgement with Signature

Acknowledgement. I have read, understand, and agree to abide by the responsibilities and requirements for IT usage and information handling in accordance with this agreement. I have read, understand, and agree to the notice of privacy rights, and consent to monitoring and searches in accordance with this agreement. I have read, understand, and accept that violations of my responsibilities, unacceptable use of IT, or mishandling of information may be punishable by administrative or judicial sanctions, may result in revocation or suspension of authorized access, may require remedial training in order to regain access, or may negatively influence adjudication decisions of security clearances.

The Built-in Administrators (BA) group

The Built-in Administrators (BA) group is a domain local group in a domain's Built-in container. DAs and EAs are nested in it. It is granted many of the direct rights and permissions in the directory and on domain controllers. Membership in domain-joined computers' local Administrators group is where local privilege is granted; DAs are members of all domain-joined computers' local Administrators groups by default. Note: the Administrators group for a domain does not have any privileges on member servers or on workstations.

Two-Person Control

Also called dual control, two-person control calls for two people to separately approve the completion of a sensitive business function. Students preparing for exams often confuse the concepts of two-person control and separation of duties. Two-person control requires two people to concur to perform a single action. Separation of duties requires that a single person not have the ability to perform two separate actions which, when combined, might pose a business risk.

7. What is an insider threat?

An insider threat is a security risk that originates from within the targeted organization. It typically involves a current or former employee or business associate who has access to sensitive information or privileged accounts within the network of an organization, and who misuses this access.

Domain Admins

Each domain in a forest has its own Domain Admins (DA) group, which is a member of that domain's Built-in Administrators group as well as a member of the local Administrators group on every computer that is joined to the domain. The only default member of the DA group for a domain is the Built-in Administrator account for that domain. DAs are all-powerful within their domains, while EAs have forest-wide privilege. In a properly designed and implemented delegation model, DA membership should be required only in "break glass" scenarios, which are situations in which an account with high levels of privilege on every computer in the domain is needed, or when certain domain-wide changes must be made. Although native Active Directory delegation mechanisms do allow delegation to the extent that it is possible to use DA accounts only in emergency scenarios, constructing an effective delegation model can be time consuming, and many organizations use third-party applications to expedite the process.

Keep access limited.

Ensure you only allocate AD service accounts the minimum privileges they require for the tasks they need to carry out, and don't give them any more access than is necessary. In many cases you can remove the functionality for remote access, terminal service login, internet access, and remote-control rights.

2. How do we mitigate spillage?

Label documents, secure documents and data, and classify them properly.

Limit time frames.

You can add extra security by configuring AD service accounts to be allowed to log on only at certain times of day.

5. What is malicious code?

Malicious code is unwanted files or programs that can cause harm to a computer or compromise data stored on a computer. Classifications of malicious code include viruses, worms, and Trojan horses.

Enterprise Access Management Service-Army (EAMS-A)

Provides Single Sign-On (SSO) for the Army. Manages access to secure Army sites by verifying a user's identity and permissions. All personnel issued a Common Access Card (CAC) are automatically provisioned in the EAMS-A enterprise directory, giving them SSO access to Army sites.

Least Privilege

The principle of least privilege says that an individual should be given the bare minimum access needed to perform their job functions.

What is the principle of Least Privilege?

The principle of least privilege says that an individual should be given the bare minimum access needed to perform their job functions. Consider a budget analyst who needs to review payroll information to complete a quarterly report. The analyst never needs to make any updates to the payroll data. That employee should have read-only privileges to payroll.

Separation Of Duties

The principle of separation of duties says that no user should have all the privileges necessary to complete a critical business function by themselves. Critical business functions should be divided into discrete tasks and the appropriate privilege granted to different users. By requiring the involvement of more than one employee, separation of duties helps prevent fraud and abuse.

What is the purpose of Cyber Awareness Training?

The purpose of the Cyber Awareness Challenge is to influence behavior, focusing on actions that authorized users can engage in to mitigate threats and vulnerabilities to DoD Information Systems.

10. What are examples of Phishing?

Suspicious e-mails and pop-ups.

What are the two types of Cryptographic algorithms?

Symmetric encryption and asymmetric encryption.

What is the difference between Symmetric and Asymmetric Encryption?

Symmetric encryption: uses a shared key to encrypt and decrypt a message. Asymmetric encryption: requires a public key to encrypt and a private key to decrypt.

What is the Army IT User Access Agreement used for?

The Army IT User Access Agreement is a requirement within the policy established in AR 25-2, Army Cybersecurity, and its proponent agency, the Office of the Army Chief Information Officer, to allow access to Department of Defense (DoD) information systems.

What is ATCTS purpose?

The Army Training and Certification Tracking System provides managers at all levels a capability to report and manage their IA Workforce and General User population training and certification statistics and a summary report of certification voucher distribution.

Common Access Card (CAC)

The CAC, a "smart" card about the size of a credit card, is the standard identification for active-duty uniformed Service personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to DoD computer networks and systems.

Enterprise Admins

The Enterprise Admins (EA) group is in the forest root domain. By default, it is a member of the Built-in Administrators group of every domain in that forest. The Built-in Administrator account in the forest root domain is the only default member of the EA group. EAs are granted rights and permissions that allow them to make forest-wide changes, that is, changes that affect all domains in the forest, such as adding or removing domains, establishing forest trusts, or raising forest functional levels. In a properly designed and implemented delegation model, EA membership is required only when first constructing the forest or when making certain forest-wide changes, such as establishing an outbound forest trust.

Forests

A collection of more than one domain tree, each having a different name or root.

System Name

Platform or Applications (i.e., Non-Secure Protocol Router (NIPR), Secure Internet Protocol Router (SIPR) etc.).

User Requires Access To:

15. Unclassified - NIPR (Non-Secure Protocol Router); Classified - SIPR (Secure Internet Protocol Router), JWICS (Joint Worldwide Intelligence Communications System); Other - other system access requests.

Verification of Need to Know

16. Supervisor checks this block. 16a. Access Expiration Date - block is for DOD contractors; contractors must specify Company Name, Contract Number, and Expiration Date.

Supervisor's Name

17.

Supervisor Signature (digital)

18.

Date - YYYYMMDD

19.

Organization

2. Ex. US Army Signal School

What does ATCTS stand for?

Army Training and Certification Tracking System

(SAAR)

DD 2875 System Authorization Access Request (SAAR)

Symmetric Encryption:

Use a shared key to encrypt and decrypt a message.

Justification for Access

13. Provide a detailed justification of the requestor's job description and what they require access for. Ex. "User requires access to conduct daily duties within the 1st BCT S3 section."

Type of Access Requested

14. Authorized - requestor is granted the applicable rights for the system requested. Privileged - requestor is granted limited access for the system requested.

Name

1. Last, First, Middle Initial

Top 10 Active Directory Service Accounts Best Practices

1. Keep access limited.
2. Create service accounts from scratch.
3. Don't put service accounts in built-in privileged groups.
4. Disallow service account access to important objects.
5. Remove unnecessary rights.
6. Set access by using the "Log On To" feature.
7. Limit time frames.
8. Control password configuration.
9. Enable auditing.
10. Implement access rights management software.

Information Assurance and Awareness Certification Requirements

10. The requestor must check the block to certify that the IA training was conducted, along with the date of training completion. Date (YYYYMMDD).

User Signature

11. Digital signature (signed with CAC) required.

Date

12. Date - (YYYYMMDD)

ATCTS

Army Training and Certification Tracking System (ATCTS)

SSL

stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser. An SSL certificate authenticates a website's identity, enabling the encrypted connection.

Enable auditing.

Enable auditing for all service accounts and related objects. Once enabled, regularly check the logs to see who's using the accounts, when, and for what purposes. Auditing is one of the most important of the best practices: it helps ensure security, verifies internal processes and compliance measures are being followed, and can discover any issues or breaches before too much time passes.

Global Catalog Server

Provides a searchable catalog of all objects in every domain of a multi-domain Active Directory Domain Services (AD DS) forest.

Trees

Group/collection of Domains.

What training is submitted with the DD Form 2875?

Information Assurance Training

SAAR Type of Requests

Initial - personnel's initial request for an account at the servicing unit or organization. Modification - request a change to an existing account (ex. request access to an additional DOD system). Deactivate - turn off user access.

Single Sign-On (SSO)

An authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. SSO works based upon a trust relationship set up between an application, known as the service provider, and an identity provider. An SSO token is a collection of data or information that is passed from one system to another during the SSO process. The data can simply be a user's email address and information about which system is sending the token. Tokens must be digitally signed so that the token receiver can verify that the token is coming from a trusted source. The certificate used for this digital signature is exchanged during the initial configuration process.

Who has access to ATCTS?

Military personnel, DoD Civilians and Contractors

4. What is the difference between PII and PHI?

PII is a catch-all term for any information that can be traced to an individual's identity; PHI applies specifically to HIPAA-covered entities that possess identifiable health information.

8. What information do you not want on your online accounts?

PII, location, and too much information about yourself that would make you a target.

How many parts are on a DD Form 2875? and what are they?

Part I (to be completed by the requestor); Part II (endorsement of access by Information Owner, user Supervisor, or Government Sponsor).

Name the parts of an Army IT User Access Agreement:

Part I - Acknowledgement and Consent; Part II - Information System Access; Part III - Acknowledgement with Signature.

Privileged User Account Security Concerns

Privileged users have additional access to corporate resources and IT systems. These accounts are open to abuse, mishaps, and exploitation, and are a type of insider threat. An over-privileged user account is a potential vulnerability in enterprise security. If 100 employees have administrator privileges, that's 100 potential targets for infiltrating the network through social engineering, phishing or other means. By limiting that access to employees who need it, your risk profile drops dramatically. There was a day when organizations would grant widespread privileges to any user inside the network, on the dual assumptions that firewalls, Virtual Private Networks (VPNs) and other safeguards could keep all potential bad actors out and that authorized users would not mistakenly or intentionally commit bad acts.

Don't put service accounts in built-in privileged groups.

Putting service accounts in groups with built-in privileges can be risky, because each person in the group will have access to the service account's credentials. If there's account misuse, it can be hard to figure out who the offender is. If you need a service account for a privileged group, create a new group with the same privileges and allow access only to the service account.

Asymmetric Encryption:

Requires a public key to encrypt and a private key to decrypt.

Define revocability as it pertains to the Army IT User Access Agreement:

Revocability: access to Army resources is a revocable privilege and is subject to content monitoring and security testing. If the user knowingly threatens or damages an Army Information System (IS) or communications system, or participates in unauthorized use of Army network(s), the user will have their network access suspended or terminated.

1. What is spillage?

A security incident that occurs whenever classified data is spilled either onto an unclassified information system or onto an information system with a lower level of classification or a different security category. Rationale: spillage encompasses this term.

Control password configuration.

Service accounts can be set so that the user cannot change their own password. You can also set them so the account can't be delegated to someone else. This ensures the administrator controls the password, and nobody other than authorized users has access to the account.

Schema Admins

The Schema Admins (SA) group is a universal group in the forest root domain. Like the EA group, it has the Built-in Administrator account as a default member. Membership in the SA group can allow an attacker to compromise the Active Directory schema, which is the framework for the entire Active Directory forest. SAs have few default rights and permissions beyond the schema, but carefully manage and monitor membership in the SA group. This group is "less privileged" than the three highest privileged groups described earlier because the scope of its privilege is very narrow: SAs have no administrative rights anywhere other than the schema.

EDIPI

is a Department of Defense identification number, a unique 10-digit number associated with personnel and their Common Access Card (CAC). Each record is registered in the U.S. Department of Defense's Defense Enrollment and Eligibility Reporting System (DEERS) database. The record in the DEERS database is a person plus personnel category (e.g., contractor, reservist, civilian, active duty).

Part II INFORMATION SYSTEM ACCESS

Understanding. The user understands that they have the primary responsibility to safeguard the information contained on the system being accessed from unauthorized or inadvertent modification, disclosure, destruction, denial of service, and use. Any use of Army Information Technology (IT) is made with the understanding that the user will have no expectation as to the privacy or confidentiality of any electronic communication, including minor incidental personal uses.

Access. DoD policy states that Federal Government communication systems and equipment (including Government owned telephones, facsimile machines, electronic mail, internet systems, and commercial systems), when use of such systems and equipment is paid for by the Federal Government, will be for official use and authorized purposes only. Official use includes emergency communications and communications necessary to carry out the business of the Federal Government. *(a. (1-4) see attached agreement).

Internet Access. Internet access is intended primarily for work related purposes.

3) Revocability. Access to Army resources is a revocable privilege and is subject to content monitoring and security testing. If the user knowingly threatens or damages an Army Information System (IS) or communications system (for example, hacking or inserting malicious code or viruses) or participates in unauthorized use of Army network(s), the user will have their network access suspended or terminated.

4) Secret Classified Information Processing. SIPRNet: The SIPRNet is the primary classified Information System (IS) for the Department of the Army. SIPRNet is a United States DoD system and approved to process SECRET collateral information. *see 15 for remaining content*

5) Unclassified Information Processing. The NIPRNet is the primary unclassified information system for

Disallow service account access to important objects.

Use an access control list to protect sensitive files, folders, groups, or registry objects from misuse by AD Service Accounts. To disallow access, go into an object and open the "Properties" window to access security permissions, add an account to the "Permission Entry" list, and set the status to "Deny." This will prevent the service account from accessing the object. If you need to give someone specific access to the object, you can add them, then switch them back to "Deny" later, when they've finished their task.

6. What can malicious code do?

Viruses can damage or destroy files on a computer system and are spread by sharing already infected removable media, opening malicious email attachments, and visiting malicious web pages.

What are the types of User Account?

Visitor/Guest User Account, Standard User Account, Privileged User Account.

Certification Authorities (CAs)

are responsible for creating digital certificates and own the policies, practices, and procedures for vetting recipients and issuing the certificates.

The Army Training and Certification Tracking System provides managers ___

at all levels a capability to report and manage their IA Workforce and General User population training and certification statistics, and a summary report of certification voucher distribution. The IA workforce consists of personnel with Information System privileged access (admin or root) working in IA functions: Technical, Management, Computer Network Defense Service Provider, and Architect and Engineer positions.
