Chapter 11


eXtensible Access Control Markup Language (XACML)

-An open standard XML-based language used to describe access control.

Layer 2 Tunneling Protocol (L2TP)

A Cisco switching protocol that operates at the data link layer.

Personal identity verification (PIV)

A U.S. government smart card that contains the credential data for the cardholder used to determine access to federal facilities and information systems.

Smart card

A card that can increase physical security because it can carry cryptographic tokens that are too long to remember and have too large a space to guess.

Group

A collection of users with some common criteria, such as a need for access to a particular dataset or group of applications.

Remote access server (RAS)

A combination of hardware and software used to enable remote access to a network.

Domain controller

A computer that responds to security authentication requests, such as logging into a computer, for a Windows domain.

Directory

A data storage mechanism similar to a database, but it has several distinct differences designed to provide efficient data-retrieval services compared to standard database mechanisms. A directory is designed and optimized for reading data, offering very fast search and retrieval operations.

Digital certificate

A digital file that is sent as an attachment to a message and is used to verify that the message did indeed come from the entity it claims to have come from.

Token

A hardware device that can be used in a challenge-response authentication process.

Access control list (ACL)

A list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has—what they can do to the object (such as read, write, or execute).

Access control matrix

A matrix that provides the simplest framework for illustrating a process.

False acceptance rate (FAR)

A measurement of the level of false positives that will be allowed in the system. Expressed as a probability, the false acceptance rate is the probability that the system incorrectly identifies a match between the biometric input and the stored template value. The FAR is calculated by counting the number of unauthorized accesses granted, divided by the total number of access attempts.

False rejection rate (FRR)

A measurement of the level of false negatives, or rejections, that will be allowed in the system. If an authorized user is rejected by the system, this is a false rejection.

Certificate

A method of establishing authenticity of specific objects such as an individual's public key or downloaded software.

Digest authentication

A method used to negotiate credentials across the Web. Digest authentication uses hash functions and a nonce to improve security over basic authentication.

Kerberos

A network authentication protocol designed by MIT for use in client/server environments.

Something you are

One of the categories of authentication factors. It specifically refers to biometrics, as the "you are" indicates. One of the challenges with something-you-are artifacts is that they are typically hard to change, so once assigned they become immutable. Another challenge with biometrics involves the issues associated with measuring things on a person.

Domain password policy

A password policy for a specific domain.

Key distribution center (KDC)

A portion of the Kerberos authentication system.

Ticket-granting server (TGS)

A portion of the Kerberos authentication system.

Remote Desktop Protocol (RDP)

A proprietary Microsoft protocol designed to provide a graphical connection to another computer.

Password Authentication Protocol (PAP)

A protocol that involves a two-way handshake in which the username and password are sent across the link in cleartext. PAP authentication does not provide any protection against playback and line sniffing. PAP is now a deprecated standard.

Challenge-Handshake Authentication Protocol (CHAP)

A protocol used to provide authentication across a point-to-point link using PPP. In this protocol, authentication after the link has been established is not mandatory.

Transitive trust

A relationship where the trust relationship extended to one domain will be extended to any other domain trusted by that domain.

Authentication server (AS)

A server used to perform authentication tasks.

Shibboleth

A service designed to enable single sign-on and federated identity-based authentication and authorization across networks.

Secure token

A service that is responsible for issuing, validating, renewing, and cancelling security tokens.

OpenID connect

A simple identity layer on top of the OAuth 2.0 protocol. OpenID Connect allows clients of all types (mobile, JavaScript, and web based clients) to request and receive information about authenticated sessions and end users.

Security Assertion Markup Language (SAML)

A single sign-on capability used for web applications to ensure user identities can be shared and are protected.

Common Access Card (CAC)

A smart card identification used by the U.S. Department of Defense (DoD) for active duty military, selected reserve personnel, DoD civilians, and eligible contractors. It is used for carrying the credential data, in the form of a certificate, for the cardholder used to determine access to Federal facilities and information systems.

Administrator

A superuser account under the Windows operating system.

User

A term that generally applies to any person accessing a computer system. In privilege management, a user is a single individual, such as "John Forthright" or "Sally Jenkins." This is generally the lowest level addressed by privilege management and the most common area for addressing access, rights, and capabilities.

Username

A unique alphanumeric identifier that a user will use to identify himself or herself when logging into or accessing the system.

Extensible Authentication Protocol (EAP)

A universal authentication framework defined by RFC 3748 that is frequently used in wireless networks and point-to-point connections. Although EAP is not limited to wireless and can be used for wired authentication, it is most often used in wireless LANs.

Superuser

Accounts that are not typically assigned to a specific individual and are restricted, accessed only when the full capabilities of that account are required.

Service accounts

Accounts that are used to run processes that do not require human intervention to start/stop/administer.

Generic accounts

Accounts without a named user behind them. These can be employed for special purposes, such as running services and batch processes, but because they cannot be attributed to an individual, they should not have login capability.

AAA

Acronym for authentication, authorization, and accounting (AAA). They are three common functions performed upon system login. Authentication and authorization almost always occur, with accounting being somewhat less common.

Remote Authentication Dial-In User Service (RADIUS)

An AAA protocol designed as a connectionless protocol that uses the User Datagram Protocol (UDP) as its transport layer protocol. Connection type issues, such as timeouts, are handled by the RADIUS application instead of the transport layer. RADIUS utilizes UDP port 1812 for authentication and authorization and UDP port 1813 for accounting functions.

Rule-based access control

An access control mechanism based on rules.

Discretionary access control (DAC)

An access control mechanism in which the owner of an object (such as a file) can decide which other subjects (such as other users) may have access to the object, and what access (read, write, execute) these objects can have.

Mandatory access control (MAC)

An access control mechanism in which the security mechanism controls access to all objects (files), and individual subjects (processes or users) cannot change that access.

Role-based access control (RBAC)

An access control mechanism in which, instead of the users being assigned specific access permissions for the objects associated with the computer system or network, a set of roles that the user may perform is assigned to each user.

Attribute-based access control (ABAC)

An access control model built around a set of rules built upon specific attributes.

Software tokens

An access token that is implemented in software.

Root

An account under Unix that is reserved for special functions and typically has much more access and control over the computer system than the average user account.

Federated identity management

An agreement between multiple enterprises that lets parties use the same identification data to obtain access to the networks of all enterprises in the group. This federation enables access to be managed across multiple systems in common trust levels.

HMAC-based One-Time Password (HOTP)

An algorithm that can be used to authenticate a user in a system by using an authentication server. (HMAC stands for Hash-based Message Authentication Code.)

Time-based One-Time Password (TOTP)

An algorithm that is a specific implementation of an HOTP that uses a secret key with a current time stamp to generate a one-time password.

Single sign-on (SSO)

An authentication process by which the user can enter a single user ID and password and then move from application to application or resource to resource without having to supply further authentication information.

IEEE 802.1X

An authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router.

Virtual private network (VPN)

An encrypted network connection across another network, offering a private communication channel across a public medium.

Usage auditing and review

An examination of logs to determine user activity. Reviewing access control logs for root level accounts is an important element of securing access control methods.

False negative

An instance when the system denies access to someone who is actually authorized.

False positive

An instance where you receive a positive result for a test, when you should have received a negative result. Thus, a false positive result occurs when a biometric is scanned and allows access to someone who is not authorized.

Lightweight Directory Access Protocol (LDAP)

An offshoot of the Directory Access Protocol (DAP) that offers all of the functionality most directories need and is easier and more economical to implement. It is the protocol that is commonly used to handle user authentication/authorization as well as control access to Active Directory objects.

Point-to-Point Protocol (PPP)

An older, still widely used protocol for establishing dial-in connections over serial lines or Integrated Services Digital Network (ISDN) services. PPP has several authentication mechanisms, including PAP, CHAP, and the Extensible Authentication Protocol (EAP).

OAuth (Open Authorization)

An open protocol that allows secure token-based authentication and authorization in a simple and standard method from web, mobile, and desktop applications, for authorization on the Internet.

Something you do

Another one of the categories of authentication factors. It specifically refers to activities, as the "you do" indicates. An example of this is a signature, because the movement of the pen and the two-dimensional output are difficult for others to reproduce.

Something you know

Another one of the categories of authentication factors. It specifically refers to passwords, as the "you know" indicates. The most common example of something you know is a password.

Something you have

Another one of the categories of authentication factors. It specifically refers to tokens and other items that a user can possess physically, as the "you have" indicates.

Somewhere you are

Another one of the categories of authentication factors. One of the more stringent elements is your location, or somewhere you are. Location can be compared to records to determine if you are really there, or even whether you should be there.

Privileged accounts

Any accounts with greater than normal user access. Privileged accounts are typically root or admin-level accounts and represent risk in that they are unlimited in their powers.

Permissions

Authorized actions a subject can perform on an object. See also access controls.

Mutual authentication

Describes a process in which each side of an electronic communication verifies the authenticity of the other.

Guest accounts

Frequently used on corporate networks to provide visitors with access to the Internet and to some common corporate resources, such as projectors, printers in conference rooms, and so on. Again, these types of accounts are restricted in their network capability to a defined set of machines, with a defined set of access, much like a user from the Internet visiting the company's publicly facing web site.

Shared accounts

Go against the specific principle that accounts exist so that user activity can be tracked. They exist only to provide a specific set of functionality, as in a PC running in kiosk mode, with a browser limited to specific sites as an information display. Sometimes shared accounts are called generic accounts.

Offboarding

Involves the bringing of personnel onto a project or team. During onboarding, proper account relationships need to be managed. New members can be put into the correct groups.

Onboarding

Involves taking personnel off a project or team. When people are offboarded, they can be removed from the groups they were added to when brought onto the project.

Access control

Mechanism or method used to determine what access permissions subjects (such as users) have for specific objects (such as files).

OpenID

OpenID is about proving who you are, the first step in the Authentication-Authorization ladder used for authentication. OpenID was created for federated authentication that lets a third party authenticate your users for you, by using accounts the users already have.

Credential management

Refers to the processes, services, and software used to store, manage, and log the use of user credentials. Credential management solutions are typically aimed at assisting end users manage their growing set of passwords.

SFTP

SFTP refers to running FTP over SSH, as later versions of SSH allow securing of channels such as the FTP control channel. SFTP is also referred to as Secure FTP.

Multifactor authentication

Simply the combination of two or more types of authentication. Also known as multiple-factor authentication.

Time-of-day restrictions

Specify restrictions that limit when a user can log in, when certain resources can be accessed, and so on. Time-of-day restrictions are usually specified for individual accounts.

Group policy object (GPO)

Stores the group policy settings in a Microsoft Active Directory environment.

Privileges

Term meaning that you have the ability to "do something" on a computer system such as create a directory, delete a file, or run a program.

Role

Term used to describe a person's job or function within the organization.

Accounting

The collection of billing and other detail records.

Terminal Access Controller Access Control System+ (TACACS+)

The current generation of the TACACS protocol family. TACACS+ extended the attribute control and accounting processes.

Tunneling

The encapsulation of one packet within another, which allows you to hide the original packet from view or change the nature of the network transport. This can be done for both security and practical reasons.

Ticket-granting ticket (TGT)

The first ticket issued in the Kerberos environment. The KDC verifies credentials and issues a ticket-granting ticket (TGT) which the user presents for service to the KDC.

Authorization

The function of determining what is permitted for an authorized user.

Biometric factors

The measurements of certain biological features to identify one specific person from other people. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint.

Authentication

The process by which a subject's (such as a user's) identity is verified.

Identification

The process of determining identity as part of identity management and access control. Usually performed only once, when the user ID is assigned.

Account recertification

The process of recertifying an account periodically. The process of recertification ensures that only users needing accounts have accounts in the system.

Privilege management

The process of restricting a user's ability to interact with the computer system.

Crossover error rate

The rate where both accept and reject error rates are equal. This is the desired state for most efficient operation, and it can be managed by manipulating the threshold value used for matching. Also known as the equal error rate (EER).

Account maintenance

The routine screening of all attributes for an account.

Client-to-server ticket

The second ticket used in the Kerberos environment that is used to gain access to a server's service in the realm. The user presents a request and a client-to-server ticket to the desired service and if the client-to-server ticket is valid, service is granted to the client. Also called a service ticket.

Account expiration

The setting of an ending time for an account's validity.

Basic authentication

The simplest technique used to manage access control across HTTP. Basic authentication operates by passing information encoded in Base64 form using standard HTTP headers. This is a plaintext method without any pretense of security.

FTPS

The use of FTP over an SSL/TLS secured channel.

Point-to-Point Tunneling Protocol (PPTP)

The use of generic routing encapsulation over PPP to create a methodology used for virtual private networking.

Rights

These define the actions a user can perform on the system itself, such as change the time, adjust auditing levels, and so on. Rights are typically applied to operating system-level tasks.
