CNIT 242 Chapter 1 AAA
Name the one place to set Windows Permissions
1. The file system itself
Requires separate authentication method
Access Control List (ACL)
Simplest method of authorization
Access Control List (ACL)
Contain a list of authorized users and their authorization level
Access Control List (ACLs)
_____ are attached to the resource; contain a list of authorized users and their authorization level; used in Windows and NetWare
Access Control List (ACLs)
Once authorized to access a resource, how much of the resource are you using?
Accounting
The tracking of the consumption of network resources by users; usually data usage; can be used for bill-back purposes
Accounting
_____ can be accomplished using any of the following: what you know, what you have, what you are
Authentication
Do you have the credentials necessary to access this system?
Authentication
________ is based on comparisons against a known-good object
Authentication
Once authenticated, what do you have permission to do?
Authorization
Users are only allowed to access resources for which they are authorized
Authorization
________ is accomplished through the use of permissions (or rights)
Authorization
Web Password Best Practices
Create secure passwords (maximize entropy); use a different password for each site; use a password management service
Adds security (IPsec or TLS) and provides both stateful and stateless models
Diameter
Built into the base protocol
Diameter
Support for failover between ______ servers
Diameter
______ is really a framework protocol onto which services (like AAA) can be built
Diameter
________ is a successor to RADIUS
Diameter
___________ supports authorization through the use of the NASREQ add-in application
Diameter
Users in a domain environment will authenticate against the _____, not against the local machine
Domain
Login credentials stored in the directory as an account object
Domain Logon
Provided credentials are compared against those stored in the directory
Domain Logon
Name the 4 authentication protocols
Domain Logon, RADIUS, TACACS+, Diameter
T/F Share permissions apply when the resource is accessed over a domain.
False (network)
T/F Resources other than users can't also be added to groups
False (they can)
T/F File system permissions aren't inherited as you go down the hierarchy
False (they are)
T/F Permissions can't be explicitly assigned instead of inherited
False (they can)
User ID (UID), physical object (e.g. ATM card), biometrics, digital certificates are examples of?
Identification
Built into Active Directory but also available as a 3rd party add-on that runs on most platforms
Kerberos
Designed as a strong network authentication protocol for client/server applications
Kerberos
Difficult to implement but easy to maintain since permissions are centralized
Kerberos
User IDs are typically created according to some algorithm
LNI or ILN
Where are NTFS permissions set
On the Security tab on the Properties dialog box on the Folder
Name the 3 servers required for Kerberos
One Authentication Server (AS); one Ticket Granting Server (TGS); at least one Application Server
Passwords, access code (e.g. PIN), one-time tokens, biometrics, digital certificates are examples of?
Proof of Identification
Uses Start and Stop packets to track usage (In Accounting)
RADIUS
______ includes authorization functions. The access-accept response can include authorization attributes
RADIUS
Separate protocols are used to remotely check credentials
RADIUS
This protocol can authenticate users of multiple device types
RADIUS
This protocol includes authorization functions. The access-accept response can include authorization attributes
RADIUS
This server can also point to other, external sources such as a database, Kerberos, LDAP, or AD server
RADIUS
Uses a RADIUS server as a central authentication point
RADIUS
Usually uses a Network Access Server as the client
RADIUS
What does RADIUS stand for?
Remote Authentication Dial In User Service
NTFS permissions set through the _____ tab on the _____ dialog box on the folder
Security, Properties
What does the Ticket Granting Server in Kerberos give you?
Service Granting Ticket
Operationally similar to RADIUS, but uses TCP instead of UDP and breaks each of the AAA functions into a separate process
TACACS+
Protocol breaks each of the AAA functions into a separate process
TACACS+
The _______ server tells the access server what ACL to use
TACACS+
Typically only used to access devices, not workstations/servers
TACACS+
Writes information to a log or a database (In Accounting)
TACACS+
______ uses ACLs on the NAS device
TACACS+
Protocol(s) that use a reliable transport-layer protocol (TCP)
TACACS+ or Diameter
TACACS+ means what?
Terminal Access Controller Access-Control System (plus)
What does the Authentication Server give out in Kerberos?
Ticket Granting Token
T/F An explicit allow cannot override an inherited deny
True
T/F Best to assign access permissions to groups rather than individual users
True
T/F Generally, it's a best practice to set all permissions on the file system and allow everyone access to the share
True
T/F Multiple users can be grouped together based on function or job role
True
T/F Permission types vary based on the resource to which they are attached
True
T/F When talking about permissions a subdirectory will, by default, inherit the permissions of its parent
True
Two-factor authentication uses two of the above to prove an identity
What you know, what you have, what you are
Access Control Lists (ACLs) are used in which operating systems?
Windows and NetWare