Security+ Objective 4.3


Lockout

A password lockout is usually a limited-time disablement of the password input form. It is used to defend against brute force attacks by stopping an entity from entering too many incorrect passwords in a row. Once the timer has ended, passwords may be entered again.

Password reuse

A password policy may stipulate that personnel shouldn't reuse the same password across multiple systems.

User account

A user account is just the standard account type for general users in your organization. These accounts are almost always limited in privileges.

Access Recertification

Access recertification is a review of the permissions tied to each user account, specifically to see if they are still adhering to the principle of least privilege.

Account maintenance

Account maintenance is a process whereby you modify existing accounts or remove accounts that are no longer in use.

Account types

Accounts can include a significant amount of customization to fit your organization's business and security needs. Most accounts will fit into one of a few general types or categories including user, shared, guest, service, and privilege accounts.

Permission auditing and review

Accounts should undergo permissions auditing and reviews to determine if they are still adhering to the principle of least privilege. Some accounts accumulate too many permissions over time—a process known as permissions creep.

Account policy enforcement

An account policy is a document that includes an organization's requirements for account creation, account monitoring, and account removal. Policies can include user-specific requirements or group management requirements.

Onboarding/offboarding

An onboarding and offboarding plan can guide you through the process of creating new accounts for new employees and disabling and removing accounts for employees who leave the organization. This minimizes disruption and prevents a terminated employee's account from being used as an attack vector.

Privileged accounts

Compared to a standard user account, a privileged account has greater access rights to data and systems in the organization. Most administrator accounts fall into this category, as elevated privileges are required to access crucial infrastructure such as domain controllers.

Credential management

Credential managers were created to help users and organizations more easily store and organize account user names and passwords. These applications typically store credentials in an encrypted database on the local machine.

Disablement

Disablement is the process of removing or disabling a password or account. This often occurs after the account is no longer valid or needed, such as after a user has left a company. Disablement ensures non-active users do not have access to systems they should not.

Expiration

Expiration ensures a password is valid only for a certain amount of time. After such time, the user must change their password.

Guest accounts

Guest accounts are provided to non-personnel who may need limited access to the network. There is no password or other significant identifying information on a guest account, and people logging in as guest will have almost no ability to create, modify, or delete files.

Service accounts

Human users are not the only entities in an IAM system that use accounts. Some computers and applications play specific roles in the organization and must access files and other systems to fulfill their duties; the accounts they use for this are service accounts.

Location-based policies

Location-based restrictions may protect against remote attacks that come from malicious or unknown sources.

Password history

Many password policies will force the user to choose a password that they haven't used before, or haven't used in a long time. Remembering previous passwords ensures that users aren't just reusing the same password over and over every time they are forced to change it.

Time-of-day restrictions

One way to mitigate the risk of an account being misused is to restrict the account's access to only certain times of the day, when the employee is working.

Password complexity

Password complexity is generally defined by the type of characters used and the formatting of those characters.

Recovery

Password recovery is a feature of many applications and systems that allows a user to retrieve or reset their password if they have forgotten it. Password recovery often requires that the user knows their username, such as an email address, or some other "something you know" authentication factor.

Shared and generic accounts/credentials

Shared accounts are accessed by more than one user or resource, and unlike traditional unshared accounts, they are not associated with any one individual.

Group policy

The Group Policy service in Windows systems provides several different methods for managing account security across a domain, including enforcing account password properties, account lockout thresholds, and auditing of account management events.

Least privilege

The principle of least privilege dictates that users and software should have the minimal level of access that is necessary for them to perform the duties required of them.

Password length

To protect against brute force attacks, password policies often enforce a minimum length. The time it takes to brute force a password increases exponentially with the introduction of each additional character.

Standard naming convention

To reduce confusion, accounts should be named in a consistent manner. This helps facilitate management of accounts, especially through scripting and command-line usage.

Usage auditing and review

Usage auditing is the monitoring of how user accounts are being used in the organization. This can help you spot privilege escalation attacks, or simply alert you to behavior that an account should not be engaging in.

Group-based access control

When users are placed in groups, you can easily add or revoke permissions for multiple people, saving you time and effort. It's also easier to understand the job function that each user has in the organization if they are a member of certain groups.
