Chapter 2a (SEC+ 501)

OAuth and OpenID Connect OAuth is an open standard for authorization many companies use to provide secure a_________ to protected resources. Instead of creating a different account for each web site you access, you can often use the same account that you've created with Google, Facebook, PayPal, Microsoft, or Twitter. As an example, imagine that the Try-N-Save Department Store decides to sell some of its products online and management has decided to allow customers to make purchases through PayPal. Developers configure their web site to exchange a___________ programming interface (API) calls between it and PayPal servers. Now, when customers make a purchase, they log on with their PayPal account and make their purchase through PayPal. OAuth transfers data between PayPal and the Try-N-Save site so that the department store receives the money and knows what to ship to the customer. A benefit for the customers is that they don't have to create another account for Try-N-Save. OpenID Connect works with OAuth 2.0 and it allows clients to verify the identity of end users without managing their credentials. In this context, the client is typically a web site or application that needs to authenticate users. OpenID Connect provides i_________________ services, without requiring the application to handle the c_________________. It also streamlines the user experience for users. For example, Skyscanner is an application for finding flights, hotels, and car rentals. It allows users to sign in using their Facebook credentials. After doing so, Skyscanner provides a more personalized experience for the users.

Access application identification credentials

SSO and SAML Security A____________ Markup Language (SAML) is an E____________ Markup Language (XML)-based data format used for SSO on web b__________. Imagine two web sites hosted by two different organizations. Normally, a user would have to provide different credentials to access either web site. However, if the organizations trust each other, they can use SAML as a federated identity management system. Users authenticate with one web site and are not required to authenticate again when accessing the second web site. Many web-based portals use SAML for SSO. The user logs on to the portal once, and the portal then passes proof of the user's authentication to back-end systems. As long as one organization has authenticated users, they are not required to authenticate again to access other sites within the portal. SAML defines three roles: • Principal. This is typically a u____. The user logs on once. If necessary, the principal requests an identity from the identity provider. • Identity provider. An identity provider creates, maintains, and manages identity information for principals. • Service provider. A service provider is an entity that provides services to principals. For example, a service provider could host one or more web sites accessible through a web-based portal. When a principal tries to access a resource, the service provider redirects the principal to obtain an identity first. This process sends several XML-based messages between the systems. However, it is usually transparent to the user.

Assertion extensible browsers user

SAML and Authorization It's important to realize that the primary purpose of SSO is for identification and a_______________ of users. Users claim an identity and prove that identity with credentials. SSO does not provide authorization. For example, if the power plant and the school system create a federation using SAML, this doesn't automatically grant everyone in the school system full access to the nuclear power plant resources. Authorization is completely separate. However, many federation SSO systems, including SAML, include the ability to transfer authorization data between their systems. In other words, it's possible to use SAML for single sign-on authentication and for authorization. Remember this SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.

Authentication

Kerberos is a network a_________________ mechanism used within Windows Active Directory domains and some Unix environments known as r_______.

Authentication realms

The Owner Establishes Access Remember this The D____ model specifies that every object has an owner, and the owner has f____, explicit control of the object. Microsoft NTFS uses the DAC model.

Dac full

Kerberos includes several requirements for it to work properly. They are: • A method of issuing tickets used for authentication. The Key D_________________ Center (KDC) uses a complex process of issuing ticket-g_____________ tickets (TGTs) and other tickets. The KDC (or TGT server) packages user credentials within a ticket. Tickets provide authentication for users when they access resources such as files on a file server. These tickets are sometimes referred to as tokens, but they are logical tokens, not a key fob type of token discussed earlier in the "Something You Have" section. • Time synchronization. Kerberos version 5 requires all systems to be s_______________ and within __(#) minutes of each other. The clock that provides the time synchronization is used to timestamp tickets, ensuring they expire correctly. This helps prevent replay attacks. -In a replay attack, a third party attempts to i_____________ a client after intercepting data captured in a session. However, if an attacker intercepts a ticket, the t____________ limits the amount of time an attacker can use the ticket. • A d___________ of subjects or u______. In a Microsoft environment, this is Active Directory, but it could be any database of users. When a user logs on with Kerberos, the KDC issues the user a ticket-granting ticket, which typically has a lifetime of ___(#) hours to be useful for a single workday. When the user tries to access a resource, the ticket-granting ticket is presented as authentication, and the user is issued a ticket for the resource. However, the ticket expires if users stay logged on for an extended period, such as longer than 10 hours. This prevents them from accessing network resources. In this case, users may be prompted to provide a password to renew the ticket-granting ticket, or they might need to log off and back on to generate a new ticket-granting ticket. Additionally, Kerberos uses symmetric-key cryptography to prevent unauthorized disclosure and to ensure confidentiality. Chapter 10 explains algorithms in more depth, but in short, symmetric-key cryptography uses a s________ key for both encryption and decryption of the same data. Remember this Kerberos is a network authentication protocol within a Microsoft Windows Active Directory domain or a Unix realm. It uses a database of objects such as Active Directory and a KDC (or TGT server) to issue timestamped tickets that expire after a certain time period.

Distribution granting synchronized 5 impersonate timestamp database users 10 single

Beware of Trojans An inherent flaw associated with the DAC model is the susceptibility to Trojan horses. Trojan horses are e____________ files. They masquerade as something useful, but they include malware. For example, Bart might decide to download and install a program that a friend raved about. After installation, he decides it's not so great and forgets about it. However, the damage is done. What really happened? When Bart installed the program, it also installed malware. Moreover, if Bart was logged on with administrative privileges when he installed it, the Trojan is able to run with these administrative privileges. Many organizations require administrators to have two accounts to mitigate the risks associated with Trojans. Most of the time, administrators log on with a regular user account. If the system is infected with malware, the malware has limited permissions assigned to the regular user account. In contrast, if the system is infected with malware while the administrator is logged on with an administrative account, the malware has the elevated permissions of an administrator.

Executable

SSO and a Federation Some SSO systems can connect authentication mechanisms from different environments, such as different operating systems or different networks. One common method is with a federated identity management system, often integrated as a federated database. This f____________ database provides central authentication in a nonhomogeneous environment. As an example, imagine that the Springfield Nuclear Power Plant established a relationship with the Springfield school system, allowing the power plant employees to access school resources. It's not feasible or desirable to join these two networks into one. However, you can create a federation of the two networks. Once it's established, the power plant employees will log on using their power plant account, and then access the shared school resources without logging on again. A federation requires a federated identity management system that all members of the federation use. In the previous example, the members of the federation are the power plant and the school system. Members of the federation agree on a standard for federated identities and then exchange the information based on the standard. A federated identity l_____ a user's credentials from d___________ networks or operating systems, but the federation treats it as one identity. S_____________ is one of the federated identity solutions mentioned specifically in the CompTIA Security + exam objectives. It is open source and freely available, making it a more affordable solution than some of the commercially available federated identity solutions. It also includes Open SAML libraries written in C + + and Java, making it easier for developers to expand its usefulness.

Federated links different shibboleth

SSO and Transitive Trusts A transitive trust creates an i________ trust relationship. As an example, imagine a transitive trust relationship exists between Homer, Moe, and Fat Tony: • Homer trusts Moe. • Moe trusts Fat Tony. • Because of the transitive trust relationship, Homer trusts Fat Tony. Of course, this isn't always true with people and Homer might be a little upset with Moe if Moe shares Homer's secrets with Fat Tony. However, it reduces network administration in a domain. Within an LDAP-based network, domains use transitive trusts for S____. Figure 2.4 shows a common configuration with three domains in the same network. The parent domain is GetCertifiedGetAhead.com and the configuration includes two child domains—Training and Blogs.

Indirect sso

NTLM New Technology L___ Manager (NTLM) is a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems. At their most basic, they use a Message Digest hashing algorithm to c_____________ users and check their credentials. There are three versions of NTLM: . • NTLMv2 is a challenge-r___________ authentication protocol. When a user attempts to log on, NTMLv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain name (or computer name), the user's password, the current time, and more. To create an HMAC-MD5 message, authentication code starts as the MD5 hash of a user's p__________, which is then e_____________. • NTLM2 Session improves NTLMv2 by adding in m_________ authentication. In other words, the client authenticates with the server, and the server also authenticates with the client. So, which protocol should you select? Actually, Microsoft specifically recommends that developers don't select one of these protocols. Instead, developers should use the N__________ security package within their applications. This security package selects the most secure security protocols available between the systems. It first tries to use Kerberos if it is available. If not, it uses either NTLMv2 or NLTM2 Session depending on the capabilities of the systems involved in the session.

Lan challenge response password encrypted mutual negotiate

Labels and Lattice The MAC model uses different levels of security to classify both the users and the data. These levels are defined in a l________. The lattice can be a complex relationship between different ordered sets of labels. These labels define the boundaries for the security levels. Figure 2.7 shows how the MAC model uses a lattice to divide access into separate compartments based on a need to know. The lattice starts by defining different levels of Top Secret, Secret, Confidential, and For Official Use. Each of these labels defines specific security boundaries. Within these levels, the lattice defines specific c__________________. For example, the Top Secret level includes compartments labeled Nuclear Power Plant, 007, and Happy Sumo.

Lattice compartments

LDAP and LDAPS L___________ Directory Access Protocol (LDAP) specifies formats and methods to q______ directories. In this context, a directory is a database of objects that provides a central access point to manage users, computers, and other directory objects. LDAP is an extension of the X. 500 standard that Novell and early Microsoft Exchange Server versions used extensively. Windows domains use Active Directory, which is based on LDAP. Active Directory is a directory of objects (such as users, computers, and groups), and it provides a single location for object management. Queries to Active Directory use the LDAP format. Similarly, Unix realms use LDAP to identify objects. Administrators often use LDAP in scripts, but they need to have a basic understanding of how to identify objects. For example, a user named Homer in the Users container within the GetCertifiedGetAhead.com domain is identified with the following LDAP string: LDAP:// CN = Homer, CN = Users, DC = GetCertifiedGetAhead, DC = com • CN = Homer. CN is short for c_________ name. • CN = Users. CN is sometimes referred to as c____________ in this context. • DC = GetCertifiedGetAhead. DC is short for d_________ component. • DC = com. This is the second domain component in the domain name. LDAP Secure (LDAPS) uses encryption to protect LDAP transmissions. When a client connects with a server using LDAPS, the two systems establish a T____________ Layer Security (TLS) session before transmitting any data. TLS encrypts the data before transmission. Remember this LDAP is based on an earlier version of X. 500. Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes such as CN = Users and DC = GetCertifiedGetAhead. LDAPS encrypts t_______________ with TLS.

Lightweight query common container domain transport transmission

Remember this Identification occurs when a user claims an identity such as with a username or email address. Authentication occurs when the user proves the claimed identity (such as with a password) and the credentials are verified. Access control systems provide authorization by granting access to resources based on permissions granted to the proven identity. L_________ provides accounting.

Logging

Mandatory Access Control The m____________ access control (MAC) model uses l_______ (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don't match, the access model blocks access. Military units make wide use of this model to protect data. You might have seen movies where they show a folder with a big red and black cover page labeled "Top Secret." The cover page identifies the sensitivity label for the data contained within the folder. Users with a Top Secret label (a Top Secret clearance) and a need to know can access the data within the Top Secret folder. Need to know is an important concept to understand. Just because individuals have a Top Secret clearance doesn't mean they should automatically have access to all Top Secret data. Instead, access is restricted based on a need to know. Security-enhanced Linux (SELinux) is one of the few operating systems using the mandatory access control model. SELinux was specifically created to demonstrate how mandatory access controls can be added to an operating system. In contrast, Windows operating systems use the discretionary access control model.

Mandatory labels

Windows domains use Group Policy to manage multiple users and computers in a domain. Group Policy allows an administrator to configure a setting once in a Group Policy O_______ (GPO) and apply this setting to many users and computers within the domain. A______ D___________ Domain Services (AD DS) is a directory service Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Administrators implement domain Group Policy on domain c______________.

Object active directory controllers

In the DAC model, o________ have control over the access and in an ABAC model, owners can create policies to grant access. The MAC model uses l_______ assigned to both subjects and objects and grants access when the labels match. Remember this The ABAC model uses a____________ defined in policies to grant access to resources. It's commonly used in software defined networks (SDNs).

Owners labels attributes

Remember this Group Policy is implemented on a domain controller within a domain. Administrators use it to create p___________ policies, implement security s__________, configure host-based firewalls, etc.

Password settings

Need to Know The principle of need to know is similar to the principle of least privilege in that users are granted access only to the data and information that they need to know for their job. Notice that need to know is focused on data and information, which is typically protected with p_____________. In contrast, the principle of least privilege includes both r_______ and permissions. Rights refer to actions and include actions such as the right to change the system time, the right to install an application, or the right to join a computer to a domain. Permissions typically refer to permissions on files, such as read, write, modify, read & execute, and full control.

Permissions rights

Remember this Least privilege is a t____________ control. It specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions.

Technical

As a reminder, four key concepts are: • Identification. Users claim an identity with an identifier such as a u__________. • Authentication. Users prove their identity using an authentication method such as a p___________. • Authorization. Users are authorized a_______ to resources, based on their proven identity. • Accounting. Logs r________ activity using the users' claimed identity. Remember this Requiring administrators to use two accounts, one with administrator privileges and another with regular user privileges, helps prevent privilege e_____________ attacks. Users should not use shared accounts.

Username password access record escalation