Unit 6 Identify, Access, and Account Management

Network Authentication Protocols - 802.1x

802.1x is an authentication method used on a LAN to allow or deny access based on a port or connection to the network. -802.1x is used for port authentication on switches and authentication to wireless access points. -802.1x requires an authentication server for validating user credentials. This server is typically a RADIUS server. -Authentication credentials are passed from the client, through the access point, to the authentication server. -The access point enables or disables traffic on the port based on the authentication status of the user. -Authenticated users are allowed full access to the network; unauthenticated users have access to only the RADIUS server. 802.1x is based on EAP and can use a variety of methods for authentication, such as usernames and passwords; certificates; or smart cards.

daemon

A Linux or UNIX program that runs as a background process, rather than being under the direct control of an interactive user.

Remote Access Policies Solutions - RADIUS

A Radius server is an authentication and authorization mechanism that uses the User Datagram Protocol (UDP) for authorization. It is used in Microsoft implementations. It provides a single solution for authentication and authorization.

Access Control List (ACL) Types - Discretionary access control list (DACL)

A discretionary access control list is an implementation of discretionary access control (DAC). Owners add users or groups to the DACL for an object and identify the permissions allowed for that object.

Permission

A permission controls the type of access that is allowed or denied for an object.

Hardening Authentication Methods - Account Restrictions

Account restrictions place restrictions on the use of a user account for login. For example, you can: -Prohibit multiple concurrent logins -Allow logins only during certain days and hours -Allow logins only from specific computers -Create expiration dates for user accounts for temporary users to prevent them from being used past a certain date

Local User Account Types - Administrator

Administrators have complete control of the system and can perform tasks such as: -Change global settings -Create/delete users -Install applications -Run applications in an elevated state -Access all files on the system

System ACL (SACL)

An ACL Microsoft uses for auditing to identify past actions users have performed on an object.

Access control policy

An access control policy defines the steps and measures that are taken to control access to objects.

Access control system

An access control system includes policies, procedures, and technologies that are implemented to control access to objects.

False negative

An error that occurs when a person who should be allowed access is denied access.

Biometric Parameter - Accuracy

Are the results accurate? Accuracy is extremely critical in a biometric system. Most devices can be configured for increased or reduced sensitivity. Note the following as it relates to biometric accuracy: -False rejection occurs when a person who should be allowed access is denied access. The false rejection rate (FRR) is a measure of the probability that a false negative will occur. -False acceptance occurs when a person who should be denied access is allowed access. The false acceptance rate (FAR) is a measure of the probability that a false positive will occur. False positives are more serious than false negatives and represent a security breach because unauthorized persons are allowed access. -A crossover error rate, also called the equal error rate, is the point at which the number of false positives matches the number of false negatives in a biometric system. It is advisable to select the system with the lowest crossover error rate within your budget.

Authentication

Authentication is the process of validating identity. It includes the identification process, a user providing input to prove identity, and the system accepting that input as valid. The verification of the issued identification credentials. It is usually the second step in the identification process and establishes that you are who you say you are. Authentication is the process of validating user credentials that prove user identity.

Biometric Parameter - Circumvention

Can the attribute be easily circumvented?

Identity Term - Certificates

Certificates are issued by a certificate authority and verify identity by providing the following: -Public keys -Details on the owner of the certificate -Details on the issuer of the certificate

Linux Group Commands - gpasswd

Changes a group password. -groupname prompts for a new password. - - r removes a group password.

Linux Group Commands - groupadd

Creates a new group. The following options override the settings as found in the /etc/login.defs file: - - g defines the group ID (GID). - - p defines the group password. - - r creates a system group.

Linux Group Commands - groups

Displays the primary and secondary group membership for the specified user account.

Biometric Method - Facial

Facial scanning creates a map of 80 points on an individual's face. The distances measured on this map can be used to identify the person in the future. Measurements could include the distance between eyes, the shape of a nose, the size of the cheekbones, etc.

Biometric Method - Fingerprints

Fingerprints are made up of patterns of ridges and valleys. Fingerprint scanners analyze these patterns and convert them into a numerical format that can be stored for future comparison.

Biometric Method - Gait

Gait recognition analyzes the way that people walk. Each person has a unique way of walking. Several factors determine your gait, including: -Height, weight, and body proportions -Age -Health (diseases or disorders) -Personality or emotions When analyzing gait, the following are measured: -Stride -Step -Speed -Hip and foot angle -Cadence Data is gathered using sensors, cameras, or wearable devices. The gait recognition system creates a digital signature that can be stored or compared to existing data. Gait recognition systems are still fairly new and, as with most biometric systems, should not be used as a stand-alone method of identification.

Biometric Parameter - Collectible

How easy is it to acquire this measurable attribute?

Access Control Best Practices - Identification

Identification is the act of claiming an identity, such as telling someone your name. Important facts to know about identification include: -In the computer world, a username is a form of identification. -Because anyone could pretend to be the user, identification by itself is not very secure. -To substantiate identity, the person must provide some form of identity verification.

Biometric Parameter - Unique

Is the physical attribute distinctive enough that it can be used to distinguish between individuals?

Linux Group Commands - newgrp

Is used to change the current group ID during a login session. If the optional - flag is given, the user's environment will be reinitialized as though the user had logged in. Otherwise, the current environment, including current working directory, remains unchanged. You can use this when working in a directory in which all the files must have the same group ownership.

Access Control Best Practices - Job rotation

Job rotation is a technique where users are cross-trained in multiple job positions. Responsibilities are regularly rotated between personnel. Job rotation: -Cross trains staff in different functional areas in order to detect fraud. -Exchanges positions of two or more employees to allow for oversight of past transactions. -Can be used for training purposes.

Active Directory Components - Generic container

Like OUs, generic containers are used to organize Active Directory objects. Generic container objects: -Are created by default -Cannot be moved, renamed, or deleted -Have very few properties you can edit

Objects

Objects are data, applications, systems, networks, and physical space.

Authentication Technologies - Push Notifications

Push notifications can also be used to grant access to an account. Whenever you log into your account, you enter your username. But instead of a password, you receive an access request notification on your mobile device. You can choose to either approve or decline this request.

Remote access policies

Remote access policies are used to restrict access. The policies identify authorized users, conditions, permissions, and connection parameters such as time of day, authentication protocol, caller id, etc.

User Management Commands - userdel

Remove the user from the system. Be aware of the following options: -userdel [username] (without options) removes the user account. - -r removes the user's home directory. - -f forces the removal of the user account even when the user is logged into the system.

Replication

Replication is the process of copying changes to Active Directory on the domain controllers.

Access Control Models - Rule-based access control

Rule-based access control uses rules applied to characteristics of objects or subjects to restrict access. -Access control entries identify a set of characteristics that are examined for a match. -If all characteristics match, access is either allowed or denied based on the rule. -An example of a rule-based access control implementation is a router access control list that allows or denies traffic based on characteristics within the packet, such as IP address or port number. -Because rule-based access control does not consider the identity of the subject, a system that uses rules can be viewed as a form of mandatory access control.

Local User Account Types - Standard User

Standard users have limited permission. For example, standard users can: -Use applications (but they cannot install them) -Change some settings that apply only to them Standard users cannot run applications in an elevated state.

Active Directory Advantages - Replication

The Active Directory database can be replicated to other systems. This eliminates the need to manually recreate user accounts on every system to which a user may need to access.

Hardening Authentication Methods - Account Maintenance

The following list provides best practices for account maintenance: -Delete an employee#39;s account when the employee leaves the organization. -Disable inactive accounts. -Use automatic account expiration when applicable. -Restrict remote access only to authorized clients (filtering by IP address).

Hardening Authentication Methods - Limit Remote Access

The following precautions should be taken when administering remote access: -Allow remote access to the network only for those users who need it to perform their duties (not standard for all users). -Do not allow remote access clients to connect directly to the internal network. Allow remote access clients to connect to a DMZ and then monitor the traffic. -Restrict remote access only to authorized clients . You can filter by IP address.

Identification

The initial process of confirming the identity of a user requesting credentials. This occurs when a user enters a user ID at logon.

Radio frequency identification(RFID)

The wireless, non-contact use of radio frequency waves to transfer data.

Authentication Management Operating Systems - Linux

There are a variety of credential management systems available for Linux systems. One commonly used package is KWalletManager, which stores account credentials for network resources, such as file servers and websites. KWalletManager: -Saves the account credentials in a secure "wallet." -Stores authentication credentials used to connect to network servers as well as secure websites. -Uses saved account credentials when the user accesses a particular network resource. -Offers two encryption options, Blowfish and GPG, for protecting credentials stored in the wallet. -Does not display passwords for saved credentials. -Uses KDE Wallet Manager application to add, remove, or modify saved credentials. KDE Wallet Manager can also back up the contents of the wallet by exporting it to an encrypted .kwl file.

Authentication Attribute - Something you can do

This requires you to perform a particular action to verify your identity. Here are a few examples of an action that can be used: -Supply a handwritten sample that's analyzed against a baseline sample for authentication. -Type sample text. Your typing behaviors are analyzed against a baseline before authentication.

Local User Tools - Windows Settings App

To create a local account on a computer not joined to a domain: 1. Right-click Start, select Settings, and then choose Accounts. 2. Select Family & other users (or Other users if the computer is joined to a domain). Then select Add someone else to this PC. 3. Follow the remaining steps to enter the name and password for the new user.

User Management Commands - usermod

Used to modify an existing user account; usermod uses several of the same switches as useradd. Be aware of the following switches: - -c changes the description for the account. - -l renames a user account. - -L locks the user account. This command inserts a ! before the password in the /etc/shadow file, effectively disabling the account. - -U unlocks the user account.

Biometric Method - Vein

Vein recognition scanners use infrared light to determine the vein pattern in your palm. Like a fingerprint, this pattern differs from one person to the next and does not change. The scanner converts the collected data into a code that is encrypted and assigned to you. The benefits of vein biometrics are: -Veins are internal so they cannot be altered or covered as easily as hands or a face could be. -Because a palm is larger than an eye or a finger, more data points can be collected. This provides a higher rate of accuracy. -Because veins are internal, they are harder to replicate and can only be captured in close proximity.

Access Control Best Practices - Defense-in-depth

wDefense-in-depth is an access control principle which implements multiple access control methods instead of relying on a single method. Multiple defenses make it harder to bypass security measures.

Domain controller

A domain controller is a server that holds a copy of the Active Directory database. The copy of the Active Directory database on a domain controller can be written to.

Domain

A domain is an administratively-defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure.

Network Authentication Mode - Simple

A username and password are required. Normally, the username and password are passed in cleartext. LDAP uses ports 389 and 636 by default.

Hardening Authentication Methods - Account Lockout Policies

Account lockout disables a user account after a specified number of incorrect login attempts. Account lockout policies include: -Account lockout duration - Specifies the number of minutes a locked-out account remains locked out before automatically becoming unlocked. When set to 0, an administrator must unlock the account. -Account lockout threshold - Specifies the number of failed logon attempts that causes a user account to be locked out. -Reset account lockout counter after - Specifies the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. For example, if this value is set to 60 minutes and the account lockout threshold is set to 5, the user can enter up to four incorrect passwords within one hour without the account being locked. Account lockout can be used to prevent attackers from guessing passwords, but it can also be used maliciously to lock an account and prevent a valid user from logging in.

Hardening Authentication Methods - Account Monitoring

Account monitoring can help you detect unusual or risky behavior. You should monitor for the following: -Login activity. -Suspicious logins for the user (spikes, logins at unusual time of day, and/or frequent or failed logins). -Remote-access traffic.

Hardening Authentication Methods - Password Policies

Account policies help you control the composition and use of passwords. Password policies include: -Enforce password history - This determines the number of unique new passwords that have to be used before an old password can be reused. This helps to prevent users from reusing any recent passwords. -Maximum password age - This requires users to change their password after a given number of days. -Minimum password age - This determines the number of days that a password must be used before the user can change it. This prevents users from reverting back to their original password immediately after they have changed it. -Minimum password length - This identifies the minimum number of characters in a password. -Password must meet complexity requirements - A complex password prevents using passwords that are easy to guess or crack. Complex passwords must meet the following minimum requirements: --Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters --Must be at least six characters in length --Must contain characters from three of the following four categories: ---English uppercase characters (A through Z) ---English lowercase characters (a through z) ---Base-10 digits (0 through 9) ---Non-alphabetic characters (for example, !, $, #, or %) Complexity requirements are enforced when passwords are changed or created.

User Files - /etc/group

As with Active Directory, groups can be used to simplify user access to network resources. The /etc/group file contains information about each group.

User Management Commands - passwd

Assign or change a password for a user. -passwd (without a user name or options) changes the current user's password. -Users can change their own passwords. The root user can execute all other passwd commands. Be aware of the following options: - -S username displays the status of the user account. LK indicates that the user account is locked, and PS indicates that the user account has a password. - -l disables (locks) an account. This command inserts a !! before the password in the /etc/shadow file, effectively disabling the account. - -u enables (unlocks) an account. - -d removes the password from an account. - -n sets the minimum number of days after a password exists before it can be changed. - -x sets the number of days before a user must change the password (password expiration time). - -w sets the number of days before the password expires that the user is warned. - -t sets the number of days following the password expiration that the account will be disabled.

Remote Access Protocols - Challenge Handshake Authentication Protocol (CHAP)

CHAP uses a challenge/response (three-way handshake) mechanism to protect passwords. CHAP is the only remote access authentication protocol that ensures that the same client or system exists throughout a communication session by repeatedly and randomly re-testing the validated system.

User Management Commands - useradd

Create a user account. The following options override the settings as found in /etc/default/useradd: - -c adds a description for the account in the GECOS field of /etc/passwd. - -d assigns an absolute pathname to a custom home directory location. - -D displays the default values specified in the /etc/default/useradd file. - -e specifies the date on which the user account will be disabled. - -f specifies the number of days after a password expires until the account is permanently disabled. - -g defines the primary group membership. - -M defines the secondary group membership. - -m creates the user's home directory (if it does not exist). - -n does not create a group with the same name as the user (Red Hat and Fedora, respectively). - -p defines the encrypted password. - -r specifies that the user account is a system user. - -s defines the default shell. - -u assigns the user a custom UID. This is useful when assigning ownership of files and directories to a different user.

Network Authentication Protocols - Extensible Authentication Protocol(EAP)

EAP allows the client and server to negotiate the characteristics of authentication. -An EAP authentication scheme is called an EAP type. Both the client and authenticator have to support the same EAP type for authentication to function. -When a connection is established, the client and server negotiate the authentication type that will be used based on the allowed or required authentication types configured on each device. -The submission of authentication credentials occurs based on the rules defined by the authentication type. -EAP is used to allow authentication with smart cards, biometrics, and certificate-based authentication. Other versions of EAP include: -Protected Extensible Authentication Protocol (PEAP) is a more secure version of EAP. It provides authentication to a WLAN that supports 801.1x. PEAP uses a public key over TLS. -EAP-FAST, which is also known as flexible authentication via secure tunneling. This version performs session authentication in wireless networks and point-to-point connections.

Remote Access Protocols - Extensible Authentication Protocol (EAP)

EAP allows the client and server to negotiate the characteristics of authentication. When a connection is established, the client and server negotiate the authentication type that will be used based on the allowed or required authentication types configured on each device. EAP allows authentication using a variety of methods, including passwords, certificates, and smart cards.

Object

Each resource within Active Directory is identified as an object.

Remote Access Protocols - Hypertext Transport Protocol Secure (HTTPS)

HTTPS uses HTTP over Secure Socket Layer (SSL). It has replaced S-HTTP as the method of securing HTTP (web) traffic. It is a session-based encryption technology, meaning that the keys used for that session are valid for that session only. HTTPS is used predominantly throughout the internet. HTTPS operates over TCP port 443.

Remote Access Protocols - Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

MS-CHAP is Microsoft's version of CHAP. -MS-CHAP encrypts the shared secret on each system so that it is not saved in cleartext. -MS-CHAP v2 allows for mutual authentication, in which the both the server and the client authenticate. Mutual authentication helps to prevent man-in-the-middle attacks and server impersonation.

Network Authentication Protocols - Kerberos

Kerberos is used for both authentication and authorization services. It is the default authentication method used by computers that are a part of an Active Directory domain. Kerberos grants tickets, also called a secure tokens, to authenticated users and to authorized resources. The process of using tickets to validate permissions is called delegated authentication. Kerberos uses the following components: -An authentication server (AS) accepts and processes authentication requests. -A service server (SS) is a server that provides or holds network resources. -A ticket-granting server (TGS) grants tickets that are valid for specific resources on specific servers. -The authentication server and ticket-granting server are often combined into a single entity known as the Key Distribution Center (KDC). Kerberos uses the following process: 1. The client sends an authentication request to the authentication server. 2. The authentication server validates the user identity and grants a ticket-granting ticket (TGT). The TGT validates the user identity and is good for a specific ticket-granting server. 3. When the client needs to access a resource, it submits its TGT to the TGS. The TGS validates that the user is allowed access and issues a client-to-server ticket. 4. The client connects to the service server and submits the client-to-server ticket as proof of access. 5. The SS accepts the ticket and allows access.

User Security Commands - ulimit

Limits computer resources used for applications launched from the shell. Limits can be hard or soft limits. Soft limits can be temporarily exceeded up to the hard limit setting. Users can modify soft limits, but only the root user can modify hard limits. Options include: - -c limits the size of a core dump file. The value is in blocks. - -f limits the file size of files created using the shell session. The value is in blocks. - -n limits the maximum number of files that can be open. - -t limits the amount of CPU time a process can use. This is set in seconds. - -u limits the number of concurrent processes a user can run. - -d limits the maximum amount of memory a process can use. The value is in kilobytes. - -H sets a hard resource limit. - -S sets a soft resource limit. - -a displays current limits. The default shows soft limits.

Linux Group Commands - usermod

Modifies group membership for the user account. Be aware of the following options: - - g assigns a user to a primary group. - - G assigns a user to a secondary group (or groups). Follow the command with a comma-separated list of groups. - - aG assigns a user to a secondary group (or groups) by appending the group to any groups the user already belongs to. Follow the command with a comma-separated list of groups. - - G "" removes the user from all secondary group memberships. Do not include a space between the quotes.

Linux Group Commands - groupmod

Modifies the existing group. Be aware of the following options: -groupname prompts for a new password. - - r removes a group password.

Linux Group Commands - groupdel

Modifies the system account files by deleting all entries that refer to the specified group. The named group must exist. You cannot remove the primary group of any existing user. You must remove the user before you remove the group.

Remote Access Protocols - Simple Network Management Protocol Version 3(SNMPv3)

NMPv3 is a protocol used to monitor and manage devices on a network. SNMPv3 provides authentication and encryption.

Remote Access Protocols - Point-to-Point Protocol (PPP)/Point-to-Point Protocol over Ethernet (PPPoE)

PPP and PPPoE use the data link layer. PPP is less common because it typically uses dial-up connections. PPPoE normally requires a static IP from the ISP and sometimes a username and a password to authenticate with the ISP.

Remote Access Protocols - Public Switch Telephone Network (PSTN)

PSTN uses modems to connect to a remote access server. This, however, is an outdated method because of slow connection speeds.

Authentication Management Operating Systems - Windows

On Windows hosts, you can use Credential Manager to manage authentication credentials. Credential Manager stores account credentials for network resources, such as file servers and websites. Credential Manager: -Saves authentication credentials in the Windows Vault. -Uses saved account credentials when the user accesses a particular network resource. -Stores account credentials from Windows Explorer, Internet Explorer, or the Remote Desktop client. -Allows account credentials to be added to the vault using one of the following methods: --The Remember My Credentials link in the Windows Security dialog allows the credentials to be added when accessing the resource. --The Add a Windows credential link allows the credentials to be added without accessing the resource. When using this option, you must enter the internet or network address of the resource. -Allows saved credentials to be edited or deleted. -Does not display passwords for saved credentials.

Network Authentication Mode - Anonymous

Only a user name (no password) is required to authenticate.

Network Authentication Protocols - Open Authorization(OAuth)

Open Authorization (OAuth) is an open standard for token-based authentication and authorization on the internet. It allows access tokens to be issued to third-party clients by an authorization server with the approval of the resource owner. The third party uses the access token to access the protected resources hosted by the resource server. This mechanism is used by companies like Google, Facebook, Microsoft, and Twitter, to permit users to share information about their accounts with third-party applications or websites. OAuth specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. It is designed to work with the Hypertext Transfer Protocol (HTTP). OAuth is a service that is complementary to and distinct from OpenID.

Network Authentication Protocols - OpenID

OpenID is an open standard and decentralized authentication protocol. It allows users to be authenticated by co-operating sites using a third-party service and allowing users to log in to multiple unrelated websites without having a separate identity and password for each. Users create accounts by selecting an OpenID identity provider and using those accounts to sign on to any website that accepts OpenID authentication. The OpenID protocol does not rely on a central authority to authenticate a user's identity. Because neither services nor the OpenID standard mandates how to authenticate users, authentication methods range from passwords to smart cards and biometrics.

Network Authentication Mode - Simple Authentication and Security Layer (SASL)

SASL is an extensible mechanism for protecting authentication.

User Security Commands - change

Set user passwords to expire. Be aware of the following options: - -M sets the maximum number of days before the password expires. - -W sets the number of days before the password expires that a warning message displays. - -m sets the minimum number of days that must pass after a password has been changed before a user can change the password again.

Subjects

Subjects are users, applications, or processes that need access to objects.

Remote Access Policies Solutions - Terminal Access Controller Access-Control System Plus (TACACS+)

TACACS and the updated version, TACACS+: -Separate authentication, authorization, and accounting into different services. -Allow the services to be on the same server or split between different servers. -Use Transmission Control Protocol (TCP) instead of UDP.

User Files (caution) - /etc/default/useradd

The /etc/default/useradd file contains default values used by the useradd utility when creating a user account, including: -Group IDHome directory -Account expiration -Default shell -Secondary group membership

User Files (caution) - /etc/login.defs

The /etc/login.defs file contains: -Values used for the group and user ID numbers -Parameters for password encryption in the shadow file -Password expiration values for user accounts

User Files - /etc/passwd

The /etc/passwd file contains the user account information. Each user's information is stored in a single line on this file. There are two types of accounts in a Linux system: -Standard accounts (these are user accounts). -System user accounts (these are used by services).

User Files - /etc/shadow

The /etc/shadow file contains the users' passwords in an encrypted format. The shadow file is linked to the /etc/passwd file. There are corresponding entries in both files, and they must stay synchronized. There are password and user management utilities provided by the system that allow you to edit the files and keep them synchronized. You can use the following commands to identify errors and synchronize the files: -pwck verifies each line in the two files and identifies discrepancies. -pwconv adds the necessary information to synchronize the files.

User Files (caution) - /etc/skel

The /etc/skel directory contains a set of configuration file templates that are copied into a new user's home directory when it is created, including the following files: -.bashrc -.bash_logout -.bash_profile -.kshrc

Hardening Authentication Methods - Multifactor Authentication

When possible, multifactor authentication should be used. This means using more than one method to authenticate your users. End users can be authenticated using three types of factors: -Something you know -Something you have -Something you are Robust authentication processes use two or more of these factors.

Policy

A policy is a set of configuration settings applied to users or computers.

Biometric Method - Retina

A retina is the back portion of the eye that is sensitive to light. Numerous capillaries move blood to the retina and these capillaries create a unique pattern. A retinal scanner shines infrared light into an eye and measures the amount of reflection. The vessels in the retina absorb infrared light so that the reflection pattern can be stored for future identification.

Identity Term - SSH Keys

A secure shell (SSH) key is an access credential. It operates like usernames and passwords but is mostly used to implement single sign-on and other automated processes.

Access Control List (ACL) Types - System access control list (SACL)

A system access control list is used by Microsoft for auditing in order to identify past actions performed by users on an object.

Identity Term - Tokens

A token is a device or a file used to authenticate. A hardware token, such as a key fob, serves as something you have. A software token, also known as a soft token, is stored in devices such as laptops, desktops, or mobile phones. These tokens are specific to the device, and cannot be altered or duplicated.

Tree

A tree is a group of related domains that share the same contiguous DNS namespace.

Active Directory Components - Domain controller

A domain controller is a server that holds a copy of the Active Directory database that can be written to. Replication is the process of copying changes to Active Directory between the domain controllers. In contrast, member servers are servers in the domain that do not have the Active Directory database.

Active Directory Components - Domain

A domain is an administratively-defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure. Depending on the network structure and requirements, the entire network might be represented by a single domain with millions of objects, or the network might require multiple domains.

Authentication Methods - Federation

A federation is a group of domains that have established trust and therefore shared authorizations. A federation can be within one organization with multiple domains or it can include several trusted organizations to share resources. The good thing about this method of authentication is that everything happens onsite and provides detailed levels of access control.

Forest

A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.

Active Directory Advantages - Scalability

A hierarchical database lets you grow the Active Directory to meet the needs of your environment.

Access control list (ACL)

A list that identifies users or groups who have specific security assignments to an object.

Multifactor authentication

A method of confirming identity by using two or more pieces of evidence (or factors) to an authentication mechanism. Using more than one method to authenticate users.

Access control

Access control is the ability to permit or deny access to resources on a network or computer.

Permission Types - Effective permissions

Access rights (permissions) are cumulative. If you are a member of two groups with different permissions, you have the combined permissions of both groups (this is known as effective permissions). Effective permissions are the combination of inherited permissions and explicit permissions.

False positive

An error that occurs when a person who should be denied access is allowed access.

Identity Term - Identity Provider(IdP)

An identity provider is an online service that manages identity information for other organizations. The IdP creates records from an organization's existing data and policies. These records are used to authenticate user requests.

Discretionary ACL (DACL)

An implementation of discretionary access control (DAC) in which owners add users or groups to the DACL for an object and identify the permissions allowed for that object.

Security Principal

An object such as a user account, computer account, and security group account that can be given permissions to an object.

Active Directory Components - Organizational unit (OU)

An organizational unit is like a folder that subdivides and organizes network resources within a domain. An organizational unit: -Is a container object -Can hold other organizational units -Can hold objects such as users and computers Can be used to logically organize network resources -Simplifies security administration

Organizational unit

An organizational unit is similar to a folder. It subdivides and organizes network resources within a domain.

Authentication Methods - Attestation

Attestation is a protocol that is used to prove that software can be trusted. It tells the remote user that the application or OS software is legitimate and has been certified. Attestation can work both ways. Say you were going to log into your bank account. You want to be sure that the site you are logging into is trustworthy and the bank wants to be sure that the correct individual is logging into the account.

Access Control Models - Attribute-based access control(ABAC)

Attribute-based access control restricts access by assigning attributes to resources. -Attributes can be things like a user's role, position, or current project. -The set of attributes assigned to a resource constitutes a policy that uses Boolean logic to determine who can access the resource. -An example of a file access policy might include the following attributes: role = manager, department = development, and project = NewApp. Only users who possess all three attributes can access the file. -ABAC uses a special markup language called eXtensible Access Control Markup Language (XACML) to define access control policies.

Identity Term - Attributes

Attributes can be your role, position, or current project. This information can be used to determine policy and permission.

Auditing

Auditing, also referred to as accounting, is maintaining a record of the activity within the information system.

Authentication Technologies - Authentication Applications

Authentication applications are third-party tools that organizations use to authenticate their users, especially those working remotely. An authenticator app, typically installed on a smartphone, provides a new six-to-eight digit code every 30 seconds. This passcode, along with your username and password, provides additional verification that you are who you say you are. Another similar method that you may have used is a one-time password. Some banks use this method to allow ATM withdrawals without using a debit card. An application or token creates a one-time password. This password only works for a single login. After that, the password expires. There are two different methods for creating one-time passwords: -HMAC-based one-time password (HOTP): This type of one-time password uses a mathematical algorithm to create a new password based on the previous password that was generated. -Time-based one-time password (TOTP): This one-time password is generated by sending a shared secret key and the current time through an algorithm. This generated password is valid for only a short period, typically thirty seconds. After that, a new one-time password is generated using the same method.

Authorization

Authorization is granting or denying access to an object based on the level of permissions or the actions allowed with the object. The process of controlling access to resources, such as computers, files, or printers.

GPO Category - Computer Configuration

Computer policies are enforced for the entire computer and are initially applied when the computer boots. Computer policies are in effect regardless of the user logging into the computer. Computer policies include: -Software that should be installed on a specific computer -Scripts that should run at startup or shutdown -Password restrictions that must be met for all user accounts -Network communication security settings -Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree) Computer policies also include a special category of policies called user rights. User rights identify system maintenance tasks and the users or groups who can perform these actions. Actions include: -Changing the system time -Loading and unloading device drivers -Removing a computer from a docking station -Shutting down the system Computer policies are initially applied as the computer boots and are enforced before any user logs on.

Access Control Models - Conditional access

Conditional access is a way to enforce access control while also encouraging users to be productive wherever they are. Conditional access isn't intended to be the first point of security. Instead, it steps in after the first-factor authentication has been granted. Conditional access policies work by asking a user to complete an action in order to access a resource. Depending on the level of security of the requested resource, the user may be required to complete more actions. For policy decisions, conditional access can be configured to consider many different factors including: -Implement control at the user or group level. -Permit or deny access based on an IP address or an IP range. -Permit or deny access to users who are using specific applications. -Permit, restrict, or deny access to users who are using specific devices or device states.

Active Directory Advantages - Delegation

Delegation allows you to assign users to manage portions of the Active Directory database without giving all users rights to the entire database. For example, you can assign an administrator to manage the sales department in North America and enable this administrator to create user accounts, remove user accounts, and change passwords. However, this sales administrator won't be allowed to access the accounting or development departments. As another example, you can allow an administrator to manage all departments in Europe, but none in North American or Asia.

Permission Types - Deny permissions

Deny permissions always override Allow permissions. For example, if a user belongs to two groups and a specific permission is allowed for one group and denied for the other, the permission is denied. However, the exception to this rule comes with inherited permissions. If an object has an explicit Allow permission entry, inherited Deny permissions do not prevent access to the object. Explicit permissions override inherited permissions, including Deny permissions.

Authentication Methods - Directory Services

Directory services implement single sign-on for resources on the network. Examples are: -Active Directory on a Microsoft network -LDAP Directory Services -Azure Active Directory is an identity and access management solution for the cloud Single sign-on can be implemented between directory services of different systems. For example, single sign-on can be implemented if the directory services are compatible, such as Microsoft and Linux systems. In this case, logging into a Linux system would authenticate you to access resources on the Microsoft network that you have permissions to access. Directory services users sign on using a domain user account and password to gain access to resources available on the domain.

Access Control Models - Discretionary access control (DAC)

Discretionary access control assigns access directly to subjects based on the owner's discretion. -Objects have a discretionary access control list (DACL) with entries for each subject. -Owners add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object. -With discretionary access control, subjects can pass permissions on to other subjects. Many computer systems use discretionary access control to limit access to systems or other resources.

Biometric Parameter - Universal

Does each person have the physical attribute being measured?

Transition Best Practices Event - Active accounts

During the life of an account: -Modify access rights as job roles and circumstances change. -Monitor password resets and lockouts to ensure account security. -Re-evaluate access rights on a periodic basis.

Authentication Attribute - Someone you know

Having someone who can vouch for you can go a long way in establishing relationships and building trust. The same is true with authentication. Certificates and attestation are examples of this attribute.

Active Directory Advantages - Organization

Hierarchical databases let you sort and organize your user accounts by location, function, and department.

Biometric Parameter - Permanent

How well does the specified attribute hold up to aging?

Access Control Models - Mandatory access control (MAC)

Mandatory access control uses labels for both subjects (users who need access) and objects (resources with controlled access, such as data, applications, systems, networks, and physical space). Every operation performed is tested against a set of authorization policies to determine if the operation is allowed. -Classification labels, such as secret or top secret, are assigned to objects by their owner, who is usually a managerial or governmental entity. -Clearance labels are assigned to subjects. -When a subject's clearance lines up with an object's classification and the user has a need to know (referred to as a category), the user is then granted access. -Access control is mandatory because access is based on policy (the matching of the labels) rather than identity. Owners can only assign labels; they cannot grant access to specific subjects.

Member servers

Member servers are servers in the domain that do not have the Active Directory database.

Access Control Best Practices - Multi-Factor Authentication

Multi-Factor Authentication is the process of using more than one way to verify identity. In the computer world, Multi-Factor Authentication is achieved by requiring two or more methods that only the user can provide. Five categories of computer system authentication include: -Something you are, such as biometric information (e.g., fingerprint or retina scan). -Something you have, such as smart cards, RSA tokens, or security key fobs. -Something you know, such as passwords and PINs. -Somewhere you are, such as a geographical location. -Something you do, such as how you type a sentence on a keyboard.

Active Directory Components - Trees and forests

Multiple domains are grouped together in the following relationship: -A tree is a group of related domains that share the same contiguous DNS namespaces. -A forest is the highest level of the organization hierarchy and is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.

Access Control Best Practices - Mutual authentication

Mutual authentication is when two communicating entities authenticate each other before exchanging data. It requires not only the server to authenticate the user, but the user to authenticate the server. This makes mutual authentication more secure than traditional, one-way authentication.

Access Control Best Practices - Need to know

Need to know describes the restriction of data that is highly sensitive and is usually referenced in government and military context. Important facts about the need to know include: -Even if an individual is fully cleared, the information will not be divulged unless the person has a need to know the information to perform official duties. -Need to know discourages casual browsing of sensitive materials. -In a classified environment, a clearance into a top secret compartment allows access to only certain information within that compartment. This is a form of mandatory access control (MAC).

Access Control Models - Role-based access control(RBAC)

Role-based access control allows access based on a role in an organization; it is not user specific. Role-based access control is also known as non-discretionary access control. -Roles are defined by job description or security access level. -Users are made members of a role and receive the permissions assigned to the role. -RBAC is similar to group-based access control. Group-based access control uses a collection of users; RBAC uses a collection of permissions.

Access Control Best Practices - Separation of duties

Separation of duties is the concept of having more than one person required to complete a task. This is a preventive principle primarily designed to reduce conflicts of interest. It also prevents insider attacks because no one person has end-to-end control and no one person is irreplaceable. Important facts to know about separation of duties include: -System users should have the lowest level of rights and privileges necessary to perform their work and should have those privileges only for the shortest length of time possible. -To achieve a separation of duties, a business can use the principle of split knowledge. This means that no single person has total control of a system's security mechanisms; no single person can completely compromise the system. -In cases of sensitive or high-risk transactions, a business can use two-man controls. This means that two operators must review and approve each other's work.

Authentication Technologies - Short Message Service (SMS)

Short Message Service (SMS) authentication uses SMS messaging to send a one-time code or password to a known user of an account in order to verify their identity. This requirement can be requested at every login, at every time the user signs into a new device or browser, or at timed intervals.

Smart cards

Similar in appearance to credit cards, smart cards have an embedded memory chip that contains encrypted authentication information. These cards are used for authentication.

Authentication Technologies - Phone Call

Similar to SMS, the user receives a phone call with the one-time code or password.

Authentication Attribute - Something you exhibit

Something that you exhibit could include a personality trait or a habit. For example: -The time of day you usually log on. -The method you usually use to access information. -The types of tasks you usually perform. When administrators notice unusual or risky behavior, they may choose to restrict access. This could mean requiring a password change, requiring another method of authentication, or even blocking your access.

Authentication Factor - Something you are

Something you are authentication uses a biometric system. A biometric system attempts to identify you based on metrics or a mathematical representation of a biological attribute, such as eye or fingerprint. This is the most expensive and least accepted but is generally considered to be the most secure form of authentication.

Authentication Factor - Something you have

Something you have, also called token-based authentication, bases authentication on something physical you have in your possession. Examples of something you have authentication controls include: -Swipe cards (similar to credit cards) with authentication information stored on the magnetic strip. -Photo IDs are very useful when combined with other forms of authentication, but are high-risk if they are the only form of required authentication. Photo IDs are easily manipulated or reproduced, require personnel for verification, and cannot be verified against a system. -Key fobs are small, programmable hardware often used to provide access to buildings and open doors. Key fobs are often attached to a keychain. -Security tokens generate a unique password when activated manually. These passwords are used one time and usually expire in minutes. Types of token-based authentication include:\ --A static password that is saved on the token device. Swiping the token supplies the password for authentication. --Synchronous dynamic password systems that generate new passwords at specific intervals on the hardware token. You must read the generated password and enter it along with the PIN to gain access. --An asynchronous dynamic password system that generates new passwords based on an event, such as pressing a key. --A challenge response system that generates a random challenge string. The challenge text is entered into the token, along with the PIN. The token then uses both to generate a response used for authentication. -Smart cards contain a memory chip with encrypted authentication information. Smart cards can: --Require contact such as swiping, or they can be contactless. --Contain microprocessor chips with the ability to add, delete, and manipulate data. --Store digital signatures, cryptography keys, and identification codes. --Use a private key for authentication to log a user into a network. The private key is used to digitally sign messages. --Be based on challenge response. You are given a code (the challenge) which you enter into the smart card. The smart card then displays a new code (the response) that you can present to log in. -Smart cards typically use certificates for identification and authentication. With certificates, the digital document is associated with a user in one of the following ways: --With a one-to-one mapping, each certificate maps to an individual user account (each user has a unique certificate). --With many-to-one mapping, a certificate maps to many user accounts (a group of users share the same certificate).

Authentication Factor - Something you know

Something you know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication, but also the most commonly used. Examples of something you know authentication controls are: -Passwords, codes, or IDs. -PINs. -Passphrases (long, sentence-length passwords). -Cognitive information, such as questions that only you can answer, such as mother's maiden name, the model of your first car, or the city where you were born. -Composition passwords are created by the system and are usually two or more unrelated words divided by symbols on the keyboard. Usernames are not a form of something you know authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity. To be safe, the same password should not be used for more than one application or website.

Authentication Attribute - Somewhere you are

Somewhere you are (also known as geolocation) uses physical location to verify your identity. Examples of implementations include: -A desktop system configured to allow authentication requests only if you have passed through the building's entrance using your ID card. If your are not in the building, your account is locked. -A system configured with an RFID proximity reader and required RFID badges. If you are within the RFID range of the workstation, authentication requests are allowed. If you move out of range, the workstation is immediately locked and re-authentication is not allowed until you move back within range. -GPS location data is used to determine a device's location. If you and the device are in a specified location, authentication requests are allowed. If not, the device is locked or additional authentication factors are requested. -Wi-Fi triangulation is used to determine a device's location. If you and the device are in a specified location, authentication requests are allowed. If not, the device is locked, or additional authentication factors are requested.

Permission Types - Cumulative permissions

The following suggestions will help you plan permissions and mitigate issues related to cumulative permissions: -Identify the users and their access needs (the actions each user needs to be able to perform). -Create a group for each type of users with similar needs. Then, make the users members of the appropriate group. -Assign each group (not user) the permissions appropriate to the group's data access needs. Grant only the permissions that are necessary. -Take inheritance into account as you assign permissions. Inheritance means that permissions granted to a parent container object flow down to child objects within the container. Set permissions as high as possible on the parent container and allow each child container to inherit the permissions. -Override inheritance on a case-by-case basis when necessary.

Biometric Method - Iris

The iris is the colorful portion of the eye around the pupil. Infrared light lights up the iris, and the scanner captures images of its unique patterns.

Processing rate

The number of subjects or authentication attempts that can be validated.

Crossover error rate

The point at which the number of false positives matches the number of false negatives in a biometric system.

Access Control Best Practices - Principle of least privilege

The principle of least privilege states that users or groups are given only the access they need to do their jobs and nothing more. Common methods of controlling access include: -Implicit deny denies access to users or groups who are not specifically given access to a resource. Implicit deny is the weakest form of privilege control. -Explicit allow specifically identifies users or groups who have access. Explicit allow is a moderate form of access control in which privilege has been granted to a subject. -Explicit deny identifies users or groups who are not allowed access. Explicit deny is the strongest form of access control and overrules all other privileges granted. When assigning privileges, be aware that it is often easier to give a user more access when the user needs it than to take away privileges that have already been granted. Access recertification is the process of continually reviewing a user's permissions and privileges to make sure the user has the correct level of access.

Microprobing

The process of accessing a smart cards chip surface directly to observe, manipulate, and interfere with the circuit.

Local User Tools - Computer Management

To create a local account: 1. Right-click Start and then select Computer Management. 2. From Computer Management, expand Local Users and Groups. 3. Right-click Users and then select New User. 4. Complete the required options and click Create. With this tool you are not required to use security questions. This method also gives you the ability to: -Force users to change the password at the next sign-in -Restrict the user from changing the password -Allow the password to never expire -Disable/enable an account

GPO Category - User Configuration

User policies are enforced for specific users and are applied when the user logs on. User Policy settings include: -Software that should be installed for a specific user -Scripts that should run at logon or logoff -Internet Explorer user settings (such as favorites and security settings) -Registry settings that apply to the current user (the HKEY_CURRENT_USER subtree) User policies are initially applied as the user logs on and customizes Windows based on his or her preferences.

Biometric Method - Voice

Voice recognition systems analyzes a person's voice for things like pitch, intensity, and cadence. These systems can be text dependent or text independent. Text-dependent authentication requires a specific phrase to be spoken. This could be a pre-determined phrase, or it could be randomly generated. Text-independent authentication uses any speech content.

Transition Best Practices Event - Account creation

When an account is created, apply the appropriate access rights based on the job role as implemented in the access control system. Use the principle of least privilege and grant only the minimum privileges required to perform the duties of the position.

Transition Best Practices Event - Old accounts

When an account is no longer needed, take appropriate actions to: -Delete accounts that will no longer be used. -Rename accounts to give new users in the same job role the same access privileges. -Lock accounts that will not be used for extended periods to prevent them from being used. -Remove unnecessary rights from accounts that will be kept on the system. -Archive important data or files owned by the user, or assign ownership to another user. -Prohibit the use of generic user accounts, such as the Guest or Administrator users on Windows systems. End-of-life procedures should include not only deactivating or deleting unused accounts, but also destroying data that might remain on storage media. This will prevent sensitive data from being accessible to unauthorized users.

Active Directory Components - Object

Within Active Directory, each resource is identified as an object. Common objects include: -Users -Groups -Computers -Shared folders Each object contains additional information about the shared resource that can be used for locating and securing resources. Groups are composed of other directory objects that have a common level of access. The schema identifies the object classes (the type of objects) that exist in the tree and the attributes (properties) of the objects. In Active Directory, each user is assigned a Security Account Manager (SAM) account name; therefore, each user name must be unique.