AAA ( Authentication, Authorization, Accounting )
What is used to request access to services in the Kerberos process?
A Ticket Granting Ticket (TGT) is used to request access to services in the Kerberos process.
In a Certificate Authority (CA) infrastructure, why is a client certificate used?
A client certificate is used to authenticate the client with other computers.
DN (Distinguished Name)
A long form of an object's name in Active Directory that explicitly indicates the object name, plus the names of its containers and domains. A distinguished name includes a DC (domain component), OU (organizational unit), and CN (common name). A client uses the distinguished name to access a particular object, such as a printer.
OTP (one-time password)
A password that is generated for used in one specific session and becomes invalid after the session ends.
Authorization is concerned with determining ______ to resources.
Access
How is auditing related to accounting?
Accounting involves recording resource and network access and usage. Auditing is reviewing these usage records by looking for any anomalies.
A company is utilizing Google Business applications for the marketing department. These applications should be able to temporarily access a user's email account to send links for review. Why should the company use Open Authorization (OAuth) in this situation?
Admn multiple ????
NTP (Network Time Protocol)
An Internet protocol that enables synchronization of computer clock times in a network of computers by exchanging time signals.
Authentication is concerned with determining _______.
Authentication is concerned with confirming the identities of individuals.
How is authentication different from authorization?
Authentication is proving that an entity is who they claim to be, while authorization is determining whether or not that entity is permitted to access resources.
What role does authorization play?
Authorization has to do with what resource a user or account is permitted or not permitted to access.
In the three As of security, which part pertains to describing what the user account does or doesn't have access to?
Authorization pertains to describing what the user account does or doesn't have access to.
A Lightweight Directory Access Protocol (LDAP) uses a _____ structure to hold directory objects.
BInd????
A systems administrator is designing a directory architecture to support Linux servers using Lightweight Directory Access Protocol (LDAP). The directory needs to be able to make changes to directory objects securely. Which of these common operations supports these requirements?
Bind, modify??
What is CRL?
CRL stands for "Certificate Revocation List." It's a list published by a CA, which contains certificates issued by the CA that are explicitly revoked, or made invalid.
True or false: The Network Access Server handles the actual authentication in a RADIUS scheme.
FALSE The Network Access Server only relays the authentication messages between the RADIUS server and the client; it doesn't make an authentication evaluation itself.
True or false: Clients authenticate directly against the RADIUS server.
False Clients don't actually interact directly with the RADIUS server; the authentication is relayed via the Network Access Server.
Your bank set up multifactor authentication to access your account online. You know your password. What other factor combined with your password qualifies for multifactor authentication?
Fingerprint PIN?? +
Access control entries can be created for what types of file system objects?
Folder Files. Programs
TGS (Ticket-Granting Service)
In Kerberos terminology, an application separate from the AS (authentication service) that runs on the KDC and issues Ticket-Granting Tickets to clients so that they need not request a new ticket for each new service they want to access.
What advantages does single sign-on offer?
It reduces the total of credentials it reduces time spent authenticating
TACACS+ (Terminal Access Controller Access Control System Plus)
It's a Cisco developed AAA protocol that was released as an open standard in 1993. It replaced the older TACACS protocol developed in 1984 for MILNET
U2F (Universal Second Factor)
It's a standard developed jointly by Google, Yubico and NXP Semiconductors. The finalized standard for U2F are being hosted by the FIDO alliance. U2F incorporates a challenge-response mechanism, along with public key cryptography to implement a more secure and more convenient second-factor authentication solution.
Which of these are examples of a Single Sign-On (SSO) service?
Kerberos Open ID
An organization needs to setup a(n) _____ infrastructure to issue and sign client certificates.
LDAP??
What does OAuth provide?
OAuth is an open authorization protocol that allows account access to be delegated to third parties, without disclosing account credentials directly.
What does a Kerberos authentication server issue to a client that successfully authenticates?
Once authenticated, a Kerberos client receives a ticket-granting ticket from the authentication server. This TGT can then be presented to the ticket-granting service in order to be granted access to a resource.
What does OpenID provide?
OpenID allows authentication to be delegated to a third-party authentication service.
Which of these are examples of "something you have" for multifactor authentication?
RSA SecureID token is an example of an OTP. It is a small battery-powered device with an LCD display. Passwords??
Security Keys utilize a secure challenge-and-response authentication system, which is based on ________.
Security keys use public key cryptography to perform a secure challenge response for authentication.
In a multi-factor authentication scheme, a password can be thought of as:
Since a password is something you memorize, it's something you know when talking about multi-factor authentication schemes.
Multiple client switches and routers have been set up at a small military base. The network team decided to implement Terminal Access Controller Access-Control System Plus (TACACS+), along with Kerberos, and an external Lightweight Directory Access Protocol (LDAP) service. What is the primary reason TACACS+ was chosen for this?
TACACS+ is primarily used for device administration authentication, authorization, and accounting (AAA).
What are some drawbacks to using biometrics for authentication?
There are potential privacy concerns Biometric authentication is difficult or impossible to change if compromised
CRL (Certificate Revocation List)
This is a signed list published by the CA which defines certificates that have been explicitly revoked
What elements of a certificate are inspected when a certificate is verified?
To verify a certificate, the period of validity must be checked, along with the signature of the signing certificate authority, to ensure that it's a trusted one.
Security Keys are more ideal than OTP generators because they're resistant to _______ attacks.
Where the OTP code can be phished, security keys rely on a challenge response system which prevents phishing attacks.
In what way are U2F tokens more secure than OTP generators?
With one-time-password generators, the one-time password along with the username and password can be stolen through phishing. On the flip side, U2F authentication is impossible to phish, given the public key cryptography design of the authentication protocol.
Authentication (authn)
about proving you are who you claim to be
common operations that can be called by a client to interact with an LDAP server are:
bind, which is how clients authenticate to the server StartTLS, which permits a client to communicate using LDAP v3 over TLS Search, for performing look ups and retrieval of records. Add/delete/modify which are various operations to write data to the directory Unbind, which closes the connection to the LDAP server
Accounting
his means, keeping records of what resources and services your users access or what they did when they were using your systems
TACACS+ (TACACS Plus)
is a device access AAA system that manages who has access to your network devices and what they do on them
Kerberos
is a network authentication protocol that uses tickets to allow entities to prove their identity over potentially insecure channels to provide mutual authentication. It also uses symmetric encryption to protect protocol messages from eavesdropping and replay attacks.
RADIUS (Remote Authentication Dial-In User Service,)
is a protocol that provides AAA services for users on a network
Multifactor authentication
is a system where users are authenticated by presenting multiple pieces of information or objects.
SSO (Single Sign-On)
is an authentication concept that allows users to authenticate once to be granted access to a lot of different services and applications.
LDAP (Lightweight Directory Access Protocol)
is an open industry-standard protocol for accessing and maintaining directory services. When we say directory services, we're referring to something similar to a phone or email directory.
OAuth (Open Authorization)
is an open standard that allows users to grant third-party websites and applications access to their information without sharing account credentials. OAuth permissions can be used in phishing style attacks to gain access to accounts without requiring credentials to be compromised.
identification
is the idea of describing an entity uniquely
Biometric authentication
is the process of using unique physiological characteristics of an individual to identify them. By confirming the biometric signature,t he individual is authenticated.
Authorization (authz)
pertains to describing what the user account has access to or doesn't have access to.
An Open Authorization (OAuth) access token would have a _____ that tells what the third party app has access to.
request??
multifactor authentication system can be categorized into three types:
something you know something you have something you are
What does a Terminal Access Controller Access Control System Plus (TACACS+) keep track of?
tracks user authentication. tracks commands that were ran by a user.