6.1 - 6.10 Identity, Access, and Account Management


On a computer network, a directory service is an example of a technical access control system that you use to manage and enforce access control policies. Within the directory service:

> A user account is created for each subject.
> Identification is performed during logon when the user supplies a valid user account name.
> Authentication is performed during logon when the user password or other credentials are verified.
> Authorization to use network resources, such as files, printers, or computers, is controlled by permissions or rights.
> Auditing is performed by the operating system as it tracks subjects' actions toward objects.

Smart cards (Something you have)

Smart cards contain a memory chip with encrypted authentication information. Smart cards can:
> Require contact, such as swiping, or be contactless.
> Contain microprocessor chips with the ability to add, delete, and manipulate data.
> Store digital signatures, cryptography keys, and identification codes.
> Use a private key for authentication to log a user into a network. The private key is used to digitally sign messages.
> Be based on challenge response. You are given a code (the challenge), which you enter into the smart card. The smart card then displays a new code (the response) that you can present to log in.
Smart cards typically use certificates for identification and authentication. With certificates, the digital document is associated with a user in one of the following ways:
> With one-to-one mapping, each certificate maps to an individual user account (each user has a unique certificate).
> With many-to-one mapping, a certificate maps to many user accounts (a group of users share the same certificate).

If you are considering implementing biometrics, keep in mind the following:

> Some biometric factors are unique. This is true even between identical twins.
> When a biometric is used by itself, it is no more secure than a strong password. A single successful attack can subvert a biometric in much the same way that a single successful attack can subvert a password.
> Biometric attacks need not be physically harmful (such as cutting off a finger) but can include a wide variety of realistic reproductions that fool the biometric reader device.
> The most important consideration for a biometric device is accuracy.
> When a biometric device has its sensitivity set too high, it can result in numerous false-negative rejections, where authorized users are not recognized.
> To use a biometric, new users must go through a physical enrollment process that is more complex and time consuming than the enrollment process for a password-only system.
> Biometric enrollment requires new users to prove their identity to a user administrator. The new user must then provide the first example of their biometric to a reader device under the supervision of the user administrator. This first example is digitized and stored as a reference template. All future uses of the biometric compare the contemporary biometric sample offered with the historically recorded template.

Multifactor authentication

A method of confirming identity by using two or more pieces of evidence (or factors) to an authentication mechanism.

Retina

A retina is the back portion of the eye that is sensitive to light. Numerous capillaries move blood to the retina and these capillaries create a unique pattern. A retinal scanner shines infrared light into an eye and measures the amount of reflection. The vessels in the retina absorb infrared light so that the reflection pattern can be stored for future identification.

SSH Keys

A secure shell (SSH) key is an access credential. It operates like usernames and passwords but is mostly used to implement single sign-on and other automated processes.

Tokens

A token is a device or a file used to authenticate. A hardware token, such as a key fob, serves as something you have. A software token, also known as a soft token, is stored on devices such as laptops, desktops, or mobile phones. These tokens are specific to the device and cannot be altered or duplicated.

Access Control Best Practices

Access control best practices take into consideration the following security principles and concepts:

Authentication, Authorization, and Accounting

Access control includes the following processes:
> Identification specifies the name used to identify the subject. Examples include a user name or a user ID number.
> Authentication is the process of validating a subject's identity. It includes the identification process, the user providing input to prove identity, and the system accepting that input as valid.
> Authorization is granting or denying an authenticated subject's access to an object based on the subject's level of permissions or the actions allowed with the object.
> Auditing, also referred to as accounting, is maintaining a record of a subject's activity within the information system.

Access control

Access control is the ability to permit or deny access to resources on a network or computer.

Access Control

Access control is the ability to permit or deny the privileges that a user has when accessing resources on a network or computer. Access control involves three entities:
> Objects are data, applications, systems, networks, and physical space.
> Subjects are users, applications, or processes that need access to objects.
> The access control system includes policies, procedures, and technologies that are implemented to control subjects' access to objects.

Access Control Models

Access control is the process by which resource and service use is granted or denied. The following table lists the most commonly used access control models, also known as access control schemes.

Access control policy

An access control policy defines the steps and measures that are taken to control access to objects.

Access Control Policies

An access control policy defines the steps and measures that are taken to control subjects' access to objects. Access controls can be classified according to the function they perform:
> Preventive access controls deter intrusion or attacks. These include separation of duties and dual-custody processes.
> Detective access controls search for details about the attack or the attacker. These include intrusion detection systems.
> Corrective access controls implement short-term repairs to restore basic functionality following an attack.
> Deterrent access controls discourage attack escalation.
> Recovery access controls restore the system to normal operations after the attack and the short-term stabilization period.
> Compensative access controls are alternatives to primary access controls.

Access control system

An access control system includes policies, procedures, and technologies that are implemented to control access to objects.

False negative

An error that occurs when a person who should be allowed access is denied access.

False positive

An error that occurs when a person who should be denied access is allowed access.

Identity Provider (IdP)

An identity provider is an online service that manages identity information for other organizations. The IdP creates records from an organization's existing data and policies. These records are used to authenticate user requests.

Accuracy

Are the results accurate? Accuracy is extremely critical in a biometric system. Most devices can be configured for increased or reduced sensitivity. Note the following as it relates to biometric accuracy:
> False rejection occurs when a person who should be allowed access is denied access. The false rejection rate (FRR) is a measure of the probability that a false negative will occur.
> False acceptance occurs when a person who should be denied access is allowed access. The false acceptance rate (FAR) is a measure of the probability that a false positive will occur. False positives are more serious than false negatives and represent a security breach because unauthorized persons are allowed access.
> A crossover error rate, also called the equal error rate, is the point at which the number of false positives matches the number of false negatives in a biometric system. It is advisable to select the system with the lowest crossover error rate within your budget.

6.1 Access Control Models

As you study this section, answer the following questions:
> What is access control and why is it important?
> How are rule-based access control and mandatory access control (MAC) similar?
> How does role-based control differ from rule-based control?
> How do separation of duties and job rotation differ?
> Which authentication type requires you to prove your identity?
In this section, you will learn to:
> Implement discretionary access control.

6.2 Authentication

As you study this section, answer the following questions:
> What is the difference between authentication factors and attributes?
> What is an example of the "something you are" authentication type?
> What is an example of the "something you have" authentication type?
> What is an example of the "something you know" authentication type?
> What is multi-factor authentication?
> Which physical attributes can be used to identify an individual?
In this section, you will learn to:
> Use a biometric scanner.
> Use single sign-on.

Attestation

Attestation is a protocol that is used to prove that software can be trusted. It tells the remote user that the application or OS software is legitimate and has been certified. Attestation can work both ways. Say you were going to log into your bank account. You want to be sure that the site you are logging into is trustworthy and the bank wants to be sure that the correct individual is logging into the account.

Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject?

Attribute-Based Access Control (ABAC) The ABAC model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject. The MAC model is based on classification labels being assigned to objects and clearance labels being assigned to subjects. When a subject's clearance lines up with an object's classification, the subject is granted access. The RBAC model grants access based on the subject's role in an organization. The Rule-Based Access Control model grants access based on a set of rules or policies.

Attribute-based access control (ABAC)

Attribute-based access control restricts access by assigning attributes to resources.
> Attributes can be things like a user's role, position, or current project.
> The set of attributes assigned to a resource constitutes a policy that uses Boolean logic to determine who can access the resource.
> An example of a file access policy might include the following attributes: role = manager, department = development, and project = NewApp. Only users who possess all three attributes can access the file.
> ABAC uses a special markup language called eXtensible Access Control Markup Language (XACML) to define access control policies.

Attributes

Attributes are different from factors because they do not, on their own, verify your identity. However, they do help to improve security and work well when Multi-Factor Authentication is needed. The following table describes each type of attribute:

Auditing

Auditing, also referred to as accounting, is maintaining a record of the activity within the information system.

A remote access user needs to gain access to resources on the server. Which of the following processes are performed by the remote access server to control access to resources?

Authentication and authorization A remote access server performs the following functions:
> Authentication is the process of proving identity. After devices agree on the authentication protocol to use, the login credentials are exchanged and login is allowed or denied.
> Authorization is the process of identifying the resources that a user can access over the remote access connection. Authorization is controlled through the use of network policies (remote access policies) as well as access control lists.
Accounting is an activity that tracks or logs the use of the remote access connection. Accounting is used to keep track of resource use but is not typically used to control resource use. If access is allowed or denied based on time limits, information provided by accounting might be used by authorization rules to allow or deny access. Identification is the initial process of confirming the identity of a user requesting credentials and occurs when a user types in a user ID to log on. Identity proofing occurs during the identification phase as the user proves that they are who they say they are in order to obtain credentials.

Authentication Applications

Authentication applications are third-party tools that organizations use to authenticate their users, especially those working remotely. An authenticator app, typically installed on a smartphone, provides a new six- to eight-digit code every 30 seconds. This passcode, along with your username and password, provides additional verification that you are who you say you are. Another similar method that you may have used is a one-time password. Some banks use this method to allow ATM withdrawals without using a debit card. An application or token creates a one-time password. This password only works for a single login. After that, the password expires. There are two different methods for creating one-time passwords:
> HMAC-based one-time password (HOTP): This type of one-time password uses a mathematical algorithm to create a new password based on the previous password that was generated.
> Time-based one-time password (TOTP): This one-time password is generated by sending a shared secret key and the current time through an algorithm. This generated password is valid for only a short period, typically thirty seconds. After that, a new one-time password is generated using the same method.

Authentication

Authentication is the process of validating identity. It includes the identification process, a user providing input to prove identity, and the system accepting that input as valid.

Authorization

Authorization is granting or denying access to an object based on the level of permissions or the actions allowed with the object.

6.2.8 Section Quiz

CIST 1601

Circumvention

Can the attribute be easily circumvented?

Certificates

Certificates are issued by a certificate authority and verify identity by providing the following:
> Public keys
> Details on the owner of the certificate
> Details on the issuer of the certificate

Conditional access

Conditional access is a way to enforce access control while also encouraging users to be productive wherever they are. Conditional access isn't intended to be the first point of security. Instead, it steps in after the first-factor authentication has been granted. Conditional access policies work by asking a user to complete an action in order to access a resource. Depending on the level of security of the requested resource, the user may be required to complete more actions. For policy decisions, conditional access can be configured to consider many different factors, including:
> Implement control at the user or group level.
> Permit or deny access based on an IP address or an IP range.
> Permit or deny access to users who are using specific applications.
> Permit, restrict, or deny access to users who are using specific devices or device states.

Defense-in-depth

Defense-in-depth is an access control principle that implements multiple access control methods instead of relying on a single method. Multiple defenses make it harder to bypass security measures.

Audit trails produced by auditing activities are which type of security control?

Detective Audit trails produced by auditing activities are a detective security control. Audit trails are used to detect the occurrence of unwanted or illegal actions by users. Audit trails give administrators the ability to reconstruct historical events and locate aberrant activities. Once an issue is discovered in an audit trail, the collected information can be used to guide the corrective or recovery procedure to restore resources, prevent recurrence, and prosecute the perpetrator. The security function of auditing the activities of user accounts on a secured system is considered a preventative or deterrent security control.

Directory Services

Directory services implement single sign-on for resources on the network. Examples are:
> Active Directory on a Microsoft network
> LDAP Directory Services
> Azure Active Directory, an identity and access management solution for the cloud
Single sign-on can be implemented between directory services of different systems. For example, single sign-on can be implemented if the directory services are compatible, such as Microsoft and Linux systems. In this case, logging into a Linux system would authenticate you to access resources on the Microsoft network that you have permissions to access. Directory services users sign on using a domain user account and password to gain access to resources available on the domain.

Discretionary access control (DAC)

Discretionary access control assigns access directly to subjects based on the owner's discretion.
> Objects have a discretionary access control list (DACL) with entries for each subject.
> Owners add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object.
> With discretionary access control, subjects can pass permissions on to other subjects.
Many computer systems use discretionary access control to limit access to systems or other resources.

Active accounts

During the life of an account:
> Modify access rights as job roles and circumstances change.
> Monitor password resets and lockouts to ensure account security.
> Re-evaluate access rights on a periodic basis.

Facial

Facial scanning creates a map of 80 points on an individual's face. The distances measured on this map can be used to identify the person in the future. Measurements could include the distance between eyes, the shape of a nose, the size of the cheekbones, etc.

Fingerprints

Fingerprints are made up of patterns of ridges and valleys. Fingerprint scanners analyze these patterns and convert them into a numerical format that can be stored for future comparison.

Gait

Gait recognition analyzes the way that people walk. Each person has a unique way of walking. Several factors determine your gait, including:
> Height, weight, and body proportions
> Age
> Health (diseases or disorders)
> Personality or emotions
When analyzing gait, the following are measured:
> Stride
> Step
> Speed
> Hip and foot angle
> Cadence
Data is gathered using sensors, cameras, or wearable devices. The gait recognition system creates a digital signature that can be stored or compared to existing data. Gait recognition systems are still fairly new and, as with most biometric systems, should not be used as a stand-alone method of identification.

Someone you know

Having someone who can vouch for you can go a long way in establishing relationships and building trust. The same is true with authentication. Certificates and attestation are examples of this attribute.

Collectible

How easy is it to acquire this measurable attribute?

Permanent

How well does the specified attribute hold up to aging?

Identification

Identification is the act of claiming an identity, such as telling someone your name. Important facts to know about identification include:
> In the computer world, a username is a form of identification.
> Because anyone could pretend to be the user, identification by itself is not very secure.
> To substantiate identity, the person must provide some form of identity verification.

Identity

Identity is as simple as telling someone your name. In the computer world, a username is a form of identification. Because anyone could pretend to be you, identification alone is not very secure. To substantiate your identity, you need to provide some type of verification that you are who you say you are. The following chart provides a few of the basics of identity authentication.

Unique

Is the physical attribute distinctive enough that it can be used to distinguish between individuals?

Job rotation

Job rotation is a technique where users are cross-trained in multiple job positions. Responsibilities are regularly rotated between personnel. Job rotation:
> Cross-trains staff in different functional areas in order to detect fraud.
> Exchanges positions of two or more employees to allow for oversight of past transactions.
> Can be used for training purposes.

Mandatory access control (MAC)

Mandatory access control uses labels for both subjects (users who need access) and objects (resources with controlled access, such as data, applications, systems, networks, and physical space). Every operation performed is tested against a set of authorization policies to determine if the operation is allowed.
> Classification labels, such as secret or top secret, are assigned to objects by their owner, who is usually a managerial or governmental entity.
> Clearance labels are assigned to subjects.
> When a subject's clearance lines up with an object's classification and the user has a need to know (referred to as a category), the user is then granted access.
> Access control is mandatory because access is based on policy (the matching of the labels) rather than identity. Owners can only assign labels; they cannot grant access to specific subjects.

Multi-Factor Authentication

Multi-Factor Authentication is the process of using more than one way to verify identity. In the computer world, Multi-Factor Authentication is achieved by requiring two or more methods that only the user can provide. Five categories of computer system authentication include:
> Something you are, such as biometric information (e.g., fingerprint or retina scan).
> Something you have, such as smart cards, RSA tokens, or security key fobs.
> Something you know, such as passwords and PINs.
> Somewhere you are, such as a geographical location.
> Something you do, such as how you type a sentence on a keyboard.

Mutual authentication

Mutual authentication is when two communicating entities authenticate each other before exchanging data. It requires not only the server to authenticate the user, but the user to authenticate the server. This makes mutual authentication more secure than traditional, one-way authentication.

Which of the following principles is implemented in a mandatory access control model to determine object access by classification level?

Need to Know Need to Know is used with mandatory access control environments to implement granular control over access to segmented and classified data. Separation of duties is the security principle that states that no single user is granted sufficient privileges to compromise the security of an entire environment. Clearance is the subject classification label that grants a user access to a specific security domain in a mandatory access control environment. Ownership is the access right in a discretionary access control environment that gives a user complete control over an object. This is usually because he or she created the object.

Need to know

Need to know describes the restriction of data that is highly sensitive and is usually referenced in a government and military context. Important facts about need to know include:
> Even if an individual is fully cleared, the information will not be divulged unless the person has a need to know the information to perform official duties.
> Need to know discourages casual browsing of sensitive materials.
> In a classified environment, a clearance into a top secret compartment allows access to only certain information within that compartment. This is a form of mandatory access control (MAC).

Transition Best Practices

Organizations should follow strict guidelines when an employee transitions out of a position or into a new position. Creeping privileges occur when a user's job position changes and the user is granted a new set of access privileges, but the user's current access privileges are not removed or modified, resulting in privilege escalation. As a result, the user accumulates privileges that are not necessary for the current work tasks. The principle of least privilege and separation of duties are countermeasures against creeping privileges. To avoid creeping privileges and to best protect the security of information, the following precautions should be taken in each stage of the account's life cycle:

What is the primary purpose of separation of duties?

Prevent conflicts of interest The primary purpose of separation of duties is to prevent conflicts of interest by dividing administrative powers between several trusted administrators. This prevents a single person from having all of the privileges over an environment, which would create a primary target for attack and a single point of failure. Increasing administrative difficulty, informing managers that they are not trusted, or granting a greater range of control to senior management are not the primary purposes of separation of duties. Separation of duties might seem to increase administrative difficulty, but this separation provides significant security benefits. A manager is informed they are not trusted when they are not given any responsibility as opposed to a reasonable portion of responsibility. Senior management already has full control over their organization.

You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with?

Principle of least privilege The principle of least privilege is the assignment of access permissions so that users can only access the resources required to accomplish their specific work tasks. Job rotation and cross-training involve training groups of employees how to perform multiple job roles and periodically rotating those roles. Need to know is a feature of MAC environments where data within your classification level is compartmentalized and requires specific work-task needs for privilege access.

Which of the following is an example of privilege escalation?

Privilege creep Privilege creep occurs when a user's job position changes and he or she is granted a new set of access privileges for their new work tasks, but their previous access privileges are not removed. As a result, the user accumulates privileges over time that are not necessary for their current work tasks. This is a form of privilege escalation. Principle of least privilege and separation of duties are countermeasures against privilege escalation. Mandatory vacations are used to perform peer reviews, which require cross-trained personnel and help detect mistakes and fraud.

Push Notifications

Push notifications can also be used to grant access to an account. Whenever you log into your account, you enter your username. But instead of a password, you receive an access request notification on your mobile device. You can choose to either approve or decline this request.

You have implemented an access control method that only allows users who are managers to access specific data. Which type of access control model is being used?

RBAC Role-based access control (RBAC) allows access based on a role in an organization, not individual users. Roles are defined based on job description or a security-access level. Users are made members of a role and receive the permissions assigned to the role. Discretionary access control (DAC) assigns access directly to subjects based on the discretion of the owner. Objects have a discretionary access control list (DACL) with entries for each subject. Owners add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object. Mandatory access control (MAC) uses labels for both subjects (users who need access) and objects (resources with controlled access). When a subject's clearance lines up with an object's classification, and when the user has a need to know (referred to as a category), the user is granted access.

Role-based access control (RBAC)

Role-based access control allows access based on a role in an organization; it is not user specific. Role-based access control is also known as non-discretionary access control.
> Roles are defined by job description or security access level.
> Users are made members of a role and receive the permissions assigned to the role.
> RBAC is similar to group-based access control. Group-based access control uses a collection of users; RBAC uses a collection of permissions.

Which of the following is an example of rule-based access control?

Router access control lists that allow or deny traffic based on the characteristics of an IP packet. A router access control list that allows or denies traffic based on the characteristics of an IP packet is an example of rule-based access control. A subject with a government clearance that allows access to government classification labels of Confidential, Secret, and Top Secret is an example of mandatory access control. A member of the accounting team that is given access to the accounting department documents is an example of role-based access control. A computer file owner who grants access to the file by adding other users to an access control list is an example of discretionary access control.

Rule-based access control

Rule-based access control uses rules applied to characteristics of objects or subjects to restrict access.
> Access control entries identify a set of characteristics that are examined for a match.
> If all characteristics match, access is either allowed or denied based on the rule.
> An example of a rule-based access control implementation is a router access control list that allows or denies traffic based on characteristics within the packet, such as IP address or port number.
> Because rule-based access control does not consider the identity of the subject, a system that uses rules can be viewed as a form of mandatory access control.

Separation of duties

Separation of duties is the concept of having more than one person required to complete a task. This is a preventive principle primarily designed to reduce conflicts of interest. It also prevents insider attacks because no one person has end-to-end control and no one person is irreplaceable. Important facts to know about separation of duties include:
> System users should have the lowest level of rights and privileges necessary to perform their work and should have those privileges only for the shortest length of time possible.
> To achieve a separation of duties, a business can use the principle of split knowledge. This means that no single person has total control of a system's security mechanisms; no single person can completely compromise the system.
> In cases of sensitive or high-risk transactions, a business can use two-man controls. This means that two operators must review and approve each other's work.

Short Message Service (SMS)

Short Message Service (SMS) authentication uses SMS messaging to send a one-time code or password to a known user of an account in order to verify their identity. This requirement can be requested at every login, every time the user signs in to a new device or browser, or at timed intervals.

Phone Call

Similar to SMS, the user receives a phone call with the one-time code or password.

Something you exhibit

Something that you exhibit could include a personality trait or a habit. For example:
> The time of day you usually log on.
> The method you usually use to access information.
> The types of tasks you usually perform.
When administrators notice unusual or risky behavior, they may choose to restrict access. This could mean requiring a password change, requiring another method of authentication, or even blocking your access.

Something you are

Something you are authentication uses a biometric system. A biometric system attempts to identify you based on metrics or a mathematical representation of a biological attribute, such as an eye or a fingerprint. This is the most expensive and least accepted form of authentication, but it is generally considered to be the most secure.

Something you have

Something you have, also called token-based authentication, bases authentication on something physical you have in your possession. Examples of something you have authentication controls include: > Swipe cards (similar to credit cards) with authentication information stored on the magnetic stripe. > Photo IDs are very useful when combined with other forms of authentication, but are high-risk if they are the only form of required authentication. Photo IDs are easily manipulated or reproduced, require personnel for verification, and cannot be verified against a system. > Key fobs are small, programmable hardware devices often used to provide access to buildings and open doors. Key fobs are often attached to a keychain.

Something you know

Something you know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication, but also the most commonly used. Examples of something you know authentication controls are: > Passwords, codes, or IDs. > PINs. > Passphrases (long, sentence-length passwords). > Cognitive information, such as questions that only you can answer (your mother's maiden name, the model of your first car, or the city where you were born). > Composition passwords are created by the system and are usually two or more unrelated words divided by symbols on the keyboard. > Usernames are not a form of something you know authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity. To be safe, the same password should not be used for more than one application or website.

Somewhere you are

Somewhere you are (also known as geolocation) uses physical location to verify your identity. Examples of implementations include: > A desktop system configured to allow authentication requests only if you have passed through the building's entrance using your ID card. If you are not in the building, your account is locked. > A system configured with an RFID proximity reader and required RFID badges. If you are within the RFID range of the workstation, authentication requests are allowed. If you move out of range, the workstation is immediately locked and re-authentication is not allowed until you move back within range. > GPS location data is used to determine a device's location. If you and the device are in a specified location, authentication requests are allowed. If not, the device is locked or additional authentication factors are requested. > Wi-Fi triangulation is used to determine a device's location. If you and the device are in a specified location, authentication requests are allowed. If not, the device is locked, or additional authentication factors are requested.

Authentication Technologies

The following chart reviews several technologies that can be used for multifactor authentication:

Authentication Methods

The following table describes authentication methods.

Identification

The initial process of confirming the identity of a user requesting credentials. This occurs when a user enters a user ID at logon.

Iris

The iris is the colorful portion of the eye around the pupil. Infrared light illuminates the iris, and the scanner captures images of its unique patterns.

Processing rate

The number of subjects or authentication attempts that can be validated in a given time period.

Crossover error rate

The point at which the number of false positives matches the number of false negatives in a biometric system.

Principle of least privilege

The principle of least privilege states that users or groups are given only the access they need to do their jobs and nothing more. Common methods of controlling access include: > Implicit deny denies access to users or groups who are not specifically given access to a resource. Implicit deny is the weakest form of privilege control. > Explicit allow specifically identifies users or groups who have access. Explicit allow is a moderate form of access control in which privilege has been granted to a subject. > Explicit deny identifies users or groups who are not allowed access. Explicit deny is the strongest form of access control and overrules all other privileges granted. > When assigning privileges, be aware that it is often easier to give a user more access when the user needs it than to take away privileges that have already been granted. Access recertification is the process of continually reviewing a user's permissions and privileges to make sure the user has the correct level of access.

Authentication

The verification of the issued identification credentials. It is usually the second step in the identification process and establishes that you are who you say you are.

6.1.3 Access Control Facts

This lesson covers the following topics: > Access control > Authentication, authorization, and accounting > Access control policies

6.1.4 Access Control Best Practices

This lesson covers the following topics: > Access control best practices > Transition best practices

6.2.3 Authentication Facts

This lesson covers the following topics: > Authentication > Identity > Authentication methods

6.2.7 Biometrics and Authentication Technologies Facts

This lesson covers the following topics: > Biometric authentication > Authentication technologies

Biometric authentication is based on a unique physical attribute or characteristic. This type of authentication requires capturing and storing a unique physical attribute with a biometric system. This initial capture is known as enrollment. Subsequent authentication attempts are tested against the stored biometric template. For biometric authentication to be a viable security mechanism, it must conform to the following parameters:

6.1.6 Access Control Model Facts

This lesson covers the topic of access control models.

Something you can do

This requires you to perform a particular action to verify your identity. Here are a few examples of an action that can be used: > Supply a handwritten sample that's analyzed against a baseline sample for authentication. > Type sample text. Your typing behaviors are analyzed against a baseline before authentication.

Authentication

To access resources on a network, you must prove who you are and that you have the required permissions. This process consists of the following elements: > Identification is the initial process of confirming your identity when you request credentials. It occurs when you enter a user ID to log on. Identity proofing occurs during the identification phase as you prove that you are who you say you are in order to obtain credentials. If you have been identified previously but cannot provide the assigned authentication credentials (such as a lost password), identity proofing is called upon again. > Authentication is the verification of the issued identification credentials. It is usually the second step in the identification process and establishes your identity, ensuring that you are who you say you are. > To verify an identity, you need some unique piece of information or data that could come only from you. Multi-Factor Authentication (MFA) requires more than one method of identification and uses factors and attributes. The following is a description of each type of factor:

Which of the following is used for identification?

Username Identification is the initial process of confirming the identity of a user requesting credentials and occurs when a user types in a user ID to log on. The username is used for identification, while a password, PIN, or some other cognitive information is used for authentication. Authentication is the verification of the issued identification credentials. It is usually the second step after identification and establishes the user's identity, ensuring that users are who they say they are.

Vein

Vein recognition scanners use infrared light to determine the vein pattern in your palm. Like a fingerprint, this pattern differs from one person to the next and does not change. The scanner converts the collected data into a code that is encrypted and assigned to you. The benefits of vein biometrics are: > Veins are internal so they cannot be altered or covered as easily as hands or a face could be. > Because a palm is larger than an eye or a finger, more data points can be collected. This provides a higher rate of accuracy. > Because veins are internal, they are harder to replicate and can only be captured in close proximity.

Account creation

When an account is created, apply the appropriate access rights based on the job role as implemented in the access control system. Use the principle of least privilege and grant only the minimum privileges required to perform the duties of the position.

Old accounts

When an account is no longer needed, take appropriate actions to: > Delete accounts that will no longer be used. > Rename accounts to give new users in the same job role the same access privileges. > Lock accounts that will not be used for extended periods to prevent them from being used. > Remove unnecessary rights from accounts that will be kept on the system. > Archive important data or files owned by the user, or assign ownership to another user. > Prohibit the use of generic user accounts, such as the Guest or Administrator users on Windows systems. End-of-life procedures should include not only deactivating or deleting unused accounts, but also destroying data that might remain on storage media. This will prevent sensitive data from being accessible to unauthorized users.

In the /etc/shadow file, which character in the password field indicates that a standard user account is locked?

! (Exclamation Point) ! or !! in the password field of /etc/shadow indicates that the account is locked and cannot be used to log in. The /etc/shadow file holds passwords and password expiration information for user accounts. $ preceding the password identifies the password as an encrypted entry. * indicates a system user account entry (which cannot be used to log in).

You want to protect the authentication credentials you use to connect to the LAB server in your network by copying them to a USB drive. Click the option you use in Credential Manager to protect your credentials.

*Click "Back up Credentials" Within Credential Manager, use the Back up Credentials and Restore Credentials links to back up and restore credentials. It is recommended that you back up credentials to a removable device, such as a USB flash drive, to protect them from a hard disk crash on the local system.

Click on the object in the TESTOUTDEMO.com Active Directory domain that is used to manage individual desktop workstation access.

*Click "CORPWS7" Computer objects are used to manage access for individual computer systems in the domain, including servers, desktops, and notebooks. In this example, the desktop named CORPWS7 is represented by a corresponding computer object in the domain. A domain (in this case, TESTOUTDEMO.com) is an administratively defined collection of network resources that share a common directory database and security policies. An organizational unit (OU) subdivides and organizes network resources within a domain. Several OUs are displayed in this scenario, including MarketingManagers, PermMarketing, and TempMarketing. User objects are used to manage access for individual employees. In this scenario, the employee named Tom Plask is represented by a corresponding user object in the domain.

You are creating a new Active Directory domain user account for the Rachel McGaffey user account. During the account setup process, you assigned a password to the new account. However, you know that the system administrator should not know any user's password for security reasons. Only the user should know his or her own password. Click the option you would use in the New Object - User dialog to remedy this situation.

*Click "User must change password at next logon" When creating a new user account or resetting a forgotten password, a common practice is to reset the user account password and select User must change password at next logon. This forces the user to reset the password immediately following logon, ensuring the user is the only person who knows the password. Enable the User cannot change password option when you want to maintain control over a guest, service, or temporary account. For example, many applications use service accounts for performing system tasks. The application must be configured with the user account name and password. In this situation, you may also need to enable the Password never expires option. The Account is disabled option is used in situations where you want to create an account in the present, but the user will not actually need the account until a future date.

Which chage option keeps a user from changing their password every two weeks?

-m 33 Using chage -m 33 forces a user to keep his or her password for 33 days. This sets the minimum number of days that must pass after a password change before a user can change the password again. Be aware of the other chage options: -M sets the maximum number of days before the password expires. -W sets the number of days before the password expires that a warning message displays. The chage -a option is not a valid option.

Using the groupadd -p command overrides the settings found in which file?

/etc/login.defs Using the groupadd command with this option overrides the default settings found in the /etc/login.defs file.

To make a computer a member of a workgroup:

1. Access the System Configuration app. - Right-click Start and then select System. - From the right pane, select System info under Related settings. 2. Under Computer name, Domain, and Workgroup settings, select Change settings. 3. From the Computer Name tab, click Change. Next, enter the name of the desired workgroup and click OK.

Which of the following ports are used with TACACS?

49 Terminal Access Controller Access Control System (TACACS) uses port 49 for TCP and UDP. Port 22 is used by Secure Shell (SSH). Protocol numbers 50 and 51 are used by IPsec. Ports 1812 and 1813 are used by Remote Authentication Dial-In User Service (RADIUS). Port 3389 is used by Remote Desktop Protocol (RDP).

Which ports does LDAP use by default? (Select two.)

636 389 Lightweight Directory Access Protocol (LDAP) uses ports 389 and 636 by default. Port 636 is used for LDAP over SSL. This is the secure form or mode of LDAP. Unsecured LDAP uses port 389. Port 69 is used by Trivial File Transfer Protocol (TFTP). Port 110 is used by Post Office Protocol version 3 (POP3). Port 161 is used by Simple Network Management Protocol (SNMP).

You want to deploy SSL to protect authentication traffic with your LDAP-based directory service. Which port does this action use?

636 To use Secure Sockets Layer (SSL) for LDAP authentication, use port 636. Port 80 is used for HTTP, while port 443 is used for HTTPS (HTTP with SSL). Simple LDAP authentication uses port 389.

802.1x

802.1x is an authentication method used on a LAN to allow or deny access based on a port or connection to the network. > 802.1x is used for port authentication on switches and authentication to wireless access points. > 802.1x requires an authentication server for validating user credentials. This server is typically a RADIUS server. > Authentication credentials are passed from the client, through the access point, to the authentication server. > The access point enables or disables traffic on the port based on the authentication status of the user. > Authenticated users are allowed full access to the network; unauthenticated users have access to only the RADIUS server. 802.1x is based on EAP and can use a variety of methods for authentication, such as usernames and passwords, certificates, or smart cards.

Access control measures can also be classified based on how they restrict or control access:

> Administrative controls are policies that describe accepted practices. Examples include directive policies and employee awareness training. > Technical controls are computer mechanisms that restrict access. Examples include encryption, one-time passwords, access control lists, and firewall rules. > Physical controls restrict physical access. Examples include perimeter security, site location, networking cables, and employee segregation.

Prohibit the use of shared user accounts:

> Disable and/or remove unnecessary accounts installed on the operating system by default, or disable specific user accounts that are no longer needed. > Prohibit the use of generic user accounts. Generic accounts, such as guest or administrator accounts in Windows, should be disabled. > Shared accounts: - Increase the likelihood of the account being compromised. Because the account is shared, users tend to take security for the account less seriously. For example, one organization found that the passwords for shared user accounts proliferated to the point where hundreds of current and former employees knew them. - Make password management more difficult. Because password changes must be communicated to multiple users, many system administrators avoid making any password changes at all. If the password is well known, employees (including former employees who no longer need access to the account) may still know the password. - Reduce responsibility for the account. Because users view the account as communal, users may do things with the account that they would not do with their personal account. - Destroy audit trails for the account. Because multiple users are associated with the account, it can be difficult to identify who is actually responsible for actions performed with the account. - Make it difficult to monitor the account for unusual activity. Because multiple users are associated with the account, it is much more difficult to define behaviors that are normal and behaviors that are abnormal. This is problematic because identifying abnormal account activity is key to detecting attacks on your systems.

GPOs apply to objects when they are linked to containers and configured with specific settings.

> GPOs can be linked to Active Directory domains or organizational units (OUs). > Built-in containers (such as the Computers container) and folders cannot have GPOs linked to them. > A GPO applied to an OU affects only the users and computers in that OU. > A GPO applied to a domain affects all users and computers in all OUs in that domain. > A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network. > A specific setting in a GPO can be: - Undefined - this means that the GPO has no value for that setting and does not change the current setting. - Defined - this means that the GPO identifies a value to enforce. > GPOs are applied in the following order: 1. The Local Group Policy on the computer. 2. GPOs linked to the site. 3. GPOs linked to the domain that contains the User or Computer object. 4. GPOs linked to the organizational unit(s) that contain(s) the User or Computer object (from the highest-level OU to the lowest-level OU). > Use the acronym LSDOU (Local, Site, Domain, and OU) to help you remember the order that GPOs are applied. The local policy is always applied, but it may be overwritten by a policy from Active Directory. Individual settings within all GPOs are combined to form the effective Group Policy setting as follows: > If a setting is defined in one GPO and undefined in another, the defined setting is enforced (regardless of the position of the GPO in the application order). > If a setting is configured in two GPOs, the setting in the last-applied GPO is used.

Security tokens (Something you have)

Security tokens generate a unique password when activated manually. These passwords are used one time and usually expire in minutes. Types of token-based authentication include: > A static password that is saved on the token device. Swiping the token supplies the password for authentication. > Synchronous dynamic password systems that generate new passwords at specific intervals on the hardware token. You must read the generated password and enter it along with the PIN to gain access. > An asynchronous dynamic password system that generates new passwords based on an event, such as pressing a key. > A challenge-response system that generates a random challenge string. The challenge text is entered into the token, along with the PIN. The token then uses both to generate a response used for authentication.

When implementing account lockout and account policies on Microsoft systems:

> The Local Security Policy controls policies for user accounts that are defined on a local system. > Policy settings in Group Policy are linked to the domain control settings for all user accounts in the domain. Settings defined at other levels in Group Policy do not affect password or account lockout settings.

When using workgroups, consider the following:

> Workgroups provide only sign-in security. > No username or password is required to join a workgroup. > Computers that belong to the same workgroup can share resources only if they are on the same segment. > Workgroups have no centralized authentication. This means that for a user to access a remote system, the same username and password must be created on the remote system. Otherwise, each user would need to know the username and password on the remote system. > If a domain is not used, the computer is a member of the workgroup named Workgroup by default.

daemon

A Linux or UNIX program that runs as a background process, rather than being under the direct control of an interactive user.

RADIUS

A RADIUS server is an authentication and authorization mechanism that uses the User Datagram Protocol (UDP) for authorization. It is used in Microsoft implementations. It provides a single solution for authentication and authorization.

Discretionary access control list (DACL)

A discretionary access control list is an implementation of discretionary access control (DAC). Owners add users or groups to the DACL for an object and identify the permissions allowed for that object.

Domain controller

A domain controller is a server that holds a copy of the Active Directory database that can be written to. Replication is the process of copying changes to Active Directory between the domain controllers. In contrast, member servers are servers in the domain that do not have the Active Directory database.

Domain

A domain is an administratively-defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure. Depending on the network structure and requirements, the entire network might be represented by a single domain with millions of objects, or the network might require multiple domains.

Federation

A federation is a group of domains that have established trust and therefore share authorizations. A federation can be within one organization with multiple domains, or it can include several trusted organizations that share resources. An advantage of this method of authentication is that everything happens on site and it provides detailed levels of access control.

Forest

A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.

Scalability

A hierarchical database lets you grow the Active Directory to meet the needs of your environment.

Permissions, Privileges, and Roles

A key part of any security administrator's job is to control access to resources. Access to resources is controlled using permissions, privileges, and roles. Permissions, privileges, and roles are usually cumulative, making it possible for one user account to receive access to more than one entity.

Access control list (ACL)

A list that identifies users or groups who have specific security assignments to an object.

Local User Accounts

A local user account can be created and used to sign in and access your Windows 10 computer instead of using a Microsoft account. When you use a local account, some features offered to Microsoft accounts are not available. These include Microsoft's OneDrive and synced settings. Local user account types include:

6.4.2 Windows Operating System Roles Facts

A networking model defines how network components function and interact. Windows operating systems can use a stand-alone model, a workgroup network model, or a client-server network model. This lesson covers the following topics: > Stand-alone model > Workgroup network model > Client-server network model

Permission

A permission controls the type of access that is allowed or denied for an object.

Policy

A policy is a set of configuration settings applied to users or computers.

Group Policy

A policy is a set of configuration settings applied to users or computers. Group policies allow the administrator to apply multiple settings to multiple objects within the Active Directory domain at one time. A set or collection of Group Policy configurations is called a Group Policy Object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values.

What is mutual authentication?

A process by which each party in an online communication verifies the identity of the other party. Mutual authentication is the process by which each party in an online communication verifies the identity of the other party. Mutual authentication is most common in VPN links, SSL connections, and e-commerce transactions. In each of these situations, both parties in the communication want to ensure that they know with whom they are interacting. The use of two or more authentication factors is called two-factor authentication. Challenge Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol (EAP) are authentication protocols. Communicating hosts might use certificates issued by a trusted CA in performing mutual authentication. However, using the CA is not, in itself, a definition of mutual authentication.

Security Principal

A security principal is an object that can be given permissions to an object. Security principals include user accounts, computer accounts, and security group accounts. > Each security principal is given a unique identification number called a Security ID (SID). > When a security principal logs on, an access token is generated. The access token is used for controlling access to resources and contains the SID for the user or computer, the SIDs of all groups the user or computer is a member of, and the user rights granted to the security principal. > When the security principal tries to access a resource or take an action, information in the access token is checked. For example, when a user tries to access a file, the access token is checked for the SID of the user and all groups. The SIDs are then compared to the SIDs in the object's DACL to identify permissions that apply. > On a Microsoft system, the access token is only generated during authentication. Changes made to group memberships or user rights do not take effect until the user logs on again and a new access token is created.

System access control list (SACL)

A system access control list is used by Microsoft for auditing in order to identify past actions performed by users on an object.

Tree

A tree is a group of related domains that share the same contiguous DNS namespace.

Simple

A username and password are required. Normally, the username and password are passed in cleartext. LDAP uses ports 389 and 636 by default.

Workgroup Network Model

A workgroup model is based on peer-to-peer networking. In the workgroup model: > No hosts in a workgroup have a specific role. - All hosts can function as both workstation and server. - All hosts in a workgroup can both provide network services and consume network services. > The hosts are linked together by some type of local network connection. > Hosts in the same workgroup can access shared resources on other hosts. > No specialized software is required. Some drawbacks of the workgroup network model include: > Lack of scalability > Lack of centralized configuration control > Complexity of backing up data > Lack of centralized authentication. To use resources on another computer, the same user account must be created on both systems. > Lack of centrally applied security settings

Effective permissions

Access rights (permissions) are cumulative. If you are a member of two groups with different permissions, you have the combined permissions of both groups (this is known as effective permissions). Effective permissions are the combination of inherited permissions and explicit permissions.

Which of the following terms describes the component that is generated following authentication and is used to gain access to resources following login?

Access token When a security principal logs on, an access token is generated. The access token is used to control access to resources and contains the following information: > The security identifier (SID) for the user or computer > The SID for all groups the user or computer is a member of > User rights granted to the security principal When the security principal tries to access a resource or take an action, information in the access token is checked. For example, when a user tries to access a file, the access token is checked for the SID of the user and all groups. The SIDs are then compared to the SIDs in the object's DACL to identify permissions that apply. Account policies in Group Policy control requirements for passwords, such as minimum length and expiration times. Cookies are text files that are stored on a computer to save information about your preferences, browser settings, and web page preferences. Cookies identify you (or your browser) to websites. A proxy is a server that stands between a client and destination servers.

Account Lockout Policies

Account lockout disables a user account after a specified number of incorrect login attempts. Account lockout policies include: > Account lockout duration - Specifies the number of minutes a locked-out account remains locked out before automatically becoming unlocked. When set to 0, an administrator must unlock the account. > Account lockout threshold - Specifies the number of failed logon attempts that causes a user account to be locked out. > Reset account lockout counter after - Specifies the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. For example, if this value is set to 60 minutes and the account lockout threshold is set to 5, the user can enter up to four incorrect passwords within one hour without the account being locked. Account lockout can be used to prevent attackers from guessing passwords, but it can also be used maliciously to lock an account and prevent a valid user from logging in.

Account Monitoring

Account monitoring can help you detect unusual or risky behavior. You should monitor for the following: > Login activity. > Suspicious logins for the user (spikes, logins at unusual times of day, and/or frequent or failed logins). > Remote-access traffic.

Password Policies

Account policies help you control the composition and use of passwords. Password policies include: > Enforce password history - This determines the number of unique new passwords that have to be used before an old password can be reused. This helps to prevent users from reusing any recent passwords. > Maximum password age - This requires users to change their password after a given number of days. > Minimum password age - This determines the number of days that a password must be used before the user can change it. This prevents users from reverting back to their original password immediately after they have changed it. > Minimum password length - This identifies the minimum number of characters in a password. > Password must meet complexity requirements - A complex password prevents using passwords that are easy to guess or crack. Complex passwords must meet the following minimum requirements: - Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters - Must be at least six characters in length - Must contain characters from three of the following four categories: > English uppercase characters (A through Z) > English lowercase characters (a through z) > Base-10 digits (0 through 9) > Non-alphabetic characters (for example, !, $, #, or %) Complexity requirements are enforced when passwords are changed or created.

Account Restrictions

Account restrictions place restrictions on the use of a user account for login. For example, you can: > Prohibit multiple concurrent logins > Allow logins only during certain days and hours > Allow logins only from specific computers > Create expiration dates for user accounts for temporary users to prevent them from being used past a certain date

What is the MOST important aspect of a biometric device?

Accuracy The most important aspect of a biometric device is accuracy. If an access control device is not accurate, it does not offer reliable security. Enrollment time is how long it takes for a new user to be defined in the biometric database. Typically, an enrollment time less than two minutes is preferred. The size of the reference profile is irrelevant in most situations. Throughput is how many users a biometric device can scan and verify within a given time period. Typically, a throughput of 10 users per minute is preferred.

What is the name of the service included with the Windows Server operating system that manages a centralized database containing user account and security information?

Active Directory Active Directory (AD) is a centralized database that is included with the Windows Server operating system. Active Directory is used to store information about a network. It stores such things as user accounts, computers, printers, and security policies.

Active Directory

Active Directory is a centralized database that contains user account and security information. In a workgroup, security and management are decentralized. They take place on each individual computer; each computer holds its own information about users and resources. With Active Directory, all computers share the same central database on a remote computer called a domain controller. Active Directory is a hierarchical database. Hierarchical directory databases have the following advantages over a flat file database structure:

Active Directory Components

Active Directory organizes network resources and simplifies management using the following components:

There are registry-based settings that can be configured within a GPO to control the computer and the overall user experience, such as: > Use Windows features such as BitLocker, Offline Files, and Parental Controls > Customize the Start menu, taskbar, or desktop environment > Control notifications > Restrict access to Control Panel features > Configure Internet Explorer features and options What are these settings known as?

Administrative templates Administrative templates are registry-based settings that can be configured within a GPO to control the computer and the overall user experience. These include: > Use Windows features such as BitLocker, Offline Files, and Parental Controls > Customize the Start menu, taskbar, or desktop environment > Control notifications > Restrict access to Control Panel features > Configure Internet Explorer features and options Use software restriction policies to define the software permitted to run on any computer in the domain. These policies can be applied to specific users or all users. Security options allow you to apply or disable rights for all users the Group Policy applies to. Use account policies to control password settings, account lockout settings, and Kerberos settings.

Administrator

Administrators have complete control of the system and can perform tasks such as: > Change global settings > Create/delete users > Install applications > Run applications in an elevated state > Access all files on the system

Domain objects

All network resources, such as users, groups, computers, and printers are stored as objects in Active Directory.

Which of the following are characteristics of TACACS+? (Select two.)

Allows three different servers (one each for authentication, authorization, and accounting) Uses TCP TACACS+ was originally developed by Cisco for centralized remote access administration. TACACS+: > Provides three protocols (one each for authentication, authorization, and accounting). This allows each service to be provided by a different server. > Uses TCP. > Encrypts the entire packet contents. > Supports more protocol suites than RADIUS. RADIUS is used by Microsoft servers for centralized remote access administration. RADIUS: > Combines authentication and authorization using policies to grant access. > Uses UDP. > Encrypts only the password. > Often uses vendor-specific extensions. RADIUS solutions from different vendors might not be compatible. > Uses UDP ports 1812 and 1813 and can be vulnerable to buffer overflow attacks.

User Management Commands

Although it is possible to edit the /etc/passwd and /etc/shadow files manually to manage user accounts, doing so can disable your system. Instead, use the following commands to manage user accounts:

AAA Server

An AAA server handles user requests for access to computer resources. A remote access server typically controls client access to remote systems. Clients might be restricted to accessing resources only on the remote access server, or they might be allowed to access resources on other hosts on the private network. Two common AAA server solutions include RADIUS and TACACS+. Remote access policies identify authorized users and other required connection parameters. In a small implementation, you typically define user accounts and remote access policies on the remote access server. With this configuration, you must define user accounts and policies on each remote access server. For larger deployments with multiple remote access servers, you can centralize the administration of remote access policies by using an AAA server. Connection requests from remote clients are received by the remote access server and forwarded to the AAA server to be approved or denied. Policies you define on the AAA server apply to all clients connected to all remote access servers.

System ACL (SACL)

An ACL Microsoft uses for auditing to identify past actions users have performed on an object.

Access Control Lists

An access control list identifies users or groups who have specific security assignments to an object. The term permission identifies the type of access that is allowed or denied for the object. For example, permissions for a file include read and write, and they can either allow or deny the specified access. The table below describes two types of New Technology File System (NTFS) access lists:

Network Authentication Protocols

An authentication protocol identifies how credentials are submitted, protected during transmission, and validated. Instead of a simple username and password, some authentication protocols require certificates and digital signatures for proof of identity. > A certificate is a digital document that identifies a user or a computer. The certificate includes a subject name, which is the name of a user or a computer. > Certificates are obtained from a public key infrastructure (PKI). A PKI is a collection of hardware, software, policies, and organizations that create, issue, and manage digital certificates. > A PKI is made up of certificate authorities (CAs), also called certification authorities. A CA: - Accepts certificate requests - Verifies the information provided by the requester - Creates and issues the certificate to the requester - Revokes certificates, which invalidates them - Publishes a list of revoked certificates known as the certificate revocation list (CRL) > You can obtain certificates from a public CA such as DigiCert or install your own PKI and CAs to issue certificates to users and computers in your organization. > Computers accept any certificate issued by a trusted CA as valid. By default, most computers trust well-known public CAs. If you configure your own PKI, you need to configure each computer in your organization to trust your own CAs. > A digital signature is a digital document that is altered so that it could have come only from the subject identified in the certificate. A certificate obtained from a PKI is signed by the CA that issued the certificate. The digital signature of the issuing CA is included in the certificate. > A computer that receives a certificate verifies the issuing CA's signature. If the CA is trusted, the computer will accept the user or computer's identity. The following table describes various authentication methods used for network authentication. Many of these use some form of challenge/response mechanism.

Discretionary ACL (DACL)

An implementation of discretionary access control (DAC) in which owners add users or groups to the DACL for an object and identify the permissions allowed for that object.

Security Principal

An object, such as a user account, computer account, or security group account, that can be given permissions to an object.

Organizational unit (OU)

An organizational unit is like a folder that subdivides and organizes network resources within a domain. An organizational unit: > Is a container object > Can hold other organizational units > Can hold objects such as users and computers > Can be used to logically organize network resources > Simplifies security administration

Organizational unit

An organizational unit is similar to a folder. It subdivides and organizes network resources within a domain.

/etc/group

As with Active Directory, groups can be used to simplify user access to network resources. The /etc/group file contains information about each group.

6.6 Hardening Authentication

As you study this section, answer the following questions: > Identify the characteristics that typically define a complex password. > What does the minimum password age setting prevent? > What is a drawback to account lockout for failed password attempts? > What are the advantages of a self-service password reset management system? In this section, you will learn to: > Configure account password policies. > Restrict local accounts. > Secure default accounts. > Enforce user account control. > Configure smart card authentication.

6.7 Linux Users

As you study this section, answer the following questions: > How can you view the default values in the /etc/default/useradd file? > How do you create a user in Linux? > Which command deletes a user and the user's home directory at the same time? > What is the difference between hard and soft limits? > Which command removes all restrictions for process memory usage? > Why shouldn't passwords expire too frequently? > Which directory contains configuration file templates that are copied into a new user's home directory? In this section, you will learn to: > Create a user account. > Rename a user account. > Delete a user. > Change your password. > Change a user's password. > Lock and unlock user accounts.

6.9 Remote Access

As you study this section, answer the following questions: > How does EAP differ from CHAP? > What is the difference in authentication and authorization? > What is the difference between RADIUS and TACACS+? In this section, you will learn to: > Configure a RADIUS solution.

6.10 Network Authentication

As you study this section, answer the following questions: > In the challenge/response process, what information is exchanged over the network during logon? > What is included in a digital certificate? > What is PKI? > Which tool can manage authentication credentials on Windows hosts? In this section, you will learn to: > Control the authentication method. > Configure Kerberos policy settings. > Manage credentials.

6.4 Windows User Management

As you study this section, answer the following questions: > What are the main differences between the workgroup network model and the domain network model? > What are the disadvantages of a large company using a peer-to-peer network model? > What are the differences between the stand-alone model and client-server model? > What are the disadvantages of the client-server model? > When is it beneficial to use Azure Active Directory (Azure AD)? In this section, you will learn to: > Use local user accounts for sign-in. > Join a workgroup. > Use online user accounts for sign-in. > Use domain user accounts for sign-in. > Use Azure AD user accounts for sign-in.

6.5 Active Directory Overview

As you study this section, answer the following questions: > What is the purpose of a domain? > What is the difference between a tree and a forest? > How do organizational units (OUs) simplify security administration? > What are the advantages of a hierarchical directory database over a flat file database? > When are user policies applied? > How do computer policies differ from user policies? > What is the order in which Group Policy Objects (GPOs) are applied? > If a setting is defined in two GPOs, which setting is applied? In this section, you will learn to: > Create OUs > Delete OUs > Use Group Policy > Create and link a GPO > Create user accounts > Manage user accounts > Create a group > Create global groups

6.3 Authorization

As you study this section, answer the following questions: > What three types of information make up an access token? > On a Microsoft system, when is the access token generated? > What types of objects are considered security principals? > What is the difference between a discretionary access control list (DACL) and a system access control list (SACL)? In this section, you will learn to: > Examine an access token.

6.8 Linux Groups

As you study this section, answer the following questions: > Which usermod option changes the secondary group membership? > Which command removes all secondary group memberships for specific user accounts? > Which groupmod option changes the name of a group? In this section, you will learn to: > Manage Linux groups. > Rename and create groups. > Add users to a group. > Remove a user from a group.

passwd

Assign or change a password for a user. > passwd (without a user name or options) changes the current user's password. > Users can change their own passwords. The root user can execute all other passwd commands. Be aware of the following options: > -S username displays the status of the user account. LK indicates that the user account is locked, and PS indicates that the user account has a password. > -l disables (locks) an account. This command inserts a !! before the password in the /etc/shadow file, effectively disabling the account. > -u enables (unlocks) an account. > -d removes the password from an account. > -n sets the minimum number of days a password must exist before it can be changed. > -x sets the number of days before a user must change the password (password expiration time). > -w sets the number of days before the password expires that the user is warned. > -t sets the number of days following the password expiration that the account will be disabled.

Attributes

Attributes can be your role, position, or current project. This information can be used to determine policy and permission.

RADIUS is primarily used for what purpose?

Authenticating remote clients before access to the network is granted Remote Authentication Dial-In User Service (RADIUS) is primarily used for authenticating remote clients before access to a network is granted. RADIUS is based on RFC 2865 and maintains client profiles in a centralized database. RADIUS offloads the authentication burden for dial-in users from the normal authentication of local network clients. For environments with a large number of dial-in clients, RADIUS provides improved security, easier administration, improved logging, and alleviated performance impact on LAN security systems.

Authentication

Authentication is the process of validating user credentials that prove user identity.

Network Authentication Overview

Authentication is the process of validating user credentials that prove user identity. Authentication is typically the first step in connecting to a network. Following successful authentication, access controls can be implemented to allow or deny access to network resources. A simple form of authentication sends a username and password to an authentication server. If the password is sent in cleartext, the authentication credentials can be intercepted and used to impersonate an authorized user. One method of protecting login credentials is by using a challenge/response mechanism (also called a three-way handshake). Using this method, both the authentication server and the authenticator are configured with a common shared secret. This shared secret is usually a password associated with a user account. The process is: 1. The authentication server sends a challenge string to the authenticator. 2. The authenticator uses the shared secret to hash the challenge string and returns the user account name and the hashed value to the authentication server. 3. The authentication server also uses its shared secret value to hash the challenge string. If the two hashed values match, the authentication server assumes that the authenticator also knows the shared secret. With the challenge/response method, the password is never sent through the network; only the hashed challenge string is exchanged. Be aware that the hashed challenge string is not an encrypted form of the password.

What is the process of controlling access to resources such as computers, files, or printers called?

Authorization Authorization is the process of controlling access to resources such as computers, files, or printers. Mandatory access control (MAC) is an access control system based on classifications of subjects and objects to define and control access. Conditional access is a way to enforce access control while also encouraging users to be productive wherever they are. Authentication is the verification of the issued identification credentials.

Authorization

Authorization is the process of controlling access to resources such as computers, files, or printers. When managing access to resources, be aware of the following: > A group is an object that identifies a set of users with similar access needs. Microsoft systems have two kinds of groups: distribution and security. Only security groups can be used for controlling access to objects. > Assigning permissions to a group grants those same permissions to all members of the group. > On a Microsoft system, a user right is a privilege or action that can be taken on a system, such as logging on, shutting down, backing up the system, or modifying the system date and time. > Permissions apply to objects (files, folders, printers, etc.), while user rights apply to the entire system (the computer).

Which of the following account types is a cloud-based identity and access management service that provides access to both internal and external resources?

Azure AD Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft. It is similar to on-premises Active Directory except that Azure AD runs in Microsoft's Azure cloud. Administrator is a local user account that has complete control of a system. Domain accounts are created and stored in Active Directory on a domain controller server. This provides central management of users and groups. Microsoft accounts use a single sign-on system. This means that you can sign into different systems while maintaining the same user settings and password. A Microsoft account is a cloud-based Active Directory account type.

Azure Active Directory

Azure AD is Microsoft's cloud-based identity and access management service. It helps employees sign in and access resources.

Azure Active Directory Account Sign-In

Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft. It is similar to on-premises Active Directory except that Azure AD runs in Microsoft's Azure cloud. With Azure AD, users can sign in and access both internal and external resources. Internal resources include such things as the applications on a corporate network. External resources include such things as Microsoft Office 365 and other Software as a Service (SaaS) applications. As with on-premises Active Directory, to use Azure AD a user account must be created in Azure AD and the local computer must be joined to the Azure AD domain. To join a device to Azure Active Directory: > Right-click Start and then go to Settings > Accounts. > Select Access work or school and select Connect. > Select Join this device to Azure Active Directory. > Follow the remaining prompts to complete the process. After joining the computer to Azure AD, you sign in using the same steps as you would to sign into a local domain. The only difference is that you use the Azure AD domain.

A smart card can be used to store all but which of the following items?

Biometric template original A smart card cannot store biometric template originals, as those are physical components of the human body. A smart card can store digital signatures, cryptography keys, and identification codes.

6.7.5 Rename a User Account Lab

Brenda Cassini (bcassini) was recently married. You need to update her Linux user account to reflect her new last name of Palmer. In this lab, your task is to use the usermod command to: > Rename Brenda's user account bpalmer. > Change Brenda's comment field to read Brenda Palmer. > Change and move Brenda's home directory to /home/bpalmer. > When you're finished, view the /etc/passwd file and /home directory to verify the modification. Complete this lab as follows: 1. Rename the bpalmer account and move her home directory. a. From the Linux prompt, type usermod -l bpalmer bcassini -m -c "Brenda Palmer" -d /home/bpalmer and press Enter. 2. Verify account modification. a. Type cat /etc/passwd and press Enter. b. Type ls /home and press Enter to verify that the account was modified.

Challenge Handshake Authentication Protocol (CHAP)

CHAP uses a challenge/response (three-way handshake) mechanism to protect passwords. CHAP is the only remote access authentication protocol that ensures that the same client or system exists throughout a communication session by repeatedly and randomly re-testing the validated system.

6.1.8 Practice Questions

CIST 1601

6.10.9 Practice Questions

CIST 1601

6.3.5 Section Quiz

CIST 1601

6.4.9 Section Quiz

CIST 1601

6.5.15 Practice Questions

CIST 1601

6.6.13 Practice Questions

CIST 1601

6.7.13 Practice Questions

CIST 1601

6.8.6 Practice Questions

CIST 1601

6.9.5 Practice Questions

CIST 1601

Biometric information

Can be collected for each of the following:

You manage a group of 20 Windows workstations that are currently configured as a workgroup. You have been thinking about switching to an Active Directory configuration. Which advantages would there be to switching to Active Directory? (Select two.)

Centralized configuration control Centralized authentication Installing an Active Directory database provides several advantages, including: > Improved scalability > Centralized configuration control > Reduced data backup complexity > Centralized authentication > Centrally applied security settings Active Directory also includes some drawbacks, for example: > Increased cost > Specialized hardware and software needs > Increased planning time for implementation

gpasswd

Changes a group password. > gpasswd groupname prompts for a new password. > -r removes a group password.

You are configuring a small workgroup. You open System Properties on each computer that will be part of the workgroup. Click the System Properties options you can use to configure each computer's workgroup association. (Select two. Each option is part of a complete solution.)

Click Network ID Click Change In System Properties on each computer, you can click Change to manually configure the workgroup of each computer, or click Network ID to use a wizard to join the computers together.

You are consulting a small startup company that needs to know which kind of Windows computer network model they should implement. The company intends to start small with only 12 employees, but they plan to double or triple in size within 12 months. The company founders want to make sure they are prepared for growth. Which networking model should they implement?

Client-server This startup company should invest in a client-server network if they want to be prepared to double or triple in size within 12 months. A client-server network that uses Active Directory as a centralized database to manage network resources is the most scalable networking model. The workgroup (peer-to-peer) networking model would be less expensive and easier to set up for a dozen employees, but it would become too difficult to manage when the company increases in size. The standalone networking model would not connect the company's computers to each other. Employees would not be able to share any resources, such as printers or data storage. Wired and wireless networks are not networking models. These network configurations provide connectivity between computers and can be used for any of the networking models. A public network, such as the internet, would be the only way computers using the standalone networking model could communicate with each other.

Which of the following are networking models that can be used with the Windows operating system? (Select two.)

Client-server Workgroup The following networking models can be used with the Windows operating system: > Workgroup - computers that are physically connected to a wired or wireless network can be set up as a simple peer-to-peer network, which Microsoft refers to as a workgroup. Computers that are part of a workgroup are both workstations and servers. A workgroup is easy to set up, but it can become very difficult to manage if the number of computers exceeds 10 to 15. > Client-server - in a client-server network, which Microsoft refers to as a domain, computers are joined to a network domain that uses an Active Directory database to contain user accounts and network security policies. Organizational units are logical containers in Active Directory that are used to hold and organize network resources. A domain controller is a server that holds a copy of the Active Directory database. Active Directory is a centralized database that contains user account and security information.

Which of the following is a password that relates to things that people know, such as a mother's maiden name or a pet's name?

Cognitive Cognitive passwords relate to things that people know, such as a mother's maiden name or a pet's name. Dynamic passwords change upon each consecutive login. One-time passwords are only valid for a single use. A passphrase is a password long enough to be a phrase.

Computer Configuration

Computer policies are enforced for the entire computer and are initially applied when the computer boots. Computer policies are in effect regardless of the user logging into the computer. Computer policies include: > Software that should be installed on a specific computer > Scripts that should run at startup or shutdown > Password restrictions that must be met for all user accounts > Network communication security settings > Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree) Computer policies also include a special category of policies called user rights. User rights identify system maintenance tasks and the users or groups who can perform these actions. Actions include: > Changing the system time > Loading and unloading device drivers > Removing a computer from a docking station > Shutting down the system Computer policies are initially applied as the computer boots and are enforced before any user logs on.

For users on your network, you want to automatically lock user accounts if four incorrect passwords are used within ten minutes. What should you do?

Configure account lockout policies in Group Policy Account lockout disables a user account after a specified number of incorrect login attempts. The account lockout threshold identifies the allowed number of incorrect login attempts. The account lockout counter identifies a time period for keeping track of incorrect attempts (such as 10 minutes). If account lockout locks a user account, use the unlock feature to allow login. Use the enable/disable feature to prevent or allow login using the user account. Configure account (password) policies in Group Policy to enforce rules about the composition of passwords, such as minimum length, complexity, and history requirements. Use account expiration in a user account to disable an account after a specific day. Use day/time restrictions to prevent login during certain days or hours.

You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days. What should you do?

Configure account policies in Group Policy Configure account (password) policies in Group Policy to enforce rules about the composition of passwords, such as minimum length, complexity, and history requirements. Use account expiration in a user account to disable an account after a specific day. Use day/time restrictions to prevent login during certain days or hours. Account lockout disables a user account after a specified number of incorrect login attempts.

You have hired ten new temporary employees to be with the company for three months. How can you make sure that these users can only log on during regular business hours?

Configure day/time restrictions in user accounts Use day/time restrictions to limit the days and hours when users can log on. Configure account expiration to disable an account after a specific date. Use account policies in Group Policy to configure requirements for passwords. Use account lockout settings in Group Policy to automatically lock accounts when a specific number of incorrect passwords are entered.

6.8.5 Remove a User from a Group Lab

Corey Flynn (cflynn) currently belongs to several groups. Due to some recent restructuring, he no longer needs to be a member of the hr group. To preserve existing group membership, use the usermod -G command to list all groups to which the user must belong. Do not include the primary group name in the list of groups. In this lab, your task is to: > Remove cflynn from the hr group. > Preserve all other group memberships. > View the /etc/group file or use the groups command to verify the changes. Complete this lab as follows: 1. View a list of all groups to which Corey Flynn belongs. a. At the prompt, type groups cflynn and press Enter. *Notice that cflynn currently belongs to the mgmt1, hr, and it secondary groups. The cflynn group is the user's primary group. 2. Change and verify Corey Flynn's group membership. a. Type usermod -G mgmt1,it cflynn and press Enter. b. Type groups cflynn and press Enter. *Corey now only belongs to the mgmt1 and it groups.

You want to ensure that all users in the Development OU have a common set of network communication security settings applied. Which action should you take?

Create a GPO computer policy for the computers in the Development OU. Network communication security settings are configured in the Computer Policies section of a GPO. Built-in containers (such as the Computers container) and folders cannot be linked to a GPO.

You manage an Active Directory domain. All users in the domain have a standard set of internet options configured by a GPO linked to the domain, but you want users in the Administrators OU to have a different set of internet options. What should you do?

Create a GPO user policy for the Administrators OU. Internet options are configured in the User Policies section of a GPO. Linking this policy to the Administrators OU only applies it to users in that OU because GPOs linked to OUs are applied last. If Local Group Policies are created on the Administrator's computers, the policies are overwritten by the GPO that is linked to the domain, which applies a standard set of internet options to all users in the domain. There is already a GPO user policy linked to the domain.

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. Members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, which is a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer, and he would like his account to have even more strict password policies than are required for other members in the Directors OU. What should you do?

Create a granular password policy for Matt. Apply the new policy directly to Matt's user account. To use a different set of policies for a specific user, create a Password Settings Object (PSO) for the user and apply it directly to the user account. If a PSO has been applied directly to a user, that PSO is in effect regardless of the precedence value. You could create a second group only for Matt's account and password policy. However, this policy must have a lower precedence value than the value set for the policy applied to the DirectorsGG group. Removing Matt's account from the DirectorsGG group is unnecessary and would probably affect his permissions to network resources.

useradd

Create a user account. The following options override the settings as found in /etc/default/useradd:
> -c adds a description for the account in the GECOS field of /etc/passwd.
> -d assigns an absolute pathname to a custom home directory location.
> -D displays the default values specified in the /etc/default/useradd file.
> -e specifies the date on which the user account will be disabled.
> -f specifies the number of days after a password expires until the account is permanently disabled.
> -g defines the primary group membership.
> -M defines the secondary group membership.
> -m creates the user's home directory (if it does not exist).
> -n does not create a group with the same name as the user (Red Hat and Fedora, respectively).
> -p defines the encrypted password.
> -r specifies that the user account is a system user.
> -s defines the default shell.
> -u assigns the user a custom UID. This is useful when assigning ownership of files and directories to a different user.

groupadd

Creates a new group. The following options override the settings as found in the /etc/login.defs file:
> -g defines the group ID (GID).
> -p defines the group password.
> -r creates a system group.

A manager has told you she is concerned about her employees writing their passwords for websites, network files, and database resources on sticky notes. Your office runs exclusively in a Windows environment. Which tool could you use to prevent this behavior?

Credential Manager Credential Manager securely stores account credentials for network resources, such as file servers, websites, and database resources. Local Users and Groups manages only local account credentials. Key Management Service is used to manage the activation of Windows systems on a network. Computer Management is used to complete Windows management tasks, such as viewing event logs, managing hardware devices, and managing hard disk storage.

6.8.3 Rename and Create Groups Lab

Currently, all the salespeople in your company belong to a group called sales. The VP of sales wants two sales groups, a western sales division and an eastern sales division. In this lab, your task is to:
> Rename the sales group to western_sales_division.
> Create the eastern_sales_division group.
> Remove aespinoza as a member of the western_sales_division group.
> Assign aespinoza as a member of the eastern_sales_division group.
> When you're finished, view the /etc/group file or use the groups command to verify the changes.
1. Rename the sales group to western_sales_division and create the eastern_sales_division group.
a. At the prompt, type groupmod -n western_sales_division sales and press Enter.
b. Type groupadd eastern_sales_division and press Enter.
2. Modify the group membership as needed.
a. Type usermod -G eastern_sales_division aespinoza and press Enter.
*When you assign aespinoza to the eastern_sales_division group using the usermod -G option, the user account is removed from the western_sales_division group.
3. Use cat /etc/group or groups aespinoza to verify aespinoza's group membership.

Delegation

Delegation allows you to assign users to manage portions of the Active Directory database without giving all users rights to the entire database. For example, you can assign an administrator to manage the sales department in North America and enable this administrator to create user accounts, remove user accounts, and change passwords. However, this sales administrator won't be allowed to access the accounting or development departments. As another example, you can allow an administrator to manage all departments in Europe, but none in North America or Asia.

Deny permissions

Deny permissions always override Allow permissions. For example, if a user belongs to two groups and a specific permission is allowed for one group and denied for the other, the permission is denied. However, the exception to this rule comes with inherited permissions. If an object has an explicit Allow permission entry, inherited Deny permissions do not prevent access to the object. Explicit permissions override inherited permissions, including Deny permissions.

Active Directory

Developed by Microsoft, Active Directory is a centralized database that contains user accounts and security information. It is included in most Windows Server operating systems as a set of processes and services.

What should you do to a user account if the user goes on an extended vacation?

Disable the account Disabling the account is the best measure to protect an inactive account. This prevents the account from being used for login. If you delete the account or the rights assigned to the account, you have to re-create the account or the rights when the user returns. Leaving the account active might expose it to attack, even if you regularly monitor it.

groups

Displays the primary and secondary group membership for the specified user account.

Universal

Does each person have the physical attribute being measured?

Extensible Authentication Protocol (EAP)

EAP allows the client and server to negotiate the characteristics of authentication.
> An EAP authentication scheme is called an EAP type. Both the client and authenticator have to support the same EAP type for authentication to function.
> When a connection is established, the client and server negotiate the authentication type that will be used based on the allowed or required authentication types configured on each device.
> The submission of authentication credentials occurs based on the rules defined by the authentication type.
> EAP is used to allow authentication with smart cards, biometrics, and certificate-based authentication.
Other versions of EAP include:
> Protected Extensible Authentication Protocol (PEAP) is a more secure version of EAP. It provides authentication to a WLAN that supports 802.1X. PEAP uses a public key over TLS.
> EAP-FAST, which is also known as flexible authentication via secure tunneling. This version performs session authentication in wireless networks and point-to-point connections.

Extensible Authentication Protocol (EAP)

EAP allows the client and server to negotiate the characteristics of authentication. When a connection is established, the client and server negotiate the authentication type that will be used based on the allowed or required authentication types configured on each device. EAP allows authentication using a variety of methods, including passwords, certificates, and smart cards.

GPO Structure

Each GPO has a common structure with hundreds of configuration settings that can be enabled and configured. Settings are divided into two categories:

Object

Each resource within Active Directory is identified as an object.

Which of the following is a characteristic of TACACS+?

Encrypts the entire packet, not just authentication packets

You are configuring the Local Security Policy of a Windows system. You want to prevent users from reusing old passwords. You also want to force them to use a new password for at least five days before changing it again. Which policies should you configure? (Select two.)

Enforce password history Minimum password age Set the Enforce password history policy to prevent users from reusing old passwords. Set the Minimum password age policy to prevent users from changing passwords too soon. Passwords must remain the same for at least the time period specified. Use the Maximum password age policy to force periodic changes to the password. After the maximum password age has been reached, the user must change the password. Use the Password must meet complexity requirements policy to require that passwords include letters, numbers, and symbols. This makes it harder for hackers to guess or crack passwords.

6.7.9 Lock and Unlock User Accounts

Every seven years, your company provides a six-week sabbatical for every employee. Vera Edwards (vedwards), Corey Flynn (cflynn), and Bhumika Kahn (bkahn) are leaving today. Maggie Brown (mbrown), Brenda Cassini (bcassini), and Arturo Espinoza (aespinoza) are just returning. The company security policy mandates that user accounts for employees gone for longer than two weeks be disabled. In this lab, your task is to:
> Lock the following user accounts: vedwards, cflynn, bkahn
> Unlock the following user accounts: mbrown, bcassini, aespinoza
> When you're finished, view the /etc/shadow file to verify the changes.
Complete this lab as follows:
1. Lock the applicable accounts.
a. At the prompt, type usermod -L vedwards or passwd -l vedwards and press Enter.
b. Type usermod -L cflynn or passwd -l cflynn and press Enter.
c. Type usermod -L bkahn or passwd -l bkahn and press Enter.
2. Unlock the applicable accounts.
a. Type usermod -U mbrown or passwd -u mbrown and press Enter.
b. Type usermod -U bcassini or passwd -u bcassini and press Enter.
c. Type usermod -U aespinoza or passwd -u aespinoza and press Enter.
3. Verify your changes by typing cat /etc/shadow and pressing Enter.
a. An exclamation point (!) at the start of the password field indicates that the account is locked.

Which of the following terms is used to describe an event in which a person who should be allowed access is denied access to a system?

False negative A false negative occurs when a person who should be allowed access is denied access. A false positive occurs when a person who should be denied access is allowed access. The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated. The crossover error rate, also called the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system.

KWalletManager is a Linux-based credential management system that stores encrypted account credentials for network resources. Which encryption methods can KWalletManager use to secure account credentials? (Select two.)

GPG Blowfish KWalletManager offers two encryption options for protecting stored account credentials. These two encryption options are Blowfish and GPG. HMAC-SHA1 is most often used with one-time passwords. Kerberos is used for login authentication and authorization in a Windows domain. Twofish is an encryption mechanism that is similar to the Blowfish block cipher but has not been standardized at this point.

Which of the following objects identifies a set of users with similar access needs?

Group A group is an object that identifies a set of users with similar access needs. Microsoft systems have two kinds of groups, distribution groups and security groups. Only security groups can be used for controlling access to objects. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). A system access control list (SACL) is used by Microsoft for auditing in order to identify past actions performed by users on an object. Permissions define the rights and access users and groups have with objects.

Hypertext Transfer Protocol Secure (HTTPS)

HTTPS uses HTTP over Secure Sockets Layer (SSL). It has replaced S-HTTP as the method of securing HTTP (web) traffic. It is a session-based encryption technology, meaning that the keys used for a session are valid for that session only. HTTPS is used predominantly throughout the internet. HTTPS operates over TCP port 443.

Hardening Authentication Methods

Hardening means to strengthen. You want to make sure your authentication methods are strong so that you can be confident that users accessing your network are who they say they are. The following table provides various methods for strengthening your authentication.

Marcus White has just been promoted to a manager. To give him access to the files that he needs, you make his user account a member of the Managers group, which has access to a special shared folder. Later that afternoon, Marcus tells you that he is still unable to access the files reserved for the Managers group. What should you do?

Have Marcus log off and log back in. On a Microsoft system, an access token is only generated during authentication. Changes made to group memberships or user rights do not take effect until the user logs in again and a new access token is created. Use NTFS and share permissions, not Group Policy, to control access to files. In addition, Group Policy is periodically refreshed, and new settings are applied on a regular basis.

Organization

Hierarchical databases let you sort and organize your user accounts by location, function, and department.

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You need to make the change as easily as possible. Which of the following actions should you take?

Implement a granular password policy for the users in the Directors OU. Use granular password policies to force different password policy requirements for different users. Password and account lockout policies are enforced only in GPOs linked to the domain, not to individual OUs. Prior to Windows Server 2008, the only way to configure different password policies was to create a different domain.

Organizational unit (OU)

In Active Directory, an organizational unit is a way to organize such things as users, groups, computers, etc. It is also referred to as a container object.

Domain Account Sign-In

In addition to local and Microsoft account sign-ins, you can also sign into a Windows system using a domain account. Domain accounts are created and stored in Active Directory on a domain controller server. This provides central management of users and groups. When using a domain user account to sign into your system, the username and password entered are sent to the domain controller. The domain controller then checks to see if the username and password submitted match the credentials it has for that particular user. If they do match, it sends a message back to the local system verifying the credentials, and the user is allowed to sign into the system. Before a user can sign in using a domain account, the domain user account must have already been created in Active Directory and the computer must have been joined to the desired domain. To sign in using a domain account, you need to specify the domain you want to sign into. If this is the first time you are signing into the domain, or you want to make sure you are signing into the correct domain, select Other user from the sign-in screen. From this dialog, a known domain will be shown. If the domain shown is the one you want to use, enter the username and password in the applicable fields. However, if the domain listed is not correct, you can change domains by specifying the correct domain in the username field using the syntax domain\username. For example, to sign into the ACME domain using the Admin account, in the username field you would type ACME\Admin. As soon as you type the backslash, the name of the domain is shown in the Sign in to area.

Client-Server Network Model

In the client-server model, each host has a specific role in the network. Servers provide services such as file storage, user management, security configuration, and printing. Clients request services from servers. The client-server model is known as domain networking in a Windows environment. Some key domain networking facts include the following:
> Domain networking uses the concept of security principals. These are entities such as users, computers, and resources.
> A Windows domain is a collection of security principals that share a central authentication database known as Active Directory (AD).
> The Active Directory database is located on one or more servers in the domain.
- The servers running the Active Directory database are called domain controllers (DCs).
- Hosts must run a supported version of the Windows operating system to join a domain.
- The distinguished name of the domain is composed of the domain name along with the top-level domain name from DNS.
> Domains are much more efficient and scalable than workgroups due to a centralized management structure and function.
- Objects represent resources such as users, computers, and printers.
- Objects are used to define security attributes such as access, availability, and use limitations within the domain.
- Objects can be organized in container objects.
- An organizational unit (OU) is a type of container object used to logically organize network resources and simplify administration.
Some drawbacks of the client-server network model include increases in the following areas:
> Cost to implement due to specialized hardware and software requirements
> Planning time required for implementation
> Complexity of implementation
> Knowledge required to manage the implementation

newgrp

Is used to change the current group ID during a login session. If the optional - flag is given, the user's environment will be reinitialized as though the user had logged in. Otherwise, the current environment, including current working directory, remains unchanged. You can use this when working in a directory in which all the files must have the same group ownership.

Credential Management Systems

It's not uncommon for an organization's network to evolve over time to include many systems that use their own exclusive authentication mechanisms. In this situation, users must use several sets of authentication credentials to access the services on these systems. The danger associated with this situation is that users may begin to write down passwords or save them in a file. This represents a significant security risk. To prevent this from happening, consider using a credential management system. A credential management system securely stores a user's authentication credentials for multiple systems, including servers and websites.

John, a user, is attempting to install an application but receives an error that he has insufficient privileges. Which of the following is the MOST likely cause?

John has a local standard user account. If John is receiving an error that he has insufficient privileges to install an application, the most likely cause is that he has a local standard user account. Standard users have limited permissions. For example, standard users: > Can use applications (but they cannot install them) > Can change some settings that apply only to them > Cannot run applications in an elevated state John is not a local administrator, as he would not receive an error message in that case. The application is a valid Windows application, otherwise, the installation would not be able to start. Logging in with a Microsoft account would not give John the privileges to install an application.

Kerberos

Kerberos is used for both authentication and authorization services. It is the default authentication method used by computers that are a part of an Active Directory domain. Kerberos grants tickets, also called secure tokens, to authenticated users and to authorized resources. The process of using tickets to validate permissions is called delegated authentication. Kerberos uses the following components:
> An authentication server (AS) accepts and processes authentication requests.
> A service server (SS) is a server that provides or holds network resources.
> A ticket-granting server (TGS) grants tickets that are valid for specific resources on specific servers.
> The authentication server and ticket-granting server are often combined into a single entity known as the Key Distribution Center (KDC).
Kerberos uses the following process:
1. The client sends an authentication request to the authentication server.
2. The authentication server validates the user identity and grants a ticket-granting ticket (TGT). The TGT validates the user identity and is good for a specific ticket-granting server.
3. When the client needs to access a resource, it submits its TGT to the TGS. The TGS validates that the user is allowed access and issues a client-to-server ticket.
4. The client connects to the service server and submits the client-to-server ticket as proof of access.
5. The SS accepts the ticket and allows access.

Smart Card Benefits and Weaknesses

Key benefits of smart cards include the following: > They provide tamper-resistant storage for a user's private key and other personally identifying information (PII). > They isolate security-related operations from the rest of the system. > They allow security credentials to be portable. Smart cards are subject to the following weaknesses: > Microprobing - this is the process of accessing the chip surface directly to observe, manipulate, and interfere with the circuit. > Software attacks - these exploit vulnerabilities in the card's protocols or encryption methods. > Eavesdropping - this captures transmission data produced by the card as it is used. > Fault generation - this deliberately induces malfunctions in the card.

Generic container

Like OUs, generic containers are used to organize Active Directory objects. Generic container objects: > Are created by default > Cannot be moved, renamed, or deleted > Have very few properties you can edit

ulimit

Limits computer resources used for applications launched from the shell. Limits can be hard or soft limits. Soft limits can be temporarily exceeded up to the hard limit setting. Users can modify soft limits, but only the root user can modify hard limits. Options include:
> -c limits the size of a core dump file. The value is in blocks.
> -f limits the file size of files created using the shell session. The value is in blocks.
> -n limits the maximum number of files that can be open.
> -t limits the amount of CPU time a process can use. This is set in seconds.
> -u limits the number of concurrent processes a user can run.
> -d limits the maximum amount of memory a process can use. The value is in kilobytes.
> -H sets a hard resource limit.
> -S sets a soft resource limit.
> -a displays current limits. The default shows soft limits.

User Files

Linux is extremely flexible regarding where user and group information is stored. The options for storing the information are: > Local file system > LDAP-compliant database > Network Information System (NIS). NIS allows many Linux computers to share a common set of user accounts, group accounts, and passwords. > A Windows domain

Group Policy Objects (GPOs) are applied in which of the following orders?

Local Group Policy, GPO linked to site, GPO linked to domain, GPO linked to organizational unit (highest to lowest). Group Policy Objects (GPOs) are applied in the following order: > The Local Group Policy on the computer. > GPOs linked to the site. > GPOs linked to the domain that contains the User or Computer object. > GPOs linked to the organizational unit (OU) that contains the User or Computer object (from the highest-level OU to the lowest-level OU).

Match each Active Directory term on the left with its corresponding definition on the right.

> Logical organization of resources: Organizational unit
> Collection of network resources: Domain
> Collection of related domain trees: Forest
> Network resource in the directory: Object
> Group of related domains: Tree
The Active Directory structure includes the following components:
> A tree is a group of related domains that share the same contiguous DNS namespace.
> A forest is a collection of related domain trees.
> A domain is an administratively defined collection of network resources that share security policies and a common directory database.
> An organizational unit (OU) is like a folder. An OU subdivides and organizes network resources within a domain.
> An object is a network resource as identified within Active Directory.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

MS-CHAP is Microsoft's version of CHAP.
> MS-CHAP encrypts the shared secret on each system so that it is not saved in cleartext.
> MS-CHAP v2 allows for mutual authentication, in which both the server and the client authenticate. Mutual authentication helps to prevent man-in-the-middle attacks and server impersonation.

6.8.4 Add Users to a Group Lab

Maggie Brown (mbrown) and Corey Flynn (cflynn) have recently been hired in the human resources department. You have already created their user accounts. In this lab, your task is to:
> Add the hr group as a secondary group for the mbrown and cflynn user accounts.
> When you're finished, view the /etc/group file or use the groups command to verify the changes.
*When the -g switch is used with the usermod command, it sets the primary group membership, not the secondary group membership.
Complete this lab as follows:
1. Add users to the hr group.
a. At the prompt, type usermod -G hr mbrown and press Enter.
b. Type usermod -G hr cflynn and press Enter.
2. Verify the group membership for the users added to each group.
a. Type groups mbrown and press Enter.
b. Type groups cflynn and press Enter.

Mary, a user, is attempting to access her OneDrive from within Windows and is unable to. Which of the following would be the MOST likely cause?

Mary needs to log in with a Microsoft account. Microsoft accounts use a single sign-on system. This means that you can sign into different systems while maintaining the same user settings and password. You can even access your favorite websites. Microsoft accounts also provide synchronized access to other Microsoft services, such as Office 365, Outlook, Skype, OneDrive, Xbox Live, Bing, and Microsoft Store. A local user account can be created and used to sign in and access a Windows 10 computer instead of using a Microsoft account. When a local account is used, some features offered to Microsoft accounts are not available. These include Microsoft's OneDrive and synced settings. Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft. It is similar to on-premises Active Directory except that Azure AD runs in Microsoft's Azure cloud.

Member servers

Member servers are servers in the domain that do not have the Active Directory database.

Which of the following account types uses a single sign-on system that lets you access Windows, Office 365, Xbox Live, and more?

Microsoft Microsoft accounts use a single sign-on system. This means that you can sign into different systems while maintaining the same user settings and password. You can even access your favorite websites. Microsoft accounts also provide synchronized access to other Microsoft services, such as Office 365, Outlook, Skype, OneDrive, Xbox Live, Bing, and Microsoft Store. Administrator is a local user account that has complete control of a system. Domain accounts are created and stored in Active Directory on a domain controller server. This provides central management of users and groups. Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft. It is similar to on-premises Active Directory except that Azure AD runs in Microsoft's Azure cloud.

RADIUS

Microsoft servers use RADIUS for centralized remote access administration. When using RADIUS, be aware that RADIUS: > Combines authentication, authorization, and accounting. All three must be implemented through the RADIUS system. > Allows for the separation of accounting to different servers. However, authentication and authorization remain combined on a single server. > Supports PPP, CHAP, and PAP. > Uses a challenge-response method for authentication. > Does not transmit passwords in cleartext between the RADIUS client and the RADIUS server. - A shared secret is used between the RADIUS server and the RADIUS client. - The password is hashed and the hash is added to the password before it is transmitted. - RADIUS encrypts only the password using MD5. > Uses UDP ports 1812 and 1813 and can be vulnerable to buffer overflow attacks. > Often uses vendor-specific extensions. RADIUS solutions from different vendors might not be compatible. When configuring a RADIUS solution, configure a server as a RADIUS server to provide AAA services. Then, configure all remote access servers as RADIUS clients.

usermod

Modifies group membership for the user account. Be aware of the following options:
> -g assigns a user to a primary group.
> -G assigns a user to a secondary group (or groups). Follow the command with a comma-separated list of groups.
> -aG assigns a user to a secondary group (or groups) by appending the group to any groups the user already belongs to. Follow the command with a comma-separated list of groups.
> -G "" removes the user from all secondary group memberships. Do not include a space between the quotes.

groupmod

Modifies the existing group. Be aware of the following options:
> groupname prompts for a new password.
> -r removes a group password.

groupdel

Modifies the system account files by deleting all entries that refer to the specified group. The named group must exist. *You cannot remove the primary group of any existing user. You must remove the user before you remove the group.

Trees and forests

Multiple domains are grouped together in the following relationship: > A tree is a group of related domains that share the same contiguous DNS namespaces. > A forest is the highest level of the organization hierarchy and is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.

Which of the following is a feature of MS-CHAP v2 that is not included in CHAP?

Mutual authentication MS-CHAP v2 allows mutual authentication, in which the server authenticates to the client. Both CHAP and MS-CHAP use a three-way handshake process for authenticating users with usernames and passwords. The password (or shared secret) value is hashed. The hash is sent for authentication, not the shared secret.

Objects

Objects are data, applications, systems, networks, and physical space.

Windows

On Windows hosts, you can use Credential Manager to manage authentication credentials. Credential Manager stores account credentials for network resources, such as file servers and websites. Credential Manager:
> Saves authentication credentials in the Windows Vault.
> Uses saved account credentials when the user accesses a particular network resource.
> Stores account credentials from Windows Explorer, Internet Explorer, or the Remote Desktop client.
> Allows account credentials to be added to the vault using one of the following methods:
  - The Remember My Credentials link in the Windows Security dialog allows the credentials to be added when accessing the resource.
  - The Add a Windows credential link allows the credentials to be added without accessing the resource. When using this option, you must enter the internet or network address of the resource.
> Allows saved credentials to be edited or deleted.
> Does not display passwords for saved credentials.

Anonymous

Only a user name (no password) is required to authenticate.

Open Authorization (OAuth)

Open Authorization (OAuth) is an open standard for token-based authentication and authorization on the internet. It allows access tokens to be issued to third-party clients by an authorization server with the approval of the resource owner. The third party uses the access token to access the protected resources hosted by the resource server. This mechanism is used by companies like Google, Facebook, Microsoft, and Twitter, to permit users to share information about their accounts with third-party applications or websites. OAuth specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. It is designed to work with the Hypertext Transfer Protocol (HTTP). OAuth is a service that is complementary to and distinct from OpenID.

Which of the following authentication protocols transmits passwords in cleartext and, therefore, is considered too unsecure for modern networks?

PAP Password Authentication Protocol (PAP) is considered unsecure because it transmits password information in cleartext. Anyone who sniffs PAP traffic from a network can view the password information from a PAP packet with a simple traffic analyzer. Challenge Handshake Protocol (CHAP) uses a three-way handshake to authenticate users. During this handshake, a hashed value is used to authenticate the connection. Extensible Authentication Protocol (EAP) is an enhanced authentication protocol that can use a variety of authentication methods, including digital certificates and smart cards. Remote Authentication Dial-In User Service (RADIUS) is an authentication system that allows the centralization of remote user account management.

Match the authentication factor types on the left with the appropriate authentication factor on the right. Each authentication factor type may be used more than once.

PIN: Something You Know
Smart Card: Something You Have
Password: Something You Know
Retina Scan: Something You Are
Fingerprint Scan: Something You Are
Hardware Token: Something You Have
Passphrase: Something You Know
Voice Recognition: Something You Are
Wi-Fi Triangulation: Somewhere You Are
Typing Behaviors: Something You Do
Something You Know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples of Something You Know authentication controls include:
> Passwords, codes, or IDs
> PINs
> Passphrases (long multi-word passwords)
Something You Have (also called token-based authentication) is authentication based on something users have in their possession. Examples of Something You Have controls include:
> Swipe cards
> Photo IDs
> Smart cards
> Hardware tokens
Something You Are authentication uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. Biometric systems are the most expensive and least accepted system type, but are generally considered the most secure form of authentication. Common attributes used for biometric systems include:
> Fingerprints
> Hand topology (side view) or geometry (top-down view)
> Palm scans
> Retina scans
> Iris scans
> Facial scans
> Voice recognition
Somewhere You Are authentication (also known as geolocation) is a supplementary authentication factor that uses physical location to verify a user's identity. Examples of implementations include:
> An account is locked unless the user has passed through the building's entrance using an ID card.
> If the user is within RFID range of the workstation, authentication requests are allowed.
> GPS or Wi-Fi triangulation location data is used to determine a device's location. If the user and the device are in a specified location, authentication requests are allowed. If not, the device is locked.
Something You Do is a supplementary authentication factor that requires an action to verify a user's identity. Example implementations include:
> Analyzing a user's handwriting sample against a baseline sample before allowing authentication.
> Analyzing a user's typing behaviors against a baseline sample before allowing authentication.

Point-to-Point Protocol (PPP)/Point-to-Point Protocol over Ethernet (PPPoE)

PPP and PPPoE use the data link layer. PPP is less common because it typically uses dial-up connections. PPPoE normally requires a static IP from the ISP and sometimes a username and a password to authenticate with the ISP.

Public Switched Telephone Network (PSTN)

PSTN uses modems to connect to a remote access server. This, however, is an outdated method because of slow connection speeds.

What type of password is maryhadalittlelamb?

Passphrase A passphrase is a password long enough to be a phrase, such as maryhadalittlelamb. Cognitive passwords relate to things that people know, such as a mother's maiden name or a pet's name. A static password is created by a user and overseen by an administrator. Composition passwords are created by the system and are usually two or more unrelated words divided by symbols on the keyboard.

Which of the following identifies the type of access that is allowed or denied for an object?

Permissions Permissions define the rights and access users and groups have with objects. Permissions are applied to objects such as files and folders. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). On a Microsoft system, a user right is a privilege or action that can be taken on a system, such as logging on, shutting down, backing up the system, or modifying the system date and time. A system access control list (SACL) is used by Microsoft for auditing in order to identify past actions performed by users on an object.

Which of the following are differences between RADIUS and TACACS+?

RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers. TACACS+ provides three protocols (one each for authentication, authorization, and accounting). This allows each service to be provided by a different server. In addition, TACACS+:
> Uses TCP
> Encrypts the entire packet contents
> Supports more protocol suites than RADIUS

You often travel away from the office. While traveling, you would like to use your laptop computer to connect directly to a server in your office and access files. You want the connection to be as secure as possible. Which type of connection do you need?

Remote access Use a remote access connection to connect directly to a server at a remote location. You could use a virtual private network (VPN) connection through the internet to connect to the server securely. However, the connection would involve connecting first to the internet through a local ISP and then establishing a VPN connection to the server. While the VPN connection through the internet is secure, it is not as secure as a direct remote connection to the server. An intranet is an internal network that only internal users can access.

Remote Access

Remote access allows a host to connect to a server, or even a private network, and access resources on that remote system as if the host were connected locally. Business users typically use remote access connections to connect to the office from home or while traveling. Authorization is the process of identifying the resources that you can access via the remote access connection. Remote access protocols determine how devices connect with, verify, and communicate with one another. Remote access policies are commonly used to restrict access. Authorization can restrict access based on:
> Time of day
> Type of connection (for example, PPP/PPPoE, wired, or wireless)
> Location of the resource (to restrict access to specific servers)

What does a remote access server use for authorization?

Remote access policies Authorization is the process of identifying the resources that a user can access over a remote access connection. Authorization is controlled through the use of network policies (remote access policies) and access control lists (ACLs). Authorization can restrict access based on:
> Time of day
> Type of connection (PPP or PPPoE, wired or wireless)
> Location of the resource (restrict access to specific servers)
Authentication is the process of proving identity. Common protocols used for remote access authentication include PAP, CHAP, MS-CHAP, or EAP. Usernames and passwords are used during identification and authentication as authentication credentials. SLIP and PPP are remote access connection protocols that are used to establish and negotiate parameters used for remote access.

Remote access policies

Remote access policies are used to restrict access. The policies identify authorized users, conditions, permissions, and connection parameters such as time of day, authentication protocol, caller ID, etc.

Remote Access Policies

Remote access policies identify users who can connect and specify whether the connection is allowed or denied. These policies can be defined on the remote access server itself. When the remote user connects, the remote access server checks the policies to find out the type of restrictions to be applied. If the demand for remote access grows beyond the capacity of a single remote access server to support all of the remote clients, an authentication, authorization, and accounting (AAA) server can be used. Accounting is the process of keeping track of what was done during a connection. For instance, you might need to keep track of how long clients were connected so you can bill a department based on connection time. Accounting is also the process of keeping track of the connection characteristics. With an AAA server, policies are defined once on the AAA server instead of on each individual remote access server. When an authentication request is sent to a remote access server, the authentication request is forwarded to the AAA server, where the credentials and the policies are consulted to identify whether the access should be allowed or denied. There are two common solutions for providing this type of authentication mechanism:

userdel

Remove the user from the system. Be aware of the following options:
> userdel [username] (without options) removes the user account.
> -r removes the user's home directory.
> -f forces the removal of the user account even when the user is logged into the system.

Replication

Replication is the process of copying changes to Active Directory on the domain controllers.

Which account type in Linux can modify hard limits using the ulimit command?

Root Only the root user in Linux can modify hard limits using the ulimit command. Standard and administrator are Windows user types. Users can modify soft limits but not hard limits using the ulimit command.

Which of the following is used by Microsoft for auditing in order to identify past actions performed by users on an object?

SACL A system access control list (SACL) is used by Microsoft for auditing in order to identify past actions performed by users on an object. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). On a Microsoft system, a user right is a privilege or action that can be taken on a system, such as logging on, shutting down, backing up the system, or modifying the system date and time. Permissions define the rights and access users and groups have with objects. Permissions are applied to objects such as files and folders.

You want to use Kerberos to protect LDAP authentication. Which authentication mode should you choose?

SASL Choose SASL (Simple Authentication and Security Layer) authentication mode to use Kerberos with LDAP. SASL is extensible and lets you use a wide variety of protection methods. Lightweight Directory Access Protocol (LDAP) authentication modes include anonymous, simple, and SASL authentication modes. EAP is an extensible authentication protocol for remote access. It is not used in conjunction with LDAP.

Simple Authentication and Security Layer (SASL)

SASL is an extensible mechanism for protecting authentication.

Simple Network Management Protocol Version 3 (SNMPv3)

SNMPv3 is a protocol used to monitor and manage devices on a network. SNMPv3 provides authentication and encryption.

6.7.8 Change a User's Password Lab

Salman Chawla (schawla) forgot his password and needs access to the resources on his computer. You are logged on as wadams. The password for the root account is 1worm4b8. In this lab, your task is to:
> Change the password for the schawla user account to G20oly04 (0 is a zero).
> Make sure the password is encrypted in the shadow file.
*Do not use the usermod -p command to change the password, as this stores the unencrypted version of the password in the /etc/shadow file.
Complete this lab as follows:
1. Change Salman Chawla's password.
  a. At the prompt, type su -c "passwd schawla", then press Enter.
  b. Type 1worm4b8, then press Enter. This is the password for the root user.
  c. At the New password prompt, type G20oly04, then press Enter. This is the new password for the schawla user account.
  d. At the Retype new password prompt, type G20oly04, then press Enter.

Which type of group can be used for controlling access to objects?

Security Only security groups can be used for controlling access to objects. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). Distribution groups cannot be used for controlling access to objects. Authorization is the process of controlling access to resources such as computers, files, or printers.

chage

Set user passwords to expire. Be aware of the following options:
> -M sets the maximum number of days before the password expires.
> -W sets the number of days before the password expires that a warning message displays.
> -m sets the minimum number of days that must pass after a password has been changed before a user can change the password again.

What is the effect of the following command? chage -M 60 -W 10 jsmith

Sets the password for jsmith to expire after 60 days and gives a warning 10 days before expiration. Using chage -M 60 -W 10 jsmith sets the password for jsmith to expire after 60 days and gives a warning 10 days before expiration. Using chage sets user passwords to expire. Be aware of the following options:
> -M sets the maximum number of days before the password expires.
> -W sets the number of days before the password expires that a warning message displays.
> -m sets the minimum number of days that must pass after a password change before a user can change the password again.

Lori Redford, who has been a member of the Project Management group, was recently promoted to manager of the team. She has been added as a member of the Managers group. Several days after being promoted, Lori needs to have performance reviews with the team she manages. However, she cannot access the performance management system. As a member of the Managers group, she should have the Allow permission to access this system. What is MOST likely preventing her from accessing this system?

She is still a member of the Project Management group, which has been denied permission to this system. Deny permissions always override Allow permissions. The most likely cause of this problem is that Lori is still a member of the Project Management group, which has been denied permission to this system. Deny permissions always override Allow permissions. Allow permissions do not override Deny permissions unless the Allow permission is explicitly assigned and the Deny permission is inherited. It is unlikely that her user object has been assigned an explicit Deny permission to the performance management system since best practice is to assign permissions to groups, not to users.

Smart cards

Similar in appearance to credit cards, smart cards have an embedded memory chip that contains encrypted authentication information. These cards are used for authentication.

Which of the following are examples of Something You Have authentication controls? (Select two.)

Smart card Photo ID Something You Have authentication controls include physical items that you have in your possession, such as a smart card, photo ID, token device, or swipe card. Something You Know authentication requires you to provide a password, PIN, passphrase, or the answer to a cognitive question (such as your mother's maiden name). Something You Are authentication uses a biometric system, such as a fingerprint, retina scan, voice recognition, keyboard, or writing recognition.

Smart Cards

Smart cards are plastic cards similar to credit cards that have an embedded memory chip that contains encrypted authentication information. Be aware that smart cards:
> Use public key infrastructure (PKI) technology to store digital signatures, cryptography keys, and identification codes.
> Can authenticate a user when used in conjunction with a smart card reader connected to a computer system.
> Typically have RAM, ROM, programmable ROM, and a microprocessor integrated within the card itself.
> Have their own processor, allowing the card to perform its own cryptographic functions.
> Use a serial interface to connect to the card reader.
> Are powered externally by the smart card reader.
> Are generally considered to be tamper-proof.
> Can be divided into two categories:
  - Contact smart cards: these cards use a gold-plated contact pad that must physically touch the contact pad on a smart card reader.
  - Contactless smart cards: these cards do not require physical contact with the reader device. Instead, these cards use Radio Frequency Identification (RFID) technology to communicate with the smart card reader. An antenna is wound around the edge of the card and activated when the card is within proximity of the card reader.

Match each smart card attack on the left with the appropriate description on the right.

Software attacks: Exploits vulnerabilities in a card's protocols or encryption methods
Eavesdropping: Captures transmission data produced by a card as it is used
Fault generation: Deliberately induces malfunctions in a card
Microprobing: Accesses the chip's surface directly to observe, manipulate, and interfere with a circuit
Smart cards are subject to the following weaknesses:
> Microprobing is the process of accessing a chip's surface directly to observe, manipulate, and interfere with the circuit.
> Software attacks exploit vulnerabilities in the card's protocols or encryption methods.
> Eavesdropping captures transmission data produced by the card as it is used.
> Fault generation deliberately induces malfunctions in a card.

Standard User

Standard users have limited permission. For example, standard users can:
> Use applications (but they cannot install them)
> Change some settings that apply only to them
Standard users cannot run applications in an elevated state.

Subjects

Subjects are users, applications, or processes that need access to objects.

You are teaching new users about security and passwords. Which of the following is the BEST example of a secure password?

T1a73gZ9! The most secure password is T1a73gZ9! because it is eight or more characters in length and combines uppercase and lowercase characters, special symbols, and numbers. The least secure password is 8181952 because it appears to be a birthday. JoHnSmITh is not secure because it is still a name. Stiles_2031 is more secure but not as secure as random numbers and letters.

Terminal Access Controller Access-Control System Plus (TACACS+)

TACACS and the updated version, TACACS+:
> Separate authentication, authorization, and accounting into different services.
> Allow the services to be on the same server or split between different servers.
> Use Transmission Control Protocol (TCP) instead of UDP.

Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.)

TACACS+ RADIUS Both RADIUS and TACACS+ are protocols used for centralized authentication, authorization, and accounting with remote access. Remote access clients send authentication credentials to remote access servers. Remote access servers are configured as clients to the RADIUS or TACACS+ servers and forward the authentication credentials to the servers. The servers maintain a database of users and policies that control access for multiple remote access servers. AAA stands for authentication, authorization, and accounting. AAA is a generic term that describes the functions performed by RADIUS and TACACS+ servers. A public key infrastructure (PKI) is a system of certificate authorities that issue certificates. 802.1x is an authentication mechanism for controlling port access. EAP is an authentication protocol that enables the use of customized authentication methods.

TACACS+

TACACS+ was originally developed by Cisco for centralized remote access administration. TACACS+:
> Provides three protocols, one each for authentication, authorization, and accounting. This allows each service to be provided by a different server.
> Uses TCP port 49.
> Encrypts the entire packet contents, not just authentication packets. The client-server dialogs are also encrypted.
> Supports more protocol suites than RADIUS.
> Requires remote access servers to become TACACS+ clients to the backend TACACS+ server, similar to a RADIUS solution.
TACACS was originally developed in 1984 by BBN Technologies. The current version of the protocol standard, TACACS+, was developed by Cisco Systems but is supported by many vendors, such as BlueCat Networks, IBM, Netgear, and more. TACACS and Extended Terminal Access Controller Access-Control System (XTACACS) are older protocols developed before TACACS+. While they sound similar, they are different and less-secure protocols.

6.7.6 Delete a User Lab

Terry Haslam (thaslam) was dismissed from the organization. His colleagues have harvested the files they need from his home and other directories. Your company security policy states that upon dismissal, user accounts should be removed in their entirety. In this lab, your task is to:
> Delete the thaslam user account and home directory from the system.
> When you're finished, view the /etc/passwd file and /home directory to verify the account's removal.
Complete this lab as follows:
1. Delete the Terry Haslam account and home directory.
  a. At the prompt, type userdel -r thaslam and press Enter.
2. Verify the account's removal.
  a. Type cat /etc/passwd and press Enter.
  b. Type ls /home and press Enter to verify that the account was removed.

/etc/default/useradd

The /etc/default/useradd file contains default values used by the useradd utility when creating a user account, including:
> Group ID
> Home directory
> Account expiration
> Default shell
> Secondary group membership

/etc/login.defs

The /etc/login.defs file contains:
> Values used for the group and user ID numbers
> Parameters for password encryption in the shadow file
> Password expiration values for user accounts

/etc/passwd

The /etc/passwd file contains the user account information. Each user's information is stored in a single line in this file. There are two types of accounts in a Linux system:
> Standard accounts (these are user accounts).
> System user accounts (these are used by services).

/etc/shadow

The /etc/shadow file contains the users' passwords in an encrypted format. The shadow file is linked to the /etc/passwd file. There are corresponding entries in both files, and they must stay synchronized. There are password and user management utilities provided by the system that allow you to edit the files and keep them synchronized. You can use the following commands to identify errors and synchronize the files:
> pwck verifies each line in the two files and identifies discrepancies.
> pwconv adds the necessary information to synchronize the files.

/etc/skel

The /etc/skel directory contains a set of configuration file templates that are copied into a new user's home directory when it is created, including the following files:
> .bashrc
> .bash_logout
> .bash_profile
> .kshrc

Replication

The Active Directory database can be replicated to other systems. This eliminates the need to manually recreate user accounts on every system that a user may need to access.

The Hide Programs and Features page setting is configured for a specific user as follows:
Policy | Setting
Local Group Policy | Enabled
Default Domain Policy GPO | Not Configured
GPO linked to the user's organizational unit | Disabled
After logging in, the user is able to see the Programs and Features page. Why does this happen?

The GPO linked to the user's organizational unit is applied last, so this setting takes precedence. The GPO linked to the user's organizational unit is applied last. With this in mind, the setting that disables the policy to hide the Programs and Features page takes precedence. In this question's scenario, Local Group Policy enables the policy to hide the Programs and Features page. When the Default Domain Policy GPO is applied, this policy is set to Not configured. It doesn't change anything. When the GPO linked to the user's organizational unit is applied, the setting for this policy is disabled. This reverses the setting in the Local Group Policy and makes the Programs and Features page visible to the user. The Local Group Policy is applied first. GPOs linked to the user's domain are applied second and take precedence over settings in the Local Group Policy. GPOs linked to the user's organizational unit are applied last and take precedence over any preceding policy settings.

Lightweight Directory Access Protocol (LDAP)

The Lightweight Directory Access Protocol (LDAP) is a lightweight protocol that allows users and applications to read from and write to an LDAP-compliant directory service, such as Active Directory, eDirectory, and OpenLDAP. The LDAP client must bind (authenticate) to the directory service before reading/writing to the database. The LDAP server can also authenticate to the client. This is known as mutual authentication. LDAP supports the following authentication modes when binding to a directory service:

6.7.4 Create a User Account Lab

The VP of marketing has told you that Paul Denunzio will join the company as a market analyst in two weeks. You need to create a new user account for him. In this lab, your task is to:
> Create the pdenunzio user account.
> Include the full name, Paul Denunzio, as a comment for the user account.
> Set eye8cereal as the password for the user account.
> When you're finished, view the /etc/passwd file to verify the creation of the account.
> Answer the question.
Q1: What is Paul's user ID? Correct answer: 510
Complete this lab as follows:
1. Create the Paul Denunzio account and comment.
  a. From the Linux prompt, type useradd -c "Paul Denunzio" pdenunzio and press Enter.
2. Create a password for Paul.
  a. Type passwd pdenunzio and press Enter.
  b. Type eye8cereal as the password and press Enter.
  c. Retype eye8cereal as the password and press Enter.
3. Verify that the account was created.
  a. Type cat /etc/passwd and press Enter.
4. Answer the question.
  a. In the top right, select Answer Questions.
  b. Select the correct answer.
  c. Select Score Lab.

Account Maintenance

The following list provides best practices for account maintenance:
> Delete an employee's account when the employee leaves the organization.
> Disable inactive accounts.
> Use automatic account expiration when applicable.
> Restrict remote access only to authorized clients (filtering by IP address).

Limit Remote Access

The following precautions should be taken when administering remote access:
> Allow remote access to the network only for those users who need it to perform their duties (not standard for all users).
> Do not allow remote access clients to connect directly to the internal network. Allow remote access clients to connect to a DMZ and then monitor the traffic.
> Restrict remote access only to authorized clients. You can filter by IP address.

Cumulative permissions

The following suggestions will help you plan permissions and mitigate issues related to cumulative permissions:
> Identify the users and their access needs (the actions each user needs to be able to perform).
> Create a group for each type of user with similar needs. Then, make the users members of the appropriate group.
> Assign each group (not user) the permissions appropriate to the group's data access needs. Grant only the permissions that are necessary.
> Take inheritance into account as you assign permissions. Inheritance means that permissions granted to a parent container object flow down to child objects within the container. Set permissions as high as possible on the parent container and allow each child container to inherit the permissions.
> Override inheritance on a case-by-case basis when necessary.

User Security Commands

The following table describes Linux commands used to promote user security and restrictions:

Authentication Management Tools

The following tools can be used to manage authentication credentials:

Which of the following defines the crossover error rate for evaluating biometric systems?

The point where the number of false positives matches the number of false negatives in a biometric system. The crossover error rate, or the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system. A false negative (or Type I error) occurs when a person who should be allowed access is denied access. A false positive (or Type II error) occurs when a person who should be denied access is allowed access. The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated.

You are attempting to delete the temp group but are unable to. Which of the following is the MOST likely cause?

The primary group of an existing user cannot be deleted. You cannot remove the primary group of any existing user. You must remove the user before you remove the group. Deleting all users would not prevent a group from being deleted. Groups can be deleted using the groupdel command. Secondary groups of a user can be deleted. This event would not prevent a group from being deleted.

Microprobing

The process of accessing a smart card's chip surface directly to observe, manipulate, and interfere with the circuit.

Authorization

The process of controlling access to resources, such as computers, files, or printers.

Radio frequency identification (RFID)

The wireless, non-contact use of radio frequency waves to transfer data.

Linux

There are a variety of credential management systems available for Linux systems. One commonly used package is KWalletManager, which stores account credentials for network resources, such as file servers and websites. KWalletManager: > Saves the account credentials in a secure "wallet." > Stores authentication credentials used to connect to network servers as well as secure websites. > Uses saved account credentials when the user accesses a particular network resource. > Offers two encryption options, Blowfish and GPG, for protecting credentials stored in the wallet. > Does not display passwords for saved credentials. > Uses the KDE Wallet Manager application to add, remove, or modify saved credentials. KDE Wallet Manager can also back up the contents of the wallet by exporting it to an encrypted .kwl file.

6.5.4 Active Directory Facts

This lesson covers the following topics: > Active Directory > Active Directory components

6.9.4 RADIUS and TACACS+ Facts

This lesson covers the following topics: > Authentication, authorization, and accounting (AAA) server > Remote Authentication Dial-in User Service (RADIUS) > Terminal Access Controller Access-Control System Plus (TACACS+)

6.3.3 Authorization Facts

This lesson covers the following topics: > Authorization > Access control lists (ACLs) > Permissions, privileges, and roles

6.10.8 Credential Management Facts

This lesson covers the following topics: > Credential management systems > Authentication management tools

6.5.9 Group Policy Facts

This lesson covers the following topics: > Group Policy > GPO structure

6.6.9 Hardening Authentication Facts

This lesson covers the following topics: > Hardening authentication methods > Hardening authentication best practices

6.4.8 Windows User Management Facts

This lesson covers the following topics: > Local user accounts > Workgroup membership > Microsoft account sign-in > Domain account sign-in > Azure Active Directory account sign-in

6.10.2 Network Authentication Facts

This lesson covers the following topics: > Network authentication overview > Network authentication protocols

6.9.2 Remote Access Facts

This lesson covers the following topics: > Remote access > Remote access protocols > Remote access policies

6.6.12 Smart Card Authentication Facts

This lesson covers the following topics: > Smart cards > Smart card benefits and weaknesses

6.7.3 Linux User Commands and Files

This lesson covers the following topics: > User files > User management commands

6.7.12 Linux User Security and Restriction Facts

This lesson covers the following topics: > User security > User security commands

6.8.2 Linux Group Commands

This lesson covers the topic of Linux group commands.

When using Kerberos authentication, which of the following terms is used to describe the token that verifies the user's identity to the target system?

Ticket The tokens used in Kerberos authentication are known as tickets. Tickets perform a number of functions, including notifying the network service of the user who has been granted access and authenticating the identity of that person when he or she attempts to use the network service. The terms coupon and voucher are not associated with Kerberos or any other commonly implemented network authentication system. The term hashkey is sometimes used to describe a value that has been derived from some piece of data when that value is then used to access a service. This term is not associated with Kerberos.

A user has just authenticated using Kerberos. Which object is issued to the user immediately following login?

Ticket-granting ticket Kerberos functions as follows: 1. The client sends an authentication request to the authentication server. 2. The authentication server validates the user's identity and grants a ticket-granting ticket (TGT). The TGT validates the user's identity and is good for a specific ticket-granting server. 3. When the client needs to access a resource, it submits its TGT to the ticket-granting server (TGS). The TGS validates that the user is allowed access and issues a client-to-server ticket. 4. The client connects to the service server (SS) and submits the client-to-server ticket as proof of access. 5. The SS accepts the ticket and allows access.

Windows Settings App

To create a local account on a computer not joined to a domain: 1. Right-click Start, select Settings, and then choose Accounts. 2. Select Family & other users (or Other users if the computer is joined to a domain). Then select Add someone else to this PC. 3. Follow the remaining steps to enter the name and password for the new user.

Computer Management

To create a local account: 1. Right-click Start and then select Computer Management. 2. From Computer Management, expand Local Users and Groups. 3. Right-click Users and then select New User. 4. Complete the required options and click Create. With this tool you are not required to use security questions. This method also gives you the ability to: > Force users to change the password at the next sign-in > Restrict the user from changing the password > Allow the password to never expire > Disable/enable an account

Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database. Which action should you take? (Select two. Each response is part of a complete solution.)

Train sales employees to use their own user accounts to update the customer database. Delete the account that the sales employees are currently using. You should prohibit the use of shared user accounts. Allowing multiple users to share an account increases the likelihood of the account being compromised. Because the account is shared, users tend to take security for the account less seriously. In the scenario, the following tasks need to be completed: > The existing shared user account needs to be deleted. Until you delete the account, users can continue to use it for authentication. You could just change the password on the account, but there is a high chance that the new password would be shared again. > Train sales employees to use their own user accounts to update the customer database. Ensure that these accounts have the level of access required for users to access the database. Applying time-of-day login restrictions in a Group Policy object does not address the issue in this scenario.

Your LDAP directory-services solution uses simple authentication. What should you always do when using simple authentication?

Use SSL Protect LDAP simple authentication by using SSL to protect authentication traffic. LDAP simple authentication uses cleartext for username and password exchange. Protect this exchange with SSL. While you can protect authentication using SASL, this requires changing the authentication mode of LDAP from simple to SASL. When using SASL, you can use a wide range of solutions, such as TLS, Kerberos, IPsec, or certificates.

Linux Group Commands

Use the following commands to manage group accounts and group membership:

usermod

Used to modify an existing user account; usermod uses several of the same switches as useradd. Be aware of the following switches: > -c changes the description for the account. > -l renames a user account. > -L locks the user account. This command inserts a ! before the password in the /etc/shadow file, effectively disabling the account. > -U unlocks the user account.

Which security mechanism uses a unique list that meets the following specifications: > The list is embedded directly in the object itself. > The list defines which subjects have access to certain objects. > The list specifies the level or type of access allowed to certain objects.

User ACL A user ACL (user access control list) is a security mechanism that defines which subjects have access to certain objects and the level or type of access allowed. This security mechanism is unique for each object and embedded directly in the object itself. Mandatory access control (MAC) is an access control system based on classifications of subjects and objects to define and control access. Conditional access is a way to enforce access control while also encouraging users to be productive wherever they are. Hashing is a cryptographic tool that creates an identification code that is employed to detect changes in data.

User Configuration

User policies are enforced for specific users and are applied when the user logs on. User Policy settings include: > Software that should be installed for a specific user > Scripts that should run at logon or logoff > Internet Explorer user settings (such as favorites and security settings) > Registry settings that apply to the current user (the HKEY_CURRENT_USER subtree) User policies are initially applied as the user logs on and customize Windows based on his or her preferences.

Which of the following is a privilege or action that can be taken on a system?

User rights On a Microsoft system, a user right is a privilege or action that can be taken on a system, such as logging on, shutting down, backing up the system, or modifying the system date and time. User rights apply to the entire system. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). Microsoft uses a system access control list (SACL) for auditing in order to identify past actions performed by users on an object. Permissions define the rights and access users and groups have with objects. Permissions are applied to objects such as files and folders.

Which of the following identification and authentication factors are often well known or easily discovered by others on the same network or system?

Username The username is typically the least protected identification and authentication factor. Therefore, usernames are often well known or easy to discover, especially by others on the same network or system. The key to maintaining a secure environment is to keep authentication factors secret. Often, usernames are constructed using a standard naming convention, such as first and middle initials plus the full last name, or the first name and last name separated by a period. If these simple construction conventions are known, building usernames from an employee list is very simple. Passwords, your PGP secret key, and your biometric reference profile are less likely to be well known or easy to discover.

You have just configured the password policy and set the minimum password age to 10. What is the effect of this configuration?

Users cannot change the password for 10 days. The minimum password age setting prevents users from changing the password too frequently. After the password is changed, it cannot be changed again for at least 10 days. The maximum password age setting determines how frequently a password must be changed. The minimum password length setting controls the minimum number of characters that must be in the password. Password history is used to prevent previous passwords from being reused.

Multifactor authentication

Using more than one method to authenticate users.

Voice

Voice recognition systems analyze a person's voice for things like pitch, intensity, and cadence. These systems can be text dependent or text independent. Text-dependent authentication requires a specific phrase to be spoken. This could be a pre-determined phrase, or it could be randomly generated. Text-independent authentication uses any speech content.

User Security

When considering user security, keep the following in mind: > Users should be trained to use secure passwords. - Secure passwords use numbers and letters and are more than seven characters in length. > Passwords should expire periodically but not too often. > Administrators can limit the resources that the user can access.

Hardening Authentication Best Practices

When controlling user account and password security, be aware of the following: > For large environments, implement a password management system with a self-service password reset management system. This allows a user to change his or her own password and ensures that only he or she knows it. In a system where administrators hand out passwords that users cannot change, passwords lack security. In this type of arrangement, no matter how complex the password is, more than one person knows what it is. This can affect the security of the system. > Implement account auditing to track incorrect login attempts. Small numbers of incorrect logon attempts occur naturally as users mistype or forget passwords. Large numbers of incorrect login attempts could identify a potential hacker trying to guess passwords. > Scan systems to identify unused user accounts or accounts with blank passwords.

Multifactor Authentication

When possible, multifactor authentication should be used. This means using more than one method to authenticate your users. End users can be authenticated using three types of factors: > Something you know > Something you have > Something you are Robust authentication processes use two or more of these factors.

Which of the following are disadvantages of biometrics? (Select two.)

When used alone, they are no more secure than a strong password. They have the potential to produce numerous false negatives. When a biometric is used by itself, it is no more secure than a strong password. A single successful attack can subvert a biometric in much the same way that a single successful attack can subvert a password. Biometric attacks need not be based on physical harm (such as cutting off a finger), but can include a wide variety of realistic reproductions that fool the biometric reader device. When a biometric device's sensitivity is set too high, it results in numerous false rejections (when authorized users are not recognized and are therefore rejected). The advantage of biometrics is that no two people have the same biometric characteristics. Most characteristics, such as retinal patterns, are unique, even among identical twins. A password can be discovered using a brute force attack, but there is no such attack against biometrics.

Workgroup Membership

When working in an environment where multiple computers are connected on a network, one method of sharing resources between computers is to use a workgroup. A workgroup is Microsoft's implementation of peer-to-peer networking. Although using domains is the preferred method, workgroups can be useful in small environments of about two to eight computers. Anything larger than that begins to be an administrative challenge.

Microsoft Account Sign-In

With Windows 10, Microsoft's preferred method of signing onto a system is to use a Microsoft account. Microsoft accounts use a single sign-on system. This means that you can sign into different systems while maintaining the same user settings and password. You can even access your favorite websites. Microsoft accounts also provide synchronized access to other Microsoft services such as Office 365, Outlook, Skype, OneDrive, Xbox Live, Bing, and Microsoft Store. Microsoft accounts can be created using an existing email address or by signing up for a Microsoft email address. You can also use a phone number instead of an email address. If your Windows system was originally configured to sign in using a local account, you can switch to a Microsoft account by doing the following: 1. Select the Start menu and go to Settings > Accounts > Your info. 2. Select Sign in with a Microsoft account instead. (Note: if you see Sign in with a local account instead, you're already using your Microsoft account.) 3. Follow the prompts to switch to your Microsoft account. If needed, you can create a Microsoft account at this time. To switch from a Microsoft account back to a local account, right-click Start and go to Settings > Accounts > Your info. Then select Sign in with a local account instead and follow the prompts.

Stand-Alone Model

With a stand-alone model, each Windows system functions independently of other systems. This means that you cannot transmit information directly from one host to another. The only way to transmit data between these systems is through a public network, such as the internet. In this model, the computers are not connected by a network.

Object

Within Active Directory, each resource is identified as an object. Common objects include: > Users > Groups > Computers > Shared folders Each object contains additional information about the shared resource that can be used for locating and securing resources. Groups are composed of other directory objects that have a common level of access. The schema identifies the object classes (the type of objects) that exist in the tree and the attributes (properties) of the objects. In Active Directory, each user is assigned a Security Account Manager (SAM) account name; therefore, each user name must be unique.

Which networking model is based on peer-to-peer networking?

Workgroup A workgroup model is based on peer-to-peer networking. In the workgroup model: > No hosts in a workgroup have a specific role. - All hosts can function as both workstations and servers. - All hosts in a workgroup can provide network services or consume network services. > Hosts are linked together by some type of local network connection. > Hosts in the same workgroup can access shared resources on other hosts. > No specialized software is required. In a standalone model, each Windows system functions independently of other systems. In the client-server model, each host has a specific role in the network. Servers provide services such as file storage, user management, security configuration, and printing. Clients request services from servers.

You are a contract support specialist managing the computers in a small office. You see that all the computers are only using local user accounts. Which of the following models could this office be using? (Select two.)

Workgroup Standalone The standalone and workgroup models can only use local user accounts for storing usernames and passwords. Active Directory is used to create client-server networks where domains are used to organize network resources. On these networks, user account information is stored in a centralized database on a network server. Azure AD is similar to Active Directory, but the domain is hosted on Microsoft servers in the cloud. This is where user account information would also be stored.

6.5.14 Create Global Groups Lab

You are the IT Administrator for the CorpNet.local domain. You are in the process of implementing a group strategy for your network. You have decided to create global groups as shadow groups for specific departments in your organization. Each global group will contain all users in the corresponding department. In this lab, your task is to: > Create the following global security groups on the CorpDC server in their corresponding OUs: | OU Creation Location | New Group Name | > Add all user accounts in the corresponding OUs and sub-OUs as members of the newly created groups. Complete this lab as follows: 1. Access Active Directory Users and Computers on the CorpDC server. a. From Hyper-V Manager, select CORPSERVER. b. From the Virtual Machines pane, double-click CorpDC. c. From Server Manager's menu bar, select Tools > Active Directory Users and Computers. d. Maximize the window for better viewing. e. From the left pane, expand CorpNet.local. 2. Create the groups. a. Right-click the OU where the new group is to be added and select New > Group. b. In the Group name field, enter the name of the group. c. Make sure the Global Group scope is selected. d. Make sure the Security Group type is selected. e. Click OK. 3. Add users to groups. a. In the right pane, right-click the user account(s) and select Add to a group. (Use the Ctrl or Shift keys to select and add multiple user accounts to a group at one time.) b. In the Enter the object names to select field, enter the name of the group. c. Select Check Names and verify that the object name was found. d. Click OK to accept the groups added. e. Click OK to acknowledge the change. f. If a sub-OU with users exists, double-click the sub-OU and then repeat step 3. Do this for each sub-group. 4. Repeat steps 2 - 3 for additional groups and users.

6.5.6 Delete OUs Lab

You are the IT administrator for a corporate network. You have just installed Active Directory on a new Hyper-V guest server named CorpDC. You have created an Active Directory structure based on the company's departmental structure. While creating the structure, you added a Workstations OU in each of the departmental OUs. After further thought, you decide to use one Workstations OU for the entire company. As a result, you need to delete the departmental Workstations OUs. In this lab, your task is to delete the following OUs on CorpDC: > Within the Marketing OU, delete the Workstations OU. > Within the Research-Dev OU, delete the Workstations OU. > Within the Sales OU, delete the Workstations OU. Complete this lab as follows: 1. Access the CorpDC server. a. From Hyper-V Manager, select CORPSERVER. b. From the Virtual Machines pane, double-click CorpDC. 2. Delete the applicable OUs. a. From Server Manager, select Tools > Active Directory Users and Computers. b. Select View > Advanced Features. *This enables the Advanced Features view, which exposes the setting that protects the OU from accidental deletion so you can clear it. c. From the left pane, expand CorpNet.local > the parent OU. d. Right-click the OU that needs to be deleted and then select Properties. e. Select the Object tab. f. Clear Protect object from accidental deletion and then select OK. g. Right-click the OU to be deleted and then click Delete. h. Click Yes to confirm the OU's deletion. i. Repeat steps 2c - 2h to delete the remaining OUs. 3. From the Active Directory Users and Computers menu bar, select View > Advanced Features to turn off the Advanced Features view.

6.6.8 Enforce User Account Control Lab

You are the IT administrator for a small corporate network. The company has a single Active Directory domain named CorpNet.xyz. You need to increase the domain's authentication security. You need to make sure that User Account Control (UAC) settings are consistent throughout the domain and in accordance with industry recommendations. In this lab, your task is to configure the following UAC settings in the Default Domain Policy on CorpDC as follows: | User Account Control | Setting | *User Account Control policies are set in a GPO linked to the domain. In this scenario, edit the Default Domain Policy and configure settings in the following path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Complete this lab as follows: 1. On CorpDC, access the CorpNet.local domain for Group Policy Management. a. From Hyper-V Manager, select CORPSERVER. b. Double-click CorpDC. c. From Server Manager, select Tools > Group Policy Management. d. Maximize the window for easy viewing. e. Expand Forest: CorpNet.local > Domains > CorpNet.local. 2. Configure the UAC settings. a. Right-click Default Domain Policy and select Edit. b. Maximize the window for easier viewing. c. Under Computer Configuration, expand and select Policies > Windows Settings > Security Settings > Local Policies > Security Options. d. From the right pane, double-click the policy you want to edit. e. Select Define this policy setting. f. Select Enable or Disable as necessary. g. Edit the value for the policy as needed and then click OK. h. Repeat steps 2d-2g for each policy setting.

6.5.5 Create OUs Lab

You are the IT administrator for a small corporate network. You have just installed Active Directory on a new Hyper-V guest server named CorpDC. Now you need to create an Active Directory organizational unit (OU) structure based on the company's departmental structure. In this lab, your task is to create the following organizational units (OUs) on the CorpDC server and ensure that each is protected from accidental deletion as follows: > Beneath the CorpNet.local domain, create the following OUs: - Accounting - Admins - Marketing - Research-Dev - Servers - Support - Workstations - Sales > Within the Sales OU, create the following OUs: - SalesManagers - TempSales Complete this lab as follows: 1. Access the CorpDC server. a. From the left pane of Hyper-V Manager, select CORPSERVER. b. From the Virtual Machines pane, double-click CorpDC. 2. Create the Active Directory organizational units (OUs) beneath the CorpNet.local domain. a. From Server Manager's menu bar, select Tools > Active Directory Users and Computers. b. From the left pane, right-click CorpNet.local and then select New > Organizational Unit. *You can also create OUs by selecting the Create a new organizational unit in the current container icon located in the Active Directory Users and Computers ribbon. c. Enter the name of the OU to be created. d. Ensure that Protect container from accidental deletion is selected and then select OK. e. Repeat steps 2b - 2d until all the required domain OUs are created. 3. Create the OUs within the Sales OU. a. From the left pane, select CorpNet.local > Sales. b. From the menu bar, select the Create a new organizational unit in the current container icon. c. Enter the name of the OU to be created. d. Ensure that Protect container from accidental deletion is selected and then select OK. e. Repeat steps 3a - 3d to create the remaining OU.

6.5.12 Manage User Accounts Lab

You are the IT administrator for a small corporate network. You recently added an Active Directory domain on the CorpDC server to manage network resources centrally. Organizational units in the domain represent departments. User and computer accounts are in their respective departmental OUs. Over the past few days, several personnel changes have occurred that require changes to user accounts. In this lab, your task is to use the following information to make the necessary user account changes on CorpDC: > Mary Barnes from the Accounting Department has forgotten her password, and now her account is locked. - Unlock the account. - Reset the password to asdf1234$. - Require a password change at the next logon. > Mark Woods has been fired from the accounting department. Disable his account. > Pat Benton is returning to the Research-Dev department from maternity leave. Her account is disabled to prevent logon. Enable her account. > Andrea Simmons from the Research-Dev department has recently married. - Rename the account Andrea Socko. - Change the last name to Socko. - Change the display name to Andrea Socko. - Change the user logon and the pre-Windows 2000 user logon name to asocko. > For all users in the Support OU (but not the SupportManagers OU), allow logon only to the Support computer. Complete this lab as follows: 1. Access Active Directory Users and Computers on the CorpDC server. a. From Hyper-V Manager, select CORPSERVER. From the Virtual Machines pane, double-click CorpDC. b. From Server Manager's menu bar, select Tools > Active Directory Users and Computers. c. Maximize the window for better viewing. 2. From the left pane, expand CorpNet.local. 3. Unlock the Mary Barnes account. a. From the left pane, select Accounting. b. Right-click Mary Barnes and select Reset Password. c. In the New password field, enter asdf1234$. d. In the Confirm password field, enter asdf1234$. e. Make sure User must change password at next logon is selected. f. Make sure Unlock the user's account is selected. g. Select OK. h. Select OK to confirm the change. 4. Disable the Mark Woods account. a. From the right pane, right-click Mark Woods and select Disable Account. b. Select OK to confirm the change. 5. Enable Pat Benton's account. a. From the left pane, select Research-Dev. b. From the right pane, right-click Pat Benton and select Enable Account. c. Select OK to confirm the change. 6. Rename the Andrea Simmons account. a. Right-click Andrea Simmons and select Rename. b. Enter Andrea Socko and press Enter. This opens the Rename User dialog. c. In the Last name field, enter Socko. d. In the User logon name field, replace the old name with asocko. e. Select OK. 7. Configure user account restrictions. a. From the left pane, select Support. b. From the right pane, press Ctrl and select both the Tom Plask and Janice Rons users to edit multiple users at the same time. c. Right-click the user accounts and select Properties. d. Select the Account tab. e. Select Computer restrictions. f. Select Log On To. g. Select The following computers. h. In the Computer name field, type Support. i. Select Add. j. Select OK. k. Select OK.

6.5.11 Create User Accounts Lab

You are the IT administrator for a small corporate network. You recently added an Active Directory domain to the CorpDC server to manage network resources centrally. You now need to add user accounts in the domain. In this lab, your task is to create the following user accounts on CorpDC: | User | Job Role | Departmental OU | Use the following user account naming standards and specifications as you create each account: > Create the user account in the departmental OU corresponding to the employee's job role. > User account name: First name + Last name > Logon name: firstinitial + [email protected] > Original password: asdf1234$ (must change after the first logon) > Configure the following for the temporary sales employee: - Limit the logon hours to allow logon only from 8:00 a.m. to 5:00 p.m., Monday through Friday. - Set the user account to expire on December 31st of the current year. Complete this lab as follows: 1. Access Active Directory Users and Computers on the CorpDC server. a. From Hyper-V Manager, select CORPSERVER. b. From the Virtual Machines pane, double-click CorpDC. c. From Server Manager's menu bar, select Tools > Active Directory Users and Computers. d. Maximize the window for better viewing. 2. Create the domain user accounts. a. From the left pane, expand CorpNet.local. b. Browse to the appropriate OU. c. Right-click the OU and select New > User. d. In the First name field, enter the user's first name. e. In the Last name field, enter the user's last name. f. In the User logon name field, enter the user's logon name (use firstinitial + [email protected]). g. Select Next. h. In the Password field, enter asdf1234$. i. In the Confirm password field, enter asdf1234$. j. Make sure User must change password at next logon is selected and then click Next. k. Select Finish to create the object. l. Repeat steps 3e-3m to create the additional users. 3. Modify user account restrictions for the temporary sales employee. a. Right-click Borey Chan and select Properties. b. Select the Account tab. c. Select Logon hours. d. From the Logon Hours dialog, select Logon Denied to clear the allowed logon hours. e. Select the time range of 8:00 a.m. to 5:00 p.m., Monday through Friday. f. Select Logon Permitted to allow logon. g. Select OK. h. Under Account expires, select End of. i. In the End of field, use the drop-down calendar to select 31 December of the current year. j. Select OK.

6.5.13 Create a Group Lab

You are the IT administrator for the CorpNet domain. You have decided to use groups to simplify the administration of access control lists. Specifically, you want to create a group containing the department managers. In this lab, your task is to use Active Directory Users and Computers to complete the following actions on the CorpDC server: > In the Users container, create a group named Managers. Configure the group as follows: - Group scope: Global - Group type: Security > Make the following users members of the Managers group: | Organization Unit | Username | Complete this lab as follows: 1. Access Active Directory Users and Computers on the CorpDC server. a. From Hyper-V Manager, select CORPSERVER. b. From the Virtual Machines pane, double-click CorpDC. c. From Server Manager's menu bar, select Tools > Active Directory Users and Computers. d. Maximize the window for better viewing. 2. In the Users container, create a group named Managers. a. From the left pane, expand and select CorpNet.local > Users. b. Right-click the Users container and select New > Group. *You can also create a new group by selecting the Create a new group in the current container icon found in the ribbon. c. In the Group name field, enter Managers. *A pre-Windows 2000 group name is created automatically, but it can be changed. d. Under Group scope, make sure Global is selected. e. Under Group type, make sure Security is selected and select OK. 3. Add user accounts to the Managers group. a. From the left pane, ensure that the Users container is still selected. b. From the right pane, right-click Managers and select Properties. c. Select the Members tab. d. Select Add. e. In the Enter the object names to select field, enter all the usernames. Use a semicolon to separate each name. *Example: Steve Hoffer; Peter Williams; Princess Diana f. Select Check Names. g. Select OK to add the users and close the dialog. h. Select OK to close the Managers Properties dialog. *You can also add individual users to a group by right-clicking the user and selecting Add to a group.

6.10.6 Configure Kerberos Policy Settings Lab

You are the IT security administrator for a small corporate network that has a single Active Directory domain named CorpNet.local. You are working on increasing the authentication security of the domain.
In this lab, your task is to configure the Kerberos policy settings in the Default Domain Policy using Group Policy Management with the following settings:
| Security Setting | Value |
Complete this lab as follows:
1. Access the CorpNet.local Default Domain Policy.
a. From Server Manager, select Tools > Group Policy Management.
b. Maximize the window for better viewing.
c. Expand Forest: CorpNet.local > Domains > CorpNet.local.
2. Edit the Default Domain Policy to configure the Kerberos policy for computer configurations.
a. Right-click Default Domain Policy and then select Edit.
b. Maximize the window for better viewing.
c. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Account Policies.
d. Select Kerberos Policy.
e. From the right pane, double-click the policy you want to edit.
f. Configure the policy setting and then select OK.
g. Repeat steps 2e-2f for each policy setting.

6.6.6 Restrict Local Accounts Lab

You are the IT security administrator for a small corporate network. You are working to increase the authentication security of the domain. You need to make sure that only authorized users have administrative rights to all local machines. Local users and groups can be controlled through a GPO linked to the domain.
In this lab, your task is to edit the Default Domain Policy and configure the Local Users and Groups policy settings as follows:
> Create a policy to update the built-in Administrator local group.
> Delete all member users.
> Delete all member groups.
> Add BUILTIN\Administrator to the group.
> Add %DOMAINNAME%\Domain Admins to the group.
*The policy you create should remove all members of the built-in Administrators group and then add only the members specified. Use BUILTIN\Administrator and %DOMAINNAME%\Domain Admins in the policy to indicate which accounts to add.
Complete this lab as follows:
1. Access the CorpNet.local domain under Group Policy Management.
a. From Server Manager, select Tools > Group Policy Management.
b. Maximize the window for better viewing.
c. Expand Forest: CorpNet.local > Domains > CorpNet.local.
2. Create a policy to update the built-in Administrator local group.
a. Right-click Default Domain Policy and select Edit.
b. Maximize the window for better viewing.
c. Under Computer Configuration, expand Preferences > Control Panel Settings.
d. Right-click Local Users and Groups and select New > Local Group.
e. Using the Group name drop-down, select Administrators (built-in).
f. Select Delete all member users to remove all member users.
g. Select Delete all member groups to remove all member groups.
h. Select Add.
i. In the Name field, enter BUILTIN\Administrator and then select OK.
j. Select Add.
k. In the Name field, enter %DOMAINNAME%\Domain Admins and then select OK.
l. Select OK to save the policy.

6.5.10 Create and Link a GPO Lab

You are the IT security administrator for a small corporate network. You would like to use Group Policy to enforce settings for certain workstations on your network. You have prepared and tested a security template file that contains policies that meet your company's requirements.
In this lab, your task is to perform the following on CorpDC:
> Create a GPO named Workstation Settings in the CorpNet.local domain.
> Link the Workstation Settings GPO to the following organizational units (OUs):
- Marketing > TempMarketing
- Sales > TempSales
- Support
> Import the ws_sec.inf template file, located in C:\Templates, to the Workstation Settings Group Policy object.
Complete this lab as follows:
1. Access the CorpNet.local domain.
a. From Server Manager, select Tools > Group Policy Management.
b. Expand Forest: CorpNet.local > Domains > CorpNet.local.
c. Maximize the window for better viewing.
2. Create the Workstation Settings GPO and link it to the CorpNet.local domain.
a. Right-click the Group Policy Objects OU and select New.
b. In the Name field, enter Workstation Settings and then click OK.
3. Link OUs to the Workstation Settings GPO.
a. Right-click the OU and select Link an Existing GPO.
b. Under Group Policy Objects, select Workstation Settings from the list and then click OK.
c. Repeat steps 3a-3b to link the additional OUs.
4. Import the ws_sec.inf security policy template.
a. Expand Group Policy Objects.
b. Right-click Workstation Settings and select Edit.
c. Under Computer Configuration, expand Policies > Windows Settings.
d. Right-click Security Settings and select Import Policy.
e. Browse to C:\Templates.
f. Select ws_sec.inf and then click Open.

6.6.4 Configure Account Password Policies Lab

You have been asked to perform administrative tasks for a computer that is not a member of a domain. To increase security and prevent unauthorized access to the computer, you need to configure specific password and account lockout policies.
In this lab, your task is to use the Local Security Policy to configure the following password and account lockout policies:
> Configure password settings so that the user must:
- Cycle through 10 passwords before reusing an old one.
- Change the password every 90 days.
- Keep the password at least 14 days.
- Create a password at least eight characters long.
- Create a password that meets complexity requirements, such as using uppercase letters, lowercase letters, numbers, or symbols.
> Configure the account lockout policy to:
- Lock out any user who enters five incorrect passwords.
- Unlock an account automatically after 60 minutes.
- Configure the number of minutes that must elapse after a failed logon attempt to 10 minutes.
Complete this lab as follows:
1. Using Windows Administrative Tools, access the Local Security Policy.
a. Select Start.
b. Locate and expand Windows Administrative Tools.
c. Select Local Security Policy.
d. Maximize the window for easier viewing.
2. Configure the password policies.
a. From the left pane, expand Account Policies and then select Password Policy.
b. From the center pane, expand the Policy column.
c. Double-click the policy to be configured.
d. Configure the policy settings.
e. Click OK.
f. Repeat steps 2c-2e to configure the additional password policies.
3. Configure the account lockout policies.
a. From the left pane, select Account Lockout Policy.
b. From the center pane, expand the Policy column.
c. Double-click the policy to be configured.
d. Configure the policy settings (if needed, answer any prompts shown).
e. Click OK.
f. Repeat steps 3c-3e to configure the additional lockout policies.

6.7.7 Change Your Password Lab

You use a special user account called Administrator to log on to your computer. However, you think someone has learned your password. You are logged on as Administrator.
In this lab, your task is to change your password to r8ting4str. The current Administrator account uses 7hevn9jan as the password. As you type in the password, the cursor will not move. Continue entering the password anyway.
Complete this lab as follows:
1. Change your password.
a. At the prompt, type passwd and press Enter.
b. When prompted, enter 7hevn9jan and press Enter. This is the current password.
c. At the New password prompt, enter r8ting4str and press Enter.
d. Retype r8ting4str as the new password and press Enter.

6.6.11 Configure Smart Card Authentication Lab

You work as the IT administrator for a growing corporate network. The Research and Development Department is working on product enhancements. Last year, some secret product plans were compromised. As a result, the company decided to implement smart cards for logon to every computer in the Research and Development Department. No user should be able to log on to the workstation without using a smart card.
In this lab, your task is to perform the following on CorpDC:
> Enforce the existing Research-DevGPO linked to the Research-Dev OU.
> Edit the Research-DevGPO and configure the following local security setting policies located in the Computer Configuration section:
| Policy | Setting |
*Certificate auto-enrollment has already been enabled for the domain.
Complete this lab as follows:
1. Access the CorpDC server.
a. In Hyper-V Manager, select CORPSERVER.
b. Double-click CorpDC.
2. Enforce the existing Research-DevGPO.
a. From Server Manager, select Tools > Group Policy Management.
b. Maximize the window for better viewing.
c. From the left pane, expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects.
d. From the left pane, select the Research-DevGPO.
e. From the Scope tab under Links, right-click Research-Dev and then select Enforced.
3. Edit Research-DevGPO policies.
a. From the left pane, right-click Research-DevGPO and then select Edit.
b. Maximize the window for better viewing.
c. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies.
d. Select Security Options.
e. From the right pane, double-click the policy and select Properties.
f. Select Define this policy setting.
g. Select additional parameters to configure the policy setting.
h. Select OK.
i. Repeat steps 3e-3h to configure the additional policy setting.

6.6.7 Secure Default Accounts Lab

You work as the IT security administrator for a small corporate network. You are improving office computers' security by renaming and disabling default computer accounts.
In this lab, your task is to perform the following on the Office1 computer:
> Rename the Administrator account to Yoda.
> Disable the Guest account.
> Verify that Password never expires is not selected for any local users. This forces them to change their passwords regularly.
> Delete any user accounts with User must change password at next logon selected. This indicates that a user has never logged in.
Complete this lab as follows:
1. Access the computer's Computer Management tool.
a. Right-click Start and select Computer Management.
b. Under System Tools, expand Local Users and Groups.
c. Select Users.
2. Rename the Administrator account.
a. From the center pane, right-click Administrator and select Rename.
b. Enter Yoda and press Enter.
3. Disable the Guest account.
a. Right-click Guest and select Properties.
b. Select Account is disabled and click OK.
4. Remove the Password never expires option if it is selected.
a. Right-click a user and select Properties.
b. Deselect Password never expires (if selected) and then select OK.
c. Repeat steps 4a-4b for each user.
5. Delete any unused accounts.
a. Right-click the user that has User must change password at next logon selected and select Delete.
b. Click Yes to confirm deletion of the account.

You have a group named Research on your system that needs a new password because a member of the group has left the company. Which of the following commands should you use?

gpasswd Research Use gpasswd Research to be prompted to enter a new password for the Research group. Group names are case-sensitive, so gpasswd research won't change the password for the Research group. The groupmod command does not have a switch that can be used to change passwords. The newpasswd option is not a valid Linux command.

Which of the following commands creates a new group and defines the group password?

groupadd -p The groupadd -p command creates a new group while defining the group password. The groupadd -g command creates a new group while defining the GID. The groupadd -r command creates a new system group. The groupadd -c command is not a valid command.

You are the administrator for a small company, and you need to add a new group of users to the system. The group's name is sales. Which command accomplishes this task?

groupadd sales Use the groupadd utility to add a group to the system. By default, the group is added with an incrementing number above those reserved for system accounts. If you use the -r option, the account is added as a system account (with a reserved group id number). Because this is a group that is created for users, the -r option should not be used.

You have a group named temp_sales on your system. The group is no longer needed, so you should remove it. Which of the following commands should you use?

groupdel temp_sales Use groupdel to delete a group from a Linux system. The newgroup command logs the user into a group with the group password, but this command does not contain a -R option. The groupmod command modifies the existing group. Be aware of the following options: -A adds specified users to the group (SUSE distribution). -R removes specified users from the group (SUSE distribution). -n changes the name of a group.

You want to see which primary and secondary groups the dredford user belongs to. Enter the command you would use to display group memberships for dredford.

groups dredford To display the primary and secondary group membership for a specified user account, use the groups command. In this case, you would enter: groups dredford

Which of the following commands is used to change the current group ID during a login session?

newgrp The newgrp command is used to change the current group ID during a login session. If the optional - flag is given, the user's environment is reinitialized as though the user had logged in. Otherwise, the current environment (including the current working directory) remains unchanged. You can use this when working in a directory in which all the files must have the same group ownership. The usermod command modifies group membership for a user account. The groups command displays the primary and secondary group membership for the specified user account. The groupmod command modifies the existing group.

Which of the following utilities could you use to lock a user account? (Select two.)

passwd usermod Use the following utilities to lock a user account: > passwd -l disables (locks) an account. This command inserts !! before the password in the /etc/shadow file. > usermod -L disables (locks) an account. This command inserts ! before the password in the /etc/shadow file. The useradd command creates new user accounts, and userdel deletes user accounts from the system. The ulimit command is used to limit computer resources.

You suspect that the gshant user account is locked. Enter the command you would use in Command Prompt to show the status of the user account.

passwd -S gshant Use passwd -S gshant to display the status of the gshant user account. > LK indicates that the user account is locked. > PS indicates that the user account has a password. Viewing the /etc/shadow file also displays whether the user account is disabled. The second field for each entry in the /etc/shadow file is the password field: > $ preceding the password identifies the password as an encrypted entry. > ! or !! indicates the account is locked and cannot be used to log in. > * indicates a system account entry, which cannot be used to log in.

Which of the following commands would you use to view the current soft limits on a Linux machine?

ulimit -a The ulimit -a command displays the current limits. The default shows soft limits. The ulimit -c command limits the size of a core dump file. The ulimit -n command limits the maximum number of files that can be open. The ulimit -u command limits the number of concurrent processes a user can run.

An employee named Bob Smith, whose username is bsmith, has left the company. You have been instructed to delete his user account and home directory. Which of the following commands would produce the required outcome? (Select two.)

userdel bsmith;rm -rf /home/bsmith userdel -r bsmith The userdel -r command deletes both the user account and the user's home directory. The userdel command by itself deletes the user account but not the user's home directory. Executing rm -rf on the user's home directory after executing userdel removes the home directory. The userdel -h command displays the syntax and options for the userdel command.

Which of the following commands removes a user from all secondary group memberships?

usermod -G "" usermod -G "" removes the user from all secondary group memberships. Do not include a space between the quotes. usermod -g assigns a user to a primary group. usermod -G assigns a user to a secondary group. usermod -aG assigns a user to a secondary group (or groups) by appending the group to any which the user already belongs to. Follow the command with a comma-separated list of groups.

You have performed an audit and found an active account for an employee with the username joer. This user no longer works for the company. Which command can you use to disable this account?

usermod -L joer Use usermod -L joer to lock the user's password. Doing so disables the account. The usermod -l joer command changes the account's login name. The -d flag is used for changing the account's home directory. The -u flag is used for changing the account's numeric ID.

Which of the following commands assigns a user to a primary group?

usermod -g The usermod -g command assigns a user to a primary group. The usermod -G command assigns a user to a secondary group. The groupadd -g command creates a new group while defining the GID. The groupadd -r command creates a new system group.

One of your users, Karen Scott, has recently married and is now Karen Jones. She has requested that her username be changed from kscott to kjones with no other values changed. Which of the following commands would accomplish this?

usermod -l kjones kscott Use the usermod command to modify user settings. Use the -l flag to signal a change to the username. The correct syntax requires the new username value be given, followed by the old username. The -u flag changes the UID number.
