3.7 Given a scenario, implement identity and account management controls Flashcards
What is an identity provider (IdP)?
The identity provider is the service that provisions the user account and processes authentication requests. On a private network, these identity directories and application authorization services can be operated locally. The same site operates both identity provision and application provision. Most networks now make use of third-party cloud services, however. In this scenario, various protocols and frameworks are available to implement federated identity management across web-based services. This means that a user can create a digital identity with one provider, but other sites can use that identity to authorize use of an application.
What does least privilege mean?
Least privilege means that a user is granted sufficient rights to perform his or her job and no more. This mitigates risk if the account should be compromised and fall under the control of a threat actor. Authorization creep refers to a situation where a user acquires more and more rights, either directly or by being added to security groups and roles. Least privilege should be ensured by closely analyzing business workflows to assess what privileges are required and by performing regular account audits.
What is a default account?
A default account is one that is created by the operating system or application when it is installed. The default account has every permission available. In Windows, this account is called Administrator; in Linux, it is called root. This type of account is also referred to as a superuser.
What is a good practice for generic administrator account management?
Superuser accounts directly contradict the principles of least privilege and separation of duties. Consequently, superuser accounts should be prohibited from logging on in normal circumstances. The default superuser account should be restricted to disaster recovery operations only. In Windows, the account is usually disabled by default and can be further restricted using group policy (docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-h--securing-local-administrator-accounts-and-groups). The first user account created during setup has superuser permissions, however.
What is a guest account?
A guest account is a special type of shared account with no password. It allows anonymous and unauthenticated access to a resource. The Windows OS creates guest user and group accounts when installed, but the guest user account is disabled by default. Guest accounts are also created when installing web services, as most web servers allow unauthenticated access.
What is a service account?
Service accounts are used by scheduled processes and application server software, such as databases. Windows has several default service account types. These do not accept user interactive logons but can be used to run processes and background services:
System—has the most privileges of any Windows account. The local system account creates the host processes that start Windows before the user logs on. Any process created using the system account will have full privileges over the local computer.
Local Service—has the same privileges as the standard user account. It can only access network resources as an anonymous user.
Network Service—has the same privileges as the standard user account but can present the computer’s account credentials when accessing network resources.
What are account attributes?
A user account is defined by a unique security identifier (SID), a name, and a credential. Each account is associated with a profile. The profile can be defined with custom identity attributes describing the user, such as a full name, email address, contact number, department, and so on. The profile may support media, such as an account picture.
As well as attributes, the profile will usually provide a location for storing user-generated data files (a home folder). The profile can also store per-account settings for software applications.
What are group policy objects?
On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.
What are two mechanisms of geolocation?
IP address—these can be associated with a map location to varying degrees of accuracy based on information published by the registrant, including name, country, region, and city. The registrant is usually the Internet service provider (ISP), so the information you receive will provide an approximate location of a host based on the ISP. If the ISP is one that serves a large or diverse geographical area, you will be less likely to pinpoint the location of the host. Software libraries, such as GeoIP (maxmind.com/en/geoip-demo), facilitate querying this data.
Location Services—these are methods used by the OS to calculate the device’s geographical position. A device with a global positioning system (GPS) sensor can report a highly accurate location when outdoors. Location services can also triangulate to cell towers, Wi-Fi hotspots, and Bluetooth signals where GPS is not supported.
What is geofencing?
Geofencing refers to accepting or rejecting access requests based on location. Geofencing can also be used for push notification to send alerts or advice to a device when a user enters a specific area. Geotagging refers to the addition of location metadata to files or devices. This is often used for asset management to ensure devices are kept in the proper location.
What are time-based restrictions?
1.) A time of day policy establishes authorized logon hours for an account.
2.) A time-based login policy establishes the maximum amount of time an account may be logged in for.
3.) An impossible travel time/risky login policy tracks the location of login events over time. If these do not meet a threshold, the account will be disabled. For example, a user logs in to an account from a device in New York. A couple of hours later, a login attempt is made from LA, but this is refused and an alert raised because it is not feasible for the user to be in both locations.
What information is gained from doing account audits?
1.) Accounting for all actions that have been performed by users. Change and version control systems depend on knowing when a file has been modified and by whom. Accounting also provides for non-repudiation (that is, a user cannot deny that they accessed or made a change to a file). The main problems are that auditing successful access attempts can quickly consume a lot of disk space, and analyzing the logs can be very time-consuming.
2.) Detecting intrusions or attempted intrusions. Here records of failure-type events are likely to be more useful, though success-type events can also be revealing if they show unusual access patterns.
What is discretionary access control?
Access control model where each resource is protected by an Access Control List (ACL) managed by the resource’s owner (or owners).
As the most flexible model, it is also the weakest because it makes centralized administration of security policies the most difficult to enforce. It is also the easiest to compromise, as it is vulnerable to insider threats and abuse of compromised accounts.
What is role-based access control?
Role-based access control (RBAC) adds an extra degree of centralized control to the DAC model. Under RBAC, a set of organizational roles are defined, and subjects allocated to those roles. Under this system, the right to modify roles is reserved to a system owner. Therefore, the system is non-discretionary, as each subject account has no right to modify the ACL of a resource, even though they may be able to change the resource in other ways. Users are said to gain rights implicitly (through being assigned to a role) rather than explicitly (being assigned the right directly).
An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.
What is the command that is used to change permissions on a file?
Read (r)—the ability to access and view the contents of a file or list the contents of a directory.
Write (w)—the ability to save changes to a file, or create, rename, and delete files in a directory (also requires execute).
Execute (x)—the ability to run a script, program, or other software file, or the ability to access a directory, execute a file from that directory, or perform a task on that directory, such as file search.
These permissions can be applied in the context of the owner user (u), a group account (g), and all other users/world (o). A permission string lists the permissions granted in each of these contexts:
chmod u=rwx,g=rx,o=rx home
The string above shows that for the directory (d), the owner has read, write, and execute permissions, while the group context and other users have read and execute permissions.
The chmod command is used to modify permissions. It can be used in symbolic mode or absolute mode. In symbolic mode, the command works as follows:
chmod g+w,o-x home