3.7 Implement identity & account management

Question 1

Identity controls: what is an IdP ?

Answer 1

Identity Provider. It’s a service that can vouch (se porte garant) for you: Authentication as a Service

Question 2

Identity controls: why is an IdP can be used ?

Answer 2

Commonly used by SSO applications or authentication process in cloud-based services

Question 3

Identity controls: what are the standard authentication methods of an IdP ?

Answer 3

SAML, OAuth, OpenID

Question 4

Identity controls: how IdP know a person identity ?

Answer 4

Thanks to certains attributes

Question 5

Identity controls: what is an attribute?

Answer 5

An identifier or property of an identity. It can be:
- personal attributes: name, email, phone, employee ID
- other attributes: department name, job title etc

1 or more attributes can be use for identification

Question 6

Identity controls: can public key cryptography can be use for identity?

Answer 6

Yes through the use of digital certificate

Question 7

Identity controls: what is a digital certificate ?

Answer 7

Digital certificate are assigned to a person/ device and allows to confirm that the owner of that certificate is someone that we can trust.
It requires an existing PKI to work

Question 8

Identity contols: how to authenticate to ssh ?

Answer 8

Use username+ password OR use public/private keys to authenticate

Question 9

Identity contols: is management of ssh key important ?

Answer 9

Yes

Question 10

Identity contols: how to create a public/ private key pair for ssh ?

Answer 10

1/ Use ssh-keygen command on linux to generate a key pair
2/ Copy the public key to the SSH server using: ssh-copy-id user@host
3/ Once copied use ssh user@host to connect to the serve (no password needed)

Question 11

Account types: what are the different types of accounts ?

Answer 11

• user account
• shared & generaic accounts
• service accounts
• privileged accounts

Question 12

Account types: what is a shared account ?

Answer 12

An account that is used by more than 1 user using no credentials

Question 13

Account types: what is the security issue w/ shared account ?

Answer 13

Very difficult to create an audit trail:
- there is no way to know exactly who was working
- it’s difficult to determine the proper privileges
- no password management

Question 14

Account types: what is a guest account ?

Answer 14

Access to a computer for guest with very limited access to settings, application etc. There is usually no password

Question 15

Account types: what is the security issue w/ guest account ?

Answer 15

Someone can escalate privilege to get full access to system. So guest account must be controlled

Question 16

Account types: what is a service account ?

Answer 16

Used exclusively by services running on a computer such as web server, database server etc
Access can be defined for a specific service (eg. web server right & permission)

Question 17

Account types: what is a privilege account ?

Answer 17

Admin (Windows) or root (Linux) account that have complete access to the system. They are often used to manage hardware, drivers and software.
Needs to be very secure: strong password + MFA

Question 18

Account policies: what are the differents policies that needs to be set up for an account ?

Answer 18

• Access to an account
• Authentication process
• Permission after login
• Paswword complexity & length
• Account lockout & disablement policy
• Location-based policies

Question 19

Account policies: what is password entropy ?

Answer 19

A way to measure how unpredictable a password might be: no single words, no obvious password, mix letters & nb