4: 4 Account Management Flashcards
Accounts Management
Implement least privilege, separation of duty, job rotation, and account lifecycle
Principle of least privilege
Minimum necessary permissions to perform duties
Separation of Duties
Sensitive functions should require action by two separate users
Job Rotation
Regularly move people between jobs to prevent fraud
Mandatory Vacation
Enforce periods of time when an employee has no access to systems, to ensure some frauds can come to light
Account Management Lifecycle
Provisioning new user access + entitlements, modifying entitlements when needed, reviewing access when needed, removing access, and deprovisioning.
User Account
Standard permissions and standard monitoring
Privileged accounts
Have administrative rights, require strong controls including logging every action
Guest accounts
Have limited permissions and temporary lifetimes
Shared accounts
Reduce accountability; should not be used.
Service Accounts
Provide access for internal server processes; the password shouldn't be known by anyone.
GPO
Group Policy Object - applies configuration settings to users and computers
Password policy
Using requirements to ensure passwords are resistant to attacks - length requirements, different character types, password history/reuse requirements
Lockout Policy
Locks out accounts after a number of incorrect login attempts
Password recovery methods
Allow users to reset passwords on a self-service basis, to alleviate the burden on help desks.
Inaccurate Permissions
Block work capabilities or violate least privilege
How do you protect against inaccurate permissions?
User Account Audit - pull list of permissions and review with managers, then make necessary adjustments
How do you protect against unauthorized use?
Use continuous account monitoring systems that watch for suspicious activities (impossible travel time logins, unusual network location logins, deviations in behavior/amount of data sent)
Geotagging
Tags logs with user location
Geofencing
Alerts administrators to devices leaving defined boundaries
Password Vaulting
Stores administrative passwords, so nobody knows the actual passwords of the privileged account
Command Proxying
Eliminates the need for direct server access by sending commands that are validated for authority
Emergency Access Workflow
Used when a user needs to bypass the privileged account manager; requires approval, logging of access, and changing the password afterward.
Provisioning
After onboarding an individual, creating authentication credentials and providing appropriate authorizations.
Deprovisioning
Remove credentials and authorizations at the appropriate time.
Routine Workflow
Disables accounts on a scheduled basis for planned departures