4.4 Given a scenario, differentiate common account management practices. Flashcards

1
Q

Account Types

A

When controlling access to resources, you typically should start by defining user accounts for each individual within your organization. It is important to know that there are different reasons to have user accounts, and as a result, there are different types of account.

2
Q

Account Types - User Account

A

Each employee within your organization should have a separate user account assigned to them that they use to access the network and systems. This user account should not be used by anyone else, as it represents that specific user and controls what resources the employee will have access to. You will also monitor employee activities by logging what actions the user account performs, so stress to employees not to share the password for their account.

3
Q

Account Types - Shared and Generic Accounts/Credentials

A

From time to time you may consider creating an account that is shared by multiple employees because they share the same job role.

For example, Sue is the accounting clerk in the morning, while in the afternoon Bob is the accounting clerk. Instead of creating multiple accounts, you may consider creating a shared account called AccountingClerk and have each employee use that account. Keep in mind, however, from a security point of view, security professionals try to avoid having multiple employees share an account.

For purposes of monitoring and auditing, being able to log which actions Bob performed and which actions Sue performed is highly preferred. Having an entry in your logs that states AccountingClerk deleted a file does not help you determine who performed the action. Beware of shared or generic accounts!

4
Q

Account Types - Guest Accounts

A

A guest account is an account that can be used to access a system if a person does not have an account. This allows an individual to gain temporary access to a resource without requiring you to create an account for them. Most operating systems have a guest account, but it is disabled by default, which means if someone wants to access the system, they require that an account be created for them. It is a security best practice to keep the guest account disabled.

5
Q

Account Types - Service Accounts

A

Secure operating systems such as Windows and Linux require that everything authenticates to the system, whether it is a user or a piece of software. When software runs on the system, it needs to run as a specific user so that the software can be assigned permissions. The user account that you associate with a piece of software is known as a service account because it is a feature that is used by services running within the operating systems as well. When creating a service account (the user account that the software application will be configured to use), you typically configure the service account with a strong password and specify that the password never expires.

Ensure that the service account does not have administrative capabilities, because otherwise if the service were compromised by an attack such as a buffer overflow attack, the attacker would have the same credentials as the account associated with the service.

6
Q

Account Types - Privileged Accounts

A

A privileged account is an account that has extra permissions outside of what is assigned to a typical user. Privileged accounts typically are authorized to make configuration changes to a system or perform an action not normally performed by a regular employee.

7
Q

General Concepts

A

.

8
Q

General Concepts - Least Privilege

A

The first principle of security that you should always follow when giving users and network administrators access to resources such as systems or files is the concept of least privilege. Least privilege means that you give a user only the minimum level of permissions needed to perform their tasks or duties. You do not want to give more permissions than needed because then the user or administrator can do more than what is expected with the resource.

For example, if Bob is responsible for doing the backups of a Windows server, you do not want to place him in the Administrators group because he would have the capability to do more than backups—he could make any change to the system he wants. In this example, you want to place him in the Backup Operator group so that his scope is limited to performing backups.

Another example involves file permissions. If a user only needs to be able to read the contents of a file, be sure to give them just the read permission and no more, because otherwise, they could accidentally delete content out of the file. If this were to happen, who do you think would be at fault—the person who deleted the content or the person who gave the privilege to delete the content?

9
Q

General Concepts - Onboarding/Offboarding

A

Onboarding refers to the interview and orientation process new hires go through and includes all of the steps right from the candidate selection process for the job. Once an employee is hired, the onboarding process should continue with ensuring the employee has an account and has access to all resources needed for the job. The onboarding process should also include training for the specific job role so that the employee is geared for success within your organization from the start.

Offboarding is the process that needs to be followed when an employee leaves the organization. This includes an exit interview, reminding them of the nondisclosure agreement (NDA) they signed when they were hired (if applicable), disabling their account, and collecting any assets of the organization they may have.

In a different context:
When allowing personal devices that need access to your systems and network, you will need to ensure that you have procedures in place for adding those personal devices to the identity and access management system (IAM). This system is used to identify persons or devices outside the company and to control access to the system. The process of adding the new device to the system is known as onboarding while removing a device from the system is known as offboarding.

10
Q

General Concepts - Permission Auditing and Review

A

Permission auditing and reviews involve continuous monitoring of the permissions configured on the different assets within the organization.

11
Q

General Concepts - Usage Auditing and Review

A

Usage auditing and reviews determine, on a regular basis, what users are doing on the systems and in software applications.

12
Q

General Concepts - Time-of-day Restrictions

A

Another example of a restriction that can be placed on a user account is a time-of-day restriction for account logons. Most environments allow you to specify, as a property of the user account, the hours during which the employee is allowed to be logged on to the system. The benefit of this is that you can ensure the employee is not accessing network resources after hours.

13
Q

General Concepts - Recertification

A

Accounts go through a certification process to determine if they are required. Recertification is the process of reevaluating on a regular basis whether user accounts are still needed.

For example, you may have a recertification policy that states that accounts must be recertified every 90 days. If the account is deemed unnecessary, or if the owner of the account does not respond to the recertification request, the account is suspended.

14
Q

General Concepts - Standard Naming Convention

A

When it comes to user accounts, be sure to create a standard naming convention for your accounts. Some companies go with firstname.lastname as the username convention, such as glen.clarke, while others use lastname plus first initial, such as clarkeg, or some other convention. Having a standard naming convention can help you detect rogue accounts if they are created without following the organization’s naming convention. The same applies to computer accounts—be sure to have a naming convention in place for workstations and servers.

15
Q

General Concepts - Account Maintenance

A

Perform regular account maintenance, such as ensuring that users change their password regularly, backing up user home folders, and disabling unnecessary accounts on a regular basis. These could be accounts of users who have left the organization or have gone on leave.

16
Q

General Concepts - Group-based Access Control

A

Group-based access control (GBAC) is when the security of the environment is based on the groups the user is a member of.

For example, you could have application code that checks to see if a user is in the Finance group before allowing that user to call the Deposit method:

@GroupsAllowed("Finance")
public void Deposit() {
   // Only Finance group can call this method
   // Code placed here
}
17
Q

General Concepts - Location-based Policies

A

Location-based policies are rules that control access to a resource based on the user’s location. Access control systems determine a location based on the GPS coordinates or cell tower proximity of the user’s mobile device that is connected to a mobile network. The administrator builds location-based access control rules that determine whether access should be granted or not.

18
Q

Account Policy Enforcement

A

.

19
Q

Account Policy Enforcement - Credential Management

A

Ensure that you have a central credential management tool and a policy surrounding how frequently users must change passwords.

20
Q

Account Policy Enforcement - Group Policy

A

Group policies should be used to deploy security settings to all the servers and clients on the network.

21
Q

Account Policy Enforcement - Password Complexity

A

Ensure you are using complex passwords for any accounts on systems and for network access. These passwords are harder to crack than noncomplex passwords.

22
Q

Account Policy Enforcement - Expiration

A

Overview:
Ensure that passwords expire after a period of time and that users must set new passwords. Also, make sure you set the expiration date of any temporary user accounts that are created.

Example:
You can also implement account expiration with the account if the account is for a temporary employee. For example, an accounting firm may decide to hire a new temporary accountant for the tax season, but when tax season is over the employee is let go. When creating this account on your network, be sure to set the account expiration date so that when the day of departure arrives, the account is no longer valid.

23
Q

Account Policy Enforcement - Recovery

A

Ensure that you are able to recover any accounts that are deleted and can reset any passwords that are forgotten.

24
Q

Account Policy Enforcement - Disablement

A

It is important as a security professional that you stress to the network administrators that unused accounts should be disabled so that they cannot be used. This will help protect the account from unauthorized use by employees or even hackers. Be sure to disable accounts when employees go on leave, are suspended from duty, or are terminated.

25
Q

Account Policy Enforcement - Lockout

A

It is critical when implementing restrictions on your user accounts that you look at implementing an account lockout policy. An account lockout policy specifies that after a certain number of failed logon attempts, the account will be locked so it cannot be used. In the policy, you also specify how long the account is locked: you can set a time in minutes or specify that the account stays locked until the administrator unlocks it.

26
Q

Account Policy Enforcement - Password History

A

An important password setting to configure is the password history option—ensure that your systems are preventing users from using the same passwords by keeping previous passwords in a history.

27
Q

Account Policy Enforcement - Password Reuse

A

Determine what your organization’s policy is on reusing passwords and be sure to configure the password history to enforce that policy.

28
Q

Account Policy Enforcement - Password Length

A

Most organizations require a minimum password length of eight characters.