Ch3 Identity and Access Management Flashcards
Authentication is
proving you have rights to a system
Authorization is
proving which rights you have to a system
the main 3 authentication factors are _____; another two are ___
something you know, something you have, something about you; something you do and somewhere you are
combining different types of authorization is called ____ authorization
multifactor
_______ is a system where a central authority decides that since you are trusted on one system, you can be trusted on another
Federated Trust
______ are things you can do that have been assigned to you
Permissions
_____ are things that everyone on a system can do
rights and privileges
the idea that just because you need access to data doesn’t mean you need to be able to delete it is an example of _____
least privilege
having one person in charge of recording earnings and a different person in charge of payroll is an example of ____
separation of duties
_____ access control might use a label, such as “top secret”
mandatory
in ____ access control the owner of the data decides who has access to what
discretionary
_____ access control defines access according to rules for groups of people
role-based (RBAC)
____ means assuming you are not permitted to do something unless you are listed
implicit deny
a good password security policy will address which 3 topics?
complexity, expiration and history
in Windows, ___ lets you set rules for passwords, logins and lockouts
local security policy
Windows ___ are like Local Security Policy, but can work across an Active Directory domain on a Windows server network
group policy objects
in Linux, use the command ___ to see the permissions for all the files in a directory
ls -l
in Linux, permission rights for an object are shown by the three characters ___ repeated 3 times for the ___, ___ and ___ respectively
rwx; owner; group; everyone else
to give full permissions in Linux to the owner, but only read permissions to groups and others, use the alphabetical command _____ or the numeric command _____
chmod g=r FileName; chmod 744 FileName
to change the ownership in Linux of a file, use the command ___
sudo chown NewOwner FileName
to change the password of a file in Linux, use the command ___
sudo passwd [and wait for prompt]
in a Windows system, create users and groups with different permissions through the ___ system
Computer Management
when you change the permissions for a file in Windows, the change is automatically applied to all files in the folder and its subfolders; this is called ___
inheritance
to override security permissions inheritance for a file, use the _____
deny checkbox in the file properties
security settings are lost if a file is ___ in the same drive or moved to a ___ drive
copied; non-NTFS
what happens to file security permissions if you move or copy the file onto another NTFS drive?
the file takes on the permissions of the folder you place it into
continually monitor ___ and ___ of users in general
login/logoff; file access
if someone needs to have multiple accounts, then make sure their ___ and ___ are different, and be sure to exercise the principle of ___
username; passwords; least privilege
in general, enforce non-repudiation by avoiding ___ accounts and ___ usernames
shared; generic
what is the AAA of access?
authentication; authorization; accounting
the ___ network security protocol was originally developed for dial-up connections, but is now used for wireless networks
Remote Authentication Dial-in User Service (RADIUS)
the weakness of RADIUS authentication is that it doesn’t perform ___
authorization
the user attempting to get authenticated in a RADIUS network is called the ___
supplicant
RADIUS systems can use up to ___ UDP ports
4
the ___ system performs both authentication and authorization for networks
Terminal Access Controller Access-Control System Plus (TACACS Plus)
TACACS systems use TCP port ___
49
___ is the oldest authentication system, not used anymore because it uses no encryption
Password Authentication Protocol (PAP)
in a ___ authentication system, the server sends a hash of its key, the client’s key and a question to be answered
Challenge Handshake Authentication Protocol (CHAP)
a Windows ___ authentication system is like a CHAP system done from both sides
NT LAN Manager
a ___ authentication system works with a Windows domain controller between the client and server
Kerberos
in a Kerberos authentication system, the domain server acts as a ___, granting tickets for access
Key Distribution Center (KDC)
a Kerberos authentication system uses TCP and UDP port ___
88
in a Kerberos authentication system, a ___ is used to get a session key
Ticket Granting Ticket (TGT)
a ___ authentication system is used primarily for web applications, or to access devices that are physically spread out - not for file sharing
Security Assertion Markup Language (SAML)
___ is not really an authentication protocol, but is used to access someone else’s directory, and uses TCP/UDP port ___
Lightweight Directory Access Protocol (LDAP); 389
to establish single sign-on to a network of computers, usually you will want to use ___ even if they aren’t running Windows
Windows Active Directory
to use Windows Active Directory on a network, you must first install ___, then establish a ___
Windows Server; Domain
the ___ authorization model is based on data labels
mandatory access control (MAC)