Chapter 4 Access Control, Authentication, Authorization Flashcards
What is Access Control?
131
The act of allowing only authorized users into a system, and keeping out the people you don't want in.
Identification vs. Authentication
131
Identification is finding out who someone is. Authentication is proving it.
5 different forms of authentication
131
- Something you know: password or PIN
- Something you have: smart card or token
- Something you are: biometrics
- Something you do: an action you take to complete authentication
- Somewhere you are: geolocation (not so likely anymore)
Single-Factor Authentication
132
Just one form of authentication, usually a username and password.
Multifactor Authentication
133
Whenever you use more than one method of authentication.
Layered Security and Defense In Depth
133
It essentially just means you should have more than one type of security present.
Tokens
135
Authenticate the user. Essentially just a sliver of information that tells the computer who you are.
Federations
135
A collection of networked computers that agree on communication standards.
- IM programs are an example of this.
Transitive Access
136
When A trusts B and B trusts C, A and C might implicitly trust each other. This is taken care of with transitive trusts.
PAP
139
Password Authentication Protocol
- Legacy system that sends the username and password to an authentication server in plain text.
SPAP
139
Shiva PAP
- Main difference between this and PAP is that the username and password are encrypted
- It is less secure than CHAP and is susceptible to replay attacks.
CHAP
139
Challenge Handshake Authentication Protocol
- The connecting machine generates a random number (usually a hash) and sends it to the server.
- The server will periodically ask for that number again, which prevents man-in-the-middle attacks.
TOTP
139
Time-Based One Time Password
- Uses a time-based factor to create unique passwords.
- Google Authenticator is a good example.
HOTP
139
HMAC-Based OTP
- Uses a Hash Message Authentication Code to authenticate.
Password Length and Complexity
account policy enforcement, page 139
On Windows, enabling password complexity requires:
- Cannot contain parts of username over 3 consecutive characters
- Must be at least eight characters long
- Must contain an element from 3 of the following:
  - A-Z
  - a-z
  - 0-9
  - !$%
Password Expiration
account policy enforcement, page 140
90 days is about standard, but Microsoft recommends 42 days. You should enable password history so they can’t just use the same password every time.
RADIUS
145
Remote Authentication Dial-In User Service
- Allows authentication of remote and other network connections. It was originally intended for use with dial-up, but it is still being kept state-of-the-art.
- If there's only one RADIUS server on a network and it goes down, the whole network will.
- More RADIUS servers mean more stability.
TACACS
146
A good competitor for RADIUS. Cisco uses it as standard now. Unlike RADIUS, it combines Authentication and Authorization rather than separating them.
SAML
147
An XML-based form of authentication, generally used by service providers to authenticate those who are accessing their information.
Kerberos
148
Uses a Key Distribution Center (KDC) to authenticate the "principal" (user) and provides them with a ticket.
- This ticket provides authentication.
- The weakness is the KDC going down.
Single Sign-On
149
Gives the authenticated user instant access to everything they need. Passwords are generally stored on a server, which poses a significant security risk.
Mandatory Access Control (MAC)
151
High security and inflexible.
Rights and privileges must be defined and, if need be, changed by the admin.
Discretionary Access Control (DAC)
151
A little more flexible.
Allows users to share information with each other dynamically.
Role-Based Access Control (RBAC)
152
Essentially just establishing group policy.
Role-Based Access Control
152
You use the settings of the preconfigured security policy.
User Access Review
154
Periodically review your employees' permissions to make sure they're not getting too powerful.
Common Access Card (CAC)
155
Cards used by the DOD.
- You have your picture, beneath which is a chip and a barcode, and on the back there's a magnetic strip with another barcode.
Personal Identification Verification Card (PIV)
156
Will soon be the standard for all government workers and contractors.