Given a scenario, implement identity and account management controls Flashcards
Identity
Identity provider (IdP), attributes, certificates, tokens, SSH keys, smart cards
Identity provider (IdP)
The identity provider is the service that provisions the user account and processes authentication requests. On a private network, these identity directories and application authorization services can be operated locally: the same site operates both identity provision and application provision. Most networks now make use of third-party cloud services, however. In this scenario, various protocols and frameworks are available to implement federated identity management across web-based services. This means that a user can create a digital identity with one provider, but other sites can use that identity to authorize use of an application.
Attributes
Certificates
The certificate contains the subject’s public key and is signed by the CA’s public key. These public keys allow third parties to verify the certificate and the signature.
Tokens
It is inconvenient for users to authenticate to each application they need to use. In a single sign-on system, the user authenticates to an identity provider (IdP) and receives a cryptographic token. The user can present that token to compatible applications as proof they are authenticated, and receive authorizations from the application. With a token, there is always a risk that a malicious actor will be able to capture and replay it. The application protocol that makes use of tokens must be designed to resist this type of attack.
SSH keys
Secure Shell (SSH) is a widely used remote access protocol. It is very likely to be used to manage devices and services. SSH uses two types of key pairs:
A host key pair identifies an SSH server. The server reveals the public part when a client connects to it. The client must use some means of determining the validity of this public key. If accepted, the key pair is used to encrypt the network connection and start a session.
A user key pair is a means for a client to log in to an SSH server. The server stores a copy of the client’s public key. The client uses the linked private key to generate an authentication request and sends the request (not the private key) to the server. The server can only validate this request if the correct public key is held for that client.
Smart cards
Alternatively, a user’s certificate and private key can be stored on a smart card or USB key and used to authenticate to different PCs and mobile devices.
Account types
User account
Shared and generic accounts/credentials
Guest accounts
Service accounts
User account
Shared and generic accounts/credentials
Guest accounts
Service accounts
Account policies
Password complexity, password history, password reuse, network location, geofencing, geotagging, geolocation, time-based logins, access policies, account permissions, account audits, impossible travel time/risky login, lockout, disablement
Password complexity