ID & Access Management Flashcards
Define Identification
An assertion or claim to an identity
Define Authentication
Offered proof of identification
Define Authorization
Granting an authenticated identity the specific access or permissions it is entitled to; happens only after authentication succeeds
Define AAA
Authentication
Authorization
Accounting
Authentication Factors
Something you know (Type 1)
Something you have (Type 2)
Something you are (Type 3)
Something you do (behavioural)
Somewhere you are (location)
Define FAR
False Acceptance Rate
Define FRR
False Rejection Rate
Define CER
Crossover Error Rate; balance between FRR and FAR
Define MFA
Multi-Factor Authentication; must combine two separate factor categories
Token Types
Physical
Software
Hardware
Define HOTP
HMAC-based One-Time Password (RFC 4226); single-use password derived from a shared secret and a counter that both sides advance, so a used code cannot be replayed
Define TOTP
Time-based One-Time Password (RFC 6238); HOTP where the counter is the current time divided by a time step (typically 30 seconds), so both sides need synchronized clocks
Authentication Protocols
PAP (insecure; username and password sent in cleartext)
CHAP (challenge/response; the password itself never crosses the link)
MS-CHAP (insecure)
MS-CHAPv2 (adds mutual authentication; still DES-based and crackable, so use only inside a TLS tunnel such as PEAP)
PPP is the link-layer protocol that carries these; it is not an authentication protocol itself
Challenge-Response (CHAP) Authentication Process
Challenge
Response Hash
Compare Hash
Authorize
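The four steps above as a two-party exchange, added here as an example that is not part of the original flashcards. The response follows RFC 1994 (MD5 over identifier, secret and challenge); the secret, identifiers and candidate wordlist are constructed for illustration. Besides the happy path it shows the two properties a practitioner cares about: a captured response is useless against a fresh challenge, and an eavesdropper with one captured exchange can still guess the shared secret offline, which is why CHAP secrets must be strong and why the authenticator has to store them in cleartext.

```python
"""CHAP challenge/response (RFC 1994) as a two-party exchange, with its failure modes.

Added example, not from the original page. SHARED_SECRET and the wordlist are constructed.
"""
import hashlib
import hmac
import os

SHARED_SECRET = b"correct horse battery staple"  # constructed; the authenticator stores it in cleartext


def new_challenge(length: int = 16) -> bytes:
    """Authenticator side: a fresh, unpredictable challenge for every attempt (never reused)."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5 over the one-byte identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected hash and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_exchange(peer_secret: bytes, stored_secret: bytes, identifier: int = 1) -> bool:
    """Full exchange: challenge -> response hash -> compare hash -> authorize."""
    challenge = new_challenge()                                   # step 1: challenge
    response = chap_response(identifier, peer_secret, challenge)  # step 2: response hash
    return chap_verify(identifier, stored_secret, challenge, response)  # steps 3-4


def replay_fails(secret: bytes) -> bool:
    """A response captured from one exchange does not verify against a later challenge."""
    captured_challenge = new_challenge()
    captured_response = chap_response(1, secret, captured_challenge)
    later_challenge = new_challenge()
    return not chap_verify(1, secret, later_challenge, captured_response)


def offline_guess(identifier: int, challenge: bytes, response: bytes, candidates):
    """What an eavesdropper does with one captured exchange: try secrets until the hash matches.

    No constant-time compare here on purpose; the attacker is the one computing.
    """
    for guess in candidates:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    print("valid peer:", run_exchange(SHARED_SECRET, SHARED_SECRET))
    print("wrong secret:", run_exchange(b"guess", SHARED_SECRET))
    print("replay rejected:", replay_fails(SHARED_SECRET))
```

`offline_guess` is the reason CHAP is only as strong as the shared secret: nothing in the protocol rate-limits an attacker who has sniffed a single challenge/response pair.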
Define SSO
Single Sign-On; one authentication event grants access to multiple systems or applications, commonly implemented through federated identity management
Trust Relationship Types
One-way versus two-way
Transitive versus intransitive
Define Transitive Trust
If organization A trusts organization B, then organization A also trusts any organization that B trusts
Define One-Way Trust
Organization A trusts organization B, so B's users can be granted access to A's resources, but B does not trust A, so A's users get no access to B's resources
Define RADIUS
Remote Authentication Dial-In User Service:
UDP (ports 1812 authentication / 1813 accounting; legacy 1645 / 1646)
Encrypts only the password field; the rest of the packet is cleartext
Combines authentication and authorization in one exchange
Define TACACS
Terminal Access Controller Access Control System; the version in use today is TACACS+ (Cisco):
TCP
Encrypts the entire packet body (only the header is cleartext)
KERBEROS Process
1. Client sends an authentication request to the KDC
2. KDC checks the client's credentials
3. KDC issues a ticket granting ticket (TGT)
4. Client presents the TGT to the KDC to request access to a service
5. KDC issues a service ticket (for example, for a file server)
6. Client presents the service ticket to the service to authenticate
KERBEROS Benefits
Ease and Quality
Scalability
Policy Enforcement and Audit-ability
*not peer-to-peer
KERBEROS Port Number
88
LDAP Port Number
389
LDAPS Port Number
636
NTLM Issues
Weak, unsalted hashing (the NT hash is plain MD4 of the password; the older LM hash is worse)
Pass the hash (the hash itself is the credential, so a stolen hash can be used without cracking it)
Define NTLM
New Technology LAN Manager
Define SAML
Security Assertion Markup Language; XML-based standard for exchanging authentication and authorization assertions, used for browser-based SSO
SAML Actors
Principal (the user)
Identity Provider (IdP)
Service Provider (SP)
Define OAuth
Open Authorization; delegated authorization framework in which a client obtains scoped access tokens for a resource on the user's behalf; it is not an authentication protocol on its own
Define OpenID
OpenID Connect (OIDC); authentication layer built on top of OAuth 2.0 that issues an ID token asserting who the user is
Asymmetric Authentication Process
The client proves possession of the private key by signing a challenge; the verifier checks the signature with the public key (informally described as "encrypt with the private key, decrypt with the public key")
Authorization Key Principles
Least Privilege
Separation of Duties
Define Privilege Creep
User gaining excess privileges as a result of shifting roles within an organization
Define MBAC
Mandatory Access Control (MAC, sometimes written MBAC); the system enforces access from security labels (classification and clearance) and neither users nor resource owners can override it
Define DBAC
Discretionary Access Control (DAC, sometimes written DBAC); the owner of a resource decides who may access it, as with ordinary file permissions
Define ACL
Access Control List; list of entries attached to an object stating which users or groups have which permissions on it
ACL Categories
Full
Read
Write
Modify
Define RBAC
Role Based Access Control; user assigned permissions based on position
Define ABAC
Attribute Based Access Control; situation based privileges such as location or time
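The access-control models on the cards above combined into one decision function, added here as an example that is not part of the original flashcards. The users, roles, ACL entry and rules are constructed for illustration. The ordering is the design point: an explicit deny wins regardless of role (the "deny trumps allow" default), the role (RBAC) must grant the permission, and only then are the situational attributes (ABAC: location and time of day) checked.

```python
"""Authorization decision combining an explicit-deny ACL, RBAC roles and ABAC conditions.

Added example, not from the original page. All principals, roles and rules are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    subject: str
    action: str
    resource: str
    attrs: dict = field(default_factory=dict)  # ABAC inputs, e.g. {"location": "HQ", "hour": 10}


# RBAC: position -> set of (action, resource) permissions
ROLE_PERMISSIONS = {
    "analyst": {("read", "logs")},
    "admin": {("read", "logs"), ("write", "logs"), ("delete", "logs")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}

# ACL with an explicit deny: it must win even though bob's role would allow the action
ACL = [
    {"principal": "bob", "action": "delete", "resource": "logs", "effect": "deny"},
]

# ABAC inputs: writes are only allowed from trusted networks during business hours
TRUSTED_LOCATIONS = {"HQ", "VPN"}
BUSINESS_HOURS = (8, 18)  # local hour, start inclusive, end exclusive


def explicit_deny(req: Request) -> bool:
    """True if any ACL entry explicitly denies this subject/action/resource."""
    return any(
        e["effect"] == "deny"
        and e["principal"] == req.subject
        and e["action"] == req.action
        and e["resource"] == req.resource
        for e in ACL
    )


def rbac_allows(req: Request) -> bool:
    """True if at least one of the subject's roles carries the (action, resource) permission."""
    return any(
        (req.action, req.resource) in ROLE_PERMISSIONS.get(role, set())
        for role in USER_ROLES.get(req.subject, set())
    )


def abac_allows(req: Request) -> bool:
    """Situational rules: state-changing actions need a trusted location and business hours."""
    if req.action in {"write", "delete"}:
        if req.attrs.get("location") not in TRUSTED_LOCATIONS:
            return False
        hour = req.attrs.get("hour")
        if hour is None or not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            return False
    return True


def authorize(req: Request) -> bool:
    """Deny trumps allow; then the role must grant the permission; then the attributes must agree."""
    if explicit_deny(req):
        return False
    if not rbac_allows(req):
        return False
    return abac_allows(req)


if __name__ == "__main__":
    print(authorize(Request("bob", "write", "logs", {"location": "VPN", "hour": 10})))   # True
    print(authorize(Request("bob", "delete", "logs", {"location": "HQ", "hour": 10})))   # False
```

Note that `abac_allows` fails closed when an attribute is missing: a request that does not carry a location or time is treated as untrusted rather than assumed to be fine.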
Account Types
User
Privileged
Guest
Shared
Service/system
Executive
Octal Value of No Permissions
0
Octal Value of Execute Permissions
1
Octal Value of Write Permissions
2
Octal Value of Read Permissions
4
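The four octal cards above carried through to whole modes, as an added example that is not part of the original flashcards: each octal digit is r=4 + w=2 + x=1 for owner, group and other, so 0640 is `rw-r-----`. The example converts in both directions and adds a small audit check for the patterns a reviewer looks for first (world-writable files, setuid/setgid, a less-privileged class holding a right the owner lacks). Decoding the setuid, setgid and sticky bits goes beyond the cards and is included as an extension.

```python
"""Unix permission bits: octal <-> symbolic conversion plus a small audit check.

Added example, not from the original page. Extends the cards' single-digit values
(0, 1, 2, 4) to full modes and, as an extension, the setuid/setgid/sticky bits.
"""
import stat

# (bit, letter) for the nine rwx slots in ls -l order: owner, group, other
PERM_BITS = ((stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
             (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
             (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"))
SPECIAL_SLOTS = (2, 5, 8)  # execute slots that show s/S (setuid, setgid) or t/T (sticky)


def mode_to_symbolic(mode: int) -> str:
    """0o640 -> 'rw-r-----'; 0o4755 -> 'rwsr-xr-x'."""
    chars = [ch if mode & bit else "-" for bit, ch in PERM_BITS]
    # Special bits replace the execute slot: lowercase if x is also set, uppercase if not.
    for slot, special, letter in ((2, stat.S_ISUID, "s"), (5, stat.S_ISGID, "s"), (8, stat.S_ISVTX, "t")):
        if mode & special:
            chars[slot] = letter if chars[slot] == "x" else letter.upper()
    return "".join(chars)


def symbolic_to_mode(sym: str) -> int:
    """'rwxr-xr-x' -> 0o755; also understands s/S and t/T in the execute slots."""
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters, e.g. rw-r-----")
    mode = 0
    for i, ((bit, expected), ch) in enumerate(zip(PERM_BITS, sym)):
        if ch == expected or (i in SPECIAL_SLOTS and ch in "st"):
            mode |= bit                      # lowercase s/t means the execute bit is set too
        elif ch == "-" or (i in SPECIAL_SLOTS and ch in "ST"):
            pass
        else:
            raise ValueError(f"unexpected character {ch!r} at position {i} in {sym!r}")
    if sym[2] in "sS":
        mode |= stat.S_ISUID
    if sym[5] in "sS":
        mode |= stat.S_ISGID
    if sym[8] in "tT":
        mode |= stat.S_ISVTX
    return mode


def audit_mode(mode: int, is_dir: bool = False) -> list:
    """Return the findings a permissions review would raise for this mode."""
    findings = []
    if mode & stat.S_IWOTH:
        if is_dir and mode & stat.S_ISVTX:
            findings.append("world-writable directory (sticky bit set, like /tmp)")
        else:
            findings.append("world-writable")
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID and not is_dir:
        findings.append("setgid")
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    if other & ~group or group & ~owner:
        findings.append("a less-privileged class holds a right the more-privileged class lacks")
    return findings


if __name__ == "__main__":
    for m in (0o640, 0o755, 0o4755, 0o1777):
        print(f"{m:o}", mode_to_symbolic(m), audit_mode(m, is_dir=(m == 0o1777)))
```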
Federated RADIUS Features
Common authentication and credentials
Individual members retain administrative control
Share same level of trust
Define DIAMETER
Successor to RADIUS; supports EAP
AAA Protocol over LTE and IMS Networks
Reliable messages over TCP or SCTP
Secure messages using TLS or IPSec
Guest Account Settings
Prevent network usage
Secure password enabled
Prevent from system shutdown
Prevent viewing log information
Active Directory SSO Concerns
8 character limit on legacy systems
Easy to guess usernames
Duplicate usernames
When are GPO Updated
At computer startup (computer settings), at user logon (user settings), and on the periodic background refresh (by default every 90 minutes with a random offset; domain controllers every 5 minutes)
Define Decentralized Privilege Management
User accounts are defined on individual systems (i.e. a workgroup) rather than on centralized access control servers
Copying a User Account (what carries over)
Individually assigned permissions do not transfer
Group memberships (and the permissions granted through them) do transfer
Define Security Configuration and Analysis Snap-in
Apply or compare a template to existing security settings on a computer, used for auditing
Default Permissions Priority
Deny trumps allow permissions
Define Active Directory
A centralized database that contains user account and security information
Define an Active Directory Domain Controller
Server that holds a copy of the database
Define an Active Directory Organizational Unit
Folder that subdivides and organizes network resources within the domain
Define an Active Directory Domain
An admin defined collection of network resources sharing a common directory database and security policy
Define an Active Directory Object
A computing element which identifies resources in the database
Hierarchical Database Benefits
Organization
Delegation
Replication
Scalability
usermod/userdel flags
usermod -l: change the login name
usermod -u: change the UID
usermod -L: lock the user's password (prefixes the hash in /etc/shadow with !)
usermod -d: change the account's home directory
userdel -r: remove the user and delete the home directory
Account Locked Indicator
! or !!
passwd -S gshant
Display status of user account
gpasswd X
Prompt new password for group X
chage command flags
- M: password expiration max
- W: days before expiration warning
- m: minimum age
/etc/security/limits.conf File Contents
Limit of concurrent logins for a specific user
TACACS+ Features
AAA
Uses TCP
Encrypts entire packet
Supports more protocol suites than RADIUS
TACACS+ Port Number
49
Define Remote Access
Private and remote host connection to server or network resources
Difference between MS-CHAPv2 and CHAP
Mutual authentication (the client also verifies the server); MS-CHAPv2 uses the NT password hash rather than CHAP's MD5 of the cleartext secret
SASL Authentication Mode Solutions
TLS
Kerberos
IPsec
Certificates
Explain LANMAN
Pads or truncates the password to 14 characters, uppercases it, splits it into two 7-character halves and uses each half as a DES key to encrypt a fixed constant; the two results are concatenated. Each half can be cracked independently, so the effective strength is that of a 7-character uppercase password (insecure)
Define Biometric Template Source
Physiological or behavioural characteristics of the person (fingerprint, iris, face, voice, typing rhythm), stored as a derived template rather than the raw sample
Disadvantages of Biometrics
False negatives
No stronger than a strong password when used alone (and, unlike a password, a compromised biometric cannot be changed)
Purpose of Granular Password Policies
Apply a different password policy (a Password Settings Object, PSO) to specific users or groups instead of the single domain-wide policy; configured through ADSI Edit or PowerShell
Granular Password Policy Steps
Create PSO with necessary settings,
Edit the msDS-PSOAppliesTo property to ID the groups or users applicable,
If policy was applied to a group, add users to the group
Smart Card Benefits
Own processor
Store digital signatures, keys, and ID codes
Generally tamper-resistant (the private key is used inside the card and never exported)
Define an Object in the Context of Access Control
Data, Applications, Systems, Networks, Physical Space