Implementing Access Control 5 Flashcards

0
Q

Describe LDAP

A

Lightweight Directory Access Protocol
A directory access protocol that runs over TCP/IP networks (TCP port 389 by default). Its services schema defines the tasks clients can and cannot perform while accessing a directory database, the form a directory query must take, and how the directory server will respond. Plain LDAP sends everything, including simple-bind passwords, in cleartext, so it should be wrapped in StartTLS or LDAPS.

1
Q

What is directory services

A

A network service that stores identity information about all the objects in a particular network. It provides user access control to directory objects and network resources, and can be used to centralize security and to control access to individual network resources.
The structure of the directory is controlled by a schema that defines rules for how objects are created to support the specific needs of an organization.

2
Q

Describe LDAPS

A

Secure LDAP (LDAP over SSL/TLS)
A method of implementing LDAP over the Secure Sockets Layer/Transport Layer Security encryption protocols to prevent eavesdropping and man-in-the-middle attacks. Both client and server must establish a secure connection before any directory traffic is transmitted, and the session closes if the connection is interrupted or dropped. Conventionally uses TCP port 636. The client must verify the server's certificate; if it accepts any certificate, the man-in-the-middle protection is lost.

3
Q

List the most common directory services available

A

Microsoft Active Directory. Uses Access Control Lists (ACLs) on directory objects, and lets clients locate resources anywhere on the network through the directory.

Sun Java System Directory Server.

OpenDS. Open source.

OpenLDAP. Free and open source.

Open Directory. Owned by Apple.

4
Q

Describe remote access methods

A

RAS (remote access server). A gateway connection: the remote client connects directly to the server and is then treated as part of the internal network.

VPN remote access
Access through an intermediate network such as the Internet. Uses tunneling: the original packet is encapsulated inside another packet so that its contents are concealed in transit (and encrypted, when the tunneling protocol provides encryption).

5
Q

Common remote access protocols

A

PPP. Point-to-Point Protocol. Carries the link session and the authentication exchange (PAP or CHAP); provides no encryption by itself.
PPTP. Point-to-Point Tunneling Protocol. Not secure.
L2TP. Layer 2 Tunneling Protocol. Used with IPsec to provide encryption (L2TP itself does not encrypt).
SSTP. Secure Socket Tunneling Protocol. Carries PPP over HTTP over SSL/TLS (TCP port 443).

6
Q

What is HOTP

A

HMAC-based One-Time Password
An algorithm that generates one-time passwords (OTPs) from a shared secret and an incrementing counter, using a hash-based message authentication code (HMAC) so that only a party holding the secret can produce a valid code.
A code is only invalidated after it is used successfully. If an attacker obtains a code that has been generated but not yet used (for example from a lost token or a shoulder-surfed display), it remains valid until the legitimate user consumes it or a later one, so the system can be compromised.

7
Q

What is TOTP

A

Time-based One-Time Password
Improves upon the HOTP algorithm by replacing the counter with a time-based factor (typically the number of 30-second intervals since the Unix epoch). Addresses the HOTP weakness by generating a new password and invalidating the old one at fixed increments of time, so an intercepted but unused code expires quickly.

8
Q

What is PAP

A

Password Authentication Protocol
An authentication protocol that sends user IDs and passwords as plaintext over the link, so anyone who can capture the traffic obtains the credential.
Used when a remote client is connecting to a non-Windows server that does not support stronger challenge-response or encrypted authentication. Should be avoided.

9
Q

Describe CHAP

A

Challenge Handshake Authentication Protocol
Legacy challenge-response authentication protocol used to provide access control for remote access, including connections to non-Microsoft servers.
Uses a combination of Message Digest 5 (MD5) hashing and a challenge-response mechanism: the server sends a random challenge, and the client returns the MD5 hash of its identifier, the shared secret, and the challenge. No password is sent over the network, only the hash. Because the server must recompute that hash, it has to store the secret in cleartext or reversibly encrypted form.
More secure than PAP, but its reliance on MD5 and on a cleartext-equivalent secret at the server makes it outdated.
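As an added example (not part of the flashcard set), here is the CHAP exchange from the card above, both sides in Python, beside the PAP message for contrast. The user name and secret are constructed for the example; the response is computed exactly as RFC 1994 specifies, MD5 over the one-byte identifier, the secret, and the challenge. The `secret_on_wire` check confirms that the CHAP messages never carry the secret, while the PAP request does, and the server discards each challenge after one use so a captured response cannot be replayed.

```python
from __future__ import annotations
import hashlib
import os
import secrets

# Constructed credentials for this example only. The server must hold the cleartext
# secret because it has to recompute the same MD5 the client computed.
USER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response value = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets_db: dict[str, bytes]):
        self.secrets_db = secrets_db
        self.pending: dict[int, bytes] = {}   # identifier -> challenge we issued
        self.next_id = 0

    def issue_challenge(self) -> tuple[int, bytes]:
        self.next_id = (self.next_id + 1) & 0xFF      # 8-bit Identifier field
        challenge = os.urandom(16)                     # unpredictable and never reused
        self.pending[self.next_id] = challenge
        return self.next_id, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)  # one shot: a replayed response fails
        secret = self.secrets_db.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return secrets.compare_digest(expected, response)


def chap_login(server: ChapServer, name: str, secret: bytes) -> tuple[bool, list[bytes]]:
    """Run the three-message exchange; return (success, the messages seen on the wire)."""
    ident, challenge = server.issue_challenge()                  # 1. server -> client: Challenge
    response = chap_response(ident, secret, challenge)           #    client computes locally
    wire = [b"CHALLENGE" + bytes([ident]) + challenge,
            b"RESPONSE" + bytes([ident]) + response + name.encode()]   # 2. client -> server
    ok = server.verify(ident, name, response)                    # 3. server -> client: Success/Failure
    wire.append(b"SUCCESS" if ok else b"FAILURE")
    return ok, wire


def pap_login_wire(name: str, password: bytes) -> bytes:
    """PAP, for contrast: the Authenticate-Request carries the password as-is."""
    return b"AUTH-REQ" + name.encode() + b":" + password


def secret_on_wire(messages, secret: bytes) -> bool:
    return any(secret in m for m in messages)


if __name__ == "__main__":
    srv = ChapServer(USER_SECRETS)
    ok, msgs = chap_login(srv, "alice", USER_SECRETS["alice"])
    print("CHAP login:", ok, "| secret visible on wire:", secret_on_wire(msgs, USER_SECRETS["alice"]))
    print("PAP secret visible on wire:", secret_on_wire([pap_login_wire("alice", USER_SECRETS["alice"])], USER_SECRETS["alice"]))
```

The weakness the card mentions is visible in `USER_SECRETS`: an attacker who reads that table has every user's credential, which is why a CHAP-capable server (or a Windows domain with reversible encryption enabled for it) is a high-value target.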

10
Q

Guidelines for securing remote access

A

Set up a VPN for offsite employees to connect to your internal network through the Internet.
Use secure tunneling protocols such as L2TP with IPsec in the VPN.
Avoid insecure tunneling protocols such as PPTP.
Implement one-time password authentication for access to highly sensitive data.
Prefer TOTP over HOTP so that a captured but unused code expires instead of remaining valid; this limits replay of intercepted credentials.
Avoid PAP, CHAP, and other outdated remote access authentication protocols that provide no adequate protection.

11
Q

What is PGP

A

Pretty Good Privacy
A publicly available email security and authentication utility that uses a hybrid of public-key and symmetric cryptography to encrypt email.
The sender encrypts the email contents with a random symmetric session key, then encrypts that session key with the recipient's public key. The encrypted key is sent with the email; the receiver decrypts the session key with their private key and then uses it to decrypt the contents.
Also used for digital signing: the sender signs a hash of the message with their private key, and anyone holding the sender's public key can verify the signature.

12
Q

What is GPG

A

GNU Privacy Guard (GnuPG).

A free, open-source implementation of the OpenPGP standard that provides encryption and authentication services equivalent to PGP. Used for email security.

13
Q

Describe RADIUS

A

Remote Authentication Dial-In User Service
An Internet standard protocol that provides centralized remote access authentication, authorization, and accounting (auditing) services.
Only the password is encrypted (obfuscated with MD5 and a shared secret); the rest of the packet, including the user name, travels in cleartext, so RADIUS traffic should stay on a trusted network or be carried inside IPsec or TLS (RadSec).
The remote access server that forwards the user's credentials to the RADIUS server is known as the Network Access Server (NAS).
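To make "only encrypts passwords" concrete, the following added example (not from the flashcard set) implements the User-Password hiding from RFC 2865 section 5.2 and builds the attribute portion of an Access-Request: the User-Name attribute goes in the clear, only User-Password is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator. It also shows why the scheme is weak: the Request Authenticator is in the packet, so anyone who captures one packet and knows (or guesses) the password of that user can test shared-secret candidates offline. The secret, password and wordlist are constructed for the example.

```python
import hashlib
from typing import Optional

USER_NAME, USER_PASSWORD = 1, 2       # RADIUS attribute type codes (RFC 2865)


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes, then
    b1 = MD5(S + RA), c1 = p1 XOR b1, and for later blocks b_i = MD5(S + c_(i-1)), c_i = p_i XOR b_i."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        hidden, prev = hidden + c, c
    return hidden


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """What the RADIUS server, or anyone else holding the shared secret, does to recover the password."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = hidden[i:i + 16]
        plain, prev = plain + bytes(p ^ k for p, k in zip(c, b)), c
    return plain.rstrip(b"\x00")


def access_request_attributes(user: str, password: bytes, shared_secret: bytes, ra: bytes) -> bytes:
    """Type-Length-Value attributes of an Access-Request: only User-Password is hidden."""
    name = user.encode()
    pw = hide_user_password(password, shared_secret, ra)
    return bytes([USER_NAME, 2 + len(name)]) + name + bytes([USER_PASSWORD, 2 + len(pw)]) + pw


def recover_shared_secret(hidden: bytes, known_password: bytes, ra: bytes, wordlist) -> Optional[bytes]:
    """Offline attack on one captured packet: with a known password the first keystream block
    b1 = c1 XOR p1 is exposed, and since b1 = MD5(S + RA) with RA sent in the clear, the shared
    secret S can be guessed from a wordlist without any further traffic."""
    p1 = (known_password + b"\x00" * 16)[:16]
    b1 = bytes(c ^ p for c, p in zip(hidden[:16], p1))
    for guess in wordlist:
        if hashlib.md5(guess + ra).digest() == b1:
            return guess
    return None


if __name__ == "__main__":
    ra, secret = bytes(range(16)), b"testing123"          # constructed: RA is normally random per request
    attrs = access_request_attributes("alice", b"hunter2", secret, ra)
    print("attributes:", attrs.hex())
    print("user name in clear:", b"alice" in attrs, "| password in clear:", b"hunter2" in attrs)
    print("secret from wordlist:", recover_shared_secret(attrs[-16:], b"hunter2", ra, [b"password", b"testing123"]))
```

The defence is not a better obfuscation but a transport that hides the whole packet (IPsec or RadSec) plus a long, random shared secret per NAS that no wordlist will contain.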

14
Q

What is diameter

A

An AAA protocol designed as a successor to RADIUS that addresses its weaknesses: it runs over TCP or SCTP instead of UDP, supports transport security with TLS or IPsec, has a larger attribute space, and provides reliable failover. It is a stronger protocol but is not widely deployed outside telecom networks.

15
Q

Describe TACACS

A

Terminal Access Controller Access-Control System
and
TACACS+
Protocols that provide centralized authentication and authorization services for remote users. TACACS+ is considered more secure and scalable than RADIUS: it accepts login requests and authenticates the user's access credentials, separates authentication, authorization, and accounting, and supports multi-factor authentication.
Encrypts the entire packet body (not just the password) using a shared secret. TACACS+ is a Cisco protocol and is not backward compatible with the original TACACS.

16
Q

Describe Kerberos

A

An authentication service based on a time-sensitive ticket-granting system. Provides single sign-on (SSO).
Used to manage access control to many different services using one centralized authentication server (the Key Distribution Center, KDC). Clocks must be synchronized, because tickets and authenticators carry timestamps.

17
Q

What is SAML

A

Security Assertion Markup Language
An XML-based data format used to exchange authentication and authorization information between a service provider, an identity provider, and the requesting client (typically a browser).
Defines the security request and assertion messages.
Its purpose is to provide web-based SSO authentication across many different applications and domains.

18
Q

Describe the Kerberos Process

A

User logs on to the domain.
The user's client requests a ticket-granting ticket (TGT) from the authentication server (the AS component of the KDC).
The authentication server responds with a time-stamped TGT plus a session key encrypted under a key derived from the user's password; being able to decrypt that part is what proves the user's identity.
The client presents the TGT back to the KDC's ticket-granting server (TGS), with an authenticator encrypted under the session key, and requests a service ticket for a specific resource.
The ticket-granting server responds with a service ticket encrypted under the resource's own key.
The client presents the service ticket (and a fresh authenticator) to the resource.
The resource decrypts the ticket with its own key, authenticates the user, and allows access.
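The seven steps above, run end to end as an added example that is not part of the flashcard set. The KDC, client and service are all simulated in one Python process; `seal`/`open_sealed` is a toy authenticated-encryption stand-in constructed for the example (Kerberos really uses AES- or RC4-based encryption types, and a proper string-to-key function instead of a plain SHA-256 of the password). The time skew and ticket lifetime are assumed values. What the simulation preserves is the structure that matters: the TGT is opaque to the client, the service validates a ticket with nothing but its own key, and a wrong password, a tampered ticket, a wrong service key or a stale authenticator are all rejected.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import os

SKEW = 300               # assumed: max clock difference (seconds) tolerated on authenticators
LIFETIME = 10 * 3600     # assumed: ticket lifetime in seconds


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption for this example only (not a Kerberos encryption type):
    SHA-256 keystream XOR plus an HMAC-SHA256 tag over nonce and ciphertext."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key; the KDC stores this value, never the password."""
    return hashlib.sha256(password.encode()).digest()


def _check_authenticator(ticket: dict, authenticator: bytes, now: int) -> None:
    if now > ticket["exp"]:
        raise ValueError("ticket expired")
    a = open_sealed(bytes.fromhex(ticket["sk"]), authenticator)   # only the session key opens it
    if a["user"] != ticket["user"] or abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")


class KDC:
    def __init__(self, users: dict[str, str], service_keys: dict[str, bytes]):
        self.user_keys = {u: user_key(p) for u, p in users.items()}
        self.tgs_key = os.urandom(32)          # only the KDC can read or mint TGTs
        self.service_keys = service_keys       # shared with each service when it is enrolled

    def as_exchange(self, user: str, now: int) -> tuple[bytes, bytes]:
        """Steps 2-3: (part sealed under the user's key, TGT sealed under the TGS key)."""
        sk, exp = os.urandom(32).hex(), now + LIFETIME
        return (seal(self.user_keys[user], {"sk": sk, "exp": exp}),
                seal(self.tgs_key, {"user": user, "sk": sk, "exp": exp}))

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> tuple[bytes, bytes]:
        """Steps 4-5: validate TGT + authenticator; return (sealed service session key, service ticket)."""
        t = open_sealed(self.tgs_key, tgt)
        _check_authenticator(t, authenticator, now)
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.service_keys[service], {"user": t["user"], "sk": svc_sk, "exp": now + LIFETIME})
        return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk}), ticket


def kerberos_login(kdc: KDC, user: str, password: str, service: str, now: int) -> tuple[bytes, bytes]:
    """Client side of steps 1-6; returns (service ticket, authenticator) to present to the resource."""
    enc_part, tgt = kdc.as_exchange(user, now)
    sk = bytes.fromhex(open_sealed(user_key(password), enc_part)["sk"])   # wrong password -> ValueError
    enc_svc, ticket = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": now}), service, now)
    svc_sk = bytes.fromhex(open_sealed(sk, enc_svc)["sk"])
    return ticket, seal(svc_sk, {"user": user, "ts": now})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """Step 7: the resource checks the ticket with its own key only; it never contacts the KDC."""
    t = open_sealed(service_key, ticket)
    _check_authenticator(t, authenticator, now)
    return t["user"]


def rejected(fn) -> bool:
    """True if the flow refuses (wrong password, tampered or expired ticket, stale authenticator)."""
    try:
        fn()
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    keys = {"fileserver": os.urandom(32)}
    kdc = KDC({"alice": "correct horse"}, keys)
    ticket, auth = kerberos_login(kdc, "alice", "correct horse", "fileserver", 1_700_000_000)
    print("service accepted:", service_accepts(keys["fileserver"], ticket, auth, 1_700_000_000))
```

Note that the service ticket in this model carries no proof of the user's password and the resource never sees it; whoever holds the service key can read every ticket issued for that service, which is why a service account's key (in Active Directory, the password of the account owning the SPN) is as sensitive as the KDC's own.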

19
Q

What is identity management

A

The processes for creating identities from specific characteristics of individuals or resources, and for:
Associating each identity with access controls
Preventing identity theft
Protecting personally identifiable information (PII)

20
Q

What is account management.

A

Refers to the processes, functions, and policies used to effectively manage user accounts within an organization, with the proper controls in place.

21
Q

What are account privileges

A

Permissions granted to users that allow them to perform actions and access systems and services on the network.
Can be assigned per user or per group.
Keep privileges well documented.
User-assigned privileges are unique to each user and configured for a specific job function.
Group-assigned privileges: every user in the group has the same permissions. Best practice is to assign by group and to grant only the least privilege the role needs.

22
Q

Describe an account policy

A

A document that includes an organization's requirements for account creation, account monitoring, and account removal.

23
Q

What is multiple accounts

A

Occur when one individual has several accounts for a system or resource. The accounts may differ in the level of access applied (for example, a standard account for daily work and a separate privileged account for administration).

24
Q

Describe shared accounts

A

Accounts accessed by more than one user or resource, associated with a specific role or purpose. Examples:
Anonymous and guest accounts
Temporary accounts
Admin accounts used by multiple authorized professionals
Batch-processing accounts used to automate jobs
Several risks:
Lack of accountability and individual responsibility (actions cannot be attributed to one person)
Password changes are hard to coordinate, and the shared secret is rarely rotated when someone leaves

25
Q

What is account federation.

A

The practice of linking a single account and its characteristics across many different account management systems (for example, signing in to a partner's application with an identity issued by your own organization).
Provides a centralized account management structure and eliminates superfluous, duplicated account information.

26
Q

To maintain and enforce the security needs of an organization, what strict account management security controls should be implemented and enforced?

A
User ID and password requirements
Account access restrictions
Account management guidelines 
Multiple account guidelines
Continuous monitoring
27
Q

Describe credential management

A

An application created to help users and organizations store and organize account user names and passwords.
Credentials are stored in an encrypted database on the local machine (or synchronized through a vault service).
Only as strong as the master password that protects the database and the passwords stored in it.
Access to the manager itself should be protected with multi-factor authentication.

28
Q

Describe group policy

A

A service in Windows systems that provides several methods for managing security across a domain:
Enforcing account password properties and lockout thresholds
Controlling whether account passwords are stored using reversible encryption (keep this disabled unless a legacy protocol such as CHAP requires it, because it is equivalent to storing the password in plaintext)
Enforcing Kerberos policy (ticket lifetimes, tolerated clock skew)
Auditing account management events
Assigning specific rights and controls to individual or group accounts