Implementing Access Control 5 Flashcards
Describe LDAP
Lightweight Directory Access Protocol
A directory access protocol that runs over TCP/IP networks (TCP port 389 by default). The protocol defines the operations a client can and can't perform against a directory database (bind, search, compare, add, modify, delete), the form a directory query must take, and how the directory server responds. Plain LDAP sends bind credentials and query results in cleartext unless the connection is protected (see LDAPS).
What are directory services
A network service that stores identity information about all the objects in a particular network. Provides user access control to directory objects and network resources. Can be used to centralize security and to control access to individual network resources.
The structure of the directory is controlled by a schema that defines rules for how objects are created to support the specific needs of an organization
Describe LDAPS
Secure LDAP
A method of implementing LDAP over Secure Sockets Layer/Transport Layer Security (SSL/TLS), normally on TCP port 636, to prevent eavesdropping and man-in-the-middle attacks on bind credentials and directory data. Forces both client and server to establish the TLS session before any LDAP traffic is sent, and the session closes if the connection is interrupted or dropped. The alternative is StartTLS, which upgrades an existing port-389 LDAP connection to TLS.
List the most common directory services available
Microsoft Active Directory. Uses LDAP to find resources anywhere on the network and Kerberos for authentication; each directory object carries an ACL (access control list) that governs who can read or change it.
Sun Java System Directory Server.
OpenDS. Open source (Java, originally from Sun).
OpenLDAP. Free open source
Open Directory. Owned by Apple
Describe remote access methods
RAS (remote access server). A gateway connection: the remote client dials or connects directly to a server on the edge of the network.
The client is then treated as part of the internal network.
VPN remote access.
Access through an intermediate network such as the Internet. Uses tunneling, which encapsulates each original packet inside another packet so its addressing and contents are concealed while crossing the intermediate network. Tunneling by itself does not encrypt; confidentiality depends on the tunneling protocol used.
Common remote access protocols
PPP. Point-to-Point Protocol. The link-layer protocol that carries IP over a direct connection and negotiates authentication (PAP or CHAP); the tunneling protocols below all encapsulate PPP.
PPTP. Point-to-Point Tunneling Protocol. Not secure: its MS-CHAPv2 authentication and RC4-based MPPE encryption are broken and should not be used.
L2TP. Layer 2 Tunneling Protocol. Provides no encryption on its own; it is used with IPsec (L2TP/IPsec), which encrypts and authenticates the tunneled traffic.
SSTP. Secure Socket Tunneling Protocol. Tunnels PPP over HTTPS (HTTP over SSL/TLS on TCP port 443), so it passes firewalls that allow outbound web traffic.
What is HOTP
HMAC-based One-Time Password (RFC 4226).
An algorithm that generates one-time passwords (OTPs) from a shared secret and a moving counter using a hash-based message authentication code (HMAC), so a valid code proves knowledge of the secret.
A code is only invalidated after it has been used successfully. A code that was generated but never used (read off a token, or intercepted in transit) stays valid indefinitely, so an att acker who obtains such a password can use it later and the system can be compromised.
What is TOTP
Time-based One-Time Password (RFC 6238).
Improves upon the HOTP algorithm by replacing the event counter with a time-based factor: the counter is the number of fixed time steps (typically 30 seconds) since the Unix epoch. This addresses the HOTP security flaw, because codes are generated and invalidated in specific increments of time and an unused code expires on its own instead of staying valid.
What is PAP
Password Authentication Protocol
An authentication protocol that sends user IDs and passwords as plaintext, so anyone who can observe the link can read them.
Used when a remote client is connecting to a non-Windows server that does not support a stronger challenge-response method. It should only ever be used inside an already encrypted tunnel.
Describe CHAP
Challenge Handshake Authentication Protocol
Legacy challenge-response authentication protocol used to provide access control for remote access; it authenticates the peer but does not encrypt the session. Used to connect to non-Microsoft servers (Microsoft's own variants are MS-CHAP and MS-CHAPv2).
Uses a combination of Message Digest 5 (MD5) hashing and a challenge-response mechanism: the server sends a random challenge, and the client replies with the MD5 hash of its identifier, the shared secret, and the challenge. No passwords are sent over the network, only the hash.
More secure than PAP, with two caveats: the server must store the secret in recoverable form to recompute the hash, and a captured challenge/response pair can be attacked offline with a dictionary.
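To make the PAP and CHAP cards concrete, the Go program below (an added example, not part of the original flashcards) puts both exchanges side by side: what each protocol places on the wire, how the server checks it, and what a passive eavesdropper gets. The user name, password, frame format and 16-byte challenge are constructed for the example; the CHAP response computation itself follows RFC 1994 (MD5 over identifier, secret, challenge).

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"strings"
)

// Constructed credential store. CHAP forces the server to keep the password itself (or a value
// equivalent to it), because it must recompute exactly the MD5 the client computed.
var passwords = map[string]string{"alice": "correct horse battery staple"}

// PAP: the Authenticate-Request carries the peer ID and the password in the clear.
func papRequest(user, password string) []byte {
	return []byte("PAP " + user + " " + password)
}

func papVerify(request []byte) bool {
	f := strings.SplitN(string(request), " ", 3) // the password may itself contain spaces
	if len(f) != 3 || f[0] != "PAP" {
		return false
	}
	stored, ok := passwords[f[1]]
	return ok && subtle.ConstantTimeCompare([]byte(stored), []byte(f[2])) == 1
}

// CHAP (RFC 1994): the server sends a random Challenge with an Identifier; the peer replies with
// MD5(Identifier || secret || Challenge). The secret itself never crosses the link.
func chapChallenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func chapResponse(id byte, secret string, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write([]byte(secret))
	h.Write(challenge)
	return h.Sum(nil)
}

// chapVerify recomputes the expected response from the stored secret. Because the challenge is fresh
// for every authentication, a response captured from one session is useless against the next challenge.
func chapVerify(user string, id byte, challenge, response []byte) bool {
	secret, ok := passwords[user]
	return ok && subtle.ConstantTimeCompare(chapResponse(id, secret, challenge), response) == 1
}

// leaksPassword is the eavesdropper's view: does the captured frame contain the password verbatim?
func leaksPassword(frame []byte, password string) bool {
	return bytes.Contains(frame, []byte(password))
}

func main() {
	pw := passwords["alice"]
	pap := papRequest("alice", pw)
	fmt.Printf("PAP accepted=%v, password readable on the wire=%v\n", papVerify(pap), leaksPassword(pap, pw))

	ch := chapChallenge()
	resp := chapResponse(1, pw, ch)
	fmt.Printf("CHAP accepted=%v, password readable on the wire=%v\n", chapVerify("alice", 1, ch, resp), leaksPassword(resp, pw))
	fmt.Printf("replaying that response against a new challenge: accepted=%v\n", chapVerify("alice", 2, chapChallenge(), resp))
}
```

What the example does not protect against is also worth noting: an eavesdropper who records the challenge and the 16-byte response can try candidate passwords offline at MD5 speed, which is why the guidelines below treat CHAP as outdated rather than as a fix for PAP.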
Guidelines for securing remote access
Set up a VPN for offsite employees to connect to your internal network through the Internet
Use secure tunneling protocols like L2TP with IPSec in VPN
avoid insecure tunneling protocols like PPTP
Implement one time password authentication for access to highly sensitive data
Implement TOTP so that a captured one-time code expires within its time step, mitigating replay and session hijacking.
Avoid PAP, CHAP, and other outdated remote access protocols that do not adequately protect credentials.
What is PGP
Pretty Good Privacy
A publicly available email security and authentication utility that uses public key cryptography in a hybrid scheme to encrypt emails.
The sender encrypts the email contents with a freshly generated symmetric session key, then encrypts that session key with the recipient's public key. The encrypted session key is sent with the email; the receiver decrypts the session key with their private key and then uses it to decrypt the contents.
Also used for digital signing: the sender signs with their private key and anyone holding the matching public key can verify the signature.
What is GPG
GNU Privacy Guard.
A free, open source implementation of the OpenPGP standard that provides the equivalent encryption and authentication services, including email security.
Describe RADIUS
Remote Authentication Dial-In User Service.
Only encrypts the password: the User-Password attribute is hidden with an MD5-based keystream derived from the shared secret, while the user name and all other attributes travel in cleartext.
An Internet standard protocol (UDP) that provides centralized remote access authentication, authorization, and accounting (auditing) services.
The remote access server that relays the client's credentials to the RADIUS server is known as the Network Access Server (NAS).
What is diameter
An AAA protocol that improves on RADIUS by addressing its weaknesses: it runs over TCP or SCTP rather than UDP, supports transport security with TLS or IPsec, and is extensible. A stronger protocol, but not widespread outside telecom networks.
Describe TACACS
Terminal Access Controller Access Control System
and
TACACS+
Protocols that provide a centralized authentication and authorization service for remote users; TACACS+ is the current, Cisco-originated version (TCP port 49) and is not compatible with the original TACACS. More secure and scalable than RADIUS: it accepts login requests, authenticates the user's credentials, handles authorization as a separate step, and supports multi-factor authentication.
Obscures the whole packet body for every exchange, not just the password as RADIUS does.
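The RADIUS card above says RADIUS "only encrypts passwords" and the TACACS+ card says TACACS+ covers the whole packet body. The Go program below, an added example that is not part of the original flashcards, implements both transformations so the difference is visible: the RFC 2865 User-Password hiding (MD5 keystream chained from the Request Authenticator) and the RFC 8907 TACACS+ body obfuscation (MD5 keystream chained from the session id, key, version and sequence number). The shared secret, authenticator, session id and packet bodies are constructed for the example; both algorithms are as specified in the RFCs.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/binary"
	"fmt"
)

// radiusHidePassword implements the User-Password hiding of RFC 2865 section 5.2: pad the password with
// NULs to a multiple of 16 bytes, then XOR each 16-byte block with MD5(secret || previous block), where
// the "previous block" of the first block is the 16-byte Request Authenticator from the packet header.
func radiusHidePassword(secret, authenticator, password []byte) []byte {
	n := (len(password) + 15) / 16 * 16
	if n == 0 {
		n = 16
	}
	padded := make([]byte, n)
	copy(padded, password)
	out := make([]byte, n)
	prev := authenticator
	for i := 0; i < n; i += 16 {
		b := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = padded[i+j] ^ b[j]
		}
		prev = out[i : i+16]
	}
	return out
}

// radiusRevealPassword is the server side: the same keystream, chained from the received ciphertext blocks.
func radiusRevealPassword(secret, authenticator, hidden []byte) []byte {
	out := make([]byte, len(hidden))
	prev := authenticator
	for i := 0; i+16 <= len(hidden); i += 16 {
		b := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = hidden[i+j] ^ b[j]
		}
		prev = hidden[i : i+16]
	}
	return bytes.TrimRight(out, "\x00")
}

// tacacsObfuscate implements the TACACS+ body obfuscation of RFC 8907 section 4.5 (the RFC deliberately
// no longer calls it encryption). The pad is MD5(session_id || key || version || seq_no), then
// MD5(session_id || key || version || seq_no || previous MD5), repeated until it covers the body, and the
// body is XORed with it. Because it is a pure XOR, applying the function twice restores the plaintext.
func tacacsObfuscate(sessionID uint32, key []byte, version, seqNo byte, body []byte) []byte {
	var sid [4]byte
	binary.BigEndian.PutUint32(sid[:], sessionID)
	var pad, prev []byte
	for len(pad) < len(body) {
		h := md5.New()
		h.Write(sid[:])
		h.Write(key)
		h.Write([]byte{version, seqNo})
		h.Write(prev)
		prev = h.Sum(nil)
		pad = append(pad, prev...)
	}
	out := make([]byte, len(body))
	for i := range body {
		out[i] = body[i] ^ pad[i]
	}
	return out
}

func main() {
	secret := []byte("shared-secret")           // constructed RADIUS shared secret
	authenticator := []byte("0123456789abcdef") // constructed 16-byte Request Authenticator
	hidden := radiusHidePassword(secret, authenticator, []byte("alice-password"))
	fmt.Printf("RADIUS User-Password on the wire: %x\n", hidden)
	fmt.Printf("RADIUS server recovers: %q (User-Name and every other attribute were never hidden)\n",
		radiusRevealPassword(secret, authenticator, hidden))

	body := []byte("authen START user=alice password=alice-password") // constructed TACACS+ body
	ob := tacacsObfuscate(0x1234abcd, []byte("tacacs-key"), 0xc0, 1, body)
	fmt.Printf("TACACS+ body on the wire: %x\n", ob)
	fmt.Printf("TACACS+ server recovers: %q\n", tacacsObfuscate(0x1234abcd, []byte("tacacs-key"), 0xc0, 1, ob))
}
```

Neither transformation provides integrity, and both depend entirely on the strength and secrecy of the shared secret, which is why both protocols are meant to run on a trusted management network or inside IPsec, and why RADIUS over TLS (RadSec, RFC 6614) exists.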
Describe Kerberos
An authentication service based on a time-sensitive ticket-granting system. Provides single sign-on (SSO): the user authenticates once and then obtains tickets for individual services.
Used to manage access control to many different services using one centralized authentication server, the Key Distribution Center (KDC), which holds the secret key of every user and service.
What is SAML
Security Assertion Markup Language
Data format based on XML used to exchange authentication and authorization information between a service provider, an identity provider, and the requesting client (typically a web browser).
Defines assertions (signed statements about a subject), the request/response protocols that carry them, and bindings to transports such as HTTP.
Purpose is to provide web-based SSO across many different domains and applications.
Describe the Kerberos Process
User logs on to the domain
The user requests a TGT (ticket-granting ticket) from the authentication server, which is part of the KDC.
The authentication server responds with a time-stamped TGT encrypted under the KDC's own key, together with a session key encrypted under the user's key, so only a user who knows the password can use the TGT.
The user presents the TGT back to the KDC (its ticket-granting server) and requests a service ticket to access a specific resource.
The KDC responds with a service ticket encrypted under the resource's key, plus a new session key for the user and that resource.
The user presents the service ticket to the resource.
The resource decrypts the ticket with its own key, authenticates the user, and allows access until the ticket expires; the resource never needs to contact the KDC.
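The seven steps above are easier to follow with the three parties written out. The Go program below, an added example that is not part of the original flashcards, is a toy Kerberos realm: a KDC that knows every principal's long-term key, the AS exchange that issues a TGT, the TGS exchange that turns a TGT into a service ticket, and a service that accepts the ticket with nothing but its own key. Everything named in it is constructed (the realm, the user "alice", the service "host/fileserver", the password-to-key derivation, and the use of AES-GCM in place of Kerberos' real encryption types), and real Kerberos adds pre-authentication, clock-skew checks and authenticator replay caches that this example only mentions in comments.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ticket is the plaintext of a TGT or a service ticket: holder, session key shared with the target, expiry.
type ticket struct {
	Client  string
	Key     []byte
	Expires time.Time
}

// seal/open stand in for Kerberos encryption types: AES-256-GCM, nonce prepended; every key here is 32 bytes.
func gcmFor(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key []byte, v interface{}) []byte {
	pt, _ := json.Marshal(v)
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte, v interface{}) error {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(ct) >= n {
		if pt, err := gcm.Open(nil, ct[:n], ct[n:], nil); err == nil {
			return json.Unmarshal(pt, v)
		}
	}
	return errors.New("wrong key or tampered ciphertext")
}
func randomKey() []byte              { k := make([]byte, 32); rand.Read(k); return k }
func userKey(password string) []byte { k := sha256.Sum256([]byte("toy-realm:" + password)); return k[:] } // constructed KDF

// The KDC's long-term keys (constructed realm: the TGS itself, one service, one user) and an injectable clock.
var keys = map[string][]byte{"krbtgt": randomKey(), "host/fileserver": randomKey(), "alice": userKey("alice-password")}
var now = time.Now

// Steps 1-3. The TGT is sealed under the TGS key, so the client can neither read nor forge it; the session key
// inside it is also returned sealed under the client's key, which only the user who knows the password can open.
func asExchange(client string) (tgt, enc []byte, err error) {
	ck, ok := keys[client]
	if !ok {
		return nil, nil, errors.New("unknown principal")
	}
	t := ticket{Client: client, Key: randomKey(), Expires: now().Add(10 * time.Hour)}
	return seal(keys["krbtgt"], t), seal(ck, t), nil
}

// openTicket is what the TGS (steps 4-5) and the service (steps 6-7) both do: decrypt the ticket with their own
// key, check expiry, and check the authenticator (a timestamp sealed under the ticket's session key) to prove the
// presenter holds that key. Real Kerberos also bounds the timestamp to the allowed clock skew and caches recent
// authenticators so that a captured ticket plus authenticator cannot simply be replayed.
func openTicket(key, tkt, auth []byte) (ticket, error) {
	var t ticket
	if err := open(key, tkt, &t); err != nil || now().After(t.Expires) {
		return ticket{}, errors.New("invalid or expired ticket")
	}
	if err := open(t.Key, auth, new(time.Time)); err != nil {
		return ticket{}, errors.New("authenticator was not sealed with the ticket's session key")
	}
	return t, nil
}
func tgsExchange(tgt, auth []byte, service string) (st, enc []byte, err error) {
	t, err := openTicket(keys["krbtgt"], tgt, auth)
	sk, ok := keys[service]
	if err != nil || !ok {
		return nil, nil, errors.New("invalid TGT or unknown service")
	}
	s := ticket{Client: t.Client, Key: randomKey(), Expires: now().Add(time.Hour)}
	return seal(sk, s), seal(t.Key, s), nil
}

// login runs the client side end to end and returns the identity the service ends up trusting. The service never
// contacts the KDC: its own long-term key is enough to open the ticket.
func login(user, password, service string) (string, error) {
	ck := userKey(password)
	var tgs, svc ticket
	var st []byte
	tgt, enc, err := asExchange(user)
	if err == nil {
		err = open(ck, enc, &tgs) // wrong password: the TGT session key never becomes readable
	}
	if err == nil {
		st, enc, err = tgsExchange(tgt, seal(tgs.Key, now()), service)
	}
	if err == nil {
		err = open(tgs.Key, enc, &svc)
	}
	if err != nil {
		return "", err
	}
	t, err := openTicket(keys[service], st, seal(svc.Key, now()))
	return t.Client, err
}

func main() {
	fmt.Println(login("alice", "alice-password", "host/fileserver"))
	fmt.Println(login("alice", "wrong-password", "host/fileserver"))
}
```

Two properties of the real protocol show up directly: the user's password never leaves the client (it only unlocks the AS reply), and a TGT captured on the wire is useless without the session key that was sealed under the user's key, since the TGS demands an authenticator under that key before issuing anything.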
What is identity management
The processes that create an identity from the specific characteristics of an individual or resource and then manage it over its lifetime.
Associates each identity with access controls.
Prevents identity theft.
Protects personally identifiable information (PII).
What is account management
Refers to the processes, functions, and policies used to effectively manage user accounts within an organization with the proper controls in place
What are account privileges
Permissions granted to users that allow them to perform actions and access systems and services on the network.
Can be assigned per user or per group.
Keep privileges well documented.
User-assigned privileges are unique to each user and configured for a specific job function.
Group-assigned privileges: every user in the group has the same permissions. Best practice is to assign by group, so that privileges follow a role rather than an individual.
Describe an account policy
A document that includes an organizations requirements for account creation, account monitoring, and account removal.
What are multiple accounts
Occur when one individual has several accounts for a system or resource. Accounts may differ depending on the level of access applied.