Lesson 7: Managing Access Services and Accounts Flashcards

1
Q

Authorization

A

process by which subjects (typically authenticated user or computer accounts) are granted rights to access and modify resources. There are two important functions in authorization:

  • The process of ensuring that only authorized rights are exercised (policy enforcement).
  • The process of determining rights (policy definition).

The more privileges that you allocate to more users, the more you increase the risk that a privilege will be misused. Authorization policies help to reduce risk by limiting the allocation of privileges as far as possible.

2
Q

implicit deny

A

Access controls are usually founded on the principle of implicit deny; that is, unless there is a rule specifying that access should be granted, any request for access is denied. This principle can be seen clearly in firewall policies. A firewall filters access requests using a set of rules. The rules are processed in order from top-to-bottom. If a request does not fit any of the rules, it is handled by the last (default) rule, which is to refuse the request.

File access controls work on the same principle. An account must be listed on the ACL to gain access. Any other request for access is denied.

3
Q

least privilege

A

A complementary principle is that of least privilege. This means that a user should be granted rights necessary to perform their job and no more.

A core principle of secure access management is that of least privilege. This policy means that a user, group, or role should be allocated the minimum sufficient permissions to be able to perform its job function and no more. Each account should be configured from a template of the appropriate privileges. Deviations from the template should be monitored for increased risk.

4
Q

Single Sign-On (SSO)

A

means that a user only has to authenticate to a system once to gain access to all the resources to which the user’s account has been granted rights. An example is the Kerberos authentication and authorization model. This means, for example, that a user authenticated with Windows® is also authenticated with the Windows domain’s SQL Server® and Exchange Server services. The advantage of single sign-on is that each user does not have to manage multiple user accounts and passwords. The disadvantage is that compromising the account also compromises multiple services.

5
Q

Directory services

A

the principal means of providing privilege management and authorization on an enterprise network. Depending on the sort of access control model used, the owner or systems administrator can share resources (folders, printers, and other resources) to make them available for network users. The resources can then be protected with a security system based around the authentication credentials provided by each user at logon to gain access to a system-defined account. Windows and UNIX/Linux systems all provide versions of this type of security.

6
Q

security database

A

When logging on to the network, the user must supply logon credentials. This username and password (or other authentication data) are compared with the server’s security database, and if both match, the user is authenticated. The server security service generates an access key for the user. This contains the username and group memberships of the authenticated user.

7
Q

resources

A

All resources on server-based systems have an Access Control List (ACL) that is used to control access to the resource. The access list contains entries for all usernames and groups that have permission to use the resource. It also records the level of access available for each entry. For example, an access list may allow a user named user1 to view the name of a file in a folder but not read the file contents. Whenever the user attempts to access a resource, his or her access key is provided as identification. The server’s security service matches username and group memberships from the access key with entries in the access list, and from this, it calculates the user’s access privileges.

All this information is stored in a directory. A directory is like a database, where an object is like a record, and things that you know about the object (attributes) are like fields. In order for products from different vendors to be interoperable, most directories are based on the same standard. The principal directory standard is the X.500 series of standards, developed by the International Telecommunications Union (ITU) in the 1980s. As this standard is complex, most directory services are implementations of the Lightweight Directory Access Protocol (LDAP). LDAP is not a directory standard but a protocol used to query and update an X.500 directory or any type of directory that can present itself as an X.500 directory. LDAP is widely supported in current directory products, such as Windows Active Directory, NetIQ (Novell) eDirectory, Apple OpenDirectory, and the open source OpenLDAP. As well as enterprise networking directories, LDAP also provides a model for Internet directory access, such as providing contact lists for Instant Messaging (IM) applications.

8
Q

distinguished name

A

a unique identifier for any given resource within an X.500-like directory. A distinguished name is made up of attribute=value pairs, separated by commas. The most specific attribute is listed first, and successive attributes become progressively broader.

9
Q

relative distinguished name

A

The most specific attribute is listed first, and successive attributes become progressively broader. This most specific attribute is also referred to as the relative distinguished name, as it uniquely identifies the object within the context of successive (parent) attribute values.

The types of attributes, what information they contain, and the way object types are defined through attributes (some of which may be required, and some optional) is described by the directory schema. Some of the attributes commonly used include Common Name (CN), Organizational Unit (OU), Organization (O), Country (C), and Domain Component (DC). For example, the Distinguished Name of a web server operated by Widget in the UK might be:

CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=com

10
Q

X.500 directories

A

arranged in a hierarchy called the directory information tree. Each directory starts at the root and passes through several levels of container objects, such as country (optional), organization, and organizational units (also optional). Actual network resources, such as users, computers, printers, folders, or files, are referred to as leaf objects.

11
Q

Lightweight Directory Access Protocol (LDAP) Security

A

LDAP runs over TCP and UDP port 389 by default. The basic protocol provides no security and all transmissions are in plaintext, making it vulnerable to sniffing and Man-in-the-Middle (spoofing an LDAP server) attacks. Also, a server that does not require clients to authenticate is vulnerable to overloading by DoS attacks. Authentication (referred to as binding to the server) can be implemented in the following ways:

  • No authentication—anonymous access is granted to the directory.
  • Simple authentication—the client must supply its DN and password, but these are passed as plaintext. This method could be secured if using IPSec for transport across the network.
  • Simple Authentication and Security Layer (SASL)—the client and server negotiate the use of a supported security mechanism. Typically, this will mean the use of either Kerberos or TLS to provide strong certificate-based authentication.
  • There is also an unofficial way of securing LDAP using SSL (the older version of TLS) called LDAPS. This is very similar to HTTPS and works over TCP port 636. SSL/TLS also provide a means for the server to authenticate to the client, providing mutual authentication.
12
Q

LDAP Access

A

If secure access is required, anonymous and simple authentication access methods should be disabled on the server.

Generally, two levels of access will need to be granted on the directory: read-only access (query) and read/write access (update). This is implemented using an Access Control Policy, but the precise mechanism is vendor-specific and not specified by the LDAP standards documentation.

Unless hosting a public service, the LDAP directory server should also only be accessible from the private network. This means that LDAP ports (389 over TCP and UDP) should be blocked by a firewall from access over the public interface.

13
Q

LDAP injection attacks

A

Where LDAP can be queried from some sort of web application, the application design needs to prevent the possibility of LDAP injection attacks. For example, if the web application presents a search form to allow the user to query a directory, a malicious user may enter a search string that includes extra search filters. If the input string is not properly validated, this could allow the user to bypass authentication or inject a different query, possibly allowing the attacker to return privileged information, such as a list of usernames or even passwords.

14
Q

enterprise authentication

A

Enterprise networks and ISPs potentially need to support hundreds or thousands of users and numerous different remote and wireless access technologies and devices. The problem arises that each remote access device needs to be configured with authentication information and this information needs to be synchronized between them. A scalable authentication architecture can be developed using the RADIUS or TACACS+ protocols. Under both these protocols, authentication, authorization, and accounting are performed by a separate server (the AAA server). Network access devices, such as switches, routers, VPN access servers, or wireless access points, function as client devices of the AAA server. Rather than storing authentication information, they pass this data between the AAA server and the remote user.

15
Q

Remote Authentication Dial-in User Service (RADIUS)

A

The Remote Authentication Dial-in User Service (RADIUS) standard is published as an Internet standard in RFC 2865. There are several RADIUS server and client products. Microsoft has the Network Policy Server (NPS) for Windows platforms and there are open source implementations for UNIX and Linux, such as FreeRADIUS, as well as third-party commercial products, such as Cisco’s Secure Access Control Server, Radiator, and Juniper Networks Steel-Belted RADIUS. Products are not always interoperable as they may not support the same authentication and accounting technologies.

16
Q

The RADIUS authentication process works as follows:

A
  1. The remote user connects to a RADIUS client, such as an access point, switch, or remote access server.
  2. The RADIUS client prompts the user for their authentication details, such as a username and password or digital certificate. Certificate-based authentication is available if the RADIUS product supports EAP.
  3. The remote user enters the required information. The RADIUS client uses this information to create an Access-Request packet. The packet contains the following data:
     • Username and password (the password portion of the packet is encrypted using MD5). The RADIUS client and server must be configured with the same shared secret. This is used to hash the user password.
     • Connection type (port).
     • RADIUS client ID (IP address).
     • Message authenticator.
  4. The Access-Request packet is encapsulated and sent to the AAA server using UDP on port 1812 (by default).
  5. The AAA server decrypts the password (if the password cannot be decrypted, the server does not respond). It then checks the authentication information against its security database. If the authentication is valid, it responds to the client with an Access-Accept packet; otherwise, an Access-Reject packet is returned. Depending on the authentication method, there may be another step where the AAA server issues an Access-Challenge, which must be relayed by the RADIUS client.
  6. The client checks an authenticator in the response packet; if it is valid and an Access-Accept packet is returned, the client authenticates the user. The client then generates an Accounting-Request (Start) packet and transmits it to the server (on port 1813). It then opens a session with the user.
  7. The server processes the Accounting-Request and replies with an Accounting-Response.
  8. When the session is closed (or interrupted), the client and server exchange Accounting-Request (Stop) and Response packets.
17
Q

Terminal Access Controller Access-Control System Plus (TACACS+)

A

similar protocol to RADIUS but designed to be more flexible and reliable. TACACS+ was developed by Cisco but is also supported on many of the other third-party and open source RADIUS server implementations. TACACS+ uses TCP communications (over port 49) and this reliable, connection-oriented delivery makes it easier to detect when a server is down. Another feature is that all the data in TACACS+ packets is encrypted (except for the header identifying the packet as TACACS+ data), rather than just the authentication data. TACACS+ is more often used for device administration than for authenticating end user devices. It allows centralized control of accounts set up to manage routers, switches, and firewall appliances, as well as detailed management of the privileges assigned to those accounts.

Note: A TACACS protocol was developed in the 1980s and upgraded by Cisco as the proprietary protocol XTACACS in the 1990s. TACACS+ is incompatible with both of these.

18
Q

Federation

A

the notion that a network needs to be accessible to more than just a well-defined group, such as employees. In business, a company might need to make parts of its network open to partners, suppliers, and customers, and likewise have parts of its network open to its staff. The company can manage its staff accounts easily enough. Managing accounts for each supplier or customer internally may be more difficult. Federation means that the company trusts accounts created and managed by a different network. As another example, in the consumer world, a user might want to use both Google Apps™ and Twitter. If Google and Twitter establish a federated network for the purpose of authentication and authorization, then the user can log on to Twitter using his or her Google credentials or vice versa.

In these models, the networks perform federated identity management. The networks establish trust relationships so that the identity of a user (the principal) from network A (the identity provider) can be trusted as authentic by network B (the service provider). As well as trusts, the networks must establish the communications links and protocols that allow users to authenticate and be authorized with access permissions and rights.

19
Q

Different kinds of trust relationships can be created to model different kinds of business or organizational relationships. Each network can be thought of as a domain. Domains can establish parent-child or peer relationships.

A
  • One-way trust—child trusts parent but parent does not trust child. For example, Domain B might be configured to trust Domain A. Users from Domain A can be authorized to access resources on Domain B. Users from Domain B, however, are not trusted by Domain A.
  • Two-way trust—the domains are peers, and both trust one another equally.
20
Q

A trust relationship can also be non-transitive or transitive:

A
  • Non-transitive trust—the trust relationship remains only between those domains.
  • Transitive trust—the trust extends to other trusted domains. For example, if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A also trusts Domain C.
21
Q

Security Association Markup Language (SAML)

A

With a federated network there is also the question of how to handle user identity assertions and transmit authorizations between the principal, the service provider, and the identity provider. One solution to this problem is the Security Association Markup Language (SAML). SAML was developed by the Organization for the Advancement of Structured Information Standards (OASIS). The standard is currently at version 2.0.

  1. The principal’s User Agent (typically a browser) requests a resource from the Service Provider (SP), making an assertion of identity.
  2. If the user agent does not already have a valid session, the SP redirects the user agent to the Identity Provider (IdP).
  3. The user agent authenticates with the IdP. The IdP validates the supplied credentials and if correct, provides an authorization token.
  4. The user agent presents the SP with the authorization token.
  5. The SP verifies the token and if accepted, establishes a session and provides access to the resource.

SAML authorizations (or SAML tokens) are written in eXtensible Markup Language (XML). Communications are established using HTTP/HTTPS and the Simple Object Access Protocol (SOAP). These secure tokens are signed using the XML signature specification. The use of a digital signature allows the SP to trust the IdP.

Note: An XML signature wrapping attack allows a malicious user to strip the signature from a token and use it with a different token. The SAML implementation must perform adequate validation of requests to ensure that the signed token is the one being presented.

As an example of a SAML implementation, Amazon Web Services (AWS) can function as a SAML service provider. This allows companies using AWS to develop cloud applications to manage their customers’ user identities and provide them with permissions on AWS without having to create accounts

22
Q

Shibboleth

A

an open source implementation of SAML. The main components of Shibboleth are as follows:

  • Identity Provider—supports the authentication of users. The software can be integrated with LDAP, Kerberos, X.509, and other directory and authentication systems.
  • Embedded Discovery Service—allows the user to select a preferred identity provider.
  • Service Provider—processes calls for user authentication by contacting the user’s preferred identity provider and processing the authentication request and authorization response. The service provider can be used with the IIS and Apache web servers.
23
Q

OpenID

A

the standard underpinning early “sign on with” features of websites. A solution such as SAML is typical of an enterprise-controlled federated identity management solution. OpenID is an example of a “user-centric” version of federated identity management. It allows users to select their preferred identity provider. This allows a consumer website, referred to as the relying party (RP), to accept new users without having to go through an account creation step first, improving availability.

24
Q

OpenID

A

With OpenID, the identity provider does not usually share any profile information or data with the relying party. This requires a different trust relationship to be established. To do so would require the user’s consent. OAuth is a protocol designed to facilitate this sort of transfer of information or resources between sites. With OAuth, the user grants an OAuth consumer site the right to access resources stored on an OAuth provider website.

Compared to SAML transactions, OAuth uses REST (Representational State Transfer) web services, rather than SOAP, and JSON (JavaScript Object Notation) message format and JSON Web Tokens (JWT), rather than XML.

In OAuth, the “auth” stands for “authorization,” not “authentication.” Strictly speaking, if authentication is required, the user authenticates with the OAuth provider, not with the OAuth consumer.

25
Q

OpenID Connect (OIDC)

A

technical issues with OpenID (notably incompatibility with native mobile applications) limited adoption of that protocol too.

To resolve these issues, a new set of functions and communication flows was added to the OAuth protocol and called OpenID Connect (OIDC). OpenID Connect replaces OpenID to provide an identity management layer over the OAuth 2 protocol so that a site can request an “authentication service” only.

OIDC is likely to be the mainstream choice for developers implementing federated identity on web/cloud applications and mobile apps.

26
Q

To implement RADIUS authentication on an NPS in Windows Server 2016:

A
  1. In Server Manager, select Tools→Network Policy Server.
  2. In the Network Policy Server window, select RADIUS Clients and Servers.
  3. In the right pane, select Configure RADIUS Clients.
  4. Select Action→New.
  5. In the New RADIUS Client dialog box, in the Friendly name text box, type the name of your server.
  6. In the Address (IP or DNS) text box, type your server’s static IP address.
  7. In the Shared secret and Confirm shared secret text boxes, enter a password and select OK.
  8. In Server Manager, select Tools→Routing and Remote Access.
  9. In the Routing and Remote Access window, select your server and select Action→Properties.
  10. In the Properties window, select the Security tab.
  11. From the Authentication provider drop-down list, select RADIUS Authentication.
  12. Select Configure to display the RADIUS Authentication dialog box.
  13. In the RADIUS Authentication dialog box, select Add.
  14. In the Add RADIUS Server dialog box, in the Server name text box, type the name of your server to match the friendly name, and select Change.
  15. In the Change Secret dialog box, in the New secret and Confirm new secret text boxes, type the password you specified earlier.
  16. Select OK four times.
  17. If necessary, select Action→All Tasks→Restart to manually restart the server.
27
Q

Access control or authorization models are generally classed as one of the following:

A
  • Discretionary Access Control (DAC).
  • Role-based Access Control (RBAC).
  • Mandatory Access Control (MAC).
  • Attribute-based Access Control (ABAC).
28
Q

Discretionary access control (DAC)

A

stresses the importance of the owner. The owner is originally the creator of the resource, though ownership can be assigned to another user. The owner is granted full control over the resource, meaning that he or she can modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in terms of computer and network security. In terms of file system security, it is the model used by most UNIX/Linux distributions and by Microsoft Windows. As the most flexible model, it is also the weakest because it makes centralized administration of security policies the most difficult to enforce. It is also the easiest to compromise, as it is vulnerable to insider threats.

29
Q

Role-based access control (RBAC)

A

adds an extra degree of administrative control to the DAC model. Under RBAC, a set of organizational roles is defined, and users are allocated to those roles. Under this system, the right to modify roles is reserved to administrative accounts. Therefore, the system is non-discretionary, as each user has no right to modify the ACL of a resource, even though they may be able to change the resource in other ways. Users are said to gain rights implicitly (through being assigned to a role) rather than explicitly (being assigned the right directly).

Ideally, the rights of a role are set at design time and not changed under normal operating conditions. This means that administrators can focus on membership of different role groups, rather than what the roles can do. It also makes it harder for an attacker to “escalate” permissions gained through a hacked user account.

RBAC can be partially implemented in Windows through the concept of group accounts. RBAC is the most commonly implemented system on computer networks, as it re-establishes centralized, administrative control over important resources. To fully implement RBAC, you also need to define what tasks users can perform in a given application. Object-based ACLs are not flexible enough to do this. You also need to “turn off” the discretionary aspect of the underlying OS—not something that is currently supported by Windows.

30
Q

Mandatory access control (MAC)

A

based on the idea of security clearance levels. Rather than defining access control lists on resources, each object and each subject is granted a clearance level, referred to as a label. If the model used is a hierarchical one (that is, high clearance users are trusted to access low clearance objects), subjects are only permitted to access objects at their own clearance level or below. Alternatively, each resource and user can be labeled as belonging to a domain (compartmentalized). A user may only access a resource if they belong to the same domain. This is an instance of a Need to Know policy put into practice. The labeling of objects and subjects takes place using pre-established rules. The critical point is that these rules cannot be changed (except by the system owner), and are, therefore, also non-discretionary. Also, a subject is not permitted to change an object’s label or to change his or her own label.

This type of access control is associated with military and secret service organizations, where the inconveniences forced on users are secondary to the need for confidentiality and integrity. The NSA developed Security Enhanced Linux (SELinux) as a means of implementing MAC. Novell’s AppArmor provides similar security mechanisms.

31
Q

Attribute-based access control (ABAC)

A

the most fine-grained type of access control model. As the name suggests, an ABAC system is capable of making access decisions based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes. As well as group/role memberships, these attributes could include information about the OS currently being used, the IP address, or the presence of up-to-date patches and anti-malware. An attribute-based system could monitor the number of events or alerts associated with a user account or with a resource, or track access requests to ensure they are consistent in terms of timing of requests or geographic location. It could be programmed to implement policies, such as M-of-N control and separation of duties.

This sort of system is flexible and can be made sensitive to different levels of risk or threat awareness by making access conditional on the acceptance of a wide range of different attribute values. The cost of this flexibility is considerable complexity in terms of defining the logical rules that allow or deny access.

32
Q

Rule-based access control

A

a term that can refer to any sort of access control model where access control policies are determined by system-enforced rules rather than system users. As such, RBAC, ABAC, and MAC are all examples of rule-based (or non-discretionary) access control. As well as the formal models, rule-based access control principles are increasingly being implemented to protect computer and network systems founded on discretionary access from the sort of misconfiguration that can occur through DAC.

One example is forcing applications such as web browsers to run in a “sandbox” mode to prevent malicious scripts on a website from using the privileges of the logged-on user to circumvent the security system. A key point is that privileges are restricted regardless of the user’s identity.

33
Q

file system security

A

An access control model can be applied to any type of data or software resource but is most closely associated with network, file system, and database security. With file system security, each object in the file system has an ACL associated with it. The ACL contains a list of accounts (principals) allowed to access the resource and the permissions they have over it.

34
Q

access control entry (ACE)

A

The ACL contains a list of accounts (principals) allowed to access the resource and the permissions they have over it. Each record in the ACL is called an access control entry (ACE). The order of ACEs in the ACL is important in determining effective permissions for a given account. ACLs can be enforced by a file system that supports permissions, such as NTFS, ext3/ext4, or ZFS.

Database security is similar, but the range of objects that can be secured with fine-grained permissions is wider. Objects in a database schema include the database itself, tables, views, rows (records), and columns (fields). Different policies can be applied for statements, such as SELECT, INSERT, UPDATE, and DELETE.

35
Q

account types

A

Operating systems, network appliances, and network directory products usually create recognizable account types as the basis of a privilege management system. Most PC operating systems assign two types of user accounts. Standard users have limited privileges, typically with access to run programs and to create and modify files belonging only to their profile. Administrative or privileged accounts are able to install and remove programs and drivers, change system-level settings, and access any object in the file system.

36
Q

Administrative or privileged account type

A

able to install and remove programs and drivers, change system-level settings, and access any object in the file system.

Each OS also typically has a default privileged account. In Windows, this account is called Administrator; in Linux, it is called root. It is best practice only to use these accounts to install the OS. Subsequently, they should be disabled or left unused. One or more accounts with administrative privileges are then created for named system admins (so that their actions can be audited). This makes it harder for attackers to identify and compromise an administrative account. This can be referred to as generic account prohibition.

Note: It is a good idea to restrict the number of administrative accounts as far as possible. The more accounts there are, the more likely it is that one of them will be compromised. On the other hand, you do not want administrators to share accounts, as that compromises accountability.

In Windows, the privileges for these accounts are assigned to local group accounts (the Users and Administrators groups) rather than directly to the user account itself. In Linux, privileged accounts are typically configured by adding either a user or a group account to the /etc/sudoers file.

37
Q

Service accounts

A

often used by scheduled processes, such as maintenance tasks, or may be used by application software, such as databases, for account or system access. Windows has several service account types. These do not accept user interactive logons but can be used to run processes and background services:

  • System—has the most privileges of any Windows account. The System account creates the host processes that start Windows before the user logs on. Any process created using the System account will have full privileges over the local computer.
  • Local Service—has the same privileges as the standard user account. It can only access network resources as an anonymous user.
  • Network Service—has the same privileges as the standard user account but can present the computer’s account credentials when accessing network resources.

Linux also uses the concept of service accounts to run applications such as web servers and databases. These accounts are usually created by the server application's package during installation. Users can be prevented from logging into these accounts, typically by locking the password (so that no value will ever match) and by setting the login shell to /usr/sbin/nologin or /bin/false.

38
Q

user-assigned privileges

A

The simplest (meaning the least sophisticated) type of privilege management is user-assigned privileges. In this model, each user is directly allocated rights. This model is only practical if the number of users is small. This is typically true of discretionary access control.

39
Q

group-based privileges

A

Group-based privilege management simplifies and centralizes the administrative process of assigning rights by identifying sets of users that require the same rights. The administrator can then assign access rights to the group and membership of a group to a user. The user inherits access rights from the group account to which he or she belongs. A user can be a member of multiple groups and can, therefore, receive rights and permissions from several sources.

Determining effective permissions when those set from different accounts conflict can be a complex task. Generally, a user will have the most effective allow permissions from all the accounts to which he or she belongs but deny permissions (where the right to exercise a privilege is explicitly denied rather than just not granted) override allow permissions. Some of these complexities can be dealt with by implementing a role-based access control model.

40
Q

role-based management

A

An ordinary group may have members that perform different roles. This is self-evidently true of the two default groups in Windows (Users and Administrators), for example. Most network administrators define groups that are targeted on job functions a bit more tightly, but the principle of group management is still that groups are accretions of users. A role is a type of group where all the members perform the same function. Effectively, it means that there are more restrictive rules surrounding group membership. This is likely to require the creation of more groups than would be the case with ordinary group management, but allows fine-grained control over rights.

Another feature of a well-designed role-based access system is that a user is only granted the access rights of a given role for the time that he or she actually performs that role. Logically, a user can only have the rights for one role at a time. RBAC also includes the idea of restricting what tasks users can perform within an application. A limited example of this can be seen in Microsoft Word, which allows restrictions to be placed on word processing functions based on group membership.

If a role-based system cannot be enforced, one alternative is to provision employees with multiple accounts. A common use case for multiple accounts is for system administrators who have a user level account with typical user privileges for daily work such as preparing documents, using the Internet, and sending email; and an administrator-level account to use only to perform system procedures such as managing users or configuring servers. A user in this situation typically prefers to be able to use the same environment configuration, such as Windows desktop settings, document history, and web browser favorites lists, when switching between accounts. The management challenge is to enable the user to be able to access the elevated privileges of the administrative account when needed, without losing all the other environment settings that support productivity.

41
Q

shared account

A

one where passwords (or other authentication credentials) are known to more than one person. Typically, simple Small Office/Home Office (SOHO) networking devices do not allow for the creation of multiple accounts and a single “Admin” account is used to manage the device. Other examples include the default (or generic) OS accounts, such as Administrator and Guest in Windows or root in Linux. Shared accounts may also be set up for temporary staff.

A shared account breaks the principle of non-repudiation and makes an accurate audit trail difficult to establish. It makes it more likely that the password for the account will be compromised. The other major risk involves password changes to an account. Since frequent password changing is a common policy, organizations will need to ensure that everyone who has access to an account knows when the password will change, and what that new password will be. This necessitates distributing passwords to a large group of people, which itself poses a significant challenge to security. Shared accounts should only be used where these risks are understood and accepted.

42
Q

guest account

A

special type of shared account with no password. It allows anonymous and unauthenticated access to a resource. The Windows OS creates guest user and group accounts when installed, but the guest user account is disabled by default. Guest accounts are also created when installing web services, as most web servers allow unauthenticated access.

43
Q

Follow these guidelines when implementing an access control model:

A
  • Select an appropriate model from DAC, RBAC, ABAC, and MAC based on the security requirement and available resources.
  • A model like MAC, RBAC, or ABAC needs support in the underlying OS and applications software to implement, so identify how provisioning this software will affect the decision.
  • Identify user account types to implement within the model, such as standard users and types of privileged users.
  • Identify what service accounts will be needed and how they will be secured against misuse.
  • Identify group or role account types and how users will be allocated to them.
  • Ideally, eliminate any dependency on shared and generic account types.
44
Q

Active Directory (AD) Windows

A

In server-based Windows networks, the directory service is provided by Active Directory (AD). The following notes discuss some of the organizational and administrative principles of planning an AD network. The same principles can apply to networks based around other directory products.

45
Q

Domain Controller (DC) Windows

A

Active Directory is implemented as a database stored on one or more servers called Domain Controllers (DCs). Each DC maintains a copy of the domain database. The database is multi-master, which means that updates can be made to any copy and are replicated to the other DCs.

46
Q

Domains (Windows)

A

In legacy Windows networks, domains provided the primary grouping of users, groups, and computers. The simplest AD design is a single domain, representing the entire organization. Some organizations may require a more complex structure, however. These can be implemented using trees and forests.

47
Q

Organizational Units (OU) Windows

A

provide a way of dividing a domain up into different administrative realms. You might create OUs to delegate responsibility for administering different company departments or locations. For example, a “Sales” department manager could be delegated control with rights to add, delete, and modify user accounts but no rights to change account policies, such as requiring complex passwords or managing users in the “Accounts” OU.

48
Q

standard naming convention

A

allows better administrative control over network resources. The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point in the directory information tree.

Using Active Directory as an example, one of the first decisions is to determine how your AD namespace will integrate with your public DNS records. For example, you may make the AD namespace a delegated subdomain of your public DNS domain name (for example, ad.widget.com). This solution isolates AD from the public Internet and means that the DNS servers supporting the public domain name (widget.com) do not need to support Active Directory.

49
Q

The naming strategy for Organizational Units does not need to be transparent to users, as only domain administrators will encounter it. OUs represent administrative boundaries. They allow the enterprise administrator to delegate administrative responsibility for users and resources in different locations or departments. Consider the following guidelines:

A
  • Do not create too many root level containers or nest containers too deeply (no more than five levels). Consider grouping root OUs by location or department:
  • Location—if different IT departments are responsible for services in different geographic locations.
  • Department—if different IT departments are responsible for supporting different business functions (sales and marketing, accounting, product development, fulfilment, and so on).
  • Within each root-level parent OU, use separate child OUs for different types of objects (server computers, client computers, users, groups). Use this schema consistently across all parent OUs.
  • Separate administrative user and group accounts from standard ones.
  • For each OU, document its purpose, its owner, its administrative users, the policies that apply to it, and whether its visibility should be restricted.
50
Q

user provisioning

A

The processes involved in setting up user accounts are often called user provisioning.

51
Q

user account

A

The purpose of a user account is to identify the individual as he or she logs on to the computer network. The user’s identity is used to determine his or her access to network resources. It is also used for accounting, as actions performed by the user on system settings and resources can be logged and audited. It can also be linked to a profile that defines user settings for the workstation.

52
Q

Account maintenance needs to be guided by organizational policies to ensure secure identity and access management (IAM). Some common policy statements include:

A
  • Who can approve account creation.
  • Who is allowed to use a resource.
  • Whether or not users can share accounts or have multiple accounts.
  • When and how an account should be disabled or modified after a user access review.
  • When and if a user account should expire after a period of non-use.
  • When to enforce generic account prohibition (see the earlier card on privileged accounts).
  • What rules should be enforced for password history, password strength, and password reuse.
  • When to lock out an account in the event of a suspected incident or hijacking attempt.
  • When and how to recover an account after it has been compromised or deleted.
53
Q

Onboarding

A

the process of ensuring accounts are only created for valid users, only assigned the appropriate privileges, and that the account credentials are known only to the valid user. Appropriate privileges are usually determined by creating workflows for each function that the user or user role performs.

54
Q

Offboarding

A

process of withdrawing user privileges, either when the user stops performing in a certain role or within a project group, or leaves the organization completely. It may not always be appropriate to delete the account as this may make some types of data created by the user inaccessible or incomplete (encrypted data, audit logs, and so on). The alternative is to disable the account (perhaps temporarily before final deletion). Ongoing monitoring should be put in place to ensure the account is not re-enabled or misused.

55
Q

account maintenance

A

creating an account, modifying account properties, disabling an account, changing an account’s password, and so on

56
Q

Windows Active Directory Domain

A

In a Windows Active Directory Domain environment, before you can manage accounts, you must normally log in as a user with membership of the Domain Admins or Account Operators groups (or have been delegated equivalent permissions). Changes to the domain security database can be made from any machine, but a domain controller must be available to accept the updates.

A new user account is created by selecting the New User option from the context menu in Active Directory Users and Computers. If appropriate, a new user may be copied from an existing user or template account.

There are also local users and groups stored in the computer’s Security Accounts Manager (SAM), which is part of the Registry. These accounts are managed using the Local Users and Groups tool or, if Simple File Sharing is enabled, the User Accounts applet in Control Panel/Windows Settings. Local accounts can only access resources on the computer and have no permissions for Active Directory resources.

57
Q

Group-based access control

A

allows you to set permissions (or rights) for several users at the same time. Users are given membership to the group and then the group is given access to the resource or allowed to perform the action. A user can be a member of multiple groups and can therefore receive rights and permissions from several sources.

58
Q

Active Directory distinguishes between three scopes of groups: domain local, global, and universal. The scope of a group determines both the types of accounts that can be members of the group and where the group can be added to an object’s ACL:

A
  • Domain Local groups can be used to assign rights to resources within the same domain only. User accounts, global groups, and universal groups from any trusted domain, plus domain local groups from the same domain, can be members of a domain local group.
  • Global groups can contain only user accounts and other global groups from the same domain, but can be used to assign rights to resources in any trusted domain (essentially the opposite of domain local scope).
  • Universal groups can contain user accounts, global groups, and universal groups from any domain in the forest, and can be used to grant permissions on any object in any domain in the forest (or in a trusting forest).

Microsoft’s AGDLP (Accounts go into Global groups, which go into Domain Local groups, which get Permissions) system recommends putting user accounts into one or more global groups based on their role(s) within the company. The global groups are then assigned to domain local groups, which are assigned permissions over local resources, such as file shares and printers. This model provides scalability (in case additional domains are added later) and security (it is simpler to audit rights for users based on the role they have within the company).

Smaller organizations, especially those that know they will never have to support multiple domains, may find it simpler just to use global groups and assign both users and permissions to them. AGDLP is useful where the administrative function of assigning users to roles is separate from the administrative function of providing resources for each role.
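
The following is an added worked example, not code from the original course notes, covering both the group-based privilege card (effective permissions where an explicit deny overrides an allow) and the AGDLP card above. It models a directory with the three group scopes, enforces the membership rules each scope allows when a member is added, resolves nested membership transitively, and computes a user's effective rights on a share whose ACL lists only domain local groups. The domain names (corp, sub), user names, group names (in the SEC-GLO-/SEC-DLG- convention from the naming card) and the ACL are assumptions made for the example; trust relationships and forest boundaries are not modelled.

```python
"""Added example, not part of the original notes: AGDLP nesting plus effective-permission
resolution where an explicit deny overrides any allow. Names and domains are constructed."""
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    domain: str
    kind: str                      # "user", "global", "domainlocal" or "universal"
    members: set = field(default_factory=set)


@dataclass
class Ace:
    trustee: str
    rights: frozenset
    allow: bool = True


class Directory:
    def __init__(self):
        self.objects = {}

    def add(self, name, domain, kind):
        self.objects[name] = Principal(name, domain, kind)

    def add_member(self, group_name, member_name):
        """Enforce the membership rules for each group scope before nesting."""
        group, member = self.objects[group_name], self.objects[member_name]
        same_domain = member.domain == group.domain
        if group.kind == "global":
            allowed = same_domain and member.kind in ("user", "global")
        elif group.kind == "domainlocal":
            allowed = member.kind in ("user", "global", "universal") or (
                member.kind == "domainlocal" and same_domain)
        elif group.kind == "universal":
            allowed = member.kind in ("user", "global", "universal")
        else:
            raise ValueError(f"{group_name} is not a group")
        if not allowed:
            raise ValueError(f"{member.kind} {member_name}@{member.domain} cannot be a "
                             f"member of {group.kind} group {group_name}@{group.domain}")
        group.members.add(member_name)

    def memberships(self, name):
        """All groups a principal belongs to directly or through nesting."""
        found, pending = set(), [name]
        while pending:
            current = pending.pop()
            for group_name, group in self.objects.items():
                if current in group.members and group_name not in found:
                    found.add(group_name)
                    pending.append(group_name)
        return found


def effective_rights(directory, user, acl):
    """Union of allows for the user and every group he or she is in, minus any deny."""
    principals = {user} | directory.memberships(user)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def agdlp_violations(directory, acl):
    """ACL trustees that are not domain local groups (the DL that should get P)."""
    return [ace.trustee for ace in acl
            if directory.objects[ace.trustee].kind != "domainlocal"]


def build_example():
    d = Directory()
    for user in ("alice", "bob"):
        d.add(user, "corp", "user")
    d.add("SEC-GLO-sales", "corp", "global")
    d.add("SEC-GLO-contractors", "corp", "global")
    for dlg in ("data-read", "data-write", "data-nowrite"):
        d.add(f"SEC-DLG-CX0001-{dlg}", "corp", "domainlocal")
    # A -> G: accounts go into global groups by role
    d.add_member("SEC-GLO-sales", "alice")
    d.add_member("SEC-GLO-sales", "bob")
    d.add_member("SEC-GLO-contractors", "bob")
    # G -> DL: global groups go into domain local groups tied to one resource
    d.add_member("SEC-DLG-CX0001-data-read", "SEC-GLO-sales")
    d.add_member("SEC-DLG-CX0001-data-write", "SEC-GLO-sales")
    d.add_member("SEC-DLG-CX0001-data-nowrite", "SEC-GLO-contractors")
    # DL -> P: only domain local groups appear on the share's ACL
    acl = [
        Ace("SEC-DLG-CX0001-data-read", frozenset({"read"})),
        Ace("SEC-DLG-CX0001-data-write", frozenset({"write"})),
        Ace("SEC-DLG-CX0001-data-nowrite", frozenset({"write"}), allow=False),
    ]
    return d, acl


def scope_violation_example():
    """A user from another domain cannot be put in a global group: expect ValueError."""
    d, _ = build_example()
    d.add("carol", "sub", "user")
    try:
        d.add_member("SEC-GLO-sales", "carol")
    except ValueError:
        return True
    return False
```

Alice, a member of SEC-GLO-sales only, ends up with read and write. Bob is in the same global group but is also a contractor, and the deny on SEC-DLG-CX0001-data-nowrite removes write regardless of the allow he inherits through sales, which is the "deny overrides allow" rule from the group card. agdlp_violations returns an empty list for this ACL; any ACE that named a user or a global group directly would be reported, which is the check to run when auditing rights by role.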

59
Q

security group

A

One use for groups is to assign permissions to access resources, as described earlier. This is referred to as a security group. You can also configure distribution groups, used to send messages to lists of recipients. Distribution groups cannot be configured with access permissions.

60
Q

Active Directory Users and Computers tool or Local Users and Groups

A

Groups can be created using either the Active Directory Users and Computers tool or Local Users and Groups. A user’s group memberships can also be viewed and modified by selecting the Member Of tab on the User Properties dialog box.

It is wise to develop a naming scheme to structure groups and keep them organized. Microsoft recommends distinguishing security and distribution groups and recording the scope of the group within the label. For example, DIST-DLG-sales would refer to a distribution list for sales used at the domain level; SEC-GLO-accounts would refer to a global security group for accounts staff. For local and domain local groups, which should be used to assign permissions to resources, use the server name, file share, and permissions granted. For example, SEC-DLG-CX0001-data-read would represent a domain local group granted read permissions on a Data folder shared on a server named CX0001.

61
Q

privilege bracketing

A

The term privilege bracketing is used when privileges are granted only when needed, then revoked as soon as the task is finished or the need has passed. One of the long-standing problems with computer security is that of administrators using accounts with elevated privileges for tasks that do not require those privileges, such as web browsing, email, and so on. The latest versions of Windows use User Account Control (UAC) to prevent administrative privileges from being invoked without specific authorization. In older versions, administrators could use the Run As shortcut menu or command line option to access administrative privileges for a particular program. UNIX and Linux use the su or sudo commands. su (usually read as “substitute user” or “switch user”) allows the current user to act as root, or as another named user, and is authenticated against the target account's password. sudo allows the user to run only the commands permitted to them in /etc/sudoers (which should be edited with visudo, which syntax-checks the file before saving it) and is authenticated against the user's own password, so the root password need not be shared at all.
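
To make the sudo half of the card concrete, here is an added example (not from the original notes) that evaluates a small subset of /etc/sudoers syntax the way sudo does: the entry format `who host=(runas) [NOPASSWD:|PASSWD:] command [args], command ...`, with `ALL`, `%group` and comments, and Defaults lines skipped. Aliases, wildcards, negation, `#include` directives and other tags are not handled. As in sudo, the last matching entry wins and a command listed without arguments matches any arguments. The sudoers text, host names and group memberships are constructed for the example.

```python
"""Added example, not part of the original notes: evaluator for a small subset of
/etc/sudoers. The sudoers text and the group view are constructed sample data."""
import re

SUDOERS = """\
# constructed sample, not a real sudoers file
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
bob     web01=(root) /usr/bin/apt-get update
"""

GROUPS = {"wheel": {"carol"}, "web": {"alice", "bob"}}   # constructed view of /etc/group

ENTRY = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")


def parse_sudoers(text):
    """Return a list of (who, host, runas_user, [(command_spec, nopasswd), ...])."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        runas = (m.group("runas") or "root").split(":")[0]     # run-as group ignored
        specs, nopasswd = [], False
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            # a tag stays in force for the rest of the list until another tag changes it
            if spec.startswith("NOPASSWD:"):
                nopasswd, spec = True, spec[len("NOPASSWD:"):].strip()
            elif spec.startswith("PASSWD:"):
                nopasswd, spec = False, spec[len("PASSWD:"):].strip()
            specs.append((spec, nopasswd))
        entries.append((m.group("who"), m.group("host"), runas, specs))
    return entries


def _who_matches(who, user):
    if who == "ALL":
        return True
    if who.startswith("%"):
        return user in GROUPS.get(who[1:], set())
    return who == user


def _cmd_matches(spec, command, args):
    if spec == "ALL":
        return True
    parts = spec.split()
    if parts[0] != command:
        return False
    return len(parts) == 1 or parts[1:] == list(args)   # no args listed = any args allowed


def sudo_decision(user, host, command, args=(), runas="root", sudoers=SUDOERS):
    """Return (allowed, password_required) for `sudo -u runas command args` on host.
    password_required is None when the command is not allowed at all."""
    decision = (False, None)
    for who, entry_host, entry_runas, specs in parse_sudoers(sudoers):
        if not _who_matches(who, user) or entry_host not in ("ALL", host):
            continue
        if entry_runas not in ("ALL", runas):
            continue
        for spec, nopasswd in specs:
            if _cmd_matches(spec, command, args):
                decision = (True, not nopasswd)     # later entries override earlier ones
    return decision
```

The bracketing point shows in the data: alice can restart or query nginx as root without any password prompt, but cannot stop it and has no general root shell; bob's entry only applies on web01; carol, via %wheel, can run anything anywhere but must enter her own password each time. On a real host the equivalent question is answered by `sudo -l -U alice`, which lists the entries that apply to a user.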

62
Q

Local Security Policy

A

On a standalone workstation, security policies for the local machine and for local accounts are configured via the Local Security Policy snap-in. Under Windows Server, they can be configured via Group Policy Objects (GPOs). GPOs are a means of applying security settings (as well as other administrative settings) across a range of computers and users. GPOs are linked to network administrative boundaries in Active Directory, such as sites, domains, and Organizational Units (OU). GPOs can be used to configure software deployment, Windows settings, and, through the use of Administrative Templates, custom Registry settings. Settings can also be configured on a per-user or per-computer basis. A system of inheritance determines the Resultant Set of Policy (RSoP) that applies to a particular computer or user: GPOs are applied in the order local, site, domain, then each OU from the top of the tree down, and where settings conflict the GPO applied last wins. A GPO link can be marked Enforced so that its settings override conflicting settings linked lower in the tree, and an OU can be set to Block Inheritance so that non-enforced GPOs from above it are not applied (Enforced links cannot be blocked).

Windows ships with several default security templates to provide the basis for GPOs (configuration baselines). These can be modified using the Group Policy Editor or Group Policy Management Console. GPOs can be linked to objects in Active Directory using the object’s property sheet.
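
As an added example (not part of the original notes), the following computes the Resultant Set of Policy for a computer from the GPOs linked along its path, applying the precedence rules from the card: site, then domain, then each OU from the top down, with the last GPO applied winning a setting; within one container, link order 1 has the highest precedence and is therefore applied last; Block Inheritance on a container discards non-enforced GPOs linked above it; Enforced links apply after all others, cannot be blocked, and an Enforced link nearer the root beats one further down. The local GPO is omitted, a setting value of None stands for Not Configured, and the site, domain, OU and GPO names and settings are all constructed for the example.

```python
"""Added example, not part of the original notes: RSoP resolution with link order,
Block Inheritance and Enforced links. The hierarchy and GPOs are constructed."""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict            # value None means Not Configured


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # (Gpo, enforced); index 0 = link order 1
    block_inheritance: bool = False


def resultant_set(path):
    """path lists the containers from the site down to the OU holding the object.
    Returns (effective settings, winning GPO name per setting)."""
    normal, enforced = [], []
    for level, container in enumerate(path):
        if container.block_inheritance:
            normal = []                  # every non-enforced GPO linked above is dropped
        for gpo, is_enforced in reversed(container.links):   # link order 1 applied last
            (enforced if is_enforced else normal).append((level, gpo))
    # enforced GPOs are applied after all the rest; the one nearest the root goes last
    apply_order = normal + sorted(enforced, key=lambda item: -item[0])
    rsop, winner = {}, {}
    for _, gpo in apply_order:
        for setting, value in gpo.settings.items():
            if value is None:            # Not Configured leaves the earlier value alone
                continue
            rsop[setting] = value
            winner[setting] = gpo.name
    return rsop, winner


def build_and_resolve(enforce_domain_audit=False):
    """A web server in corp.example / OU=Servers / OU=Web. With the defaults the
    Servers OU blocks inheritance, which silently drops the domain's audit policy."""
    site = Container("HQ-Site", [
        (Gpo("Site-WSUS", {"wsus_server": "wsus.hq.example"}), False)])
    domain = Container("corp.example", [
        (Gpo("Default Domain Policy",
             {"audit_process_creation": "Success", "screensaver_timeout": 900}),
         enforce_domain_audit),
        (Gpo("Corp-Security-Baseline", {"uac": "on", "smb1": "disabled"}), True),
    ])
    servers = Container("OU=Servers", [
        (Gpo("Servers-Hardening",
             {"screensaver_timeout": 0, "wsus_server": "wsus.dc.example"}), False),
    ], block_inheritance=True)
    web = Container("OU=Web", [
        (Gpo("Web-Tier", {"uac": "off", "host_firewall": "on", "smb1": None}), False),
    ])
    return resultant_set([site, domain, servers, web])
```

Two things worth noticing in the result. The Web-Tier GPO tries to turn UAC off, but the enforced Corp-Security-Baseline at the domain wins, which is the intended use of Enforced for a security baseline. Less happily, Block Inheritance on the Servers OU removes the audit setting from Default Domain Policy without any warning; marking that link Enforced restores the audit policy, but then its 900-second screensaver timeout also overrides the hardening OU's value of 0, so the practical answer is to put audit settings in their own narrowly scoped Enforced GPO rather than enforcing the whole Default Domain Policy.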

63
Q

Location-based policies

A

Location-based policies are also often used as a part of Network Access Control (NAC) to determine whether access to the network itself should be granted.

64
Q

password management policy

A

Password-based authentication methods are prone to user error. A password management policy instructs users on best practice in choosing and maintaining passwords. More generally, a credential management policy should instruct users on how to keep their authentication method secure (whether this be a password, smart card, or biometric ID). The credential management policy also needs to alert users to different types of social engineering attacks.

The soft approach to training users can also be backed up by hard policies defined on the network. System-enforced policies can help to enforce credential management principles by stipulating particular requirements for users. Password protection policies mitigate the risk of attackers being able to compromise an account and use it to launch other attacks on the network. Compliance can be tested by “ethical” hacker methods, which use personnel and software to simulate attacks, such as scanning for weak passwords or running a password cracker against the stored hashes.

65
Q

Password policy

A

achieved through hard (Network Operating System NOS rules) and soft (training) measures. Note again that many organizations will be moving away from purely password-based authentication over the next few years.

66
Q

User education is one of the key functions of a security policy and is particularly important in the realm of helping users to exhibit good password selection and management. You might want to discuss a few “schemes” for generating strong but easy to remember passwords, such as:

A
  • Using selected characters from a longer phrase
  • Using mathematical formulae
  • Using at least one character from an extended character set (can make entering the password more difficult, though)

Of course, the problem with organization-wide password schemes is that if an attacker discovers the scheme, there is the possibility (perhaps remote in most environments) that they can modify the password cracker to target that scheme. The other frustration that is commonly encountered with schemes is that many sites do not allow users to select strong passwords. For example, many websites only accept alphanumerics.

67
Q

The following rules enforce password complexity and make them difficult to guess or compromise:

A
  • Length—the longer a password, the stronger it is:
  • A typical strong network password should be 12-16 characters.
  • A longer password or passphrase might be used for mission critical systems or devices where logon is infrequent.
  • Complexity—varying the characters in the password makes it more resistant to dictionary-based attacks:
  • No single words—better to use word and number/punctuation combinations.
  • No obvious phrases in a simple form—birthday, username, job title, and so on.
  • Mix upper and lowercase (assuming the software uses case-sensitive passwords).
  • Use an easily memorized phrase—underscores or hyphens can be used to represent spaces if the operating system does not support spaces in passwords.
  • Do not write down a password or share it with other users.

Note: If users must make a note of passwords, at the very least they must keep the note physically secure. They should also encode the password in some way. If the note is lost or stolen it is imperative that the password be changed immediately, and the user account closely monitored for suspicious activity.

  • History and aging—change the password periodically (password aging) and do not reuse passwords:
  • User passwords should be changed every 60-90 days.
  • Administrative passwords should be changed every 30 days.
  • Passwords for mission critical systems should be changed every 15 days.

Note: Another concern is personal password management. A typical user might be faced with having to remember tens of logons for different services and resort to using the same password for each. This is unsecure, as your security becomes dependent on the security of these other (unknown) organizations. Users must be trained to practice good password management (at the least not to re-use work passwords).

Note: The cartoon at https://xkcd.com/936 sums up password management quite well.
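
The rules above are the kind a provisioning script or a self-service reset page has to enforce, so here is an added example (not from the original notes) that checks a candidate password against them. The exact thresholds are assumptions chosen to match the card rather than any product: at least 12 characters; at least three of the four character classes unless the candidate is a passphrase of 20 or more characters; not a dictionary word with trivial decoration; not containing the username; not one of the last 24 passwords; and expiry after 90 days. The word list and the stored history are constructed. History entries are kept as salted PBKDF2-HMAC-SHA256 digests so that old passwords are never stored in clear.

```python
"""Added example, not part of the original notes: password policy checks with hashed
history and aging. Thresholds and the word list are assumptions for the example."""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 12
PASSPHRASE_LENGTH = 20          # long passphrases are exempt from the class rule
MIN_CLASSES = 3
HISTORY_SIZE = 24
MAX_AGE = timedelta(days=90)
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}   # constructed
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
DECORATION = "0123456789!@#$%^&*_-."   # characters users bolt onto a word


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def in_history(password, history):
    """history holds (salt, digest) pairs, newest first."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[:HISTORY_SIZE])


def check_password(password, username, history=()):
    """Return the list of rules the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) < PASSPHRASE_LENGTH:
        classes = sum(re.search(p, password) is not None for p in CLASS_PATTERNS)
        if classes < MIN_CLASSES:
            problems.append(f"fewer than {MIN_CLASSES} character classes "
                            "(lower, upper, digit, symbol)")
    lowered = password.lower()
    if lowered.strip(DECORATION) in COMMON_WORDS:
        problems.append("single dictionary word with trivial decoration")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if in_history(password, history):
        problems.append(f"reused one of the last {HISTORY_SIZE} passwords")
    return problems


def password_expired(last_changed, today=None):
    """Dates as ISO strings (YYYY-MM-DD); today defaults to the current date."""
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return now - changed > MAX_AGE


def rotate_history(history, new_password):
    """Put the accepted password at the front of the history and trim to HISTORY_SIZE."""
    return [hash_password(new_password)] + list(history)[:HISTORY_SIZE - 1]
```

Note that "Password1!" satisfies every character-class rule and still fails, because stripping the decoration leaves a dictionary word; conversely the xkcd-style passphrase passes with no digits or uppercase at all. Both behaviours follow from the card's point that length and unpredictability matter more than symbol-juggling.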

68
Q

recovery agent

A

On a domain, if a user forgets a password, an administrator can reset it. Windows local accounts allow the user to make a password reset disk. The user needs to remember to update this whenever the password is changed, of course.

Note: If the user has encrypted files, a password reset will make them inaccessible. The user will need to change the password back to the original one to regain access or the files or key will have to be recovered by a recovery agent (as long as one has been configured).

If the domain administrator password is forgotten, it can be reset by booting the server in Directory Service Restore Mode (this requires knowledge of the DSRM administrator password set when Active Directory was installed).

On the web, password recovery mechanisms are often protected either by challenge questions or by sending a recovery link to a nominated email address or smartphone number. Notification of changes to the account are usually automatically sent to any previously registered email address to alert an owner of any possible misuse of the recovery mechanism.

69
Q

Follow these guidelines when managing accounts:

A
  • Implement the principle of least privilege when assigning user and group account access.
  • Draft an account policy and include all account policy requirements.
  • Verify that account request and approval procedures exist and are enforced.
  • Verify that account modification procedures exist and are enforced.
  • Draft a password policy and include requirements to ensure that passwords are resistant to cracking attempts.
  • Implement account management security controls like maintenance, auditing, and location/time-based restrictions.
70
Q

logging

A

Accounting is generally performed by logging actions automatically. All NOS and many applications and services can be configured to log events. The main decision is which events to record. Logs serve the following two general purposes:

  • Accounting for all actions that have been performed by users. Change and version control systems depend on knowing when a file has been modified and by whom. Accounting also provides for non-repudiation (that is, a user cannot deny that they accessed or made a change to a file). The main problems are that auditing successful access attempts can quickly consume a lot of disk space, and analyzing the logs can be very time-consuming.
  • Detecting intrusions or attempted intrusions. Here records of failure-type events are likely to be more useful, though success-type events can also be revealing if they show unusual access patterns.

Obviously, the more events that are logged, the more difficult it is to analyze and interpret the logs. Also, logs can take up a large amount of disk space. When a log reaches its allocated size, the usual behavior is to overwrite the oldest entries (some systems can instead be set to archive the full log or to stop logging). This means that some system of backing up or forwarding logs will be needed in order to preserve a full accounting record over time. It is also critical that the log files be kept secure so that they cannot be tampered with. Insider threats are particularly pertinent here, as rogue administrators could try to doctor the event log to cover up their actions.

71
Q

Improperly configured accounts

A

Where many users, groups, roles, and resources are involved, managing access privileges is complex and time-consuming. Improperly configured accounts can have two different types of impact. On the one hand, setting privileges that are too restrictive creates a large volume of support calls and reduces productivity. On the other hand, granting too many privileges to users weakens the security of the system and increases the risk of things like malware infection and data breach.

72
Q

recertification

A

if a user has moved to a new job, old privileges may need to be revoked and new ones granted. This process is referred to as recertification. Managing these sorts of changes efficiently and securely requires effective Standard Operating Procedures (SOPs) and clear and timely communication between departments (between IT and HR, for instance).

Note: The phrase “authorization creep” refers to an employee who gains more and more access privileges the longer they remain with the organization.

A user may be granted elevated privileges temporarily (escalation). In this case, some system needs to be in place to ensure that the privileges are revoked at the end of the agreed period.

73
Q

permission auditing

A

A system of permission auditing needs to be put in place so that privileges are reviewed regularly. Auditing would include monitoring group membership and reviewing access control lists for each resource plus identifying and disabling unnecessary accounts.

74
Q

Usage auditing

A

means configuring the security log to record key indicators and then reviewing the logs for suspicious activity. Behavior recorded by event logs that differs from expected behavior may indicate everything from a minor security infraction to a major incident. This type of log review is one of the primary methods you can use to uncover account access violations, such as inappropriately shared credentials or unauthorized account creations.

75
Q

Determining what to log is one of the greatest challenges a network administrator can face. For Active Directory, Microsoft has published audit policy recommendations for baseline requirements and for networks with stronger security requirements. Some typical categories include:

A
  • Account logon and management events.
  • Process creation.
  • Object access (file system/file shares).
  • Changes to audit policy.
  • Changes to system security and integrity (anti-virus, host firewall, and so on).
76
Q

Anomalous log entries may include:

A
  • Multiple consecutive authentication failures—although a legitimate user may forget their password, this could also indicate a password cracking attempt by an unauthorized user.
  • Unscheduled changes to the system’s configuration—an attacker may try to adjust the system’s configuration in order to open it up to additional methods of compromise, like adding a backdoor for the attacker to exfiltrate data.
  • Excessive or unexplained critical system failures or application crashes—malware often interferes with the functionality of legitimate software and may cause those applications to crash, or even the system itself.
  • Excessive consumption of bandwidth recorded in network device logs—while spikes in traffic are normal every now and then, a sustained increase in bandwidth may indicate the spread of malware or the exfiltration of data.
  • Sequencing errors or gaps in the event log—an attacker may try to cover their tracks by deleting portions of the log or modifying the log so that it appears to tell a different story than what actually happened.
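
As an added example (not part of the original notes), the following runs detection logic for two of the anomalies listed above over constructed security-log records: a run of consecutive logon failures for one account that ends in a success (a guessing attempt that worked) or is still going on, and gaps, reordering or backwards timestamps in the record numbers (possible log tampering). The record format (sequence number, ISO timestamp, host, event ID, account, result) and the threshold of five failures are assumptions for the example; the event IDs 4624 and 4625 are the real Windows logon-success and logon-failure IDs, but the lines themselves are made up.

```python
"""Added example, not part of the original notes: detecting repeated authentication
failures and log sequencing errors. The log lines and format are constructed."""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
1001 2024-05-01T08:00:01 DC01 4624 alice success
1002 2024-05-01T08:00:09 DC01 4625 svc_backup failure
1003 2024-05-01T08:00:10 DC01 4625 svc_backup failure
1004 2024-05-01T08:00:11 DC01 4625 svc_backup failure
1005 2024-05-01T08:00:12 DC01 4625 svc_backup failure
1006 2024-05-01T08:00:13 DC01 4625 svc_backup failure
1007 2024-05-01T08:00:15 DC01 4624 svc_backup success
1008 2024-05-01T08:03:00 DC01 4625 bob failure
1009 2024-05-01T08:03:30 DC01 4624 bob success
1013 2024-05-01T08:05:00 DC01 4624 carol success
1012 2024-05-01T08:04:30 DC01 4624 dave success
"""

FAILURE_THRESHOLD = 5


def parse_log(text):
    """One record per line: seq timestamp host event_id account result."""
    records = []
    for line in text.splitlines():
        seq, stamp, host, event, user, result = line.split()
        records.append({"seq": int(seq), "time": datetime.fromisoformat(stamp),
                        "host": host, "event": int(event), "user": user, "result": result})
    return records


def find_auth_anomalies(records, threshold=FAILURE_THRESHOLD):
    """Count consecutive failures per account. A run that reaches the threshold is
    reported either when a success ends it (the guess worked) or at end of log."""
    runs = defaultdict(int)
    findings = []
    for rec in records:
        if rec["result"] == "failure":
            runs[rec["user"]] += 1
            continue
        if runs[rec["user"]] >= threshold:
            findings.append((rec["user"], runs[rec["user"]], "success after failures"))
        runs[rec["user"]] = 0
    for user, count in runs.items():
        if count >= threshold:
            findings.append((user, count, "still failing"))
    return findings


def find_sequence_anomalies(records):
    """Gaps, reordering or backwards time between neighbours can mean deleted or edited entries."""
    findings = []
    for prev, cur in zip(records, records[1:]):
        if cur["seq"] != prev["seq"] + 1:
            findings.append(("gap or reorder", prev["seq"], cur["seq"]))
        if cur["time"] < prev["time"]:
            findings.append(("time went backwards", prev["seq"], cur["seq"]))
    return findings
```

Bob's single mistyped password is ignored, while the five failures against svc_backup followed by a success are exactly the pattern worth an immediate look, all the more so because service accounts are not supposed to log on interactively at all. The sequence check flags the jump from 1009 to 1013 and the out-of-order 1012; a production detector would add a time window to the failure count and correlate across hosts, but the shape of the logic is the same.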
77
Q

Permissions issues might derive from misconfiguration, either where users don’t have the proper permissions needed to do their jobs, or where they have more permissions than they need:

A
  • Check for configuration changes to authorization mechanisms that support wired and wireless networks.
  • Ensure that users are in the proper groups that provide an appropriate level of read/write access.
  • Ensure that resource objects are supporting the relevant permissions to their subjects.
  • Design user permissions to adhere to the principle of least privilege.
78
Q

You might also detect permissions issues from usage auditing and review:

A
  • Ensure that users and groups are not being granted access to resources they shouldn’t have access to.
  • Check the directory structure for unknown or suspicious accounts.
  • Check to see if an account’s privileges have been elevated beyond the intended level. If they have, try to discover the cause (were the privileges elevated via a configuration change, is malware involved, or is the access control system faulty?).
79
Q

Most authentication issues involve users not being able to sign in. To troubleshoot this kind of issue, complete the following checks:

A
  • Check for configuration changes to authentication mechanisms that support wired and wireless networks or remote access.
  • Ensure that authentication servers are connected to the network and can communicate with other resources.
  • Ensure that users are given the proper access rights, and/or are placed in the appropriate access groups.
  • Check to see if the credentials the authentication mechanism accepts align with the credentials the user presents.
  • Verify that date/time settings on servers and clients are synchronized (Kerberos rejects requests when the clock skew exceeds its tolerance, which is five minutes by default, so a drifted clock produces logon failures that look like bad credentials).
80
Q

If a credential is ever stored or transmitted in cleartext, the account can no longer be considered secure. The account must be re-secured as soon as this sort of policy violation is detected, but prevention is better than cure:

A
  • Ensure that you are using secure remote protocols like Secure Shell (SSH).
  • Ensure that you are using SSL/TLS to secure communications with any compatible protocol (HTTP, email, VoIP, FTP, and so on).
  • Ensure that users know not to store passwords in unencrypted text, spreadsheet, or database files.
  • Ensure that any custom apps you develop employ encryption for data at rest, in transit, and in use.