Lesson 7: Managing Access Services and Accounts Flashcards

1
Q

authorization

A
  • process by which subjects (typically authenticated user or computer accounts) are granted rights to access and modify resources
  • important functions in authorization:
  • The process of ensuring that only authorized rights are exercised (policy enforcement)
  • The process of determining rights (policy definition)
2
Q

implicit deny

A
  • Access controls are usually founded on the principle of implicit deny; that is, unless there is a rule specifying that access should be granted, any request for access is denied
  • can be seen clearly in firewall policies:
  • firewall filters access requests using a set of rules
  • rules are processed in order from top-to-bottom
  • if a request does not fit any of the rules, it is handled by the last (default) rule, which is to refuse the request
3
Q

least privilege

A

means a user should be granted rights necessary to perform their job and no more

4
Q

Single Sign-On (SSO)

A
  • a user only has to authenticate to a system once to gain access to all the resources to which the user’s account has been granted rights
  • example
  • Kerberos authentication and authorization model
5
Q

directory services

A
  • principal means of providing privilege management and authorization on an enterprise network
  • owner or systems administrator can share resources (folders, printers, and other resources) to make them available for network users
6
Q

authentication credentials

A

provided by each user at logon to gain access to a system-defined account

7
Q

server’s security database

A
  • contains authentication credentials (username and password, or other authentication data); if the credentials supplied at logon match the entry in the database, the user is authenticated
  • the server security service generates an access key for the user (contains the username and group memberships of the authenticated user)
8
Q

Access Control List (ACL)

A
  • list associated with each resource on server-based systems that is used to control access to that resource
  • the access list contains entries for all usernames and groups that have permission to use the resource (it also records the level of access)
9
Q

directory

A
  • like a database, where an object is like a record, and things that you know about the object (attributes) are like fields
  • in order for products from different vendors to be interoperable, most directories are based on the same standard
  • principal directory standard is the X.500 series of standards, developed by the International Telecommunication Union (ITU) in the 1980s
10
Q

Lightweight Directory Access Protocol (LDAP)

A
  • not a directory standard but a protocol used to query and update an X.500 directory or any type of directory that can present itself as an X.500 directory
  • runs over TCP and UDP port 389 by default
  • basic protocol provides no security and all transmissions are in plaintext, making it vulnerable to sniffing and Man-in-the-Middle (spoofing an LDAP server) attacks
  • a server that does not require clients to authenticate is vulnerable to overloading by DoS attacks
  • where LDAP can be queried from some sort of web application, the application design needs to prevent the possibility of LDAP injection attacks (a malicious user may enter a search string that includes extra search filters)
11
Q

distinguished name

A
  • unique identifier for any given resource within an X.500-like directory
  • distinguished name is made up of attribute=value pairs, separated by commas
  • most specific attribute is listed first, and successive attributes become progressively broader
  • most specific attribute is also referred to as the relative distinguished name, as it uniquely identifies the object within the context of successive (parent) attribute values
12
Q

schema

A
  • types of attributes, what information they contain, and the way object types are defined through attributes (some of which may be required, and some optional) is described by the directory schema
  • some of the attributes commonly used include Common Name (CN), Organizational Unit (OU), Organization (O), Country (C), and Domain Component (DC)
  • example:
    CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=com
13
Q

X.500 Directory Information Tree

A
  • X.500 directories are arranged in a hierarchy
  • each directory starts at the root and passes through several levels of container objects, such as country (optional), organization, and organizational units (also optional)
  • actual network resources, such as users, computers, printers, folders, or files, are referred to as leaf objects
14
Q

authentication (binding to server)

A
  • implemented in one of the following ways:
  • no authentication—anonymous access is granted to the directory
  • simple authentication—the client must supply its DN and password, but these are passed as plaintext. This method could be secured if using IPSec for transport across the network
  • Simple Authentication and Security Layer (SASL)—the client and server negotiate the use of a supported security mechanism. Typically, this will mean the use of either Kerberos or TLS to provide strong certificate-based authentication
15
Q

Remote Authentication Dial-in User Service (RADIUS)

A
  • RADIUS is published as an Internet standard
  • RADIUS authentication process works as follows:
    1. the remote user connects to a RADIUS client, such as an access point, switch, or remote access server
    2. the RADIUS client prompts the user for their authentication details, such as a username and password or digital certificate. Certificate-based authentication is available if the RADIUS product supports EAP
    3. the remote user enters the required information. The RADIUS client uses this information to create an Access-Request packet. The packet contains the following data:
       - Username and password
       - Connection type (port)
       - RADIUS client ID (IP address)
       - Message authenticator
    4. the Access-Request packet is encapsulated and sent to the AAA server using UDP on port 1812 (by default)
    5. the AAA server decrypts the password (if the password cannot be decrypted, the server does not respond)
    6. the client checks an authenticator in the response packet; if it is valid and an Access-Accept packet is returned, the client authenticates the user. The client then generates an Accounting-Request (Start) packet and transmits it to the server (on port 1813). It then opens a session with the user
    7. the server processes the Accounting-Request and replies with an Accounting-Response
    8. when the session is closed (or interrupted), the client and server exchange Accounting-Request (Stop) and Response packets
16
Q

Terminal Access Controller Access-Control System Plus (TACACS+)

A
  • similar protocol to RADIUS but designed to be more flexible and reliable
  • designed by Cisco
  • uses TCP communications (over port 49), and this reliable, connection-oriented delivery makes it easier to detect when a server is down
  • all the data in TACACS+ packets is encrypted (except for the header identifying the packet as TACACS+ data), rather than just the authentication data
  • more often used for device administration than for authenticating end user devices
  • allows centralized control of accounts set up to manage routers, switches, and firewall appliances, as well as detailed management of the privileges assigned to those accounts
17
Q

federation

A
  • the notion that a network needs to be accessible to more than just a well-defined group, such as employees
  • in business, a company might need to make parts of its network open to partners, suppliers, and customers, and likewise have parts of its network open to its staff
  • means that the company trusts accounts created and managed by a different network
  • in the consumer world, a user might want to use both Google Apps™ and Twitter; if Google and Twitter establish a federated network for the purpose of authentication and authorization, then the user can log on to Twitter using his or her Google credentials or vice versa
18
Q

federated identity management

A

networks establish trust relationships so that the identity of a user (the principal) from network A (the identity provider) can be trusted as authentic by network B (the service provider)

19
Q

one-way trust

A
  • child trusts parent but parent does not trust child
  • example
  • Domain B might be configured to trust Domain A. Users from Domain A can be authorized to access resources on Domain B. Users from Domain B, however, are not trusted by Domain A
20
Q

two-way trust

A

domains are peers, and both trust one another equally

21
Q

non-transitive trust

A

trust relationship remains only between those domains

22
Q

transitive trust

A

trust extends to other trusted domains. For example, if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A also trusts Domain C

23
Q

Security Assertion Markup Language (SAML)

A
  • developed by the Organization for the Advancement of Structured Information Standards (OASIS)
  • SAML authorizations (or SAML tokens) are written in eXtensible Markup Language (XML)
  • Communications are established using HTTP/HTTPS and the Simple Object Access Protocol (SOAP)
  • secure tokens are signed using the XML signature specification
  • the use of a digital signature allows the SP to trust the IdP
  • example of a SAML implementation
  • Amazon Web Services (AWS) can function as a SAML service provider (allows companies using AWS to develop cloud applications to manage their customers’ user identities and provide them with permissions on AWS without having to create accounts for them on AWS directly)
  1. The principal’s User Agent (typically a browser) requests a resource from the Service Provider (SP), making an assertion of identity
  2. If the user agent does not already have a valid session, the SP redirects the user agent to the Identity Provider (IdP)
  3. The user agent authenticates with the IdP. The IdP validates the supplied credentials and if correct, provides an authorization token
  4. The user agent presents the SP with the authorization token
  5. The SP verifies the token and if accepted, establishes a session and provides access to the resource.
24
Q

Shibboleth

A
  • open source implementation of SAML
  • main components
  • Identity Provider—supports the authentication of users. The software can be integrated with LDAP, Kerberos, X.509, and other directory and authentication systems
  • Embedded Discovery Service—allows the user to select a preferred identity provider
  • Service Provider—processes calls for user authentication by contacting the user’s preferred identity provider and processing the authentication request and authorization response. The service provider can be used with the IIS and Apache web servers
25
Q

OpenID

A
  • standard underpinning early “sign on with” features of websites
  • an example of a “user-centric” version of federated identity management
  • allows a consumer website, referred to as the relying party (RP), to accept new users without having to go through an account creation step first, improving availability
  • take this hypothetical situation and fictional website: fantastic-holidays.com
  • fantastic-holidays.com wants to quickly accept authenticated users to participate in live chat with sales staff
  • it does not want to force potential users to complete a sign-up form, which might act as a deterrent and reduce sales opportunities
  • consequently, it becomes a relying party accepting Google.com or Live.com as identity providers
  • later, if fantastic-holidays.com wins a sale and needs more information about the user, it can associate that identity with additional profile information, such as billing details
26
Q

OAuth

A
  • protocol designed to facilitate this sort of transfer of information or resources between sites
  • user grants an OAuth (“auth” stands for “authorization,” NOT “authentication”) consumer site the right to access resources stored on an OAuth provider website
  • uses REST (Representational State Transfer) web services, rather than SOAP, and JSON (JavaScript Object Notation) message format and JSON Web Tokens (JWT), rather than XML
27
Q

OpenID Connect (OIDC)

A
  • replaces OpenID to provide an identity management layer over the OAuth 2 protocol so that a site can request an “authentication service” only
28
Q

how to set up remote access authentication

A

To implement RADIUS authentication on an NPS in Windows Server 2016:

  1. In Server Manager, select Tools→Network Policy Server.
  2. In the Network Policy Server window, select RADIUS Clients and Servers.
  3. In the right pane, select Configure RADIUS Clients.
  4. Select Action→New.
  5. In the New RADIUS Client dialog box, in the Friendly name text box, type the name of your server.
  6. In the Address (IP or DNS) text box, type your server’s static IP address.
  7. In the Shared secret and Confirm shared secret text boxes, enter a password and select OK.
  8. In Server Manager, select Tools→Routing and Remote Access.
  9. In the Routing and Remote Access window, select your server and select Action→Properties.
  10. In the Properties window, select the Security tab.
  11. From the Authentication provider drop-down list, select RADIUS Authentication.
  12. Select Configure to display the RADIUS Authentication dialog box.
  13. In the RADIUS Authentication dialog box, select Add.
  14. In the Add RADIUS Server dialog box, in the Server name text box, type the name of your server to match the friendly name, and select Change.
  15. In the Change Secret dialog box, in the New secret and Confirm new secret text boxes, type the password you specified earlier.
  16. Select OK four times.
  17. If necessary, select Action→All Tasks→Restart to manually restart the server.
29
Q

access control or authorization models

A
  • how Access Control Lists (ACLs) are written
  • access control or authorization models are generally classed as one of the following:
  • Discretionary Access Control (DAC).
  • Role-based Access Control (RBAC).
  • Mandatory Access Control (MAC).
  • Attribute-based Access Control (ABAC).
30
Q

discretionary access control (DAC)

A
  • stresses the importance of the owner
  • most flexible model and is currently implemented widely in terms of computer and network security
  • weakest because it makes centralized administration of security policies the most difficult to enforce
  • file system security, model used by most UNIX/Linux distributions and by Microsoft Windows
31
Q

role-based access control (RBAC)

A
  • most commonly implemented system on computer networks, as it re-establishes centralized, administrative control over important resources
  • adds an extra degree of administrative control to the DAC model
  • set of organizational roles are defined, and users allocated to those roles
  • system is non-discretionary, as each user has no right to modify the ACL of a resource, even though they may be able to change the resource in other ways
  • users are said to gain rights implicitly (through being assigned to a role) rather than explicitly (being assigned the right directly)
32
Q

mandatory access control (MAC)

A
  • based on the idea of security clearance levels
  • rather than defining access control lists on resources, each object and each subject is granted a clearance level, referred to as a label
  • if the model used is a hierarchical one (that is, high clearance users are trusted to access low clearance objects), subjects are only permitted to access objects at their own clearance level or below. Alternatively, each resource and user can be labeled as belonging to a domain (compartmentalized)
  • user may only access a resource if they belong to the same domain (Need to Know)
  • non-discretionary (rules cannot be changed, except by the system owner)
  • type of access control is associated with military and secret service organizations, where the inconveniences forced on users are secondary to the need for confidentiality and integrity
33
Q

attribute-based access control (ABAC)

A
  • most fine-grained type of access control model
  • capable of making access decisions based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes
  • attributes could include information about the OS currently being used, the IP address, or the presence of up-to-date patches and anti-malware
  • flexible and can be made sensitive to different levels of risk or threat awareness by making access conditional on the acceptance of a wide range of different attribute values
34
Q

rule-based access control

A
  • can refer to any sort of access control model where access control policies are determined by system-enforced rules rather than system users
  • privileges are restricted regardless of the user’s identity
35
Q

file system security

A
  • each object in the file system has an ACL associated with it
  • ACL contains a list of accounts (principals) allowed to access the resource and the permissions they have over it
  • each record in the ACL is called an access control entry (ACE)
36
Q

database security

A
  • range of objects that can be secured with fine-grained permissions is wider
  • objects in a database schema include the database itself, tables, views, rows (records), and columns (fields)
  • different policies can be applied for statements, such as SELECT, INSERT, UPDATE, and DELETE
37
Q

account types

A
  • operating systems, network appliances, and network directory products usually create recognizable account types as the basis of a privilege management system
  • most PC operating systems assign two types of user accounts
  • standard users have limited privileges, typically with access to run programs and to create and modify files belonging only to their profile
  • administrative or privileged accounts are able to install and remove programs and drivers, change system-level settings, and access any object in the file system
  • each OS also typically has a default privileged account. In Windows, this account is called Administrator; in Linux, it is called root
  • in Windows, the privileges for these accounts are assigned to local group accounts (the Users and Administrators groups) rather than directly to the user account itself
38
Q

generic account prohibition

A
  • one or more accounts with administrative privileges are then created for named system admins (so that their actions can be audited). This makes it harder for attackers to identify and compromise an administrative account
39
Q

service accounts

A
  • often used by scheduled processes, such as maintenance tasks, or may be used by application software, such as databases, for account or system access
  • do not accept interactive user logons but can be used to run processes and background services:
  • System—has the most privileges of any Windows account. The System account creates the host processes that start Windows before the user logs on. Any process created using the System account will have full privileges over the local computer.
  • Local Service—has the same privileges as the standard user account. It can only access network resources as an anonymous user.
  • Network Service—has the same privileges as the standard user account but can present the computer’s account credentials when accessing network resources.
40
Q

user-assigned privileges

A
  • simplest (meaning the least sophisticated) type of privilege management
  • each user is directly allocated rights
41
Q

group-based privilege

A
  • privilege management simplifies and centralizes the administrative process of assigning rights by identifying sets of users that require the same rights
  • user inherits access rights from the group account to which he or she belongs
  • user can be a member of multiple groups and can, therefore, receive rights and permissions from several sources
  • determining effective permissions when those set from different accounts conflict can be a complex task
42
Q

role-based management

A
  • most network administrators define groups that are targeted on job functions a bit more tightly, but the principle of group management is still that groups are accretions of users
  • a user is only granted the access rights of a given role for the time that he or she actually performs that role
  • if a role-based system cannot be enforced, one alternative is to provision employees with multiple accounts
43
Q

shared account

A
  • where passwords (or other authentication credentials) are known to more than one person
  • simple SOHO networking devices do not allow for the creation of multiple accounts and a single “Admin” account is used to manage the device
  • breaks the principle of non-repudiation and makes an accurate audit trail difficult to establish
  • more likely that the password for the account will be compromised
  • guest account is a special type of shared account with no password
44
Q

Active Directory (AD)

A
  • in server-based Windows networks, the directory service is provided by Active Directory (AD)
  • AD implemented as a database stored on one or more servers called a Domain Controller
  • AD distinguishes between three scopes of groups: domain local, global, and universal
  • Domain Local groups can be used to assign rights to resources within the same domain only
  • Global groups can contain only user and global or universal group accounts from the same domain but can be used to assign rights to resources in any trusted domain (essentially the opposite of domain local scope)
  • Universal groups can contain accounts from any trusted domain and can also be used to grant permissions on any object in any trusted domain
45
Q

domains

A

in legacy Windows networks, domains provided the primary grouping of users, groups, and computers

46
Q

Organizational Units (OU)

A
  • provide a way of dividing a domain up into different administrative realms
  • you might create OUs to delegate responsibility for administering different company departments or locations
47
Q

standard naming convention

A
  • allows better administrative control over network resources
  • example
  • you may make the AD namespace a delegated subdomain of your public DNS domain name (for example, ad.widget.com). This solution isolates AD from the public Internet and means that the DNS servers supporting the public domain name (widget.com) do not need to support Active Directory
48
Q

user account

A
  • identifies the individual as he or she logs onto the computer network
  • can be linked to a profile that defines user settings for the workstation
  • processes involved in setting up user accounts are often called user provisioning
49
Q

onboarding

A

process of ensuring accounts are only created for valid users, only assigned the appropriate privileges, and that the account credentials are known only to the valid user. Appropriate privileges are usually determined by creating workflows for each function that the user or user role performs

50
Q

offboarding

A

process of withdrawing user privileges, either when the user stops performing in a certain role or within a project group, or leaves the organization completely

51
Q

account maintenance

A

creating an account, modifying account properties, disabling an account, changing an account’s password, and so on

52
Q

group-based access control

A

allows you to set permissions (or rights) for several users at the same time

53
Q

AGDLP (Accounts go into Global groups, which go into Domain Local groups, which get Permissions)

A

system recommends putting user accounts into one or more global groups based on their role(s) within the company

54
Q

security group

A
  • one use for groups is to assign permissions to access resources
  • can also configure distribution groups, used to send messages to lists of recipients. Distribution groups cannot be configured with access permissions
55
Q

least privilege

A
  • core principle of secure access management
  • policy means that a user, group, or role should be allocated the minimum sufficient permissions to be able to perform its job function and no more
56
Q

privilege bracketing

A

used when privileges are granted only when needed, then revoked as soon as the task is finished or the need has passed

57
Q

User Account Control (UAC)

A

prevent administrative privileges from being invoked without specific authorization

58
Q

Local Security Policy

A

on a standalone workstation, security policies for the local machine and for local accounts are configured via the Local Security Policy snap-in

59
Q

Group Policy Objects (GPOs)

A
  • a means of applying security settings (as well as other administrative settings) across a range of computers and users
  • can be used to configure software deployment, Windows settings, and, through the use of Administrative Templates, custom Registry settings
60
Q

Resultant Set of Policies (RSoP)

A
  • system of inheritance determines the Resultant Set of Policies (RSoP) that apply to a particular computer or user
61
Q

password management policy

A
  • instructs users on best practice in choosing and maintaining passwords
  • credential management policy should instruct users on how to keep their authentication method secure (whether this be a password, smart card, or biometric ID)
  • Password policy is achieved through hard (NOS rules) and soft (training) measures
  • User passwords should be changed every 60-90 days
  • Administrative passwords should be changed every 30 days
  • Passwords for mission critical systems should be changed every 15 days
62
Q

logging

A
  • accounting is generally performed by logging actions automatically
  • NOS and many applications and services can be configured to log events
  • logs take up a lot of disk space; when a log reaches its allocated size, it starts to overwrite earlier entries, so some system of backing up logs is needed in order to preserve a full accounting record over time
63
Q

improperly configured accounts

A
  • two different types of impact
  • setting privileges that are too restrictive creates a large volume of support calls and reduces productivity
  • granting too many privileges to users weakens the security of the system and increases the risk of things like malware infection and data breach
64
Q

permission auditing

A

system of permission auditing needs to be put in place so that privileges are reviewed regularly

65
Q

usage auditing

A

configuring the security log to record key indicators and then reviewing the logs for suspicious activity