User Accounts and Permission Sets Flashcards
What is the purpose of User Accounts in ePO?
They control who can access ePO, as well as how they access it
What is the difference between authentication and authorization?
Authentication is the process of determining whether or not a user is permitted to log on to ePO by verifying the user’s identity and matching the credentials supplied by the user to something the system trusts
Authorization is the process of determining what actions an authenticated user is permitted to perform in ePO.
What are the types of User Authentication offered by ePO?
ePO authentication - The user name and password are stored in ePO, and ePO authenticates the user
Windows authentication - The Windows domain and user name details are stored in ePO, and the user is authenticated by a Windows domain controller. By default, ePO authenticates against the domain that the ePO server is a member of. Windows users who can’t authenticate by the parent domain can enable the Windows Authentication feature and specify the details of the untrusted domains
Certificate-based authentication - Enable certificate-based authentication to allow your users to access McAfee ePO with a valid client certificate instead of a user name and password
What settings need to be configured to automatically create Windows authentication users based on their Active Directory group membership?
- The “Active Directory User Login” server setting must be enabled
- At least one permission set must be mapped to the user’s Active Directory group
- A registered LDAP server must be configured for the domain, so that McAfee ePO can determine the user’s group membership
How does the Active Directory User Login work?
If ADUL is enabled and an unknown user tries to log on, ePO checks whether any permission sets are mapped to AD groups of which the user is a member. If there are, ePO creates a Windows authentication user and assigns the mapped permission sets to it
T/F Permission sets can be dynamically assigned to just some users in an AD group
False, they can be dynamically assigned only to an entire AD group
If you want to assign special permissions to an individual user, create an AD group that contains only that user
Does ePO support AD Universal Groups?
Partially; it restricts its communication to one domain when retrieving group information
What can be done with the logon protection server setting?
- Lock out users when they have too many failed logon attempts (configure how many attempts, the lockout window reset, and the amount of time locked out)
- Configure IP addresses from which logons are never allowed, or from which logons are always allowed. Also, enable automatic IP restriction after 10 failed logon attempts within 60 seconds
Where can you go to monitor logon attempts?
The audit log
What ePO function can you leverage to automatically alert admins when too many failed logons occur from an IP address, a blocked IP address attempts to log on, or a system blocks an IP address?
Automatic responses
What functions can you configure from the password policy server setting?
- Control the Password Strength Criteria
- Control the Password Expiration Criteria
How can you stop a user from being able to log in to ePO without permanently deleting the account (which would also delete all of the objects and policies that the user created)?
Disable the account (the logon status)
What is the purpose of the Audit Log?
Records all of the actions taken by ePO users in your environment, allowing you to track actions
How does the Audit log relate to database performance?
Each action recorded in the Audit Log takes up space in the database. Therefore, entries in the Audit Log should be periodically purged (6 months is the best practice, or follow corporate retention rates) to prevent the database from getting bogged down
What are certificates?
Digital documents that combine identity information and public keys
What is a certificate authority?
A trusted third party that digitally signs the certificates and verifies that the information is accurate
How does certificate based authentication work in ePO?
When a user tries to access ePO using CBA, ePO checks the client certificate to make sure that it was signed. After the client certificate is verified, the user is granted access
What are the two categories that ePO users can fall into?
Administrators - full rights throughout the system
Regular Users - can be assigned any number of permission sets to define their access levels in McAfee ePO
What permissions in ePO are exclusive to administrators?
- Create, edit, and delete source and fallback sites
- Change server settings
- Add and delete user accounts
- Add, delete, and assign permission sets
- Import events into ePO databases and limit events that are stored there
What is a permission set?
A particular access profile definition; it consists of a combination of access levels to various parts of ePO.
How can permission sets be assigned?
Either to individual users, or to all users from specific Active Directory servers
What are the four default permission sets?
Executive Reviewer - Provides view permissions to dashboards, events, and contacts, and can view information that relates to the whole System Tree
Global Reviewer - Provides view access globally across functionality, products, and the System Tree, except for extensions, multi-server roll-up data, registered servers, and software
Global Admin - Provides view and change permissions across McAfee ePO features. Users that are assigned this permission set each need at least one more permission set that grants access to the needed products and groups of the System Tree
Group Reviewer - Provides view permissions across ePO features. Users that are assigned this permission set each need at least one more permission set that grants access to the needed products and groups of the System Tree
What is the fastest way to migrate permission sets?
Exporting them, and then importing them
What happens if a user has multiple permission sets assigned to him?
He will have the highest level of access rights afforded by any of the permission sets.
Example: if he has 3 permission sets, with 2 only giving view permissions to dashboards and 1 giving view and edit permissions to dashboards, then in practice the user will have the view and edit permissions