User Accounts and Permission Sets Flashcards
What is the purpose of User Accounts in ePO?
They control who can access ePO, as well as how they access it
What is the difference between authentication and authorization?
Authentication is the process of determining whether or not a user is permitted to log on to ePO by verifying the user’s identity and matching the credentials supplied by the user to something the system trusts
Authorization is the process of determining what actions an authenticated user is permitted to perform in ePO.
What are the types of User Authentication offered by ePO?
ePO authentication - The user name and password are stored in ePO, and ePO authenticates the user
Windows authentication - The Windows domain and user name details are stored in ePO, and the user is authenticated by a Windows domain controller. By default, ePO authenticates against the domain that the ePO server is a member of. Windows users who can’t authenticate by the parent domain can enable the Windows Authentication feature and specify the details of the untrusted domains
Certificate-based authentication - Enable certificate-based authentication to allow your users to access McAfee ePO with a valid client certificate instead of a user name and password
What settings need to be configured to automatically create Windows authentication users based on their Active Directory group membership?
- The “Active Directory User Login” server setting must be enabled
- At least one permission set must be mapped to the user’s Active Directory group
- A registered LDAP server must be configured for the domain, so that the McAfee ePO can determine the user’s group membership
How does the Active Directory User Login work?
If ADUL is enabled and an unknown user tries to log on, ePO checks whether any permission sets are mapped to AD groups of which the user is a member. If there are, ePO creates a Windows authentication user and assigns the mapped permission sets to it
T/F Permission sets can be dynamically assigned to just some users in an AD group
False, they can be dynamically assigned only to an entire AD group
If you wanted to assign special permissions to an individual user, create an AD group that contains only that user
Does ePO support AD Universal Groups?
Partially; it restricts its communication to one domain when retrieving group information
What can be done with the logon protection server setting?
- Lock out users when they have too many failed login attempts (configure how many attempts, the lockout window reset, and the amount of time locked out)
- Configure IP addresses from which logins are never allowed, or from which logins are always allowed. Also, enable automatic IP restriction after 10 failed login attempts within 60 seconds
Where can you go to monitor logon attempts?
The audit log
What ePO function can you leverage to automatically alert admins when too many failed logons occur from an IP address, a blocked IP address attempts to log on, or a system blocks an IP address?
Automatic responses
What functions can you configure from the password policy server setting?
- Control the Password Strength Criteria
- Control the Password Expiration Criteria
How can you stop a user from being able to log into ePO without permanently deleting the account (which would also delete all of the objects and policies that the user created)?
Disable the account (the logon status)
What is the purpose of the Audit Log?
Records all of the actions taken by ePO users in your environment, allowing you to track actions
How does the Audit log relate to database performance?
Each action recorded in the Audit Log takes up space in the database. Therefore, entries in the audit log should be periodically purged (6 months is the best practice, or base it on corporate retention policies) to prevent the database from getting bogged down
What are certificates?
Digital documents that combine identity information and public keys