User Accounts and Permission Sets Flashcards

1
Q

What is the purpose of User Accounts in ePO?

A

The control who can access ePO, as well as how they access it

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the difference between authentication and authorization?

A

Authentication is the process of determining whether or not a user is permitted to log on to ePO by verifying the user’s identity and matching the credentials supplied by the user to something the system trusts

Authorization is the process of determing what actions an authenticated user is permitted to perform in ePO.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are the types of User Authentication offered by ePO?

A

ePO authentication - The UN and Password are stored in ePO and ePO authenticates the user

Windows authentication - The Windows domain and user name details are stored in ePO, and the user is authenticated by a Windows domain controller. By default, ePO authenticates against the domain that the ePO server is a member of. Windows users who can’t authenticate by the parent domain can enable the Windows Authentication feature and specify the details of the untrusted domains

Certificate-based authentication - Enable certificate-based authentication to allow your users to access McAfee ePO with a valid client certificate instead of a user name and password

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What settings need to be configured to automatically create Windows authentication users based on their Active Directory group membership?

A
  • The “Active Directory User Login” server setting must be enabled
  • At least one permission set must be mapped to the user’s Active Directory group
  • A registered LDAP server must be configured for the domain, so that the McAfee ePO can determine the user’s group membership
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

How does the Active Directory User Login work?

A

If ADUL is enabled when an unknown user tries to log on, ePO checks to see any permission sets mapped to AD groups for which the user is a member. If there are, ePO creates a Windows authentication user and assigns the mapped permission sets to it

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

T/F Permission sets can be dynamically assigned to just some users in an AD group

A

False, they can be dynamically assigned only to an entire AD group

If you wanted to assign special permissions to an individual user, create an AD group that contains only that user

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Does ePO support AD Universal Groups?

A

Partially, it restricts its communication to one domain when retrieving group information?

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What can be done with the logon protection server setting?

A
  • Lock out users when they have too many failed log in attempts (configure how many attempts, lockout window reset, and amount of time locked out
  • Configure IP addresses to not allow log ins for, or to always allow log ins for. Also, enable automatic IP restriction after 10 failed login attempts within 60 seconds
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Where can you go to monitor logon attempts?

A

The audit log

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What ePO function can you leverage to automatically alert admins when too many failed logons occur from an IP address, a blocked IP address attempts to log on, or a system blocks an IP address?

A

Automatic responses

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What functions can you configure from the password policy server setting?

A
  • Control the Password Strength Criteria

- Control the Password Expiration Criteria

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

How can you stop a user from being able to log into ePO without permanently deleting it (subsequently deleting all of the objects and policies that the user created)

A

Disable the account (the logon status)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is the purpose of the Audit Log?

A

Records all of the actions taken by ePO users in your environment, allowing you to track actions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

How does the Audit log relate to database performance?

A

Each action recorded in the Audit Log takes up space in the database. Therefore, entries in the audit log should be periodically purged (6 months best practice, or based on corporate retention rates) to prevent database from getting bogged down

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are certificates?

A

Digital documents that combine identity information and public keys

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is a certificate authority?

A

A trusted third party that digitally signs the certificates and verifies that the information is accurate

17
Q

How does certificate based authentication work in ePO?

A

When a user tries to access ePO using CBA, ePO checks the client certificate to make sure that it was signed. After the client certificate is verified, the user is granted access

18
Q

What are the two categories that ePO users can fall into?

A

Administrators - full rights throughout the system

Regular Users - can be assigned any number of permission sets to define their access levels in McAfee ePO

19
Q

What permissions in ePO are exclusive to administrators?

A
  • Create, edit, and delete source and fallback sites
  • Change server settings
  • Add and delete user accounts
  • Add, delete, and assign permission sets
  • Import events into ePO databases and limit events that are stored there
20
Q

What is a permission set?

A

A particular access profile definition, involves a combination of access levels to various parts of ePO.

21
Q

How can permission sets be assigned?

A

Either to individual users, or all users from specific active directory servers

22
Q

what are the four default permission sets?

A

Executive Reviewer - Provides view permissions to dashboards, events, contacts, and can view information that relates to the whole System Tree

Global Reviewer - Provides view access globally across functionality, products, and the system tree, except for extensions, multi-server roll up data, registered servers, and software

Global Admin - Provides view and change permissions across McAfee ePO features. Users that are assigned this permission set each need at least one more permission set that grants access needed products and groups of the system tree

Group Reviewer - Provides view permissions across ePO features. Users that are assigned this permission set each need at least one more permission set that grants access needed products and groups of the System Tree

23
Q

What is the fastest way to migrate permission sets?

A

exporting them, and then importing them

24
Q

What happens if a user has multiple permission sets assigned to him?

A

He will have the highest level of access rights afforded by each permission set.

Example: if he has 3 permission sets, with 2 only giving view permissions to dashboards, and 1 giving view and edit permissions to dashboards, in practice, the user will have the view and edit permissions