Security+ Domain 4.0: Identity and Access Management: Chapter 18

Chapter 18: Identity, Access and Accounts

Authentication, Access Control & Auditing

Know For The Security+ Test: The three “pillars” or “foundations” of information security are Authentication, Access Control and Auditing. (The mnemonic “AAA” may help you remember.)

Something You Know – A password, PIN, or mother’s maiden name

Something You Have – A key, SmartCard or ID card

Something You Are – Unique characteristics like a fingerprint or retina pattern

Something You Do

Somewhere You Are


Username and Password – (what you know)

This is the most common authentication method.

This is also the weakest.

Tokens (what you have)

This can be a plastic card with either a magnetic strip or an embedded chip, or a USB device, or a key-fob device like an RSA token.

Another type is the Proximity Card, which enables contactless authentication just by bringing the card near the reader.

Biometrics (what you are)

Fingerprint, retina, voice or other bodily characteristics

We mus point out that these characteristics can be stolen.

Digital Certificates (or simply Certificates) – (what you have)

A certificate proves identity.

A certificate provides identification.

A certificate is not a key; it does not encrypt information.

But it does contain the public key.

Certificates are issued by Certification Authorities (CAs).


Managing identities across systems and organizations


Single Sign-On: Kerberos

Let us introduce you to CBT Nuggets, a commercial channel that sells access to short video trainings. Depending on your needs, the price might be worth it to you. (One of their best trainers was Network Chuck, who now works from his channel by that name on YouTube.) This isn’t him, but it’s a very good explanation of Kerberos. Do note that when he says “password” he actually means “password hash”. This is a critical distinction, because your naked password is NOT passed over the network.

Element one is a KDC, or Key Distribution Center, which takes your username/password, token, or what have you, and issues you a Ticket Granting Ticket (TGT). Your computer will cache the TGT during your session.

Then, when you want access to an actual network resource, your computer presents its TGT back to the KDC. The KDC then gives you a session ticket. Then the server that controls that resource will accept your session ticket (if it’s valid) and give you access (if you have permission).


    • are encrypted
    • contain user identification information
    • expire

Transitive Trusts

Challenge Handshake Authentication Protocol (CHAP)

CHAP is more secure than password authentication.

    1. The user enters a username and password, which are sent to a server.
    2. The server returns a challenge message.
    3. The user’s computer creates a response using an algorythm, and sends it to the server.
    4. The server compares this response to its own algorythm-encrypted response to validate the user.

The server may require reauthentication at any time.

Mutual Authentication

Mutual Authentication helps prevent man-in-the-middle and replay attacks.

Each party is required to identify and authenticate themself to the other.

Multifactor Authentication

Put simply, this means requiring more than one method of authentication, e.g. both username/password authentication and a token or PIN.

Account Types

    • User
    • Shared / Generic Accounts / Credentials
    • Guest
    • Service
    • Privileged

General Concepts

Least Privilege

Onboarding / Offboarding

Permissions Auditing

In Windows, use the Security Configuration and Analysis Tool (SCAT), which uses templates to perform the compliance analysis.

Usage Auditing

Time-of-Day Restrictions


Standard naming conventions

Account Maintenance (auditing)

Account Policy Enforcement

      • Credential Management
      • Group Policy
      • Password Complexity
      • Expiration
      • Recovery (of passwords)
      • Disablement
      • Lockout
      • Password history
      • Password reuse
      • Password length