Chapter 18: Identity, Access and Accounts
Authentication, Access Control & Auditing
Know For The Security+ Test: The three “pillars” or “foundations” of information security are Authentication, Access Control and Auditing. (The mnemonic “AAA” may help you remember.)
Something You Know – A password, PIN, or mother’s maiden name
Something You Have – A key, SmartCard or ID card
Something You Are – Unique characteristics like a fingerprint or retina pattern
Something You Do
Somewhere You Are
Username and Password – (what you know)
This is the most common authentication method.
This is also the weakest.
Tokens (what you have)
This can be a plastic card with either a magnetic strip or an embedded chip, or a USB device, or a key-fob device like an RSA token.
Another type is the Proximity Card, which enables contactless authentication just by bringing the card near the reader.
Biometrics (what you are)
Fingerprint, retina, voice or other bodily characteristics
We must point out that these characteristics can be stolen.
Digital Certificates (or simply Certificates) – (what you have)
A certificate proves identity.
A certificate provides identification.
A certificate is not a key; it does not encrypt information.
But it does contain the public key.
Certificates are issued by Certification Authorities (CAs).
Managing identities across systems and organizations
Single Sign-On: Kerberos
Let us introduce you to CBT Nuggets, a commercial channel that sells access to short video trainings. Depending on your needs, the price might be worth it to you. (One of their best trainers was Network Chuck, who now works from his channel by that name on YouTube.) This isn’t him, but it’s a very good explanation of Kerberos. Do note that when he says “password” he actually means “password hash”. This is a critical distinction, because your naked password is NOT passed over the network.
Element one is a KDC, or Key Distribution Center, which takes your username/password, token, or what have you, and issues you a Ticket Granting Ticket (TGT). Your computer will cache the TGT during your session.
Then, when you want access to an actual network resource, your computer presents its TGT back to the KDC. The KDC then gives you a session ticket. Then the server that controls that resource will accept your session ticket (if it’s valid) and give you access (if you have permission).
Kerberos tickets:
- are encrypted
- contain user identification information
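The exchange described above, simulated end to end as an added example (this is not code from the original page or from any Kerberos implementation). It assumes a toy stdlib-only authenticated encryption in place of Kerberos's real encryption types, constructed sample users and a single "files" service, and it follows the flow in the text: the KDC issues a TGT, the cached TGT is presented back to obtain a session ticket, and the service accepts the ticket and then separately checks permission. Note that the client's password never goes on the wire; both sides only use a key derived from it.

```python
import hashlib
import hmac
import json
import os
import time


# Toy authenticated encryption standing in for "encrypted under key K":
# HMAC-SHA256 keystream in counter mode plus an HMAC tag (encrypt-then-MAC).
# Real Kerberos uses AES-based encryption types; this keeps the demo stdlib-only.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password):
    # Both sides derive the user's key from the password; the password itself is
    # never transmitted, which is the "password hash" point made above.
    return hashlib.sha256(b"toy-salt|" + password.encode()).digest()


class KDC:
    def __init__(self, users, services):
        self.users = {u: user_key(p) for u, p in users.items()}  # constructed user DB
        self.services = services                                 # service name -> service key
        self.tgs_key = os.urandom(32)                            # the KDC's own key

    def as_exchange(self, username):
        """AS-REQ/AS-REP: a TGT sealed under the KDC's key, plus the session key
        sealed under the user's key (only the right password can open it)."""
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": username, "sk": sk, "exp": time.time() + 600})
        return tgt, seal(self.users[username], {"sk": sk})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: check the cached TGT and the authenticator, then issue a
        session (service) ticket sealed under that service's key."""
        body = unseal(self.tgs_key, tgt)
        if body["exp"] < time.time():
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(body["sk"]), authenticator)   # proves client holds sk
        if auth["user"] != body["user"]:
            raise ValueError("authenticator does not match TGT")
        return seal(self.services[service], {"user": body["user"], "service": service})


class Service:
    def __init__(self, name, key, allowed_users):
        self.name, self.key, self.allowed_users = name, key, set(allowed_users)

    def ap_exchange(self, ticket):
        """AP-REQ: the ticket opens only with this service's key, so the KDC must have
        issued it (authentication); whether the user may access is a separate check."""
        body = unseal(self.key, ticket)
        if body["service"] != self.name:
            raise ValueError("ticket issued for another service")
        return body["user"] in self.allowed_users


def login_and_access(kdc, service, username, password):
    """Client side of the whole flow; returns True if access is granted."""
    tgt, reply = kdc.as_exchange(username)
    sk = bytes.fromhex(unseal(user_key(password), reply)["sk"])   # wrong password -> ValueError
    authenticator = seal(sk, {"user": username, "ts": time.time()})
    ticket = kdc.tgs_exchange(tgt, authenticator, service.name)   # TGT reused from cache
    return service.ap_exchange(ticket)


# Constructed sample realm: two users, one file service that only alice may use.
FILE_KEY = os.urandom(32)
KDC_DEMO = KDC({"alice": "hunter2!", "bob": "swordfish"}, {"files": FILE_KEY})
FILES = Service("files", FILE_KEY, ["alice"])
```

Running `login_and_access(KDC_DEMO, FILES, "alice", "hunter2!")` grants access, `bob` authenticates successfully but is refused at the permission check, and a wrong password fails at the very first step because the client cannot open the AS reply and so cannot build a valid authenticator.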
Challenge Handshake Authentication Protocol (CHAP)
CHAP is more secure than password authentication.
- The user enters a username and password, which are sent to a server.
- The server returns a challenge message.
- The user’s computer creates a response by running an algorithm over the secret and the challenge, and sends it to the server.
- The server computes the same algorithm itself and compares the result with the received response to validate the user.
The server may require reauthentication at any time.
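The CHAP steps above, as an added example that is not part of the original page: the response is the RFC 1994 one, MD5 over the identifier, the shared secret and the challenge, and the server keeps each challenge for one use only so that a captured response is useless against a later challenge. The user name and secret are constructed sample values; the class and function names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed sample secret. CHAP requires the plaintext shared secret on both
# sides, which is one of its well-known operational weaknesses.
USER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Server side: hands out a fresh random challenge, then verifies the response."""

    def __init__(self, secrets):
        self._secrets = secrets
        self._pending = {}      # username -> (identifier, challenge) awaiting a response
        self._identifier = 0

    def challenge(self, username: str):
        self._identifier = (self._identifier + 1) % 256
        chal = os.urandom(16)   # new random value every time, so old responses never match
        self._pending[username] = (self._identifier, chal)
        return self._identifier, chal

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        pending = self._pending.pop(username, None)   # each challenge is single-use
        if pending is None or pending[0] != identifier:
            return False
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)   # constant-time comparison


def chap_exchange(server: ChapServer, username: str, secret: bytes) -> bool:
    """Client side of one authentication (the server may repeat this at any time)."""
    identifier, chal = server.challenge(username)
    return server.verify(username, identifier, chap_response(identifier, secret, chal))
```

Because the server discards a challenge as soon as it has been answered, replaying the same response a second time is rejected even though it was correct the first time.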
Mutual Authentication helps prevent man-in-the-middle and replay attacks.
Each party is required to identify and authenticate itself to the other.
Multifactor Authentication
Put simply, this means requiring more than one method of authentication, e.g. both username/password authentication and a token or PIN.
- Shared / Generic Accounts / Credentials
Onboarding / Offboarding
In Windows, use the Security Configuration and Analysis Tool (SCAT), which uses templates to perform the compliance analysis.
Standard naming conventions
Account Maintenance (auditing)
Account Policy Enforcement
- Credential Management
- Group Policy
- Password Complexity
- Recovery (of passwords)
- Password history
- Password reuse
- Password length
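A small enforcer for the policy items listed above (length, complexity, history and reuse), as an added example that is not from the original page or from any particular product. The rule thresholds (12 characters, three of four character classes, a history of the last five passwords) are assumptions chosen for the demo; the history is kept as salted PBKDF2 hashes so that old passwords are never stored in the clear.

```python
import hashlib
import hmac
import os
import re


class PasswordPolicy:
    """Enforces length, complexity and history (no reuse of the last N passwords)."""

    def __init__(self, min_length=12, history_depth=5, iterations=200_000):
        self.min_length = min_length        # assumed policy values for the demo
        self.history_depth = history_depth
        self.iterations = iterations
        self._history = {}                  # username -> [(salt, hash), ...], newest last

    def complexity_failures(self, password):
        """Returns the list of rules the candidate breaks (empty means it passes)."""
        failures = []
        if len(password) < self.min_length:
            failures.append(f"shorter than {self.min_length} characters")
        classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
        if sum(bool(re.search(c, password)) for c in classes) < 3:
            failures.append("needs at least three of: lower, upper, digit, symbol")
        return failures

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def was_used_recently(self, username, password):
        """History check: compare against each stored salted hash, never plaintext."""
        for salt, digest in self._history.get(username, []):
            if hmac.compare_digest(self._hash(password, salt), digest):
                return True
        return False

    def set_password(self, username, password):
        """Returns (accepted, reason); on acceptance the new hash joins the history."""
        failures = self.complexity_failures(password)
        if failures:
            return False, "; ".join(failures)
        if self.was_used_recently(username, password):
            return False, f"matches one of the last {self.history_depth} passwords"
        salt = os.urandom(16)
        hist = self._history.setdefault(username, [])
        hist.append((salt, self._hash(password, salt)))
        del hist[:-self.history_depth]      # keep only the newest N entries
        return True, "ok"
```

A change is refused with the reason attached, so the calling system can tell the user which rule failed without ever revealing which earlier password it matched.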