Security+ SY0-601: 3.8: Implement Authentication and Authorization Solutions

This entry is part 30 of 47 in the series [ Security+ SY0-601 ]

Chapter 24: Implement Authentication and Authorization Solutions

A lot of this material should look familiar from Chapter 12. The emphasis here is on actual implementation.

Authentication management

Password keys

Password vaults

TPM: Trusted platform module

HSM: Hardware security module

Knowledge-based authentication

Authentication / Authorization

CHAP: Challenge-Handshake Authentication Protocol

MS-CHAPv2: The industry-standard contemporary CHAP, used even by Cisco.

PAP: Password Authentication Protocol

SSO: Single sign-on

SAML: Security Assertion Markup Language

TACACS+: Terminal Access Controller Access Control System Plus

Remote Access

OAuth: Open Authorization Standard

OpenID Connect

Access control comprises mechanisms for limiting access to information or resources, based on

      • user identity
      • membership in groups

Routers and operating systems store this information in an Access Control List (ACL).

An ACL consists of access control entries (ACEs).

A guide to understanding Cisco Access Control Lists:
Cisco Access Control Lists (ACL) at

Another example courtesy of JLSNet:

What these rules look like as Linux kernel firewall rules (thanks to the JustLinux Forums):

Access Control Models

ABAC: Attribute-based access control

RBAC: Role-based access control

All access is defined by a user’s specific role, for instance:

          • Manager
          • Accountant
          • HR

One user may have many roles.

RBAC (601) or RB-RBAC (501): Rule-based (role-based) access control (a concept almost entirely unique to CompTIA).

Yes, this is a thing. The Security+ test may ask about Rule-Based Access Control, or Rule-Based Role-Based Access Control (RB-RBAC). Think of this as a protocol where a rule-based mechanism like a router assigns a role to a user based on those rules.

MAC: Mandatory access control

This type of access control is used in government and military environments where objects are labelled as “Top Secret” or “Secret,” for example.

No subject can alter another subject’s access level.

All access is strictly defined at the object level:

      • only members of a specific group have access

and at the group level:

      • access to an object requires membership in a certain group.

The restrictions of MAC are often described this way:

      • You cannot read up (above your security grade), and
      • You cannot write (save) down (to below your security grade).
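
A worked example of the MAC rules just listed (added here; it is not from the Security+ material or from any vendor's implementation): a simplified label check in which a subject may read an object only at or below its own clearance, may write only at or above it, and must hold every group the object requires. The four-level ordering and the sample subject and objects are constructed for illustration; the page itself names only "Top Secret" and "Secret".

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed ordering of labels: the page names only "Top Secret" and
# "Secret"; the two lower levels are assumed for illustration.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)  # frozen: a subject cannot alter a label it is handed
class Label:
    level: str                            # clearance (subject) or classification (object)
    groups: FrozenSet[str] = frozenset()  # groups the object requires membership in

def has_groups(subject: Label, obj: Label) -> bool:
    """Group level: access requires membership in every group the object demands."""
    return obj.groups <= subject.groups

def can_read(subject: Label, obj: Label) -> bool:
    """No read up: the object's level must not exceed the subject's clearance."""
    return has_groups(subject, obj) and LEVELS[obj.level] <= LEVELS[subject.level]

def can_write(subject: Label, obj: Label) -> bool:
    """No write (save) down: the object must sit at or above the subject's level,
    so information never flows to a lower classification."""
    return has_groups(subject, obj) and LEVELS[obj.level] >= LEVELS[subject.level]

def decide(subject: Label, obj: Label, action: str) -> str:
    """Return 'ALLOW' or 'DENY: <reason>' for a read or write request."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    if not has_groups(subject, obj):
        return f"DENY: requires membership in {sorted(obj.groups - subject.groups)}"
    if action == "read" and not can_read(subject, obj):
        return f"DENY: no read up ({subject.level} reading {obj.level})"
    if action == "write" and not can_write(subject, obj):
        return f"DENY: no write down ({subject.level} writing to {obj.level})"
    return "ALLOW"

if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"HR"}))  # constructed subject
    for obj, action in [(Label("Secret", frozenset({"HR"})), "read"),
                        (Label("Top Secret", frozenset({"HR"})), "read"),
                        (Label("Confidential"), "write"),
                        (Label("Confidential", frozenset({"Finance"})), "read")]:
        print(f"{action:5} {obj.level:12} {sorted(obj.groups)} -> {decide(analyst, obj, action)}")
```

Note that a Secret subject is allowed to write into a Top Secret object: the rule only forbids data moving downward, it does not require the writer to be able to read what is already there.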


DAC: Discretionary access control (MS DOS and Windows for Workgroups)

This is the least restrictive model. Think of Windows workgroup permissions: the user of a PC shares a folder, assigns a password, and sets permission (for instance, read-only).

The user decides everything.

Conditional access

Privileged access management

Filesystem permissions

Securing File Systems

This is all about restricting user access, primarily through Access Control Lists (ACLs).

In Windows

NTFS allows file and folder access permissions (though older versions only controlled folder permissions).

FAT32 provides no access control.

Active Directory provides domain-based management (and replaces the older NT Domain model).

The Microsoft Management Console (MMC) is a utility that can control almost every aspect of a system.

MMC accepts “snap-ins” for expanded functionality.

The Security Template snap-in organizes security attributes in one screen.

Groups of computers sharing a security configuration are Group Policy Objects.

Group Policy Settings define these configurations.

Domain-based settings, however, cannot be overridden by group policy settings.

Windows rights based on group membership are inherited rights. These may include:

        • Full Control
        • Modify
        • Read
        • List Contents
        • Execute
        • Write

In Linux

Basic file and folder permissions can be controlled at the operating system level.

Larger networks use domain services and directories:

      • Network Information Service (NIS)
      • Novell Directory Services
      • OpenLDAP (and the Sun, Netscape and other LDAP directory servers)

Cloud Authentication