Lesson 8
Implementing Identity and Account Management
Controls
Topic 8A
Implement Identity and Account Types
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered
• 3.7 Given a scenario, implement identity and account management controls
• 5.3 Explain the importance of policies to organizational security
Identity Management Controls
• Certificates and smart cards
• Public key cryptography
• Subject identified by a public key, wrapped in digital certificate
• Private key must be kept secure
• Tokens
• Authorizations issued under single sign-on
• Avoids need for user to authenticate to each service
• Identity provider
• Provisions and manages accounts
• Processes authentication
• Federated identity management
Background Check and Onboarding Policies
• Human resources (HR) and personnel policies
• Recruitment (hiring)
• Operation (working)
• Termination/separation (firing or retiring)
• Background check
• Onboarding
• Welcoming new employees or contractors to the organization
• Account provisioning
• Issuing credentials
• Asset allocation
• Training/policies
• Non-disclosure Agreement (NDA)
Personnel Policies for Privilege Management
• Mitigate insider threat
• Separation of duties
• Standard operating procedures (SOPs)
• Shared authority
• Least privilege
• Assign sufficient permissions only
• Reduce risk from compromised accounts
• Job rotation
• Distributes institutional knowledge and expertise
• Reduces critical dependencies
• Mandatory vacations
Offboarding Policies
• Identity and access management checks
• Disable the user account and privileges
• Ensure integrity and availability of information assets managed by the employee
• Retrieving company assets
• Returning personal assets
• Consider shared/generic accounts, security procedures that must be changed
Security Account Types and Credential Management
• Standard users
• Limited privileges
• Should not be able to change the system configuration
• Restricted to account profile
• Credential management policies for personnel
• Password policy
• Protect access to the account and prevent compromise
• Educate users about the risks of reusing credentials and of social engineering
• Guest accounts
• Account with no credentials (anonymous logon)
• Unauthenticated access to hosts and websites
• Must have very limited privileges or be disabled
Security Group-Based Privileges
• User-assigned privileges
• Assign privileges directly to user accounts
• Unmanageable if number of users is large
• Group-based privileges
• Assign permissions to security groups and assign user accounts to relevant groups
• Issues with users inheriting multiple permissions
Images © 123RF.com.
Administrator/Root Accounts
• Privileged/administrative accounts
• Can change system configuration
• Generic administrator/root/superuser
• User account with full control over system
• Key target for attackers
• Often disabled or usage restricted after install
• Administrator credential policies
• Create specific accounts with least privileges (generic account prohibition)
• Enforce multifactor authentication
• Default security groups
• Administrators/sudoers
Service Accounts
• Windows service accounts
• System
• Local Service
• Network Service
• Linux accounts to run services (daemons)
• Deny shell access
• Managing shared service account credentials
Screenshot used with permission from Microsoft.
Shared/Generic/Device Accounts and Credentials
• Shared accounts
• Accounts whose credentials are known to more than one person
• Generic accounts
• Accounts created by default on OS install
• Only account available to manage a device
• Might use a default password
• Risks from shared and generic accounts
• Breaks principle of non-repudiation
• Difficult to keep credential secure
• Credential policies for devices
• Privileged access management software
Secure Shell Keys and Third-party Credentials
• Secure Shell (SSH) used for remote access
• Host key identifies the server
• User key pair used to authenticate to server
• Server holds copy of valid users’ public keys
• Keys must be actively managed
• Third-party credentials
• Passwords and keys to manage cloud services
• Highly vulnerable to accidental disclosure
Screenshot used with permission from Amazon.com.
Topic 8B
Implement Account Policies
Syllabus Objectives Covered
• 3.7 Given a scenario, implement identity and account management controls
Account Attributes and Access Policies
• Account attributes
• Security ID, account name, credential
• Extended profile attributes
• Per-app settings and files
• Access policies
• File permissions
• Access rights
• Active Directory Group Policy Objects (GPOs)
Screenshot used with permission from Microsoft.
Account Password Policy Settings
• Length
• Complexity
• Character combinations
• Aging
• History and reuse
• NIST guidance
• Password hints
Account Restrictions
• Network location
• Connecting from a VLAN or IP subnet/remote IP
• Connecting to a machine type or group (clients versus servers)
• Interactive versus remote logon
• Geolocation
• By IP address
• By Location Services
• Geofencing
• Geotagging
• Time-based restrictions
• Logon hours
• Logon duration
• Impossible travel time/risky login
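Worked example of the impossible travel check (added here; not from the CompTIA material): it runs over constructed logon records that carry a geolocation and flags any logon that would have required faster-than-airliner travel since the same user's previous logon. The 1000 km/h threshold and the sample coordinates are assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed sample logon events: (user, UTC timestamp, latitude, longitude).
# Coordinates roughly match London, Sydney and Paris; the events are made up.
SAMPLE_LOGONS = [
    ("alice", "2020-01-01T09:00:00Z", 51.5074, -0.1278),
    ("alice", "2020-01-01T10:30:00Z", -33.8688, 151.2093),
    ("bob", "2020-01-01T09:00:00Z", 51.5074, -0.1278),
    ("bob", "2020-01-01T18:00:00Z", 48.8566, 2.3522),
]

# Hypothetical policy threshold: faster than any airliner is treated as impossible.
MAX_PLAUSIBLE_KMH = 1000.0
EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_impossible_travel(logons, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, timestamp, implied_kmh) for every logon that would have
    required moving faster than max_kmh since that user's previous logon."""
    flagged = []
    last = {}  # user -> (timestamp, lat, lon) of the most recent logon seen
    for user, ts, lat, lon in sorted(logons, key=lambda e: (e[0], parse_ts(e[1]))):
        t = parse_ts(ts)
        if user in last:
            pt, plat, plon = last[user]
            hours = (t - pt).total_seconds() / 3600.0
            dist = haversine_km(plat, plon, lat, lon)
            # Two logons at the same instant from different places: infinite speed.
            if dist > 0 and hours <= 0:
                speed = float("inf")
            else:
                speed = dist / hours if hours > 0 else 0.0
            if speed > max_kmh:
                flagged.append((user, ts, round(speed, 1)))
        last[user] = (t, lat, lon)
    return flagged
```

A flagged logon is a risky-login signal to feed into conditional access or an alert, not proof of compromise on its own.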
Account Audits
• Accounting and auditing to detect account misuse
• Use of file permissions to read and modify data
• Failed login or resource access attempts
• Recertification
• Monitoring use of privileges
• Granting/revoking privileges
• Communication between IT and HR
Screenshot used with permission from Microsoft.
Account Permissions
• Impact of improperly configured accounts
• Insufficient permissions
• Unnecessary permissions
• Escalating and revoking privileges
• Permission auditing tools
Screenshot used with permission from Microsoft.
Usage Audits
• Account logon and management events
• Process creation
• Object access (file system / file shares)
• Changes to audit policy
• Changes to system security and integrity (anti-virus, host firewall, and so on)
Screenshot used with permission from Microsoft.
Account Lockout and Disablement
Screenshot used with permission from Microsoft.
• Disablement
• Login is disabled until manually re-enabled
• Combine with remote logoff
• Lockout
• Login is prevented for a period and then re-enabled
• Policies to enforce automatic lockout
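Added example (not from the lesson) of a sliding-window lockout policy: once a threshold of failed logons occurs inside the window the account is locked for a set period and then re-enabled automatically, whereas a disabled account would stay off until an administrator re-enables it. The threshold, window and duration values are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

class LockoutPolicy:
    """Sliding-window lockout: `threshold` failures inside `window` lock the account
    for `duration`, then it re-enables itself. Defaults are hypothetical values."""
    def __init__(self, threshold=5, window=timedelta(minutes=15),
                 duration=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self.duration = duration
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> when the lockout expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout period has elapsed: re-enable without admin action.
            del self.locked_until[user]
            self.failures[user].clear()
            return False
        return True

    def attempt(self, user, success, now):
        """Record one logon attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"  # rejected before the credential is even checked
        if success:
            self.failures[user].clear()
            return "ok"
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[user] = now + self.duration
            return "locked"
        return "failed"

def simulate(policy=None):
    """Constructed attempt sequence for one account; returns the outcomes."""
    p = policy or LockoutPolicy()
    t0 = datetime(2020, 1, 1, 9, 0, tzinfo=timezone.utc)
    out = [p.attempt("alice", False, t0 + timedelta(seconds=10 * i)) for i in range(5)]
    out.append(p.attempt("alice", True, t0 + timedelta(minutes=5)))   # right password, still locked
    out.append(p.attempt("alice", True, t0 + timedelta(minutes=40)))  # lockout has expired
    return out
```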
Topic 8C
Implement Authorization Solutions
Syllabus Objectives Covered
• 2.4 Summarize authentication and authorization design concepts
• 3.8 Given a scenario, implement authentication and authorization solutions
• 4.1 Given a scenario, use the appropriate tool to assess organizational security (chmod only)
Discretionary and Role-Based Access Control
• Access control model determines how users receive permissions/rights
• Discretionary Access Control (DAC)
• Based on resource ownership
• Access Control Lists (ACLs)
• Vulnerable to compromised privileged user accounts
• Role-Based Access Control (RBAC)
• Non-discretionary and more centralized control
• Based on defining roles then allocating users to roles
• Users should only inherit role permissions to perform particular tasks
File System Security
• Access Control List (ACL)
• Access Control Entry (ACE)
• File system support
• Linux permissions and chmod
• Symbolic (rwx)
• User, group, world
• Octal
• r=4
• w=2
• x=1
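Added example, not from the lesson: a converter from the symbolic rwx form to the octal argument chmod takes, using the r=4, w=2, x=1 values above, plus an audit pass that flags world-writable and setuid/setgid entries in a constructed listing. It also decodes the setuid/setgid/sticky markers (s/S, t/T) that ls shows, which goes beyond the slide's rwx example.

```python
import stat

# Bit values from the lesson: r=4, w=2, x=1, applied to user, group and world in turn.
_BITS = {"r": 4, "w": 2, "x": 1}

def symbolic_to_octal(mode):
    """Turn a symbolic mode such as 'rwxr-x---' (or a full ls -l string such as
    '-rwxr-x---') into the four-digit octal string chmod accepts, e.g. '0750'.
    The s/S and t/T markers (setuid, setgid, sticky) are decoded as well."""
    if len(mode) == 10:  # full ls -l string: drop the file-type column
        mode = mode[1:]
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters")
    special, digits = 0, []
    for i in range(3):
        r, w, x = mode[3 * i:3 * i + 3]
        val = (_BITS["r"] if r == "r" else 0) + (_BITS["w"] if w == "w" else 0)
        if x in "xst":
            val += _BITS["x"]
        if x in "sS" and i < 2:
            special |= 4 if i == 0 else 2  # setuid (user) or setgid (group)
        elif x in "tT" and i == 2:
            special |= 1                   # sticky bit (world position)
        digits.append(val)
    return f"{special}{digits[0]}{digits[1]}{digits[2]}"

def risky_permissions(path_modes):
    """Given {path: symbolic mode}, return the entries a permissions audit should
    flag: world-writable objects and setuid/setgid executables."""
    findings = {}
    for path, mode in path_modes.items():
        octal = symbolic_to_octal(mode)
        bits = int(octal, 8)
        reasons = []
        if bits & stat.S_IWOTH:
            reasons.append("world-writable")
        if bits & stat.S_ISUID:
            reasons.append("setuid")
        if bits & stat.S_ISGID:
            reasons.append("setgid")
        if reasons:
            findings[path] = (octal, reasons)
    return findings

# Constructed sample listing; not taken from any real system.
SAMPLE_LISTING = {
    "/srv/app/config.yml": "-rw-r-----",
    "/var/www/uploads": "drwxrwxrwx",
    "/usr/local/bin/tool": "-rwsr-xr-x",
    "/home/alice/notes": "-rw-rw-rw-",
}
```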
Screenshot used with permission from Microsoft.
Mandatory and Attribute-Based Access Control
• Mandatory Access Control (MAC)
• Labels and clearance
• System policies to restrict access
• Attribute-Based Access Control (ABAC)
• Access decisions based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes
• Conditional access
Rule-Based Access Control
• Non-discretionary
• System determines rules, not users
• Conditional access
• Continual authentication
• User account control (UAC)
• Privileged access management
• Policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts
Directory Services
• Database of subjects
• Users, computers, security groups/roles, and services
• Access Control Lists (authorizations)
• X.500 and Lightweight Directory Access Protocol (LDAP)
• Distinguished names
• Attribute=Value pairs
CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=foo
Federation and Attestation
• Federated identity management
• Networks under separate administrative control share users
• Identity providers and attestation
• Cloud versus on-premises requirements
Images © 123rf.com.
Security Assertions Markup Language
• Open standard for implementing identity and service provider communications
• Attestations/assertions
• XML format
• Signed using XML signature specification
• Communications protocols
• HTTPS
• Simple Object Access Protocol (SOAP)
SAML response example from the slide:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="200" Version="2.0"
  IssueInstant="2020-01-01T20:00:10Z"
  Destination="https://sp.foo/saml/acs" InResponseTo="100">
  <saml:Issuer>https://idp.foo/sso</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <samlp:Status>...(success)...</samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="2000" Version="2.0"
    IssueInstant="2020-01-01T20:00:09Z">
    <saml:Issuer>https://idp.foo/sso</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <saml:Subject>...
    <saml:Conditions>...
      <saml:AudienceRestriction>...
    <saml:AuthnStatement>...
    <saml:AttributeStatement>
      <saml:Attribute>...
      <saml:Attribute>...
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
OAuth and OpenID Connect
• “User-centric” federated services better suited to consumer websites
• Representational State Transfer (REST) Application Programming Interfaces (APIs) (RESTful APIs)
• Framework for implementation not a protocol
• OAuth
• Designed to communicate authorizations rather than explicitly authenticate a subject
• Client sites and apps interact with OAuth IdPs and resource servers that hold the principal’s account/data
• Different flow types for server to server or mobile app to server
• JavaScript object notation (JSON) web token (JWT)
• OpenID Connect (OIDC)
• Adds functions and flows to OAuth to support explicit authentication
Topic 8D
Explain the Importance of Personnel Policies
Syllabus Objectives Covered
• 5.3 Explain the importance of policies to organizational security
Conduct Policies
• Acceptable use policy (AUP)
• Employee use of employer’s hardware and software assets
• Rules of behavior and social media analysis
• General requirements for professional standards
• Covers personal communications and social media accounts
• Additional clauses for privileged users
• Use of personally owned devices
• Bring your own device
• Shadow IT
• Clean desk
User and Role-based Training
• Impacts and risks from untrained users
• Topics for security awareness
• Overview of security policies
• Incident response procedures
• Site security procedures
• Data handling
• Password and account management
• Awareness of social engineering and malware threats
• Secure use of software such as browsers and email clients
• Role-based training
• Appropriate language
• Level of technical content
Diversity of Training Techniques
• Engagement and retention
• Training delivery methods
• Phishing campaigns
• Simulating phishing messages to test employee awareness
• Capture the flag
• Computer-based training (CBT)
• Simulations
• Branching scenarios
• Gamification elements
Lesson 8
Summary