
CompTIA Security+

Module 05

Implementing Access Control, Authentication and Account Management

Copyright © 2014 Logical Operations, Inc. All rights reserved. OV 5 - 1


Implementing Access Control, Authentication, and Account Management

• Access Control and Authentication Services
• Implement Account Management Security Controls


Directory Services

(Figure: a directory service provides authentication and centralized administration.)


LDAP

(Figure: two LDAP clients each send a directory query to an LDAP server, which stores the directory data.)


LDAPS

(Figure: LDAP clients establish a trusted session with the LDAP server, authenticated by a signed certificate.)


Common Directory Services

• Microsoft Active Directory
• Sun Java System Directory Server
• OpenDS
• OpenLDAP
• Open Directory


Remote Access Methods

• RAS gateway connection:
  • Access as part of the internal network
• VPN remote access:
  • Access through an intermediate network such as the Internet


Tunneling

(Figure: the original packet is wrapped inside an encapsulating packet, which is in turn carried by the carrier protocol.)


Remote Access Protocols

• PPP
• PPTP
• L2TP
• SSTP


HOTP

(Figure: an HMAC One-Time Password token displaying the sample code 0325170.)


TOTP

(Figure: an HMAC One-Time Password token displaying the sample code 0325170 with the note "Expires in: 60 seconds".)


PAP

(Figure: the remote client sends a request to a Unix server, which verifies the credentials.)


CHAP

(Figure: the RAS sends a challenge to the remote client, the client returns a response, the RAS checks it with a directory query, and the logon is accepted.)
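The PAP and CHAP slides above only sketch the exchanges. This added example, not part of the original deck, works through one CHAP round from RFC 1994 with both sides' messages: the response is MD5(Identifier || Secret || Challenge), so the secret itself never crosses the link (unlike PAP), and a fresh random challenge per attempt means a captured response cannot be reused. The challenge generation and the `simulate_exchange` helper are assumptions added for illustration; the hashing is the CHAP definition.

```python
import hashlib
import hmac
import os


def chap_challenge() -> bytes:
    """RAS side: a fresh, unpredictable challenge for every attempt."""
    return os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994): MD5 over Identifier || Secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """RAS side: recompute from the stored secret and compare in constant time.
    Note the server needs the secret in recoverable form, one reason CHAP
    is paired with the 'reversible password encryption' policy on a later slide."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def simulate_exchange(secret: bytes, identifier: int = 1):
    """One Challenge / Response / Success round. Returns whether the logon was
    accepted and the bytes an observer on the link would have seen."""
    challenge = chap_challenge()                   # RAS -> client
    response = chap_response(identifier, secret, challenge)  # client -> RAS
    accepted = chap_verify(identifier, secret, challenge, response)
    on_the_wire = challenge + response
    return accepted, on_the_wire


if __name__ == "__main__":
    ok, seen = simulate_exchange(b"constructed-demo-secret")
    print("logon accepted:", ok, "| secret visible on link:", b"demo-secret" in seen)
```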


Guidelines for Securing Remote Access

• Implement a VPN.
• Use secure tunneling protocols.
• Implement one-time password authentication.
• Implement time-based OTPs.
• Avoid using outdated remote access protocols.


PGP

• Public email security
• Encrypt message contents and encrypt the key
• Digital signing


RADIUS

(Figure: remote clients connect to access servers; the access servers, configured as RADIUS clients, receive the requests and pass the credentials to the RADIUS server, which accepts and processes all authentication requests.)


TACACS

Features of TACACS+ include:

• Provides centralized authentication and authorization services for remote users.
• Supports multi-factor authentication.
• Accepts login requests and authenticates access credentials.
• Encrypts the entire authentication process.
• Includes process-wide encryption for authentication.
• Replaces TACACS and XTACACS.


Kerberos

• Based on a time-sensitive ticket-granting system.
• Developed by MIT to provide SSO.
• Can manage access control to many services using one centralized authentication server.


SAML (Security Assertion Markup Language)

• Based on XML.
• Exchanges authentication information between client, service, and identity provider.
• Defines security request information.
• Web-based single sign-on across multiple protocols.


Identity Management

• Specific characteristics of individuals or resources.
• Assign identity with access controls.
• Prevent identity theft.


Account Management

• Processes
• Functions
• Policies


Account Privileges

• What tasks a user is allowed to perform on a system (permissions).
• User assigned:
  • Unique to each user
  • Configured toward job function
• Group based:
  • Each user in the group has the same permissions
• Best practice:
  • Keep privileges well-documented.


Account Policy

• Account creation
• Resource management
• Shared and multiple account access
• User access reviews
• Account prohibition
• Password policies


Multiple Accounts

• User awareness of multiple accounts.
• Access and permissions appropriate for each account.
• Manage privileges, permissions, and replication.


Shared Accounts

Uses:
• Anonymous and guest accounts
• Temporary employee accounts
• Administrative accounts
• Batch processing

Risks:
• Lack of accountability
• Laxity in individual responsibility
• Password distribution


Account Federation

(Figure: example of a federated account: Microsoft Account.)


Account Management Security Controls

• User ID and password requirements
• Account access restrictions
• Account management guidelines
• Multiple account guidelines
• Continuous monitoring


Credential Management


Group Policy

• Password properties
• Account lockout
• Reversible password encryption in storage
• Kerberos restrictions
• Audit account events
• Other rights and controls


Guidelines for Implementing Account Management Security Controls

• Implement the principle of least privilege for user and group account access.
• Verify that an account policy exists and includes all account policy guidelines.
• Verify that account request and approval procedures are in place and enforced.
• Verify that account modification procedures are in place and enforced.
• Verify that strong user name and password guidelines are documented.
• Verify that account usage guidelines are documented.
• Limit multiple and shared accounts.
• Store user names and passwords in encrypted databases.
• Implement group policies.
• Monitor account events.


Reflective Questions

1. What experience do you have with access control? What types of access control services are you familiar with?

2. What account management security controls have you come across in your current job role? Do you think they are sufficient in properly protecting employees' personal information?