Identity and Access Management
• Identify
• Authenticate
• Authorize
• Manage Accounts
Access Control
Model | Description
MAC (Mandatory Access Control)
• Compares object's security designation with subject's clearance level.
• Clearance level must meet or exceed designation to gain access.
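The MAC comparison described above, as an added example (not code from the slides): a subject's clearance must meet or exceed the object's designation before read access is granted. The level names, and the compartment ("need to know") sets that extend the plain level comparison into a dominance check, are assumptions made for illustration.

```python
# Added example (not from the slides): a Mandatory Access Control read check.
# The level names and the compartment extension are assumptions for illustration.
from dataclasses import dataclass, field

# Ordered sensitivity levels, lowest to highest (assumed set).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: a sensitivity level plus a set of compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True when this label's level meets or exceeds the other's level
        and this label holds every compartment the other label requires."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


def mac_read_allowed(subject_clearance: Label, object_designation: Label) -> bool:
    """Read access is granted only when the subject's clearance dominates the
    object's designation: the comparison the slide describes."""
    return subject_clearance.dominates(object_designation)


def explain(subject: Label, obj: Label) -> str:
    """Human-readable verdict for a single access decision."""
    verdict = "ALLOW" if mac_read_allowed(subject, obj) else "DENY"
    return (f"{verdict}: clearance {subject.level} {sorted(subject.compartments)} "
            f"vs designation {obj.level} {sorted(obj.compartments)}")


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"CRYPTO"}))
    print(explain(analyst, Label("Confidential")))                    # higher level, no compartments required
    print(explain(analyst, Label("Secret", frozenset({"CRYPTO"}))))   # equal level, compartment held
    print(explain(analyst, Label("Top Secret")))                      # level too low
    print(explain(analyst, Label("Secret", frozenset({"NUCLEAR"}))))  # missing compartment
```

The decision is made entirely from labels the system assigns; the subject cannot change either label, which is what distinguishes MAC from discretionary models where the owner sets permissions.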
Smart Cards
• Smart cards are credit card-sized cards that have an embedded microchip and a certificate.
• Smart card reader reads the information on the card, including the details from the certificate on the card.
HOTP
HMAC-Based One-Time Password
• Usually 30 seconds
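The HOTP algorithm named on the slide, as an added example that is not part of the original deck: HOTP (RFC 4226) derives each code from an HMAC-SHA1 over a shared secret and an incrementing counter. The 30-second step quoted above belongs to the time-based variant, TOTP (RFC 6238), which obtains the counter from the clock instead; both are shown. The standard-library calls are real; the server-side `verify_hotp` helper with its look-ahead window is an assumed design for illustration.

```python
# Added example (not part of the slides): HOTP per RFC 4226 and the TOTP
# variant per RFC 6238, using only the Python standard library.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # low nibble of the last byte selects 4 bytes
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock: floor(time / step).
    A 30-second step is the common default."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, submitted: str, expected_counter: int, look_ahead: int = 3):
    """Assumed server-side HOTP check. The server stores the next expected
    counter and accepts a code from that counter or a few counters ahead (the
    user may have generated codes that were never submitted). Codes behind the
    stored counter are rejected, which blocks replay of an already-used value.
    Returns the new expected counter on success, or None on failure."""
    for candidate in range(expected_counter, expected_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate + 1
    return None


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
    rfc_secret = b"12345678901234567890"
    for c in range(3):
        print(c, hotp(rfc_secret, c))            # 755224, 287082, 359152
    print(totp(rfc_secret, 59, digits=8))        # 94287082 (RFC 6238 test vector)
    print(verify_hotp(rfc_secret, "287082", 0))  # 2: accepted at counter 1, next expected is 2
    print(verify_hotp(rfc_secret, "755224", 2))  # None: counter-0 code is behind the stored counter
```

The counter comparison is what makes HOTP one-time: once the server has moved past a counter value, the code for that value is never accepted again, so an intercepted code is useless after it has been used.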
Biometric Devices
• Fingerprint scanners
  • Capture live image of person's fingerprint.
  • Virtually unique to each individual, so reasonably accurate.
• Voice recognition
  • Uses voice acoustics features.
• Retinal scanners
  • Scan blood vessels in retina portion of the eye.
  • Blood vessels are complex; don't change except from disease or injury.
  • Invasive as it requires the device to be very close to the eye.
• Iris scanners
  • Scan the entire iris of a person's eye.
  • Capture near-infrared image from comfortable distances.
  • Iris is less likely to be affected by diseases.
  • Pictures can be taken 3 to 10 inches away.
• Facial recognition
  • Take digital image of entire face.
  • Identify unique features like distance between eyes, nose length and width, etc.
  • Prone to error due to changes in lighting, hair, makeup, etc.
Biometric Errors
• False Rejection: When a biometric system incorrectly rejects an authorized user.
• False Rejection Rate (FRR): Identifies the percentage of times false rejections occur.
• CER: Percentage that represents the point at which the false rejection rate equals the false positive rate.
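The error rates defined above, worked through as an added example (not code from the slides): FRR is the share of authorized users wrongly rejected, FAR (the false positive rate in the slide's wording) is the share of impostors wrongly accepted, and the CER is the threshold where the two curves cross. The match scores and the accept-when-score-at-or-above-threshold rule are constructed assumptions for illustration.

```python
# Added example (not from the slides): FRR, FAR and crossover error rate
# computed from constructed match scores. The scores and the threshold rule
# (accept when score >= threshold) are assumptions for illustration.

# Constructed comparison scores from a hypothetical matcher (0.0 to 1.0).
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.69, 0.65, 0.58, 0.95, 0.84, 0.73]   # authorized users vs own template
IMPOSTOR_SCORES = [0.12, 0.25, 0.31, 0.40, 0.47, 0.55, 0.62, 0.18, 0.36, 0.71]  # other people vs that template


def error_rates(genuine, impostor, threshold):
    """FRR: fraction of genuine attempts rejected (score below threshold).
    FAR: fraction of impostor attempts accepted (score at or above threshold);
    the slide calls this the false positive rate."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return the one
    where FRR and FAR are closest, together with the rates there. The CER
    (also called the equal error rate) is the common value at that point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, t, frr, far = best
    return {"threshold": t, "frr": frr, "far": far, "cer": (frr + far) / 2}


if __name__ == "__main__":
    # Raising the threshold trades false acceptances for false rejections.
    for t in (0.5, 0.65, 0.8):
        frr, far = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:.2f}: FRR={frr:.0%} FAR={far:.0%}")
    print(crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

A lower CER means a better sensor overall, but the operating threshold is still a policy choice: a door to a server room is usually tuned for low FAR at the cost of more false rejections, while a convenience login may accept the opposite trade.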
• Specialized type of smart card used by the U.S. Department of Defense.
Directory Services
• Can include:
  • Users
  • Groups
  • Servers
  • Clients
  • Printers
  • Network services
Example directory tree: Company Develetech; Region US, EU.
LDAP (Lightweight Directory Access Protocol)
• Specifies formats and methods to query directories.
• Directory is a database of objects that provides a central point to manage users, computers, and other objects.
LDAP Secure (LDAPS)
• LDAP Secure (LDAPS) encrypts LDAP transmissions with SSL or TLS.
Remote Access Methods
• Remote Access Server (RAS) can provide access control to all or part of a network.
Tunneling
• Technique in which a data packet is put inside another packet.
• Diagram labels: Carrier Protocol, Encapsulating Packet, Original Packet.
Protocol | Description
PPP
• Legacy standard for sending packets over phone lines.
• Commonly used for dial-up Internet access.
PPTP
• Microsoft VPN protocol.
• Provides tunneling and encryption for PPP packets.
• Common in older Windows clients; no longer recommended.
L2TP
• VPN protocol.
• Does not provide encryption on its own; often used with IPSec.
Password Authentication Protocol (PAP)
Developed so passwords wouldn't need to be sent in plaintext.
Typically used to connect non-Windows servers.
NT LAN Manager (NTLM)
• Authentication protocol created by Microsoft and first released in
early versions of Windows NT.
• Discouraged by Microsoft.
Authentication, Authorization, and Accounting (AAA)
• Tasks are:
  • Authentication
  • Authorization
  • Accounting
    • Logging actions to create an audit trail
Remote Authentication Dial-In User Service (RADIUS)
• Initially developed to authenticate modem users.
• Network Access Server (NAS): The general term for a remote access server used in RADIUS.

• Realm: a grouping of principals that a KDC provides service for; looks like a domain name.
Account Management
• The processes, functions, and policies used to effectively manage user accounts in an organization.
Account Privileges
Account Policy
• Document that includes an organization's requirements for account creation, monitoring, and removal.
Password Policy
• Password complexity
• Password history
• Password reuse
Multiple Accounts
• User can have several accounts on the same system.
Shared Accounts
• One account used by more than one user.
• Examples:
Account Management Security Controls
Control | Description
Standard naming conventions
• Reduce confusion by naming accounts consistently.
• Refrain from using nicknames or anonymous user names.
Account maintenance
• You will need to modify or remove accounts.
• Have a plan in place to avoid missing necessary changes.
Onboarding/offboarding
• New employees should have new accounts in a timely manner.
• Terminated employee accounts should be removed as soon as possible.
Access recertification
• Perform regular permissions audits to uphold least privilege.
• Can help you identify what accounts need modification.
Usage auditing
• You should also monitor how accounts are used.
• Can help you spot malicious behavior.
Group-based access control
• Place users into groups for easier management.
• Helps you understand each user's job function.
Location-based policies
• Restrict physical and virtual locations from which users gain access.
• Can help mitigate remote attacks from unknown sources.
Time-of-day restrictions
• Attackers may gain access during off-hours to avoid detection.
• Restrict access to only when the employee is working.
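Usage auditing combined with the location-based and time-of-day controls from the table, as an added example that is not part of the slides: a small audit that reads login records and flags any that fall outside an account's permitted sites or working hours. The log format, the site codes, the per-account policy and the sample records are all constructed assumptions.

```python
# Added example (not from the slides): a usage audit over constructed login
# records that applies location-based and time-of-day policies from the table.
# Log format, site codes, the per-account policy and the records are assumptions.
from datetime import datetime, time

# Constructed sample records (not real data): ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2024-03-04T09:15:00 user=alice site=HQ result=success
2024-03-04T22:40:00 user=alice site=HQ result=success
2024-03-05T10:05:00 user=bob site=REMOTE-VPN result=success
2024-03-09T11:00:00 user=bob site=HQ result=success
2024-03-05T14:30:00 user=carol site=BRANCH-EU result=failure
2024-03-05T14:31:00 user=carol site=HQ result=success
"""

WEEKDAYS = (0, 1, 2, 3, 4)  # Monday..Friday, as datetime.weekday() numbers

# Assumed per-account policy: permitted sites and working hours.
POLICY = {
    "alice": {"sites": {"HQ"}, "hours": (time(8), time(18)), "days": WEEKDAYS},
    "bob":   {"sites": {"HQ", "REMOTE-VPN"}, "hours": (time(8), time(18)), "days": WEEKDAYS},
    "carol": {"sites": {"HQ"}, "hours": (time(8), time(18)), "days": WEEKDAYS},
}


def parse_event(line):
    """Turn one log line into a dict with a datetime plus the key=value fields."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def audit_logins(log_text, policy):
    """Return (user, timestamp, reason) for every record that violates the
    account's location or time-of-day policy. Failed attempts are checked too:
    a denied login from an unexpected place is still worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, when = ev["user"], ev["time"]
        rule = policy.get(user)
        if rule is None:
            # An account with no policy is itself a maintenance finding.
            findings.append((user, when, "no policy defined for account"))
            continue
        if ev["site"] not in rule["sites"]:
            findings.append((user, when, f"location {ev['site']} not permitted"))
        start, end = rule["hours"]
        if when.weekday() not in rule["days"] or not (start <= when.time() < end):
            findings.append((user, when, "outside permitted working hours"))
    return findings


if __name__ == "__main__":
    for user, when, reason in audit_logins(SAMPLE_LOG, POLICY):
        print(f"{when:%Y-%m-%d %H:%M} {user:<6} {reason}")
```

On the sample data the audit reports alice's late-evening login, bob's Saturday login, and carol's attempt from a branch she is not assigned to; each is a prompt to check with the account owner or adjust the policy, which is the feedback loop the table's recertification and auditing rows describe.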
Group Policy
Identity Federation
Method | Description
• The general idea is that this lets you authorize a website to use something that you control at a different website.
• For instance, if you have a LinkedIn account, the system might ask you to let it have access to your Google contacts in order to find your friends who already have accounts in LinkedIn.
• If you agree, you will next see a pop-up from Google asking whether you want to authorize LinkedIn to manage your contacts.