INFORMATION

ASSURANCE &
SECURITY 1
 MODULE 5
IMPLEMENTING ACCESS CONTROL,
AUTHENTICATION,
AND ACCOUNT MANAGEMENT
OBJECTIVES
Upon completion of this module, the student would be able to:
▪ Define the Access Control and its goals;
▪ Demonstrate the concepts of Directory Services;
▪ Enumerate the types of securing remote access
▪ Explain the concepts of account management security controls;
▪ Discuss Account Management Security Controls concepts;
▪ Give different Account Policy concepts;
 ACCESS CONTROL AND
AUTHENTICATION SERVICES
ACCESS CONTROL

Access control is a way of limiting

access to a system or to physical or
virtual resources.
Directory Services

Authentication

Centralized
Administration

A directory service stores, organizes, and provides access to information in a directory.

Active Directory

Active Directory is a directory

services implementation that
provides all sorts of functionality
like authentication, group and
user management, policy
administration and more.
Active Directory is a technology created by Microsoft that provides a
variety of network services, including the following:
❑ Lightweight Directory Access Protocol (LDAP)
❑ Kerberos-based and single sign-on authentication
❑ Directory services, including DNS-based naming
❑ Central location for network administration and delegation of authority
 LDAP

LDAP (Lightweight Directory

Access Protocol) is an open
and cross platform protocol
used for directory services
authentication.
LDAP
LDAP Client

LDAP makes use of port 389.

Directory query

LDAP Server

LDAP Client
Stores directory
data Directory query
LDAP Port 636 is used for secure LDAP (LDAPS).
LDAP Client

Signed certificate Trusted session

LDAP Server LDAP Client

LDAP vs. Active Directory

Realistically, there are probably more differences than similarities between the
two directory solutions. Microsoft’s AD is largely a directory for Windows® users,
devices, and applications. AD requires a Microsoft Domain Controller to be
present and when it is, users are able to single sign-on to Windows resources that
live within the domain structure.
LDAP Authentication
There are two options for LDAP authentication in LDAP v3 – simple and SASL
(Simple Authentication and Security Layer).

Simple authentication allows for three possible authentication mechanisms:

❑Anonymous authentication

❑Unauthenticated authentication

❑Name/Password authentication
 Kerberos

❑ Based on a time-sensitive ticket granting system.

❑ Developed by MIT to use SSO.
❑ Can manage access control to many services
using one centralized authentication server.
Tunneling - A tunneling protocol is a communications protocol that
allows for the movement of data from one network to another

Carrier
Protocol
Encapsulating
Packet
Original Packet
The three types of tunneling protocols used with a VPN server/RAS
server running on Windows Server 2008 R2 include:

❑Point-to-Point Tunneling Protocol (PPTP)

❑Layer 2 Tunneling Protocol (L2TP)

❑Secure Socket Tunneling Protocol (SSTP

 PAP - Password Authentication Protocol

Remote Client Unix Server

Request is sent Credentials are verified

Password Authentication Protocol (PAP): Uses plain text (unencrypted passwords).

CHAP - Challenge-Handshake Authentication Protocol

Directory query

Challenge

Response

Remote Client Logon accepted RAS

Challenge Handshake Authentication Protocol (CHAP): A challenge-response

authentication that uses the industry standard md5 hashing scheme to encrypt
the response.
Guidelines for Securing Remote Access

❑ Implement one-time password authentication.

❑ Avoid using outdated remote access protocols.

❑ Implement a VPN.

❑ Implement time-based OTPs.

❑ Use secure tunneling protocols.

PGP - Pretty Good Privacy

❑ Public email security

❑ Digital signing
❑ Encrypt message contents and
encrypt key

Pretty Good Privacy (PGP) is a freeware email encryption system that uses
symmetrical and asymmetrical encryption. When an email is sent, the document
is encrypted with the public key and a session key.
 RADIUS - Remote Authentication Dial-In User Service

Access servers receive

Remote clients connect to requests and pass credentials
access servers to RADIUS server The RADIUS server uses a symmetric
encryption method.

RADIUS server accepts

and processes all
authentication
requests
RADIUS Server

Remote Clients Access Servers

Configured as
RADIUS Clients
TACACS
❑ TACACS is known as Terminal Access Controller Access Control System, is a
remote protocol used to link with a server in networks.
❑ It permits a remote access server to connect with an authentication server to
determine if the user has access to the system.
How does TACACS+ work?

❑The TACACS+ Server is queried by the client, and the server

responds if the user passed or failed authentication.

❑The network device then takes these credentials and validates it

with the server.

❑And also, This server responds by indicating when the user

whether has access to the device or not.
What are the advantages of [TACACS]?

1.The password sent encrypted to the server

2.Credentials not saved on network devices
3.It registers all executed commands
SAML - Security Assertion Markup Language
Security Assertion Markup Language (SAML) is an open standard that
allows identity providers (IdP) to pass authorization credentials to service
providers (SP).
One-Time Passwords – HOTP and TOTP

One-Time Passwords (OTP) are pretty much what their name says: a password that
can be only used one time.
 HOTP

HMAC
One-Time
Password:

0325170

HMAC-based one-time password (HOTP) tokens are devices that generate

passwords based on a nonrepeating one-way function. It is not restricted to time.
TOTP - Time-based One-Time Password
Tokens are devices or applications that generate passwords at fixed time intervals.
Therefore, the password will only be valid for a predefined time interval.

HMAC One-Time
Password:

0325170

Expires in:

60 seconds
 SUBTOPIC 2

IMPLEMENT ACCOUNT MANAGEMENT

SECURITY CONTROLS
 IMPLEMENT ACCOUNT
MANAGEMENT SECURITY
CONTROLS
ACCOUNT MANAGEMENT is one of the most important aspects of
an organization’s security posture.
ACCOUNT TYPES
USER ACCOUNT holds the most limited amount of access to a system, but
it is also the level that the vast majority of users have.

A SHARED ACCOUNT, sometimes known as a generic account, is one that

can be utilized by more than one assigned user.

SERVICE ACCOUNTS control the privileges and functions of an application.

PRIVILEGED ACCOUNTS should be defined for each administrative role and

system within an organization, allowing for separation of duties and
preventing too much power being placed in too few accounts.
Account Policy Enforcement

Account Policy enforcement comes into play because all users have the
right level of access and account type to meet their business function
does not mean an organization is as secure as it could be.
CREDENTIAL MANAGEMENT is an overall service that stores,
manages, and often audits logins of user credentials in a central
location, offered to both individuals and enterprise networks.
ACCOUNT LOCKOUT is another policy that automatically disables
an account when a certain threshold of incorrect passwords are
used to log in, requiring a user to recover access to their account
with a new password or by satisfying other requirements, such as
security questions.
Account Privileges
A PRIVILEGED ACCOUNT is a user account that has more privileges than ordinary
users.
Account Policy

❑Account creation
❑Resource management
❑Shared and multiple account access
❑User access reviews
❑Account prohibition
❑Password policies
Account Federation

Microsoft
Account

A federated identity in information technology is the means of linking a person's

electronic identity and attributes, stored across multiple distinct identity
management systems.
Credential Management

Credential Management is the set of practices that an organization uses to

issue, track, update, and revoke credentials for identities within their context.
Group Policy

Group Policy provides centralized management and configuration of

operating systems, applications, and users' settings in an Active Directory
environment.
ACCOUNT LOCKOUT
Account lockout keeps the account secure by preventing anyone or
anything from guessing the username and password. When your account
is locked, you must wait the set amount of time before being able to log
into your account again.
PASSWORDS
A password is a string of characters used for authenticating a user
on a computer system.
Password Policies to Enhance Security

There are a variety of configuration settings that can be used on systems to

ensure that users are required to set and maintain strong passwords.

A basic component of an information security program is ensuring that

employees select and use strong passwords.
 PASSWORD COMPLEXITY
A complex password uses different types of characters in unique ways to
increase security. Passwords must meet or exceed these criteria:

• Changed at least every 180 days.

• Between 8 and 128 characters long.
• Use at least 3 of the following types of characters:
✓ uppercase letters,
✓ lowercase letters,
✓ numbers, and/or
✓ special characters
✓ Password must be unique and cannot be re-used.
PASSWORD COMPLEXITY
Password Length

The length of a password is a key component of ensuring the strength of a

password. Password length is the number of characters used in a password. A
password with 2 characters is considered very insecure, because there is a very
limited set of unique passwords that can be made using 2 characters. A 2-
character password is considered trivial to guess.
Password complexity deals with the characters used to make
up the password. A complex password will use characters from
at least three of the following categories:
✓English uppercase characters (A through Z)
✓English lowercase characters (a through z)
✓Numeric characters (0 through 9)
✓Non-alphanumeric characters (such as !, @, #, $, %, ^, &)
Microsoft provides several controls that can be used to ensure the
security associated with passwords is maintained. These include:
Password complexity
Account lockout
Password history
Time between password changes
Group Policies that enforce password security
Education on common attack methods
PASSWORD HISTORY

Password history policy setting determines the number of unique new

passwords that must be associated with a user account before an old password
can be reused.
Account lockout refers to the number of incorrect logon attempts permitted
before the system will lock the account.

❑Account lockout duration: This setting determines the length of time a

lockout will remain in place before another logon attempt can be made

❑Account lockout threshold: This setting determines the number of failed

logons permitted before the account lockout occurs.

❑Reset account lockout counter after: This setting determines the period of
time, in minutes, that must elapse before the account lockout counter is
reset to 0 bad logon attempts.
Setting Time Between Password Changes

Minimum Password Age: The minimum password age setting controls how many
days a user must wait before they can reset their password. This can be set to a
value from 1 to 998 days.

Maximum Password Age: The maximum password age setting controls the
maximum period of time permitted before a user is forced to reset their
password.

Passwords should always expire, unless under unique circumstances, such as

service accounts for running applications.
Group Policies to Enforce Password Security

A Group Policy Object (GPO) is a set of rules which allow an administrator

granular control over the configuration of objects in Active Directory (AD),
including user accounts, operating systems, applications, and other AD objects.
Guidelines for Implementing Account Management Security Controls

❑ Implement the principle of least privilege for user and group account access.
❑ Verify that an account policy exists and includes all account policy guidelines.
❑ Verify that account request and approval procedures are in place and enforced.
❑ Verify that account modification procedures are in place and enforced.
❑ Verify that strong user name and password guidelines are documented.
Guidelines for Implementing Account Management Security Controls

❑ Verify that account usage guidelines are documented.

❑ Limit multiple and shared accounts.
❑ Store user names and passwords in encrypted databases.
❑ Implement group policies.
❑ Monitor account events.
• CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide
Paperback – October 12, 2017 by Darril Gibson

• CompTIA Security+ SY0-501 Cert Guide (4th Edition) (Certification

Guide), David L. Prowse (2018)

• CompTIA Security+ Study Guide: Exam SY0-501 7th Edition by

Emmett Dulaney (Author), Chuck Easttom (Author)