Chapter 4: Identity and Access Management

SECURITY PRO
4.1 Identity and Access Management: Access Control Models

Key Terms
CIA Triad
National Institute of Standards and Technology (NIST)
Cybersecurity Frameworks (CSF)
Identity and Access Management (IAM)
Authentication, Authorization, and Accounting (AAA)
Discretionary access control (DAC)
Mandatory access control (MAC)
Role-based access control (RBAC)
Rule-based access control
Least privilege
Security Identifier (SID)
Group Policy Objects (GPOs)
Geolocation

Key Definitions
CIA Triad: Three principles of security control and management: confidentiality,
integrity, and availability. Also known as the information security triad.
National Institute of Standards and Technology (NIST): Develops computer
security standards used by US federal agencies and publishes cybersecurity best
practice guides and research.
Cybersecurity Frameworks (CSF): Standards, best practices, and guidelines
for effective security risk management. Some frameworks are general in nature,
while others are specific to industry or technology types.
Identity and Access Management (IAM): A security process that provides
identification, authentication, and authorization mechanisms for users,
computers, and other entities to work with organizational assets like networks,
operating systems, and applications.
Authentication, Authorization, and Accounting (AAA): A security concept
where a centralized platform verifies subject identification, ensures the subject is
assigned relevant permissions, and then logs these actions to create an audit trail.
Discretionary access control (DAC): An access control model where each
resource is protected by an access control list (ACL) managed by the resource's
owner (or owners).
Mandatory access control (MAC): An access control model where resources are
protected by inflexible, system-defined rules rather than by their owners. Each resource
(object) carries a classification label and each user (subject) a clearance level; the
system compares the two on every access. SELinux and military classification schemes are
the usual examples.
Role-based access control (RBAC): An access control model where resources
are protected by ACLs that are managed by administrators and that provide
user permissions based on job functions.

Rule-based access control: A nondiscretionary access control technique that is
based on a set of operational rules or restrictions to enforce a least privileges
permissions policy.
Least privilege: A basic principle of security stating that something should be
allocated the minimum necessary rights, privileges, or information to perform its
role.
Security Identifier (SID): The value assigned to an account by Windows and that
is used by the operating system to identify that account.
Group Policy Objects (GPOs): On a Windows domain, a way to deploy per-user and
per-computer settings such as password policy, account restrictions, firewall status,
and so on.
Geolocation: The identification or estimation of the physical location of an object,
such as a radar source, mobile phone, or Internet-connected computing device.

Fundamental Security Concepts

Access Control Models

Discretionary Access Control
Every resource has an owner
Uses ACLs, set by the owner (NTFS permissions, POSIX file modes)
Owner can grant access to anyone, which makes DAC flexible but hard to audit

Mandatory Access Control
Every object has a label (classification)
Every user has a level (clearance)
System enforces the comparison; owners cannot override it (SELinux, AppArmor, Bell-LaPadula style models)

Role-Based Access Control
Hybrid between MAC and DAC: nondiscretionary (administrators define it) but still expressed as ACLs
Roles determine access: permissions are attached to roles (job functions), users are assigned to roles
Users get no permissions directly, so a job change is a role assignment rather than an ACL edit

Rule-Based Access Control
Used with routers and firewalls
Uses router ACLs: an ordered list of rules
Each rule allows or denies the traffic that matches it
First matching rule wins, so rule order matters
Anything that matches no rule hits the implicit deny at the end of the list

Attribute-Based Access Control
Flexible access control
Combines attributes of the subject, the object, and the environment (department, sensitivity, time of day, device state)
Uses an if-then-else format: policy rules are evaluated at request time instead of a static ACL

Conditional Access
ABAC applied at sign-in (Microsoft Entra Conditional Access is the common example): signals evaluated for every authentication
User or group
IP address or location
Application being accessed
Device (managed, compliant, platform)
Outcome: allow, block, or require a step-up such as MFA

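The four nondiscretionary models above differ in what they compare at decision time. The following Python is an added illustration, not part of the Security Pro deck: it puts a Bell-LaPadula style MAC check, an RBAC lookup, a first-match rule-based ACL with implicit deny, and an if-then-else ABAC policy side by side. The labels, roles, rules and attribute sets are constructed sample data.

```python
"""Access-control model comparison: MAC, RBAC, rule-based and ABAC decisions.

Added illustration; not Security Pro material. All labels, roles, rules and
attributes below are constructed examples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# --- Mandatory access control: system-defined labels, Bell-LaPadula style.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}

def mac_allows(clearance: str, label: str, action: str) -> bool:
    """No read-up, no write-down: a subject may read objects at or below its
    clearance and write objects at or above it. Neither owner nor user can change this."""
    s, o = LEVELS[clearance], LEVELS[label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False

# --- Role-based access control: permissions hang off job functions, not users.
ROLE_PERMS = {
    "helpdesk": {"ticket:read", "ticket:update", "user:reset-password"},
    "auditor": {"ticket:read", "log:read"},
    "admin": {"ticket:read", "ticket:update", "user:reset-password", "log:read", "user:delete"},
}
USER_ROLES = {"alice": {"helpdesk"}, "bob": {"auditor"}, "carol": {"helpdesk", "auditor"}}

def rbac_allows(user: str, perm: str) -> bool:
    """A user holds a permission only through one of its roles."""
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))

# --- Rule-based access control: an ordered ACL, first match wins, implicit deny.
@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str                       # source CIDR
    dst_port: Optional[int] = None  # None matches any port

RULES = [
    Rule("deny", "10.0.5.0/24"),          # quarantined subnet, placed before the broader permit
    Rule("permit", "10.0.0.0/16", 443),
    Rule("permit", "10.0.0.0/16", 22),
]

def rule_based_allows(src_ip: str, dst_port: int) -> bool:
    """Walk the list in order; the first rule that matches decides."""
    for r in RULES:
        if ip_address(src_ip) in ip_network(r.src) and r.dst_port in (None, dst_port):
            return r.action == "permit"
    return False   # nothing matched: the implicit deny at the end of every ACL

# --- Attribute-based access control: if-then-else over subject/object/environment attributes.
def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    """Policy evaluated per request; no ACL is stored on the resource."""
    if subject["department"] != resource["owner_dept"]:
        return False
    elif resource["sensitivity"] == "high" and not env["mfa"]:
        return False
    elif env["hour"] < 7 or env["hour"] > 19:
        return subject.get("on_call", False)   # after hours only for on-call staff
    else:
        return True
```

Note how only the MAC decision is independent of any list an administrator or owner maintains, and how the rule-based check returns False for a packet that matches nothing: that implicit deny is the reason a missing permit line breaks connectivity rather than opening it.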
Summary
Discretionary
Mandatory
Role-based
Rule-based
Attribute-based
Conditional

Class Discussion
What is access control and why is it important?
How are rule-based access control and mandatory access control (MAC)
similar?
How does role-based control differ from rule-based control?
How do separation of duties and job rotation differ?
Which authentication type requires you to prove your identity?

4.2 Identity and Access Management: Authentication

Section Skill Overview
Use a biometric scanner
Use single sign-on

Key Terms
Multi-factor authentication (MFA)
One-time password (OTP)
Passwordless
Attestation
NT LAN Manager (NTLM) authentication
Pluggable authentication module (PAM)
Kerberos

Key Definitions
Multi-factor authentication (MFA): An authentication scheme that
requires the user to present at least two different factors as credentials;
for example, something you know, something you have, something you
are, something you do, and somewhere you are. Specifying two factors
is known as 2FA.
One-time password (OTP): A password that is generated for use in one
specific session and becomes invalid after the session ends.
Passwordless: Multi-factor authentication scheme that uses ownership and
biometric factors, but not knowledge factors; no password is ever sent to or
stored by the server. FIDO2/WebAuthn security keys and platform authenticators
are the usual implementation.

Attestation: Capability of an authenticator or other cryptographic
module to prove that it is a root of trust and can provide reliable
reporting to prove that a device or computer is a trustworthy platform
(for example, a TPM quote over boot measurements, or a FIDO2 authenticator's
signed statement of its make and model at registration).
NT LAN Manager (NTLM) authentication: A challenge-response
authentication protocol created by Microsoft for use in its products. It
predates Kerberos, does not authenticate the server, and is the protocol
abused by pass-the-hash and relay attacks; treat it as legacy and restrict it.
Pluggable authentication module (PAM): A framework for
implementing authentication providers in Linux and other Unix-like systems;
stacked modules configured under /etc/pam.d decide how each service authenticates.
Kerberos: A single sign-on authentication and authorization service
that is based on a time-sensitive, ticket-granting system (tickets expire,
so client and KDC clocks must agree).

Authentication

Authentication Methods

Biometrics and Authentication Technologies

Biometric Methods
Fingerprints
Retina
Iris
Face
Gait

Biometric Parameters
Universal
Unique
Permanent
Collectible
Difficult to duplicate

Push Notification
Used as a possession factor: the login prompt is sent to an enrolled device
Can be approved or denied by the user
Simple to use
Limited implementation: depends on identity provider and app support
Weakness: "push fatigue" attacks repeat the prompt until a user approves one; number matching on the prompt mitigates this

Summary
Biometrics
Authentication technologies

Class Discussion
What is the difference between authentication factors and attributes?
What is an example of the "something you are" authentication type?
What is an example of the "something you have" authentication type?
What is multi-factor authentication?
Which physical attributes can be used to identify an individual?

4.3 Identity and Access Management: Authorization

Key Terms
Authorization
Access control list (ACL)
Effective permissions
Deny permissions

Key Definitions
Authorization: Granting a user on the computer system the right to use
a resource, after authentication has established who the user is.
Access control list (ACL): A collection of access control entries (ACEs)
that determines which users are allowed or denied access to an object and
the privileges given to that user.
Effective permissions: Access rights are cumulative, giving the user the
combined permissions from the account itself and from every group it belongs to.
Deny permissions: Override Allow permissions at the same level. Windows
evaluates the ACL in canonical order (explicit Deny, explicit Allow, inherited
Deny, inherited Allow), so an explicit Allow set on the object itself still
wins over a Deny inherited from the parent folder.

Access Control Lists
List of permissions on an object
  Files
  Folders
Made up of access control entries, each naming a principal
  Users
  Groups

Security Principals
Includes:
  User accounts
  Computer accounts
  Security group accounts
Each has a unique SID, which is what ACEs actually reference (names can change, SIDs cannot)

Access Tokens
Built at logon and attached to every process the user starts
Include the user account's SID
Include the SIDs of all groups the user belongs to (directly or through nested groups)
Include the user's rights and privileges
The token, not the account name, is what the system compares against an object's ACL

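To make the token-versus-ACL comparison concrete, here is an added Python model of the Windows access check (not Security Pro material and not Microsoft's code): a token holding the user SID and group SIDs is walked against a DACL in canonical ACE order, accumulating allowed bits, and any matching Deny that covers a bit not yet granted ends the walk. The domain SID S-1-5-21-1-2-3 and the RIDs 1105 to 1107 are constructed; the well-known SIDs and the RID 513 for Domain Users are real.

```python
"""Windows-style access check: token SIDs against a DACL in canonical ACE order.

Added example; not Security Pro or Microsoft code. The domain SID and the
user RIDs are constructed, the well-known SIDs are real.
"""
from dataclasses import dataclass
from typing import List

# A subset of the real NTFS access-mask bits, enough to show the logic.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x10000
FULL = READ | WRITE | EXECUTE | DELETE

EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"
BUILTIN_ADMINS = "S-1-5-32-544"
DOMAIN = "S-1-5-21-1-2-3"          # constructed domain SID
DOMAIN_USERS = f"{DOMAIN}-513"     # 513 is the real well-known Domain Users RID

@dataclass
class Ace:
    kind: str          # "allow" or "deny"
    sid: str
    mask: int
    inherited: bool = False

@dataclass
class Token:
    user_sid: str
    group_sids: List[str]

    def sids(self):
        return {self.user_sid, *self.group_sids}

def canonical(dacl: List[Ace]) -> List[Ace]:
    """Windows stores ACEs as explicit deny, explicit allow, inherited deny,
    inherited allow. The walk below relies on that order, which is why an
    explicit Allow on the object beats a Deny inherited from the parent."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])

def access_check(token: Token, dacl: List[Ace], requested: int) -> bool:
    """Rights accumulate across every group in the token; a Deny ACE only
    matters for bits that no earlier Allow ACE has already granted."""
    granted = 0
    sids = token.sids()
    for ace in canonical(dacl):
        if ace.sid not in sids:
            continue
        remaining = requested & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
        if granted == requested:
            return True
    return granted == requested

def effective_permissions(token: Token, dacl: List[Ace]) -> int:
    """The cumulative rights a principal ends up with, bit by bit."""
    return sum(bit for bit in (READ, WRITE, EXECUTE, DELETE) if access_check(token, dacl, bit))

# Constructed DACL on a file inside a folder whose ACEs were inherited.
DACL = [
    Ace("allow", AUTHENTICATED_USERS, READ | EXECUTE, inherited=True),
    Ace("deny", DOMAIN_USERS, WRITE, inherited=True),    # parent folder denies writes
    Ace("allow", f"{DOMAIN}-1105", WRITE),               # explicit allow on this file for alice
    Ace("allow", BUILTIN_ADMINS, FULL, inherited=True),
    Ace("deny", f"{DOMAIN}-1106", READ),                 # explicit deny for carl
]
ALICE = Token(f"{DOMAIN}-1105", [EVERYONE, AUTHENTICATED_USERS, DOMAIN_USERS])
BOB = Token(f"{DOMAIN}-1107", [EVERYONE, AUTHENTICATED_USERS, DOMAIN_USERS])
CARL = Token(f"{DOMAIN}-1106", [EVERYONE, AUTHENTICATED_USERS, DOMAIN_USERS, BUILTIN_ADMINS])
```

Two outcomes are worth checking by hand: alice can write because her explicit Allow is evaluated before the inherited Deny on Domain Users, and carl, although a member of Administrators, cannot read this file because the explicit Deny on his own SID comes first.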
Summary
Authorization
Access control lists
Permissions and privileges

Cumulative Access

Summary
Roles
Groups
Limiting user's roles

Class Discussion
How is authorization different from authentication?
How does an access control list (ACL) help to increase network
security?
What is the difference between a Discretionary access control list
(DACL) and a system access control list (SACL)?

4.4 Identity and Access Management: Active Directory Overview

Section Skill Overview
Join a domain
Manage Active Directory objects
Create OUs
Delete OUs
Use Group Policy
Create and link a GPO
Create user accounts
Manage user accounts
Create a group
Create Global Groups
Key Terms
Domain
Tree
Forest
Organizational Unit (OU)
Object
Domain Controller
Replication
Member Servers
Policy

Key Definitions
Domain: A domain is an administratively defined collection of network
resources that share a common directory database and security policies.
The domain is the basic administrative unit of an Active Directory
structure.
Tree: A tree is a group of related domains that share the same
contiguous DNS namespace.
Forest: A forest is a collection of related domain trees. The forest
establishes the relationship between trees that have different DNS
namespaces.
Organizational Unit (OU): An organizational unit is similar to a folder.
It subdivides and organizes network resources within a domain, and it is the
smallest scope to which a Group Policy object can be linked.
Object: Each resource within Active Directory is identified as an object.
Domain Controller: A domain controller is a server that holds a copy of the
Active Directory database (writable on ordinary domain controllers, read-only on
an RODC) and authenticates logons for the domain. Because it stores every
account's password hash, compromise of one domain controller is compromise of
the whole domain.
Replication: Replication is the process of copying changes to Active Directory
between the domain controllers so that each holds the same data.
Member Servers: Member servers are servers joined to the domain that do not
hold the Active Directory database.
Policy: A policy is a set of configuration settings applied to users or
computers.

Active Directory Introduction

Active Directory
Centralized
Resources
Security administration
Single logon
Simplified resource location

Centralized Administration
Single-point administration
Active Directory database

Summary
Active Directory overview
Domains
Domain controllers
Organizational units
Built-in containers
Active Directory objects

Group Policy
Configuration settings
Controls environment for:
User accounts
Computer accounts

Computer Policies
Used by the computer
Apply to all users who log on to it
Include:
  Software
  Scripts
  Password settings
  Network security
  Registry settings
Applied at system boot

User Policies
Linked to a user
Can be unique to each user
Include:
  Software for one user
  Scripts for one user
  Web browser security
  Web browser favorites
  Individual registry settings
Applied at logon

Key Policy Types
Account policies
Local policies/audit policy
Local policies/user rights
Local policies/security options
Registry policies
File system policies
Software restriction policies
Administrative templates

Summary
Group Policy management
Domain implementation
Group vs Local Group Policy
Computer configuration policies
User configuration policies
Key policy types

In-Class Practice
Do the following labs:
4.4.5 Create OUs
4.4.6 Delete OUs
4.4.10 Create and Link a GPO
4.4.11 Create User Accounts
4.4.12 Manage User Accounts
4.4.13 Create a Group
4.4.14 Create Global Groups

Class Discussion
What is the purpose of a domain?
How do organizational units (OUs) simplify security administration?
How do computer policies differ from user policies?
What is the order in which Group Policy objects (GPOs) are applied?

4.5 Identity and Access Management: Hardening Authentication

Section Skill Overview
Configure user account restrictions
Configure account policies and UAC settings
Use password managers
Configure account password policies
Hardening user accounts
Restrict local accounts
Secure default accounts
Enforce user account control
Configure smart card authentication
Key Terms
Multifactor authentication
Smart cards
Microprobing
Radio frequency identification (RFID)

Key Definitions
Multifactor authentication: Using more than one type of factor (something you
know, have, or are) to authenticate users; two passwords are still one factor.
Smart cards: Similar in appearance to credit cards, smart cards have an
embedded chip that holds the user's certificate and a private key that never
leaves the card; the card signs a challenge during logon. They are a "something
you have" factor, normally paired with a PIN.
Microprobing: The process of accessing a smart card's chip surface
directly to observe, manipulate, and interfere with the circuit in order to
extract the key; tamper-resistant chips are designed to make this impractical.
Radio frequency identification (RFID): The wireless, non-contact use
of radio frequency waves to transfer data, for example from a proximity badge.
Simple 125 kHz proximity badges transmit a static identifier that can be cloned,
unlike a smart card's challenge-response.

User Education
Create memorable passwords
Don't write down passwords
Understand social engineering
Don’t share access

Stronger Passwords
Password aging policies
Password history
Password complexity
Password management

Account Restrictions
Limit concurrent logins (one session per person)
Time of day restrictions (logon hours)
Account lockout threshold: failed attempts before the account locks
Reset lockout counter: how long failures keep counting; the lockout duration decides when the account reopens

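The three lockout settings interact, and the interaction is what a slow password-spraying attacker exploits. The Python below is an added example, not Security Pro material: it replays a constructed logon log against a threshold, a reset window, a lockout duration and a logon-hours rule, and returns a verdict per event. The policy values and the log lines are constructed.

```python
"""Account-lockout and logon-hours evaluation over a constructed logon log.

Added example; not Security Pro material. Policy values mirror the three
Windows account lockout settings; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, time

LOCKOUT_THRESHOLD = 5                          # failed attempts before the account locks
RESET_COUNTER_AFTER = timedelta(minutes=15)    # failures older than this no longer count
LOCKOUT_DURATION = timedelta(minutes=30)       # how long the account stays locked

ALLOWED_DAYS = {0, 1, 2, 3, 4}                 # Mon-Fri (constructed logon-hours rule)
ALLOWED_WINDOW = (time(7, 0), time(19, 0))

SAMPLE_LOG = """\
2024-03-04T08:00:01 alice FAIL
2024-03-04T08:00:05 alice FAIL
2024-03-04T08:00:09 alice FAIL
2024-03-04T08:00:12 alice FAIL
2024-03-04T08:00:15 alice FAIL
2024-03-04T08:00:20 alice SUCCESS
2024-03-04T08:40:00 alice SUCCESS
2024-03-04T09:00:00 bob FAIL
2024-03-04T09:20:00 bob FAIL
2024-03-04T09:40:00 bob FAIL
2024-03-04T10:00:00 bob FAIL
2024-03-04T10:20:00 bob FAIL
2024-03-04T10:20:30 bob SUCCESS
2024-03-09T12:00:00 carol SUCCESS
"""

def within_logon_hours(ts: datetime) -> bool:
    start, end = ALLOWED_WINDOW
    return ts.weekday() in ALLOWED_DAYS and start <= ts.time() <= end

def evaluate(log: str):
    """Replay the log and return (timestamp, user, verdict) per event. A SUCCESS
    that lands inside a lockout window is itself a detection: the control is
    not being enforced, or the log is wrong."""
    failures = defaultdict(list)   # user -> timestamps of failures still inside the reset window
    locked_until = {}
    verdicts = []
    for line in log.splitlines():
        stamp, user, outcome = line.split()
        ts = datetime.fromisoformat(stamp)
        # "Reset account lockout counter after": drop failures older than the window.
        failures[user] = [t for t in failures[user] if ts - t <= RESET_COUNTER_AFTER]
        if user in locked_until and ts < locked_until[user]:
            verdicts.append((stamp, user, "LOCKED_OUT"))
            continue
        if not within_logon_hours(ts):
            verdicts.append((stamp, user, "OUTSIDE_LOGON_HOURS"))
            continue
        if outcome == "FAIL":
            failures[user].append(ts)
            if len(failures[user]) >= LOCKOUT_THRESHOLD:
                locked_until[user] = ts + LOCKOUT_DURATION
                failures[user].clear()
                verdicts.append((stamp, user, "LOCKOUT_TRIGGERED"))
            else:
                verdicts.append((stamp, user, "FAIL"))
        else:
            failures[user].clear()
            verdicts.append((stamp, user, "SUCCESS"))
    return verdicts

def locked_out_users(log: str):
    return sorted({u for _, u, v in evaluate(log) if v == "LOCKOUT_TRIGGERED"})
```

In the sample, alice is locked by five quick failures, but bob's five failures spaced 20 minutes apart never add up because each one ages out of the 15-minute reset window first; a lockout policy alone does not stop a patient attacker, which is the drawback the class discussion question at the end of this section is getting at.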
Old/Inactive Accounts
Delete old employee accounts
Disable inactive accounts
Automatic account expiration

Access Levels
Domain accounts
  Stored on domain controller
  Managed by administrators
Local user accounts
  Stored locally
  No local admin user accounts for day-to-day use
  Rename admin account
  Create standard users
  Disable guest user account

Remote Access
Limited remote access
Connect through DMZ
Restrict IP addresses
Limit concurrent logins
Audit remote logins

Summary
User education
Stronger passwords
Multifactor authentication
Account restrictions
Account monitoring
Account maintenance
Limit remote access

In-Class Practice
Do the following labs:
4.5.5 Configure Account Password Policies
4.5.7 Restrict Local Accounts
4.5.8 Secure Default Accounts
4.5.9 Enforce User Account Control
4.5.12 Configure Smart Card Authentication

Class Discussion
What does the minimum password age setting prevent?
What is a drawback to account lockout for failed password attempts?
What are the advantages of a self-service password reset management
system?

4.6 Identity and Access Management: Linux Users

Key Terms
Linux
/etc directory
Daemon
Account record
Shadow file
SELinux

Key Definitions
Linux: Linux is an open-source, Unix-like, multi-user OS where each
user account has a unique, customizable computing environment.
/etc directory: The "/etc" directory in a Unix-like file system is a
standard location for system-wide configuration files and settings used
by various programs and services.
Daemon: A daemon is a Linux or UNIX program that runs as a
background process, rather than being under the direct control of an
interactive user.

Account record: In a Linux system, an account record is an entry in
the "/etc/passwd" file containing essential information about a user,
such as their username, user ID, primary group ID, home directory, and default shell.
Shadow file: In a Linux system, the shadow file is "/etc/shadow", which
holds each account's password hash (not an encrypted password) together
with its aging fields. It is readable only by root, so the world-readable
"/etc/passwd" no longer exposes anything an attacker could crack offline.
SELinux: SELinux (Security-Enhanced Linux) is a mandatory access
control (MAC) security mechanism implemented in the Linux kernel
to provide fine-grained control over processes and resources,
enhancing system security by enforcing access policies that even root
cannot bypass without changing the policy.

Linux User and Group Overview

Linux Users and Groups
Linux is a multi-user OS
User environment is unique
Account information stored in the /etc directory:
  User file (/etc/passwd)
  Group file (/etc/group)
  Password file (/etc/shadow)

Linux Password File
/etc/passwd
User account information, world-readable
No passwords: the second field holds "x" as a placeholder; the hash lives in /etc/shadow

Linux Account Types
Standard
  Used to log in; UIDs start at UID_MIN from /etc/login.defs (1000 on most distributions)
System
  Used by services or daemons; low UIDs, normally given /usr/sbin/nologin or /bin/false as the shell so nobody can log in as them

Password and Shadow Files
Must be synchronized: every /etc/passwd entry needs a matching /etc/shadow entry
Editing with a plain text editor breaks the sync (and bypasses the file lock)
Use the proper utilities instead: useradd, usermod, passwd, or vipw / vipw -s for hand edits
Use the commands to check and re-sync
  pwck checks both files for consistency and reports problems
  pwconv rebuilds /etc/shadow from /etc/passwd (grpck and grpconv do the same for groups)

/etc/gshadow
Stores group passwords (hashed) and group administrator lists
Readable only by root, like /etc/shadow

Summary
/etc/passwd
User account information
/etc/shadow
Passwords
/etc/group
Groups and group members

Linux User Security and Restrictions

Strong Password Rules
Eight or more characters (length matters more than composition; NIST SP 800-63B favors long passphrases over forced symbol rules)
Numbers and symbols
Uppercase and lowercase
No dictionary words/usernames
Check candidates against breached-password lists

chage Command
Syntax:
  chage [options] LOGIN
Options:
  -m days   minimum days between password changes
  -M days   maximum days a password stays valid
  -W days   days of warning before it expires
  -l        list the current aging settings for the account
Values are written into the aging fields of /etc/shadow

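The pwck and chage slides above describe checks that are easy to express against the files themselves. The following Python is an added example, not Security Pro material: it parses constructed /etc/passwd and /etc/shadow bodies, reports the inconsistencies pwck would flag (missing or orphan shadow entries, hashes or empty fields in passwd, extra UID 0 accounts, system accounts with a login shell) and evaluates the chage aging fields. The field layout and the $id$ hash prefixes are the real ones from shadow(5) and crypt(5); the accounts, hashes and TODAY are constructed.

```python
"""Consistency and aging audit of /etc/passwd and /etc/shadow records.

Added example; not Security Pro material. File bodies, hashes and TODAY are
constructed; field layout and hash prefixes follow shadow(5) and crypt(5).
"""
from datetime import date, timedelta

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
eve::1002:1002:Eve:/home/eve:/bin/bash
"""

# fields: name, hash, last change (days since epoch), min, max, warn, inactive, expire, reserved
SHADOW = """\
root:$6$salt$hashedhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$salt$hashedhash:19600:7:90:14:::
bob:!$6$salt$hashedhash:19500:0:99999:7:::
backup:*:19700:0:99999:7:::
toor:$1$salt$hashedhash:19700:0:99999:7:::
"""

HASH_PREFIXES = {"$1$": "md5 (obsolete)", "$5$": "sha256", "$6$": "sha512",
                 "$y$": "yescrypt", "$2b$": "bcrypt"}
SYSTEM_UID_MAX = 999            # UID_MIN in /etc/login.defs is 1000 on most distributions
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
TODAY = date(2024, 3, 4)        # constructed "current date" for the aging checks

def parse_passwd(text):
    rows = {}
    for line in text.splitlines():
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        rows[name] = {"pw": pw, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return rows

def parse_shadow(text):
    rows = {}
    for line in text.splitlines():
        f = line.split(":")
        ints = [int(x) if x else None for x in f[2:8]]
        rows[f[0]] = {"hash": f[1], "last": ints[0], "min": ints[1], "max": ints[2], "warn": ints[3]}
    return rows

def audit(passwd_text, shadow_text, today):
    """Return sorted (finding, account) pairs: pwck-style consistency plus chage policy."""
    p, s = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, row in p.items():
        if row["pw"] == "":
            findings.append(("EMPTY_PASSWORD_FIELD", name))   # logs in with no password at all
        elif row["pw"] != "x":
            findings.append(("HASH_IN_PASSWD", name))          # hash readable by every user
        if name not in s:
            findings.append(("MISSING_SHADOW_ENTRY", name))    # passwd and shadow out of sync
        if row["uid"] == 0 and name != "root":
            findings.append(("EXTRA_UID_0", name))
        if 0 < row["uid"] <= SYSTEM_UID_MAX and row["shell"] not in NOLOGIN_SHELLS:
            findings.append(("SYSTEM_ACCOUNT_HAS_SHELL", name))
    for name in set(s) - set(p):
        findings.append(("ORPHAN_SHADOW_ENTRY", name))
    epoch = date(1970, 1, 1)
    for name, row in s.items():
        h = row["hash"]
        if h in ("*", "!") or h.startswith("!"):
            continue                                           # locked or no-login: nothing to age
        algo = next((v for k, v in HASH_PREFIXES.items() if h.startswith(k)), "unknown")
        if algo in ("md5 (obsolete)", "unknown"):
            findings.append(("WEAK_HASH", name))
        if row["max"] is None or row["max"] >= 99999:
            findings.append(("PASSWORD_NEVER_EXPIRES", name))  # chage -M never set
        elif row["last"] is not None:
            expires = epoch + timedelta(days=row["last"] + row["max"])
            if expires <= today:
                findings.append(("PASSWORD_EXPIRED", name))
    return sorted(findings)

def run_audit():
    return audit(PASSWD, SHADOW, TODAY)
```

Run against the sample, the audit flags eve (empty password field and no shadow record), toor (a second UID 0 with an MD5 hash) and alice (a 90-day maximum age that has elapsed), while the locked and no-login service accounts produce nothing.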
Using pam_limits
File path:
  /etc/security/limits.conf (plus drop-in files in /etc/security/limits.d/)
Syntax:
  <domain> <type> <item> <value>
  domain: a user name, @group, or * for everyone
Types
  Hard: the ceiling; only root can raise it
  Soft: the value in effect, which the user may raise up to the hard limit
  - : sets both at once

Using pam_limits
Limits
  core       core-file size (0 stops memory dumps that may contain secrets)
  data       data segment size
  fsize      maximum file size
  nofile     open file descriptors
  cpu        CPU time in minutes
  nproc      number of processes (caps fork bombs)
  maxlogins  concurrent logins for this user
  priority   scheduling priority

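Because several limits.conf lines can apply to one login, the interesting question is which value wins. The Python below is an added example, not Security Pro material: it parses a constructed limits.conf body and resolves the soft and hard value of every item for a given user, using the precedence pam_limits documents (a user line beats an @group line, which beats the * default; within one level the last matching line wins). The %group syntax for per-group maxlogins is left out; the user and group names are constructed.

```python
"""Resolve the soft/hard limits pam_limits would apply from a limits.conf body.

Added example; not Security Pro material. File body, user and group names are
constructed. Precedence: user > @group > *, last match wins within a level.
"""
SAMPLE_LIMITS_CONF = """\
# <domain>  <type>  <item>     <value>
*           soft    nofile     1024
*           hard    nofile     4096
*           hard    core       0
@developers soft    nofile     8192
@developers hard    nofile     65536
@developers -       nproc      4096
alice       hard    nofile     16384
*           -       maxlogins  4
bob         -       maxlogins  1
"""

PRECEDENCE = {"user": 0, "group": 1, "wildcard": 2}   # lower number wins

def parse_limits(text):
    """Expand each line into (domain, type, item, value); '-' becomes soft and hard."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, type_, item, value = line.split()
        value = None if value == "unlimited" else int(value)
        for t in (("soft", "hard") if type_ == "-" else (type_,)):
            entries.append((domain, t, item, value))
    return entries

def resolve(entries, user, groups):
    """Return {item: {"soft": v, "hard": v}} for `user`, a member of `groups`."""
    limits, source = {}, {}
    for domain, type_, item, value in entries:
        if domain == user:
            level = "user"
        elif domain.startswith("@") and domain[1:] in groups:
            level = "group"
        elif domain == "*":
            level = "wildcard"
        else:
            continue
        key = (item, type_)
        # A line from a lower-precedence domain never overrides a higher one;
        # at the same level the later line replaces the earlier one.
        if key in source and PRECEDENCE[source[key]] < PRECEDENCE[level]:
            continue
        source[key] = level
        limits.setdefault(item, {})[type_] = value
    return limits
```

For alice in the developers group the resolver yields 8192/16384 open files (the group's hard limit of 65536 is overridden by her own line), while bob, who is in no group, keeps the wildcard 1024/4096 and a single allowed login.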
Using ulimit
Shell builtin that reads or changes the limits of the current shell and its children, within what pam_limits allowed
Syntax
  ulimit [options] [limit]
Options:
  -c  core-file size
  -f  file size
  -t  CPU time
  -u  number of processes
  -d  data segment size
  -H  act on the hard limit
  -s  stack size
  -a  show all current limits

In-Class Practice
Do the following labs:
4.6.4 Create a User Account
4.6.5 Rename a User Account
4.6.6 Delete a User
4.6.7 Change Your Password
4.6.8 Change a User's Password
4.6.9 Lock and Unlock User Accounts

Class Discussion
How do you create a user in Linux?
Why shouldn't passwords expire too frequently?
Which directory contains configuration file templates copied into a new
user's home directory?
Which command deletes a user and the user's home directory
simultaneously?

4.7 Identity and Access Management: Linux Groups

Key Terms
Linux group
sudo privileges
Linux standard user

Key Definitions
Linux group: A collection of user accounts that share common access
permissions to files, directories, and other system resources.
sudo privileges: The rights granted to a user account to execute
commands with administrative or superuser privileges, allowing them
to perform tasks that regular users typically cannot.
Linux Standard User: An account with limited permissions, typically
lacking administrative rights, to perform regular tasks without the
ability to make system-level changes.

Managing Linux Groups

In-Class Practice
Do the following labs:
4.7.3 Rename and Create Groups
4.7.4 Add Users to a Group
4.7.5 Remove a User from a Group
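After adding and removing memberships with usermod and gpasswd, the question a reviewer asks is who ended up in the groups that confer root-equivalent power. The Python below is an added example, not Security Pro material: it derives each account's effective groups from constructed /etc/passwd and /etc/group bodies (primary GID plus supplementary memberships) and lists the accounts holding a privileged group. The group names in PRIVILEGED are real, but which of them exist depends on the distribution.

```python
"""Effective group membership from /etc/passwd and /etc/group, with a check for
accounts holding sudo-capable or otherwise privileged groups.

Added example; not Security Pro material. Both file bodies are constructed.
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

GROUP = """\
root:x:0:
sudo:x:27:alice
docker:x:999:bob,www-data
developers:x:2000:alice,bob
users:x:100:
alice:x:1000:
bob:x:1001:
www-data:x:33:
"""

# Membership here is effectively root: sudo/wheel/admin by design, docker because
# the daemon will mount / into a container on request, disk because it reads raw
# block devices.
PRIVILEGED = {"root", "sudo", "wheel", "admin", "docker", "disk"}

def memberships(passwd_text, group_text):
    """user -> sorted group names: the primary GID from passwd plus every
    supplementary group that lists the user in /etc/group (what usermod -aG adds)."""
    gid_to_name, supplementary = {}, {}
    for line in group_text.splitlines():
        name, _, gid, members = line.split(":")
        gid_to_name[int(gid)] = name
        supplementary[name] = set(filter(None, members.split(",")))
    result = {}
    for line in passwd_text.splitlines():
        user, _, _, gid = line.split(":")[:4]
        groups = {gid_to_name.get(int(gid), f"gid={gid}")}
        groups |= {g for g, members in supplementary.items() if user in members}
        result[user] = sorted(groups)
    return result

def privileged_accounts(passwd_text, group_text):
    """Accounts that hold a privileged group, with the offending groups listed.
    A service account such as www-data showing up here is a finding."""
    return {user: sorted(set(groups) & PRIVILEGED)
            for user, groups in memberships(passwd_text, group_text).items()
            if set(groups) & PRIVILEGED}
```

The sample deliberately places the web server's service account in docker: it never appears in a login audit, yet any code execution in the web application becomes root on the host through the Docker socket.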

Class Discussion
Which usermod option changes the secondary group membership?
Which command removes all secondary group memberships for specific
user accounts?
Which groupmod option changes the name of a group?

4.8 Identity and Access Management: Remote Access

Key Terms
Remote access
Remote access policies
Remote Authentication Dial-in User Service (RADIUS)
Terminal Access Controller Access-Control System Plus (TACACS+)

Key Definitions
Remote access: Infrastructure, protocols, and software that allow a
host to join a local network from a physically remote location, or that
allow a session on a host to be established over a network.
Remote access policies: Policies used to restrict remote access. The
policies identify authorized users, conditions, permissions, and
connection parameters such as time of day, authentication protocol,
caller id, etc.

Remote Authentication Dial-in User Service (RADIUS): AAA
protocol used to manage remote and wireless authentication
infrastructures (for example, 802.1X and VPN logons). Runs over UDP
(1812 for authentication, 1813 for accounting); only the User-Password
attribute is hidden, with an MD5-based scheme keyed by the shared secret,
so the rest of the exchange is visible on the wire unless RADIUS/TLS is used.
Terminal Access Controller Access-Control System Plus
(TACACS+): A network security protocol that provides centralized
authentication, authorization, and accounting (AAA) services for users
attempting to access network resources, typically administrators logging
in to routers and switches. Runs over TCP port 49, obfuscates the whole
packet body, and separates authorization from authentication so that
individual commands can be authorized.

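The practical difference between the two protocols is how much of the packet the shared secret protects. The Python below is an added example, not Security Pro material: it implements the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5, both of which are MD5-derived XOR keystreams, and round-trips a constructed password and packet body through each. The shared secret, Request Authenticator, session id and body are constructed.

```python
"""What each AAA protocol actually hides on the wire: RADIUS User-Password
hiding (RFC 2865 section 5.2) next to TACACS+ body obfuscation (RFC 8907
section 4.5).

Added example; not Security Pro material. Secret, authenticator, session id and
packet bodies are constructed.
"""
import hashlib
import os

SECRET = b"constructed-shared-secret"

def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks; c1 = p1 XOR MD5(S + RA), cn = pn XOR MD5(S + c(n-1)).
    Only this one attribute is protected; user name, NAS and result are plaintext."""
    assert len(request_authenticator) == 16
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """The server side of the same computation; NUL padding is stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """pseudo_pad = MD5(session_id + key + version + seq_no)
                 || MD5(session_id + key + version + seq_no + previous MD5) || ...
    XORed over the whole body, so user names, commands and authorization
    results are covered, not just the password. XOR is its own inverse."""
    sid = session_id.to_bytes(4, "big")
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))

tacacs_plus_deobfuscate = tacacs_plus_obfuscate

def demo():
    """Hide a password the way a NAS would, with a fresh random Request Authenticator."""
    ra = os.urandom(16)
    hidden = radius_hide_password(b"hunter2", SECRET, ra)
    return radius_reveal_password(hidden, SECRET, ra) == b"hunter2"
```

Both schemes are keystream constructions: a reused Request Authenticator under the same secret leaks the XOR of two passwords, and neither provides integrity. RFC 8907 itself calls the TACACS+ scheme obfuscation rather than encryption, which is why both protocols belong inside a TLS tunnel or a management network.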
Remote Access

Class Discussion
How does EAP differ from CHAP?
How can remote access and tunneling be secured?
What is the difference between RADIUS and TACACS+?

4.9 Identity and Access Management: Network Authentication

Key Terms
Authentication

Key Definitions
Authentication: Authentication is the process of validating user
credentials that prove user identity.

Network Authentication Protocols

LDAP Authentication

LDAP
Open standard protocol (RFC 4511), with open-source and commercial implementations
Talks to network directories (Active Directory, OpenLDAP)
Lightweight and fast
Runs over TCP/IP, port 389
Can be secured: LDAPS on port 636 or StartTLS on 389; without TLS a simple bind carries the password in cleartext

Simple Authentication
Name/password: DN plus password, sent in cleartext inside the bind request
Unauthenticated: DN with an empty password; servers should reject it, otherwise an application can mistake the bind for a successful logon
Anonymous: empty DN and empty password

SASL Authentication
Uses an authentication service through a negotiated mechanism (GSSAPI for Kerberos, DIGEST-MD5, EXTERNAL for TLS client certificates)
Is more secure: with Kerberos or certificate mechanisms the password never crosses the wire
Separates authentication and application protocols

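The three simple-bind flavours differ only in whether the name and password octet strings are empty, which is easiest to see in the bytes. The Python below is an added example, not Security Pro material: it hand-encodes LDAP BindRequest PDUs (RFC 4511) in BER for a simple bind and a SASL bind, decodes the simple form back, and classifies it. DNs, the password and the SASL token are constructed; only short-form BER lengths are handled, which is enough for a bind.

```python
"""Hand-built LDAP BindRequest PDUs (RFC 4511) for the three simple-bind modes
and a SASL bind, showing what each one puts on the wire.

Added example; not Security Pro material. DNs, password and SASL token are
constructed. Short-form BER lengths (< 128 octets) only.
"""

def ber(tag: int, payload: bytes) -> bytes:
    assert len(payload) < 128, "long-form lengths not implemented"
    return bytes([tag, len(payload)]) + payload

def ber_int(value: int) -> bytes:
    return ber(0x02, bytes([value]))          # enough for small non-negative integers

def bind_request(message_id: int, name: str, *, password: str = "",
                 sasl_mechanism: str = "", sasl_credentials: bytes = b"") -> bytes:
    """Simple bind: authentication is [0] OCTET STRING (tag 0x80) holding the password.
    SASL bind: [3] SEQUENCE { mechanism OCTET STRING, credentials OCTET STRING OPTIONAL }."""
    if sasl_mechanism:
        creds = ber(0x04, sasl_mechanism.encode())
        if sasl_credentials:
            creds += ber(0x04, sasl_credentials)
        auth = ber(0xA3, creds)                # context-specific [3], constructed
    else:
        auth = ber(0x80, password.encode())    # context-specific [0], primitive: cleartext
    op = ber(0x60, ber_int(3) + ber(0x04, name.encode()) + auth)   # [APPLICATION 0] BindRequest, version 3
    return ber(0x30, ber_int(message_id) + op)                      # LDAPMessage SEQUENCE

def decode_simple_bind(pdu: bytes):
    """Walk the BER structure; the password comes back as plain text, which is
    exactly what a packet capture sees unless the connection is TLS-protected."""
    assert pdu[0] == 0x30
    body = pdu[2:2 + pdu[1]]
    assert body[0] == 0x02                     # messageID
    op = body[2 + body[1]:]
    assert op[0] == 0x60                       # BindRequest
    fields = op[2:2 + op[1]]
    assert fields[0] == 0x02 and fields[2] == 3   # version 3
    name_len = fields[4]
    name = fields[5:5 + name_len].decode()
    auth = fields[5 + name_len:]
    assert auth[0] == 0x80, "not a simple bind"
    password = auth[2:2 + auth[1]].decode()
    return name, password

def classify_simple_bind(pdu: bytes) -> str:
    """Which of the three simple-bind flavours a PDU is (RFC 4513 section 5.1)."""
    name, password = decode_simple_bind(pdu)
    if not name and not password:
        return "anonymous"
    if name and not password:
        return "unauthenticated"   # servers SHOULD reject this by default
    return "name/password"
```

The unauthenticated form is the one to watch for in application code: a client library that reports the bind as successful whenever the server did not return an error can be tricked into accepting an empty password, so directory servers are expected to refuse it and clients should never send it.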
Summary
LDAP Protocol
Simple authentication
SASL authentication

Class Discussion
In the challenge/response process, what information is exchanged over
the network during logon?
What is included in a digital certificate?
What is PKI?
Which tool can manage authentication credentials on Windows hosts?
