# CompTIA Security+ 501 exam, Chapter 04: Delving into Identity and Access Management, Part 1
Posted by Superadmin on November 16 2018 14:02:02

Delving into Identity and Access Management

In this chapter we will look at the different types of authentication and at how to dispose of data. We will first look at identity and access management concepts.

We will cover the following exam objectives in this chapter:

Understanding identity and access management concepts

One of the first areas in IT security is giving someone access to the company's network so that they can use resources for their job. Each person needs some form of identification so that they can prove who they are; it could be anything from a username to a smart card. It needs to be unique so that the person using that identity is accountable for its use. The second part, after presenting your identity, is to provide authorization for that identity; this can be done in many ways, for example by entering a password, or a PIN if you have a smart card.

Passwords

Passwords are one of the most common ways of authenticating a user; they are also the authentication factor that is most likely to be entered incorrectly, perhaps because they mix upper- and lower-case characters, numbers, and special characters. Some people may have Caps Lock on without knowing it. When the password is entered it is shown as a row of dots, so users cannot see their input; however, in the Windows 10 password box you can click the eye icon to see the password that you have entered. This reduces the risk of people being locked out.

Default/administrator password

An administrator should have two accounts: one for day-to-day work and the other for administrative tasks. If your company is using a device such as a wireless router, the default administrative username and password should be changed, as they are normally posted on the internet and could be used to break into your device or network.

Passwords—group policy

A group policy allows security administrators to create settings once and then push them out to all machines in their domain, which could be 5-10,000 machines. It reduces configuration errors and reduces the labor required to carry out the task. One portion of a group policy deals with passwords; please look at the screenshot:

Figure 1: Password policies

Let us look at each of these going from the top to the bottom.

If I choose the password P@$$w0rd, it contains characters from all four groups, but it would be cracked very quickly, as most password crackers substitute a zero for the letter o and the @ sign for the letter a.

Store passwords using reversible encryption: This is used when a user needs to use their credentials to access a legacy (old) application. Because the passwords are stored using reversible encryption they could be recovered in clear text, which is not good. Companies tend to have this option disabled at all times as it poses a security risk.

When purchasing devices, you should always change the default password that the manufacturer has set up to prevent someone hacking into your device.

Once you are locked out your account is disabled:

Figure 2: Account lockout

Know the password options and types of password attacks thoroughly.

Account lockout duration: Both Account lockout duration and Reset account lockout counter after should not be enabled. If these are disabled, the locked-out person will have to contact the security administrator to have their password reset; this way the administrator knows who keeps forgetting their password and knows to keep monitoring them.

Password recovery

People can be locked out from time to time by forgetting their password. They can reset their passwords by going to a portal and selecting Forgotten my password, then filling in personal details and having the password reset option send a code to their phone via SMS or by email.

Some desktop operating systems allow you to create a password reset disk that you can save to an SD card or a USB drive; this is not normally used in a corporate environment.

Authentication factors

There are different authentication factors, ranging from something you know, for example a password, to something you are, for example an iris scan. The following are the different authentication factors:

Figure 3: Hardware token and key fob used with proximity card

Number of factor examples

Let us look at combining the different factors to determine single factor, dual factor, or multifactor. Here are different factor examples:

The number of factors is determined by the number of different factor groups being used.

Transitive trust

Transitive trust is where you have a parent domain and one or more child domains; together these are called a tree. Refer to the diagram:

Figure 4: Transitive trust

Between the parent domain and each child domain is a two-way transitive trust, where resources can be shared in both directions. Because the parent domain trusts both child domains A and B, Child A transitively trusts Child B, as long as the administrator in Child B wishes to give someone from Child A access to resources, and vice versa. Think of a domain as being the people from the same company.

When the exam mentions third-party to third-party authentication, then that can only be federation services.

Federation services

Federation services are used when two different companies want to authenticate between each other when they participate in a joint venture. Think of two car manufacturers wanting to produce the best car engine in the world. Both companies have experts on engines but they want to work together to produce a super engine.

The companies don't want to merge with each other; they want to retain their own identity and have their own management in place. These are known, to each other, as third parties.

Each of these companies will have its own directory database, for example an Active Directory that only holds users from its own domain. Therefore, normal domain authentication will not work. Let us now look at the two different domains and their directory databases:

Figure 5: Directory databases

Company A has three users in its Active Directory: Mr Red, Mr Blue, and Mr Green. Company B also has three users: Mr Orange, Mr Purple, and Mr Yellow. Each company can only change passwords for the people in its own domain.

If Mr Orange were to try to access the Company A domain he would need an account. Since he does not have one, the security administrator from Company A has no way of authenticating him. Company A therefore needs to make an agreement with Company B to set up a federation trust, where the people from the other domain use alternative credentials instead of a username and password or a smart card and PIN. They use extended attributes:

User extended attributes are additional attributes held by the directory service, over and above the basic attributes:

Both companies have decided that the extended attribute they will use is the user's email address. Because an email address is easy to find or guess, they will also need to use their domain password. This combination is known as a claim. When the exam talks about authentication using the phrase third party or extended attributes, think of federation services.

The two companies need to exchange the extended attribute information and need a special protocol to do that, so they use Security Assertion Markup Language (SAML), an XML-based authentication protocol:

Figure 6: SAML

Federation Services—Authentication: In this scenario Mr Yellow is going to authenticate himself with Company A so that he can access limited resources. He contacts Company A through a web browser, and it asks him for his email address and password:

Figure 7

Federation Services—Exchange of Extended Attributes: Company A now uses SAML to send Mr Yellow's authentication details to Company B. Mr Yellow's domain controller confirms that they are correct:

Figure 8: Extended attributes sent to Company A using SAML

Once Company B confirms that Mr Yellow's extended attributes are valid, the Company A domain controller sends a certificate to Mr Yellow's laptop; this certificate is used for authentication next time.

When the exam mentions authentication using extended attributes, they can only be federation services.
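As an added example (not from the book, and not any SAML library's code), here is a Python check of the conditions a relying party such as Company A should apply to the claim before trusting the email attribute it carries. The assertion, the company URLs and the premise that the XML signature has already been verified are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: Company B (the issuer) vouches for Mr Yellow's
# email address (the extended attribute) to Company A (the audience).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2024-01-01T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.companyb.example</saml:Issuer>
  <saml:Subject><saml:NameID>mr.yellow@companyb.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.companya.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>mr.yellow@companyb.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses ("2024-01-01T10:00:00Z")."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(xml_text: str, expected_issuer: str, my_audience: str, now_iso: str):
    """Return (ok, reason, email). Assumes the signature was verified first;
    this only checks issuer, validity window, audience and the attribute."""
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no conditions", None
    # Expired or not-yet-valid claims must not be honoured.
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window", None
    # A claim issued for some other relying party must not be accepted here.
    audiences = [a.text for a in cond.iterfind(".//saml:Audience", NS)]
    if my_audience not in audiences:
        return False, "assertion not intended for this audience", None
    email = root.findtext(
        ".//saml:Attribute[@Name='email']/saml:AttributeValue", namespaces=NS)
    if not email:
        return False, "email attribute missing", None
    return True, "ok", email
```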

Shibboleth

Shibboleth is an open source federation service product that uses SAML authentication. It would be used in a small federation services environment.

Single sign-on

Single sign-on is used in a domain environment; this is where someone logs in to the domain and can then access several resources, such as the file or email server, without needing to enter their credentials again. Think of it as an all-inclusive holiday where you check in to your hotel and the receptionist gives you a wristband that you show when you want food and drink. Federation services and Kerberos (the Microsoft authentication protocol) are both good examples of single sign-on: you log in once and access all of your resources without needing to enter your credentials again.

Installing and configuring identity and access services

Identity management in a corporate environment uses a directory database; we are going to look at Microsoft's Active Directory, where a protocol called the Lightweight Directory Access Protocol (LDAP) manages the users and groups. Let us look at how it works.

LDAP

Most companies provide identity and access services through a directory service that stores objects such as users and computers as X.500 objects; these were developed by the International Telecommunication Union (ITU). These objects form what is called a distinguished name and are organized and stored using the Lightweight Directory Access Protocol (LDAP).

There are only three values in X.500 objects; these are DC (domain component), OU (organizational unit), and CN (common name, used for anything else).

In this example, we have a domain called Domain A and an organizational unit called Sales; this is where all of the sales department users and computers would reside. We can see inside the Sales OU a computer called Computer 1:

Figure 9: Active Directory

When creating the X.500 object we start with the object itself, Computer 1, and then continue up through the structure. As Computer 1 is neither an OU nor a domain, we give it the value CN; then we move up the structure to Sales. As it is an OU, we give it that value. Computer 1 is a CN, Sales is an OU, and the domain is split into two portions, each having the value DC. The distinguished name is:

CN=Computer1, OU=Sales, DC=DomainA, DC=com

The way it is stored in the active directory can be viewed using a tool called ADSI Edit:

Figure 10: ADSI Edit

LDAP is the Active Directory storeman responsible for storing the X.500 objects; when the Active Directory is searched, LDAP provides the information required. LDAPS is the secure version of LDAP.
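An added Python example (not from the book) that builds the distinguished name the way the text describes, walking from the object up to the domain, and parses one back. The escaping follows RFC 4514, so a CN containing a comma does not break the name; the value "Smith, John" used in the comments is constructed.

```python
from typing import List, Tuple

# Characters that must be backslash-escaped inside an attribute value
# (RFC 4514 section 2.4); a leading '#' and leading/trailing spaces too.
_SPECIAL = set(',+"\\<>;')


def escape_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(obj: str, ous: List[str], domain: str) -> str:
    """Walk up from the object as the chapter does: CN for the object, one OU
    per container (innermost first), then one DC per DNS label of the domain."""
    rdns = [("CN", obj)]
    rdns += [("OU", ou) for ou in ous]
    rdns += [("DC", label) for label in domain.split(".")]
    return ",".join(f"{t}={escape_value(v)}" for t, v in rdns)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring backslash escapes so
    that e.g. 'CN=Smith\\, John' is one RDN, not two."""
    rdns: List[Tuple[str, str]] = []
    attr: List[str] = []
    val: List[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Escaped character: keep the next char literally, never split on it.
            (val if in_value else attr).append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and not in_value:
            in_value = True
        elif ch == "," and in_value:
            rdns.append(("".join(attr).strip().upper(), "".join(val)))
            attr, val, in_value = [], [], False
        else:
            (val if in_value else attr).append(ch)
        i += 1
    rdns.append(("".join(attr).strip().upper(), "".join(val)))
    return rdns
```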

Examples:

Kerberos

Kerberos is the Microsoft authentication protocol that was introduced with the release of Windows Server 2000. It is the only authentication protocol that uses tickets and updated sequence numbers (USNs) and that is time stamped. The process of obtaining your service ticket is called a ticket granting ticket (TGT) session. It is important that the time on all servers and computers is within five minutes of each other; time can be synchronized using a time source such as an atomic clock. The Security+ exam looks at stratum time servers.

Stratum Time Servers: There are three types of stratum time servers: Stratum 1, 2, and 3. Stratum 1 is internal, and Stratum 0 is external and is the reference time source. The way to remember this is that you can draw a clock face inside a zero, making it the time source. The Stratum 1 time server is linked directly to Stratum 0, the time source. The Stratum 2 time server is linked to Stratum 1 through a network connection:

Figure 11: Stratum time servers

A TGT session is where a user sends their credentials (username and password, or smart card and PIN) to a domain controller, which starts the authentication process; once the credentials have been confirmed it sends back a service ticket that has a 10-hour lifespan. This service ticket is encrypted and cannot be altered:

Figure 12: TGT session

Single sign-on/mutual authentication: Kerberos provides single sign-on, as the user needs to log in only once and then uses their service ticket to prove who they are; this is exchanged for a session ticket with the server on which they want to access resources. In the example here, the user will use his or her service ticket for mutual authentication with an email server:

Figure 13: Mutual authentication

The preceding diagram shows the logged-in user exchanging his encrypted service ticket with the mail server, which in return provides mutual authentication by returning a session ticket. The logged-in user checks that the session ticket's timestamp is within 5 minutes of the domain controller's. This means that Kerberos can complete mutual authentication.

You need to remember that Kerberos is the only authentication protocol that uses tickets. It also prevents replay attacks, as it uses USNs and timestamps.
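Added example, not from the book: a Python model of the server-side check that gives Kerberos its replay protection, using the five-minute skew rule from the text. The replay-cache layout and the constructed request sequence are my assumptions; the two error names are the ones RFC 4120 defines for these cases.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)   # the chapter's five-minute rule


class AuthenticatorCheck:
    """Server-side check modelled on a Kerberos authenticator: the timestamp
    must be within MAX_SKEW of the server clock, and the same
    (client, timestamp) pair may not be accepted twice inside that window.
    The set-based cache is a simplification of the real replay cache."""

    def __init__(self) -> None:
        self._seen: set = set()   # (client, timestamp) pairs already accepted

    def _prune(self, now: datetime) -> None:
        # Anything older than the skew window would be rejected as stale
        # anyway, so it no longer needs to be remembered.
        self._seen = {k for k in self._seen if now - k[1] <= MAX_SKEW}

    def check(self, client: str, ts_iso: str, now_iso: str) -> str:
        ts = datetime.fromisoformat(ts_iso)
        now = datetime.fromisoformat(now_iso)
        self._prune(now)
        if abs(now - ts) > MAX_SKEW:
            return "KRB_AP_ERR_SKEW"      # clocks too far apart
        if (client, ts) in self._seen:
            return "KRB_AP_ERR_REPEAT"    # same authenticator presented again
        self._seen.add((client, ts))
        return "OK"


def simulate() -> list:
    """Constructed sequence: a valid request, a replay of it, a request from
    a client whose clock is seven minutes slow, then a fresh request."""
    chk = AuthenticatorCheck()
    return [
        chk.check("alice", "2024-01-01T10:00:00", "2024-01-01T10:00:01"),
        chk.check("alice", "2024-01-01T10:00:00", "2024-01-01T10:00:02"),
        chk.check("bob", "2024-01-01T09:53:00", "2024-01-01T10:00:03"),
        chk.check("alice", "2024-01-01T10:00:04", "2024-01-01T10:00:05"),
    ]
```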

NT LAN Manager (NTLM): NTLM is a legacy authentication protocol that stores passwords using the MD4 hash, which is very easy to crack. It was susceptible to the pass-the-hash attack; it was last used in a production environment in the 1990s.

Internet-based open source authentication

More and more people are accessing web-based applications and need an account to log in; however, the companies hosting the applications do not want to be responsible for creating and managing the accounts that access the application. They use OAuth to facilitate this:

Authentication, authorization, and accounting (AAA) servers

The two main AAA servers are Microsoft's Remote Authentication Dial-In User Service (RADIUS) and Cisco's Terminal Access Controller Access-Control System Plus (TACACS+). Both of these servers provide authentication, authorization, and accounting:

Authentication

A Virtual Private Network (VPN) allows someone working remotely, either from a hotel room or from home, to connect securely through the internet to the corporate network. More information on how the VPN operates is in Chapter 5, Understanding Network Components, of this book; in this chapter we are going to look at VPN authentication methods:

Figure 14: VPN

Figure 15: Challenge-Handshake Authentication Protocol

The client makes a connection request to the remote access server.

  1. The RAS server replies with a challenge that is a random string.

  2. The client uses his password as an encryption key to encrypt the challenge.

  3. The RAS server encrypts the original challenge with the password stored for the user. If both values match, then the client is logged on.
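The three steps above as working Python, added here and not taken from the book. It follows RFC 1994, where the response is an MD5 hash over the identifier, secret and challenge rather than an encryption of the challenge; the user name and secret are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in practice the RAS server holds one per user.
USERS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over identifier || secret || challenge.
    (The chapter calls this 'encrypting' the challenge; it is a hash.)"""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class RasServer:
    def __init__(self) -> None:
        self._pending = {}   # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        # Step 1: a fresh random challenge for every attempt, so a captured
        # response is useless against a later challenge.
        chal = secrets.token_bytes(16)
        self._pending[identifier] = chal
        return chal

    def verify(self, identifier: int, user: str, response: bytes) -> bool:
        # Step 3: recompute with the stored secret and compare in constant time.
        chal = self._pending.pop(identifier, None)   # a challenge is single-use
        secret = USERS.get(user)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def client_login(server: RasServer, user: str, password: bytes, identifier: int = 1) -> bool:
    chal = server.challenge(identifier)                 # step 1
    resp = chap_response(identifier, password, chal)    # step 2
    return server.verify(identifier, user, resp)        # step 3
```

Because the server must recompute the hash from the user's secret, it has to hold that secret in recoverable form; this is the kind of legacy requirement behind the "Store passwords using reversible encryption" policy setting covered earlier.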

Learning about Identity and access management controls

In this section, we are going to look at identity and access management controls, starting with biometrics and moving on to security tokens and certificates. Let us first look at biometric controls, followed by identity management using certificates.

Biometrics

Biometrics is a method of authentication using an individual's characteristics, for example a fingerprint, as everyone's fingerprints are different. In 1892, Inspector Eduardo Alvarez from Argentina made the first fingerprint identification, in the case against Francisca Rojas, who had murdered her two sons and cut her own throat in an attempt to place the blame on another; the inspector proved that she was guilty. We will now look at the types of biometrics:

Figure 16: iPhone fingerprint scanner

Retina and iris scanners both look at an individual's eye and the scanners themselves are physical devices.

Microsoft has released a facial recognition program called Windows Hello, which shipped with Windows 10; this uses a special USB infrared camera. Being infrared, it is much better than other facial recognition programs, which can have problems with lighting.

Figure 17: Crossover error rate

If the CER point is lower down the graph, there are fewer errors; if it is at the top of the graph, it indicates many errors and could prove more difficult to support. If this were the case, you would change your biometric system.

Security tokens and devices

There are different types of tokens that have different time limits; let us look at the difference between the Time-Based One-Time Password (TOTP) and the HMAC-based One-Time Password (HOTP):

Figure 18: TOTP

Certification-based authentication

Certificate-based authentication is very popular as it provides two-factor authentication, which makes it more secure than single-factor authentication such as a username and password. We will now look at various types:

Port-based authentication

IEEE 802.1X is a port-based authentication protocol that is used when a device connects to a switch or when a user authenticates to a wireless access point.

Authentication with a password with a short lifespan will be a Time-Based One-Time Password (TOTP).

Common account management practices

Account management ranges from account creation on start-up to disablement when someone leaves the company. Fully understanding these concepts is crucial to obtaining the Security+ certification.

Account types

Each user in a Microsoft Active Directory environment needs an account to access the network; the user account has a Security Identifier (SID) linked to it. When I create a user called Ian, they may have a SID of SID 1-5-1-2345678-345678. When the account is deleted the SID is gone, and a new account gets a new SID.

For example, a member of the IT team has deleted a user account called Ian, which may have had a SID of SID 1-5-1-2345678-345678, so he quickly creates another account called Ian; this account cannot access the old resources as it has a new SID of SID 1-5-1-2345678-3499999. The first portion, reading from left to right, identifies the domain, and the remainder is a serial number that is never reused.

There are various different types of user accounts and these are heavily tested in the Security+ exam; you must know when you would need each account:

A guest speaker should be allocated a sponsored guest account.

A service account is a type of administrator account used to run an application.

When you need to monitor or audit to an employee level, you must eliminate the use of shared accounts.

If you do not change the default username and password on household devices, it is possible for a cybercriminal to hack into your home. This includes baby monitors, TVs, ovens, and refrigerators.

Account creation

Multinational corporations create hundreds of accounts annually and need a standardized format; this is called a standard naming convention. Account templates are copied and modified with the details of new employees. Some examples of standard naming conventions are:

If you have John Smith and Jack Smith you would have two J Smiths, therefore you may also use a middle initial—J A Smith—or a number at the end—J Smith1—to make them unique.

All user accounts need to be unique so that each person is responsible for their own account. If you leave your computer logged on to the network whilst you go for a coffee and someone deletes data using your account then you are held responsible. A good practice would be to lock your screen while you are not at your desk to prevent this.

Without a standard naming convention, accounts would be created differently and cause chaos when you tried to find users in your directory service.

Employees moving departments

When employees move between departments, IT teams normally modify their account for the next department they move to; they don't generally get a new account. In the Security+ exam, when people move department, they are given new accounts and the old account is active until it has been disabled.

Disabling an account

There are a few times when the IT team will disable accounts as good practice; let us look at the reasons for this:

When an employee leaves a company the first stage is that the account is disabled and not deleted. You will also reset the password so that the old account holder cannot use the account.

Account recertification

Account recertification is a process where an auditor will review all of the user accounts. The auditor will have a matrix showing all of the active accounts and what privileges and access that they should have. If the auditor finds anything wrong then he will report it to the management, who will then either write a new account policy or make changes to the management of accounts using change management. For the purpose of the exam the auditor should be looked at as a snitch—he will never take any action but he will report his findings to the management.

Account maintenance

Account maintenance is ensuring that accounts are created in accordance with the standard naming convention, disabled when the employee initially leaves, then deleted maybe 30 days later.

Account monitoring

If you wish to find out when a user account has been granted a new set of privileges, this can only be done via active monitoring of the accounts. This could be automated by using a security information and event management (SIEM) system, which will create alerts about changes to the system. You will not be alerted by a user account review, as there could be 6-12 months between reviews; you may need to know immediately.

If you want to know immediately when there is a change to a user account such as it being given higher privileges then you need active account monitoring.