Chapter 14 Controlling and Monitoring Access Flashcards

1
Q

What is the difference between permissions, rights, and privileges?

A

Permissions: Refer to access granted for an object and determine what you can do with it. Read/create/edit/delete. Same as access rights. Example: if you have read and execute permissions for a file, you can run it.

Rights: Refer to the ability to take an action on an object. Example: a user with the right to modify the system time on a computer or to restore backed-up data. Rights pertain to accounts, and permissions to objects.

Privileges: Combination of rights and permissions.

2
Q

What are common authorization mechanisms?

A

Access control models use different mechanisms.

–Implicit deny: Most models use this. Access is denied unless explicitly granted. Also known as deny by default.
–Access Control Matrix: A table that includes subjects, objects, and assigned privileges. When a user attempts an action, the system checks to see if he/she has the privileges to do so. Each file within the matrix has a separate ACL. These are object focused.
–Capability tables: A table focused on subjects (users, groups, or roles). For example, a table for the accounting role lists all objects that people with that role can access.
–Constrained Interface: Restrictions based on privileges. For example, the interface may hide capabilities if the user doesn’t have permissions. Other times, a menu item will be dimmed. The Clark-Wilson model determines how this is implemented.
–Content-Dependent control: Restricts based on the content within an object. Example: a customer-based view of a customer database would show only names and emails but not credit cards.
–Context-Dependent control: Requires specific activity before granting access. For example, you can’t begin the purchase process until you put something in your shopping cart. You can also use date and time controls.
–Need to know: The NTK principle, not a specific technical control.
–Least Privilege
–Separation of duties

3
Q

Describe access control models.

A

DAC: Every object has an owner, and the owner can grant or deny access to any other subject. The New Technology File System (NTFS) on Windows uses DAC.

Nondiscretionary access control requires administrators who govern the whole environment.

RBAC: Assigns based on roles, typically job functions. Windows implements this with groups. Helps prevent privilege creep.

Rule-Based Access Control: Applies global rules to all subjects. An example is a firewall rule that blocks traffic equally for everyone. These rules may be known as restrictions or filters.

Attribute-Based Access Control: Rules can include multiple attributes. Many SDNs use these. Also allows plain-language statements, such as “Allow Managers to access the WAN using mobile devices.”

Mandatory Access Control: Use of labels for subjects and objects. If a user has a label of top secret, he/she can access a top secret document. Also known as a lattice model.

Risk-Based Access Control: Grants access after evaluating risk. Checks the environment and the situation. Uses machine learning.

4
Q

What are the three environments for MAC controls?

A

Can follow three models:
–hierarchical. Ordered structure from low to high. If you have TS, you can see anything in C and S.
–compartmented. No relationship between one security domain and another. To gain access to an object, you must have specific clearance for that domain.
–hybrid. Combines both types. For example, if something in secret has a special label, TS would not be enough.

5
Q

What is XML?

A

XML can include tags to describe data as anything desired. For example, <ExamResults>Passed</ExamResults>. Databases from multiple vendors can import and exchange data using XML. Many cloud-based providers use XML-based languages to share authentication and authorization information.

6
Q

What is SAML?

A

Security Assertion Markup Language. An open XML-based standard used to exchange authentication and authorization (AA) information between federated organizations.

The Organization for the Advancement of Structured Information Standards (OASIS) maintains SAML. SAML 2.0 utilizes three entities: the principal, the service provider, and the identity provider. If I am trying to log in, I am the principal. The service provider is where I want to get to. The identity provider is the third party that holds authentication and authorization information. When I enter my creds, they are sent to the IdP, which responds with XML messages.

The IdP can send three types of messages:
–Authentication Assertion: Provides proof that the user provided the proper credentials, identifies the identification method, and identifies the time of logon
–Authorization Assertion: Indicates whether the user is authorized to access the requested service, or if not, why
–Attribute Assertion: Any information about the user

7
Q

What is OAuth?

A

Maintained by the IETF. This is where you would use Facebook or Twitter to log in. When you try to log into one site, it redirects you to the social media company. The social media company prompts you to log on, shows you what permissions the other site will have, and asks if you want to authorize. If you do, the social media company sends an authorization token. The original site then accesses the social media account via API using the token. This does not provide authentication, only authorization.

Many sites support OAuth 2.0 but not 1.0, and it’s not backward compatible.

8
Q

What is OpenID?

A

Maintained by the OpenID foundation. Provides decentralized authentication, so users can log into multiple unrelated sites with one set of credentials.

When you go to an OpenID-authorized site, aka a relying party, you provide your OpenID identity. The OpenID-enabled Website and OpenID provider exchange data. It’s always obvious you are doing this because you have to enter your OpenID identifier, like bob.openid.com.

9
Q

What is OIDC?

A

OpenID Connect is an authentication layer using OAuth 2.0. It provides both authentication and authorization. It is also maintained by the OpenID Foundation. Builds on OpenID but uses a JavaScript Object Notation (JSON) Web Token (JWT), aka ID token. It uses a Web service to retrieve the token. Example: log into eBay with a Google account.

10
Q

How does Kerberos work?

A

Ticket authentication is a mechanism that uses a third-party entity to prove identification and provide authentication. Kerberos is the best known. Authentication is the primary purpose. Once you authenticate, it uses that to issue tickets to user accounts, which present the tickets when accessing resources.

It offers SSO for users and protects logon credentials. V5 relies on symmetric key cryptography using AES. It provides confidentiality and integrity for authentication traffic and protects against replay attacks and eavesdropping.

Many Kerberos roles are on a single server, but they do not have to be:
–Key Distribution Center (KDC): the trusted third party that provides authentication services. All clients and servers are registered with the KDC, and it maintains the secret keys for all network members.
–Kerberos Authentication Server: Hosts the functions of the KDC. It includes a ticket-granting service (TGS) and an authentication service (AS). The AS verifies or rejects the authenticity and timeliness of tickets.
–Ticket: An encrypted message that provides proof that a subject is authorized to access an object. Sometimes called a service ticket (ST). They have specific lifetimes and usage parameters.
–Ticket-Granting Ticket: TGT provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects. It is encrypted and includes a symmetric key, an expiration time, and the user’s IP address. Present the TGT when requesting tickets.
–Kerberos Principal: Kerberos issues tickets to Kerberos Principals. This is typically a user but can be any entity that needs a ticket.
–Kerberos Realm: An area controlled or ruled by something. It is a logical area. Principals within the realm can request tickets.

Kerberos requires a database of accounts, typically stored in a directory service such as AD. It exchanges tickets between clients, network servers, and the AD. Process:
–user types in a username and password
–client encrypts the username with AES for transmission to the KDC
–KDC verifies the username against a database of known credentials
–KDC generates a symmetric key for the client and Kerberos server to use. Encrypts it with a hash of the password. Also generates a TGT
–KDC then transmits the key and ticket to the client
–the client installs the TGT for use until it expires, and decrypts the key.
Note: the password is never transmitted over the network. However, it is verified, because the hashing would not work otherwise.

When the client wants to access an object, it requests a ticket:
–Client sends the TGT back to the KDC
–KDC verifies the TGT is still valid and checks its access control matrix
–KDC generates a service ticket and sends it to the client
–Client sends the ticket to the server or service hosting the resource
–Server or service verifies the ticket with the KDC
–Once identity and authorization are verified, Kerberos activity is complete

Kerberos represents a single point of failure. If the KDC is compromised, the secret key for every system is compromised. If it goes offline, no authentication can occur. It also has strict time requirements: systems must be within five minutes of each other. In an AD domain, one domain controller synchronizes its time with an external Network Time Protocol server, and all other domain controllers sync with the first.

11
Q

What is RADIUS?

A

Remote Authentication Dial-In User Service centralizes authentication for remote access connections such as VPNs. Typically used when an organization has more than one network access server. A user connects to any network access server, which passes credentials to the RADIUS server. In this context, the network access server is the client, and the RADIUS server is the authentication server. Many ISPs use RADIUS for authentication. Organizations also can use it, and often do so with location-based security. For example, if the user connects from an IP address, the system uses geolocation; if the user connects over ISDN dial-up, the RADIUS server terminates the connection after authentication and calls back a predetermined line.

RADIUS uses UDP by default and encrypts only the password exchange. It can use other protocols to encrypt the whole exchange, such as TLS over TCP. When using TLS, it uses TCP port 2083. It uses UDP port 1812 for RADIUS messages and UDP port 1813 for Accounting messages.

12
Q

What is TACACS+?

A

Cisco developed it as an improvement over RADIUS. Terminal Access Controller Access-Control System Plus. Separates authentication, authorization, and accounting into separate processes, which can be hosted on three different servers. Also, all authentication traffic is encrypted. Uses TCP port 49.

13
Q

Describe Kerberos attacks

A

Kerberos is susceptible to various attacks. Tools include Mimikatz, Rubeus, and Impacket. Rubeus is written in C# and used on Windows, and Impacket is written in Python and used on Linux.

–Overpass the hash: Used when NTLM is disabled. Systems still create an NTLM hash when it’s disabled. An attacker can request a TGT with the hash and use it to request network resources. Also known as pass the key.
–Pass the ticket: Attacker attempts to harvest tickets held in lsass.exe and then inject them to impersonate the user.
–Silver ticket: Uses the captured NTLM hash of a service account to create a TGS ticket. Service accounts use TGS tickets instead of TGT tickets. The attacker gets all the privileges the service account has.
–Golden ticket: Attacker obtains the hash of the Kerberos service account, so they can create tickets at will. The KRBTGT account encrypts and signs all tickets within a domain with a hash of its own password, and the password never changes. If the attacker gains access to a domain admin account, they can log into a domain controller remotely and run Mimikatz to extract the hash.
–Kerberos brute force: Attacker uses a Python script on Linux or Rubeus on Windows to guess passwords.
–ASREPROAST: Identifies users that don’t have Kerberos preauthentication enabled. Preauthentication is a feature that prevents password-guessing attacks. When it is disabled, attackers can send an authentication request to a KDC, which will reply with a TGT encrypted with the client’s password as the key. The attacker then performs an offline attack to decrypt the ticket and find the password.
–Kerberoasting: Collects encrypted TGS tickets so the passwords can be cracked offline.
