4.4 Differentiate common account management practices Flashcards
Account types
There are two main types of accounts. Standard users typically have limited privileges. Administrative accounts are able to install and remove programs and drivers, change system-level settings, and access any object in the file system.
Shared and generic accounts/credentials
One where passwords (or other authentication credentials) are known to more than one person. A shared account breaks the principle of non-repudiation and makes an accurate audit trail difficult to establish.
Guest accounts
A special type of shared account with no password. It allows anonymous and unauthenticated access to a resource.
Service accounts
Used to schedule processes, such as maintenance tasks, or may be used by application software, such as databases, for account or system access.
Least privilege
The policy that a user, group, or role should be allocated the minimum sufficient permissions to be able to perform its job function and no more.
Onboarding/offboarding
Onboarding: the process of ensuring accounts are only created for valid users, only assigned the appropriate privileges, and that the account credentials are known only to the valid user. Appropriate privileges are usually determined by creating workflows for each function that the user or user role performs.
Offboarding: the process of withdrawing user privileges, either when the user stops performing in a certain role or within a project group, or leaves the organization completely.
Permission auditing and review
A system that reviews privileges. Auditing would include monitoring group membership and reviewing access control lists for each resource plus identifying and disabling unnecessary accounts.
Usage auditing and review
Means configuring the security log to record key indicators and then reviewing the logs for suspicious activity.
Recertification
A security control where user access privileges are audited to ensure they are accurate and adhere to relevant standards and regulations.
Standard naming convention
The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point in the directory information tree.
Account maintenance
Creating an account, modifying account properties, disabling an account, changing an account’s password, and so on.
Group-based access control
Allows you to set permissions (or rights) for several users at the same time. Users are given membership to the group and then the group is given access to the resource or allowed to perform the action.
Location-based policies
Location-based policies are also often used as a part of Network Access Control (NAC) to determine whether access to the network itself should be granted.
Credential management
Instructs users on how to keep their authentication method secure (whether this be a password, smart card, or biometric ID).
Group policy objects
A means of applying security settings (as well as other administrative settings) across a range of computers and users.