Flashcards in Chapter 4 Access Control, Authentication, Authorization Deck (28)
What is Access Control?
The act of allowing only authorized users into a system and keeping everyone else out.
Identification vs. Authentication
Identification is claiming who you are (for example, presenting a username). Authentication is proving that claim.
5 different forms of authentication
Something you know: password or PIN
something you have: smart card or token
Something you are: biometrics
Something you do: an action you perform as part of authenticating, such as a signature or a typing pattern
Somewhere you are: location, such as GPS or IP geolocation (more often used as a risk signal than as a stand-alone factor)
Single-factor authentication
Just one form of authentication, usually a username and password.
Multifactor authentication
Using more than one of the factors above, for example a password plus a token. Two passwords are still a single factor.
Layered Security and Defense In Depth
Essentially means having more than one type of security control in place, layered so that if one is bypassed an attacker still has to defeat the next.
Authenticates the user. Essentially a small piece of information that tells the computer who you are.
A collection of networked computers that agree on communication standards
IM programs are an example of this
If A trusts B and B trusts C, A may implicitly trust C. A transitive trust makes this chaining explicit; with a non-transitive trust, A would have to trust C directly.
Password Authentication Protocol (PAP)
-Legacy protocol that sends the username and password to the authentication server in plaintext.
Shiva Password Authentication Protocol (SPAP)
-Main difference from PAP is that the password is encrypted in transit.
-Still less secure than CHAP and susceptible to replay attacks.
Challenge Handshake Authentication Protocol (CHAP)
-The server sends the client a random challenge; the client hashes the challenge together with the shared secret (MD5) and sends back only the hash, so the password itself never crosses the link.
-The server recomputes the hash and compares. It periodically re-challenges during the session, so a captured response can't be replayed later.
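The exchange described on the CHAP card, as an added example that is not part of the original deck: the response is the RFC 1994 digest MD5(Identifier || Secret || Challenge), the authenticator keeps one outstanding challenge per peer and consumes it on first use, and a replay of a sniffed response against a later challenge fails. The peer name, shared secret and the `run_exchange` helper are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over Identifier || Secret || Challenge.

    The secret never leaves either peer; only this digest crosses the link.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a fresh challenge per round and checks the reply."""

    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets        # peer name -> shared secret (provisioned out of band)
        self.outstanding = {}         # peer name -> (identifier, challenge) awaiting a reply

    def challenge(self, peer: str) -> tuple[int, bytes]:
        identifier = os.urandom(1)[0]         # 8-bit round identifier
        challenge = os.urandom(16)            # fresh random challenge value
        self.outstanding[peer] = (identifier, challenge)
        return identifier, challenge

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        # A challenge is consumed on first use: each response is bound to one round.
        expected_id, challenge = self.outstanding.pop(peer, (None, None))
        if challenge is None or identifier != expected_id or peer not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[peer], challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class ChapPeer:
    """Client side: answers whatever challenge the authenticator sends."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def run_exchange() -> tuple[bool, bool, bool]:
    """Returns (initial auth ok, periodic re-auth ok, replayed old response accepted)."""
    secret = b"correct horse battery staple"          # constructed shared secret
    server = ChapAuthenticator({"alice": secret})
    alice = ChapPeer("alice", secret)

    # Round 1: normal three-way handshake
    ident, chal = server.challenge("alice")
    captured = alice.respond(ident, chal)             # what an eavesdropper would see
    first_ok = server.verify("alice", ident, captured)

    # Round 2: the server re-challenges mid-session; Alice answers the new challenge
    ident2, chal2 = server.challenge("alice")
    second_ok = server.verify("alice", ident2, alice.respond(ident2, chal2))

    # Round 3: an attacker replays the sniffed round-1 response against a new challenge
    ident3, _ = server.challenge("alice")
    replay_ok = server.verify("alice", ident3, captured)
    return first_ok, second_ok, replay_ok


if __name__ == "__main__":
    print(run_exchange())   # (True, True, False)
```

MD5 is what RFC 1994 specifies, which is one reason CHAP is treated as legacy: the scheme resists replay of the response, but an eavesdropper who captures a challenge/response pair can still mount an offline dictionary attack on the shared secret.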
Time-Based One Time Password (TOTP)
-Derives a short-lived code from a shared secret and the current time (usually 30-second steps), so each code is unique to its time window.
-Google Authenticator is a good example
-Uses an HMAC (Hash-based Message Authentication Code) over the time counter to generate the code (RFC 6238, built on HOTP from RFC 4226)
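How an authenticator app turns the shared seed and the clock into a six-digit code, as an added example rather than code from the deck or from Google Authenticator: HOTP per RFC 4226 (HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits), TOTP per RFC 6238 with counter = floor(time / 30), and a verifier that tolerates one step of clock drift. The seed `12345678901234567890` is the RFC 6238 test-vector seed; the base32 string and the drift window are assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamic truncation, then `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)            # keep leading zeros


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, code: str, for_time=None, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift).

    A real verifier should also remember the last accepted counter per user so the
    same code can't be submitted twice inside its validity window.
    """
    now = time.time() if for_time is None else for_time
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps take the seed as base32 (the otpauth:// URI's `secret` parameter)."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    seed = b"12345678901234567890"                 # RFC 6238 test-vector seed (ASCII)
    print(totp(seed, for_time=59, digits=8))        # 94287082, per the RFC's SHA-1 table
    print(totp(secret_from_base32("JBSWY3DPEHPK3PXP")))   # current code for a constructed seed
```

The verifier compares with `hmac.compare_digest` so that a timing side channel does not leak how many digits matched; the drift window is the usual trade-off between users with slightly wrong clocks and the number of codes an attacker could guess at once.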
Password Length and Complexity
(account policy enforcement, page 139)
On Windows, enabling password complexity requires that a password:
-Cannot contain the user's account name, or any part of the user's full name longer than two consecutive characters
-Must be at least six characters long (Microsoft's built-in rule; many organizations set a higher minimum such as eight)
-Must contain characters from three of the following four categories: uppercase letters, lowercase letters, digits, non-alphanumeric characters
(account policy enforcement, page 140)
Password Expiration
90 days is a common maximum password age, but Microsoft's default is 42 days. Enable password history as well so users can't just rotate back to the same password every time.
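A change-password check that applies the complexity rules and password history from the two cards above, written as an added example and not taken from the deck or from Windows itself. It follows the Windows complexity rule (account name of 3+ characters, full-name tokens of 3+ characters split on the usual delimiters, three of four character categories) with an assumed local minimum of eight characters, and keeps salted PBKDF2 hashes of the last N passwords so a "new" password that matches one of them is rejected. The user names, the history depth and the sample passwords are constructed.

```python
import hashlib
import os
import re

MIN_LENGTH = 8          # assumed local minimum; Windows' built-in complexity rule only requires 6
HISTORY_DEPTH = 24      # assumed "enforce password history" depth for this example

# Windows splits the full name on these delimiters and checks every token of 3+ characters.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def _name_parts(full_name: str) -> list[str]:
    return [t for t in _NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def check_complexity(password: str, account_name: str, full_name: str = "") -> list[str]:
    """Return the list of rules the password breaks (an empty list means it passes)."""
    problems = []
    lowered = password.lower()                       # all name checks are case-insensitive

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # The account name is checked only when it is at least 3 characters long.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains the account name")

    for part in _name_parts(full_name):
        if part.lower() in lowered:
            problems.append(f"contains part of the full name ({part})")

    categories = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),      # punctuation, symbols, space, etc.
    ])
    if categories < 3:
        problems.append(f"uses only {categories} of the 4 character categories")
    return problems


class PasswordHistory:
    """Keeps salted hashes of the last N passwords so a rotation can't reuse one."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries: list[tuple[bytes, bytes]] = []   # (salt, digest), oldest first

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def is_reused(self, password: str) -> bool:
        return any(self._digest(password, salt) == d for salt, d in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        del self._entries[:-self.depth]                 # forget anything beyond the window


def change_password(history: PasswordHistory, new_password: str,
                    account_name: str, full_name: str = "") -> list[str]:
    """Full check a change-password handler would run; records the password on success."""
    problems = check_complexity(new_password, account_name, full_name)
    if history.is_reused(new_password):
        problems.append(f"matches one of the last {history.depth} passwords")
    if not problems:
        history.record(new_password)
    return problems
```

Storing the history as per-entry salted PBKDF2 digests means the history file is no more useful to an attacker than the current password hash; a history kept as reversible or unsalted values would be the kind of server-side risk the later SSO card warns about.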
Remote Authentication Dial-In User Service (RADIUS)
-Allows authentication of remote and other network connections. It was originally designed for dial-up, but it is still widely used (VPN and wireless logins, for example).
-If there's only one RADIUS server on a network, it is a single point of failure: if it goes down, nobody can authenticate.
-More RADIUS servers, with clients configured to fail over between them, means more resilience.
Terminal Access Controller Access-Control System Plus (TACACS+)
A good competitor to RADIUS; Cisco uses it as its standard. Unlike RADIUS, which combines authentication and authorization in one exchange, TACACS+ separates authentication, authorization and accounting into distinct steps, and it encrypts the whole packet body rather than just the password.
Security Assertion Markup Language (SAML)
An XML-based standard for exchanging authentication and authorization assertions, generally used by service providers to accept logins from an identity provider instead of handling users' passwords themselves.
Kerberos
Uses a Key Distribution Center (KDC) to authenticate the principal (a user or service) and issue it a ticket.
-The ticket-granting ticket proves the principal has authenticated; service tickets obtained with it are presented to each service.
-The weakness is the KDC as a single point of failure (and everything depends on the clocks being synchronized).
Single Sign-On (SSO)
Gives the authenticated user access to everything they're entitled to without logging in again. Credentials are centralized on a server, which poses a significant risk: compromise of that one login, or of the server, opens every connected system.
Mandatory Access Control (MAC)
High security and inflexible
Every object carries a sensitivity label and every user a clearance; rights and privileges are defined and, if need be, changed only by the admin, never by the data's owner.
Discretionary Access Control (DAC)
A little more flexible
The owner of an object decides who can access it, so users can share information with each other dynamically.
Role-Based Access Control (RBAC)
Permissions are assigned to roles (job functions) and users get permissions by being placed in roles, much like establishing group policy.
Rule-Based Access Control (RBAC)
Access decisions come from the settings in a preconfigured security policy (rules such as time of day or source address), not from who the individual user is.
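The four models on the cards above, side by side in one added example (not code from the deck): a MAC check where a policy of labels and clearances decides (Bell-LaPadula style no-read-up and no-write-down rules are used as the example policy), a DAC object whose owner is the only one who can extend its ACL, an RBAC lookup that goes user to role to permission, and a rule-based check that walks a preconfigured rule list top-down like a firewall. The labels, users, roles, networks and hours are all constructed.

```python
import ipaddress

# ---- Mandatory Access Control: labels and clearances, set by policy, not by owners ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_can_read(clearance: str, label: str) -> bool:
    """No read up: a subject may read an object only if its clearance dominates the label."""
    return LEVELS[clearance] >= LEVELS[label]


def mac_can_write(clearance: str, label: str) -> bool:
    """No write down: a subject may not copy data into an object labeled below its clearance
    (Bell-LaPadula confidentiality rules, assumed here as the example MAC policy)."""
    return LEVELS[clearance] <= LEVELS[label]


# ---- Discretionary Access Control: the object's owner manages its ACL ----
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl: dict[str, set[str]] = {owner: {"read", "write"}}

    def grant(self, grantor: str, grantee: str, perms: set[str]) -> bool:
        """Only the owner may share; returns False (and changes nothing) otherwise."""
        if grantor != self.owner:
            return False
        self.acl.setdefault(grantee, set()).update(perms)
        return True

    def allowed(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())


# ---- Role-Based Access Control: permissions hang off roles, users are placed in roles ----
ROLE_PERMS = {
    "helpdesk": {"reset_password"},
    "dba": {"read_db", "write_db"},
    "auditor": {"read_db", "read_logs"},
}
USER_ROLES = {"carol": {"helpdesk"}, "dana": {"auditor"}, "eve": set()}   # constructed


def rbac_allowed(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, set()))


# ---- Rule-Based Access Control: a preconfigured rule list, evaluated top-down like a firewall ----
RULES = [
    # (description, source network, allowed hours [start, end), verdict)
    ("corp LAN during business hours", "10.0.0.0/8", (8, 18), True),
    ("VPN pool any time", "192.0.2.0/24", (0, 24), True),
    ("default deny", "0.0.0.0/0", (0, 24), False),
]


def rule_allowed(src_ip: str, hour: int) -> bool:
    """First matching rule wins; nothing in the list matching means deny."""
    ip = ipaddress.ip_address(src_ip)
    for _desc, net, (start, end), verdict in RULES:
        if ip in ipaddress.ip_network(net) and start <= hour < end:
            return verdict
    return False


if __name__ == "__main__":
    print(mac_can_read("secret", "confidential"), mac_can_read("confidential", "secret"))   # True False
    doc = DacObject("alice")
    doc.grant("alice", "bob", {"read"})
    print(doc.allowed("bob", "read"), doc.grant("bob", "mallory", {"read"}))               # True False
    print(rbac_allowed("dana", "read_db"), rbac_allowed("dana", "write_db"))                # True False
    print(rule_allowed("10.1.2.3", 9), rule_allowed("10.1.2.3", 22))                        # True False
```

The contrast to notice is where the decision lives: in MAC it is in the labels and nobody but the administrator can relax it; in DAC it is in an ACL the owner can extend at will (which is why DAC is flexible and also why it leaks); in RBAC it is in the role definitions, so a user access review is a review of role membership; in rule-based control it is in the rule list and does not depend on the user's identity at all.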
User Access Review
Periodically review each employee's permissions to make sure they haven't accumulated more access than their current job needs (privilege creep).
Common Access Card (CAC)
Smart cards used by the DoD for identification and authentication
-The front carries the holder's photo, beneath which is a contact chip and a barcode; the back has a magnetic stripe and another barcode