Module 7:
Access management is a fundamental component of cybersecurity. It involves controlling and regulating who can access specific resources within an organization's network or systems. This practice ensures that only authorized individuals or entities can interact with sensitive data and systems, and it is vital for a CompTIA Security+ professional to understand in order to maintain the confidentiality, integrity, and availability of an organization's information.
Managing Identity and Access
- Implement Identity and Access Management
- Configure Directory Services
- Configure Access Services
- Manage Accounts
Identity and Access Management (IAM)
A security process that provides identity, authentication, and authorization mechanisms for entities to work with organizational assets.
You can define attributes in an identity, such as purpose, function, clearance, etc.
- Attributes enable access systems to make decisions for authentication and authorization.
- Example: Employee role factors into identity, like department and managerial status.
IAM is crucial for bolstering overall IT security.
Access Control Models
Access Control Model | Description |
---|---|
MAC | Compares the object's security designation with the subject's clearance level. Clearance level must meet or exceed designation to gain access. Security labels usually changed by administrator only. |
DAC | Access to object is controlled through ACLs. Owner can place subject on ACL or not. Object owners can usually modify object ACLs. |
RBAC | Subjects assigned predefined roles. Subject must be in a certain role to access object. Roles assigned to subjects based on policies. |
Rule-based access control | Based on operational rules or restrictions. Restricting access based on time of day is an example. Rule sets examined before subject is given access to objects. |
ABAC | Based on set of attributes the subject possesses. Follows if x, then y procedure. Example: If subject has all required attributes, then grant access. Attributes are created ahead of time and assigned as needed. |
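The five models in the table differ in what the decision is made from: a label comparison (MAC), an owner-managed ACL (DAC), role membership (RBAC), an environmental rule such as time of day (rule-based), or a match on subject attributes (ABAC). The following is an added example, not course material; the subjects, resource, clearance ordering and working hours are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed example (not from the course material): one decision function per model.
# MAC labels ordered low to high; the subject's clearance must meet or exceed the object's label.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass
class Subject:
    name: str
    clearance: str = "public"                        # MAC
    roles: set = field(default_factory=set)          # RBAC
    attributes: dict = field(default_factory=dict)   # ABAC

@dataclass
class Resource:
    name: str
    owner: str
    label: str = "public"                            # MAC security designation
    acl: dict = field(default_factory=dict)          # DAC: subject name -> allowed actions
    role_perms: dict = field(default_factory=dict)   # RBAC: role -> allowed actions
    required_attrs: dict = field(default_factory=dict)  # ABAC: attribute -> required value

def mac_allows(subject, resource):
    return LEVELS[subject.clearance] >= LEVELS[resource.label]

def dac_allows(subject, resource, action):
    return action in resource.acl.get(subject.name, set())

def dac_grant(actor, resource, grantee, action):
    # Only the object owner may change the ACL; anyone else is rejected.
    if actor.name != resource.owner:
        raise PermissionError(f"{actor.name} does not own {resource.name}")
    resource.acl.setdefault(grantee, set()).add(action)

def rbac_allows(subject, resource, action):
    return any(action in resource.role_perms.get(r, set()) for r in subject.roles)

def rule_allows(now, start=time(8, 0), end=time(18, 0)):
    # Rule-based: a time-of-day restriction examined before any other decision.
    return start <= now <= end

def abac_allows(subject, resource):
    # "if x, then y": every required attribute must match the subject's attributes.
    return all(subject.attributes.get(k) == v for k, v in resource.required_attrs.items())

def demo():
    alice = Subject("alice", clearance="secret", roles={"payroll"},
                    attributes={"department": "finance", "clearance_ok": True})
    bob = Subject("bob", clearance="confidential", roles={"helpdesk"},
                  attributes={"department": "it"})
    salaries = Resource("salaries.xlsx", owner="alice", label="secret",
                        role_perms={"payroll": {"read", "write"}},
                        required_attrs={"department": "finance", "clearance_ok": True})
    dac_grant(alice, salaries, "bob", "read")   # owner places bob on the ACL
    return {
        "mac_alice": mac_allows(alice, salaries), "mac_bob": mac_allows(bob, salaries),
        "dac_bob_read": dac_allows(bob, salaries, "read"),
        "dac_bob_write": dac_allows(bob, salaries, "write"),
        "rbac_alice_write": rbac_allows(alice, salaries, "write"),
        "rbac_bob_read": rbac_allows(bob, salaries, "read"),
        "rule_lunch": rule_allows(time(12, 30)), "rule_night": rule_allows(time(23, 0)),
        "abac_alice": abac_allows(alice, salaries), "abac_bob": abac_allows(bob, salaries),
    }
```

Note that bob is on the DAC ACL yet still fails MAC, RBAC and ABAC for the same resource: real systems typically combine models, and access is granted only when every applicable check passes.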
Physical Access Control Devices
- Many organizations can't rely solely on software-based access control.
- Devices can be a subject's token or the authenticating device itself.
- Devices can work with both physical controls and virtual controls.
- Subject token example: smart cards and proximity cards.
- Authenticating device example: card reader.
- Some authenticating devices work with other factors (e.g., biometrics).
Biometric Devices
Fingerprint scanners:
- Capture live image of a person’s fingerprint.
- Virtually unique to each individual, so reasonably accurate.
Voice recognition devices:
- Person speaks into a microphone which records a voiceprint.
- System attempts to match voiceprints.
- Voice can be recorded and replicated, but is difficult to accurately mimic.
Retinal scanners:
- Scan blood vessels in retina portion of the eye.
- Blood vessels are complex; they don't change except from disease or injury.
- Invasive as it requires the device to be very close to the eye.
Iris scanners:
- Scan the entire iris of a person's eye.
- Capture near-infrared image from comfortable distances.
- Iris is less likely to be affected by diseases.
Facial recognition devices:
- Take digital image of entire face.
- Identify unique features like distance between eyes, nose length and width, etc.
- Prone to error due to changes in lighting, hair, makeup, etc.
Certificate-Based Authentication
Digital certificates prove identity of public key owner.
Personal Identity Verification (PIV):
- The federal standard for tamper-resistant smart cards that provide authentication using digital certificates.
- Used by civilian federal employees and contractors.
- Used to access facilities and systems.
Common Access Card:
- A PIV-like smart card for DoD personnel that provides certificate-based authentication.
File System and Database Access
- Access control to file systems depends on type and operating system.
- You may be able to implement an access control model like DAC.
Example: Active Directory in Windows.
- Maintains ACLs of what subjects can access an object.
You can set granular permissions:
- Employee with read-only access to the department's network folder.
- Can also create new subfolders.
- Can't modify files or delete higher-level folders.
Database access control depends on software implementation.
- Typically control access to specific database elements, like a table.
Also control access based on commands.
- Selecting, updating, modifying, and creating elements.
Guidelines for Implementing IAM
- Consider adding IAM to the overall security management process.
- Familiarize yourself with access control models.
- Decide on access models that uphold business, security and environment needs.
- Consider implementing physical access control devices like smart cards.
- Recognize strengths and weaknesses of biometric devices.
- Consider implementing biometric devices like iris scanners.
- Consider implementing certificate-based authentication devices.
- Consider that PIV or CACs may be mandatory in federal environments.
- Implement access control models at the file system level.
- Implement access controls that come with database software.
Directory Services
A network service that stores identity information about all objects in a particular network.
Objects can include:
- Users
- Groups
- Servers
- Clients
- Printers
- Network services
- Centralizes security for controlling access to network resources.
- Structure is based on a hierarchy of objects.
- Starts with root and branches out to other objects.
- Helps categorize objects in a network.
Lightweight Directory Access Protocol (LDAP)
A directory service protocol that runs over TCP/IP networks.
- LDAP clients authenticate to LDAP service.
Schema defines:
- Tasks clients can and cannot perform while accessing directory
- The form a directory query must take.
- How directory server will respond.
Schema is extensible.
Secure LDAP
A method of implementing LDAP using SSL/TLS encryption.
- Prevents eavesdropping and man-in-the-middle attacks.
- Forces client and server to establish secure connection first.
- Closes the connection if it is interrupted.
LDAPS server requires a signed certificate.
- Client must install certificate on their machine.
Common Directory Services
Directory Service | Description |
---|---|
Active Directory | Directory service by Microsoft. Holds network object info for one or more domains. Admins can manage object access through ACLs. AD LDS is a lightweight version. |
Oracle Directory Server Enterprise Edition (ODSEE) | Marketed toward large installations that require reliable scaling. Free, but paid support is available. Formerly known as Sun Java System Directory Server. |
OpenDJ | Open source cross-platform directory service written in Java. Supports LDAPv3 and DSMLv2. Based on Sun's OpenDS service. |
OpenLDAP | Open source cross-platform LDAP implementation. Included in many Linux distros. |
Open Directory | Apple's custom implementation of OpenLDAP. Available for macOS Server. Some compatibility with Active Directory. |
Remote Access Methods
- Organizations can provide users with several methods of remote access.
- Customers and employees can remotely access network resources.
- A gateway RAS can provide access control to all or part of a network.
- An intermediate network like the Internet can also provide remote access.
- Security personnel must secure transmissions that pass over a public network.
Tunneling
- A data-transport technique in which a data packet is encrypted and encapsulated in another data packet.
- Tunneling conceals information of the inside packet.
- Hides user-encrypted data from carrier network.
- Used in remote access protocols, typically in VPN.
Remote Access Protocols
Protocol | Description |
---|---|
PPP | Legacy standard for sending datagram packets over point-to-point links. Commonly used for dial-up Internet access. PPPoE and PPPoA are more recent and used in DSL. Provides encryption for passwords and secure authentication. |
PPTP | Microsoft VPN layer 2 protocol. Provides tunneling and encryption for PPP packets. Common in older Windows clients; no longer recommended. |
L2TP | Combination of PPTP and L2F for tunneling PPP across network protocols. Designed for client-to-gateway and gateway-to-gateway secure connections. Does not provide encryption on its own; often used with IPSec. |
SSTP | Uses SSL/TLS to encapsulate packet with PPP header and then SSTP header. Packet and both headers are encrypted by SSL/TLS. Supported in current Windows operating systems. |
HMAC-Based One-Time Password
An algorithm that generates a one-time password using a hash-based message authentication code (HMAC) to ensure authenticity.
- OTPs are meant to replace or supplement insecure static passwords.
- Valid only for that session.
- Attacker who steals the OTP will be unable to use it after the user’s session.
- OTPs provide interoperability across hardware and software platforms.
- Most major mobile operating systems support HOTP.
Time-Based OTP
Adds to HOTP by introducing a time-based factor to OTP authentication.
HOTP is only invalidated after it is used to successfully authenticate.
- Allows an attacker to take advantage of the password if it is never used.
TOTP addresses this flaw by invalidating the password after a time.
- Attacker must steal password within time period.
- Difficult to carry out attack this quickly.
- Useful defense against authentication abuse.
Password Authentication Protocol
Password Authentication Protocol is an authentication protocol that sends user IDs and passwords as plaintext.
- Typically used when a remote client is connecting to a non-Windows server.
- Server receives user ID and password, then compares to a list of credentials.
- Allows remote access to resources if match is found.
- Lacks encryption and should be avoided.
Challenge-Handshake Authentication Protocol
Encrypted authentication protocol used to provide access control to remote access servers.
- Developed so passwords wouldn’t need to be sent in plaintext.
- Typically used to connect to non-Windows servers.
- Uses MD5 hashing and a challenge-response mechanism.
- Can accept connections from most authentication methods.
- Considered obsolete due to weaknesses of MD5.
NT LAN Manager
A challenge-response authentication protocol created by Microsoft and first released in early versions of Windows NT.
The NTLM process:
- Client establishes connection to server.
- Server responds with a challenge to establish the client's identity.
- Client responds to challenge with authentication information.
- Vulnerable to brute-force cracking attempts due to outdated encryption algorithms.
- Vulnerable to pass-the-hash attacks.
- Discouraged by Microsoft.
- Kerberos is preferred in Active Directory domains.
Authentication, Authorization, and Accounting
A security concept for a centralized platform that performs three separate identity-based tasks.
Tasks are:
- Verifying object identification (authentication).
- Ensuring object is assigned relevant permissions (authorization).
- Logging actions to create an audit trail (accounting).
AAA solutions are the gatekeepers that provide access to network services.
Remote Authentication Dial-In User Service
Remote Authentication Dial-In User Service is an Internet standard protocol that provides AAA services.
- You configure an access server as the RADIUS server.
- Other access servers are RADIUS clients.
- Clients pass authentication requests to server for verification.
- Centralizes user configuration, remote access policies, and usage logging.
Network access server is the general term for a remote access server used in RADIUS.
Terminal Access Controller Access-Control System (TACACS)
TACACS and TACACS+ are protocols that provide AAA services for remote users.
TACACS+ is more secure and scalable than RADIUS.
- Accepts login requests and authenticates user based on credentials.
- Encrypts all data in authentication transmissions, not just password.
- Separates authentication from authorization, instead of combining into one packet.
- Original TACACS and XTACACS are superseded by TACACS+.
- No native Windows support, but some solutions are available.
- Solutions also available for Linux systems.
Kerberos
An authentication service based on a time-sensitive ticket-granting system.
- Developed by MIT to use a single sign-on method of access.
- User credentials are passed to authentication server.
- Authentication server has an access list and allows access based on credentials.
- Centralized authentication server manages access to a variety of resources.
- Often used with Active Directory to authenticate users in a domain.
- Employs mutual authentication.
- Uses modern encryption standards to improve on NTLM and other protocols.
Account Management
The processes, functions, and policies used to effectively manage user accounts in an organization.
- Specific IAM function.
- Admins can create, update, modify, and delete accounts tied to identities.
- User accounts allow or deny access to information systems and resources.
- With proper controls in place, the organization can manage accounts.
Account Privileges
- User accounts are provided with permissions such as accessing files and services.
- Can be user-assigned for unique job functions/tasks.
Can also be group-based.
- Assigned to groups of users.
- Each user in group has the same permissions.
- Effective for grouping users by department (i.e., RBAC).
- Considered best practice.
- A user with unique privileges and who is also a member of a group will have both sets of privileges.
- Both should be well-documented in policy.
Account Types
Account Type | Description |
---|---|
User account | Standard account type for general users. Usually limited in privileges. Usually restricted from modifying sensitive data or systems. |
Privileged account | Greater access rights than standard user account. Admins need elevated privileges to fulfill duties. Usually reserved for IT personnel, but sometimes needed for users. |
Guest account | Provided to non-personnel who need limited access. No password or identifying information. Can't create, modify, or delete files. Example: Signing in public users at a kiosk or terminal. |
Computer and service account | Non-human entities also need accounts. Computers and services may need access to other computers and services. Example: Web server needs to retrieve data from a products database. |
Account Policy
A document that includes an organization's requirements for account creation, monitoring, and removal.
- Can include user-specific or group-based requirements.
- Details can vary and can be customized and enforced based on business needs.
- You need to research and analyze policy details.
Common policy statements:
- Account approval.
- Resource usage.
- Shared/multiple account usage.
- Account disablement/modification.
- Account expiration.
- Account prohibition.
- Password usage.
- Account lockout.
- Account recovery.
Password Policy
Password length:
- Protects against brute force cracking.
- Cracking time increases exponentially with every character.
- amsnp may take seconds to crack; amsnpcjnyk may take years.
Password complexity:
- Types of characters used and the formatting of those characters.
- Complex password may require special characters, numbers, and lower/uppercase letters.
- amsnpcjnyk becomes 4mSn!cjnyk; attacker must use more characters for each round.
Password history:
- Users must change passwords every so often.
- Creates a moving target for attackers.
- Remembering previous passwords prevents users from choosing the same passwords over and over.
Password re-use:
- Prevents person from using same password for multiple accounts.
- If one account is compromised, the others are at risk.
- Not fully enforceable on a technical level.
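To make the length and complexity claims concrete, the following added example (not course material) computes the search space for the page's own sample passwords and enforces length, complexity and history the way a policy engine would; history is kept as salted PBKDF2 hashes rather than plaintext. The policy thresholds and the guess rate are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed example, not from the course material. Policy values and the guess rate are
# assumptions chosen for illustration; the password strings are the page's own examples.
MIN_LENGTH = 10
MIN_CHARACTER_CLASSES = 3
HISTORY_DEPTH = 5
GUESSES_PER_SECOND = 1_000_000  # assumed attacker rate; only the relative scale matters

def character_classes(pw: str) -> dict:
    """Which character classes the password draws from, with each class's size."""
    classes = {}
    if any(c.islower() for c in pw): classes["lower"] = 26
    if any(c.isupper() for c in pw): classes["upper"] = 26
    if any(c.isdigit() for c in pw): classes["digit"] = 10
    if any(c in string.punctuation for c in pw): classes["symbol"] = len(string.punctuation)
    return classes

def keyspace(pw: str) -> int:
    """Size of the search space an exhaustive guess of this password's shape would face."""
    return sum(character_classes(pw).values()) ** len(pw)

def worst_case_seconds(pw: str) -> float:
    # Each extra character multiplies the keyspace by the alphabet size: exponential growth.
    return keyspace(pw) / GUESSES_PER_SECOND

class PasswordHistory:
    """Remembers the last `depth` passwords as salted PBKDF2 hashes, never plaintext."""
    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.entries = []  # (salt, hash) pairs, oldest first

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def seen(self, pw: str) -> bool:
        return any(hmac.compare_digest(self._hash(pw, s), h) for s, h in self.entries)

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, self._hash(pw, salt)))
        self.entries = self.entries[-self.depth:]  # drop entries older than the depth

def check_password(pw: str, history: PasswordHistory) -> list:
    """Return the policy rules the candidate violates (an empty list means accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"length {len(pw)} < {MIN_LENGTH}")
    if len(character_classes(pw)) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if history.seen(pw):
        problems.append(f"matches one of the last {history.depth} passwords")
    return problems
```

With the assumed rate, amsnp falls in seconds, amsnpcjnyk takes a few years and 4mSn!cjnyk takes orders of magnitude longer still; cross-account re-use cannot be checked here because the history only sees this system's passwords.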
Multiple Accounts
- A user has several accounts on the same system.
- Accounts differ by level of access and/or role.
Issues:
- Lack of user awareness of accounts.
- Assigning right level of access for each account.
- Managing privileges and data replication for each account.
Common use case for multiple accounts:
- Admins have an admin account and a standard user account.
- User account is for daily, non-privileged work.
- Admin account is for configuring systems and other accounts.
- The admin may need to switch between accounts quickly and easily.
- May be challenging to support account switching without disruption.
Shared Accounts
- Accessed by more than one user or resource.
- Not associated with an individual, but rather a role or purpose.
Examples:
- Guest or generic accounts.
- Temporary contractor accounts.
- Admin accounts for a group.
- Batch process accounts.
- Inherently risky, as it is difficult to hold individuals accountable.
- Users may become careless.
- Password changes may also be difficult to manage.
- If you use shared accounts, be discreet with access privileges.
Account Management Security Controls
Control | Description |
---|---|
Standard naming conventions | Reduce confusion by naming accounts consistently. Refrain from using nicknames or anonymous user names. |
Account maintenance | You will need to modify or remove accounts. Have a plan in place to avoid missing necessary changes. |
Onboarding/offboarding | New employees should have new accounts in a timely manner. Terminated employee accounts should be removed as soon as possible. |
Access re-certification | Perform regular permissions audits to uphold least privilege. Can help you identify what accounts need modification. |
Usage auditing | You should also monitor how accounts are used. Can help you spot malicious behavior. |
Group-based access control | Place users into groups for easier management. Helps you understand each user's job function. |
Location-based policies | Restrict physical and virtual locations from which users gain access. Can help mitigate remote attacks from unknown sources. |
Time-of-day restrictions | Attackers may gain access during off-hours to avoid detection. Restrict access to only when the employee is working. |
Credential Management
A credential manager is a tool that stores and organizes account credentials.
- Stores credentials in an encrypted database.
- User can retrieve credentials when needed.
- Credential managers can automatically fill in forms with usernames/passwords.
- Doesn’t protect against weak passwords being stolen.
- If database is password-protected, the master password must be secured.
- Use MFA with credential managers for best results.
Group Policy
Provides methods for managing account security across a Windows domain.
- Enforcing password length, complexity, age, etc.
- Enforcing account lockout thresholds/durations.
- Storing account passwords using encryption.
- Enforcing Kerberos logon restrictions and ticket lifetimes.
- Auditing account management events.
- Assigning specific rights to individual or group accounts.
Identity Federation
The practice of linking a single identity across multiple disparate identity management systems.
- Encompasses all policies and protocols that contribute to such an identity.
- Provides centralized management structure for identities.
- Streamlines user experience into a single account.
- Can create a single point of compromise.
SSO is a subset of federation:
- Eliminates need to sign in more than once.
- Not all federated identities use SSO.
Identity Federation Methods
Identity Federation Method | Description |
---|---|
SAML | XML-based framework for exchanging security-related information. Communicated in assertions over HTTPS. Conveys identity of subjects and authorization decisions. Clients request assertions from SAML authorities. |
OpenID | An authentication method for participating sites. User registers with OpenID system and signs into sites with a single account. Site verifies identity with OpenID. Used by companies like Google and Amazon. |
OAuth | Similar to OpenID but provides authorization instead of authentication. Authorization server grants access token to user on behalf of a resource. User presents token to resource, which determines access rights. Used by sites like Google, Twitter, and Facebook. |
Shibboleth | Based on SAML and often used by universities or public service organizations. User attempts to retrieve resources from Shibboleth-enabled site. Site sends SAML authentication info over URL queries. User goes through an identity provider to authenticate using this SAML info. |
Guidelines for Managing Accounts
- Uphold the principle of least privilege.
- Draft an account policy and include all necessary requirements.
- Verify that account request and approval procedures exist and are enforced.
- Verify that account modification procedures exist and are enforced.
- Draft a password policy and include strong password requirements.
- Limit the use of multiple and shared accounts.
- Implement account management controls like auditing and usage restrictions.
- Store user names and passwords in encrypted databases.
- Implement a group policy for wider access control.
- Consider implementing an identity federation system.
- Consider how a federated identity may be a single point of failure.
Access management as a CompTIA Security+ professional is a vital element of cybersecurity, protecting sensitive information from unauthorized access. By implementing strong authentication, authorization, and access control measures, organizations can reduce the risk of security breaches and data compromises.