CompTIA Security+ Chapter 2
Authentication
AAA (Authentication, authorization, and accounting)
accounting - track user activity in logs
Types / Factors
Something you know
Shared secret: password, PIN
Password Complexity
Training Users About Password Behaviors
Password Expiration
Password Recovery
Password History and Password Reuse
Group Policy - Windows GPO
Using a Password Policy - specifying complexity, expiration time, etc.
Implementing Account Lockout Policies - how many failed attempts before lockout
Changing Default Passwords
Something you have
Smart Cards
embedded certificate
PKI
CACs and PIVs
Common Access Card - has photo ID, government
Personal Identity Verification - federal agencies
Tokens or Key Fobs
Hardware: LCD displays a number that changes periodically and stays in sync with the server
Online: Steam verification token.
HOTP and TOTP (one-time password)
Something you are
Biometric Methods - strongest form of authentication
fingerprint scanner
retina scanner
iris scanner
voice
facial
Biometric Errors
False acceptance
False rejection
Something you do
gestures on an image
keystroke dynamics
Somewhere you are
geolocation: IP address
Dual-Factor and Multifactor Authentication
Authentication Services
Kerberos
New Technology LAN Manager (NTLM)
Lightweight Directory Access Protocol (LDAP)
Single sign-on (SSO)
Transitive Trusts - trust by association
Security Assertion Markup Language (SAML)
is authentication, but can also be combined with authorization
Federation - logins across non-homogeneous systems (different OSs / organizations)
OAuth and OpenID Connect
Managing Accounts
Least Privilege - includes both rights (system control) and permissions (data access/modification)
Need to Know - focused on data and information
Account Types
End user accounts
Privileged accounts
Guest accounts
Service accounts
Require Administrators to Use Two Accounts
one regular end user account and another with admin privileges
Standard Naming Convention
Prohibiting Shared and Generic Accounts
Policies
Disablement Policies
Time-of-Day Restrictions
Location-Based Policies
Expiring Accounts and Recertification - good for temp contractors
Account Maintenance - use scripts to remove unused accounts etc.
Credential Manager - tool to store creds
Access Control Models
Role-based access control (role-BAC)
Using Roles Based on Jobs and Functions - Microsoft Project Server
Establishing access with 'groups' as roles instead of granting access to individual users
Rule-based access control (rule-BAC)
router or firewall rules; IPSs
Discretionary access control (DAC)
every object has an owner, owner establishes access
Every object includes a discretionary access control list (DACL)
DACL is a list of Access Control Entries (ACEs).
ACEs contain security identifiers (SIDs) and permissions granted
Mandatory access control (MAC)
both subjects and objects have labels, a match gives access
Attribute-based access control (ABAC)
uses attributes that identify both subjects and objects, and grants access when a policy identifies a match.
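To make the five access control models above concrete side by side, here is an added Python example that is not part of the mind map or the course material. Each model is reduced to one small decision function: role-BAC looks permissions up through roles, rule-BAC walks an ordered firewall-style rule list with first match and implicit deny, DAC evaluates a DACL as an ordered list of ACEs (deny ACEs first, as in Windows canonical order), MAC compares subject and object labels, and ABAC evaluates a policy over subject and object attributes. The role table, rule list, SIDs of the form `S-1-5-21-EXAMPLE-…`, the label ordering, and the ABAC policy are all constructed for the example; the MAC rule shown (read allowed when the clearance is at or above the object label) is the usual dominance reading of "a match gives access".

```python
import ipaddress
from dataclasses import dataclass

# --- Role-BAC: permissions attach to roles (groups); users are placed in roles.
ROLE_PERMS = {  # constructed role table
    "helpdesk": {"reset_password"},
    "dba": {"read_db", "write_db"},
}


def rbac_allowed(user_roles, perm):
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)


# --- Rule-BAC: an ordered rule list like a firewall ACL; first match wins and
# traffic matching no rule is implicitly denied.
FW_RULES = [  # constructed rules: (source CIDR, destination port, action)
    ("10.0.0.0/8", 22, "allow"),   # SSH only from the internal range
    ("0.0.0.0/0", 22, "deny"),
    ("0.0.0.0/0", 443, "allow"),   # HTTPS from anywhere
]


def rule_allowed(src_ip, dst_port):
    ip = ipaddress.ip_address(src_ip)
    for cidr, port, action in FW_RULES:
        if ip in ipaddress.ip_network(cidr) and port == dst_port:
            return action == "allow"
    return False


# --- DAC: every object has an owner and a DACL; the DACL is a list of ACEs and
# each ACE names a SID plus the permissions it allows or denies. The first ACE
# matching one of the subject's SIDs and the requested permission decides, so
# deny ACEs are listed before allow ACEs (canonical order).
@dataclass
class ACE:
    sid: str
    allow: bool
    perms: frozenset


USER_SID = "S-1-5-21-EXAMPLE-1001"    # constructed SID for the user
GROUP_SID = "S-1-5-21-EXAMPLE-513"    # constructed SID for a group the user is in
EXAMPLE_DACL = [
    ACE(USER_SID, allow=False, perms=frozenset({"write"})),          # explicit deny
    ACE(GROUP_SID, allow=True, perms=frozenset({"read", "write"})),  # group allow
]


def dac_allowed(dacl, subject_sids, perm):
    for ace in dacl:
        if ace.sid in subject_sids and perm in ace.perms:
            return ace.allow
    return False  # no ACE grants it: implicit deny


# --- MAC: subject clearance vs. object classification label.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_read_allowed(subject_clearance, object_label):
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# --- ABAC: a policy of rules over subject attributes, object attributes and action.
ABAC_POLICY = [  # constructed policy
    lambda s, o, a: a == "read" and s["department"] == o["department"],
    lambda s, o, a: a == "write" and s["department"] == o["department"]
                    and s["title"] == "manager",
]


def abac_allowed(subject, obj, action, policy=ABAC_POLICY):
    return any(rule(subject, obj, action) for rule in policy)


if __name__ == "__main__":
    print("role-BAC helpdesk reset_password:", rbac_allowed(["helpdesk"], "reset_password"))
    print("rule-BAC SSH from 203.0.113.5:", rule_allowed("203.0.113.5", 22))
    print("DAC user write (deny ACE first):", dac_allowed(EXAMPLE_DACL, {USER_SID, GROUP_SID}, "write"))
    print("MAC secret reads confidential:", mac_read_allowed("secret", "confidential"))
    manager = {"department": "finance", "title": "manager"}
    print("ABAC manager writes finance doc:", abac_allowed(manager, {"department": "finance"}, "write"))
```

The DAC branch is the one worth running twice: with the deny ACE listed first the user's own write is refused even though a group ACE later in the list would allow it, which is exactly why tools that edit DACLs re-sort them into canonical order.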