
Managing Identity and Access

• Implement Identity and Access Management
• Configure Directory Services
• Configure Access Services
• Manage Accounts
Identity and Access Management

Identity management products are used to:

• Identify (the subject claims an identity, e.g. a user name)
• Authenticate (the subject proves that claim)
• Authorize (the system decides what the proven identity may do)

"IAM" is a very broad term that covers all three.


Access Control Models

Model                      Description
MAC                        • Compares the object's security designation (label) with the subject's clearance level.
                           • Clearance level must meet or exceed the designation to gain access.
DAC                        • Access to the object is controlled through ACLs.
                           • The owner can set permissions.
RBAC                       • Subjects are assigned predefined roles.
                           • A subject must be in a certain role to access the object.
Rule-based access control  • Based on operational rules or restrictions.
                           • Restricting access based on time of day is an example.
Mandatory Access Control

The owner of the object cannot grant access!

Under MAC the operating system makes the decision, based on a security label system.

Users (subjects) and data (objects) are given clearance/classification labels:

• Confidential
• Secret
• Top Secret, etc.
Mandatory Access Control

• Subjects and objects are both assigned labels.
• Access is granted when the subject's label dominates (meets or exceeds) the object's label, not only when the two match exactly.
• Categories (compartments) can be defined by the organization; the subject must also hold every category attached to the object.
• SELinux (Security-Enhanced Linux)
  • Implements the MAC model in the Linux kernel (type enforcement and, optionally, multi-level security labels).
  • Confines each process to its policy, which limits what malicious or compromised code can reach even after it executes.
Mandatory Access Control (MAC)

MAC is used where classification and confidentiality are of the utmost importance, e.g. the military.

MAC has to be built into the operating system, so you generally need a system designed for it (a trusted OS, or Linux with SELinux enabled). A plain DAC system cannot enforce MAC.
Role Based Access Control

• Uses roles (often implemented as groups).
• Grants access by placing users into roles based on their assigned jobs, functions, or tasks.
• Resources are identified as objects: files, folders, shares.

Discretionary Access Control

• Specifies that every object has an owner.
• The owner has full, explicit control of the object and can assign permissions.
• Microsoft's NTFS uses the DAC model.
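The four models in the table above, as an added example written for this page (not code from the course or from any product it names). The clearance lattice, the role-to-permission map and the business-hours rule are constructed assumptions; what the example shows is the decision each model makes and who is allowed to change it (nobody but the OS for MAC, only the owner for DAC, the administrator who edits roles for RBAC, the rule itself for rule-based).

```python
# Constructed MAC lattice: higher number = more sensitive. A subject's clearance must
# DOMINATE the object's label: level >= object level AND categories are a superset.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_allows(subject_clearance, subject_categories, object_label, object_categories):
    """MAC: the OS decides from labels; neither the owner nor the subject can override."""
    return (LEVELS[subject_clearance] >= LEVELS[object_label]
            and set(object_categories) <= set(subject_categories))


class DacObject:
    """DAC: every object has an owner, and only the owner may change its ACL."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, granter, subject, permission):
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this object")
        self.acl.setdefault(subject, set()).add(permission)

    def allows(self, subject, permission):
        return permission in self.acl.get(subject, set())


# RBAC: permissions hang off roles, users are placed in roles (constructed role map).
ROLE_PERMISSIONS = {
    "sales": {"crm:read"},
    "it": {"crm:read", "crm:admin", "vpn:connect"},
}


def rbac_allows(user_roles, permission):
    """RBAC: the user gets exactly the union of the permissions of the roles they hold."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)


def rule_allows(hour, start=8, end=18):
    """Rule-based: an operational restriction (here business hours, 24h clock) checked per request."""
    return start <= hour < end


def authorize(user, permission, hour):
    """Models compose: the RBAC grant only counts while the time-of-day rule also holds."""
    return rbac_allows(user["roles"], permission) and rule_allows(hour)
```

The `authorize` function shows why the models are not alternatives: a production system usually layers a rule-based check (time, location) on top of whichever model assigns the underlying permission.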
Physical Access Control Devices

• Many organizations can't rely solely on software-based access control.
• They often add physical tokens such as smart cards and proximity cards.
Smart Cards

Smart cards are credit card-sized cards that have an embedded microchip and a certificate (the matching private key stays on the chip and cannot be exported).

Users insert the smart card into a smart card reader, similar to how someone would insert a credit card into a credit card reader.

The smart card reader reads the information on the card, including the details from the certificate on the card.
HOTP
HMAC-Based One-Time Password

• One-time password: the code is computed from a shared secret and a counter that advances with every use.
• A code remains valid until it is used.
• Once used, the same code is rejected, so an attacker who captures a code after the user's session cannot replay it. (A captured code that the user has not yet used is still live until it is consumed.)

TOTP
Time-Based OTP

• Uses a timestamp instead of a counter.
• The password is only valid for a period of time, usually 30 seconds, after which it expires on its own.
Biometric Devices

• Fingerprint scanners
  • Capture a live image of the person's fingerprint.
  • Virtually unique to each individual, so reasonably accurate.
• Voice recognition
  • Uses voice acoustic features.
• Retinal scanners
  • Scan the blood vessels in the retina portion of the eye.
  • Blood vessels are complex and don't change except from disease or injury.
  • Invasive, as it requires the device to be very close to the eye.
• Iris scanners
  • Scan the entire iris of a person's eye.
  • Capture a near-infrared image from a comfortable distance (pictures can be taken 3 to 10 inches away).
  • The iris is less likely to be affected by disease.
• Facial recognition
  • Takes a digital image of the entire face.
  • Identifies unique features like the distance between the eyes, nose length and width, etc.
  • Prone to error due to changes in lighting, hair, makeup, etc.
Biometric Errors

False Rejection
When a biometric system incorrectly rejects an authorized user.

False Rejection Rate (FRR)
Identifies the percentage of times false rejections occur.

False Acceptance Rate (FAR)
Identifies the percentage of times an unauthorized user is incorrectly accepted (a false positive).

Crossover Error Rate (CER)
Percentage that represents the point at which the false rejection rate equals the false acceptance rate.

• Use CER to compare vendors' products objectively.
• A lower CER provides more assurance (3 is better than 4).
• Tightening the match threshold lowers FAR but raises FRR; loosening it does the opposite, so the two can only be traded against each other, which is why the crossover point is the fair comparison.

(Figure: CER chart, FAR and FRR plotted against sensitivity with the crossover point marked.)
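How the crossover point is actually found, as an added example for this page (not the course's material). The genuine and impostor match scores are constructed; a real evaluation would use the scores a device reports for enrolled users and for other people. The code sweeps every observed score as a candidate threshold, computes FRR and FAR at each, and reports the threshold where they cross, then ranks vendors by that CER as the slide recommends.

```python
# Constructed match scores in [0, 1]; higher = more similar to the enrolled template.
GENUINE_SCORES = [0.9, 0.85, 0.8, 0.75, 0.7, 0.65, 0.6, 0.55, 0.5, 0.4]    # real users
IMPOSTOR_SCORES = [0.1, 0.2, 0.3, 0.35, 0.4, 0.45, 0.5, 0.55, 0.6, 0.7]    # other people


def error_rates(genuine, impostor, threshold):
    """Accept when score >= threshold.
    FRR = fraction of genuine attempts rejected; FAR = fraction of impostor attempts accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return (threshold, CER)
    where |FRR - FAR| is smallest; CER is their mean at that point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


def compare_vendors(vendor_scores):
    """vendor name -> (genuine scores, impostor scores). Returns (best vendor, CER per vendor)."""
    cers = {name: crossover_error_rate(g, i)[1] for name, (g, i) in vendor_scores.items()}
    return min(cers, key=cers.get), cers
```

With the constructed data the sample device crosses over at a threshold of 0.55 with a CER of 25%; a device whose genuine and impostor scores never overlap reaches a CER of 0.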
Common Access Card (CAC)

Specialized type of smart card used by the U.S. Department of Defense.

In addition to including the capabilities of a smart card, it also includes a picture of the user and other readable information.

Users can use the CAC as a form of photo identification to gain access into a secure location.

Personal Identity Verification (PIV)

A Personal Identity Verification (PIV) card is a specialized type of smart card used by U.S. federal agencies. It also includes photo identification.
Directory Services

• Can include:
  • Users
  • Groups
  • Servers
  • Clients
  • Printers
  • Network services
Directory Services

(Figure: example directory hierarchy for the company Develetech. Regions: US, EU. Departments: Sales, Marketing, R&D, IT. Users: John, Alyssa, Marcus, Gloria, Mary, Jeremy, Francis. Computers: Website, CRM Server, Workstation, VPN Server.)
Common Directory Services

Directory Service                                   Description
Active Directory                                    • Directory service by Microsoft.
Oracle Directory Server Enterprise Edition (ODSEE)  • Free, but paid support is available.
                                                    • Formerly known as Sun Java System Directory Server.
OpenDJ                                              • Open source cross-platform directory service written in Java.
                                                    • Based on Sun's OpenDS service.
OpenLDAP                                            • Open source cross-platform LDAP implementation.
                                                    • Included in many Linux distros.
Open Directory                                      • Apple's custom implementation of OpenLDAP.
                                                    • Available for macOS Server.
                                                    • Some compatibility with Active Directory.
LDAP
Lightweight Directory Access Protocol

Specifies the formats and methods used to query directories.

A directory is a database of objects that provides a central point to manage users, computers, and other objects.

LDAP Secure (LDAPS)

• LDAPS encrypts LDAP transmissions with TLS (originally SSL), normally on TCP port 636; plain LDAP on TCP 389 can also be upgraded in-session with StartTLS.
• Without one of these, a simple bind sends the user's password in the clear.
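The query "formats" LDAP specifies are the search filter (RFC 4515) and the distinguished name (RFC 4514), and both have characters that change the meaning of a query if user input is dropped in unescaped. This added example (not from the course) shows the escaping rules for each, with a naive lookup beside its hardened form; the `inetOrgPerson` object class is standard, while the Develetech base DN is an assumption borrowed from the figure above.

```python
def ldap_filter_escape(value: str) -> str:
    """RFC 4515: escape the characters that would otherwise be read as filter syntax."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def ldap_dn_escape(value: str) -> str:
    """RFC 4514: escape an attribute value for use inside a DN (e.g. the DN passed to a bind)."""
    out = "".join("\\" + ch if ch in '"+,;<>\\' else ch for ch in value)
    if out.startswith(("#", " ")):      # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):               # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def user_lookup_filter_unsafe(uid: str) -> str:
    """What not to do: raw interpolation lets the caller rewrite the filter.
    The input '*)(uid=*' turns it into a filter that matches every person."""
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def user_lookup_filter(uid: str) -> str:
    """Hardened form: the same filter with the untrusted value escaped."""
    return f"(&(objectClass=inetOrgPerson)(uid={ldap_filter_escape(uid)}))"


def user_dn(uid: str, base: str = "ou=people,dc=develetech,dc=com") -> str:
    """Bind DN for a user (assumed base DN), with the RDN value escaped."""
    return f"uid={ldap_dn_escape(uid)},{base}"
```

Most LDAP client libraries expose equivalent helpers; the point of writing them out is to see that the naive filter stays syntactically valid after injection, so the directory will happily answer it.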
Remote Access Methods

• A Remote Access Server (RAS) can provide access control to all or part of a network.
Tunneling

• Technique in which a data packet is put inside another packet.
• Tunneling conceals the information of the inside packet from the carrier network (only if the tunnel also encrypts it; encapsulation alone just wraps it).
• Used in remote access protocols, typically in VPNs.

(Figure: carrier protocol header wrapping the encapsulating packet, which in turn wraps the original packet.)
Remote Access Protocols

Protocol  Description
PPP       • Legacy standard for sending packets over phone lines.
          • Commonly used for dial-up Internet access.
PPTP      • Microsoft VPN protocol.
          • Provides tunneling and encryption (MPPE) for PPP packets.
          • Common in older Windows clients; no longer recommended (its MS-CHAPv2 authentication is broken).
L2TP      • VPN protocol.
          • Does not provide encryption on its own; usually paired with IPSec (L2TP/IPSec).
SSTP      • Uses SSL/TLS to encapsulate packets (TCP 443, so it passes most firewalls).
          • Supported in current Windows operating systems.
Password Authentication Protocol (PAP)

• Sends user names and passwords as clear text.
• Lacks encryption and should be avoided.

Challenge-Handshake Authentication Protocol (CHAP)

• Developed so passwords wouldn't need to be sent in plaintext.
• Challenge-response mechanism: the response is an MD5 hash of the packet identifier, the shared secret and a random challenge from the server.
• Typically used to connect non-Windows servers (Microsoft's variants are MS-CHAP and MS-CHAPv2).
• Considered obsolete because of the weaknesses of MD5, and because a captured challenge/response pair lets an attacker guess the secret offline.
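Both exchanges side by side, as an added example not taken from the course. The PAP payload carries the password verbatim; the CHAP side computes the RFC 1994 response MD5(identifier || secret || challenge) on both ends, consumes each challenge once, and the final function shows why that is no longer considered adequate: with the captured challenge and response an attacker can test candidate secrets offline. Names, secrets and the wordlist are constructed.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(name: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: both fields go on the wire exactly as typed."""
    return bytes([len(name)]) + name + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. It must hold each secret in recoverable form (a CHAP design limitation)."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # name -> shared secret
        self.identifier = 0
        self.outstanding = {}           # identifier -> challenge, consumed on first use

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)           # unpredictable and never repeated
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # each challenge is answered once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def run_chap(server: ChapAuthenticator, name: bytes, secret: bytes):
    """Full exchange; returns (success, everything an eavesdropper on the link saw)."""
    ident, chal = server.challenge()                 # Challenge packet
    resp = chap_response(ident, secret, chal)        # peer computes locally; secret never sent
    ok = server.verify(ident, name, resp)            # Success / Failure packet
    return ok, bytes([ident]) + chal + resp + name


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Why MD5 CHAP is obsolete: one captured exchange lets the secret be guessed offline."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None
```

The eavesdropper's view returned by `run_chap` contains the user name and the hash but never the secret, which is the improvement over PAP; the last function is the reason that improvement is not enough on its own.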
NT LAN Manager (NTLM)

• Authentication protocol created by Microsoft and first released in early versions of Windows NT.
• Weak due to outdated cryptography: NTLMv1 uses a DES-based challenge-response, and the NTLM password hash itself is sufficient to authenticate, which enables pass-the-hash and relay attacks.
• Discouraged by Microsoft.
• Kerberos is preferred in Active Directory domains.
Authentication, Authorization, and Accounting (AAA)

• Tasks are:
  • Authentication
  • Authorization
  • Accounting: logging actions to create an audit trail
Remote Authentication Dial-In User Service (RADIUS)

• RADIUS is both a protocol and a server.
• Provides AAA services.
• Clients forward authentication requests to the RADIUS server for verification.
• Network Access Server (NAS): the general term for a remote access server used in RADIUS; the NAS is the RADIUS client.

(Figure: users connecting to a NAS, which forwards their authentication requests to the RADIUS server.)
RADIUS

• Initially developed to authenticate modem users.
• Can use multiple authentication types (PAP, CHAP, EAP).
• Uses UDP port 1812 for authentication and 1813 for accounting (older deployments use 1645/1646).
• The access server notifies the RADIUS server on disconnect (for accounting).

RADIUS Pros/Cons

RADIUS Pros
• It's been around a long time.
• A lot of vendor support.

RADIUS Cons
• Only the User-Password attribute is obfuscated (MD5 of the shared secret and request authenticator); user names and every other attribute travel in clear text.
• Authentication and authorization are combined in a single exchange.
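What "only encrypts passwords" means on the wire, as an added example written for this page (not code from any RADIUS implementation). It builds an Access-Request as RFC 2865 lays it out and hides the User-Password attribute with the RFC 2865 section 5.2 scheme: pad to 16-byte blocks, then XOR each block with MD5(shared secret || previous block), seeded with the random Request Authenticator. Everything else in the packet, including User-Name, is left as-is. The user name, password and shared secret are constructed.

```python
import hashlib
import os

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD = 1, 2   # RADIUS attribute type codes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; mask block i with MD5(secret || c[i-1]),
    where c[-1] is the Request Authenticator. Same password, new authenticator, new ciphertext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    """NAS -> server. Code, identifier, length, authenticator and User-Name are all plaintext;
    only User-Password is obfuscated."""
    authenticator = os.urandom(16)
    attrs = b"".join(bytes([t, 2 + len(v)]) + v for t, v in (
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, authenticator)),
    ))
    length = 20 + len(attrs)
    return bytes([ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big") + authenticator + attrs


def parse_radius(packet: bytes) -> dict:
    """Minimal decoder: header fields plus a {type: value} map of the attributes."""
    length = int.from_bytes(packet[2:4], "big")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return {"code": packet[0], "id": packet[1], "authenticator": packet[4:20], "attrs": attrs}


def server_recover_password(packet: bytes, secret: bytes) -> bytes:
    """Server side: reverse the masking using its copy of the shared secret."""
    p = parse_radius(packet)
    return unhide_password(p["attrs"][USER_PASSWORD], secret, p["authenticator"])
```

The masking is keyed only by the shared secret, so anyone who learns that secret (or can guess a weak one from captured traffic) recovers every password; this is why RADIUS should run over a dedicated management network or inside IPsec or RadSec (RADIUS over TLS).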
TACACS+

• Provides the same functionality as RADIUS.
• TACACS+ uses TCP port 49.
• TACACS+ can support one-time passwords.
• Encrypts the entire packet body, not just the password (only the 12-byte header is in the clear).
• TACACS+ separates each AAA function.
  • For example, you can use AD for authentication and an SQL server for accounting.
Kerberos

• Authentication protocol designed by MIT.
• Used in Windows 2000+ and some Unix systems.
• Allows for single sign-on (SSO).
• Never transfers passwords: the client proves it holds the key derived from its password by decrypting what the KDC sends it.
• Uses symmetric key encryption to verify identities.
• Timestamps inside authenticators help avoid replay attacks (which is why clocks must stay within the permitted skew, 5 minutes by default).

Kerberos Components

• Principals: users or network services.
• KDC (Key Distribution Center): stores the long-term secret key of every principal (derived from its password).
• Tickets
  • Ticket Granting Ticket (TGT): gets you more tickets.
  • Service Tickets: access to specific network services (e.g. file sharing).
• Realm: a grouping of principals that a KDC provides service for; looks like a domain name (typically the DNS domain in upper case).
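The AS and TGS exchanges between the components listed above, as an added example written for this page (not the MIT or Microsoft implementation). Real Kerberos uses AES-based encryption types and ASN.1 messages; here `seal`/`unseal` is a toy authenticated-encryption stand-in (HMAC-SHA256 keystream plus tag) so the protocol logic can run offline, and the key derivation, lifetimes and 5-minute skew are assumed values. The flow shows the three properties the slides claim: the password never leaves the client, every ticket is sealed under a key its intended reader holds, and a replayed authenticator is rejected.

```python
import hashlib
import hmac
import json
import os


def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key derived from the principal's password (stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption standing in for a real Kerberos enctype."""
    nonce, pt = os.urandom(16), json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service + Ticket Granting Service for one realm."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm + p) for p, pw in principals.items()}  # keys, not passwords
        self.krbtgt_key = os.urandom(32)     # TGTs are sealed under this; only the KDC can open them
        self.replay_cache = set()            # (client, timestamp) of authenticators already accepted

    def as_exchange(self, client: str, now: int) -> bytes:
        """AS-REQ/AS-REP. Without pre-authentication anyone can request this reply; only the holder
        of the client's key can open it (guessing it offline is what 'AS-REP roasting' does)."""
        if client not in self.keys:
            raise ValueError("unknown principal")
        session_key = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"client": client, "sk": session_key.hex(), "exp": now + 36000})
        return seal(self.keys[client], {"sk": session_key.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS-REQ/TGS-REP: check the TGT and the timestamped authenticator, issue a service ticket."""
        t = unseal(self.krbtgt_key, tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)     # proves possession of the session key
        if a["client"] != t["client"] or abs(now - a["ts"]) > 300:
            raise ValueError("authenticator does not match TGT or is outside clock skew")
        if (a["client"], a["ts"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["client"], a["ts"]))
        if service not in self.keys:
            raise ValueError("unknown service")
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "ssk": ssk.hex(), "exp": now + 36000})
        return seal(bytes.fromhex(t["sk"]), {"ssk": ssk.hex(), "ticket": ticket.hex()})


class Client:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.kdc = name, kdc
        self.key = string_to_key(password, kdc.realm + name)   # derived locally; password never sent

    def login(self, now: int):
        rep = unseal(self.key, self.kdc.as_exchange(self.name, now))   # ValueError if password is wrong
        self.session_key, self.tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])

    def get_service_ticket(self, service: str, now: int):
        authenticator = seal(self.session_key, {"client": self.name, "ts": now})
        rep = unseal(self.session_key, self.kdc.tgs_exchange(self.tgt, authenticator, service, now))
        return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["ssk"])


def service_accepts(service_key: bytes, ticket: bytes, now: int):
    """AP-REQ check on the service side: the client principal named in the ticket, or None."""
    try:
        t = unseal(service_key, ticket)
    except ValueError:
        return None
    return t["client"] if now <= t["exp"] else None
```

Note what each party can and cannot open: the client never sees inside the TGT (sealed under the krbtgt key), the KDC never sees the password, and the service only ever needs its own key. That is also why compromise of the krbtgt key is catastrophic: it lets an attacker forge TGTs for anyone.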
Account Management

The processes, functions, and policies used to effectively manage user accounts in an organization.
Account Privileges

• User accounts are provided with permissions such as accessing files and services.
• Can be user-assigned for unique job functions/tasks.
• Can also be group-based.
• A user with unique privileges who is also a member of a group will have both sets of privileges, so review both when auditing effective access.
Account Types

Account Type                   Description
Standard user accounts         • General users.
                               • Usually limited in privileges.
                               • Usually restricted from modifying sensitive data or systems.
Privileged accounts            • Admins need elevated privileges to fulfill duties.
                               • Usually reserved for IT personnel, but sometimes needed for users.
Guest accounts                 • Provided to non-employees who need limited access.
                               • Can't create, modify, or delete files.
                               • Example: sign in public users at a kiosk or terminal.
Computer and service accounts  • Computers and services may need access to other computers and may need accounts.
                               • Example: a web server needs to retrieve data from a products database.
Account Policy
• Document that includes an organization's requirements for
account creation, monitoring, and removal.

• Common policy statements:


• Account approval.
• Resource usage.
• Shared/multiple account usage.
• Account disablement/modification.
• Account expiration.
• Account prohibition.
• Password usage.
• Account lockout.
• Account recovery.
Password Policy

• Password length
  • Protects against brute force cracking.
  • Cracking time increases exponentially with every character (multiplied by the size of the character set each time).
• Password complexity
  • Types of characters used and the formatting of those characters.
  • A complex password may require special characters, numbers, and lower/uppercase letters.
Password Policy

• Password age (expiration)
  • Users must change passwords every so often.
  • Creates a "moving target" for attackers.
  • Caveat: current NIST guidance (SP 800-63B) recommends forcing a change only on evidence of compromise, because routine expiry pushes users toward predictable variations of the old password.
• Password history
  • Remembering the hashes of previous passwords forces users not to choose the same passwords over and over.
• Password reuse
  • Prevents a person from using the same password for multiple accounts.
  • If one account is compromised, the others are at risk.
  • Not fully enforceable on a technical level.
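The length, complexity, history and lockout rules from the two slides above enforced in one place, as an added example written for this page (not the course's or any product's code). The thresholds (12 characters, 3 character classes, 5 remembered passwords, 5 failures, 15-minute lockout) are assumed values; the point is how history is checked without storing old passwords in the clear, and how a lockout rejects even the correct password until the window ends.

```python
import hashlib
import hmac
import os
import string


class PasswordPolicy:
    """Length, complexity, history and lockout enforcement for one system (constructed example)."""

    def __init__(self, min_length=12, classes_required=3, history_depth=5,
                 max_failures=5, lockout_seconds=900):
        self.min_length, self.classes_required = min_length, classes_required
        self.history_depth = history_depth
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.history = {}    # user -> [(salt, hash), ...] newest first; index 0 is the live password
        self.failures = {}   # user -> [consecutive failures, locked_until]

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def violations(self, password: str) -> list:
        """Length and character-class checks; returns the rules that failed (empty = OK)."""
        classes = [
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(c in string.punctuation for c in password),
        ]
        found = []
        if len(password) < self.min_length:
            found.append(f"length < {self.min_length}")
        if sum(classes) < self.classes_required:
            found.append(f"fewer than {self.classes_required} character classes")
        return found

    def set_password(self, user: str, password: str):
        problems = self.violations(password)
        # History: each remembered entry keeps its own salt, so the candidate is hashed per entry.
        if any(hmac.compare_digest(self._hash(password, s), h) for s, h in self.history.get(user, [])):
            problems.append(f"matches one of the last {self.history_depth} passwords")
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        entries = [(salt, self._hash(password, salt))] + self.history.get(user, [])
        self.history[user] = entries[:self.history_depth]

    def verify(self, user: str, password: str, now: float) -> bool:
        """Lockout: after max_failures wrong attempts, reject everything until the window ends."""
        count, locked_until = self.failures.get(user, [0, 0])
        if now < locked_until:
            return False
        current = self.history.get(user)
        if current and hmac.compare_digest(self._hash(password, current[0][0]), current[0][1]):
            self.failures[user] = [0, 0]
            return True
        count += 1
        locked_until = now + self.lockout_seconds if count >= self.max_failures else 0
        self.failures[user] = [0 if locked_until else count, locked_until]
        return False
```

The lockout counter is what turns the "cracking time increases with length" argument into a real bound for online guessing; offline guessing against a stolen hash is limited only by the PBKDF2 cost, which is why the iteration count matters.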
Multiple Accounts
• User can have several accounts on the same system.

• Common use case for multiple accounts:

• Admins have an admin account and a standard user account.

• User account is for daily, non-privileged work.

• Admin account is for configuring systems and other accounts.

Shared Accounts

• One account used by more than one user.
• Examples:
  • Guest or generic accounts.
  • Temporary contractor accounts.
  • Admin accounts for a group.
• Inherently risky, as it is difficult to hold individuals accountable.
• Password changes may also be difficult to manage (every holder must learn the new password, and it must be changed whenever any holder leaves).
• If you must use shared accounts, keep their privileges to the minimum necessary and log their use.
Account Management Security Controls

Control                      Description
Standard naming conventions  • Reduce confusion by naming accounts consistently.
                             • Refrain from using nicknames or anonymous user names.
Account maintenance          • You will need to modify or remove accounts.
                             • Have a plan in place to avoid missing necessary changes.
Onboarding/offboarding       • New employees should have new accounts in a timely manner.
                             • Terminated employees' accounts should be disabled immediately and removed as soon as possible.
Access recertification       • Perform regular permissions audits to uphold least privilege.
                             • Can help you identify what accounts need modification.
Usage auditing               • You should also monitor how accounts are used.
                             • Can help you spot malicious behavior.
Group-based access control   • Place users into groups for easier management.
                             • Helps you understand each user's job function.
Location-based policies      • Restrict physical and virtual locations from which users gain access.
                             • Can help mitigate remote attacks from unknown sources.
Time-of-day restrictions     • Attackers may gain access during off-hours to avoid detection.
                             • Restrict access to only when the employee is working.
Group Policy

• Used for managing account security in a Windows Active Directory domain:
  • Enforcing password length, complexity, age, etc.
  • Enforcing account lockout thresholds/durations.
  • Controlling how account passwords are stored (the "Store passwords using reversible encryption" setting should stay disabled; it exists only for legacy protocols and lets anyone who obtains the directory database recover plaintext passwords).
  • Auditing account management events.
  • Assigning specific rights to individual or group accounts.
Federation

A single user identity is created for a user and shared with all of the organizations in a federation.

Federated identity management applies SSO at a much wider scale, ranging from cross-organization to Internet scale.
Identity Federation Methods

Identity Federation Method  Description
SAML        • XML-based framework for exchanging security-related information (assertions).
OpenID      • An authentication method for participating sites.
            • The site verifies identity with an OpenID provider.
            • Used by companies like Google and Amazon.
OAuth       • Similar to OpenID, but provides authorization instead of authentication.
            • The user presents a token to the resource, which determines access rights from the token's scopes.
            • Used by sites like Google, Twitter, and Facebook.
Shibboleth  • Based on SAML and often used by universities or public service organizations.
            • The user attempts to retrieve resources from a Shibboleth-enabled site.
            • The site sends a SAML authentication request through the user's browser (redirect with URL query parameters).
            • The user authenticates at an identity provider, which returns a SAML assertion to the site.
Security Assertion Markup Language (SAML)

XML-based language that is commonly used to exchange authentication and authorization (AA) information between federated organizations.

It is often used to provide SSO capabilities for browser access.
OpenID

OpenID is an open standard for user authentication by third parties.

It is a lot like SAML, except that the users' credentials are maintained not by their company but by a third party such as Google or Microsoft. (The current version, OpenID Connect, is an identity layer built on top of OAuth 2.0.)

The main draw of OpenID is that it frees website developers from the need to implement secure authentication mechanisms for their sites.

Instead, they can leverage one of the big companies that already do this well.
OAuth

OAuth is an open standard for authorization (not authentication) to third parties.

The general idea is that this lets you authorize a website to use something that you control at a different website.

For instance, if you have a LinkedIn account, the system might ask you to let it have access to your Google contacts in order to find your friends who already have accounts on LinkedIn. If you agree, you will next see a pop-up from Google asking whether you want to authorize LinkedIn to manage your contacts.