Managing User Security

Slides:



Advertisements
Similar presentations
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Advertisements

Chapter Five Users, Groups, Profiles, and Policies.
Access Control Chapter 3 Part 3 Pages 209 to 227.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Security+ Guide to Network Security Fundamentals, Fourth Edition
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Chapter 4 Chapter 4: Planning the Active Directory and Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Chapter 4 Introduction to Active Directory and Account Management
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Understanding Active Directory
A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.
Dr. John P. Abraham Professor UTPA.  Particularly attacks university computers  Primarily originating from Korea, China, India, Japan, Iran and Taiwan.
OV Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.
(ITI310) SESSIONS : Active Directory By Eng. BASSEM ALSAID.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Hands-On Microsoft Windows Server 2008 Chapter 5 Configuring, Managing, and Troubleshooting Resource Access.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
Implementing File and Print Services
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Hands-On Microsoft Windows Server 2008
Managing User Accounts, Passwords and Logon Chapter 5 powered by dj.
Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
5.1 © 2004 Pearson Education, Inc. Lesson 5: Administering User Accounts Exam Microsoft® Windows® 2000 Directory Services Infrastructure Goals 
Computer Security and Penetration Testing Chapter 16 Windows Vulnerabilities.
Chapter 13 Users, Groups Profiles and Policies. Learning Objectives Understand Windows XP Professional user accounts Understand the different types of.
September 18, 2002 Windows 2000 Server Active Directory By Jerry Haggard.
Designing Authentication for a Microsoft Windows 2000 Network Designing Authentication in a Microsoft Windows 2000 Network Designing Kerberos Authentication.
Module 7 Active Directory and Account Management.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Module 3 Configuring File Access and Printers on Windows ® 7 Clients.
Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.
Module 3 Configuring File Access and Printers on Windows 7 Clients.
Guide to MCSE , Second Edition, Enhanced1 The Windows XP Security Model User must logon with: Valid user ID Password User receives access token Access.
NT SECURITY Introduction Security features of an operating system revolve around the principles of “Availability,” “Integrity,” and Confidentiality. For.
Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.
Module 3: Configuring File Access and Printers on Windows 7 Clients
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Privilege Management Chapter 22.
Introduction to Active Directory
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter One Introduction to Exchange Server 2003.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Access control Presented by: Pius T. S. : Christian C. : Gabes K. : Ismael I. H. : Paulus N.
7/10/20161 Computer Security Protection in general purpose Operating Systems.
ITMT Windows 7 Configuration Chapter 6 – Sharing Resource ITMT 1371 – Windows 7 Configuration 1.
Secure Connected Infrastructure
Chapter One: Mastering the Basics of Security
Configuring Windows Firewall with Advanced Security
Introduction to Operating Systems
HARDENING CLIENT COMPUTERS
Configuring and Troubleshooting Routing and Remote Access
Overview of Active Directory Domain Services
Radius, LDAP, Radius used in Authenticating Users
(ITI310) SESSIONS 6-7-8: Active Directory.
Network Security Unit-VI
THE STEPS TO MANAGE THE GRID
CompTIA Security+ Study Guide (SY0-401)
CompTIA Security+ Study Guide (SY0-501)
Securing Windows 7 Lesson 10.
BACHELOR’S THESIS DEFENSE
BACHELOR’S THESIS DEFENSE
BACHELOR’S THESIS DEFENSE
Computer Security Protection in general purpose Operating Systems
Designing IIS Security (IIS – Internet Information Service)
Preparing for the Windows 8. 1 MCSA Module 6: Securing Windows 8
Presentation transcript:

Managing User Security Chapter 3 Managing User Security

Certification Objectives CompTIA Security+ 1.2 Compare and contrast types of attacks. 2.3 Given a scenario, troubleshoot common security issues. 2.6 Given a scenario, implement secure protocols. 3.9 Explain the importance of physical security controls. 4.1 Compare and contrast identity and access management concepts. 4.2 Given a scenario, install and configure identity and access services. 4.3 Given a scenario, implement identity and access management controls. 4.4 Given a scenario, differentiate common account management practices.

Certification Objectives (continued) Microsoft MTA Security Fundamentals 2.1 Understand user authentication. 2.2 Understand permissions. 2.3 Understand password policies. 4.1 Understand client protection.

Authentication and Control Section 3.1 Authentication and Control

Key Terms Active Directory attack surface authentication behavioral biometrics biometrics crossover error rate (CER) Discretionary Access Control (DAC) dongle false acceptance rate (FAR) false rejection rate (FRR) federated identity management (FID) hardening job rotation Kerberos

Key Terms Key Distribution Center (KDC) LDAPS Lightweight Directory Access Protocol (LDAP) Mandatory Access Control (MAC) mandatory vacations multifactor authentication one-time password (OTP) permission policy right Role-Based Access Control (RBAC) rule-based access control secondary logon

Key Terms Security Accounts Manager (SAM) Security Assertion Markup Language (SAML) Shibboleth single sign-on (SSO) transitive trust user account control (UAC)

Learning Goals Explain the process of authentication. Discuss the use of access levels. Describe nontechnical approaches to user security. Compare authentication on a local computer to authentication on a network computer.

User Authentication Authentication: process of validating a user Passwords Most common authentication method One of the least-secure methods Weak passwords; shoulder surfing Reuse of passwords on multiple sites Poor password policies Password-cracking tools

User Authentication (continued) Multifactor Authentication When different forms of authentication are combined What you know Passwords Asking a security question

User Authentication (continued) What you have User must possess a device that contains security information Common access cards (CACs) Tokens Not used to replace passwords

User Authentication (continued) What you have One-time password (OTP): password that is valid for only one login or transaction, and it is often valid for only a short period Dongle: physical token inserted into a computer’s USB port

User Authentication (continued) What you are Refers to a biological feature of the user Biometrics: measurement and analysis of a biological feature Fingerprints, retina or iris scans, facial recognition, voice analysis, palm prints

User Authentication (continued) What you do Behavioral biometrics: authentication method identifying measurable patterns in human activities Keystroke dynamics: measures patterns of rhythm and timing that is generated when a person is using the keyboard on a system Wi-Fi triangulation, GPS, IP address resolution

User Authentication (continued) Security Error Rates Concerning Biometric Authentication Potential risks with biometric authentication False acceptance rate (FAR) When the biometric credentials are authorized on invalid characteristics Determined by the ration of the number of false acceptances divided by the number of identification attempts

User Authentication (continued) Security Error Rates Concerning Biometric Authentication False rejection rate (FRR) Denying an authorized biometric credential Determined by the number of false rejections divided by the number of identification attempts Crossover error rate (CER): potion where FAR and FRR are equal

User Authentication (continued) Goodheart-Willcox Publisher

Access Levels Mandatory Access Control (MAC) Security strategy that sets a strict level of access to resources Based on criteria set by the network administrator Used most often with military or supporting organizations Discretionary Access Control (DAC): user can be granted additional rights to data beyond what is allowed by assigned access level

Access Levels (continued) Goodheart-Willcox Publisher

Access Levels (continued) Role-Based Access Control (RBAC): rights are assigned to a role instead of manually to each individual user Rule-based access control: rules are established for various situations, such as allowing users to log in to a network only during specific times

Security Options Related to Existing Employees Businesses can underestimate threats from existing employees Mandatory vacations: users are forced to take vacations where they are not on the premises or using the systems Access to system and premises are removed Allows for a system check by business

Security Options Related to Existing Employees (continued) Job rotation: Users cycle through different roles New user can verify settings, data, and other aspects of the position

User Access to Resources Least privilege: employees have only the privileges needed to perform their job responsibilities Local Computer Access Right: ability to perform a type of action on the computer Permission: deals with the specific abilities within a right or with files and folders

User Access to Resources (continued) Workstation on a Network Active Directory: database of network resources and includes objects such as user and group accounts, computers, servers, and printers Directories are based on LDAP standard Lightweight Directory Access Protocol (LDAP): provides standards and ensures that directories or directory services are constructed and used in the same manner

User Access to Resources (continued) LDAPS: secure form of LDAP, where LDAP is used with SSL to send directory communications encrypted Goodheart-Willcox Publisher; server: Sashkin/Shutterstock.com; laptop: Vtls/Shutterstock.com; tablet: Alexey Boldin/Shutterstock.com; computer: Elnur/Shutterstock.com

User Access to Resources (continued) Tree approach: directories are constructed in a hierarchical manner Organizational units: objects that further organize a database Leaf objects: objects that represent resources, such as users or printers

User Access to Resources (continued) Goodheart-Willcox Publisher; printer: R-O-M-A/Shutterstock.com; computers: Elnur/Shutterstock.com; servers: Sashkin/Shutterstock.com; vector art: Rawpixel.com /Shutterstock.com

User Access to Resources (continued) Kerberos: standard authentication protocol on all versions of Microsoft Server when using the Active Directory Key Distribution Center (KDC): service running on a server that has a copy of the Active Directory to manage the main functions of Authentication Service (AS) exchange and Ticket Granting Service (TGS) exchange

User Access to Resources (continued) Goodheart-Willcox Publisher; guard: IconBunny/Shutterstock.com; user: gst/Shutterstock.com; server: VectorShow/Shutterstock.com

User Access to Resources (continued) Additional Access Levels Single sign-on (SSO): authentication service that allows a user to use one login and password combination to access a set of services Shibboleth: open-source standard that offers single sign-on capabilities Security Assertion Markup Language (SAML): open standard used by parties that allows the exchange of authentication and authorization information

User Access to Resources (continued) Federated identity management (FID) Allows semi-independent systems to work together Goal is to allow users of one system to access resources form another system Transitive trust: occurs when the trust relationship is considered two-way

User Access to Resources (continued) Standalone Computer When a computer is not connected to a network Logon accounts must be stored on that machine Security Account Manager (SAM): local, nonhierarchical database of users and groups on a Windows system Hash: computer value that uniquely identifies data

User Access to Resources (continued) Secondary Logon: allows a user to be logged in as a standard user, but run specific programs as an administrator Password-Protected Screen Savers Simple and effective way to limit access to a local computer Password can also be required when a computer “sleeps”

User Access to Resources (continued) User Rights Policy: set of rules that can automatically control access to resources Local policy: policy management on the local computer Group policies: policies that are configured on the server Locked down: ensures systems are protected from unwanted access Hardening: refers to the process of reducing or eliminating vulnerabilities on a system

User Access to Resources (continued) Attack surface: many areas that could give a hacker access to a system Password policy: provides rules that must be followed when a password is created or changed

User Access to Resources (continued)

User Access to Resources (continued)

User Access to Resources (continued) User Account Control (UAC) Technology used to govern security by limiting what a standard user is able to do on a system Helps prevent unknown or potentially dangerous settings begin made without the knowledge of the user

Section 3.1 Review What is the vulnerability that allows a person to see what a user is entering, such as a password? Shoulder surfing Directories should be based on which protocol to allow use with multiple systems? Lightweight directory access protocol (LDAP) A security technique that requires the user not to be using the computer system is known as what strategy? Mandatory vacation

Section 3.1 Review What allows you to log in one time and access multiple services without having to reenter login credentials? Single sign-on (SSO) What system configuration should you set to require administrative credentials for installing software? User account control (UAC)

Access to Files and Folders Section 3.2 Access to Files and Folders

Key Terms explicit permissions implicit permissions inherited permissions New Technology File System (NTFS) permissions share permissions

Learning Goals Explain how to set permissions on a shared folder. Differentiate between share and NTFS permissions.

Share Permissions Share permissions: allow user to share folders Remote connection allows access to files in a shared folder Have no effect on user access when logging in directly at machine Discretionary access control: person who owns the files has the ability to give others permissions to access them

Share Permissions (continued) Sharing a Folder in Windows Sharing must be enabled in the Control Panel User who owns folder has full-control permissions Three permissions: read, change, full control

Share Permissions (continued)

Share Permissions (continued) Security Considerations of Sharing Folders Shared folder presents an access point for a hacker or employee Can be used to exploit other system vulnerabilities or provide access to confidential data Shares can be created and hidden

NTFS Permissions New Technology File System (NTFS) permissions: allow rights to be set for users on the local machine Secures local access Provides more options for permissions

NTFS Permissions (continued)

NTFS Permissions (continued) Receiving Permissions Explicit permissions: those a user is given at a specific location Inherited permissions: those a user receives by default at a lower level Implicit permissions: those a user receives through another object, such as a group

NTFS Permissions (continued) Hierarchy of permission order Explicit deny Explicit allow Inherited deny Inherited allow

NTFS Permissions (continued)

NTFS Permissions (continued) Combining NTFS and Share Permissions In many cases, when a folder is shared, permissions are not flexible or granular enough. NTFS permissions are also given to the share. When two permissions combine, more restrictive permission takes precedence

NTFS Permissions (continued) Security Considerations of NTFS Permissions NTFS permissions offer ability to assign very specific permissions to users or groups. A user having permissions for many areas can cause a security risk. Administrators should verify effective permissions.

Section 3.2 Review What are the permission options for shared folders? Read, change, and full control Which NTFS permission allows the ability to rename a file? Modify How can a shared folder be set to hidden? Put a dollar sign ($) at the end of the share name.

Section 3.2 Review Permissions received from a higher folder are called what type of permissions? Inherited The net result of all permission assignments results in what a user can do. This is called what type of permission? Effective