Managing User Security

Presentation on theme: "Managing User Security"— Presentation transcript:

2 Managing User Security
Chapter 3 Managing User Security

3 Certification Objectives
CompTIA Security+
- 1.2 Compare and contrast types of attacks.
- 2.3 Given a scenario, troubleshoot common security issues.
- 2.6 Given a scenario, implement secure protocols.
- 3.9 Explain the importance of physical security controls.
- 4.1 Compare and contrast identity and access management concepts.
- 4.2 Given a scenario, install and configure identity and access services.
- 4.3 Given a scenario, implement identity and access management controls.
- 4.4 Given a scenario, differentiate common account management practices.

4 Certification Objectives (continued)
Microsoft MTA Security Fundamentals
- 2.1 Understand user authentication.
- 2.2 Understand permissions.
- 2.3 Understand password policies.
- 4.1 Understand client protection.

5 Authentication and Control
Section 3.1 Authentication and Control

6 Key Terms
- Active Directory
- attack surface
- authentication
- behavioral biometrics
- biometrics
- crossover error rate (CER)
- Discretionary Access Control (DAC)
- dongle
- false acceptance rate (FAR)
- false rejection rate (FRR)
- federated identity management (FID)
- hardening
- job rotation
- Kerberos

7 Key Terms
- Key Distribution Center (KDC)
- LDAPS
- Lightweight Directory Access Protocol (LDAP)
- Mandatory Access Control (MAC)
- mandatory vacations
- multifactor authentication
- one-time password (OTP)
- permission
- policy
- right
- Role-Based Access Control (RBAC)
- rule-based access control
- secondary logon

8 Key Terms
- Security Accounts Manager (SAM)
- Security Assertion Markup Language (SAML)
- Shibboleth
- single sign-on (SSO)
- transitive trust
- user account control (UAC)

9 Learning Goals
- Explain the process of authentication.
- Discuss the use of access levels.
- Describe nontechnical approaches to user security.
- Compare authentication on a local computer to authentication on a network computer.

10 User Authentication
Authentication: process of validating a user
- Passwords
  - Most common authentication method
  - One of the least-secure methods
  - Weak passwords; shoulder surfing
  - Reuse of passwords on multiple sites
  - Poor password policies
  - Password-cracking tools

11 User Authentication (continued)
Multifactor Authentication: when different forms of authentication are combined
- What you know
  - Passwords
  - Asking a security question

12 User Authentication (continued)
- What you have
  - User must possess a device that contains security information
  - Common access cards (CACs)
  - Tokens
  - Not used to replace passwords

13 User Authentication (continued)
- What you have
  - One-time password (OTP): password that is valid for only one login or transaction, and often only for a short period
  - Dongle: physical token inserted into a computer’s USB port

14 User Authentication (continued)
- What you are
  - Refers to a biological feature of the user
  - Biometrics: measurement and analysis of a biological feature
  - Fingerprints, retina or iris scans, facial recognition, voice analysis, palm prints

15 User Authentication (continued)
- What you do
  - Behavioral biometrics: authentication method that identifies measurable patterns in human activities
  - Keystroke dynamics: measures the patterns of rhythm and timing that are generated when a person uses the keyboard on a system
  - Wi-Fi triangulation, GPS, IP address resolution

16 User Authentication (continued)
Security Error Rates Concerning Biometric Authentication
- Potential risks with biometric authentication
- False acceptance rate (FAR)
  - When biometric credentials are accepted on invalid characteristics
  - Determined by the ratio of the number of false acceptances to the number of identification attempts

17 User Authentication (continued)
Security Error Rates Concerning Biometric Authentication
- False rejection rate (FRR)
  - Denying an authorized biometric credential
  - Determined by the number of false rejections divided by the number of identification attempts
- Crossover error rate (CER): point where FAR and FRR are equal
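The FAR, FRR and CER definitions from the two slides above, carried through on constructed matcher scores. This is an added example, not part of the slide deck; the score lists, the accept-at-or-above-threshold rule and the threshold sweep are assumptions made for illustration.

```python
# Added example: biometric FAR, FRR and CER on constructed matcher scores.
# Scores are similarity values in [0, 1]; a sample is accepted when its
# score is at or above the decision threshold. The data below is made up.

GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.70, 0.64, 0.59, 0.55]   # enrolled users
IMPOSTOR_SCORES = [0.12, 0.20, 0.31, 0.38, 0.45, 0.52, 0.60, 0.71]  # other people


def far(impostor_scores, threshold):
    """False acceptance rate: impostor attempts accepted / impostor attempts."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: genuine attempts rejected / genuine attempts."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def crossover(genuine_scores, impostor_scores, steps=100):
    """Sweep thresholds from 0 to 1 and return (threshold, FAR, FRR) at the
    point where FAR and FRR are closest: the crossover error rate (CER)."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


if __name__ == "__main__":
    # Raising the threshold trades false acceptances for false rejections.
    for t in (0.5, 0.6, 0.7):
        print(f"threshold {t:.2f}: FAR={far(IMPOSTOR_SCORES, t):.3f} "
              f"FRR={frr(GENUINE_SCORES, t):.3f}")
    print("CER (threshold, FAR, FRR):", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
```

A lower CER means the matcher separates genuine users from impostors better; tuning a deployed system means choosing a threshold on this curve, not just reading the CER.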

18 User Authentication (continued)
[figure only; image credit: Goodheart-Willcox Publisher]

19 Access Levels
- Mandatory Access Control (MAC)
  - Security strategy that sets a strict level of access to resources
  - Based on criteria set by the network administrator
  - Used most often with military or supporting organizations
- Discretionary Access Control (DAC): user can be granted additional rights to data beyond what is allowed by the assigned access level

20 Access Levels (continued)
[figure only; image credit: Goodheart-Willcox Publisher]

21 Access Levels (continued)
- Role-Based Access Control (RBAC): rights are assigned to a role instead of manually to each individual user
- Rule-based access control: rules are established for various situations, such as allowing users to log in to a network only during specific times

22 Security Options Related to Existing Employees
- Businesses can underestimate threats from existing employees
- Mandatory vacations: users are required to take vacations during which they are not on the premises or using the systems
  - Access to systems and premises is removed
  - Allows the business to perform a system check

23 Security Options Related to Existing Employees (continued)
- Job rotation: users cycle through different roles
  - New user can verify settings, data, and other aspects of the position

24 User Access to Resources
- Least privilege: employees have only the privileges needed to perform their job responsibilities
- Local Computer Access
  - Right: ability to perform a type of action on the computer
  - Permission: deals with the specific abilities within a right or with files and folders

25 User Access to Resources (continued)
- Workstation on a Network
  - Active Directory: database of network resources that includes objects such as user and group accounts, computers, servers, and printers
  - Directories are based on the LDAP standard
  - Lightweight Directory Access Protocol (LDAP): provides standards and ensures that directories or directory services are constructed and used in the same manner

26 User Access to Resources (continued)
- LDAPS: secure form of LDAP, where LDAP is used with SSL so that directory communications are sent encrypted
[figure; image credit: Goodheart-Willcox Publisher, with stock photos from Shutterstock.com]

27 User Access to Resources (continued)
- Tree approach: directories are constructed in a hierarchical manner
- Organizational units: objects that further organize a database
- Leaf objects: objects that represent resources, such as users or printers

28 User Access to Resources (continued)
[figure only; image credit: Goodheart-Willcox Publisher, with stock photos from Shutterstock.com]

29 User Access to Resources (continued)
- Kerberos: standard authentication protocol on all versions of Microsoft Server when using Active Directory
- Key Distribution Center (KDC): service running on a server that has a copy of the Active Directory and manages the two main functions: the Authentication Service (AS) exchange and the Ticket Granting Service (TGS) exchange

30 User Access to Resources (continued)
[figure only; image credit: Goodheart-Willcox Publisher, with stock art from Shutterstock.com]

31 User Access to Resources (continued)
Additional Access Levels
- Single sign-on (SSO): authentication service that allows a user to use one login and password combination to access a set of services
- Shibboleth: open-source standard that offers single sign-on capabilities
- Security Assertion Markup Language (SAML): open standard that allows parties to exchange authentication and authorization information

32 User Access to Resources (continued)
- Federated identity management (FID)
  - Allows semi-independent systems to work together
  - Goal is to allow users of one system to access resources from another system
- Transitive trust: occurs when the trust relationship is considered two-way

33 User Access to Resources (continued)
- Standalone Computer
  - When a computer is not connected to a network
  - Logon accounts must be stored on that machine
  - Security Account Manager (SAM): local, nonhierarchical database of users and groups on a Windows system
  - Hash: computed value that uniquely identifies data

34 User Access to Resources (continued)
- Secondary logon: allows a user to be logged in as a standard user but run specific programs as an administrator
- Password-Protected Screen Savers
  - Simple and effective way to limit access to a local computer
  - Password can also be required when a computer “sleeps”

35 User Access to Resources (continued)
User Rights
- Policy: set of rules that can automatically control access to resources
  - Local policy: policy management on the local computer
  - Group policies: policies that are configured on the server
- Locked down: ensures systems are protected from unwanted access
- Hardening: the process of reducing or eliminating vulnerabilities on a system

36 User Access to Resources (continued)
- Attack surface: the many areas that could give a hacker access to a system
- Password policy: provides rules that must be followed when a password is created or changed

39 User Access to Resources (continued)
- User Account Control (UAC)
  - Technology used to govern security by limiting what a standard user is able to do on a system
  - Helps prevent unknown or potentially dangerous settings being made without the knowledge of the user

40 Section 3.1 Review
- What is the vulnerability that allows a person to see what a user is entering, such as a password? Shoulder surfing
- Directories should be based on which protocol to allow use with multiple systems? Lightweight Directory Access Protocol (LDAP)
- A security technique that requires the user not to be using the computer system is known as what strategy? Mandatory vacation

41 Section 3.1 Review
- What allows you to log in one time and access multiple services without having to reenter login credentials? Single sign-on (SSO)
- What system configuration should you set to require administrative credentials for installing software? User account control (UAC)

42 Access to Files and Folders
Section 3.2 Access to Files and Folders

43 Key Terms
- explicit permissions
- implicit permissions
- inherited permissions
- New Technology File System (NTFS) permissions
- share permissions

44 Learning Goals
- Explain how to set permissions on a shared folder.
- Differentiate between share and NTFS permissions.

45 Share Permissions
- Share permissions: allow a user to share folders
  - Remote connection allows access to files in a shared folder
  - Have no effect on user access when logging in directly at the machine
- Discretionary access control: the person who owns the files has the ability to give others permission to access them

46 Share Permissions (continued)
Sharing a Folder in Windows
- Sharing must be enabled in the Control Panel
- User who owns the folder has full-control permissions
- Three permissions: read, change, full control

48 Share Permissions (continued)
Security Considerations of Sharing Folders
- A shared folder presents an access point for a hacker or an employee
- Can be used to exploit other system vulnerabilities or provide access to confidential data
- Shares can be created and hidden

49 NTFS Permissions New Technology File System (NTFS) permissions: allow rights to be set for users on the local machine Secures local access Provides more options for permissions

51 NTFS Permissions (continued)
Receiving Permissions
- Explicit permissions: those a user is given at a specific location
- Inherited permissions: those a user receives by default at a lower level, passed down from a higher folder
- Implicit permissions: those a user receives through another object, such as a group

52 NTFS Permissions (continued)
Hierarchy of permission order (highest precedence first):
1. Explicit deny
2. Explicit allow
3. Inherited deny
4. Inherited allow

54 NTFS Permissions (continued)
Combining NTFS and Share Permissions
- In many cases, when a folder is shared, share permissions alone are not flexible or granular enough.
- NTFS permissions are also applied to the shared folder.
- When the two sets of permissions combine, the more restrictive permission takes precedence.
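A small resolver that applies the explicit/inherited/implicit distinction from slide 51, the precedence order from slide 52, and the NTFS-plus-share rule from this slide. It is an added example, not material from the slides; the Ace class, the user and group names, and the treatment of rights as independent labels are assumptions made for illustration.

```python
# Added example: effective-permission resolution as the slides describe it.
# NTFS entries apply in slide 52's precedence order; the first entry naming a
# right decides it. Groups supply implicit permissions. Over a share the more
# restrictive of NTFS and share wins. Rights are independent labels here (a
# simplification of Windows). All names and ACLs below are constructed.
from dataclasses import dataclass

# Rights granted by each of the three Windows share permissions.
SHARE_RIGHTS = {
    "read": {"read"},
    "change": {"read", "write", "modify"},
    "full": {"read", "write", "modify", "full control"},
}
# Precedence from slide 52, highest first: (inherited?, allow/deny).
PRECEDENCE = [(False, "deny"), (False, "allow"), (True, "deny"), (True, "allow")]

@dataclass(frozen=True)
class Ace:
    principal: str           # user or group name
    access: str              # "allow" or "deny"
    rights: frozenset        # rights this entry covers
    inherited: bool = False  # True when it came down from a parent folder

def ntfs_effective(user, groups, acl):
    """Rights `user` ends up with on the object, given its NTFS ACL."""
    principals = {user, *groups}
    granted, decided = set(), set()
    for inherited, access in PRECEDENCE:
        for ace in acl:
            if (ace.principal not in principals or ace.inherited != inherited
                    or ace.access != access):
                continue
            for right in ace.rights - decided:  # higher-precedence ACEs win
                decided.add(right)
                if access == "allow":
                    granted.add(right)
    return granted

def effective_over_share(user, groups, acl, share_level):
    """Remote access through a share: NTFS rights limited by the share's."""
    return ntfs_effective(user, groups, acl) & SHARE_RIGHTS[share_level]

# Constructed sample: alice is in Staff; the folder inherits Modify for Staff,
# explicitly allows Staff Full Control, and explicitly denies alice Write.
SAMPLE_ACL = [
    Ace("Staff", "allow", frozenset({"read", "write", "modify"}), inherited=True),
    Ace("Staff", "allow", frozenset({"read", "full control"})),
    Ace("alice", "deny", frozenset({"write"})),
]
```

Running `effective_over_share("alice", ["Staff"], SAMPLE_ACL, "change")` shows the point of slide 55: the explicit deny removes Write even though two group entries grant it, and the Change share then drops Full Control, so the administrator must look at the effective result rather than at any single entry.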

55 NTFS Permissions (continued)
Security Considerations of NTFS Permissions
- NTFS permissions offer the ability to assign very specific permissions to users or groups.
- A user having permissions for many areas can pose a security risk.
- Administrators should verify effective permissions.

56 Section 3.2 Review
- What are the permission options for shared folders? Read, change, and full control
- Which NTFS permission allows the ability to rename a file? Modify
- How can a shared folder be set to hidden? Put a dollar sign ($) at the end of the share name.

57 Section 3.2 Review
- Permissions received from a higher folder are called what type of permissions? Inherited
- The net result of all permission assignments determines what a user can do. This is called what type of permission? Effective
