Published by Willis Anderson. Modified over 8 years ago.
Module 8: Designing Security for Authentication
Overview
- Creating a Security Plan for Authentication
- Creating a Design for Security of Authentication
Lesson 1: Creating a Security Plan for Authentication
- MSF and Security of Authentication
- Defense in Depth and Security of Authentication
- Authentication Security
- STRIDE Threat Model and Security of Authentication
- Activity: Identifying Threats to Authentication
MSF and Security of Authentication
The MSF envisioning and planning phases help you to:
- Decide which locations your plan will help to protect
- Consider all the authentication used in your environment: operating systems, applications, and remote access
Defense in Depth and Security of Authentication
Layers, from the outside in:
- Policies, procedures, and awareness
- Physical security
- Perimeter
- Internal network
- Host
- Application
- Data
Authentication is enforced, and can be attacked, at each of these layers, so the plan must address all of them rather than a single point.
Authentication Security
Vulnerability area: threats
- Passwords: passwords are transmitted in plaintext; password hashes are transmitted across the network (where they can be captured for offline cracking or relayed); passwords are intercepted by Trojan horse applications
- Compatibility: older software uses weaker authentication methods; authentication protocols are weakened for compatibility with other applications; incompatibility with non-Microsoft applications
- Encryption: an application uses weak encryption; older operating systems use weaker authentication methods; an attacker intercepts and relays authentication packets
STRIDE Threat Model and Security of Authentication
Threats to authentication from the previous slide:
- An attacker intercepts and relays authentication packets
- Passwords are transmitted in plaintext
- Authentication protocols are weakened for use with other applications
- An application uses weak encryption
- Older software uses weak authentication methods
- Incompatibility with non-Microsoft applications
STRIDE categories against which to classify each threat:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
Activity: Identifying Threats to Authentication
In this practice you will:
- Read the scenario
- Answer the questions
- Discuss with the class
Lesson 2: Creating a Design for Security of Authentication
- Determine Authentication Methods
- Considerations for Securing Authentication on a Network
- Considerations for Authenticating Web Users
- Considerations for Authenticating VPN Users
- What Is Multifactor Authentication?
- What Is RADIUS?
- Considerations for Authenticating Wireless Users
- Considerations for Authenticating Network Devices
Determine Authentication Methods
To determine authentication requirements:
1. Analyze requirements for authentication security
2. Identify compatibility requirements of operating systems
3. Identify compatibility requirements of applications
4. Identify authentication requirements of applications
5. Design an implementation strategy
Considerations for Securing Authentication on a Network
When using the Kerberos version 5 authentication protocol, consider:
- Interoperability with Kerberos realms (cross-realm trusts with non-Windows KDCs)
- Time synchronization: servers reject tickets and authenticators whose timestamps differ from their own clock by more than the allowed skew (5 minutes by default), so clients, servers, and KDCs must share a reliable time source
When using the LAN Manager and NTLM authentication protocols, consider:
- Removing LAN Manager password hashes: the LM hash is trivially cracked offline, so stop storing it (the NoLMHash setting). Existing LM hashes remain in the directory until each password is changed.
- Configuring the LAN Manager compatibility level: LmCompatibilityLevel (0 to 5) controls which responses clients send and which a server accepts. Level 5 sends only NTLMv2 and refuses LM and NTLM, which is the goal, but clients that support only LM or NTLMv1 will then fail, so inventory them first.
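The time-synchronization point above comes down to two checks a Kerberos service performs on every authenticator it receives. The following is an added example, not code from the course: it models the acceptor side with a plain dict standing in for the ASN.1 authenticator, a 300-second skew that matches the Windows and MIT defaults, and a replay cache that only needs to remember entries for the skew window because anything older fails the clock check anyway. The principal names and timestamps are constructed.

```python
"""Added example (not from the course): acceptor-side Kerberos checks that make
the protocol depend on synchronized clocks.

An AP-REQ carries an authenticator with the client name and the client's current
time (ctime, cusec). The service rejects authenticators whose timestamp is too far
from its own clock (KRB_AP_ERR_SKEW) and authenticators it has already seen within
the skew window (KRB_AP_ERR_REPEAT). Authenticators are plain dicts here.
"""
from dataclasses import dataclass, field

MAX_SKEW_SECONDS = 300  # default "maximum tolerance for computer clock synchronization"


@dataclass
class ReplayCache:
    max_skew: int = MAX_SKEW_SECONDS
    seen: dict = field(default_factory=dict)  # (cname, ctime, cusec) -> server time first seen

    def prune(self, now: int) -> None:
        """Drop entries older than the skew window; their ctime can no longer pass the clock check."""
        for key in [k for k, t in self.seen.items() if now - t > self.max_skew]:
            del self.seen[key]

    def check_and_record(self, key: tuple, now: int) -> bool:
        self.prune(now)
        if key in self.seen:
            return False
        self.seen[key] = now
        return True


def accept_authenticator(auth: dict, now: int, cache: ReplayCache) -> str:
    """Return 'OK', 'KRB_AP_ERR_SKEW' or 'KRB_AP_ERR_REPEAT' for an authenticator
    {'cname': str, 'ctime': int (epoch seconds), 'cusec': int} checked at server time `now`."""
    if abs(auth["ctime"] - now) > cache.max_skew:
        return "KRB_AP_ERR_SKEW"
    key = (auth["cname"], auth["ctime"], auth["cusec"])
    if not cache.check_and_record(key, now):
        return "KRB_AP_ERR_REPEAT"
    return "OK"


def demo() -> list:
    """Constructed sequence: a fresh authenticator, the same one captured and resent,
    a client whose clock is 10 minutes slow, and the first one again long after."""
    cache = ReplayCache()
    t0 = 1_700_000_000
    fresh = {"cname": "alice@CORP.EXAMPLE", "ctime": t0, "cusec": 123456}
    slow = {"cname": "bob@CORP.EXAMPLE", "ctime": t0 - 600, "cusec": 1}
    return [
        accept_authenticator(fresh, t0 + 1, cache),    # OK
        accept_authenticator(fresh, t0 + 2, cache),    # REPEAT: replayed within the window
        accept_authenticator(slow, t0 + 2, cache),     # SKEW: bob's clock is 10 minutes behind
        accept_authenticator(fresh, t0 + 400, cache),  # SKEW: outside the window, the cache need not remember it
    ]


if __name__ == "__main__":
    print(demo())
```

The same logic explains the operational symptom: a server whose clock drifts by more than the tolerance rejects every client with KRB_AP_ERR_SKEW, and clients typically fall back to NTLM, which is exactly the weaker path the LM/NTLM settings above are meant to close off.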
Considerations for Authenticating Web Users
IIS authentication: considerations
- Anonymous authentication: uses a single account; does not require users to provide credentials
- Basic authentication: sends user names and passwords in plaintext (base64 is an encoding, not protection); supported by all browsers; secure only when the connection is protected with SSL or TLS
- Digest authentication: sends a hash of the user name, password, and a server nonce rather than the password; requires browsers that support HTTP 1.1 (RFC 2617); in IIS it requires the account's password to be stored with reversible encryption in Active Directory
- Advanced digest authentication: uses an MD5 hash of the credentials stored as part of Active Directory, so reversible storage is not needed; Internet Explorer only
- Integrated Windows authentication (Kerberos or NTLM): Internet Explorer only; generally does not work through proxy servers or firewalls (NTLM is connection-oriented, and Kerberos requires the client to reach a KDC)
- Windows Live ID: users create a single sign-in name and password for access to all Windows Live ID-enabled Web sites
- Certificate-based authentication: requires a PKI; does not require a user to enter a password
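The Basic and Digest rows differ in what an eavesdropper sees and in what the server has to store. The following is an added example, not code from the course or from IIS: it builds a Basic header and shows it decodes straight back to the password, then implements the RFC 2617 Digest computation (qop=auth) on the client and a minimal server-side verifier that stores only HA1 and refuses a repeated nonce count. The realm, user, and password for the verifier test are constructed; the RFC 2617 section 3.5 values (user "Mufasa", realm "testrealm@host.com") are the standard's own worked example.

```python
"""Added example (not from the course): HTTP Basic versus Digest authentication as
seen on the wire, and Digest verification without the plaintext password (RFC 2617)."""
import base64
import hashlib
import secrets


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()  # MD5 is what RFC 2617 Digest specifies


def basic_header(user: str, password: str) -> str:
    """Basic: credentials are only base64-encoded, which is reversible. Anyone who sees
    the header has the password unless the connection is protected by TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials(header: str) -> tuple:
    """What an eavesdropper recovers from a captured Basic header."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). A server needs to store only this, not the password."""
    return _md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """The value sent on the wire: a hash keyed by the server nonce, so it cannot be
    reversed to the password and is useless once the server retires the nonce."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """Minimal verifier: stores HA1 per user, issues nonces, tracks the nonce count."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.ha1 = {u: digest_ha1(u, realm, p) for u, p in users.items()}
        self.nonces = {}  # nonce -> highest nc accepted; a repeated or lower nc is a replay

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, user: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, response: str) -> bool:
        if user not in self.ha1 or nonce not in self.nonces:
            return False
        if int(nc, 16) <= self.nonces[nonce]:
            return False  # replayed or out-of-order nonce count
        expected = digest_response(self.ha1[user], method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.nonces[nonce] = int(nc, 16)
        return True


def rfc2617_example() -> str:
    """RFC 2617 section 3.5 values; the expected response is 6629fae49393a05397450978507c4ef1."""
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return digest_response(ha1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
```

Two practical consequences follow from the code: Digest protects the password on the wire but still relies on MD5 and offers no confidentiality for the rest of the request, so it is not a substitute for TLS; and because HA1 is bound to the realm string, changing an IIS realm invalidates every stored Digest credential.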
Considerations for Authenticating VPN Users
VPN authentication: considerations
- CHAP: requires that user passwords are stored with reversible encryption; compatible with Macintosh and UNIX-based clients; cannot be used with MPPE data encryption
- MS-CHAP: used by client computers running Windows 95; supports only client computers running Microsoft software; the version 1 exchange is weak and should not be used where anything newer is available
- MS-CHAPv2: performs mutual authentication; installed by default; a captured exchange can still be attacked offline, so run it inside a protected tunnel (for example PEAP) or prefer EAP-TLS
- EAP-TLS: requires a PKI; enables multifactor authentication (for example, smart cards)
- RADIUS: RADIUS servers can provide a proxy service to forward authentication requests to another RADIUS server
What Is Multifactor Authentication?
Factors: examples
- Pass code (something you know): user name and password, PIN
- Physical item (something you have): smart card, hardware or software token
- Personal characteristic (something you are): thumbprint, voice
Multifactor authentication combines factors from at least two of these categories; two passwords are still a single factor.
What Is RADIUS?
Network diagram: VPN user, VPN server, RADIUS server.
1. The user connects to the VPN server
2. The VPN server sends the user's credentials to the RADIUS server for authentication and receives an accept or reject decision
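The two-step exchange on this slide, and the RADIUS row of the VPN table above, both describe the same protocol run. The following is an added example, not code from the course or from any RADIUS product: the VPN server (the NAS) builds an Access-Request with the password hidden as RFC 2865 section 5.2 specifies (XOR with an MD5 stream keyed by the shared secret and the Request Authenticator), the RADIUS server recovers the password, checks it against its user store and replies with an Access-Accept or Access-Reject carrying a Response Authenticator, and the NAS verifies that authenticator before trusting the answer. The shared secret, user store, and NAS address are constructed.

```python
"""Added example (not from the course): a NAS-to-RADIUS Access-Request and its reply
per RFC 2865, with the User-Password hiding and Response Authenticator check."""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(attrs: list) -> bytes:
    return b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack(">BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def nas_access_request(user: str, password: str, secret: bytes, ident: int, nas_ip: bytes) -> tuple:
    request_auth = secrets.token_bytes(16)  # must be unpredictable: it keys the password hiding
    attrs = encode_attrs([(USER_NAME, user.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
                          (NAS_IP_ADDRESS, nas_ip)])
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    code, ident, length = struct.unpack(">BBH", request[:4])
    request_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = user in users and secrets.compare_digest(users[user].encode(), password)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(reply, ident, response_authenticator(reply, ident, request_auth, b"", secret), b"")


def nas_check_reply(reply: bytes, request_auth: bytes, secret: bytes) -> str:
    """The NAS trusts only replies whose Response Authenticator matches; anything else
    (wrong secret, forged reply, altered code) is treated as no answer at all."""
    code, ident, length = struct.unpack(">BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    if not secrets.compare_digest(expected, reply[4:20]):
        return "invalid"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def vpn_logon(user: str, password: str, secret: bytes = b"constructed-shared-secret", users: dict = None) -> str:
    """One full run: NAS request, server decision, NAS verification of the reply."""
    users = users if users is not None else {"nemo": "arctangent"}  # constructed user store
    req, request_auth = nas_access_request(user, password, secret, ident=7, nas_ip=bytes([192, 168, 1, 16]))
    return nas_check_reply(radius_server(req, secret, users), request_auth, secret)
```

Note what the code does not give you: User-Password hiding is an MD5 keystream, not encryption, and the shared secret is the only thing protecting the NAS-to-RADIUS link, so that link should be on a management network or inside IPsec, and the secret should be long and per-NAS. This is also why EAP methods (EAP-TLS, PEAP) carry their own protection rather than relying on RADIUS.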
Considerations for Authenticating Wireless Users
Wireless authentication: considerations
- WEP: uses a shared key to control access; uses the same key as the base for encrypting traffic; the design is broken and the key can be recovered from captured traffic, so WEP provides neither authentication nor confidentiality
- MAC filtering: allows only a predefined group of client computers to access the network; MAC addresses are sent in the clear and are trivially spoofed, so this is an inventory control, not authentication
- WPA or WPA2: WPA uses TKIP to change the per-packet key continually, unlike WEP; WPA2 uses the stronger AES-CCMP; both can use a pre-shared key, whose strength is then the strength of the passphrase
- PEAP: the authentication server authenticates to the client with a certificate and TLS creates an encrypted channel inside which the client authenticates (for example with MS-CHAPv2); requires a server certificate but no client certificates, so no full PKI
- EAP-TLS: requires a PKI; provides mutual authentication with certificates on both sides
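The pre-shared key option in the WPA/WPA2 row is the one most often deployed and most often misjudged. The following is an added example, not code from the course: it derives the WPA/WPA2 pairwise master key exactly as IEEE 802.11i Annex H specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes) and then runs the offline guessing an attacker performs after capturing one 4-way handshake. The comparison of derived PMKs stands in for the PTK and MIC computation a real cracker does over the handshake; the SSID, passphrases and wordlist are constructed, and the "IEEE"/"password" pair is the standard's own test vector.

```python
"""Added example (not from the course): WPA/WPA2-PSK key derivation (IEEE 802.11i
Annex H) and the offline dictionary attack a captured handshake enables."""
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit PMK. Every client on the network derives the same value, and every
    session key descends from it, so the passphrase is the only secret."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_guess(captured_pmk: bytes, ssid: str, candidates: list) -> str:
    """Offline attack: 4096 HMAC-SHA1 per candidate, no traffic to the network, no lockout.
    Returns the matching passphrase or '' if the wordlist is exhausted."""
    for candidate in candidates:
        if hmac.compare_digest(wpa2_pmk(candidate, ssid), captured_pmk):
            return candidate
    return ""


def demo() -> dict:
    """Constructed comparison of a guessable passphrase and a long random one."""
    ssid = "CorpWiFi"  # constructed
    weak = wpa2_pmk("summer2024", ssid)
    strong = wpa2_pmk("8Fq!v2Lk#pZ7wR3e$cT0", ssid)  # constructed
    wordlist = ["password", "welcome1", "summer2024", "CorpWiFi123"]  # constructed
    return {"weak": offline_guess(weak, ssid, wordlist), "strong": offline_guess(strong, ssid, wordlist)}
```

The 4096 iterations slow each guess but do nothing against a short or predictable passphrase, and the SSID salt only prevents precomputed tables for a given network name. Where users must be individually authenticated and revocable, the PEAP or EAP-TLS rows above (802.1X) remove the shared secret altogether.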
Considerations for Authenticating Network Devices
To design user authentication for network devices, determine:
- How user accounts and passwords are stored
- How to integrate the authentication protocol with Windows-based computers
- How credentials are transmitted across the network
- How you can audit authentication
Lab: Designing Security for Authentication
- Exercise 1: Identifying Potential Authentication Vulnerabilities
- Exercise 2: Implementing Countermeasures