Lesson 8: Implementing Identity and Account Management Controls

Uploaded by Phan Sư Ýnh

Lesson 8
Implementing Identity and Account Management Controls

Topic 8A
Implement Identity and Account Types

CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered

• 3.7 Given a scenario, implement identity and account management controls
• 5.3 Explain the importance of policies to organizational security

Identity Management Controls

• Certificates and smart cards
  • Public key cryptography
  • Subject identified by a public key, wrapped in a digital certificate
  • Private key must be kept secure
• Tokens
  • Authorizations issued under single sign-on
  • Avoids need for the user to authenticate to each service
• Identity provider
  • Provisions and manages accounts
  • Processes authentication
• Federated identity management

Background Check and Onboarding Policies

• Human resources (HR) and personnel policies
  • Recruitment (hiring)
  • Operation (working)
  • Termination/separation (firing or retiring)
• Background check
• Onboarding
  • Welcoming new employees or contractors to the organization
  • Account provisioning
  • Issuing credentials
  • Asset allocation
  • Training/policies
  • Non-disclosure Agreement (NDA)

Personnel Policies for Privilege Management

• Mitigate insider threat
  • Separation of duties
    • Standard operating procedures (SOPs)
    • Shared authority
  • Least privilege
    • Assign sufficient permissions only
    • Reduce risk from compromised accounts
  • Job rotation
    • Distributes institutional knowledge and expertise
    • Reduces critical dependencies
  • Mandatory vacations

Offboarding Policies

• Identity and access management checks
  • Disable the user account and privileges
  • Ensure integrity and availability of information assets managed by the employee
• Retrieving company assets
• Returning personal assets
• Consider shared/generic accounts and security procedures that must be changed

Security Account Types and Credential Management

• Standard users
  • Limited privileges
  • Should not be able to change the system configuration
  • Restricted to account profile
• Credential management policies for personnel
  • Password policy
  • Protect access to the account and prevent compromise
  • Educate users about the risks from reusing credentials and from social engineering
• Guest accounts
  • Account with no credentials (anonymous logon)
  • Unauthenticated access to hosts and websites
  • Must have very limited privileges or be disabled

Security Group-Based Privileges

• User-assigned privileges
  • Assign privileges directly to user accounts
  • Unmanageable if the number of users is large
• Group-based privileges
  • Assign permissions to security groups and assign user accounts to relevant groups
  • Issues with users inheriting multiple permissions

Administrator/Root Accounts

• Privileged/administrative accounts
  • Can change system configuration
• Generic administrator/root/superuser
  • User account with full control over the system
  • Key target for attackers
  • Often disabled or usage restricted after install
• Administrator credential policies
  • Create specific accounts with least privileges (generic account prohibition)
  • Enforce multifactor authentication
• Default security groups
  • Administrators/sudoers

Service Accounts

• Windows service accounts
  • System
  • Local Service
  • Network Service
• Linux accounts to run services (daemons)
  • Deny shell access
• Managing shared service account credentials

Shared/Generic/Device Accounts and Credentials

• Shared accounts
  • Accounts whose credentials are known to more than one person
• Generic accounts
  • Accounts created by default on OS install
  • Only account available to manage a device
  • Might use a default password
• Risks from shared and generic accounts
  • Breaks the principle of non-repudiation
  • Difficult to keep the credential secure
• Credential policies for devices
  • Privileged access management software

Secure Shell Keys and Third-party Credentials

• Secure Shell (SSH) used for remote access
  • Host key identifies the server
  • User key pair used to authenticate to the server
  • Server holds a copy of valid users' public keys
  • Keys must be actively managed
• Third-party credentials
  • Passwords and keys to manage cloud services
  • Highly vulnerable to accidental disclosure

Topic 8B
Implement Account Policies

Syllabus Objectives Covered

• 3.7 Given a scenario, implement identity and account management controls

Account Attributes and Access Policies

• Account attributes
  • Security ID, account name, credential
  • Extended profile attributes
  • Per-app settings and files
• Access policies
  • File permissions
  • Access rights
  • Active Directory Group Policy Objects (GPOs)

Account Password Policy Settings

• Length
• Complexity
  • Character combinations
• Aging
• History and reuse
• NIST guidance
• Password hints
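The settings above can be seen working together in a small password validator. This is an added example, not code from the CompTIA course: the length floor, blocklist, history depth and the optional legacy complexity rule are constructed policy values, and the blocklist stands in for a real breached-password list.

```python
import hashlib
import re

# Constructed policy values for the example (not from the slides).
MIN_LENGTH, MAX_LENGTH = 8, 64   # NIST SP 800-63B: at least 8 characters, and accept long passphrases
HISTORY_DEPTH = 5                # "history and reuse": remember this many previous hashes
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1"}   # stand-in for a breach list

def _salted_hash(password, salt):
    """Per-account salt so stored history cannot be compared across accounts."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def check_password(candidate, history, salt, username, legacy_complexity=False):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if len(candidate) > MAX_LENGTH:
        problems.append("too long")
    lowered = candidate.lower()
    # NIST guidance: screen against known-bad values rather than forcing composition rules;
    # strip a trailing digit/symbol run so "Password1!" still matches "password".
    if lowered in BLOCKLIST or lowered.rstrip("0123456789!@#$") in BLOCKLIST:
        problems.append("on blocklist")
    if username.lower() in lowered:
        problems.append("contains username")
    if len(set(candidate)) < 4:
        problems.append("too repetitive")
    if _salted_hash(candidate, salt) in history[-HISTORY_DEPTH:]:
        problems.append("reused")
    if legacy_complexity:             # the older "character combinations" rule, off by default
        classes = sum(bool(re.search(p, candidate)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
        if classes < 3:
            problems.append("complexity")
    return problems

def record_password(password, history, salt):
    """Append the new password's hash and keep only HISTORY_DEPTH entries."""
    history.append(_salted_hash(password, salt))
    return history[-HISTORY_DEPTH:]
```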

Account Restrictions

• Network location
  • Connecting from a VLAN or IP subnet/remote IP
  • Connecting to a machine type or group (clients versus servers)
  • Interactive versus remote logon
• Geolocation
  • By IP address
  • By Location Services
  • Geofencing
  • Geotagging
• Time-based restrictions
  • Logon hours
  • Logon duration
  • Impossible travel time/risky login
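Two of these restrictions, logon hours and impossible travel, can be evaluated from a logon feed. The following detector is an added example, not part of the course material: the events, the 900 km/h threshold and the 07:00-19:59 logon window are constructed, and geolocation is assumed to have already been resolved to coordinates.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0       # faster than an airliner: two logons this far apart cannot be one person
LOGON_HOURS = (7, 20)       # constructed policy: interactive logons allowed 07:00-19:59 UTC

# Constructed sample logon events, not real logs: (user, UTC time, latitude, longitude, logon type)
EVENTS = [
    ("jsmith", "2020-01-01T08:05:00Z", 51.51, -0.13, "interactive"),   # London
    ("jsmith", "2020-01-01T09:40:00Z", 40.71, -74.01, "remote"),       # New York, 95 minutes later
    ("jsmith", "2020-01-01T22:15:00Z", 40.71, -74.01, "interactive"),  # same place, outside logon hours
    ("adoe",   "2020-01-01T10:00:00Z", 48.86, 2.35, "interactive"),    # Paris
    ("adoe",   "2020-01-01T14:00:00Z", 52.52, 13.41, "interactive"),   # Berlin, four hours later: plausible
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_risky_logins(events):
    """Return (user, timestamp, reason) for each logon that breaks a restriction."""
    findings, last_seen = [], {}          # last_seen: user -> (time, lat, lon)
    for user, ts, lat, lon, logon_type in sorted(events, key=lambda e: e[1]):
        when = _parse(ts)
        if logon_type == "interactive" and not (LOGON_HOURS[0] <= when.hour < LOGON_HOURS[1]):
            findings.append((user, ts, "outside logon hours"))
        if user in last_seen:
            prev_time, plat, plon = last_seen[user]
            hours = (when - prev_time).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if km > 1 and (hours == 0 or km / hours > MAX_SPEED_KMH):   # hours == 0: simultaneous, far apart
                findings.append((user, ts, f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last_seen[user] = (when, lat, lon)
    return findings
```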

Account Audits

• Accounting and auditing to detect account misuse
  • Use of file permissions to read and modify data
  • Failed login or resource access attempts
• Recertification
  • Monitoring use of privileges
  • Granting/revoking privileges
  • Communication between IT and HR

Account Permissions

• Impact of improperly configured accounts
  • Insufficient permissions
  • Unnecessary permissions
• Escalating and revoking privileges
• Permission auditing tools

Usage Audits

• Account logon and management events
• Process creation
• Object access (file system / file shares)
• Changes to audit policy
• Changes to system security and integrity (anti-virus, host firewall, and so on)

Account Lockout and Disablement

• Disablement
  • Login is disabled until manually re-enabled
  • Combine with remote logoff
• Lockout
  • Login is prevented for a period and then re-enabled
  • Policies to enforce automatic lockout
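The difference between lockout (self-expiring) and disablement (manual re-enable, with remote logoff) is easiest to see as a small state machine. This is an added example, not the course's code; the threshold, observation window and lockout duration are constructed values that mirror the three settings a Windows lockout policy exposes.

```python
from datetime import datetime, timedelta

# Constructed policy values (not from the slides); they mirror the three
# account-lockout settings: threshold, observation window and lockout duration.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)   # failures older than this are forgotten
LOCKOUT_DURATION = timedelta(minutes=15)     # lockout: login is re-enabled automatically

class Account:
    def __init__(self, name):
        self.name = name
        self.failures = []           # timestamps of recent failed attempts
        self.locked_until = None     # lockout expires on its own
        self.disabled = False        # disablement persists until an admin re-enables
        self.sessions = set()        # live logon sessions, for "combine with remote logoff"

    def status(self, now):
        if self.disabled:
            return "disabled"
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        return "active"

    def attempt(self, now, success, session_id=None):
        """Apply one logon attempt at time `now` and return the resulting status."""
        state = self.status(now)
        if state != "active":
            return state                 # even a correct password is refused while locked/disabled
        if success:
            self.failures.clear()
            if session_id:
                self.sessions.add(session_id)
            return "active"
        self.failures = [t for t in self.failures if now - t <= OBSERVATION_WINDOW]
        self.failures.append(now)
        if len(self.failures) >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            self.failures.clear()
            return "locked"
        return "active"

    def disable(self):
        """Offboarding/incident action: block logon and log off any live sessions."""
        self.disabled = True
        self.sessions.clear()

    def enable(self):
        self.disabled = False
        self.locked_until = None
```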

Topic 8C
Implement Authorization Solutions

Syllabus Objectives Covered

• 2.4 Summarize authentication and authorization design concepts
• 3.8 Given a scenario, implement authentication and authorization solutions
• 4.1 Given a scenario, use the appropriate tool to assess organizational security (chmod only)

Discretionary and Role-Based Access Control

• Access control model determines how users receive permissions/rights
• Discretionary Access Control (DAC)
  • Based on resource ownership
  • Access Control Lists (ACLs)
  • Vulnerable to compromised privileged user accounts
• Role-Based Access Control (RBAC)
  • Non-discretionary and more centralized control
  • Based on defining roles, then allocating users to roles
  • Users should only inherit role permissions to perform particular tasks

File System Security

• Access Control List (ACL)
  • Access Control Entry (ACE)
  • File system support
• Linux permissions and chmod
  • Symbolic (rwx)
    • User, group, world
  • Octal
    • r=4
    • w=2
    • x=1

Mandatory and Attribute-Based Access Control

• Mandatory Access Control (MAC)
  • Labels and clearance
  • System policies to restrict access
• Attribute-Based Access Control (ABAC)
  • Access decisions based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes
  • Conditional access

Rule-Based Access Control

• Non-discretionary
  • System determines rules, not users
• Conditional access
• Continual authentication
• User account control (UAC)
• Privileged access management
  • Policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts

Directory Services

• Database of subjects
  • Users, computers, security groups/roles, and services
  • Access Control Lists (authorizations)
• X.500 and Lightweight Directory Access Protocol (LDAP)
  • Distinguished names
    • Attribute=Value pairs

CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=foo
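A distinguished name is a comma-separated chain of Attribute=Value pairs, most specific first, so it is worth seeing how it is split correctly when a value itself contains a comma. The parser below is an added example, not part of the course; it handles RFC 4514 backslash escapes and "+" multi-valued RDNs but not hex escapes.

```python
def _split_unescaped(text, sep):
    """Split on `sep` unless the separator is preceded by a backslash (RFC 4514 escaping)."""
    parts, cur, esc = [], [], False
    for ch in text:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)          # keep the escape for now; _unescape removes it later
            esc = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def _unescape(value):
    out, esc = [], False
    for ch in value:
        if esc:
            out.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        else:
            out.append(ch)
    return "".join(out)

def parse_dn(dn):
    r"""Return ordered (ATTRIBUTE, value) pairs as written in the DN (most specific first).
    Handles '\,' escapes and '+' multi-valued RDNs; hex escapes such as '\2c' are not decoded."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            pairs.append((attr.strip().upper(), _unescape(value.strip())))
    return pairs

def domain_from_dn(dn):
    """Join the DC components into the DNS-style domain the entry belongs to."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")
```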

Federation and Attestation

• Federated identity management
  • Networks under separate administrative control share users
• Identity providers and attestation
• Cloud versus on-premises requirements

Security Assertions Markup Language

• Open standard for implementing identity and service provider communications
• Attestations/assertions
  • XML format
  • Signed using XML signature specification
• Communications protocols
  • HTTPS
  • Simple Object Access Protocol (SOAP)

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="200" Version="2.0"
    IssueInstant="2020-01-01T20:00:10Z"
    Destination="https://sp.foo/saml/acs" InResponseTo="100">
  <saml:Issuer>https://idp.foo/sso</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <samlp:Status>...(success)...</samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="2000" Version="2.0"
      IssueInstant="2020-01-01T20:00:09Z">
    <saml:Issuer>https://idp.foo/sso</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <saml:Subject>...
    <saml:Conditions>...
      <saml:AudienceRestriction>...
    <saml:AuthnStatement>...
    <saml:AttributeStatement>
      <saml:Attribute>...
      <saml:Attribute>...
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
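The response skeleton above carries several fields a service provider must check before trusting the assertion: Destination, InResponseTo, Status, Issuer, the signature, the validity window and AudienceRestriction. The checker below is an added example, not the course's code; the sample response fills in the slide's skeleton with constructed values, and signature verification is assumed to be done separately by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed response filling in the slide's skeleton: IDs, URLs and times are the slide's; the
# status code, conditions, audience and signature placeholder are invented for this example.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="200" Version="2.0" IssueInstant="2020-01-01T20:00:10Z"
  Destination="https://sp.foo/saml/acs" InResponseTo="100">
  <saml:Issuer>https://idp.foo/sso</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="2000" Version="2.0" IssueInstant="2020-01-01T20:00:09Z">
    <saml:Issuer>https://idp.foo/sso</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2020-01-01T20:00:00Z" NotOnOrAfter="2020-01-01T20:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.foo</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, acs_url, sp_entity_id, request_id, trusted_issuer, now):
    """Names of failed checks ([] = consumable); assumes ds:Signature was verified elsewhere."""
    root, problems = ET.fromstring(xml_text), []
    if root.get("Destination") != acs_url:                 # must be addressed to our ACS URL
        problems.append("destination")
    if root.get("InResponseTo") != request_id:             # must answer the AuthnRequest we issued
        problems.append("in_response_to")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no_assertion"]
    if assertion.findtext("saml:Issuer", None, NS) != trusted_issuer:
        problems.append("issuer")
    if assertion.find("ds:Signature", NS) is None:         # unsigned assertions are never trusted
        problems.append("unsigned")
    cond = assertion.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _ts(nb) <= now < _ts(na)):       # expired or not-yet-valid assertion
        problems.append("validity_window")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:                      # assertion was minted for a different SP
        problems.append("audience")
    return problems
```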

OAuth and OpenID Connect

• "User-centric" federated services better suited to consumer websites
• Representational State Transfer (REST) Application Programming Interfaces (APIs) (RESTful APIs)
• Framework for implementation, not a protocol
• OAuth
  • Designed to communicate authorizations rather than explicitly authenticate a subject
  • Client sites and apps interact with OAuth IdPs and resource servers that hold the principal's account/data
  • Different flow types for server to server or mobile app to server
  • JavaScript Object Notation (JSON) Web Token (JWT)
• OpenID Connect (OIDC)
  • Adds functions and flows to OAuth to support explicit authentication

Topic 8D
Explain the Importance of Personnel Policies

Syllabus Objectives Covered

• 5.3 Explain the importance of policies to organizational security

Conduct Policies

• Acceptable use policy (AUP)
  • Employee use of employer's hardware and software assets
• Rules of behavior and social media analysis
  • General requirements for professional standards
  • Covers personal communications and social media accounts
  • Additional clauses for privileged users
• Use of personally owned devices
  • Bring your own device
  • Shadow IT
• Clean desk

User and Role-based Training

• Impacts and risks from untrained users
• Topics for security awareness
  • Overview of security policies
  • Incident response procedures
  • Site security procedures
  • Data handling
  • Password and account management
  • Awareness of social engineering and malware threats
  • Secure use of software such as browsers and email clients
• Role-based training
  • Appropriate language
  • Level of technical content

Diversity of Training Techniques

• Engagement and retention
• Training delivery methods
• Phishing campaigns
  • Simulating phishing messages to test employee awareness
• Capture the flag
• Computer-based training (CBT)
  • Simulations
  • Branching scenarios
  • Gamification elements

Lesson 8
Summary
