CompTIA Security+ SY0-601 – 3.7 Implement identity and account management controls.
In this video we’re going to be talking about identity and account types. So when you’re thinking of identity, what comes to mind? Probably your username comes to mind. That’s what comes to my mind right away. How do I identify myself to a computer? That’s generally done with a username. But there are other ways to identify yourself to a computer. Let’s take a look at some terms that we need to understand. The first thing we have is what is known as an identity provider. Identity providers are basically places or software that store your identity and vouch for it to other systems. For example, when doing single sign-on, when you use one username and password to log into multiple resources, you need somewhere to store that username and that password. We’ll talk about OAuth, OpenID, Kerberos and things of that nature coming up later in the class.
But something like an OpenID provider is basically an identity provider. Keep in mind we’ll talk about that a little bit later. Another thing you want to talk about when you’re talking about someone’s identity is the attributes. Identity attributes could be physical attributes like the sex of a person, male or female. You also have your Social Security number. Other identity information that we could use to authenticate people would be things like thumbprints; a fingerprint is also an identity attribute. Also, when identifying yourself to a computer, we could use certificates, which is something we have gone over in depth. So don’t forget, say if I go to Amazon, how does Amazon prove its identity to me? By providing the certificate that we see here. This is how Amazon is telling me, hey, I’m Amazon, and I know you’re Amazon because I see the Amazon certificate (and my browser has checked that it chains to a trusted CA and matches the site name).
Another way we could do it is with tokens. This is another thing we talked about when we covered authentication. You could use RSA tokens, whether it’s a soft token like an app on your phone or a hardware token like a physical RSA token. The other thing we have is SSH, and I showed you guys how to set it up with SSH keys to log you in. And of course smart cards, another "something you have" that we talked about. So these are all ways to identify yourself, but they can also help you authenticate yourself. Now when it comes to account types, there’s a lot of different account types that we should be familiar with. So for a user account, on this computer right now, if I right-click on Start, I’m going to go to Computer Management. Okay, here we go.
Okay, so here we go. In Computer Management, if I go to Local Users and Groups, these are basically the user accounts. So here I have my user account, Andrew, and this account right now is a member of the Administrators group. This is who I’m logged in as right now. So these here would be user accounts; user accounts allow you to log in and use the computer. Now you do have shared and generic accounts and credentials, although it is never recommended to share credentials or share accounts, especially for individual users, because you lose accountability: the logs can no longer tell you which person performed an action. But you do have some generic accounts that people may log in to once in a while, like the Administrator account. Now, I do want to point out that in Windows the built-in Administrator account is disabled by default. You can see that the account is actually disabled.
You can see the little down arrow on it. But on something like a Windows server, when I log into this Windows Server, you notice the Administrator account is already enabled. So you see I just logged in as the administrator, so it’s not disabled there. That is more of a generic account. Now you do have guest accounts. Windows does come with a Guest account, and you can see this one here is disabled. A guest account is basically a user account with extremely limited privileges. You could enable this account, give it a password, and if you want people just to open it and maybe use a web browser, they could. And the last one that’s mentioned is something called a service account.
So if I go here to Services, these services generally run as a particular account. You do have the built-in identities like Local System, but for certain services, if I just double-click on one of them and go to the Log On tab, you notice that you could specify a particular account for that service to run as. Now, service accounts are not so much a desktop thing as a server thing. When you’re running specific services like batch processing, databases and so on, you could specify specific accounts. So administrators create a specific user account with specific rights to run those services. Now, it’s fine to do that, just make sure the account is secure: a long random password, only the rights the service needs, and no interactive logon. Okay? So when talking about identity, don’t forget the different attributes; tokens and certificates can help prove who you are; and then the different forms of account types. Make sure to review this, just to know these terms for your test.
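The same inventory the lesson walks through in Computer Management and Services, done from PowerShell. This is an added example, not code from the lesson: it lists the user, built-in and guest accounts with their enabled state, shows who is in the local Administrators group, and finds every service that runs under an account an administrator created rather than one of the built-in service identities. It assumes Windows 10/11 or Server 2016+ with PowerShell 5.1 (for the LocalAccounts cmdlets) and an elevated prompt.

```powershell
# Added example: inventory local account types and service accounts.
# Run elevated on Windows 10/11 or Server 2016+ (PowerShell 5.1 or later).

# 1. Local accounts and their state. On a client OS the built-in Administrator
#    and Guest accounts should both report Enabled = False.
$builtIn = 'Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordRequired,
        @{ Name = 'Type'; Expression = {
            if ($builtIn -contains $_.Name) { 'built-in / generic' } else { 'user' } } } |
    Format-Table -AutoSize

# 2. Who holds full control of the machine: members of the local Administrators group.
#    PrincipalSource tells you whether each member is local, from AD, or a Microsoft account.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 3. Service accounts: services whose Log On identity is not one of the built-in
#    service identities (LocalSystem, Local Service, Network Service) and not a
#    per-service virtual account (NT SERVICE\...). Each hit is a credential that an
#    administrator created and has to protect.
$builtInServiceIdentities = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        ($builtInServiceIdentities -notcontains $_.StartName) -and
        ($_.StartName -notlike 'NT SERVICE\*')
    } |
    Select-Object Name, StartName, State, StartMode |
    Sort-Object StartName |
    Format-Table -AutoSize
```

Run the third query on a server and you get the list of accounts whose passwords, rights and "Deny log on locally" settings need reviewing; an empty list on a desktop is what you expect.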
In this video, I’m going to be talking about account policies. Now, one of the most basic security tasks that you’re going to be doing as a security manager, analyst or administrator is managing user accounts. So in this video, I’m going to be going through a whole bunch of different things with you, and it’s quite a long list of things that we should know when managing user accounts: things like making sure passwords are complex, or restricting where and when users can log in. So this is basically Security 101, right? Managing user accounts is security 101. It’s something that we should all be very familiar with. Let’s take a look at some account policies that we should be familiar with. Now, I’m going to be showing this to you using my Windows Server Active Directory, and I’ll also show you how to do some group policies on your local computer.
Again, this course does not replace an MCSA or MCSE Windows Server course, but I will show you where these things are found so you have a good understanding of what we’re talking about and how it’s done in the real world. So let’s go ahead and get started. The first thing I want to talk about is passwords. Now, when it comes to managing user accounts, we should enable password complexity so users cannot have weak passwords. We want to make sure that we have a good password history. This is how many old passwords you store, and whether you allow people to reuse passwords. A good password history setting is not going to allow them to reuse a password until a certain number of changes have passed. So maybe you store twelve passwords and they can’t keep reusing the same one.
What’s the point of having people change their passwords if they can just keep changing them back to the same old password? So to do this, you can set this in Group Policy on a computer. I’m going to open up my group policy: I’m going to press Windows+R and type MMC to open up an MMC console. So I’ve opened up my MMC. I’m going to add a snap-in here, and we’re going to go down to Group Policy Object Editor, for the local computer. Now, I covered group policies in A+. Hopefully you watched those videos or you took your A+, so you should be familiar with this. I’m going to expand some of these things here, and I’m looking for Security Settings. We’re going to go to Account Policies and then down to Password Policy.
Now, I don’t want to set it up on this computer because I don’t want a complex password; this is just a test machine that we keep wiping after every class. But this is where you would set it. You could also set this on a domain controller and push it to your users. So notice how you have these settings here for password reuse history and complexity. The first one I’ll take a look at is Password must meet complexity requirements, so we can enable that. By enabling that, no one can use a simple password. With complexity enabled, the password has to be at least six characters in length, contain characters from three of the four categories (uppercase, lowercase, digits, symbols), and it cannot contain the user’s account name. The other thing we want to do is enable password history.
So Enforce password history: how many old passwords do we want to remember? If I put twelve in here, they cannot reuse a password until they have gone through twelve newer ones. Another thing is, how long can they keep a password? This is password age, minimum and maximum: the minimum amount of time they must keep a password before they can change it again, and the maximum amount of time they can keep it before they are forced to change it. The minimum age matters because without it a user could cycle through twelve changes in a minute and land right back on the old password. Another thing you always want to do is set a good minimum password length in here, a minimum of eight characters; I would say even ten characters now would be correct. Okay, so that would be passwords. Now, the other thing here is things like time of day. To do this, I’ll show you in Active Directory. Here I have my Active Directory; let me open it from the Start menu.
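The Password Policy settings from the Group Policy walkthrough above, applied from the command line instead of the MMC. This is an added example and not part of the lesson: the first part reads and then hardens the domain’s Default Domain Policy (assumes the RSAT ActiveDirectory module and Domain Admin rights); the second part does the equivalent on a standalone machine with `net accounts` and `secedit`, which is where the local Group Policy editor from the lesson stores its values. The 90-day maximum age is an example value, not something the lesson specifies.

```powershell
# Added example: inspect and harden password policy. Domain part needs the RSAT
# ActiveDirectory module and Domain Admin rights; local part needs an elevated prompt.

# --- Domain: what is the Default Domain Policy right now? ---
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
        MinPasswordAge, MaxPasswordAge, ReversibleEncryptionEnabled

# A weak policy looks like: ComplexityEnabled = False, MinPasswordLength = 0,
# PasswordHistoryCount = 0, MinPasswordAge = 0 (users can cycle straight back to an old
# password). The hardened version below matches the lesson: complexity on, remember 12
# passwords, at least 10 characters, minimum age 1 day. 90 days maximum age is an
# assumed value; reversible encryption off because it stores passwords recoverably.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 12 `
    -MinPasswordLength 10 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -ReversibleEncryptionEnabled $false

# --- Standalone machine: the Local Group Policy > Account Policies > Password Policy values ---
net accounts                                                   # show current settings
net accounts /minpwlen:10 /uniquepw:12 /minpwage:1 /maxpwage:90 # length, history, min/max age in days

# Complexity has no net accounts switch. Export the local security policy, flip
# PasswordComplexity under [System Access] to 1, and import it again.
$cfg = "$env:TEMP\secpol.cfg"
secedit /export /cfg $cfg /areas SECURITYPOLICY
(Get-Content $cfg) -replace '^PasswordComplexity\s*=\s*0\s*$', 'PasswordComplexity = 1' |
    Set-Content $cfg -Encoding Unicode   # secedit writes UTF-16; keep it that way
secedit /configure /db "$env:windir\security\local.sdb" /cfg $cfg /areas SECURITYPOLICY
Remove-Item $cfg
```

After the import, `net accounts` and the Group Policy Object Editor show the same values; if the MMC still shows the old ones, run `gpupdate /force` or reopen the console.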
So if you have Active Directory installed, you would go to Tools and then Active Directory Users and Computers. I have one user, Andy, that I created, and I’m going to go into his account properties. On the Account tab, I have the part here that says Logon Hours. See this? So we can go in here and change when they can log in: the time of day. This is going to be really important because there is the time-of-day restriction, what time of day they can log in, and also time-based login, how long they can stay logged in for; you can set that too. So what we could do here is say, you know what, on Sundays they’re not permitted, on Saturdays they’re not permitted, and from twelve midnight to about seven in the morning they cannot log in.
So we’re denying that. And then from eight in the evening onward, they cannot log in. So basically, I’m only allowing these people to log in between 7:00 A.M. and 8:00 P.M. So I would just say OK, and now Andy’s user account cannot log into my network outside those hours, and he can’t log in on weekends. We can even determine what computers he can log on to, on the same tab under Log On To. Remember, in Active Directory, one username and password can let you log in to multiple computers and resources. Okay, the next thing we’re talking about is network location. There’s a couple of terms here that are related to this: geofencing, geotagging and geolocation. So this is being able to do location-based authentication or location-based login.
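The Logon Hours dialog from the walkthrough above, scripted. This is an added example, not from the lesson. The `logonHours` attribute that the dialog edits is a 21-byte bitmap: 168 bits, one per hour of the week, starting at Sunday 00:00, with the least-significant bit of each byte being the earliest hour, and the hours are stored in UTC (ADUC converts from the admin workstation’s time zone for you; a script has to do that itself, which is the part people get wrong). The function builds that bitmap for weekdays 07:00 to 20:00 local as in the lesson; the UTC-5 offset, the user name `andy` and the workstation names are assumptions. Requires the RSAT ActiveDirectory module.

```powershell
# Added example: build a logonHours bitmap and apply it with Set-ADUser.
# Requires the RSAT ActiveDirectory module and rights to modify the user.

function New-LogonHoursMask {
    param(
        [int[]] $Days,            # 0 = Sunday ... 6 = Saturday (local days)
        [int]   $StartHour,       # first permitted local hour, inclusive (0-23)
        [int]   $EndHour,         # first denied local hour, exclusive (1-24)
        [int]   $UtcOffsetHours   # local offset from UTC, e.g. -5 for US Eastern standard time
    )
    $bits = New-Object bool[] 168
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            # local hour-of-week -> UTC hour-of-week, wrapping around the week boundary
            $idx = (($day * 24 + $hour - $UtcOffsetHours) % 168 + 168) % 168
            $bits[$idx] = $true
        }
    }
    $mask = New-Object byte[] 21
    for ($i = 0; $i -lt 168; $i++) {
        if ($bits[$i]) {
            $byteIndex = [int][math]::Floor($i / 8)
            $mask[$byteIndex] = $mask[$byteIndex] -bor (1 -shl ($i % 8))   # LSB = earliest hour
        }
    }
    return ,$mask   # leading comma stops PowerShell from unrolling the array
}

# Monday to Friday, 07:00-20:00 local, as configured in the lesson. Offset is an assumption.
$mask = New-LogonHoursMask -Days 1,2,3,4,5 -StartHour 7 -EndHour 20 -UtcOffsetHours -5
Set-ADUser -Identity 'andy' -Replace @{ logonHours = [byte[]]$mask }

# The "Log On To" button on the same tab: restrict to named machines (comma-separated).
Set-ADUser -Identity 'andy' -LogonWorkstations 'WS01,WS02'

# Read it back as 21 hex bytes: 3 bytes per day, Sunday first, so a fully denied
# day is "00 00 00" and the weekday pattern repeats five times.
$stored = (Get-ADUser -Identity 'andy' -Properties logonHours).logonHours
($stored | ForEach-Object { $_.ToString('X2') }) -join ' '
```

Because the attribute is in UTC, a weekday window near midnight spills into the neighbouring day’s bytes; that is correct behaviour, not a bug, and it is why the mask is built as 168 individual bits rather than per-day bytes. Note that logon hours are enforced at logon (and, with the "Network security: Force logoff when logon hours expire" policy, for SMB sessions); an already-running interactive session is not automatically terminated.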
So one of the first things you want to do is have geolocation. Geolocation basically lets you know where a device is, and this mostly applies to mobile devices, right? You’re not going to use geolocation or location-based login on a desktop because it doesn’t move. But on laptops you could, and especially on mobile devices; these devices are location-aware. So you could set up the MDM software to record the geolocation. Geotagging just tags the location onto certain images or files, recording where that particular image or file was created. Geolocation tells us where the device is, and then you can do geofencing. For geofencing, you would set up a point, and this is generally done in MDM software, and then a radius of a certain number of miles around it.
And when people go outside that radius, they could get an alert on the phone saying, you know what, you’re outside of the geofence, outside of the geographical region. What that does is you can then restrict them from accessing certain applications, you can send them prompts that they’re outside of the geofence, and the administrator can be alerted about it as well. So this is something that’s useful for phones. It’s useful if you don’t want people accessing certain types of resources outside of a certain physical geographical region, and this may be because of compliance. Okay, the next thing here we have is access policies. These are policies that you’re going to have set up for what people can access, what resources they may be able to access. Then account permissions: account permissions are basically the permissions that account has rights to.
There’s two ways to look at this. The first is which groups the user is in: if I look at this user here, the Andy user on my local computer, this user is right now a member of Administrators. So the permission is that it has full access; but you could make it part of a normal Users group, and then it doesn’t have access to much and it can’t install anything. The other way to look at this would be permissions granted on files and folders. See, if I right-click on a file here and go to Properties, I can see which accounts have access, and I can see that my user account has Full Control. So this would be this account having permissions there. So as an administrator, you need to set the permissions for the user to access certain resources, whether that be a file or folder or an application. That just comes into managing your user accounts and giving them the right permissions. Also, account audits.
So there is a term called permission creep. Here’s how this works. A user starts to work for an organization. They start out with a normal user account; they’re just in, let’s say, the receptionist group. Over time they progress and they get more and more permissions: maybe they move into finance, then accounting, then sales. The problem is they’re moving between departments, they’re going up and they’re going sideways; maybe not to management level, but across. And before you know it, they’ve accumulated a lot of permissions, because nobody removed the old ones when they moved. So what you’ve got to do is audit these accounts to make sure that permission creep isn’t happening. In other words, people with too many permissions is what I’m talking about.
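A permission-creep audit for the scenario just described, plus the folder-permission view from the previous paragraph. This is an added example, not from the lesson: each user’s actual group memberships are compared with the groups their current role is supposed to grant, and anything extra is reported. The role-to-group baseline, the user names, the constructed membership lists and the `C:\Finance` path are all assumptions made for the demonstration; the commented live version assumes the `department` attribute in AD holds the role name.

```powershell
# Added example: detect permission creep by comparing actual group membership
# with an approved per-role baseline. Baseline, users and groups are constructed.

$roleBaseline = @{
    'Receptionist' = @('Domain Users', 'Reception-Staff', 'Printer-Lobby')
    'Finance'      = @('Domain Users', 'Finance-Staff', 'FS-Finance-RW')
    'Sales'        = @('Domain Users', 'Sales-Staff', 'CRM-Users')
}

function Find-PermissionCreep {
    param(
        [string]   $User,
        [string]   $Role,
        [string[]] $CurrentGroups
    )
    $approved = $roleBaseline[$Role]
    if (-not $approved) { throw "No baseline defined for role '$Role'" }
    # Anything the user is in that the role does not justify
    $extra = @($CurrentGroups | Where-Object { $approved -notcontains $_ })
    [pscustomobject]@{
        User        = $User
        Role        = $Role
        ExtraGroups = $extra
        Creep       = ($extra.Count -gt 0)
    }
}

# Constructed sample: Andy went reception -> finance -> sales and kept every group
# along the way; Beth's memberships match her role exactly.
$sample = @(
    [pscustomobject]@{ User = 'andy'; Role = 'Sales'
        Groups = 'Domain Users','Reception-Staff','Printer-Lobby','Finance-Staff','FS-Finance-RW','Sales-Staff','CRM-Users' }
    [pscustomobject]@{ User = 'beth'; Role = 'Finance'
        Groups = 'Domain Users','Finance-Staff','FS-Finance-RW' }
)
$sample |
    ForEach-Object { Find-PermissionCreep -User $_.User -Role $_.Role -CurrentGroups $_.Groups } |
    Where-Object { $_.Creep } |
    Format-Table User, Role, @{ Name = 'ExtraGroups'; Expression = { $_.ExtraGroups -join ', ' } }

# Live version against the directory (RSAT ActiveDirectory module). Assumes the
# 'department' attribute carries the role name used as the baseline key.
# Get-ADUser -Filter * -Properties department | ForEach-Object {
#     $groups = (Get-ADPrincipalGroupMembership -Identity $_).Name
#     Find-PermissionCreep -User $_.SamAccountName -Role $_.department -CurrentGroups $groups
# } | Where-Object { $_.Creep }
#
# Remediation for a confirmed finding:
# Remove-ADGroupMember -Identity 'FS-Finance-RW' -Members 'andy' -Confirm:$false

# The Properties > Security tab from the lesson, for a folder (path is an assumption):
# who has what, and whether it was inherited or set directly on this folder.
(Get-Acl -Path 'C:\Finance').Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The audit is only as good as the baseline: the first run usually produces a long list of "extras" that turn out to be legitimate, and the right response is to add them to the role’s approved set rather than to tolerate unexplained memberships.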
So you want to audit them, and basically what you’re going to do is look at their memberships to see if they have too many permissions, and remove the groups that they don’t need. You don’t want permission creep. The other thing here you have is impossible travel time or risky logins. Use logon hours and geofencing: if you realize that people shouldn’t be logging in late at night, restrict the user accounts. It could be a hacker logging in. Andrew couldn’t be logging in at 2:00 in the morning because I’m asleep at that time, or at least recording videos at that time for you guys, as I do many nights. Impossible travel is the same idea applied to location: two logins from places too far apart for the user to have travelled between them in the time available. Okay, lockouts and disablement. So you could set your accounts to lock out. What this means is that if you put the password in wrong too many times, it could lock the account.
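The two location checks from this section, a geofence (is the device inside the permitted radius?) and an impossible-travel test on sign-in events (could the same account plausibly have moved between two sign-in locations in the time between them?), as an added example that is not part of the lesson. The coordinates, the sign-in events and the 500 mph plausibility threshold are constructed values; in practice the events would come from your IdP, VPN or federation logs with the source IP already geolocated.

```powershell
# Added example: geofence test and impossible-travel detection over constructed sign-in events.

function Get-DistanceMiles {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Great-circle (haversine) distance, Earth radius 3958.8 miles
    $toRad = [math]::PI / 180
    $dLat  = ($Lat2 - $Lat1) * $toRad
    $dLon  = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Pow([math]::Sin($dLat / 2), 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) * [math]::Pow([math]::Sin($dLon / 2), 2)
    return 2 * 3958.8 * [math]::Asin([math]::Sqrt($a))
}

function Test-InsideGeofence {
    param([double]$Lat, [double]$Lon, [double]$CenterLat, [double]$CenterLon, [double]$RadiusMiles)
    (Get-DistanceMiles $Lat $Lon $CenterLat $CenterLon) -le $RadiusMiles
}

function Find-ImpossibleTravel {
    param([object[]]$Events, [double]$MaxMph = 500)   # 500 mph: roughly airliner speed
    $byUser = $Events | Sort-Object User, Time | Group-Object User
    foreach ($g in $byUser) {
        $prev = $null
        foreach ($e in $g.Group) {
            if ($prev) {
                $miles = Get-DistanceMiles $prev.Lat $prev.Lon $e.Lat $e.Lon
                $hours = ($e.Time - $prev.Time).TotalHours
                $mph   = if ($hours -gt 0) { $miles / $hours } else { [double]::PositiveInfinity }
                # Ignore short hops (mobile IP geolocation is noisy); flag only real distances
                if ($miles -gt 50 -and $mph -gt $MaxMph) {
                    [pscustomobject]@{
                        User = $e.User; From = $prev.Where; To = $e.Where
                        Miles = [math]::Round($miles); Hours = [math]::Round($hours, 2); Mph = [math]::Round($mph)
                    }
                }
            }
            $prev = $e
        }
    }
}

# Constructed sign-in events (the fields you would extract from IdP / VPN logs)
$events = @(
    [pscustomobject]@{ User = 'andy'; Time = [datetime]'2023-05-01T14:00:00Z'; Where = 'New York'; Lat = 40.71; Lon = -74.01 }
    [pscustomobject]@{ User = 'andy'; Time = [datetime]'2023-05-01T15:30:00Z'; Where = 'Kyiv';     Lat = 50.45; Lon = 30.52 }
    [pscustomobject]@{ User = 'beth'; Time = [datetime]'2023-05-01T09:00:00Z'; Where = 'New York'; Lat = 40.71; Lon = -74.01 }
    [pscustomobject]@{ User = 'beth'; Time = [datetime]'2023-05-01T17:00:00Z'; Where = 'Boston';   Lat = 42.36; Lon = -71.06 }
)
# Andy: ~4700 miles in 1.5 hours is flagged; Beth: ~190 miles in 8 hours is not.
Find-ImpossibleTravel -Events $events | Format-Table -AutoSize

# Geofence: 25-mile radius around an assumed head-office location
Test-InsideGeofence -Lat 40.75 -Lon -73.99 -CenterLat 40.71 -CenterLon -74.01 -RadiusMiles 25
Test-InsideGeofence -Lat 50.45 -Lon 30.52  -CenterLat 40.71 -CenterLon -74.01 -RadiusMiles 25
```

Treat an impossible-travel hit as a trigger for step-up authentication or a session revoke rather than an automatic block: VPN exit nodes and corporate proxies produce false positives, so the allow-list of known egress locations is part of any production version of this check.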
And what happens when this happens? Let’s say you set a minimum password length and complexity, and people mistype. So I’m going to go to Account Lockout Policy. In there I have the lockout duration and the lockout threshold. If I set the threshold to three, for example, and somebody puts in their password incorrectly three times, it locks them out. Now, what happens when you lock it out? Do they have to wait a certain number of minutes, or does somebody have to come and unlock the account? Depending on how you set it, the account could be locked out for a certain period of time, which is good because users know how long they need to wait, but sometimes the policy is set so that the account stays locked until an administrator manually unlocks it. Disabling an account is the related manual control.
Somebody would have to go in, like right now the Administrator account is disabled, and uncheck the "Account is disabled" box. So sometimes a lockout keeps the account out of use until an administrator acts. Most of the time it just locks the account for the duration you configured (Windows defaults to 30 minutes once a threshold is set), and then they can re-enter their password. Another thing is, when someone leaves, disable the account. A lot of organizations don’t like deleting accounts, because deleting destroys the SID along with any file ownership and audit history tied to it, so what they do is disable the account. Security breaches since the beginning of time have been happening because someone left the organization and no one disabled the account. This is more of an administrative policy and procedure that has to be followed than a technical thing. All right, so a lot of interesting things here when it comes to account policies; make sure to review this section. This is just IT security 101 when it comes to managing user accounts.
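Lockout and disablement from PowerShell, as an added example rather than code from the lesson. It sets the Account Lockout Policy discussed above (threshold of three, 30-minute window and duration), shows how to find and unlock locked accounts, runs the leaver process (disable, annotate, move to a quarantine OU rather than delete), and finds the accounts nobody disabled. It assumes the RSAT ActiveDirectory module and domain rights; the user names and the `OU=Disabled Users,DC=contoso,DC=com` path are assumptions. The last two lines show the standalone-machine equivalents for the local accounts from the first video.

```powershell
# Added example: account lockout policy, unlocking, and leaver disablement.
# Requires the RSAT ActiveDirectory module and rights on the domain.

# Lockout policy: 3 bad attempts within a 30-minute window locks the account for 30
# minutes. A duration of 0 would keep it locked until an administrator unlocks it.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Who is locked out right now? Many accounts locking at once is a password-spray
# signature, not a typo, so look at the list before you unlock anyone.
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LastLogonDate
Unlock-ADAccount -Identity 'andy'

# Leaver process: disable rather than delete, so the SID and everything tied to it
# (file ownership, audit trail) survive; record why; move to a quarantine OU.
$leaver = Get-ADUser -Identity 'andy'
Disable-ADAccount -Identity $leaver
Set-ADUser -Identity $leaver -Description ("Disabled {0:yyyy-MM-dd}: left the organization" -f (Get-Date))
Move-ADObject -Identity $leaver.DistinguishedName -TargetPath 'OU=Disabled Users,DC=contoso,DC=com'

# Catch the ones nobody disabled: still-enabled user accounts with no logon in 90 days.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, SamAccountName, LastLogonDate |
    Sort-Object LastLogonDate

# Standalone machine equivalents (elevated prompt): same lockout values, and the
# checkbox from Computer Management for the built-in Administrator account.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30
Disable-LocalUser -Name 'Administrator'
```

The inactive-account query is the technical backstop for the procedural gap the lesson describes: HR tells IT about most leavers, but a scheduled run of that query catches the ones the process missed.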