You're reading from CompTIA Security+: SY0-601 Certification Guide - Second Edition

Product type: Book
Published in: Dec 2020
Publisher: Packt
ISBN-13: 9781800564244
Edition: 2nd Edition
Author: Ian Neil

Ian Neil is one of the world's top trainers of Security+. He is able to break down information into manageable chunks so that people with no background knowledge can gain the skills required to become certified. He has recently worked for the US Army in Europe and designed a Security+ course that catered to people from all backgrounds (not just IT professionals), with an extremely successful pass rate. He is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner that has worked with high-end training providers over the past 23 years and was one of the first technical trainers to train Microsoft internal staff when they opened their Bucharest Office in 2006.

Chapter 3: Investigating Identity and Access Management

Controlling access to computer systems is a key duty of any security professional. We will look at the different types of access control so that you can select the best solution for your company and, in an examination, choose the best method for a given scenario.

In this chapter, we will look at different types of authentication, looking first at Identity and Access Management concepts.

We will cover the following exam objectives in this chapter:

  • Understanding Identity and Access Management Concepts
  • Implementing Authentication and Authorization Solutions
  • Summarizing Authentication and Authorization Design Concepts
  • Common Account Management Policies

Understanding Identity and Access Management Concepts

One of the first areas in IT security is giving someone access to the company's network to use resources for their job. There are four key elements to Identity and Access Management (IAM), and these are identity, authentication, authorization, and accounting. Let's look at each of these in the order in which they should be presented:

  • Identity: Each person needs some form of identification so that they can prove who they are; this could be a username, smart card, or some sort of biometric control. It needs to be unique to the person using that form of identity.
  • Authentication: The second part, after proving your identity, is to provide authentication for that identity. This can be done in many ways; for example, entering a password or, if you have a smart card, a Personal Identification Number (PIN).
  • Authorization: Once the individual has been authenticated, they are given an access level based on...

Identity Types

An identity provider (IdP) is an entity that can validate the credentials that are presented. The identification could be a certificate, token, or details such as a username or password. IdPs are used by cloud providers that use federation services to validate the identity of a user. For example, the cloud provider would use SAML to pass credentials to the IdP to validate the user's identity.

Example: A user authenticates using a token from a provider such as OKTA. The cloud provider uses SAML to pass the credentials back to OKTA to verify the user's identity.

The following can be used when assessing a person's identity as it needs to be unique to them:

  • Username: This is the account identity given to the user.
  • Attribute: This is a unique variable that the user has in their account details, for example, an employee ID.
  • Smart Card: A credit-card-sized token with a certificate embedded on a chip; it is used in conjunction with a PIN.
  • Certificate...

Account Types

Each user in a system needs an account to access the network in a Microsoft Active Directory environment. The user account has a Security Identifier (SID) linked to the account. When I create a user called Ian, they may have a SID of 1-5-1-2345678-345678. When the account is deleted, the SID is deleted too.

For example, a member of the IT team has deleted a user account called Ian, which had a SID of 1-5-1-2345678-345678. He quickly creates another account called Ian, but this account cannot access resources as it has a new SID of 1-5-1-2345678-3499999. The first portion, from left to right, identifies the domain, and the remainder is a serial number that is never reused.

There are various types of user accounts, and these are heavily tested in the Security+ exam; you must know when you would need each account:

  • User Account: A user account, also known as a standard user account, has no real access. They cannot install software – they...

Authentication Types

There are various types of authentication, and in this section, we are going to look at these, starting with security tokens and devices. Let's first look at biometric controls, followed by identity management using certificates.

Security Tokens and Devices

There are different types of tokens that have different time limits. Let's look at the difference between the Time-Based One-Time Password and the HMAC-Based One-Time Password:

  • Time-Based One-Time Password (TOTP): A TOTP requires time synchronization because the password needs to be used within a very short period, normally between 30 and 60 seconds. In the following diagram, we can see a TOTP that has been sent to a phone. It can also be generated on a device similar to the RSA SecurID token. A TOTP could be used when you want to access secure cloud storage or your online bank account:

Figure 3.1 – TOTP

  • HMAC-Based One-Time Password (HOTP): An HOTP is similar...

Implementing Authentication and Authorization Solutions

In this section, we will look at the different types of authentication and authorization solutions that can be used. As an IT security professional, you will need good knowledge of these solutions. Let's start by looking at authentication management.

Authentication Management

There are different types of authentication management, and we will look at each of these in turn:

  • Password Keys: This looks like a USB device and works in conjunction with your password to provide multifactor authentication. An example of this is YubiKey. YubiKey is Federal Information Processing Standards (FIPS) 140-2 validated, provides the highest Authenticator Assurance Level, AAL3, and is used for storing passwords.
  • Password Vaults: Password vaults are stored locally on the device and store all of your passwords so that you don't need to remember them. The password vault uses AES-256 encryption, so it makes storage...

Summarizing Authentication and Authorization Design Concepts

We are going to look at authentication and authorization design concepts that are used by corporate environments. We are going to look at directory services, federation services, biometrics, and multifactor authentication. Let's look at each of these in turn.

Directory Services

Identity management in a corporate environment will use a directory database. This is a centralized database that will authenticate all domain users. We are going to look at Microsoft's Active Directory, where a protocol called the Lightweight Directory Access Protocol (LDAP) manages the users in groups. Let's look at how it works.

LDAP

Most companies provide identity and access services through a directory that stores objects such as users and computers as X.500 objects. The X.500 standards were developed by the International Telecommunication Union (ITU). These objects form what is called a distinguished name and are organized and stored...

Cloud versus On-Premises Authentication

We will now look at the main differences between being authenticated in the cloud or on-premises.

On-Premises

The perimeter of an on-premises environment is very easy to establish and much easier to control, as we can use proximity cards, while guards on reception can also control access to the company. You are responsible for the security of your building and for securing access to your computer systems, which can be deemed trusted systems. They will never go offline. We can apply multi-factor authentication by using smart card authentication.

In the Cloud

There may be a problem if you have no internet access as you will not be able to connect to the cloud. With the adoption of cloud computing, the security perimeter is no longer confined to the on-premises environment but now extends outside of those parameters. Authentication within a cloud environment should adopt a zero-trust model, where every connection is deemed to be a hacker as we cannot...

Common Account Management Policies

To ensure smooth account management, it is vital that company-wide policies are in place and that everyone within the company adheres to them; otherwise, chaos could ensue. Let's look at each of these policies in turn.

Account Creation

Multinational corporations will generate hundreds of accounts annually and need to have a standardized format. This is known as a standard naming convention. Account templates are copied and modified with the details of new employees. Some examples of standard naming conventions are as follows:

  • First name, last name: John.Smith
  • Last name, first name: Smith.John
  • First initial, last name: J.Smith

If you have John Smith and Jack Smith, you would have two J Smiths. Therefore, you may also use a middle initial, J A Smith, or a number at the end, J Smith1, to make them unique.
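The naming convention above is easy to state but the collision handling is where mistakes happen in practice, so here is an added example (not code from the book) that allocates account names in the "first initial, last name" style and applies the fallbacks the text describes: a middle initial first, then a numeric suffix. It also normalizes accented and punctuated surnames to plain ASCII letters, and treats the pool of existing names as case-insensitive, which is an assumption made here because Windows account names are compared that way. The function names, the `JA.Smith` rendering of the middle-initial form and the sample names are this example's own.

```python
import re
import unicodedata
from typing import Optional, Set


def _letters(name: str) -> str:
    """Reduce a name to plain ASCII letters: strip accents, spaces, hyphens and apostrophes."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    letters = re.sub(r"[^A-Za-z]", "", ascii_name)
    if not letters:
        raise ValueError(f"no usable letters in name {name!r}")
    return letters


def make_username(first: str, last: str, existing: Set[str],
                  middle: Optional[str] = None) -> str:
    """Allocate a unique account name in the 'first initial, last name' style (J.Smith).

    On a clash, fall back to a middle initial (JA.Smith) when one is known, and
    otherwise to a numeric suffix (J.Smith1, J.Smith2, ...). The chosen name is
    recorded in `existing` (lower-cased) so the next call cannot hand it out again.
    """
    initial = _letters(first)[0].upper()
    surname = _letters(last).capitalize()
    candidates = [f"{initial}.{surname}"]
    if middle:
        candidates.append(f"{initial}{_letters(middle)[0].upper()}.{surname}")
    for name in candidates:
        if name.lower() not in existing:
            existing.add(name.lower())
            return name
    # Both plain forms are taken: append the lowest free number to the base form.
    suffix = 1
    while f"{candidates[0]}{suffix}".lower() in existing:
        suffix += 1
    name = f"{candidates[0]}{suffix}"
    existing.add(name.lower())
    return name


if __name__ == "__main__":
    # Constructed roster: two J Smiths, as in the text, plus names needing normalization.
    taken: Set[str] = set()
    for first, last, middle in [("John", "Smith", None), ("Jack", "Smith", "Andrew"),
                                ("Jane", "Smith", None), ("José", "Núñez", None),
                                ("Mary", "O'Brien", None)]:
        print(f"{first} {last} -> {make_username(first, last, taken, middle)}")
```

Whatever convention is chosen, the allocation has to be done against the live directory, not a spreadsheet copy of it, or two administrators creating accounts on the same day will produce the duplicate the convention is meant to avoid.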

All user accounts need to be unique so that each person is responsible for their own account. If you leave...

Practical Exercise – Password Policy

In this practical exercise, you need to prevent users from resetting their accounts by using the same password. The company should not allow users to change their password more than once every three days and these passwords need to be complex. A user must use a minimum of 12 passwords before they can reuse the original password. You need to prevent a hacker from using more than five attempts at guessing a password:

  1. On a Windows 10 desktop, type gpedit.msc or, on a domain controller, go to Server Manager | Tools | Group Policy Management. Edit the Default Domain Policy.
  2. Under Computer Configuration, expand Windows Settings.
  3. Select Security Settings.
  4. Select Account Policy, and then select Password Policy.
  5. Select Password History and enter 12 passwords remembered. Press OK.
  6. Select Minimum Password Age. Enter 3 days, and then press OK.
  7. Select Password must meet complexity requirements. Select the radio button...
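To make the effect of these four settings concrete, here is an added example (not from the book) that models them in code: a password history of 12, a minimum password age of 3 days, Windows-style complexity (at least six characters, three of the four character classes, and the username not contained in the password) and lockout after five invalid attempts. Passwords are stored as salted PBKDF2 hashes, and history reuse is detected by re-hashing the candidate against each remembered salt, which is the only way to compare against a history when plaintext is never kept. The class, the return values and the low PBKDF2 round count (chosen so the example runs quickly) are this example's own assumptions, not how Active Directory stores its history.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Policy values from the exercise (constants for this model, not a real GPO export).
HISTORY_SIZE = 12                 # Enforce password history: 12 passwords remembered
MIN_PASSWORD_AGE = 3 * 24 * 3600  # Minimum password age: 3 days, in seconds
LOCKOUT_THRESHOLD = 5             # Account lockout threshold: 5 invalid attempts
PBKDF2_ROUNDS = 10_000            # kept low so the example runs fast; use far more in production


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_digest(password, salt), digest)


def is_complex(password: str, username: str) -> bool:
    """Windows-style complexity: at least 6 characters, three of the four character
    classes (upper, lower, digit, symbol), and the username must not appear in it."""
    if len(password) < 6:
        return False
    if username and username.lower() in password.lower():
        return False
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest first
    last_change: Optional[float] = None
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, new_password: str, now: float) -> Tuple[bool, str]:
        """Apply minimum age, complexity and history checks in that order."""
        if self.last_change is not None and now - self.last_change < MIN_PASSWORD_AGE:
            return False, "minimum password age not reached"
        if not is_complex(new_password, self.username):
            return False, "complexity requirements not met"
        if any(_matches(new_password, salt, d) for salt, d in self.history):
            return False, "password is in history"
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(new_password, salt)))
        del self.history[HISTORY_SIZE:]          # remember only the 12 most recent
        self.last_change = now
        return True, "ok"

    def login(self, password: str) -> str:
        """Returns 'ok', 'invalid' or 'locked'. The fifth wrong guess locks the account."""
        if self.locked:
            return "locked"
        if not self.history:
            return "invalid"
        salt, digest = self.history[0]
        if _matches(password, salt, digest):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
            return "locked"
        return "invalid"


if __name__ == "__main__":
    # Constructed walk-through: a user tries to change back to a recent password.
    day = 24 * 3600
    acct = Account("jsmith")
    print(acct.set_password("Winter-00X", 0))          # (True, 'ok')
    print(acct.set_password("Winter-01X", day))        # rejected: minimum age
    print(acct.set_password("Winter-01X", 3 * day))    # (True, 'ok')
    print(acct.set_password("Winter-00X", 6 * day))    # rejected: in history
```

The minimum-age check is what gives the history setting its teeth: without it, a user can cycle through twelve throwaway passwords in a minute and land back on the original, which is exactly the behaviour the exercise is meant to stop.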

Review Questions

Now it's time to check your knowledge. Answer the questions, and then check your answers, which can be found in the Solutions section at the end of the book:

  1. What is the most common form of authentication that is most likely to be entered incorrectly?
  2. When you purchase a new wireless access point, what should you do first?
  3. What is password history?
  4. How can you prevent someone from reusing the same password?
  5. Explain what a complex password requires.
  6. How can you prevent a hacker from inserting a different password many times?
  7. What type of factor authentication is a smart card?
  8. How many factors is it if you have a password, PIN, and date of birth?
  9. What is biometric authentication?
  10. What authentication method can be used by two third parties that participate in a joint venture?
  11. Name an XML-based authentication protocol.
  12. What is Shibboleth?
  13. What protocol is used to store and search for Active Directory...
