SY0-401:5 TS Quiz Access Control and Identity Management

Terms in this set (54)

"
Answer:
password complexity


Explanation:
Password complexity is the most important setting to ensure password strength. Password complexity allows you to configure which characters should be required in a password to reduce the possibility of dictionary or brute force attacks. A typical password complexity policy would force the user to incorporate numbers, letters, and special characters. Both uppercase and lowercase letters can be required. A password that uses a good mix, such as Ba1e$23q, is more secure than a password that only implements parts of these requirements, such as My32birthday, NewYears06, and John$59.

Password age, sometimes referred to as password expiration, has two parts. Maximum password age is the number of days that may pass before a user is required to change the password. Minimum password age is the number of days that must pass before a user is allowed to change the password again, which stops users from cycling through the history in one sitting to get back to a favorite password. It is a good security practice to enforce a maximum password age of 30 to 60 days. Some companies force users to change their passwords monthly or quarterly. This interval should be determined based on how critical the information is and on how frequently passwords are used.

Password history allows you to configure how many new passwords must be created before an old one can be reused. This setting enhances security by allowing the administrators to ensure that old passwords are not being reused continually. Passwords that are used repeatedly are sometimes referred to as rotating passwords.

Password lockout allows you to configure the number of invalid logon attempts that can occur before an account is locked. Usually this account lockout policy also allows you to configure how long the account remains locked and how long the failed-attempt counter is kept before it resets. In some cases, you may want to configure the account lockout policy so that an administrator must be contacted to re-enable the account.

Other password factors that you should consider include:
Password reuse - specifies whether users can reuse old passwords. In most cases, this setting allows you to configure the number of previous passwords that will be retained. In this case, an old password can be reused if it is old enough to no longer be retained. For example, if you must change your password every 30 days and your system is configured to remember the last 6 passwords, then you will be able to reuse a password 6 months after it is no longer used.
Password length - specifies the minimum number of characters that must be included in the user's password.
The use of strong passwords helps to prevent password cracking, which is the process of recovering passwords from their stored hashes using a dictionary or brute force attack. A security administrator should periodically test the strength of user passwords. The best method for testing is to copy the user password database to a stand-alone, isolated server and run a password-cracking program against the copy, with written authorization and with the copy protected and destroyed afterwards, because it is as sensitive as the original.

"
"
Answer:
to ensure control over user permissions and access rights


Explanation:
Privilege management is the process of determining the security requirements of users, providing access authorization, monitoring the resources accessed by users, and ensuring that the privileges assigned to users, in the form of permissions and access rights to information resources, match their job requirements.

The primary objective of privilege management is to define the entitlement rights of users to access the organization's information. The standard practices for effective privilege management are the ""need to know"" and ""least privilege"" principles. The need to know principle holds that users should be given access only to the information they absolutely require to fulfill their job responsibilities; the least privilege principle extends this to rights and permissions generally, so a user operating under it is denied any access beyond what the job requires.

Need to know policies dictate that information should be limited to only those individuals who require it, to minimize unauthorized access to information.

A group membership refers to a set of users sharing common access rights and permissions to accomplish a given task. For example, users performing accounting activities can be grouped into an accounting group.

Password management refers to the standard security practices of generating and maintaining resource passwords. It includes aspects such as complex passwords, non-sharing of passwords, passwords changes at regular intervals, and password transfers in a secure manner.

A clear reporting structure establishes the process of authorization and accountability because each employee needs to get approvals from the concerned supervisor and is accountable to the supervisor for meeting the security objectives of the organization.

Group-based privileges are easier to manage than user-based privileges. If your organization uses groups, you should add users to the groups and assign permissions to the groups. Otherwise you will need to assign permissions to each user individually, and as the number of users grows, so does the administrative effort needed to manage privileges.

"
"
Answer:
single sign-on


Explanation:
Single sign-on allows users to freely access all systems to which their account has been granted access after the initial authentication. The single sign-on process addresses the issue of multiple user names and passwords. It is based on granting users access to all the systems, applications, and resources they need when they start a computer session. This is considered both an advantage and a disadvantage. It is an advantage because the user only has to log in once and does not have to constantly re-authenticate when accessing other systems. Multiple directories can be browsed using single sign-on. It is a disadvantage because a single compromised account and password yields the maximum access that account holds across every enrolled system. A set of systems or organizations that accept one another's authentication through an SSO arrangement is referred to as a federation. In most cases, transitive trusts are configured between the systems for authentication. Technologies that can be integrated into an SSO solution include Kerberos, LDAP, smart cards, Active Directory, and SAML.

Discretionary access control (DAC) and mandatory access control (MAC) are access control models that help companies design their access control structure. They provide no authentication mechanism by themselves.

Smart cards are authentication devices that can provide increased security by requiring insertion of a valid smart card to log on to the system. They do not determine the level of access allowed to a system. Most smart cards have expiration dates. If a user was reissued a smart card after the previous smart card had expired and the user is able to log into the domain but is now unable to send digitally signed or encrypted email, you should publish the new certificates to the global address list.

A biometric device can provide increased security by requiring verification of a personal asset, such as a fingerprint, for authentication. They do not determine the level of access allowed to a system.

Single sign-on was created to dispose of the need to maintain multiple user accounts and passwords to access multiple systems. With single sign-on, a user is given one account and password that logs on to the system and grants the user access to all systems to which that account has been granted access. By contrast, in a decentralized privilege management environment, user accounts and passwords are stored on each individual server.

"
"
Answer:
Issuing the Run as command to execute administrative tasks during a regular user session


Explanation:
The best implementation of the principle of least privilege is to issue the Run as command (runas.exe on Windows; sudo fills the same role on Unix-like systems) to execute administrative tasks during a regular user session. You should never use an administrative account to perform routine operations such as creating a document or checking your e-mail. Administrative accounts should only be used to perform an administrative task, such as configuring services or backing up the computer. By issuing the Run as command to execute administrative tasks during a regular user session, you execute the task as needed, but limit the administrative account to running only that particular task. If you logged off and back on using the administrative account, there is a possibility that you would forget to return to your regular user account when performing routine tasks.

Completing administrative tasks at a computer that functions only as a server is not an implementation of the principle of least privilege. Users should be able to perform administrative tasks at servers and workstations.

Ensuring that all services use the main administrative account to execute their processes is an example of NOT ensuring the principle of least privilege. Services should use a service account specifically created for the service that is only configured with those rights, permissions, and privileges for the service to carry out its functions.

Issuing a single account to each user, regardless of his job functions, is an example of NOT ensuring the principle of least privilege. Those users charged with administrative duties should be issued a minimum of two accounts: one regular user account for performing normal user tasks and one administrative user account configured with those rights, permissions, and privileges for the user to carry out the administrative duties.

A proper implementation of the principle of least privilege ensures users are given only the user rights they need to execute their authorized tasks. The concept of least privilege exists within the Trusted Computer System Evaluation Criteria (TCSEC), the U.S. Department of Defense standard (the ""Orange Book"") used to classify and evaluate the security of computer systems.

The principle of least privilege is usually implemented by limiting the number of administrative accounts. Tools that are likely to be used by hackers should have permissions that are as restrictive as possible.
"
"
Answer:
password history


Explanation:
Password history allows you to configure how many new passwords must be created before an old one can be reused. This setting enhances security by allowing the administrators to ensure that old passwords are not being reused continually. Reused passwords are sometimes referred to as rotating passwords.

Password age allows you to configure the maximum number of days that may pass before a user is required to change the password, and the minimum number of days that must pass before the user is allowed to change it again. It is a good security practice to enforce a maximum password age of 30 to 60 days. Some companies force users to change their passwords monthly or quarterly. This interval should be determined based on how critical the information is and on how frequently passwords are used.

Password length allows you to configure the minimum number of characters that must be used in a password. At minimum, this policy should be configured to 7 or 8 characters. Be careful not to configure this value too high, as it can make the password very hard to remember.

Password lockout allows you to configure the number of invalid logon attempts that can occur before an account is locked. Usually this account lockout policy also allows you to configure how long the account remains locked and how long the failed-attempt counter is kept before it resets. In some cases, you may want to configure the account lockout policy so that an administrator must be contacted to enable the account again.

Password complexity allows you to configure which characters must make up a password to reduce the effectiveness of dictionary or brute force attacks. A typical password complexity policy would force the user to incorporate numbers, letters, and special characters. In addition, both uppercase and lowercase letters can be required. A password that uses a good mix, such as Ba1e$23q, is more secure than a password that only implements parts of these requirements, such as My32birthday, NewYears06, and John$59. The reason is the size of the keyspace an attacker must search: for a password of length n drawn only from the lowercase letters a to z there are 26^n possibilities; allowing uppercase as well raises that to 52^n, and allowing all 95 printable ASCII characters raises it to 95^n.

Account policies should be enforced on all systems in the company. It is also a good practice to make sure that passwords are never stored or displayed in the clear: they should be masked on screen, stored on disk only as salted hashes rather than as recoverable text, and protected by encryption whenever they are transmitted across the network.

As a good practice, a user's password should never be the same as the login account name.
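
The settings described above (length and complexity, minimum and maximum age, history depth, lockout, and the rule that a password must not equal the account name) can be enforced together in one routine. The Python below is an added example written for this page, not code from the original quiz; the policy values, the Account class and the PBKDF2 parameters are assumptions chosen to mirror the explanation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values are assumptions chosen to mirror the settings discussed above.
MIN_LENGTH = 8
HISTORY_DEPTH = 6               # remember the last 6 passwords
MIN_AGE = timedelta(days=1)     # minimum password age: blocks cycling through the history
MAX_AGE = timedelta(days=60)    # maximum password age (expiration)
LOCKOUT_THRESHOLD = 5           # invalid attempts before the account locks
LOCKOUT_DURATION = timedelta(minutes=30)
PBKDF2_ROUNDS = 100_000


def complexity_ok(pw: str) -> bool:
    '''Minimum length plus at least three of four character classes.'''
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


def hash_password(pw: str, salt: bytes) -> bytes:
    '''Salted, slow hash so the stored history is never a plaintext list.'''
    return hashlib.pbkdf2_hmac('sha256', pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)   # (salt, digest) pairs, newest first
    last_change: datetime = None
    failures: int = 0
    locked_until: datetime = None

    def set_password(self, pw: str, now: datetime) -> str:
        '''Returns 'ok' or the name of the policy rule that rejected the change.'''
        if pw.lower() == self.name.lower():
            return 'equals-username'
        if not complexity_ok(pw):
            return 'complexity'
        if self.last_change is not None and now - self.last_change < MIN_AGE:
            return 'min-age'
        for salt, digest in self.history:
            if hmac.compare_digest(hash_password(pw, salt), digest):
                return 'history'
        salt = os.urandom(16)
        self.history.insert(0, (salt, hash_password(pw, salt)))
        del self.history[HISTORY_DEPTH:]          # forget anything older than the depth
        self.last_change = now
        return 'ok'

    def expired(self, now: datetime) -> bool:
        return self.last_change is None or now - self.last_change > MAX_AGE

    def login(self, pw: str, now: datetime) -> str:
        '''Returns 'ok', 'locked', 'bad-password' or 'expired'.'''
        if self.locked_until is not None and now < self.locked_until:
            return 'locked'
        salt, digest = self.history[0]              # the current password is the newest entry
        if not hmac.compare_digest(hash_password(pw, salt), digest):
            self.failures += 1
            if self.failures >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_DURATION
                self.failures = 0
            return 'bad-password'
        self.failures = 0
        return 'expired' if self.expired(now) else 'ok'
```

The minimum age check is what makes the history check meaningful: without it a user can cycle through six throwaway passwords in a minute and land back on the original. The history is kept as salted PBKDF2 hashes rather than plaintext, so old passwords cannot be read back even by an administrator.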
"
"
Answer:
low security cost
easier to implement


Explanation:
Role-based access control (RBAC) has a low security cost because security is configured based on roles rather than on individual users. For this reason, it is also easier to implement than the other access control models. During the information gathering stage of deploying an RBAC model, you will most likely need a matrix of job titles with their required access privileges.

RBAC is NOT the most user friendly option. Discretionary access control (DAC) is more user friendly than RBAC because it allows the data owner to determine user access rights. If a user needs access to a file, he only needs to contact the file owner.

RBAC is NOT discretionary in nature. DAC is discretionary, meaning access to objects is determined at the discretion of the owner.

RBAC is NOT a highly secure environment. Mandatory access control (MAC) is considered a highly secure environment because every subject and object is assigned a security label.

With RBAC, it is easy to enforce minimum privilege for general users. You would create the appropriate role, configure its permissions, and then add the users to the role. A role is defined based on the operations and tasks that the role should be granted. Roles are based on the structure of the organization and are usually hierarchical.

RBAC is a popular access control model used in commercial applications, especially large networked applications.

Rule-based access control is often confused with RBAC because their names are similar. With rule-based access control, access to resources is based on a set of rules. The user is given the permissions of the first rule that he matches.
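
The role matrix described above translates directly into code. The following Python is an added example, not part of the original quiz; the Rbac class, the department roles, and the separation-of-duties pair are all assumptions chosen to illustrate hierarchical roles and implicit deny.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)   # {(object, operation), ...}
    parents: tuple = ()                              # roles whose permissions this role inherits


class Rbac:
    '''Hierarchical RBAC with a static separation-of-duties constraint.'''

    def __init__(self):
        self.roles = {}
        self.assignments = {}      # user -> set of role names
        self.exclusive = []        # pairs of roles one user may never hold together

    def add_role(self, name, permissions=(), inherits=()):
        for parent in inherits:
            if parent not in self.roles:
                raise KeyError(f'unknown parent role {parent}')
        self.roles[name] = Role(name, set(permissions), tuple(inherits))

    def forbid_together(self, role_a, role_b):
        self.exclusive.append(frozenset((role_a, role_b)))

    def sod_conflict(self, user, role):
        '''Return the already-held role that forbids this assignment, or None.'''
        held = self.assignments.get(user, set())
        for pair in self.exclusive:
            if role in pair:
                other = next(iter(pair - {role}))
                if other in held:
                    return other
        return None

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f'unknown role {role}')
        other = self.sod_conflict(user, role)
        if other is not None:
            raise ValueError(f'{user} may not hold {role} together with {other}')
        self.assignments.setdefault(user, set()).add(role)

    def effective_permissions(self, user):
        '''Union of the user's roles and every role they inherit from (walks the hierarchy).'''
        perms, seen = set(), set()
        queue = deque(self.assignments.get(user, ()))
        while queue:
            name = queue.popleft()
            if name in seen:
                continue
            seen.add(name)
            role = self.roles[name]
            perms |= role.permissions
            queue.extend(role.parents)
        return perms

    def check(self, user, obj, operation):
        '''Implicit deny: anything not granted through a role is refused.'''
        return (obj, operation) in self.effective_permissions(user)


def build_demo():
    '''Constructed role matrix for a small finance department (assumed, not from the page).'''
    r = Rbac()
    r.add_role('employee', {('handbook', 'read')})
    r.add_role('accountant', {('ledger', 'read'), ('ledger', 'write')}, inherits=('employee',))
    r.add_role('auditor', {('ledger', 'read'), ('audit-log', 'read')}, inherits=('employee',))
    r.add_role('ap-clerk', {('invoice', 'create')}, inherits=('employee',))
    r.add_role('ap-approver', {('invoice', 'approve')}, inherits=('employee',))
    r.forbid_together('ap-clerk', 'ap-approver')   # one person may not both raise and approve payments
    r.assign('alice', 'accountant')
    r.assign('bob', 'auditor')
    r.assign('carol', 'ap-clerk')
    return r
```

Adding a new accountant is one assign call; changing what accountants may do is one edit to the role, which is the low administrative cost the explanation refers to.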

"
"
Answer:
RADIUS


Explanation:
Remote Authentication Dial-In User Service (RADIUS) provides centralized remote user authentication, authorization, and accounting.

A virtual private network (VPN) is a technology that allows users to access private network resources over a public network, such as the Internet. Tunneling techniques are used to protect the internal resources. A VPN by itself does not provide centralized authentication, authorization, and accounting.

A demilitarized zone (DMZ) is an isolated subnet on a corporate network that contains resources that are commonly accessed by public users, such as Internet users. The DMZ is created to isolate those resources to ensure that other resources that should remain private are not compromised. A DMZ is usually implemented with the use of firewalls.

Single sign-on is a feature whereby a user logs in once to access all network resources.

RADIUS was defined by RFC 2138 and 2139, since superseded by RFC 2865 (authentication and authorization) and RFC 2866 (accounting). A RADIUS server acts as either the authentication server or a proxy that forwards client requests to other authentication servers. The initial network access server, which is usually a VPN server or dial-up server, acts as a RADIUS client by forwarding the VPN or dial-up client's request to the RADIUS server. RADIUS is the protocol that carries the information between the RADIUS client (the network access server) and the RADIUS server; the end user's VPN or dial-up client speaks PPP, 802.1X or a similar access protocol to the access server, not RADIUS. RADIUS supports 802.1X authentication.

The centralized authentication, authorization, and accounting features of RADIUS allow central administration of all aspects of remote login. The accounting features allow administrators to track usage and network statistics by maintaining a central database.
"
"
Answer:
spread spectrum


Explanation:
Spread spectrum is not a component of a transponder system-sensing card. Spread spectrum is a part of wireless technology.

Proximity readers can be either user-activated or system-sensing readers. If the proximity reader is user activated, the user swipes the card and provides a valid sequence number as access credentials to the reader. This grants the user authorized access to the facility. In a system-sensing proximity reader, the user need not perform any action or provide credentials. The access control system automatically detects the user's presence in a specified area and authenticates the user based on the credentials transmitted to the reader. The reader sends the user credentials to an authentication server for processing. A proximity reader is used to prevent unauthorized employees from entering the data center. If a proximity reader is not used, another alternative is to use a guard. Some companies implement security cameras instead of multiple security guards. The security cameras allow a single security guard to actively monitor more than one entrance.

System-sensing cards are classified into the following categories:
Transponders have a receiver, a transmitter, a place to store the access code, and a battery. Following an authentication request from the reader, the card sends an access code to the reader and is granted authorized access to the facility area.
Passive devices use the power from the reader. The reader transmits an electromagnetic field that is sensed by the passive device to ensure user credential authentication.
Field-powered devices contain active electronics, a microprocessor, and software, but no battery; as the name implies, they draw their power from the reader's electromagnetic field.
"
"
Answer:
keystroke dynamics


Explanation:
Keystroke or keyboard dynamics can work in conjunction with a password to provide increased security. Keystroke dynamics records a user's speed and motion when entering a phrase and compares it to stored data. This type of authentication, when used with a password or passphrase, increases security because it is harder to duplicate a person's typing style than just a password or passphrase.

None of the other options is a biometric method. Password aging is a security method in which a password policy is created to force a user to change his or her password after a certain amount of time. A password checker is a tool that detects a weak password. Its primary benefit is that it can protect your network against dictionary or brute force attacks. Password encryption is a password protection mechanism whereby the password is encrypted before it is transported across the network.

Keystroke dynamics is considered a low cost, non-intrusive biometric device that is transparent to users. One important keystroke dynamics term is dwell time, which refers to the amount of time a user holds down a key. Another is flight time, or the time it takes to switch between keys.

If the security administrator discovers that an employee who entered the data center does not match the owner of the PIN that was entered, the security administrator should implement some sort of biometric authentication. Biometrics would validate that the correct user was being authenticated.

Biometric authentication requires the use of a biometric reader. Biometric readers can authenticate users before they are granted access to a building, a section of a building, or even to a single device. In most cases, biometrics are used to authenticate users entering a highly secure data center. Implementing biometric authentication is often expensive because of the equipment and configuration costs. Biometric readers can be implemented at the device level if the device contains highly sensitive and confidential information and if the device can be easily stolen. It would not be cost-effective to implement biometrics on a mainframe system, no matter how sensitive the data is, because the device would be hard to steal. However, implementing biometrics on a laptop that contains confidential data might be a good idea if you can justify the cost.
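
The dwell-time and flight-time features defined above can be computed from raw key events and compared against a stored template. The Python below is an added example written for this page, not code from the original quiz or from any commercial product; the timings are constructed, the mean-relative-deviation score and the threshold are assumptions, and a production system would use far more enrollment samples and a statistically tuned decision rule.

```python
from statistics import mean


def make_events(keys, dwells, flights):
    '''Build (key, down_ms, up_ms) tuples from per-key dwell times and between-key flight times.'''
    events, t = [], 0
    for i, k in enumerate(keys):
        events.append((k, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events


def features(events):
    '''Dwell time: how long each key is held. Flight time: gap from one key's release to the next key's press.'''
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    '''Template = per-feature mean over several enrollment typings of the same phrase.'''
    return [mean(col) for col in zip(*(features(s) for s in samples))]


def score(template, sample):
    '''Mean relative deviation from the template; 0 is a perfect match.'''
    return mean(abs(f - t) / max(t, 1) for f, t in zip(features(sample), template))


def verify(template, sample, threshold=0.25):
    '''Threshold is an assumption; it is tuned against false accept and false reject rates.'''
    return score(template, sample) <= threshold


# Constructed timings (milliseconds) for the phrase 'pass'; not measurements from the page.
PHRASE = 'pass'
OWNER_SAMPLES = [
    make_events(PHRASE, [100, 110, 95, 105], [120, 130, 115]),
    make_events(PHRASE, [105, 100, 100, 110], [125, 120, 120]),
    make_events(PHRASE, [95, 105, 105, 100], [115, 125, 130]),
]
OWNER_TEMPLATE = enroll(OWNER_SAMPLES)
OWNER_ATTEMPT = make_events(PHRASE, [98, 108, 102, 104], [118, 128, 125])
# Same correct password typed by someone else with a different rhythm.
IMPOSTOR_ATTEMPT = make_events(PHRASE, [60, 65, 60, 70], [250, 260, 240])
```

The impostor knows the password, so the password check alone would pass; only the typing rhythm separates the two attempts.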

"
"
Answer:
requiring users to use only alphabetic words as passwords


Explanation:
Requiring users to use only alphabetic words as passwords will likely weaken password security because dictionary words are typically the easiest passwords for a hacker to crack.

Strong passwords should typically be at least eight characters in length and contain a mixture of alphabetic, numeric, and symbolic characters. Requiring users to use a minimum of eight characters, including symbols, numbers, and letters, in their passwords and requiring that users periodically change their passwords will likely strengthen password security.

In addition, as part of your organization's password policy, you should configure an account lockout to occur after a certain number of invalid logins. You should configure a password expiration policy. You should also configure a password reuse policy that ensures that passwords cannot be reused until a certain number of password changes have occurred. For example, if you configure a policy such that a password expires in 90 days and that you cannot reuse the last 6 passwords, a user could simply reset the password 7 times to be able to reuse the original password when it comes time for the password to be reset. To prevent users from resetting the password in this manner to bypass your organization's password policy, you should configure a password policy that ensures that passwords cannot be changed more than once a day.

Any generic accounts that are included with any software or device, such as the default administrative or guest accounts, should be removed or disabled. If you do not want to remove or disable these accounts, you should at minimum assign the accounts a complex password. The generic accounts are commonly known, and that is why generic account prohibition or account disablement is encouraged.

If a user forgets his password, your organization should have a password recovery policy in place. If you have to reset the password, you should reset it to a temporary password that is unique to that reset (not a shared default that everyone knows), deliver it to the user through a channel that confirms his identity, and configure the user account so that the user must change the password at the next login.

"
"
Answer:
verifying the identity of users


Explanation:
Authentication refers to the process of verifying the identity of users. Authentication technologies that you need to understand include the following:
Tokens - a small device that generates time-sensitive passwords
Common access cards - similar to smart cards and are used by the U.S. federal government for active-duty military personnel
Smart cards - small plastic cards that contains authentication information
Multifactor authentication - when multiple authentication factors are used to authenticate a user. Authentication factors include something you are, something you have, something you know, somewhere you are, and something you do.
TOTP - A time-based one-time password is an extension of the HOTP that is modified to support a time-based moving factor. If an organization introduces token-based authentication to system administrators due to risk of password compromise, and the tokens have a set of numbers that automatically change every 30 seconds, TOTP is being used.
HOTP - An HMAC one-time password is an algorithm that is used to generate a password that is used once.
CHAP - Challenge Handshake Authentication Protocol is an authentication protocol that validates the identity of the remote user.
PAP - Password Authentication Protocol is an authentication protocol that uses a password.
Single sign-on - an authentication technology that allows a user to log in once and be granted access to different systems configured as part of the network
Implicit deny - the default rule that whatever is not explicitly permitted is denied: a user who matches no allow entry in an ACL or rule set is refused without a deny entry having to be written for him
Trusted OS - an operating system that provides support for multilevel security
Authorization allows users to access resources. Authorization is typically applied to a user account after a user is authenticated on a network. You need to understand the following authorization technologies:
Least privilege - This principle ensures that users are granted only those permissions they need to do their work
Separation of duties - This principle ensures that tasks are divided between users to ensure that one user cannot commit fraud.
ACLs - Access control lists are configured to control permissions to resources.
Time of day restrictions - This method configures the time(s) and day(s) that users are allowed to access resources. In some cases, this policy also allows administrators to configure the location from which the user can log in.
Encrypting files is an example of protecting the confidentiality of the contents of a file. Backing up the data stored on a hard disk is an example of protecting the availability of network resources.

"
"
Answer:
when the last login occurred


Explanation:
To determine whether user accounts are being actively used, you should verify when the last login occurred for every user account. If a user account has not been logged in recently, either the user is not logging out properly or the user account is no longer being used. It is a good policy to periodically perform user account reviews such as this to ensure that all accounts are valid. Continuous monitoring is essential to any organization.

You should not check when the password was last configured. Doing so will ensure that users are changing their passwords as stipulated in the password expiration policy. Passwords may not be changed if the user is not properly logging out each day. A password expiration policy is vital for security. Users should be required to change their passwords monthly or quarterly, based on the organization's needs. In addition, if a user forgets his password and asks an administrator to recover it, the user should be required to immediately change the password once again when logging in.

You should not check whether a password is required. Doing so will ensure that user accounts are required to have a password.

You should not check whether user accounts are disabled. Disabled user accounts are not used. User accounts are often retained in a disabled state for a period of time. Restoring a user account once it is deleted is difficult.

It may also be necessary to check on when users are using administrative-level or normal user accounts. Administrative-level accounts should only be used while performing administrative duties. The rest of the time, users should use their regular user account. Your organization should ensure that users understand this principle of least privilege so that issues associated with users who have multiple accounts are minimized. Credential management is one of the most important considerations for any organization.

Any organization should mitigate issues associated with users with multiple accounts or shared accounts. Any training for users who have multiple accounts should include instructions on when to use each account type. Remember that administrative-level accounts should only be used when performing duties that require those accounts.
"
"
Answer:
dynamic password
software-generated password


Explanation:
Dynamic passwords and software-generated passwords are the same thing. They are also called one-time passwords because they are only used during one login session. At the next login session, a new password is generated. They are usually the hardest passwords to remember because they are so complex. Because of their complexity, they are also harder to guess.

A static password, also called a user-generated password, is one created by the user. It is usually very easy for the user to remember. In most companies, the password policy ensures that the static passwords expire after a certain amount of time.

A cognitive password is a password that is based on some personal fact or opinion. One of the most popular uses of a cognitive password is for security purposes to obtain confidential information. Cognitive passwords are things like your mother's maiden name, your favorite color, or the school where you graduated.

One-time, or dynamic, passwords are considered to be more secure than static passwords and passphrases. They are usually generated by a piece of software or a token seeded with a secret shared with the authentication server. If that seed or the generator itself is compromised, every password it will ever produce can be predicted, so the entire system is in jeopardy. There are different types of password generators.

A token device, sometimes called a transaction device, is usually a handheld device that presents a user with a list of characters to be entered as a password for the computer. Only the device and the authentication server know the password.

A synchronous token device synchronizes with the authentication server based on time or a counter. A time-based device must keep the same time as the authentication server (within a small tolerance); the current time step and a shared secret key are run through a keyed hash to create the one-time password, which is displayed for the user. A counter-based device increments a counter on each use; the counter value and the shared secret are run through the keyed hash, and the result is displayed as the one-time password. The server keeps its own copy of the counter and resynchronizes within a small look-ahead window if the token has been advanced without a login.

An asynchronous token device authenticates the user using a challenge/response mechanism. The authentication server generates a random value (the challenge) and presents it to the user. The user enters it into the token, which computes a response from the challenge and the token's secret, and the user sends that response back as the one-time password; the server computes the same value and compares. Because the response is bound to that challenge, a captured response cannot be replayed.
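
The time-based and counter-based synchronous tokens and the challenge/response token described above, and the HOTP and TOTP entries in the earlier list of authentication technologies, all reduce to a keyed hash over a moving factor. The Python below is an added example written for this page, not code from the original quiz; it implements HOTP (RFC 4226) and TOTP (RFC 6238) as specified, while the drift window, the look-ahead resynchronization and the challenge/response construction are design choices of this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = 'sha1') -> str:
    '''RFC 4226: HMAC over the 8-octet big-endian counter, dynamic truncation, modulo 10^digits.'''
    mac = hmac.new(secret, struct.pack('!Q', counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack('!I', mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6, algo: str = 'sha1') -> str:
    '''RFC 6238: HOTP whose moving factor is the number of time steps since the Unix epoch.'''
    return hotp(secret, now // step, digits, algo)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1, digits: int = 6) -> bool:
    '''Time-synchronous token: accept the current step plus a small window for clock drift.'''
    current = now // step
    return any(hmac.compare_digest(hotp(secret, t, digits), code)
               for t in range(current - window, current + window + 1))


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 5, digits: int = 6):
    '''Counter-synchronous token: the token may be ahead of the server (button pressed without
    logging in), so search a look-ahead window. Returns the resynchronized server counter, or None.
    Counters at or below the last accepted one are never retried, which is what defeats replay.'''
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


def challenge_response(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    '''Asynchronous token: the server issues a random challenge, the token answers with a keyed
    hash of it; the server computes the same value and compares. A response never fits another challenge.'''
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], 'big') % (10 ** digits)).zfill(digits)


# Reference secret from the RFC 4226 and RFC 6238 test vectors (20 ASCII digits).
RFC_SECRET = b'12345678901234567890'
```

RFC_SECRET is the secret used by the published test vectors, so hotp(RFC_SECRET, 0) yields 755224 and the eight-digit TOTP at Unix time 59 yields 94287082, which lets the implementation be checked against the RFC appendices before it is trusted with real seeds.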
"
"
Answer:
Kerberos
SESAME
Active Directory


Explanation:
Kerberos, SESAME, and Active Directory are three technologies that provide single sign-on authentication. Novell eDirectory is another example. Single sign-on addresses the problem of users having to remember multiple usernames and passwords to access different systems. It involves centrally authenticating multiple systems against a federated user database.

Discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC) are three access control models that help companies design their access control structure. While they work with authentication technologies, they do not provide single sign-on authentication by themselves.

Remote Authentication Dial-In User Service (RADIUS) is a dial-up and virtual private network (VPN) user authentication protocol used to authenticate remote users. It provides centralized authentication and accounting features. Alone, it does not provide single sign-on authentication. RADIUS only obscures the User-Password attribute sent from the client to the server (using MD5 and the shared secret); the rest of the packet, including the user name, travels in cleartext, so the link between the RADIUS client and the server should itself be protected.

Single sign-on provides many advantages. It is an efficient logon method because users only have to remember one password and only need to log on once. Resources are accessed faster because users do not need to log in for each resource access. It lowers security administration costs because only one account exists for each user. It lowers setup costs because only one account needs to be created for each user. Single sign-on allows the use of stronger passwords.

Other technologies that provide single sign-on authentication are security domains, directory services, and thin clients.
"
"
Answer:
user identification with reusable password


Explanation:
The most common form of identification and authentication is user identification with a reusable password. User identifications (IDs) and passwords are something a user knows.

Biometrics, while not the most common form of identification and authentication, is more secure than using user identification and passwords. Biometrics is something you are. A fingerprint, for instance, cannot be forgotten, shared, or guessed the way a password can; note, however, that it also cannot be changed if the stored template is ever compromised.

Smart cards, which are something you have, are not commonly implemented because of the expense. However, they are more secure than using user identification and passwords. Smart cards are a Type 2 authentication factor. Common access cards are similar to smart cards and are used by the U.S. federal government for active-duty military personnel.

Two-factor authentication must include two of the following three categories: something you know (Type I), something you have (Type II), or something you are (Type III). Two-factor authentication is not as common as using user identification and passwords. Two-factor authentication is one form of multi-factor authentication. Multi-factor authentication provides an additional layer of security when stored keys and passwords are not strong enough. More recently, some security professionals have added two other authentication factors: somewhere you are and something you do. Somewhere you are is based on the location, and something you do is based on your actions, such as how you strike the keys or sign a phrase.

Passwords are considered the weakest authentication mechanism. Passphrases are somewhat stronger because of their complexity.

When assessing identification and authentication controls, it is good practice to maintain a list of authorized users and their approved access levels. A password policy should be implemented that forces users to change their passwords at predefined intervals. User accounts should be terminated when employment is terminated or suspended while on vacation or leave. Account lockout policies can ensure that unsuccessful login attempts will eventually result in an account being locked out.
"
"
Answer:
all of the above choices


Explanation:
Roles, groups, location, time of day, and transaction type can all be used to restrict access to resources. Regardless of the criteria used, access administration can be simplified by grouping objects and subjects. Access control lists (ACLs) can be used to assign users, groups, or roles access to a particular resource. If you implement time of day restrictions with ACLs, security is improved.

Roles are based upon a subject's job within the company. The roles are only granted those rights and privileges needed to complete job assignments.

Groups are created to incorporate users that need the same access permissions into one common entity. When these users need access to a resource, the permission is granted to the entire group. Using groups simplifies access control administration. Group-based privileges are best suited when assigning user rights to individuals in a sales department where there is a high turnover rate.

Locations can be used to restrict user access to resources by limiting the location from which a subject can log on. A Microsoft Windows domain can restrict user access to the domain by limiting the computers from which a user can log on to the domain. This is done through the Log On To setting in the user's account properties, which lists the computer names from which the user may access the domain.

Time of day can be used to restrict user access to resources by limiting the days and times during which a user is authorized to work. The Logon Hours setting of a Microsoft Windows user account can be edited to allow only certain login times.

Transaction type is a commonly used access restriction method in databases. Subjects are given access permissions based on transaction types. For example, a user may be allowed to view employee compensation, but not allowed to edit it.
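
All five criteria described above (roles, groups, location, time of day, and transaction type) can be evaluated by one ACL check that denies by default. The Python below is an added example written for this page, not part of the original quiz and not how Windows implements its Log On To or Logon Hours settings; the entries, principals and resource names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

WEEKDAYS = frozenset(range(5))   # Monday=0 .. Friday=4


@dataclass(frozen=True)
class AclEntry:
    '''One access control entry. A restriction left as None is not applied.'''
    subject: str                    # user name, group name or role name
    resource: str
    operations: frozenset           # transaction types granted, e.g. {'view'}
    workstations: frozenset = None  # location: computers the subject may log on from
    days: frozenset = None          # 0=Monday .. 6=Sunday
    hours: tuple = None             # (start_hour, end_hour), end exclusive, 24h clock


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()


def entry_applies(e: AclEntry, p: Principal, host: str, when: datetime) -> bool:
    '''Every restriction carried by the entry must hold for it to grant anything.'''
    if e.subject not in ({p.name} | p.groups | p.roles):
        return False
    if e.workstations is not None and host not in e.workstations:
        return False
    if e.days is not None and when.weekday() not in e.days:
        return False
    if e.hours is not None and not (e.hours[0] <= when.hour < e.hours[1]):
        return False
    return True


def authorize(acl, p: Principal, resource: str, operation: str, host: str, when: datetime) -> bool:
    '''Implicit deny: access is granted only when some applicable entry names the operation.'''
    return any(e.resource == resource and operation in e.operations and entry_applies(e, p, host, when)
               for e in acl)


# Constructed ACL for a payroll database (assumed, not from the page).
DEMO_ACL = (
    AclEntry('hr', 'compensation', frozenset({'view'}), days=WEEKDAYS, hours=(8, 18)),
    AclEntry('payroll-admin', 'compensation', frozenset({'view', 'edit'}),
             workstations=frozenset({'PAY-WS01'})),
)
ALICE = Principal('alice', groups=frozenset({'hr'}))
BOB = Principal('bob', roles=frozenset({'payroll-admin'}))
```

Alice can view compensation only during business hours on weekdays and can never edit it; Bob can edit it but only from the designated payroll workstation; anyone who matches no entry is refused without a deny rule ever being written.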

"