This post is part of a larger series on Security+
- Auditing & Accountability: recording who is making changes, what they changed, and why, so that every action can be traced back to an individual
- Non-Repudiation: a person cannot deny having done something. For instance, if you are required to change someone’s password and therefore know its value, and that account then performs bad actions, you could be held liable. To restore non-repudiation, you must have confirmation that the user has changed the password to something only they know.
Identification, Authorization, and Authentication
Say you bought a movie ticket online and printed off your confirmation code. To pick up your tickets you need your driver’s license and that confirmation code. The driver’s license identifies who you are, the confirmation code shows you are the person who purchased the tickets, and the two together mean you are now fully authenticated.
- Identification: the process of claiming an identity to a server, network, or other resource, for example by presenting a username. Knowing who accessed a file or who is logging in starts with identification.
- Authentication: the process of
- Authorization: what rights do I have once authenticated in the system. Authorization defines what permissions the user has.
Authentication Factors
Multi-factor authentication is preferred. The categories of factor are:
- Something you know (knowledge) eg: password, PIN, passphrase, security questions
- Something you have (possession) eg: smart card, cell phone, hardware key fob, OTP token
- Something you are (inherence) eg: biometrics, fingerprint, iris scan
- Something you do eg: the rhythm of your typing while
- Somewhere you are (location) eg: GPS or IP geolocation, as used in credit card anti-fraud checks
The strength of multi-factor authentication comes from combining factors of different types: a password plus a second password is still one factor, while a password plus an OTP from your phone spans two.
Authorization
- Permissions: the administrator of a system assigns permissions to a user account. Often (but not necessarily) permissions are assigned to a group and users are made members of that group.
- Rights and Privileges: defines what actions a specific user can take (eg: logon rights, rights to change the desktop wallpaper, etc).
Permissions are attached to objects (for example, a folder) whereas rights are applied to a user account or system as a whole.
- Least Privilege: means the least amount of permissions and rights required to perform a job correctly.
- Separation of Duties: think about what people’s jobs are and tie permissions and rights to that job function, so that no single person controls a sensitive process end to end. For example, accounting functions should be separate from payroll.
Three Types of Access Control / Authorization Models
- Mandatory Access Control (MAC): data is labeled with specific labels (for example SECRET or TOP SECRET) and people are granted access to those labels based on their clearance. The model comes from handling classified paper documents, but there are implementations in the computer world as well (SELinux is one).
- Discretionary Access Control (DAC): whoever creates a resource becomes its owner, and the owner has the discretion to decide who else may access it. There is no concept of roles; access is decided per object by its owner. Standard Linux file permissions and NTFS permissions are DAC.
- Role-based Access Control (RBAC): access to a resource is granted based on a role (for example, membership in a group) rather than to individual users. Very common in today’s computing world.
To make access control work, we need Access Control Lists.
Access Control Lists (ACLs)
An access control list is an ordered set of entries, each of which allows or denies a subject (a user, group, or source address) some action on an object. How it is expressed depends on the implementation (NTFS access control entries, firewall rules, router ACLs). Firewall and router ACLs are evaluated top to bottom and the first matching entry wins, so rule order matters. Most access control lists have an implicit deny at the end, which means unless you explicitly allow something, it is denied by default.
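The following is an added example, not code from the original notes: a first-match ACL evaluator in the style of a router or firewall ACL, with the implicit deny at the end. The rules, addresses and ports are constructed sample data, and the rule format is a hypothetical one chosen for the illustration.

```python
# Added example (not part of the original notes): a first-match ACL evaluator
# in the style of a router or firewall ACL, with the implicit deny at the end.
# Rules, addresses and ports are constructed sample data, not a real policy.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # source network in CIDR notation
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # destination port, None matches any port

    def matches(self, src_ip: str, proto: str, dst_port: int) -> bool:
        network = ipaddress.ip_network(self.src, strict=False)
        return (ipaddress.ip_address(src_ip) in network
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))


def evaluate(acl: List[Rule], src_ip: str, proto: str,
             dst_port: int) -> Tuple[str, str]:
    """Walk the ACL top to bottom; the first matching rule decides.

    Returns (decision, reason) so the caller can log *why* a packet was
    permitted or denied, which is what an auditor will ask for later.
    """
    for index, rule in enumerate(acl):
        if rule.matches(src_ip, proto, dst_port):
            return rule.action, f"rule {index}: {rule.action} {rule.src} {rule.proto}/{rule.dst_port}"
    # Nothing matched: the implicit deny. No entry in the list says this.
    return "deny", "implicit deny"


# Constructed sample ACL for a management network.
MGMT_ACL = [
    Rule("deny", "10.0.0.99/32", "any", None),       # quarantined host, listed first
    Rule("permit", "10.0.0.0/24", "tcp", 22),        # admin subnet may SSH
    Rule("permit", "192.168.1.0/24", "tcp", 443),    # user subnet may reach HTTPS
]

# The same entries with the quarantine rule moved below the permit: the
# quarantined host now gets through, because the permit matches first.
MISORDERED_ACL = [MGMT_ACL[1], MGMT_ACL[0], MGMT_ACL[2]]

if __name__ == "__main__":
    for ip, proto, port in [("10.0.0.5", "tcp", 22), ("10.0.0.99", "tcp", 22),
                            ("10.0.0.5", "tcp", 443), ("192.168.1.7", "udp", 443)]:
        print(ip, proto, port, "->", evaluate(MGMT_ACL, ip, proto, port))
    print("misordered:", evaluate(MISORDERED_ACL, "10.0.0.99", "tcp", 22))
```

The point of returning the matching rule alongside the decision is that "denied by implicit deny" and "denied by rule 0" are different findings when you troubleshoot or audit; the misordered list shows why a deny entry must sit above the permit it is meant to override.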
Password Security
You should establish a security policy which defines:
- Complexity (length and character requirements)
- Expiration (password age / resets)
- Password History (goes hand in hand with expiration)
Windows Local Security Policy is a good place to implement technical controls for these policies on standalone Windows systems; in a domain the same settings are configured in group policy objects. For exam purposes, you should be familiar with group policy objects for configuring password security. Not going into detail in these notes since that’s kindergarten IT.
Linux File Permissions
- r - read: allows the contents of a file to be read or viewed. Read on a directory allows listing the directory’s contents
- w - write: allows the contents of a file to be edited or modified. Write on a directory allows creating, renaming, and deleting entries in it
- x - execute: allows a file to be run as a program. Execute on a directory allows traversing it (entering it and accessing entries by name)
There are three sets of rwx: the first set is the permissions applied to the owner (user), the second set is applied to the group, and the last set is everyone else (aka other).
Every file or directory is assigned to a group and any users who are members of that group will have the permissions for that group applied to them.
- chmod: change mode - allows changing permissions
# Removes all permissions for other on myfile
chmod o= myfile
# Sets the group’s permissions on myfile to exactly read and execute
chmod g=rx myfile
# Gives read, write and execute to everyone (user, group and other) on myfile
chmod a=rwx myfile
chmod also accepts the octal representation of the permission bits, one octal digit per rwx triplet.
Read | Write | Execute | Octal |
---|---|---|---|
0 | 0 | 0 | 0 |
0 | 0 | 1 | 1 |
0 | 1 | 0 | 2 |
0 | 1 | 1 | 3 |
1 | 0 | 0 | 4 |
1 | 0 | 1 | 5 |
1 | 1 | 0 | 6 |
1 | 1 | 1 | 7 |
# Assign read and write to owner, read to group and nothing to other using octal form
chmod 640 myfile
A quick way to remember the octal mode is to remember the numbers 4 + 2 + 1. Do you need read? Add 4. Do you need write? Add 2. Do you need execute? Add 1. If you forget this, you can always derive the value by converting the 3-bit flags to octal as shown in the table above.
- chown: change owner - allows changing the owner and group of a file or directory
# change owner of file to steven
sudo chown steven myfile
# change owner and group of file to steven
sudo chown steven:steven myfile
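As an added example (not from the original notes), the same mode arithmetic chmod performs, re-implemented in Python so the symbolic and octal forms above can be checked against each other, then applied to a real file with os.chmod and read back with os.stat. Only the rwx bits are modelled; setuid, setgid, the sticky bit and the umask are left out, and the file it touches is a temporary file the script creates itself.

```python
# Added example (not part of the original notes): chmod's mode arithmetic
# re-implemented in Python, then applied to a real file with os.chmod and read
# back with os.stat. Only the rwx bits are modelled; setuid, setgid, sticky and
# the umask are left out. The file used is a temporary file created here.
import os
import stat
import tempfile

PERM_BITS = {"r": 4, "w": 2, "x": 1}     # the 4 + 2 + 1 rule
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}     # owner, group, other triplets


def mode_from_symbolic(text: str) -> int:
    """'rw-r-----' -> 0o640: each character is one bit, read left to right."""
    if len(text) != 9:
        raise ValueError("expected nine characters such as rwxr-xr-x")
    mode = 0
    for ch in text:
        mode = (mode << 1) | (0 if ch == "-" else 1)
    return mode


def symbolic_from_mode(mode: int) -> str:
    """0o640 -> 'rw-r-----' (what ls -l prints after the file-type character)."""
    out = []
    for shift in (6, 3, 0):
        triplet = (mode >> shift) & 0o7
        out.append("r" if triplet & 4 else "-")
        out.append("w" if triplet & 2 else "-")
        out.append("x" if triplet & 1 else "-")
    return "".join(out)


def apply_clause(mode: int, clause: str) -> int:
    """Apply one symbolic clause such as 'o=', 'g=rx', 'a=rwx', 'u+x' or 'go-w'."""
    who = ""
    i = 0
    while i < len(clause) and clause[i] in "ugoa":
        who += clause[i]
        i += 1
    if i >= len(clause) or clause[i] not in "=+-":
        raise ValueError(f"bad clause {clause!r}")
    op, perms = clause[i], clause[i + 1:]
    if any(p not in PERM_BITS for p in perms):
        raise ValueError(f"bad permission letters in {clause!r}")
    if not who or "a" in who:
        who = "ugo"                   # chmod treats a missing target as 'a'
    bits = sum(PERM_BITS[p] for p in perms)
    for w in who:
        shift = WHO_SHIFT[w]
        if op == "=":
            mode = (mode & ~(0o7 << shift)) | (bits << shift)   # replace the triplet
        elif op == "+":
            mode |= bits << shift                               # add bits
        else:
            mode &= ~(bits << shift)                            # remove bits
    return mode


def chmod_spec(mode: int, spec: str) -> int:
    """Resolve a chmod argument: octal like '640' or clauses like 'u+x,go-w'."""
    if spec.isdigit():
        return int(spec, 8) & 0o777
    for clause in spec.split(","):
        mode = apply_clause(mode, clause)
    return mode


def set_and_read_back(spec: str, start: int = 0o666) -> str:
    """Create a temp file at mode `start`, apply `spec`, return what the kernel reports."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, start)
        os.chmod(path, chmod_spec(start, spec))
        return symbolic_from_mode(stat.S_IMODE(os.stat(path).st_mode))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(oct(mode_from_symbolic("rw-r-----")))   # 0o640
    print(symbolic_from_mode(0o755))               # rwxr-xr-x
    for spec in ("o=", "g=rx", "a=rwx", "640", "u+x,go-w"):
        print(f"chmod {spec:10} -> {set_and_read_back(spec)}")
```

Reading the mode back through os.stat rather than trusting the arithmetic is the habit worth keeping: on a real system what matters is what the kernel enforces, not what you think you set.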
Windows File Permissions
NTFS permissions will be tested on the exam.
Generally, NTFS permissions are applied to folders and assigned to groups. Files and subfolders then inherit those permissions. Explicit entries can be added where necessary.
Using deny is usually proof you have poor folder organization, but there are cases where it’s required.
When moving or copying a file using traditional methods, it inherits the permissions of the folder it is placed in. The only exception is moving (not copying) a file or folder within the same NTFS volume, in which case the permissions move with it.
Using utilities like robocopy (with the /COPYALL or /SEC switches), you can copy files from one drive to another while preserving their permissions.
User Account Management
- Continuous Monitoring: monitor around the clock what your users are doing so you understand what is happening in your infrastructure. Track logon/logoff activity, file access, database access, application access, etc.
- Shared Accounts: don’t do it. They are the lazy way out. They are okay at home, but not at work.
- Multiple Accounts: if one person needs several accounts (for example, for different services, or a regular and a privileged account), make sure the passwords are different
- Least Privilege: Only assign permissions and rights for what is required to perform the job.
- Default/generic Accounts: for example, the built-in administrator account. Do not use these for day-to-day work; disable or rename them where you can, and use dedicated accounts for services
Authentication, Authorization and Accounting (AAA)
Two common approaches
- Remote Authentication Dial-In User Service (RADIUS): RADIUS was designed to support dial-in networking. A RADIUS server fronts an authentication backend (not defined in the standard; it could be a database, AD, or any other store). The RADIUS client is not the person trying to authenticate but the gateway between the user and the service they want to reach (for example, an AP or VPN concentrator). The supplicant is the end-user device; it talks to the RADIUS client, which forwards the authentication request to the RADIUS server. RADIUS is used mostly for network access. It runs over UDP on ports 1812 (authentication) and 1813 (accounting); the legacy ports 1645 and 1646 are still seen. Only the User-Password attribute is obfuscated in transit; the rest of the packet is plaintext. RADIUS bundles authentication and authorization into a single exchange (the Access-Accept carries the authorization attributes), so it cannot authorize a user separately from authenticating them.
- Terminal Access Controller Access-Control System Plus (TACACS+): TACACS+ is good for managing many network devices. It is better than RADIUS for authorization because it decouples authentication from authorization (allowing, for example, per-command authorization on a device), and it encrypts the entire packet body rather than only the password. TACACS+ uses TCP port 49.
Both do auditing (accounting) well.
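The following is an added example, not code from the original notes: it builds and parses a RADIUS Access-Request as laid out in RFC 2865, to show what actually crosses the wire between the RADIUS client (the NAS) and the server. Only the User-Password attribute is hidden, using an MD5 keystream derived from the shared secret; User-Name and everything else is plaintext over UDP, and anyone holding the shared secret can recover the password. The shared secret, NAS address and credentials are made-up sample values.

```python
# Added example (not part of the original notes): building and parsing a RADIUS
# Access-Request as defined in RFC 2865, to show what crosses the wire between
# the RADIUS client (the NAS) and the server. Only the User-Password attribute
# is hidden, with an MD5 keystream derived from the shared secret; User-Name and
# everything else is plaintext over UDP. Secret, NAS address and credentials are
# made-up sample values.
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first with
    MD5(secret + Request Authenticator)."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is at most 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, includes these two), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, username: str,
                         password: str, nas_ip: str,
                         request_auth: Optional[bytes] = None) -> bytes:
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, i = {}, 20
    while i < length:
        attr_type, attr_len = pkt[i], pkt[i + 1]
        if attr_len < 2 or i + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = pkt[i + 2:i + attr_len]
        i += attr_len
    return code, identifier, pkt[4:20], attrs


def response_authenticator(secret: bytes, code: int, identifier: int,
                           request_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Lets the NAS check that an Access-Accept really came from the server."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


if __name__ == "__main__":
    secret = b"example-shared-secret"
    pkt = build_access_request(secret, 7, "alice", "hunter2", "10.0.0.1")
    code, ident, auth, attrs = parse_packet(pkt)
    print("User-Name in the clear:", attrs[ATTR_USER_NAME])
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())
    print("recovered with the secret:", reveal_password(secret, auth, attrs[ATTR_USER_PASSWORD]))
```

Two practical consequences fall out of the code: the Request Authenticator is the only thing keeping the password keystream fresh, so it must be random per request; and since the secret drives both password hiding and the response authenticator, a weak or shared RADIUS secret exposes every password that transits the NAS and lets an attacker forge Access-Accepts.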
Authentication Methods
- Password Authentication Protocol (PAP): the oldest authentication protocol on the Security+ exam. Allows a client to authenticate to a server by sending its username and password in the clear, with no encryption.
- Challenge-Handshake Authentication Protocol (CHAP): also an old protocol, one of the first that tried to protect the authentication exchange. The server and client already share a secret, and the secret itself is never sent. Instead the server sends a random challenge, the client hashes the challenge together with the secret (MD5 in RFC 1994) and returns that hash, and the server computes the same hash and compares. Only hashes cross the wire, never passwords, though an eavesdropper who captures the challenge and response can still run an offline dictionary attack against the secret.
- NT LAN Manager (NTLM): in a Windows domain Kerberos is preferred; NTLM is used where there is no domain controller (for example, in a workgroup) or where Kerberos cannot be used. NTLMv2 is the modern standard for NTLM. It is very similar to CHAP except that the client adds its own challenge to the server’s, and the hashed responses are checked on both ends to provide server-to-client and client-to-server authentication.
- Kerberos: the default authentication protocol in a Windows domain (and used on Unix and Linux systems as well). Kerberos is vastly different from the above methods. The domain controller acts as the Key Distribution Center (KDC), which runs two services: the authentication service and the ticket-granting service. When you log in to the domain from a client computer, the authentication service issues the client a ticket-granting ticket (TGT), which shows that the client has authenticated to the domain. (The TGT is not the same thing as the SID; the SID is the account’s security identifier.) With the TGT you are authenticated, but not yet authorized to any particular resource. To access a resource, the client presents the TGT to the ticket-granting service, which returns a service ticket and a session key for that resource. Every new resource requires a new service ticket and session key.
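The CHAP exchange described above, as an added example that is not part of the original notes: both sides’ messages per RFC 1994 (MD5 variant), the equivalent PAP exchange for contrast, and the offline dictionary attack an eavesdropper can mount on a captured CHAP challenge and response. The peer names, secrets and wordlist are made-up values, and the ChapAuthenticator/ChapPeer classes are a hypothetical structure chosen for the illustration, not any real implementation.

```python
# Added example (not part of the original notes): a CHAP round trip per RFC 1994
# (MD5 variant) with both sides' messages, next to the equivalent PAP exchange,
# plus the offline dictionary attack an eavesdropper can mount on a captured
# CHAP challenge/response. Names, secrets and the wordlist are made-up values.
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The server side. It must hold each peer's secret in recoverable form,
    because it has to compute the same MD5 the peer computed."""

    def __init__(self, secrets: Dict[str, bytes], rng: Callable[[int], bytes] = os.urandom):
        self.secrets = secrets
        self.rng = rng
        self.pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        """Challenge packet: a fresh random value; the identifier ties it to the response."""
        value = self.rng(16)
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Response packet: recompute the hash and compare in constant time.
        The challenge is consumed, so a captured response cannot be replayed."""
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class ChapPeer:
    """The client side: never sends the secret, only the hash."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_chap(server: ChapAuthenticator, peer: ChapPeer,
             identifier: int) -> Tuple[bool, Dict[str, bytes]]:
    """One exchange. Returns (success, what an eavesdropper sees on the wire)."""
    challenge = server.challenge(identifier)
    name, response = peer.respond(identifier, challenge)
    ok = server.verify(identifier, name, response)
    return ok, {"name": name.encode(), "challenge": challenge, "response": response}


def run_pap(stored: Dict[str, bytes], name: str,
            password: bytes) -> Tuple[bool, Dict[str, bytes]]:
    """PAP for contrast: the password itself is the wire message."""
    return stored.get(name) == password, {"name": name.encode(), "password": password}


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  wordlist: Iterable[bytes]) -> Optional[bytes]:
    """What a passive attacker does with a captured CHAP exchange: try candidate
    secrets until one reproduces the response. No contact with the server needed."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    server = ChapAuthenticator({"alice": b"hunter2"})
    ok, wire = run_chap(server, ChapPeer("alice", b"hunter2"), identifier=7)
    print("CHAP accepted:", ok, "| on the wire:", {k: v.hex() for k, v in wire.items()})
    print("PAP on the wire:", run_pap({"alice": b"hunter2"}, "alice", b"hunter2")[1])
    print("offline guess:", offline_guess(7, wire["challenge"], wire["response"],
                                          [b"password", b"letmein", b"hunter2"]))
```

Note what the design forces on the server: because it has to recompute MD5 over the plaintext secret, it cannot store only a salted hash of that secret the way a password database should. That, plus the offline guessing shown in offline_guess, is why CHAP protects against casual sniffing but not against a determined attacker on the same wire.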
The following are not authentication protocols but tie in closely with the above.
- Security Assertion Markup Language (SAML): an XML-based standard for passing authentication and authorization assertions between an identity provider and a service provider; it is used for web application single sign-on.
- Lightweight Directory Access Protocol (LDAP): LDAP isn’t an authentication protocol in itself but a structured way for one computer to query another computer’s directory, for example to look up group membership (although an LDAP bind does verify credentials against the directory). LDAP uses TCP and UDP port 389; LDAP over TLS (LDAPS) uses TCP port 636.
Single Sign On (SSO)
Active Directory is an example of SSO on a LAN. By joining each computer to the domain, we create a single trust domain: every member machine trusts the domain controllers, and one logon gives the user access to every domain resource they are authorized for.
There is another type of single sign-on based on SAML. SAML uses an Identity Provider (IdP), which you sign into, and a Service Provider (SP), which is the service you are attempting to access. The SP trusts the IdP to provide assertions (claims) about who you are and what access you have to its system. SAML-based SSO is very common for cloud-hosted web applications.