Welcome to cyber is video Siris on the company s security plus 5 +01 certification and exam.
I'm your instructor, Ron Warner.
This video is on section 4.4.
This is the last section of domain for an identity and access management, and it requires you to differentiate common account management practices.
One of the most fundamental aspects of network security is account management.
All authorized users must have accounts with the appropriate access level and permissions to allow those users to access. The resource is they need to on the network.
At the same time, Attackers are always seeking to compromise an account so they can also access the network. Resource is
in this section will cover general concepts of accountant access management,
the different types of accounts you'll find on any computer system and how to set end and four standard account policies.
There are standard account management concepts you need to understand for both the security plus exam and as a security professional
thes apply to any technology industry organization, et cetera.
The first concept is on boarding an off boarding when an employee joins an organization and when they leave the organization,
it's the process you'll work through often with human resource is and management on boarding is that process of creating an identity profile and the necessary information required to describe that identity onboard and can also include registering the user's assets, such as a computer, mobile assets, maybe even B Y o d.
Then pro visioning.
They're permissions to different applications. Files folders within the corporate network off boarding as that opposite part. How do you handle when an employee leaves the organization? You need to remove any access as quickly as possible.
User identities that are no longer require access to the environment should be disabled or deactivated,
eventually deleted from the environment. Based on your organizational policy, the second concept is requiring a standard naming convention. For example, might be first, initial and incomplete. Last name John Doe would be J dough.
The challenge with that is that it's easily decibel. So if I'm able to gain an act loyally list of your organization, I'll know their identity,
which is half of the user i d. Password combination.
Many companies then use a generic type of a user. I'd say a letter followed by a random set of numbers won't necessarily one of you sequential numbers, because if I'm user you 1234 then the next person would be you. 1235 again could be easily guessed. Make it somewhat random.
You may also want to separate out administrator accounts
so an administrative user will have a separate user i D. But also based on a standard naming convention,
the concept of least privileges when we've covered multiple times in this video. Siri's.
It's an access control practice in which a Logan is provided only the minimum access to the resource is required to perform its tasks. So as an employee, I'm only given access to a certain subset of assets
only those that I need to do my job to remember. The phrase less is more when considering the security principle.
When it comes to setting restrictions for user I. D. S. One way is time based.
You only allow employees to log in between 8 a.m. and 5 p.m. For example, if you know that's the only time they'll be
needing to access the corporate network or if you have Children, maybe you restrict access from 10 p.m. To 6 a.m.
You can also use location based policies
I'm always signing in from the corporate office in one particular city. For my user. I d should never sign in from a different location.
And if it does, it should throw an error.
Maybe they'll send an alert or will just deny access altogether.
Users from general concepts To keep in mind with user account management,
hear additional general access control concepts you need to keep in mind.
One is tied back to what we talked about in the earlier video on role based access control were group based access where if you're a member of a particular group, you have access to a set of resource. Is
he mighta tends to be all or nothing. If you're in that group you have access to. All of the resource is within that group. It's hard to create that subset
periodically. You need to perform some type of an account maintenance where you evaluate the accounts within your infrastructure to remove those that are no longer needed. Are valid.
Also included that with this is a privilege audit review the different privileges associated with accounts being sure they have that least privilege this is tied to the idea of that re certification. Were managers re certify each of his or her employees that the access is appropriate and access that is
in abundance should be removed?
This reduces that risk of permissions. Creep,
permissions. Crepe happens in many organizations. It's where an employee who's been there for a long period of time had many different jobs or roles within. The company now has access to every act every resource, every asset, every folder file.
Their permission just grows and grows because no one ever says, Hey, I wantto lose permissions
so periodically you should recertify and remove any access, any privileges that are no longer needed.
You should also consider that usage auditing where you're watching what people are doing through the your centralized log management system or security incident. An event management s I E. M.
All of these air necessary steps to make sure access is controlled appropriately based on your organization's policies.
Now that you understand general account management concepts, let's talk about account types you'll find on computer systems. The first step in creating secure accounts is to be certain you have different account types for different users and the different uses for those accounts first, is that general user account These air human accounts
tied back to a human being within your organization.
Next is guest accounts. These are temporary accounts that are used for very limited piece of time, not tied to a specific individual.
Sometimes WiFi access will be using a guest type of an account. Thes should be disabled by default, with minimal privileges and time limits. Shared account in generic accounts. Sometimes you have the need to share common logging.
One user i d for an application shared amongst maybe five or six employees.
The downside. No repudiation, no tracking. Who used it When someone uses that shared I D. You don't know which individual, So an example could be a conference room account or kiosk computer with shared
and generic account. You want to restrict their access time limits as much as possible.
Last thing to consider is changing the names of all the default system accounts. I'll show you how this is done within Windows infrastructure before example, Guest account is standard on a Windows operating system, so change the name of that account. That way, people won't know the identity even if it is disabled.
There are two other types of accounts you need to be aware off.
One being service accounts. They're used by computer systems or applications. A database application at a Web server needs to access. In order to take information from the Web server and put it into the database
that's considered a service account or an application account, you should restrict human use as much as possible.
What I've done with these accounts, it will set a very long password, say 25 characters that could never be guessed by human. Easy for a machine to remember. You want to also restrict those access, rights, permissions and authorizations so the Web server can Onley use this account to access the backend database server.
No other resource is could be accessed with that resource account. Name
the other type of account to be aware of our administrator account or privileged accounts in Windows. It's commonly known as the Administrator account in Lenox. It's the route account. If you have users with a requirement for administrative privileges, they should have their own user i d. For general purpose years
and then on, Lee used their administrator account when it's needed to perform administrative functions. Common examples. You'll see on operating systems to help restrict Administrator uses Windows You a C user account control. Lennox Pseudo s u D O.
Is used to run as
an administrative user. Very powerful way to keep least privilege in place on all of your computer systems, as previously mentioned. Always restrict authorization as much as possible.
Onley allow users to do the minimum they need to do their job, particularly with those enhanced privileges associated with administrator or root,
and then increase the logging. Watch what is done with those accounts
because with UM, you can cause a lot of damage.
So be ready to react if there's an issue associated with an administrator or root account.
In these last two slides, I discussed a few common types of accounts.
Now let's talk about account policy, management and enforcement.
As the number of systems and users grows in an organization account, policy enforcement becomes critical.
Therefore, set account policies that defined strong security for your systems
account policies are a subset of the policies, configurable and a group policy.
I'll start by walking through some general concepts and then provide specific examples for each.
All credentials whether simple log on passwords or complex encryption keys should carry a built in lifetime that ensures their termination
even if they were lost, were for gotten. You don't have an account that stays active forever. For example,
auditing procedures need to reveal long term inactive accounts and machine accounts that should be re routinely expired and re established to protect against long term attacks. Limit exploitation if they're compromised during normal period of use.
Active directory domains. Use group policy objects or GPO's to store a wide variety of configuration information, including password policy settings, auditing settings. Those many other configuration items show this in a moment.
Password policy settings for active directory would be set within the domain.
Password must meet a complexity requirement policy within the Windows operating system. Determine whether the passwords meet certain criteria for a strong password.
For example, password should not include the user's name, so whether their actual name or their user, i D or any other attributes that could be associated with that user
must contain three of these four categories. Uppercase characters, lower case characters, special character, special symbols or numbers should have a specific length and time limit that they are allowed to persist.
Passwords may also be set, and accounts may be set to expire, requiring them to be changed periodically.
Also, keep in mind how do you recover passwords that have been lost?
Do you go through a help desk or do you have a side channel?
The recovery could be a back door into your system. You need to make sure it's just a strong as the main entry through the password,
Then your process for disabling and locking accounts
are they automatically locked, say, after a set number of times of miss typing, a password
setting automatically disable. You can also set the time period to automatically re enable
Let's look at some of these settings within a typical Windows domain.
A standard Windows client or server such as Window seven, Windows 10 or Server 2012 2016
comes enabled with password policies on your screen. You see what it looks like within the local security policy. This would be local to a computer, but it's very similar to how it works within the group Policy Objects or GPO's.
You see here enforced password history. How many passwords you need to. The computer must remember typical setting would be 10
maximum password age. How long until the user needs to reset the password?
This prevents someone who's able to gain access to the account through a password from being able to have access for a long period of time. Because once you change the password that access goes away.
Minimum password age. You don't want users to change back to a pre known password. For example, my password is
password, for example,
even if you're remembering the history Aiken from don't have a minimum password agent I can quickly cycle through. So a typical minimum password eight would be one day
password length. How long you want the password to be
and typical tends to be a character's, although longer, of course, is better. It's a required to meet complexity requirements. As I mentioned those three out of those four categories.
Also within Microsoft local or group policies,
they will count lockout duration. How long will the account be locked out? Say if I miss type the password.
What's the threshold? How many invalid attempt so say five attempts. So on the sixth attempt, the count is locked out for that time period.
And then how quickly do you reset the counter? So I just fat finger my password.
Maybe you have it reset back to zero after 15 minutes, and all of these should be set by your organizational policy.
Auditing capabilities are also inherent within Windows operating systems, and you see some of those settings on your screen.
You can set
each of these based on whether there is a success or failure.
I recommend reviewing each of these because you may encounter them in your life. It's a security professional and provides a good overview how this works for your security plus exam.
The last item I want to discuss on Windows account policies are all of the other settings
you see here on your screen, just in example of a few.
For example, you can rename the administrator account because I know on any Windows system there's most likely a user I d. By the name of Administrator.
That gives me again half of the combination of a user I D and password. So consider changing that to some other value. Some other name
renamed the Guest Account. You can also and should also disable the guest account.
Numerous other settings recommend you review become familiar with them as they provide a good basis for understanding this section.
As you see here, Lennox has very similar type of settings, so if you learn how to do it within Windows, you comply that same philosophy and concept
within a Lennox system
for security. Plus, you don't need to know the specifics for an operating system. But as you see, the ideas are all very similar. So if you can learn it for one, say Lennox, you can interpret it for Windows environment, or vice versa.
This concludes the lecture portion of Section 4.4.
Given a scenario differentiate common Account management practices.
Let's practice on a few sample quiz questions.
Juan is a database administrator for his organization.
He's setting up a new man sequel server system and needs to establish an account for it.
Which of the following would be the best type of account for this year's?
The answer is a A service account
attaching to the sequel or database server
not to be used by a human
What is the name of the annual auditing process whereby you determine, if given account, continue to require a set of privileges.
The answer is C
annual. We re certify or justify
the access and permissions to any account.
This concludes the video for section 4.4.
Please refer to your study material for more information on this section.