Security+ SY0-501 Domain 4 Identity and Access Management: A look into common account management practices

By Guy Nguyen-Phuoc on October 15, 2020

(By: Guy Nguyen-Phuoc on October 16, 2020)

Introduction

In 2016, the Central Intelligence Agency (CIA) suffered a data breach involving up to 34 terabytes of data (34,000,000,000,000 bytes) [1]. Later dubbed “Vault 7”, this collection of documents (including classified data on cyber tools) was published on WikiLeaks in March 2017 [2]. Internal investigations revealed that an employee took advantage of “woefully lax” security and handed the documents to WikiLeaks [2]. While extremely uncommon, such data breaches are very impactful and showcase the need for data security and management, even at the highest levels. This paper looks at SY0-501’s Domain 4: Identity and Access Management to see how to implement common account management practices.

Account Types

  • End user accounts. Most accounts are for regular users. Administrators create these accounts and then assign appropriate privileges based on the user’s job responsibilities. In Microsoft environments, these are referred to as “standard user accounts”.
  • Privileged accounts. A privileged account has additional rights and privileges beyond what a regular user has. As an example, someone with root account privileges on a Linux machine has full and complete control over the Linux computer.
  • Guest accounts. Windows operating systems include a Guest account. These are useful if you want to grant someone limited access to a computer or network without creating a new account.
  • Service accounts. Some applications and services need to run under the context of an account, and a service account fills this need. As an example, SQL Server is a database application that runs on a server and needs access to resources on the server and the network. Administrators create a regular user account, name it something like “sqlservice”, assign it appropriate privileges, and configure SQL Server to use this account. Note that this is like a regular end-user account. The only difference is that it is used only by the service or application, not by an end user.

General Concepts

  • Least privilege. A technical control that assigns ONLY the privileges a user needs to perform a job, task or function. For example, Jill needs read access to a certain folder on the server. Jill should have ONLY read access to that folder and nothing more. The idea is that if a user does not use a privilege, the account should not have it, thus reducing the chance of an outside actor compromising the account.
  • Auditing and review. Auditing comes in two flavors, usage auditing and permission auditing, and keeps track of a user's activities. Logging allows auditing of when a user logs on, accesses a network share, reads a file, modifies a file, creates a file, prints a file, accesses a website via a proxy server, and much more. Configuring logging of logon attempts is an important security step for system monitoring. Logs create an audit trail of what happened. Usage auditing reviews are often done to recreate the audit trail, or reconstruct what happened in the past. For example, if someone leaks proprietary information outside the organization, investigators can look at the audit logs to see who accessed the information, what they did with it (such as printing it), and when they did so.
  • Account maintenance. Administrators routinely perform account maintenance. This is often done with scripts to automate the processes, for example, deleting accounts that are no longer needed. If an organization has a policy of disabling accounts when employees leave, but deleting them 60 days later, account maintenance procedures ensure the accounts are deleted.
  • Time-of-Day restrictions. Time-of-Day restrictions specify when users can log on to a computer. If a user tries to log on to the network outside the permitted time, the system denies access to the user. For example, Johnny wants to log in to finish some work in the evening. His allocated time is only 8am to 4pm. When Johnny attempts to log in at 8pm, he is denied access to the system(s).
  • Location-based policies. These restrict access based on the location of the user. The location can be geographic (for example, blocking foreign IP addresses) or based on the computer's name or MAC address.
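The time-of-day and location-based restrictions above, combined with logging of every logon attempt, can be sketched as one decision function. This is an added example, not part of the original article; the `LogonPolicy` fields, the address range, the computer name and the audit line format are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LogonPolicy:
    start: time            # start of the permitted logon window (inclusive)
    end: time              # end of the permitted logon window (exclusive)
    networks: tuple        # CIDR ranges a logon may come from
    computers: frozenset   # upper-case computer names a logon may come from


def in_window(start, end, t):
    """True if t is inside [start, end); handles windows that wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate_logon(policy, user, when, source_ip, computer):
    """Return (allowed, audit_line); every attempt yields an audit record."""
    reasons = []
    if not in_window(policy.start, policy.end, when.time()):
        reasons.append("outside-permitted-hours")
    addr = ip_address(source_ip)
    if not any(addr in ip_network(n) for n in policy.networks):
        reasons.append("source-network-not-allowed")
    if computer.upper() not in policy.computers:
        reasons.append("computer-not-allowed")
    allowed = not reasons
    audit = "{} user={} src={} computer={} result={} reason={}".format(
        when.isoformat(), user, source_ip, computer,
        "ALLOW" if allowed else "DENY", ",".join(reasons) or "-")
    return allowed, audit


# Constructed sample data: Johnny's 8am-4pm window from the text; the
# address range and computer name are made up for the example.
JOHNNY = LogonPolicy(time(8), time(16), ("10.20.0.0/16",), frozenset({"WS-0142"}))

if __name__ == "__main__":
    attempts = [
        (datetime(2020, 10, 15, 9, 30), "10.20.4.17", "WS-0142"),    # in policy
        (datetime(2020, 10, 15, 20, 0), "10.20.4.17", "WS-0142"),    # 8pm attempt
        (datetime(2020, 10, 15, 9, 30), "198.51.100.7", "ws-0142"),  # other network
    ]
    for when, ip, computer in attempts:
        print(evaluate_logon(JOHNNY, "johnny", when, ip, computer)[1])
```

Denied attempts are logged with their reason as well as allowed ones, which is what lets a later usage audit reconstruct who tried to log on, from where, and when.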

Account Policy Enforcement

  • Credential management. A credential is a collection of information that provides an identity (such as a username) and proves that identity (such as with a password). Over time, users often have multiple credentials that they need to remember, especially when they access many websites. Credential management systems help users store these credentials securely. The goal is to simplify credential management for users, while also ensuring that unauthorized personnel do not have access to the users’ credentials.
  • Group policy. In Windows, Group Policy is used to manage multiple users and computers in a domain. Group Policy allows an administrator to configure a setting once in a Group Policy Object (GPO) and apply this setting to many users and computers within the domain.
  • Password complexity. One method used to make passwords more secure is to require them to be complex and strong. A strong password is of sufficient length, does not include words found in a dictionary or any part of a user’s name, and combines at least three of the four following character types:
        Uppercase characters (26 letters A-Z)
        Lowercase characters (26 letters a-z)
        Numbers (10 numbers 0-9)
        Special characters (32 printable characters, such as !, $ and *)
    A complex password uses multiple character types, such as Ab0@. However, a complex password isn’t necessarily strong. It also needs to be sufficiently long. The longer the password, the more possible combinations it has, and thus the longer it takes to guess. A ten-character password of lowercase letters (26 possible characters) has 26^10 different combinations, or 141 trillion values. However, due to advancements in General-Purpose Graphics Processing Units (GPGPU), modern password-guessing tools can guess all 141 trillion values in under 2 hours.
  • Password expiration. In addition to using strong passwords, users should change their passwords regularly, such as every 45 or 90 days. When the password expires, users are no longer able to log on unless they first change their password. This also prevents data dumps of old passwords from working on current systems.
  • Password recovery. Occasionally, users forget their passwords. In many organisations, help-desk professionals or other administrators reset user passwords. Before resetting, it is important to verify the user’s identity. Help desks should reset the password through a temporary password, an automated process with a temporary link that forces a new password setup, security questions, or a PIN sent via email or phone.
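The password complexity rules above (length, at least three of the four character types, no dictionary words, no part of the user's name) and the keyspace arithmetic can be checked in a few lines. This is an added example, not part of the original article; the minimum length of 12, the sample wordlist and the guess rate (derived from the article's figure of 26^10 guesses in 2 hours) are assumptions.

```python
import re
import string

# The four character types listed above, with the set sizes the text gives.
CLASSES = {
    "uppercase": string.ascii_uppercase,  # 26
    "lowercase": string.ascii_lowercase,  # 26
    "numbers": string.digits,             # 10
    "special": string.punctuation,        # 32
}
# Guess rate implied by the text: 26**10 candidates in 2 hours (assumption:
# "under 2 hours" is treated as exactly 2 hours).
GUESSES_PER_SECOND = 26 ** 10 / 7200


def classes_used(password):
    """Names of the character types that appear in the password."""
    return [n for n, chars in CLASSES.items() if any(c in chars for c in password)]


def keyspace(password):
    """Candidates an exhaustive search must cover for this length and charset."""
    pool = sum(len(CLASSES[n]) for n in classes_used(password))
    return pool ** len(password)


def hours_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Hours to try every candidate in the keyspace at the given guess rate."""
    return keyspace(password) / rate / 3600


def check_password(password, username, wordlist, min_length=12):
    """Return the list of rules the password breaks (empty list = accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:  # min_length is an assumed policy value
        problems.append("too short")
    if len(classes_used(password)) < 3:
        problems.append("fewer than three character types")
    if any(w in lowered for w in wordlist):
        problems.append("contains a dictionary word")
    parts = [p for p in re.split(r"[^a-z]+", username.lower()) if len(p) >= 3]
    if any(p in lowered for p in parts):
        problems.append("contains part of the user name")
    return problems


WORDLIST = ["password", "summer", "welcome"]  # constructed sample wordlist
```

At the same guess rate, a ten-character password drawn from all 94 characters takes over 700,000 hours to exhaust rather than 2, which is the article's point that character variety and length work together.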

Conclusion

Although these methods are common, it cannot be stressed enough that even following the basic precautions outlined here can have a huge impact on security. As the CIA’s data breach shows, no one is too safe to ignore them.

References

[1] https://www.washingtonpost.com/national-security/elite-cia-unit-that-developed-hacking-tools-failed-to-secure-its-own-systems-allowing-massive-leak-an-internal-report-found/2020/06/15/502e3456-ae9d-11ea-8f56-63f38c990077_story.html


[2] https://www.cnn.com/2020/06/16/politics/cia-wikileaks-vault-7-leak-report/index.html