Flashcards covering the key concepts of Authentication, Authorization, and Accounting (AAA) as presented in the lecture notes.
What are the three components of AAA?
Authentication, Authorization, and Accounting
What question does Authentication answer?
Do you have the credentials necessary to access this system?
What question does Authorization answer?
Once authenticated, what do you have permission to do?
What question does Accounting answer?
Once authorized to access a resource, how much of the resource are you using?
Name three methods of Authentication.
What you know, What you have, What you are
What is Two-factor authentication?
Uses two of the above methods of authentication to prove an identity
Give an example of Two-factor authentication.
Password and a security token code
List some methods of Identification.
User ID (UID), Physical Object (e.g. ATM card), Biometrics, Digital Certificates
List some methods of Proof of Identification.
Passwords, Access Code (e.g. PIN), One-Time Tokens, Biometrics, Digital Certificates
Give examples of simple user ID strategies.
Jeff, Bill, Milton, etc.
How are user IDs commonly generated for large groups of users?
Computer generated, e.g. abc123, dgu083, jsprankl1
What does LNI or ILN stand for?
LNI = Last name + first initial
ILN = first initial + last name
Why should the user ID not be the same as the email address?
For security purposes
What is the first rule of good passwords?
Don’t write passwords down!
What are some easy-to-guess passwords you should avoid?
Names of family members or pets, Birth dates, Anything within sight, Special interests
What is a good minimum password length?
Use at least eight characters
What is the optimal frequency for password changes?
Minimum 30 days, 90 days is optimal
What types of characters should be included in a secure password?
Mix case, if possible. Use non-alpha characters such as numbers and special characters
What should you avoid for passwords?
Plain English passwords
What is a potential downside of strict password rules?
The more strict the password rules, the higher the chances users will violate the first rule of secure passwords
What is the recommended minimum length for secure passwords?
10 characters minimum
How should secure passwords be generated?
Randomly generated to include at least letters and numbers
Why is it important to use a different password for each site?
If one site gets compromised, the gained credentials can be used at other sites you visit
What type of service should you use to manage passwords?
Password management service
What are the two groups of Biometrics?
Physiological and Behavioral
Give some examples of Physiological Biometrics.
Includes fingerprints, hand scans, retina scans
Give some examples of Behavioral Biometrics.
Includes speech, signature, or keystroke recognition
What are the issues with Biometrics?
Issues with false negatives and false positives
What is a Digital Certificate?
Encrypted data file that uses a Certificate Authority to guarantee the identity of the holder. Also includes an encryption key for secure transmissions
What protocols exist to enable AAA functions?
Domain Logon, RADIUS, TACACS+, Diameter
Where are login credentials stored in a domain environment?
Stored in the directory as an account object
What is RADIUS?
Remote Authentication Dial In User Service
What is the function of a Network Access Server in RADIUS?
RADIUS client
What kind of protocols are used to remotely check credentials with RADIUS?
Separate protocols
What is TACACS+?
Terminal Access Controller Access-Control System (plus)
What transport protocol does TACACS+ use?
TCP instead of UDP
How does TACACS+ handle AAA functions?
Breaks each of the AAA functions into a separate process
What is TACACS+ typically used for?
Typically only used to access devices, not workstations/servers
What kind of transport protocol does Diameter use?
TCP
What kind of security does Diameter use?
IPSec or TLS
What are the two models that Diameter provides?
Stateful and stateless models
How is authorization accomplished?
Through the use of permissions (or rights)
What is the best practice for assigning access permissions?
Assign access permissions to groups rather than individual users
What is a Resource Group?
Resources other than users can also be added to groups
Give an example of a resource group.
Printers could be added to a Printers group
What does ACL stand for?
Access Control List
Where are ACLs attached?
To the resource
What does an ACL contain?
Contains a list of authorized users and their authorization level
Where are ACLs used?
Windows and NetWare resources
Where was Kerberos developed?
MIT
What does Kerberos include?
Authorization mechanism
What is built into Active Directory?
Kerberos
What are the minimum servers required for Kerberos?
One Authentication Server (AS), One Ticket Granting Server (TGS), At least one Application Server
What is the role of the Authentication Server (AS) in Kerberos?
Authenticates the user and provides a Ticket Granting Token (TGT)
What is the role of the Ticket Granting Server (TGS) in Kerberos?
Authorizes the user and provides a Service Granting Ticket (SGT)
What are the two places to set permissions in Windows?
The file system itself (if allowed) and the network share
What is the best practice for setting Windows permissions?
Set all permissions on the file system and allow everyone access to the share
When should you enforce permissions on the share?
If you do not want the share to appear to a user unless the user has permissions to see it
Where are NTFS permissions set?
Through the Security tab on the Properties dialog box on the folder
When do share permissions apply?
When the resource is accessed over a network
What is the difference between Inherited and Explicit Permissions?
Permissions can be explicitly assigned instead of inherited
Can an explicit allow override an inherited deny?
No
What tool can be used to clear up confusion about permissions?
Effective Permissions tool
What does the Effective Permission Tool show?
Shows the effective, cumulative permissions for a user or group, as they apply to a resource
How does TACACS+ use authorization?
ACLs on the NAS device; the TACACS+ server tells the access server which ACL to use
How does Diameter support authorization?
Through the use of the NASREQ add-in application
What is accounting used for in network resource management?
Tracking the consumption of network resources by users
What is accounting usually tracking?
Data usage
What is the purpose of using accounting?
Can be used for bill-back purposes
How does RADIUS track usage for accounting?
Uses Start and Stop packets
How does TACACS+ perform accounting?
Writes information to a log or a database
Which protocol has accounting built into the base protocol?
Diameter