Chapter 11 Presentation: Access Control Fundamentals
- 2. © Cengage Learning 2015
Objectives
• Define access control and list the four access
control models
• Describe how to implement access control
• Explain the different types of authentication
services
CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition
- 3.
What Is Access Control?
• Access Control
– Granting or denying approval to use specific
resources
• Physical access control
– Consists of fencing, hardware door locks, and
mantraps to limit contact with devices
• Technical access control
– Consists of technology restrictions that limit users on
computers from accessing data
• There are four standard access control models
- 4.
Access Control Terminology
• Identification
– Claiming an identity by presenting an identifier or
credential
– Example: delivery driver presenting employee badge
• Authentication
– Verifying that the credential is genuine and belongs
to the person presenting it
– Example: examining the delivery driver’s badge
• Authorization
– Granting permission to take a specific action on a
resource
– Example: allowing delivery driver to pick up package
- 5.
Access Control Terminology
Table 11-1 Basic steps in access control
- 6.
Access Control Terminology
• Object
– A specific resource
– Example: file or hardware device
• Subject
– A user or process functioning on behalf of a user
– Example: computer user
• Operation
– The action taken by the subject over an object
– Example: deleting a file
- 7.
Access Control Terminology
Table 11-2 Roles in access control
- 8.
Access Control Terminology
Figure 11-1 Technical access control process and terminology
- 9.
Access Control Models
• Access control model
– Standards that provide a predefined framework for
hardware or software developers
– Use the appropriate model to configure the
necessary level of control
• Four major access control models
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)
– Rule Based Access Control (also abbreviated RBAC;
some sources write RuBAC to avoid the clash with
role based)
- 10.
Access Control Models
• Discretionary Access Control (DAC)
– Least restrictive model
– Every object has an owner
– Owners have total control over their objects
– Owners can give permissions to other subjects over
their objects
– Used on operating systems such as most types of
UNIX and Microsoft Windows
- 11.
Access Control Models
Figure 11-2 Windows Discretionary Access Control (DAC)
- 12.
Access Control Models
• DAC weaknesses
– Relies on decisions by end users to set proper
permissions
• Incorrect or overly broad permissions may be granted
– A subject’s permissions are “inherited” by any
program the subject executes
– Malware run by a user on a DAC system therefore
runs with that user’s full privileges (and with
administrator privileges if the user is an
administrator)
- 13.
Access Control Models
• Mandatory Access Control (MAC)
– Most restrictive access control model
– Typically found in military settings
– Two elements
• Labels - Every entity is an object and is assigned a
classification label that represents the relative
importance of the object
– Subjects are assigned a privilege label (clearance)
• Levels - a hierarchy based on the labels is used
– Top secret has a higher level than secret, which
has a higher level than confidential
- 14.
Access Control Models
• MAC grants permissions by comparing object labels
with subject labels
– Labels indicate sensitivity (objects) or clearance
(subjects)
• To determine if a file may be read:
– Object and subject labels are compared
– The subject’s clearance must be equal to or higher
than the object’s classification (“no read up”)
• Two formal models commonly used to describe MAC
– Lattice model
– Bell-LaPadula model
- 15.
Access Control Models
• Lattice model
– Subjects and objects are assigned a “rung” on the
lattice
– Multiple lattices can be placed beside each other
(for example, compartments such as NUC or CRYPTO
alongside the hierarchical levels), so two labels
may be incomparable and neither dominates the other
• Bell-LaPadula (BLP) model
– Builds on the lattice model to protect confidentiality
– Simple security property: a subject may not read an
object at a higher level (“no read up”)
– *-property: a subject may not write to an object at a
lower level (“no write down”), which stops a cleared
subject, or malware running as that subject, from
copying sensitive data into a less sensitive object
- 16.
Access Control Models
• Microsoft Windows includes a MAC implementation
called Mandatory Integrity Control (MIC)
– A security identifier (SID) is issued to each user,
group, or logon session
– Each time a user logs in, the SID is retrieved from
the database for that user
– The SID is used to identify the user in subsequent
interactions with Windows
– Windows also assigns an integrity level (Low, Medium,
High, or System) to each process and object; a
lower-integrity process cannot modify a
higher-integrity object, whatever the object’s
permissions say
– User Account Control (UAC) – a Windows feature that
runs even administrators at Medium integrity by
default and prompts before elevating to High
- 17.
Access Control Models
Figure 11-3 Windows User Account Control (UAC) prompt
- 18.
Access Control Models
• Role Based Access Control (RBAC)
– Also called Non-Discretionary Access Control
– Access permissions are based on user’s job function
• RBAC assigns permissions to particular roles in an
organization
– Users are assigned to those roles
• Rule Based Access Control (RBAC)
– Dynamically assigns roles to subjects based on a set
of rules defined by a custodian
- 19.
Access Control Models
• Rule Based Access Control (cont’d.)
– Each resource object contains access properties
based on the rules
– When user attempts access, system checks object’s
rules to determine access permission
– Often used for managing user access to one or more
systems
• Business changes may trigger application of the rules
specifying access changes
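Role based and rule based control together, as an added example that is not part of the textbook: permissions hang off roles, users hang off roles, and a rule layer decides whether a role is active for a given request (here a business-hours rule and a corporate-network rule, which is also how a time-of-day restriction is expressed). The role names, permission strings, the 10.0.0.0/8 "inside" convention and the sample timestamps are assumptions for the demonstration.

```python
# Added example (not the textbook's code): RBAC with a rule based layer on top.
from datetime import datetime, time
from typing import Callable, Dict, List, Set

# RBAC: nobody is granted a permission directly; only roles carry permissions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "helpdesk": {"ticket:read", "ticket:update"},
    "payroll":  {"payroll:read", "payroll:run"},
    "auditor":  {"payroll:read", "ticket:read"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"helpdesk"},
    "bob":   {"payroll"},
    "carol": {"auditor"},
}

# Rule based layer: a rule is a predicate over the request context. A role is
# only activated for a session when every rule attached to it holds, so a
# custodian can add a time-of-day or network restriction without editing roles.
Rule = Callable[[dict], bool]


def business_hours(ctx: dict) -> bool:
    now: datetime = ctx["now"]
    return now.weekday() < 5 and time(8, 0) <= now.time() < time(18, 0)


def on_corporate_network(ctx: dict) -> bool:
    return ctx["src_ip"].startswith("10.")   # assumption: 10.0.0.0/8 is "inside"


ROLE_RULES: Dict[str, List[Rule]] = {
    "payroll": [business_hours, on_corporate_network],
}


def effective_roles(user: str, ctx: dict) -> Set[str]:
    """Roles the user holds whose rules all pass for this request."""
    return {role for role in USER_ROLES.get(user, set())
            if all(rule(ctx) for rule in ROLE_RULES.get(role, []))}


def effective_permissions(user: str, ctx: dict) -> Set[str]:
    perms: Set[str] = set()
    for role in effective_roles(user, ctx):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: str, permission: str, ctx: dict) -> bool:
    # Implicit deny: an unknown user, role or permission simply never matches.
    return permission in effective_permissions(user, ctx)


if __name__ == "__main__":
    day = {"now": datetime(2024, 5, 14, 10, 0), "src_ip": "10.1.2.3"}     # Tuesday
    night = {"now": datetime(2024, 5, 14, 22, 0), "src_ip": "10.1.2.3"}
    print("bob payroll:run by day  :", is_authorized("bob", "payroll:run", day))
    print("bob payroll:run at night:", is_authorized("bob", "payroll:run", night))
```

Note that the rules gate the role, not the individual permission: when the payroll role is inactive, bob loses payroll:read as well as payroll:run, which matches the textbook's description of rules dynamically assigning roles.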
- 20.
Access Control Models
Table 11-3 Access control models
- 21.
Best Practices for Access Control
• Establishing best practices for limiting access
– Can help secure systems and data
• Examples of best practices
– Separation of duties
– Job rotation
– Least privilege
– Implicit deny
– Mandatory vacations
- 22.
Best Practices for Access Control
• Separation of duties
– Fraud can result from a single user being trusted with
complete control of a process
– Splits sensitive functions (for example, requesting
and approving a payment, or writing and deploying
code) between two or more people
– The system is not vulnerable to the actions of a
single person acting alone
• Job rotation
– Individuals periodically moved between job
responsibilities
- 23.
Best Practices for Access Control
• Job rotation (cont’d.)
– Employees can rotate within their department or
across departments
• Advantages of job rotation
– Limits amount of time individuals are in a position to
manipulate security configurations
– Helps expose potential avenues for fraud
• Individuals have different perspectives and may
uncover vulnerabilities
– Reduces employee burnout
- 24.
Best Practices for Access Control
• Least privilege
– Limiting access to information based on what is
needed to perform a job function
– Helps reduce attack surface by eliminating
unnecessary privileges
– Should apply to users and to processes running on
the system
– Processes should run with the minimum privileges
needed to function correctly (for example, under a
dedicated service account rather than an
administrator account)
- 25.
Best Practices for Access Control
Table 11-4 Challenges of least privilege
- 26.
Best Practices for Access Control
• Implicit deny
– If a request does not match an explicit allow rule, it
is rejected
– Example: a router or firewall access list ends with
an unwritten “deny all,” so only traffic matching an
explicit permit rule is passed
• Mandatory vacations
– Limits fraud, because perpetrator must be present
daily to hide fraudulent actions
– Audit of employee’s activities usually scheduled
during vacation for sensitive positions
- 27.
Implementing Access Control
• Technologies used to implement access control
– Access control lists
– Group Policy
– Account restrictions
- 28.
Access Control Lists
• Access control list (ACL)
– A set of permissions attached to an object
• Specifies which subjects may access the object
and what operations they can perform
• When a subject requests to perform an operation:
– System checks ACL for an approved entry
• ACLs are usually viewed in relation to operating
system files
- 29.
Access Control Lists
Figure 11-4 UNIX file permissions
- 30.
Access Control Lists
• Each entry in the ACL is called an access control
entry (ACE)
• ACE structure (Windows)
– Security identifier (SID) for the user or group account
or logon session
– Access mask that specifies the access rights
controlled by the ACE
– Flag that indicates the type of ACE (allow or deny)
– Set of flags that determine whether child objects
inherit the ACE
• ACEs are evaluated in order; in canonical order
explicit deny ACEs precede allow ACEs, and a request
that no ACE allows is denied
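A simplified Windows-style DACL evaluation, as an added example that is not the textbook's code and not the real Windows API. It shows the ACE fields listed above (SID, access mask, type flag, inheritance flags), the ordered walk with deny-before-allow, the implicit deny when no ACE matches, the DAC rule that only the owner or a WRITE_DAC holder may edit the list, and inheritance of ACEs by a child object. The SID strings, the access mask bit values and the sample file are constructed for the demonstration.

```python
# Added example (not the textbook's code): a toy DACL evaluator with
# Windows-style ACEs. Bit values and SIDs are constructed.
from dataclasses import dataclass, field
from typing import List, Set

READ, WRITE, EXECUTE, DELETE, WRITE_DAC = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class ACE:
    sid: str                    # trustee: user, group, or logon-session SID
    mask: int                   # access rights this ACE covers
    ace_type: str               # "allow" or "deny" (the ACE type flag)
    inheritable: bool = False   # may child objects inherit this ACE?
    inherited: bool = False     # was this ACE inherited from the parent?


@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: List[ACE] = field(default_factory=list)


@dataclass
class Token:
    user_sid: str
    group_sids: Set[str]

    def sids(self) -> Set[str]:
        return {self.user_sid} | self.group_sids


def canonicalize(dacl: List[ACE]) -> List[ACE]:
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.ace_type != "deny"))


def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """Walk the DACL in order. A deny ACE covering any still-needed right ends the
    check with failure; allow ACEs accumulate until every requested bit is granted.
    Falling off the end with bits still outstanding is the implicit deny."""
    remaining = desired
    for ace in canonicalize(sd.dacl):
        if ace.sid not in token.sids():
            continue
        if ace.ace_type == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def add_ace(token: Token, sd: SecurityDescriptor, ace: ACE) -> bool:
    """DAC rule: only the owner, or a holder of WRITE_DAC, may change the DACL."""
    if token.user_sid != sd.owner_sid and not access_check(token, sd, WRITE_DAC):
        return False
    sd.dacl.append(ace)
    return True


def create_child(parent: SecurityDescriptor, owner_sid: str) -> SecurityDescriptor:
    """A new child object starts with copies of the parent's inheritable ACEs."""
    inherited = [ACE(a.sid, a.mask, a.ace_type, a.inheritable, inherited=True)
                 for a in parent.dacl if a.inheritable]
    return SecurityDescriptor(owner_sid, inherited)


# Constructed sample: bob owns a file, Domain Users may read and execute,
# alice is explicitly denied write. The deny is listed last on purpose.
BOB, ALICE, DOMAIN_USERS = "S-1-5-21-1-1002", "S-1-5-21-1-1001", "S-1-5-21-1-513"
FILE = SecurityDescriptor(owner_sid=BOB, dacl=[
    ACE(BOB, READ | WRITE | DELETE | WRITE_DAC, "allow"),
    ACE(DOMAIN_USERS, READ | EXECUTE, "allow", inheritable=True),
    ACE(ALICE, WRITE, "deny"),
])
alice = Token(ALICE, {DOMAIN_USERS})
bob = Token(BOB, {DOMAIN_USERS})

if __name__ == "__main__":
    print("alice read :", access_check(alice, FILE, READ))          # True via group
    print("alice write:", access_check(alice, FILE, WRITE))         # False, explicit deny
    print("alice del  :", access_check(alice, FILE, DELETE))        # False, implicit deny
```

Two checks worth reading closely: a combined request such as READ | WRITE fails as a whole because the deny ACE matches one of the bits, and an empty DACL grants nobody anything (this toy does not model the Windows "NULL DACL" case, which grants everyone everything and is a common misconfiguration).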
- 31.
Group Policies
• Group Policy
– A Microsoft Windows feature that provides
centralized management and configuration of
computers and users through Active Directory
(AD)
– Usually used in enterprise environments
– Settings stored in Group Policy Objects (GPOs)
• Local Group Policy
– Has fewer options than a Group Policy
– Used to configure settings for systems not part of AD
- 32.
Account Restrictions
• Time of day restrictions
– Limits the time of day a user may log onto a system
– Time blocks for permitted access are chosen
– Can be set on individual systems
Figure 11-5 Time-of-day restrictions setting specific times and days
- 33.
Account Restrictions
Figure 6-11 Time-of-day restrictions using GUI
- 34.
Account Restrictions
• Account expiration
– Orphaned accounts: accounts that remain active
after an employee has left the organization
– Dormant accounts: not accessed for a lengthy period
of time
• Recommendations for dealing with orphaned or
dormant accounts
– Establish a formal process
– Terminate access immediately
– Monitor logs
- 35.
Account Restrictions
• Orphaned accounts remain a problem in today’s
organizations
• Account expiration
– Sets a user’s account to expire
• Password expiration sets a time when user must
create a new password
– Different from account expiration
• Account expiration can be a set date, or a number
of days of inactivity
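The account review the two slides above describe, as an added example that is not part of the textbook: given an export of accounts with last-logon timestamps and expiration dates, plus an HR leavers list, flag orphaned, dormant, expired and never-used accounts. The record fields, the names and dates, and the 90-day inactivity threshold are assumptions chosen for the demonstration.

```python
# Added example (not the textbook's code): flag orphaned, dormant and expired
# accounts from a constructed export and a constructed HR leavers list.
from datetime import date, datetime
from typing import Dict, List, Optional, Set

ACCOUNTS: List[Dict[str, Optional[str]]] = [      # constructed sample records
    {"name": "alice",      "last_logon": "2024-05-10T08:12:00", "expires": None},
    {"name": "bob",        "last_logon": "2024-01-03T17:40:00", "expires": None},
    {"name": "carol",      "last_logon": "2024-05-01T09:00:00", "expires": None},
    {"name": "svc_backup", "last_logon": None,                  "expires": "2024-03-31"},
]
HR_LEAVERS: Set[str] = {"carol"}                   # constructed: people who have left


def review_accounts(accounts, leavers: Set[str], today: date,
                    dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return {account: [reasons]} for every account that should be disabled or
    reviewed. One account can trip several checks; the formal process decides
    what happens next, but "orphaned" means terminate access immediately."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons: List[str] = []
        if acct["name"] in leavers:
            reasons.append("orphaned")                 # owner has left the organization
        if acct["expires"] and date.fromisoformat(acct["expires"]) < today:
            reasons.append("expired")                  # fixed account expiration date passed
        if acct["last_logon"] is None:
            reasons.append("never-used")               # created but never logged in
        else:
            idle = (today - datetime.fromisoformat(acct["last_logon"]).date()).days
            if idle > dormant_days:
                reasons.append(f"dormant:{idle}d")     # inactivity-based expiration
        if reasons:
            findings[acct["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in review_accounts(ACCOUNTS, HR_LEAVERS, date(2024, 5, 15)).items():
        print(f"{name:12s} {', '.join(why)}")
```

Cross-referencing the directory against the HR leavers list is what catches orphaned accounts; the directory alone cannot tell that carol, who logged in two weeks ago, has left.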
- 36.
Authentication Services
• Authentication
– Process of verifying credentials
• Authentication services provided on a network
– Dedicated authentication server
– A server that performs authentication, authorization,
and accounting is called an AAA server
• Common types of authentication and AAA servers
– RADIUS, Kerberos, Terminal Access Controller
Access-Control System (TACACS), generic servers built
on the Lightweight Directory Access Protocol (LDAP),
and federated login based on the Security Assertion
Markup Language (SAML)
- 37.
RADIUS
• Remote Authentication Dial In User Service
– Developed in 1992
– Became an industry standard (RFC 2865); runs over
UDP, by default port 1812 for authentication and
1813 for accounting
– Suitable for high volume service control applications
• Such as dial-in access to corporate network
– Still in use today for Wi-Fi (802.1X), VPN, and
network device logins
• RADIUS client
– Typically a network access device such as a wireless
AP, VPN gateway, or switch
• Responsible for sending user credentials and
connection parameters to the RADIUS server
• Only the User-Password attribute is obfuscated (with
MD5 and the shared secret); the rest of the packet is
plaintext, so RADIUS should be confined to trusted
networks or carried over IPsec or RadSec (TLS)
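What the RADIUS client actually sends, as an added example that is not part of the textbook: the User-Password hiding from RFC 2865 section 5.2 on the client side and its reversal on the server side, plus the Response Authenticator from section 3 that lets the client check a reply came from a server holding the shared secret. The secret, the Request Authenticator and the packet fields below are constructed test values.

```python
# Added example (not the textbook's code): RFC 2865 User-Password hiding and
# Response Authenticator computation, with constructed test values.
import hashlib
import hmac
import os
import struct


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Client side: pad to 16-octet blocks, XOR each block with MD5(secret + previous
    block); the first "previous block" is the 16-octet Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block        # chaining: the next keystream depends on this ciphertext block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side. Anyone who captured the Access-Request and knows (or guesses)
    the secret can run exactly this function, which is why the secret matters."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret). Length covers
    the 20-octet header plus the attributes. The server puts this in its reply."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def verify_response(code: int, identifier: int, attributes: bytes, received: bytes,
                    request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not match was not produced by
    a server holding the secret (or was altered in transit) and must be dropped."""
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"testing123"                       # constructed shared secret
    ra = os.urandom(16)                          # client picks a fresh Request Authenticator
    hidden = hide_user_password(b"correct horse battery", secret, ra)
    print("hidden User-Password:", hidden.hex())
    print("recovered by server :", reveal_user_password(hidden, secret, ra))
    accept = response_authenticator(2, 7, b"", ra, secret)   # code 2 = Access-Accept
    print("reply verifies      :", verify_response(2, 7, b"", accept, ra, secret))
```

Because the hiding is a plain XOR with an MD5 keystream, an eavesdropper on the client-to-server path who can guess the shared secret recovers every password offline with reveal_user_password; the secret length and the network placement of RADIUS traffic are therefore the controls that matter.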
- 38.
RADIUS
Figure 11-7 RADIUS authentication
- 39.
RADIUS
• RADIUS user profiles are stored in a central
database that all remote servers can share
• Advantages of a central service
– Increases security due to a single administered
network point
– Easier to track usage for billing and keeping network
statistics
- 40.
Kerberos
• Authentication system developed at MIT
– Uses encryption and authentication for security
• Widely used; it is the default authentication protocol
in Microsoft Active Directory domains and is common
in educational and government settings
• Works like using a driver’s license to cash a check
• Kerberos ticket characteristics:
– Encrypted with a key the user does not hold, so it is
difficult to forge or alter
– Contains information linking it to the user
– User presents the ticket to a network service, which
verifies it without contacting the authentication
server again
– Expires in a few hours or a day
- 41.
Terminal Access Controller Access-Control
System (TACACS)
• Authentication service similar to RADIUS
• Originally used on UNIX systems; now commonly used
to control administrative logins to network devices
such as routers and switches
• Communicates by forwarding user authentication
information to a centralized server
• The current version is TACACS+
– Uses TCP port 49, encrypts the whole packet body
(RADIUS hides only the password), and separates
authentication, authorization, and accounting, which
allows per-command authorization
- 42.
Terminal Access Controller Access-Control
System (TACACS)
Table 11-5 Comparison of RADIUS and TACACS+
- 43.
Lightweight Directory Access Protocol
(LDAP)
• A directory service is a database stored on a
network
– Contains information about users and network
devices
– Keeps track of network resources and user’s
privileges to those resources
– Grants or denies access based on its information
• Standard for directory services
– X.500
- 44.
Lightweight Directory Access Protocol
• X.500 defines the Directory Access Protocol (DAP)
that client applications use to query the directory
• LDAP
– A simpler subset of DAP
– Designed to run over TCP/IP (port 389)
– Encodes protocol elements in a simpler way than
X.500
• LDAP traffic is transmitted in cleartext by default
– Can be made secure by using SSL or TLS
– Known as Secure LDAP or LDAP over SSL
(LDAPS, port 636); alternatively the connection on
port 389 can be upgraded with the StartTLS
extended operation
- 45.
Lightweight Directory Access Protocol
• Weakness of LDAP
– Can be subject to LDAP injection attacks
• Similar to SQL injection attacks
• Occurs when user input is concatenated into a
search filter without escaping the filter
metacharacters ( ) * \ and NUL
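The vulnerable filter beside its escaped form, as an added example that is not part of the textbook. A small filter evaluator over a constructed in-memory directory makes the difference visible offline: the unescaped filter lets a caller who types `*` match every person, while the escaped filter treats the asterisk as a literal character. The directory entries, attribute names and usernames are invented for the demonstration, and the parser supports only the `&`, `|`, `!` and equality-with-wildcard forms of RFC 4515.

```python
# Added example (not the textbook's code): LDAP filter built by concatenation
# beside its escaped form, plus a minimal filter evaluator so both can be run
# against a constructed directory.
import re
from typing import Dict, List

DIRECTORY: List[Dict[str, str]] = [                 # constructed sample entries
    {"uid": "alice",    "objectClass": "person"},
    {"uid": "admin",    "objectClass": "person"},
    {"uid": "bob",      "objectClass": "person"},
    {"uid": "printer1", "objectClass": "device"},
]


def build_filter_unsafe(username: str) -> str:
    """Vulnerable: the caller's input lands in the filter verbatim."""
    return f"(&(objectClass=person)(uid={username}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value: \\ * ( ) and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter_safe(username: str) -> str:
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


# --- minimal filter parser/evaluator: &, |, !, and equality with * wildcards ---
def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated list filter")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated not filter")
        return ("!", [node]), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)          # an unescaped ')' always ends the value
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def parse_filter(s: str):
    try:
        node, end = _parse(s, 0)
    except IndexError:
        raise ValueError("unbalanced filter") from None
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _unescape(literal: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), literal)


def _value_matches(pattern: str, actual: str) -> bool:
    # Only a raw '*' is a wildcard; an escaped \2a is a literal asterisk.
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual, re.IGNORECASE) is not None


def _matches(node, entry: Dict[str, str]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, pattern = node
    return attr in entry and _value_matches(pattern, entry[attr])


def search(entries: List[Dict[str, str]], filter_string: str) -> List[str]:
    """Return the uids of entries matching the filter, in directory order."""
    node = parse_filter(filter_string)
    return [e["uid"] for e in entries if _matches(node, e)]


if __name__ == "__main__":
    for user in ("alice", "*", "a*"):
        print(f"{user!r:8s} unsafe -> {search(DIRECTORY, build_filter_unsafe(user))}"
              f"  safe -> {search(DIRECTORY, build_filter_safe(user))}")
```

With a real client library, use its escaping routine rather than this one; python-ldap ships `ldap.filter.escape_filter_chars` for exactly this purpose, and the same applies to the `(`, `)` and `*` characters in distinguished-name components, which need the separate RFC 4514 escaping.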
- 46.
Security Assertion Markup Language
(SAML)
• SAML
– An Extensible Markup Language (XML) standard
that allows separate security domains to exchange
user authentication and authorization data
– Allows a user’s login credentials to be held by a
single identity provider (IdP) instead of being stored
on each web service provider’s (SP) server; the SP
trusts a digitally signed assertion from the IdP
– Used extensively for online e-commerce business-
to-business (B2B) and business-to-consumer (B2C)
transactions, and for enterprise single sign-on
- 47.
Security Assertion Markup Language
(SAML)
Figure 11-8 SAML transaction
- 48.
- 48. © Cengage Learning 2015
Summary
• Access control is the process by which resources
or services are denied or granted
• Four major access control models exist
• Best practices for implementing access control
– Separation of duties
– Job rotation
– Least privilege
– Implicit deny
– Mandatory vacations
- 49.
Summary
• Access control lists define which subjects are
allowed to access which objects
– Specify which operations they may perform
• Group Policy is a Windows feature that provides
centralized management and configuration
• Authentication services can be provided on a
network by a dedicated AAA or authentication
server
– RADIUS is the industry standard
Editor's Notes
- CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 11
Access Control Fundamentals
- Access Control Terminology
Table 11-1 Basic steps in access control
- Access Control Terminology
Table 11-2 Roles in access control
- Access Control Terminology
Figure 11-1 Technical access control process and terminology
- Access Control Models
Figure 11-2 Windows Discretionary Access Control (DAC)
- Access Control Models
Figure 11-3 Windows User Account Control (UAC) prompt
- Access Control Models
Table 11-3 Access control models
- Best Practices for Access Control
Table 11-4 Challenges of least privilege
- Access Control Lists
Figure 11-4 UNIX file permissions
- Account Restrictions
Figure 11-5 Time-of-day restrictions setting specific times and days
- Account Restrictions
Figure 6-11 Time-of-day restrictions using GUI
- RADIUS
Figure 11-7 RADIUS authentication
- Terminal Access Controller Access-Control System (TACACS)
Table 11-5 Comparison of RADIUS and TACACS+
- Security Assertion Markup Language (SAML)
Figure 11-8 SAML transaction