Implementing Secure Identity and Access Management

While the idea of secure identity and access management sounds daunting, all it refers to is a process in which users claim an identity with a username and prove that identity by authenticating, in order to be granted access to resources based on their proven identity. In this article, Secur takes you through:

  • Authentication concepts and methods,
  • Some basic security principles used to manage accounts, and
  • A comparison of some access control models.

After going through this article, you should be able to understand and explain questions related to the following security-related objectives:

  • Explain the impact associated with vulnerabilities due to improperly configured accounts
  • Troubleshoot common security issues related to unencrypted credentials/clear text and authentication issues
  • Implement secure protocols
  • Implement secure systems design by disabling default accounts/passwords.
  • Compare and contrast identity and access management concepts
    • Identification, authentication, authorization and accounting
    • Multifactor authentication
    • Federation
    • Single sign-on
    • Transitive trust
  • Given a scenario, install and configure identity and access services.
    • LDAP
    • Kerberos
    • SAML
    • OpenID Connect
    • OAUTH
    • Shibboleth
    • Secure token
    • NTLM
  • Implement identity and access management models
    • Access control models (MAC, DAC, ABAC, Role-based access control, Rule-based access control)
    • Biometric factors (Fingerprint scanner, Retinal scanner, Iris scanner, Voice recognition, Facial recognition, False acceptance rate, False rejection rate, Crossover error rate)
    • Tokens (Hardware, Software, HOTP/TOTP)
    • Certificate-based authentication (PIV/CAC/smart card)
  • Given a scenario, differentiate common account management practices.
    • Account types (User account, Shared and generic accounts/credentials, Guest accounts, Service accounts, Privileged accounts)
    • General Concepts (Least privilege, Time-of-day restrictions, Recertification, Standard naming convention, Account maintenance, Group-based access control, Location-based policies)
    • Account policy enforcement (Credential management, Group policy, Password complexity, Expiration, Recovery, Disablement, Lockout, Password history, Password reuse, Password length)
  • Compare and contrast basic concepts of cryptography

Understanding Authentication

The importance of authentication cannot be overstated, as you can’t control access if you can’t identify a user. Authentication is the process of proving a user’s identity with some form of credentials (at least two entities must know the credentials), such as the combination of a username and password, in what is essentially a two-step process.

  • Identification occurs when users claim (or profess) their identity with identifiers such as usernames or email addresses.
  • Users then prove their identity with authentication credentials, such as with a password; the authenticator then verifies the credentials.

Authentication is not limited to humans: services, processes, workstations, servers, and network devices all use authentication to prove their identities, and many computers use mutual authentication, where both parties authenticate to each other.

How Authentication, Authorization, and Accounting Interact with Identification

In a properly configured secure computer system, the triple A’s of authentication, authorization, and accounting (AAA) work together with identification methods to provide a comprehensive access control and management system. If users can bypass the authentication process, the authorization and accounting processes are ineffective.

Once you’ve digested the identification (the claiming of an identity) and authentication (proving the identity with unique credentials) processes, it’s time to add in authorization and accounting.

  • Authorization: Granting access to resources based on a user’s proven identity. This can be as simple as granting a user permission to read data in a shared folder.
    • Properly configured access control systems include multiple security controls to ensure that users can access the resources they’re authorized to use, but no more.
  • Accounting: Tracking user activity and recording it in audit logs. Administrators use these logs to create an audit trail, which allows security professionals to re-create the events that preceded a security incident.

Effective access control starts with strong authentication mechanisms, such as the use of robust passwords, smart cards, or biometrics. 

Different Computer System Authentication Factors

Basically, authentication factors are something you:

  • Know (password or personal identification number)
  • Have (smart card or USB token)
  • Are (fingerprint or other biometric identification)
  • Visit (your location using geolocation technologies)
  • Do (gestures on a touch screen)

Dual-Factor and Multifactor Authentication

An authentication system that uses two different factors provides either dual-factor authentication or multifactor authentication.

  • Multifactor authentication indicates multiple factors, and multiple is simply more than one.
  • Using two methods of the same authentication factor is not dual-factor authentication.
    • Entering a password and a PIN, both “something you know” factors, is single-factor authentication, not dual-factor authentication.
    • Dual-factor (two-factor) authentication uses two different factors of authentication, such as something you have and something you know.
  • Multifactor authentication uses two or more factors of authentication. For example, you can combine the something you are factor with one or more other factors of authentication.

Something You Know

Something you know refers to a shared secret, such as a password or even a PIN. While considered the least secure form of authentication, the security it provides can be improved with a few simple steps.

Password Complexity

You can make passwords more secure by requiring them to be complex and strong. By industry standard, a strong password is:

  • Of sufficient length
  • Free of words found in a dictionary
  • Not any part of a user’s name
  • A combination of at least three of the four following character types:
    • Uppercase characters (26 letters A–Z)
    • Lowercase characters (26 letters a–z)
    • Numbers (10 numbers 0–9)
    • Special characters (32 printable characters, such as !, $, and *)
  • Easily usable

While a complex password uses multiple character types, a complex password isn’t necessarily strong by default, as it also needs to be sufficiently long. The key point is that longer passwords using more character types are more secure, and short passwords of 4 or 5 characters are extremely weak. To understand the impact of password length on password strength, you need to understand the concept of “key space”, which you can calculate with the following formula:

C^N

  • C: The number of possible characters used, and
  • N: The length of the password.
  • ^: Indicates that C is raised to the power N.

Let’s dive into some simple mathematical examples to illustrate the concept.

A basic 6-character password using only lowercase letters (26 letters) has a key space of 26^6, or about 308 million possibilities. If you change this to a 10-character password, the value is 26^10, or about 141 trillion possibilities.

  • While these look like a high number of possibilities, there are password-cracking tools that can test more than 20 billion passwords per second on desktop computers with a high-end graphics processor. With such a tool, attackers can crack a 10-character password using only lowercase characters (141 trillion possibilities) in less than two hours.

If you use all 94 printable characters (uppercase, lowercase, numbers, and special characters) with the same 6- and 10-character password lengths, the values change:

  • 94^6 is about 689 billion possibilities, and
  • 94^10 is about 53 quintillion (53 followed by 18 zeroes).

The password-cracking tool that cracks a lowercase password in two hours will take years to crack a 10-character password using all four character types.
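As an added example (not from the original article), the following Python checks a password against the policy described above and computes its key space and worst-case time-to-crack at the quoted rate of 20 billion guesses per second; the dictionary word list and the account-name splitting are constructed stand-ins for this example.

```python
import string

# Character classes from the article: 26 uppercase, 26 lowercase, 10 digits,
# 32 printable special characters (94 printable characters in total).
CLASSES = (
    (set(string.ascii_uppercase), 26),
    (set(string.ascii_lowercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)

# Cracking rate quoted in the article: 20 billion guesses per second on a GPU desktop.
GUESSES_PER_SECOND = 20_000_000_000

# Constructed stand-in for a real dictionary word list (assumption for this example).
DICTIONARY = {"password", "welcome", "dragon", "summer", "letmein"}


def key_space(alphabet_size: int, length: int) -> int:
    """C^N: each of the N positions can hold any of the C characters."""
    return alphabet_size ** length


def seconds_to_crack(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate in the key space is tried once."""
    return space / rate


def classes_used(password: str) -> list:
    """Return the sizes of the character classes the password actually draws on."""
    return [size for chars, size in CLASSES if any(ch in chars for ch in password)]


def effective_key_space(password: str) -> int:
    """Key space an attacker who knows which classes are in use must search."""
    return key_space(sum(classes_used(password)), len(password))


def check_policy(password: str, username: str, min_length: int = 14) -> list:
    """Return the violations of the article's policy; an empty list means compliant."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < 3:
        problems.append("uses fewer than three of the four character types")
    lowered = password.lower()
    # 'Not any part of a user's name': reject any token of the account name
    # (assumption: account names split on dots and spaces, as in 'james.smith').
    for part in username.lower().replace(".", " ").split():
        if part in lowered:
            problems.append(f"contains part of the user name: {part!r}")
    # 'Free of words found in a dictionary' (checked against the constructed list).
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains dictionary word: {word!r}")
    return problems


def report(password: str, username: str) -> str:
    """Human-readable summary used when the script is run directly."""
    space = effective_key_space(password)
    years = seconds_to_crack(space) / (365 * 24 * 3600)
    verdict = check_policy(password, username) or ["compliant"]
    return f"{password!r}: key space {space:.3g}, ~{years:.2g} years to exhaust; " + "; ".join(verdict)


if __name__ == "__main__":
    # The article's two worked values: 26^10 falls in under two hours, 94^10 takes years.
    print(f"26^10 -> {seconds_to_crack(key_space(26, 10)) / 3600:.2f} hours")
    print(f"94^10 -> {seconds_to_crack(key_space(94, 10)) / (365 * 24 * 3600):.1f} years")
    for pw in ("123456", "1twoskipafew5", "Password123!", "Correct!Horse9battery"):
        print(report(pw, "james.smith"))
```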

Having said that, if you make a password too complex, you make it less secure, as it won’t be used properly: users are more likely to write it down, which significantly reduces security.

The solution to this is to use “passphrases”: instead of a nonsensical string of characters, use a long string of characters that has meaning to the user and includes all four character types (uppercase letters, lowercase letters, one or more numbers, and one or more special characters).

Corporate password policies typically start as a written document that identifies the organization’s security goals related to passwords. For example, it might specify that passwords must be at least 14 characters long, complex, and users should change them every 45 days. 

Strong passwords never include words that can be easily guessed, such as a user’s name, words in a dictionary (for any language), or common key combinations.

Training Proper Password Behaviors in Users

Human nature being what it is, most user habits are not conducive to password security. The honest truth is that most users don’t understand the value of their password and the potential damage of sharing it. Organizations need a plan to provide training to users on password security, including:

  • The creation of strong passwords, and
  • The importance of never sharing passwords.

Year after year, the password “123456” appears on lists as the most common password in use, which is almost like using no password at all; users can significantly increase password strength by using a simple passphrase such as “1twoskipafew5”.

Password Expiration

Organizations should force users to change their passwords on a regular basis, and these days many systems use technical password policies that force users to change their passwords regularly or lose application access.

Password Recovery

Given the number of passwords we need to manage these days, users occasionally forget their password. In many organizations, help-desk professionals or other administrators reset user passwords. The standard protocol before resetting the password is to verify the user’s identity, which can be done in a variety of ways.

  • Help Desk Administered: The help-desk professional should set the password as a temporary password that expires upon first use. This requires the user to change the password immediately after logging on, which maintains password integrity.
  • Self-Service Password Reset: This type of recovery system automates the process by offering users a link, such as “Forgot Password”; when users click on this link, a secure system sends them a password reset link. An insecure system might send the password via email, or reset the password and send the new password via email.
  • Identity-Proofing System: Asks users questions that they previously answered, such as the name of their first dog, the name of their first boss, and so on. Once users prove their identity, the system gives them the opportunity to change their password.
  • Code-Based System: Many password reset systems send users a code, such as a six-digit PIN, to their mobile phone or to an alternate email address that they preconfigured. When users receive this PIN, they can enter it and then change their password.

Password History and Reuse

For obvious reasons, most of us would prefer to use the same password forever simply because it’s easier to remember, and even when forced to modify passwords, most users simply change them back to the original password, which weakens overall security. A password history system remembers past passwords and prevents users from reusing them.

Group Policy and Password Security

Windows-based networks use Group Policy to manage multiple users and computers in a given domain by implementing it on domain controllers. Group Policy allows:

  • An administrator to configure a setting once in a Group Policy Object (GPO) and apply this setting to many users and computers within the domain. Although you can implement Group Policy on single, stand-alone Windows computers, the great strength of Group Policy comes when you implement it in a Microsoft domain.
    • As an example, if you want to change the local Administrator password on all the computers in your domain, you can configure a GPO once, link the GPO to the domain, and it changes the local Administrator password for all the computers in the domain, regardless of how many computers there are.
  • Administrators to target specific groups of users or computers. If administrators organize user accounts and computer accounts in organizational units (OUs), they can then create a GPO, link it to a specific OU, and the GPO settings only apply to the users and computers within that specific OU.
  • Setting a Password Policy: The password policy settings are a common group of settings that administrators configure in Group Policy. The image below shows the Local Group Policy Editor with the Password Policy selected in the left pane.
Windows Local Group Policy User interface. The right pane shows the password policy for a Windows system.
  • Enforce password history: Some users will go back and forth between two passwords that they constantly reuse; password history remembers past passwords and prevents the user from reusing them.
  • Maximum password age: This setting defines when users must change their password. For example, setting this to 45 days causes the password to expire after 45 days, forcing users to reset their password to a new one on the 46th day.
  • Minimum password age: The minimum password age defines how long users must wait before changing their password again. If you set this to 42 days, it prevents users from changing their passwords until 42 days have passed. This is useful together with a password history to prevent users from changing their password multiple times until they get back to the original password. If the password history is set to 24 and the minimum password age is set to 1 day, it will take a user 25 days to get back to the original password. This is enough to discourage most users.
  • Minimum password length: This setting enforces the character length of the password. It’s common to require users to have passwords at least 14 characters long, but some organizations require administrators to have longer passwords.
  • Password must meet complexity requirements: This setting requires users to have complex passwords that include at least three of the four character types (uppercase letters, lowercase letters, numbers, and special characters).
  • Store passwords using reversible encryption: Reversible encryption stores the password in such a way that the original password can be recovered. This is rarely enabled.
  • Account Lockout Policies: Another aspect of password administration is setting up lockout policies, which prevent users from guessing passwords; if a user enters the wrong password too many times, the system locks the user’s account. In the “Group Policy” image above that shows the “Password Policy” settings, the “Account Lockout Policy” is found right below and is used to implement a lockout policy. Two important account lockout policies are:
    • Account lockout threshold: The maximum number of times a user can enter the wrong password; when exceeded, the system locks the account.
    • Account lockout duration: Indicates how long an account remains locked, after which the system automatically unlocks the account. If the duration is set to 0, the account remains locked until an administrator unlocks it.

Changing Default Passwords

As almost anyone who has bought a router knows, most devices and systems ship with default passwords.

Change them immediately or risk being the inspiration for this sort of article.

Your basic security practice is to change these defaults before putting a system into use. If you don’t change the password, anyone who knows the defaults can log on and take control of the router. This also includes changing the default name of the Administrator account, as often the Administrator account can’t be locked out through regular lockout policies, allowing an attacker to keep guessing its password without risking being locked out. Once the name is changed, an attacker needs to know the new administrator name before they can guess the password.

A cool security hack is to add a dummy user account named “administrator” with no permissions, so if someone tries to guess the password of this account, the system locks it down, alerting administrators to a possible attack.

Something You Have

This method of authentication utilizes an object in the physical possession of an authorized user, such as smart cards, common access cards, and software or hardware tokens.

Smart Cards

Smart cards are credit card-sized cards that have an embedded microchip and a certificate, which provide confidentiality, integrity, authentication, and non-repudiation. Smart cards are often used with another factor of authentication.

Example of a smart card

For example, a user may also enter a PIN or password in addition to using the smart card. Because the smart card is in the something you have factor and the PIN is in the something you know factor, this combination provides dual-factor authentication. Users insert the smart card into a smart card reader so the system can read the information on the card, including the details from the certificate, which provides certificate-based authentication. The embedded certificate uses public key encryption to provide more secure authentication than a password alone. Additionally, the certificate can be used for digital signatures and data encryption.

Smart card authentication requires the following:

  • Embedded certificate: The embedded certificate holds a user’s private key (used each time the user logs on to a network) and is matched with a public key.
  • Public Key Infrastructure (PKI): PKI supports issuing and managing certificates.

CACs and PIVs

Common Access Cards (CACs) and Personal Identity Verification (PIV) cards both support dual-factor (two-factor) authentication; users generally log on with the smart card and by entering information they know, such as a password. Additionally, just as with smart cards, these cards include embedded certificates used for digital signatures and encryption.

Samples of Common Access Cards.

A CAC is a specialized type of smart card used by the U.S. Department of Defense. In addition to including the capabilities of a smart card, it also includes a picture of the user and other readable information. Users can use the CAC as a form of photo identification to gain access to a secure location. For example, they can show their CAC to guards who are protecting access to secure areas. Once inside the secure area, users can use the CAC as a smart card to log on to computers. A Personal Identity Verification (PIV) card is a specialized type of smart card used by U.S. federal agencies. It also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users, just as a CAC does.

Tokens or Key Fobs

A token or key fob provides dual-factor authentication, as users must have something (the token) and know something (their password). Tokens, sometimes called hardware tokens to differentiate them from logical, or software, tokens, are electronic devices about the size of a remote key for a car and include a liquid crystal display (LCD) that displays a number that changes periodically. This number is a one-time-use, rolling password and isn’t useful to attackers for very long, even if they can discover it.

RSA security fob.

The token is synced with a server that knows what the number is at any moment. When the token is used to authenticate via a web site, users enter the number displayed on the token along with their username and password.

HOTP and TOTP

One-time passwords function similarly to the token above and use a hash function and a cryptographic key to generate a Hash-based Message Authentication Code (HMAC). One significant benefit of HMAC-based systems is price, as hardware tokens that use open standards are significantly less expensive than tokens that use proprietary algorithms; many software applications also use these algorithms to create software tokens used within the application.

  • HMAC-based One-Time Password (HOTP): An open standard used for creating one-time passwords, similar to those used in tokens or key fobs; the algorithm combines a secret key and an incrementing counter using HMAC to create a hash, which is then transformed into an HOTP value of six to eight digits. A password created with HOTP remains valid until it’s used, which is a risk, because other people can use the password if they discover it.
  • Time-based One-Time Password (TOTP): Similar to HOTP, but uses a timestamp instead of a counter. One-time passwords created with TOTP typically expire after 30 seconds.

Something You Are

The something you are authentication factor uses biometrics for authentication. Biometric methods are the strongest form of authentication because they are the most difficult for an attacker to falsify. 

Biometric Methods

A finger print scanner.

Biometrics use a physical characteristic, such as a fingerprint, for authentication. Biometric systems use a two-step process. In the first step, users register with the authentication system. For example, an authentication system first captures a user’s fingerprint and associates it with the user’s identity. Later, when users want to access the system, they use their fingerprints to prove their identity. There are multiple types of biometrics, including:

  • Facial recognition: Identifies users based on numerous factors such as the size of their face compared with the rest of their body and the size, shape, and position of their eyes, nose, mouth, cheekbones, and jaw. A drawback is that it is sometimes negatively affected by changes in lighting.
  • Fingerprint scanner: Many laptop computers and USB flash drives include fingerprint scanners or fingerprint readers, and they are also common on tablet devices and smartphones.
  • Iris scanner: Captures the patterns of the iris around the pupil for recognition. Iris scanners can take pictures from about 3 to 10 inches away, avoiding the physical contact required by retina scanners.
  • Retina scanner: Scans the retina of one or both eyes and uses the pattern of blood vessels at the back of the eye for recognition.
  • Voice recognition: Uses speech recognition methods to identify different acoustic features of a person’s voice.

Biometrics can be very exact when the technology is implemented accurately. True readings occur when the biometric system accurately accepts or rejects a user. For example, true acceptance is when the biometric system accurately determines a positive match. In contrast, true rejection occurs when the biometric system accurately determines a nonmatch. The reality is that these systems are not infallible, as they do generate errors, or false readings:

  • False acceptance (false positive): An unauthorized user is incorrectly identified as an authorized user; the false acceptance rate (FAR) identifies the percentage of times false acceptance occurs.
  • False rejection (false negative): A biometric system rejects an authorized user; the false rejection rate (FRR, or false nonmatch rate) identifies the percentage of times false rejection occurs.

You can adjust the sensitivity, or threshold level, at which biometric system errors occur.

  • Increasing sensitivity: Decreases the number of false matches and increases the number of false rejections.
  • Decreasing sensitivity: Increases false matches while decreasing false rejections.

You optimize the performance of a biometric system by getting the crossover error rate (CER) as low as possible. The crossover error rate is the point where the false acceptance rate crosses over the false rejection rate. A lower CER indicates that the biometric system is more accurate.
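As an added illustration (not from the original article), the Python below sweeps the match threshold of a biometric system over constructed genuine and impostor match scores, computes FAR and FRR at each threshold, and locates the crossover error rate; the score values are made up for the example.

```python
# Constructed match scores (0.0 = no similarity, 1.0 = perfect match), made up for this example.
# Genuine: enrolled users presenting their own fingerprint. Impostor: someone presenting another's.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.86]
IMPOSTOR_SCORES = [0.21, 0.35, 0.48, 0.30, 0.62, 0.27, 0.55, 0.40, 0.73, 0.33]


def far(impostor_scores, threshold):
    """False acceptance rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores, steps=100):
    """(threshold, FAR, FRR) for each threshold from 0.00 to 1.00 in 1/steps increments."""
    return [(i / steps, far(impostor_scores, i / steps), frr(genuine_scores, i / steps))
            for i in range(steps + 1)]


def crossover_error_rate(genuine_scores, impostor_scores, steps=100):
    """Threshold where FAR and FRR are closest, and the error rate there (the CER)."""
    curve = error_curve(genuine_scores, impostor_scores, steps)
    t, a, r = min(curve, key=lambda p: abs(p[1] - p[2]))  # first minimum wins on ties
    return t, (a + r) / 2


if __name__ == "__main__":
    # Raising the threshold (higher sensitivity) lowers FAR and raises FRR, as the article states.
    for t in (0.50, 0.70, 0.80):
        print(f"threshold {t:.2f}: FAR={far(IMPOSTOR_SCORES, t):.2f} FRR={frr(GENUINE_SCORES, t):.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.2f} at threshold {t:.2f}")
```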

Somewhere You Are

Somewhere you are makes use of geolocation technologies to identify a user’s location. Many systems use the Internet Protocol (IP) address to geolocate authorized users by whitelisting specific IP addresses that can be used to access a system. Having said that, using an IP address for geolocation isn’t foolproof, as an IP address can be spoofed in a number of ways.

Something You Do

Also called behavioral biometrics, something you do identifies behavioral traits of an individual that lend themselves to use as an authentication factor, which might include:

  • Gestures on a touch screen in response to prompts from a system
  • Analyzing how a user writes or types; keystroke dynamics measure the pattern and rhythm as a user types on a keyboard and include metrics like speed, dwell time (the time a key is pressed), and flight time (the time between releasing one key and pressing the next).

Comparing Authentication Services

Now that we have discussed the basic factors of authentication, we are going to look at authentication services that build upon these factors; common to all these services is that they do not send unencrypted credentials across a network, preventing the use of a protocol analyzer to capture and view them. 

Kerberos

Originally developed at the Massachusetts Institute of Technology for Unix systems, Kerberos is a network authentication mechanism used within Windows Active Directory domains that provides mutual authentication in order to prevent:

  • Man-in-the-middle attacks
  • Replay attacks.

The Kerberos mechanism has a number of components (as seen in the diagram below):

  • Authentication tickets: The Key Distribution Center (KDC) issues ticket-granting tickets (TGTs) and other tickets that include user credentials within the ticket. These tickets, sometimes referred to as tokens, authenticate users when they access resources such as files on a file server.
  • Time synchronization: To prevent replay attacks, in which a third party attempts to impersonate a client after intercepting data captured in a session, Kerberos requires all systems to be synchronized within five minutes of each other. The clock that provides the time synchronization is used to timestamp tickets, ensuring they expire correctly. If an attacker intercepts a ticket, the timestamp limits the amount of time the attacker can use it.
  • A database of subjects or users

The diagram below shows the Kerberos workflow.

Process flow associated with Kerberos authentication.

  • When a user logs on with Kerberos, the KDC issues the user a ticket-granting ticket, typically with a lifetime of 10 hours. When the user tries to access a resource, the ticket-granting ticket is presented as authentication, and the user is issued a ticket for the resource.
    • Tickets expire if users stay logged on for longer than the lifetime of the ticket, preventing the user from accessing network resources.
    • Users may be prompted to provide a password to renew the ticket-granting ticket.
  • Additionally, Kerberos uses symmetric-key cryptography to ensure confidentiality and prevent unauthorized disclosure.

NTLM

New Technology LAN Manager (NTLM) is a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems; NTLM uses a Message Digest hashing algorithm to challenge users and check their credentials. There are three versions of NTLM:

  • NTLM: A simple MD4 hash of a user’s password, but since MD4 has been cracked, don’t use this version. We list it only so you are aware of it.
  • NTLMv2: A challenge-response authentication protocol; when a user attempts to log on, NTLMv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain name (or computer name), the user’s password, the current time, and more. To create the HMAC-MD5 message authentication code, the process starts with the MD5 hash of the user’s password, which is then encrypted.
  • NTLM2 Session: Adds mutual authentication to NTLMv2.

In practice, developers working with Microsoft technology should use the Negotiate security package within their applications, which selects the most secure security protocol available between the systems.

LDAP

Windows domains use Active Directory, a directory of objects (like users, computers, and groups) that is based on LDAP, to provide a single location for object management.

  • Lightweight Directory Access Protocol (LDAP), an extension of the X.500 standard that Novell and early Microsoft Exchange Server versions used, specifies formats and methods to query directories: databases of objects that provide a central access point to manage users, computers, and other directory objects.
    • Active Directory queries use the LDAP format.
    • Similarly, Unix realms use LDAP to identify objects.

Let’s work through the use of LDAP in scripts, so you understand how the process works.

For example, “James”, a user in the Users container within the secur.cc domain is identified with the following LDAP string:

LDAP://CN=James,CN=Users,DC=Secur,DC=cc

  • CN=James: CN is short for common name.
  • CN=Users: CN, in this context, refers to the container.
  • DC=Secur: DC is short for domain component.
  • DC=cc: This is the second domain component in the domain name.
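To make the walk-through concrete, here is an added Python example (not from the article) that splits an LDAP path such as the one above into its attribute/value pairs and derives the DNS domain from the DC components; the handling of backslash-escaped commas follows RFC 4514 and goes beyond what the article shows.

```python
# Meaning of the attribute types used in the article's walk-through (OU added for completeness).
ATTRIBUTE_NAMES = {"CN": "common name", "OU": "organizational unit", "DC": "domain component"}


def parse_ldap_path(path: str) -> list:
    """Split 'LDAP://CN=James,CN=Users,DC=Secur,DC=cc' into [('CN', 'James'), ...].
    A backslash escapes the next character, so 'CN=Smith\\, James' keeps its comma (RFC 4514)."""
    prefix = "LDAP://"
    dn = path[len(prefix):] if path.upper().startswith(prefix) else path
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def domain_from_pairs(pairs) -> str:
    """Join the DC components, most specific first, into the DNS domain name."""
    return ".".join(value for attr, value in pairs if attr == "DC")


def object_and_containers(pairs):
    """The first RDN names the object; the non-DC RDNs after it are its containers, nearest first."""
    leaf = pairs[0][1]
    containers = [value for attr, value in pairs[1:] if attr != "DC"]
    return leaf, containers


def explain(path: str) -> list:
    """One line per component, in the style of the article's walk-through."""
    return [f"{attr}={value}: {attr} is short for {ATTRIBUTE_NAMES.get(attr, 'unknown attribute')}"
            for attr, value in parse_ldap_path(path)]


if __name__ == "__main__":
    path = "LDAP://CN=James,CN=Users,DC=Secur,DC=cc"
    pairs = parse_ldap_path(path)
    leaf, containers = object_and_containers(pairs)
    print(f"object {leaf!r} in containers {containers} of domain {domain_from_pairs(pairs)!r}")
    print("\n".join(explain(path)))
```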

LDAP Secure (LDAPS) is a more secure version of LDAP that uses encryption to protect LDAP transmissions. When a client connects with a server using LDAPS, the two systems establish a Transport Layer Security (TLS) session to encrypt the data before transmission.

Single Sign On

Authentication schemes like Kerberos and LDAP both include SSO capabilities. Single sign-on (SSO), which allows users to log on to or access multiple systems by providing credentials only once, increases system security, as the user only needs to remember one set of credentials, while simultaneously improving user convenience, as they only have to log on once to access resources.

Although logging into network resources seems trivial, consider a user who needs to access multiple servers within a network to perform normal work.

  • Without SSO, the user would need to know one set of credentials to log on locally and additional credentials for each of the servers, and the reality is that many users would write these credentials down to remember them.

Alternatively, in a network with SSO capabilities, the user only needs to log on to the network once. The SSO system typically creates some type of SSO secure token used during the entire logon session. Each time the user accesses a network resource, the SSO system uses this secure token for authentication. 

The effectiveness of SSO depends on strong authentication: if users create weak passwords, attackers might be able to guess them, gaining access to multiple systems. Some security professionals feel that SSO adds risk because if an attacker can obtain a user’s credentials, it gives the attacker access to multiple systems.

Transitive Trusts

A transitive trust is an indirect trust relationship between three parties. If Party A trusts Party B and Party B trusts Party C, then Party A trusts Party C without a direct relationship of its own; with two-way trusts, a party that trusts two others (A trusting both B and C) links B and C in the same way. While not perfect, this reduces network administration in a domain. The diagram below demonstrates the relationship in an IT environment.

Figure: Transitive trust. Diagrammatic representation of the transitive trust concept.

Directory-based domains use transitive trusts for SSO, as the diagram above shows: the parent domain is Secur.cc and the subdomains are Linux and Security. In this example, there is a two-way trust between the parent domain (Secur.cc) and the child domain (Linux.Secur.cc): the parent trusts the child, and the child trusts the parent. Similarly, there is a two-way trust between the parent domain and the Security subdomain (Security.Secur.cc). There is no direct trust between the two subdomains, but the transitive relationship creates a two-way trust between them. Each domain contains objects such as users, computers, and groups. Here the user account is in the Linux subdomain and a server is in the Security subdomain; with the transitive trust, you can grant the user access to the server without creating another trust relationship directly between the Linux and Security subdomains.
Without this trust relationship, you would have to create a second account for the user in the Security domain before you could grant access, and the user would have to manage that second account's password separately. The transitive trust lets the network support SSO, so the user needs only a single account.

SSO and Federation

Some SSO systems connect authentication mechanisms from different environments, such as different operating systems or different networks. A federated identity links a user's credentials from those different networks or operating systems so that the federation treats them as one identity. One common method is a federated identity management system, often implemented as a federated database, which provides central authentication in a heterogeneous environment; it requires all members of the federation to agree on the identity management system they will use.

Shibboleth is an open source federated identity solution that includes the OpenSAML libraries, written in C++ and Java, which make it easier for developers to extend it.

SSO and SAML

Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)-based data format used for browser-based SSO.

Normally, to access two web sites hosted by two different organizations, a user must provide different credentials to each site. If the organizations trust each other, they can use SAML as a federated identity management system: the user authenticates with one web site and is not required to authenticate again when accessing the second.

SAML defines three roles:

  • Principal: the user (typically acting through a web browser) whose identity is asserted. The principal authenticates to the identity provider and presents the resulting assertion to the service provider.
  • Identity provider (IdP): creates, maintains, and manages identity information for principals and issues signed assertions about them.
  • Service provider (SP): the entity that provides services to principals and relies on the identity provider's assertions to decide who they are.

SAML and Authorization

While the primary purpose of SSO is identification and authentication of users, SSO itself does not provide authorization; that is a separate decision made by the resource. Many federated SSO systems, including SAML, can carry authorization-related data between systems, for example group memberships or roles in a SAML attribute statement, which the service provider then uses to make its own authorization decisions. In other words, SAML can support both single sign-on authentication and authorization.

 

OAuth and OpenID Connect

OAuth is an open standard for authorization: it lets a user grant an application limited access to resources held by another service without handing over their password. It is what lets you use an account you already have with Google, Facebook, PayPal, Microsoft, or Twitter instead of creating a new account for every web site. OAuth by itself only authorizes access; it does not tell the application who the user is. OpenID Connect (OIDC) adds an identity layer on top of OAuth 2.0 so that clients can verify the identity of end users without managing their credentials. In this context, the client is typically a web site or application that needs to authenticate users; the identity provider authenticates the user and returns a signed ID token, which the client validates, so the application never handles the user's credentials. It also streamlines the user experience.
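The client-side validation of that ID token is where OIDC deployments most often go wrong, so here is an added example (not code from the page, nor from any OAuth/OIDC library) of the checks a relying party must perform: signature, issuer, audience, expiry, issue time and the nonce it sent in the authentication request. The token is signed with HS256 using the client secret, which OIDC Core permits for confidential clients; public identity providers more commonly sign with RS256 and publish keys at a JWKS endpoint, in which case only the signature step changes. The issuer URL, client_id and secret are constructed values.

```python
"""Validate an OpenID Connect ID token on the relying-party (client) side.

Added example for this article; it is not code from the page or from any
OAuth/OIDC library. The ID token is a JWT. Here it is signed with HS256 using
the client secret, which OIDC Core permits for confidential clients; a public
identity provider more commonly signs with RS256 and publishes its keys at a
JWKS endpoint, in which case only the signature step below changes. The
issuer, client_id and secret are constructed values for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

ISSUER = "https://idp.example"                            # assumed issuer of the IdP
CLIENT_ID = "example-client"                              # assumed client_id registered at the IdP
CLIENT_SECRET = b"constructed-client-secret-for-the-demo"  # assumed shared secret
CLOCK_SKEW = 60                                           # seconds of tolerance for exp/iat


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: Dict[str, Any], secret: bytes = CLIENT_SECRET) -> str:
    """Identity-provider side: produce a compact JWS (header.payload.signature)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None,
                      secret: bytes = CLIENT_SECRET) -> Dict[str, Any]:
    """Client side: return the verified claims, or raise ValueError.

    The checks follow OIDC Core section 3.1.3.7: signature, iss, aud (and azp
    when there are several audiences), exp, iat and the nonce the client sent
    in its authentication request, which ties the token to this login.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we expect; never let the token choose (alg=none attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))   # only trusted after the signature holds
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp does not match this client")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) - CLOCK_SKEW > now:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("no subject")
    return claims


def rejection_reason(token: str, expected_nonce: str, now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: None if the token validates, else the reason it was rejected."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    issued = int(time.time())
    tok = sign_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                         "exp": issued + 300, "iat": issued, "nonce": "abc123"})
    print(validate_id_token(tok, "abc123")["sub"])
```

Two design points: the algorithm is pinned by the client rather than read from the token, and the claims are not trusted until the signature has been verified. Skipping either of those is how a client ends up accepting a forged `sub` and logging in the wrong user.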

Principles of User Account Management

Secure identity and access management also depends on proper account management processes involving the creation, management, disablement, and termination of accounts.

Access control methods are used to:

  • Control what the user can do.
  • Control when and where users can log on.

There are a number of common account management practices and basic principles for account management that we discuss below;  the failure to follow them results in improperly configured accounts with increased security risks.

The Principle of Least Privilege: A technical control implemented with access controls. Privileges are the rights and permissions assigned to authorized users.

  • Least privilege specifies that individuals and processes are granted only the rights and permissions needed to perform their assigned tasks or functions, and no more.
  • A primary goal of implementing least privilege is to reduce risk. Without it, a user may have access to all available data within the network rather than the limited amount needed for the job, which creates an opportunity for data theft.
    • In contrast, if administrators apply the principle of least privilege, users have access only to a limited amount of data.
    • This principle also applies to administrators. If an administrator needs control over a specific set of computers, grant administrative rights over that set only, not over the whole domain; otherwise they have administrative control over every computer in the network.
    • Proper configuration of service accounts is an often overlooked security issue. Many services run under a user account and have the privileges of that account, so grant these accounts only the privileges the service or application needs; attackers look for a service running under an over-privileged account, because compromising that service hands them administrative privileges they can use to wreak havoc on the network.

Need to know: Similar to the principle of least privilege in that users are granted access only to the data and information that they need to know for their job.

  • Typically protected with permissions. In contrast, the principle of least privilege includes both rights and permissions.
    • Rights refer to actions like the right to change the system time, the right to install an application, or the right to join a computer to a domain.
    • Permissions typically refer to permissions on files, such as read, write, modify, read & execute, and full control.

Account Types: When managing accounts, it’s important to recognize the common types of accounts used within a network, including:

  • End user accounts: Most accounts are for regular users. Administrators create these accounts and then assign appropriate privileges based on the user’s job responsibilities. 
  • Privileged accounts. A privileged account has additional rights and privileges beyond what a regular user has. 
  • Guest accounts:  Used to give someone limited access to a computer or network without creating a new account;  commonly disabled by administrators.
  • Service accounts: Some applications need to run under the context of an account, and a service account fills this need. A service account is like a regular end-user account; the only difference is that it is used by the service or application rather than by an end user.
    • Service accounts often go unmanaged because no person is associated with them, so when the password expires the service can no longer authenticate and the application stops working, leaving administrators to troubleshoot why. You could configure the service account so that it does not have to comply with the password policy, but that presents a security risk; a better approach is to rotate its password through a managed process so that the policy still applies.

Multiple Accounts For Administrators: It’s common to require administrators to have two accounts.

  • One account for regular day-to-day work with the same limited privileges as a regular end user.
  • One with elevated privileges required to perform administrative work and used only when performing administrative work.

This practice reduces the exposure of the administrative account to attack. Malware attempts to gain additional rights and permissions through privilege escalation; if it runs in the context of a logged-on administrative account, it simply inherits those elevated privileges, whereas if the administrator is logged on with a standard user account, the malware must take additional steps to escalate its privileges.

Standard Naming Conventions: Organizations adopt standard naming conventions so that user account names and email addresses are created consistently. If you join a new organization and need to create accounts, assume it already has a naming convention in place and follow it for any accounts you create.

Prohibiting Shared and Generic Accounts: Each user has at least one account that only that user can access. Sharing accounts reduces security because you can no longer enforce the basic identity and access controls:

  • Identification: Users claim an identity with an identifier such as a username.
  • Authentication: Users prove their identity using an authentication method such as a password.
  • Authorization: Users are authorized access to resources, based on their proven identity.
  • Accounting: Logs record activity using the users’ claimed identity.

When users have unique user accounts:

  • You can give them access to resources individually.
  • Logs would indicate exactly who took an action.


A Guest account supports identification, authentication, authorization, and accounting when one person uses it, but you lose that functionality as soon as multiple users share the same Guest account, because the logs can no longer show which person acted.

Disablement Policies: Identifies what to do with the accounts of employees who leave permanently or take a leave of absence. Disabling (rather than deleting) the account ensures that data associated with it remains available: encryption keys associated with an account remain available while the account is disabled but are no longer accessible once the account is deleted. When the organization determines the account is no longer needed, administrators delete it; for example, the policy may direct administrators to delete accounts that have been inactive for 60 or 90 days.

Account disablement policies include:

  • Terminated employee: Ensures a disgruntled terminated employee cannot wreak havoc on the network. Note that “terminated” covers both employees who resign and employees who are fired.
  • Leaves of absence:  During a leave of absence, a user’s account should be disabled while the employee is away. 
  • Disable default accounts:  Prevents them from being used.

Recovering Accounts: In some situations, administrators need to recover accounts:

  • Enabling a disabled account: Administrators reset the user's password, set it to expire on first use, and then give the password to the person who now needs the account.
  • Recovering a deleted account: Requires an administrator to follow a specific recovery procedure.

Time-of-day restrictions:  Specify when users can log on to a computer. If a user tries to log on to the network outside the restricted time, the system denies access to the user.

Location-based policies: Restrict access based on the location of the user, often by whitelisting IP addresses or MAC addresses. Treat these as a weak control on their own: MAC addresses are trivially spoofed, and an IP address only approximates a location.

Expiring Accounts and Recertification: It’s possible to set user accounts to expire automatically. When the account expires, the system disables it, and the user is no longer able to log on using the account.

Figure: Account expiry. Adding an account expiration date.

The screenshot above shows the properties of an account. The Account Expires value is currently zero because this is a demonstration account running on a virtual machine. We then configured it to expire on May 5, 2021 using the chage -E command. This is useful for temporary accounts, such as those for temporary contractors.

Account Maintenance: Administrators routinely use scripts to automate account maintenance. These scripts do things like:

  • Listing all enabled accounts that have not been used in the last 30 days, which provides a list of inactive accounts and an additional check that inactive accounts are disabled.
  • Deleting accounts that are no longer needed. For example, if the policy is to disable accounts when employees leave and delete them 60 days later, a scripted account maintenance procedure ensures the accounts are actually deleted.
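As an added example for the expiry and maintenance points above (not code from the page or from the shadow-utils tools), here is a script that audits /etc/shadow-style records, the same file chage -E writes to, and reports the conditions a maintenance run would act on: locked accounts, accounts past their expiry date, passwords older than their maximum age, and accounts with no password at all. The records are constructed and the hashes are placeholders; inactivity (last logon) is not in this file and would need lastlog or wtmp as a second input.

```python
"""Audit /etc/shadow-style records for the lifecycle problems this section describes.

Added example for this article, not from the page or from the shadow-utils
tools themselves. Each line has nine colon-separated fields: login, password
hash, last change, min age, max age, warn, inactive, expire, reserved, where
the day fields count days since 1970-01-01 (the same unit chage -E writes).
The sample records are constructed; the hashes are placeholders.
"""
from datetime import date
from typing import Dict, List, Optional, Union

SAMPLE_SHADOW = """\
root:$6$placeholder$hash:18500:0:99999:7:::
james:$6$placeholder$hash:18600:0:90:7:::
contractor:$6$placeholder$hash:18700:0:99999:7::18750:
svc_backup:!$6$placeholder$hash:18000:0:99999:7:::
legacyapp::18200:0:99999:7:::
"""

NO_MAX_AGE = 99999   # the conventional "password never expires" value for the max-age field


def days_since_epoch(d: Union[date, str]) -> int:
    """Convert a date (or ISO string) to the day count used by /etc/shadow."""
    if isinstance(d, str):
        d = date.fromisoformat(d)
    return (d - date(1970, 1, 1)).days


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def parse_shadow(text: str) -> List[dict]:
    """Parse the nine-field shadow format into dicts; rejects malformed lines."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        rows.append({
            "login": f[0],
            "hash": f[1],
            "last_change": _int_or_none(f[2]),
            "max_age": _int_or_none(f[4]),
            "expire": _int_or_none(f[7]),
        })
    return rows


def audit(text: str, today: Union[date, str]) -> Dict[str, List[str]]:
    """Classify accounts: locked, past expiry, password overdue, or empty password."""
    now = days_since_epoch(today)
    findings: Dict[str, List[str]] = {"locked": [], "expired": [], "password_overdue": [], "empty_password": []}
    for r in parse_shadow(text):
        h = r["hash"]
        if h.startswith(("!", "*")):                   # usermod -L / passwd -l style lock
            findings["locked"].append(r["login"])
        elif h == "":                                  # no password set at all
            findings["empty_password"].append(r["login"])
        if r["expire"] is not None and now >= r["expire"]:   # login refuses once today >= expire
            findings["expired"].append(r["login"])
        if (r["last_change"] is not None and r["max_age"] is not None
                and r["max_age"] < NO_MAX_AGE and r["last_change"] + r["max_age"] < now):
            findings["password_overdue"].append(r["login"])
    return findings


if __name__ == "__main__":
    for kind, logins in audit(SAMPLE_SHADOW, date.today()).items():
        print(f"{kind}: {', '.join(logins) or '-'}")
```

Run against the real file as root (`audit(open("/etc/shadow").read(), date.today())`) the "expired" list is exactly the set of temporary accounts whose chage -E date has passed, and "locked" is the set already disabled; anything expired but not locked is a candidate for the disable-then-delete policy above.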

Credential Management:  Credentials are collections of information that provides an identity (such as a username) and proves that identity (such as with a password).  As with passwords, over time users have multiple credentials that they need to remember.  To solve this problem, credential management systems store these credentials securely in order to simplify credential management for users, while also ensuring that unauthorized personnel do not have access to the users’ credentials.

Comparing Access Management Control

Access control ensures that only authenticated and authorized entities can access resources; they grant resource access using one of several different models. The models covered in this section are: 

  • Role-based access control (role-BAC)
  • Rule-based access control (rule-BAC)
  • Discretionary access control (DAC)
  • Mandatory access control (MAC)
  • Attribute-based access control (ABAC)


As we work through this section,  you’ll run across the following terms:

  • Subjects: Users or groups that access an object; a subject can also be a service using a service account to access an object.
  • Objects: Items such as files, folders, shares, and printers that subjects access. An access control model determines how the system decides which subjects are authorized to access which objects.

Role Based Access Control

Role-based access control (role-BAC) uses roles to manage rights and permissions for users.

  • A role-BAC model uses roles based on jobs and functions. A matrix is a planning document that matches the roles with the required privileges.
  • Useful for users within a specific department who perform the same job functions.
  • An administrator creates the roles and then assigns specific rights and permissions to the roles (instead of to the users).
  • When an administrator adds a user to a role, the user has all the rights and permissions of that role.

Using Roles Based on Jobs and Functions

  • Imagine your organization has several departments, such as Marketing, Sales, and Security, with each department having a separate file server.
  • Create a role for each function and assign these roles to users based on the department where they work.

Next, you would grant these roles access to the appropriate server.

For example, you would grant the Sales role access to the Sales server, the Marketing role access to the Marketing server, and so on.

Another example of the role-BAC model is Microsoft Project Server. The Project Server can host multiple projects managed by different project managers. It includes the following roles:

  • Administrators. Administrators have complete access and control over everything on the server, including all of the projects managed on the server.
  • Executives. Executives can access data from any project held on the server, but do not have access to modify system settings on the server.
  • Project Managers. Project managers have full control over their own projects, but do not have any control over projects owned by other project managers.
  • Team Members. Team members can typically report on work that project managers assign to them, but they have little access outside the scope of their assignments.
    Each of these roles has rights and permissions assigned to it, and to give someone the associated privileges, you’d simply add the user’s account to the role.

Documenting Roles with a Matrix

Think about the developers of Microsoft Project Server. They didn’t just start creating roles. Instead, they did some planning and identified the roles they envisioned in the application. Next, they identified the privileges each of these roles required. It’s common to document role-based permissions with a matrix listing all of the job titles and the privileges for each role, as shown in Table 2.1.

Role-BAC is also called hierarchy-based or job-based:

  • Hierarchy-based. In the Project Server example, top-level roles such as Administrators have significantly more permissions than lower-level roles such as Team Members. Roles may mimic the hierarchy of an organization.
  • Job-, task-, or function-based. The Project Server example also shows how the roles are centered on the jobs or functions that users need to perform.

Establishing Access with Group-Based Privileges

Administrators commonly grant access in the role-BAC model using roles, and they often implement roles as groups. 

Windows systems refer to these as security groups. They assign rights and permissions (privileges) to groups and then add user accounts to the appropriate group. This type of group-based access control, where access is based on roles or groups, simplifies user administration.

One implementation of the role-BAC model is the Microsoft built-in security groups and specially created security groups that administrators create on workstations, servers, and within domains.

  • The Administrators group is a built-in security group. 
  • the Administrators group on a local computer includes all of the rights and permissions on that computer.
    • If you want to grant a user full and complete control to a computer, you could add that user account to the Administrators group on that computer.
    • Once that user is a member of the Administrators group, she has all the rights and permissions of the group.
    • You can also grant other users the ability to back up and restore data by adding their user accounts to the Backup Operators group.
    • Although the built-in groups are very useful, they don’t meet all the requirements in most organizations. For example, if your organization wants to separate backup and restore responsibilities, you can create one group that can only back up data and another group that can only restore data.
    • In Windows domains, administrators often create groups that correspond to the departments of an organization. For example, imagine that Homer, Marge, and Bart work in the Sales department and need to access data stored in a shared folder named Sales on a network server. An administrator would simplify administration with the following steps, as shown in Figure 2.6:
      1. Create a Sales group and add each of the user accounts to the Sales group.
      2. Add the Sales group to the Sales folder's access control list.
      3. Assign appropriate permissions to the Sales group for the Sales folder.

Figure 2.6: Establishing access with groups as roles

  • If the company adds new salespeople, the administrator creates accounts for them and places their accounts into the Sales group.
    • These new salespeople now have access to everything assigned to this group.
    • If any users change jobs within the company and leave the Sales department, the administrator removes them from the Sales group.
    • This automatically prevents them from accessing any resources granted to the Sales group. This example shows how to use a group for the Sales department, but you can apply the same steps to any department or group of users.
    • Without groups, you would use user-assigned privileges. In other words, you would assign all the specific rights and permissions for every user individually. This might work for one or two users, but quickly becomes unmanageable with more users.
      • As an example, imagine that people within the Sales department need access to 10 different resources (such as files, folders, and printers) within a network. When the company hires a new salesperson, you’d need to assign permissions to these 10 different resources manually, requiring 10 different administrative tasks. If you assign the permissions to the Sales group, you only need to add the new user to one group and you’re done.
  • Groups provide another security benefit. Imagine that a user is moved out of the Sales department and now works in Marketing.
    • If you have a Marketing group, you can place this user account into the Marketing group and remove the account from the Sales group.
    • Removing the user from the Sales group instantly removes all the user rights and permissions applied from that group.
    • If you’re not using groups and assign permissions to users directly, you probably won’t remember which resources were assigned to the user as a member of the Sales department. Instead, the user will continue to have access to this sales data, violating the principle of least privilege.
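To make the group-as-role mechanics concrete, here is an added example (not code from the page, nor from Windows or Project Server) of a small role-based access control engine: permissions attach to roles, users attach to roles, roles can inherit from other roles to model the hierarchy described above, and every decision goes through roles, so removing Homer from Sales takes all of Sales' access with it. The users, roles and resources are constructed to match the Sales example.

```python
"""Role-based access control with roles implemented as groups.

Added example for this article; it is not code from the page or from any
product. Permissions attach to roles, users attach to roles, and access is
decided only through roles, so moving a user from Sales to Marketing revokes
everything Sales granted. Roles can inherit from other roles to model the
hierarchy the article describes. Users, roles and resources are constructed
to match the article's Sales example.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple


class RBAC:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)  # role -> {(resource, permission)}
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)               # user -> {role}
        self.parents: Dict[str, Set[str]] = defaultdict(set)                  # role -> roles it inherits from

    # --- administration (role_perms is the "matrix" the article describes) ---
    def grant(self, role: str, resource: str, permission: str) -> None:
        self.role_perms[role].add((resource, permission))

    def inherit(self, role: str, parent: str) -> None:
        self.parents[role].add(parent)

    def assign(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    # --- decision ---
    def effective_roles(self, user: str) -> Set[str]:
        """Roles assigned to the user plus everything those roles inherit."""
        seen: Set[str] = set()
        stack = list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.parents.get(role, ()))
        return seen

    def permissions_of(self, user: str) -> Set[Tuple[str, str]]:
        perms: Set[Tuple[str, str]] = set()
        for role in self.effective_roles(user):
            perms |= self.role_perms.get(role, set())
        return perms

    def check(self, user: str, resource: str, permission: str) -> bool:
        return (resource, permission) in self.permissions_of(user)

    def matrix(self) -> Dict[str, Set[Tuple[str, str]]]:
        """The planning document: each role and the privileges it carries."""
        return {role: set(perms) for role, perms in self.role_perms.items()}


def build_example() -> RBAC:
    """Constructed roles for the article's Sales scenario."""
    ac = RBAC()
    for perm in ("read", "write", "modify"):
        ac.grant("Sales", "Sales folder", perm)
        ac.grant("Marketing", "Marketing folder", perm)
    ac.grant("Sales Manager", "Sales reports", "approve")
    ac.inherit("Sales Manager", "Sales")          # managers get everything Sales has, plus approval
    for user in ("homer", "marge", "bart"):
        ac.assign(user, "Sales")
    ac.assign("lisa", "Sales Manager")
    return ac


if __name__ == "__main__":
    ac = build_example()
    print(ac.check("homer", "Sales folder", "modify"))    # True
    ac.revoke("homer", "Sales")
    ac.assign("homer", "Marketing")
    print(ac.check("homer", "Sales folder", "read"))      # False: Sales access went with the role
```

Because `check` never consults per-user grants, there is nothing to forget when Homer moves departments; that is the least-privilege benefit the paragraph above describes, and `matrix()` is the role/privilege table you would review when recertifying access.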

Rule Based Access Control

Rule-based access control (rule-BAC) is based on a set of approved instructions, such as an access control list (ACL); the rules on routers and firewalls are the classic example. Some rule-BAC systems also use rules that trigger in response to an event, such as modifying ACLs after detecting an attack or granting additional permissions to a user in certain situations.

  • These rules define the traffic that the devices allow into the network, such as allowing Hypertext Transfer Protocol (HTTP) traffic for web browsers.
  • These rules are typically static and stay the same unless an administrator changes them again.
  • Some rules are dynamic. For example, intrusion prevention systems can detect attacks, and then modify rules to block traffic from an attacker. In this case, the attack triggers a change in the rules.
  • As another example, it’s possible to configure user applications with rules. For example, imagine you want to give Homer additional permissions to a database if Marge is absent. You can configure a database rule to trigger a change to these permissions when the system recognizes that Marge is absent.

Discretionary Access Control

In the discretionary access control (DAC) model, every object (such as files and folders) has an owner, and the owner establishes access for the objects. Many operating systems, such as Windows and most Unix-based systems, use the DAC model.

  • A common example of the DAC model is the New Technology File System (NTFS) used in Windows.
  • NTFS provides security by allowing users and administrators to restrict access to files and folders with permissions.
  • NTFS is based on the DAC model and the following section explains how it uses the DAC model.

SIDs and DACLs

Microsoft systems:

  • Identify users and groups with security identifiers (SIDs), long strings that are meaningless to most people and look something like S-1-5-21-3991871189-223218. You will rarely see a SID, because instead of displaying it the system looks up the name associated with the SID and displays that.
  • Give every object (such as a file or folder) a discretionary access control list (DACL) that identifies who can access it. A DACL is composed of access control entries (ACEs).
    • Each ACE is composed of a SID and the permission(s) granted or denied to that SID. As an example, a folder named Study Notes might have the following permissions assigned:

The Owner Establishes Access

When a user creates a file, they:

  • Are designated as the owner and have explicit control over the file.
  • Can modify the permissions on the object by adding user or group accounts to the DACL and assigning the desired permissions.
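The following added example (not code from the page or from Windows) models the pieces just described: SIDs, allow and deny ACEs, a DACL, the ordered access check Windows performs over it, and the owner's implicit right to change the DACL. It also shows why ACE order matters: a deny ACE placed after a matching allow is never reached, which is why Windows keeps explicit denies ahead of allows in canonical order. The SIDs and permission bits are constructed; only S-1-5-32-544 is the real well-known SID of the built-in Administrators group.

```python
"""Discretionary access control the way NTFS does it: SIDs, ACEs and a DACL.

Added example for this article; it is not code from the page or from Windows.
It models the parts of the Windows access check that matter here: the ACEs are
walked in order, an allow ACE removes the rights it grants from what is still
wanted, a deny ACE that covers anything still wanted ends the check with a
denial, and the owner of the object is implicitly allowed to change its DACL
(WRITE_DAC; Windows also implicitly grants READ_CONTROL, not modelled here).
The SIDs and permission bits below are constructed; only S-1-5-32-544 is the
real well-known SID of the built-in Administrators group.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set

READ, WRITE, EXECUTE, DELETE, WRITE_DAC = 1, 2, 4, 8, 16
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | WRITE_DAC

SID_HOMER = "S-1-5-21-1000-2000-3000-1101"    # constructed user SIDs
SID_MARGE = "S-1-5-21-1000-2000-3000-1102"
SID_BART = "S-1-5-21-1000-2000-3000-1103"
SID_SALES = "S-1-5-21-1000-2000-3000-2001"    # constructed group SID
SID_ADMINS = "S-1-5-32-544"                   # well-known: BUILTIN\Administrators


@dataclass
class ACE:
    sid: str
    mask: int
    allow: bool = True      # False makes it an access-denied ACE


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: List[ACE] = field(default_factory=list)   # an empty DACL grants nobody anything


def canonicalize(dacl: Iterable[ACE]) -> List[ACE]:
    """Windows canonical order for explicit ACEs: denies before allows."""
    return sorted(dacl, key=lambda ace: ace.allow)


def access_check(sd: SecurityDescriptor, token_sids: Set[str], requested: int) -> bool:
    """Decide whether a token holding token_sids gets every bit in requested."""
    remaining = requested
    if sd.owner in token_sids:
        remaining &= ~WRITE_DAC          # the owner can always establish access
    for ace in sd.dacl:
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False                 # a deny on something still wanted: stop
    return remaining == 0


def set_dacl(sd: SecurityDescriptor, actor_sids: Set[str], new_dacl: List[ACE]) -> bool:
    """Replace the DACL if the actor holds WRITE_DAC; returns whether it happened."""
    if not access_check(sd, actor_sids, WRITE_DAC):
        return False
    sd.dacl = list(new_dacl)
    return True


def study_notes() -> SecurityDescriptor:
    """The article's 'Study Notes' folder, owned by Homer, with a constructed DACL."""
    return SecurityDescriptor(owner=SID_HOMER, dacl=canonicalize([
        ACE(SID_SALES, READ | WRITE),                # the Sales group may read and write
        ACE(SID_BART, READ | WRITE, allow=False),    # ...except Bart, who is explicitly denied
        ACE(SID_ADMINS, FULL_CONTROL),
    ]))


if __name__ == "__main__":
    sd = study_notes()
    print(access_check(sd, {SID_MARGE, SID_SALES}, READ | WRITE))   # True
    print(access_check(sd, {SID_BART, SID_SALES}, READ))            # False: the deny is evaluated first
```

Note that ownership by itself does not grant READ: Homer can always rewrite the DACL (and so grant himself anything), but until he does, an ACE is needed like for anyone else. That is exactly the "owner establishes access" behaviour, and also why a Trojan running as the owner can quietly re-share the owner's files.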

Trojans and Discretionary Access Control

A weakness of the DAC model is its susceptibility to Trojan horses: executable files that masquerade as something useful but contain malware. Because a Trojan runs with the full discretionary rights of the user who launched it, it can read, change, or re-share any object that user owns or can access. Many organizations require administrators to have two accounts to mitigate this risk. Most of the time, administrators log on with a regular user account; if the system is infected with malware, the malware has only the limited permissions of that account. In contrast, if the system is infected while the administrator is logged on with an administrative account, the malware has the elevated permissions of an administrator.

Mandatory Access Control

The mandatory access control (MAC) model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access and, compared to the DAC model, is significantly less flexible.

With DAC, if you want to grant another user access to a file you own, you simply make the change and that user has access. With MAC, access privileges are predefined and only the administrator can change them.

Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access model blocks access.

Security-Enhanced Linux (SELinux) is a well-known implementation of mandatory access control. It is a security module for the Linux kernel, originally created to demonstrate how mandatory access controls can be added to an operating system, and it enforces its labels on top of the normal Linux DAC permissions. In contrast, Windows operating systems use the discretionary access control model for their file system permissions.

Labels and Lattice

The MAC model uses different levels of security to classify both the users and the data. These levels are defined in a lattice, which shows the relationship between labels and security levels.

Figure: MAC lattice. Simple MAC model lattice for demonstration purposes.

The image above shows the MAC model lattice dividing access into separate compartments based on need to know.

The lattice starts by defining different levels of Top Secret, Secret, Confidential, and For Official Use. Each of these labels defines specific security boundaries. 

Within these levels, the lattice defines specific compartments. For example, the Top Secret level includes compartments labeled Bank Vault and Server Room.

Imagine that User #1 has a Top Secret clearance with a Bank Vault label. This gives the user access to data within the Bank Vault compartment, but not to data in the Server Room compartment unless they also hold that label.

Higher-level clearances include lower-level clearances. For example, because User #1 has a Top Secret clearance, they can be granted access to Secret and lower-level data based on their need to know.
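The lattice rule in the two paragraphs above reduces to one comparison, label dominance, and the following added example (not code from the page or from SELinux) implements it: a label is a level plus a set of compartments, and a subject may read an object only when the subject's level is at least the object's and the subject holds every compartment the object names. The write rule included (no write down) is the Bell-LaPadula *-property, which goes beyond what the article's lattice states; the levels and compartments are the ones in the figure.

```python
"""Label dominance in a MAC lattice: levels plus need-to-know compartments.

Added example for this article, not from the page or from SELinux. A label
is (level, set of compartments). Label A dominates label B when A's level is
at least B's and A holds every compartment B names; a subject may read an
object only if the subject's label dominates the object's. The write rule
(an object's label must dominate the subject's, i.e. no write down) is the
Bell-LaPadula *-property, which goes beyond what the article's lattice states.
The levels and compartments are the ones in the article's figure.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

LEVELS = {"For Official Use": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")


def label(level: str, *compartments: str) -> Label:
    return Label(level, frozenset(compartments))


def dominates(a: Label, b: Label) -> bool:
    """a dominates b: at least b's level and a superset of b's compartments."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (the object must be at least as sensitive)."""
    return dominates(obj, subject)


def least_upper_bound(labels: Iterable[Label]) -> Label:
    """The lowest label that dominates all of the inputs, e.g. the label a
    document needs when it merges data from several compartments."""
    labels = list(labels)
    top = max(labels, key=lambda l: LEVELS[l.level]).level
    return Label(top, frozenset().union(*(l.compartments for l in labels)))


if __name__ == "__main__":
    user1 = label("Top Secret", "Bank Vault")
    print(can_read(user1, label("Top Secret", "Bank Vault")))    # True
    print(can_read(user1, label("Top Secret", "Server Room")))   # False
    print(can_read(user1, label("Secret")))                      # True
```

`least_upper_bound` is what makes compartments useful in practice: a report that draws on both Bank Vault and Server Room data must carry both compartments, so User #1 cannot read it even though each source compartment sits at a level the user is cleared for.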

Establishing Access

An administrator is responsible for establishing access, but only someone at a higher authority can define the access for subjects and objects.

  • Typically, a security professional identifies the specific access individuals are authorized to access. This person can also upgrade or downgrade the individuals’ access, when necessary. Note that the security professional does all this via paperwork and does not assign the rights and permissions on computer systems. Instead, the administrator assigns the rights based on the direction of the security professional.
  • Multiple approval levels are usually involved in the decision-making process to determine what a user can access. For example, in the military an officer working in the security professional role would coordinate with higher- level government entities to upgrade or downgrade clearances. These higher- level entities approve or disapprove clearance requests.
  • Once an individual is formally granted access, a network administrator would be responsible for establishing access based on the clearances identified by the security professional. From the IT administrator’s point of view, all the permissions and access privileges are predefined.
  • If someone needed different access, the administrator would forward the request to the security professional, who may approve or disapprove the request. On the other hand, the security professional may forward the request to higher entities based on established procedures. This process takes time and results in limited flexibility.

Attribute Based Access Control

An attribute-based access control (ABAC) system evaluates attributes and grants access when their values satisfy the policies defined for a resource.

  • Attributes can be almost any characteristic of a user, the environment, or the resource.
  • ABAC uses policies to evaluate attributes and grant access when the system detects a match in the policy.

Many software defined networks (SDNs) use ABAC models. Rather than rules on physical routers, plain-language policy statements in the ABAC system control the traffic, for example: “Allow logged-on researchers to access research sites via the main network.”

These policy statements typically include four elements:

  • Subject: This is typically a user. You can use any user property as an attribute such as employment status, group memberships, job roles, logged-on status, and more. In the example, the subject is identified as being logged on and a member of a researchers group.
  • Object: This is the resource (such as a file, database, or application) that the user is trying to access. In the example, the object is research sites. The research sites object would include Internet access via a proxy server along with a specific list of URLs of research sites.
  • Action: The action is what the user is attempting to do, such as reading or modifying a file, accessing specific web sites, and accessing web site applications. The example allows access to specific web sites.
  • Environment: The environment includes everything outside of the subject and object attributes. This is often referred to as the context of the access request. It can include the time, location, protocols, encryption, devices, and communication method. In the example, it specifies the main network as an environmental attribute.

An ABAC system has a lot of flexibility and can enforce both a DAC and a MAC model. There are also many similarities between the ABAC model and the DAC and MAC models. In the DAC model, owners have control over the access and in an ABAC model, owners can create policies to grant access. The MAC model uses labels assigned to both subjects and objects and grants access when the labels match. The ABAC model uses attributes that identify both subjects and objects, and grants access when a policy identifies a match.
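The four-element policy above is straightforward to turn into code, so here is an added example (not code from the page or from any SDN product) of a small ABAC evaluator. Each policy lists conditions on subject, object, action and environment attributes; a condition is either a literal the attribute must equal or a predicate. The first policy is the article's "Allow logged-on researchers to access research sites via the main network"; the second, a constructed deny for unmanaged devices, shows deny-overrides combining. The request attributes are constructed.

```python
"""Attribute-based access control: policies over subject, object, action and
environment attributes, with deny-overrides combining.

Added example for this article; it is not code from the page or from any
SDN product. A condition is either a literal (the attribute must equal it) or
a predicate function. The first policy is the article's "Allow logged-on
researchers to access research sites via the main network"; the second, a
constructed deny for unmanaged devices, shows that a matching deny wins over
a matching allow. Anything matched by no policy falls to the default.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

Attrs = Dict[str, Any]


@dataclass
class Request:
    subject: Attrs
    obj: Attrs
    action: str
    env: Attrs


def _cond(expected: Any, actual: Any) -> bool:
    if expected is None:
        return True
    if callable(expected):
        return bool(expected(actual))
    return actual == expected


def _match(conditions: Optional[Attrs], attrs: Attrs) -> bool:
    """Every listed attribute must satisfy its condition; a missing attribute fails."""
    for key, expected in (conditions or {}).items():
        if key not in attrs or not _cond(expected, attrs[key]):
            return False
    return True


@dataclass
class Policy:
    name: str
    effect: str                        # "allow" or "deny"
    subject: Optional[Attrs] = None
    obj: Optional[Attrs] = None
    action: Any = None                 # literal or predicate on the action name
    env: Optional[Attrs] = None

    def matches(self, req: Request) -> bool:
        return (_match(self.subject, req.subject) and _match(self.obj, req.obj)
                and _cond(self.action, req.action) and _match(self.env, req.env))


def member_of(group: str) -> Callable[[Any], bool]:
    return lambda groups: group in (groups or ())


def evaluate(req: Request, policies: List[Policy], default: str = "deny") -> str:
    """Deny-overrides: any matching deny wins, else any matching allow, else default."""
    decisions = {p.effect for p in policies if p.matches(req)}
    if "deny" in decisions:
        return "deny"
    if "allow" in decisions:
        return "allow"
    return default


POLICIES = [
    Policy("allow-researchers-research-sites", "allow",
           subject={"logged_on": True, "groups": member_of("researchers")},
           obj={"type": "research_site"},
           action="access",
           env={"network": "main"}),
    Policy("deny-unmanaged-devices", "deny", env={"managed_device": False}),
]


def researcher_request(network: str = "main", logged_on: bool = True, managed: bool = True) -> Request:
    """Constructed request matching the article's example."""
    return Request(subject={"user": "rita", "logged_on": logged_on, "groups": ["staff", "researchers"]},
                   obj={"type": "research_site", "url": "https://research.example"},
                   action="access",
                   env={"network": network, "managed_device": managed})


if __name__ == "__main__":
    print(evaluate(researcher_request(), POLICIES))                 # allow
    print(evaluate(researcher_request(network="guest"), POLICIES))  # deny
```

Because conditions can be predicates, the same evaluator can express the other models: a policy whose subject condition compares a clearance label with the object's label gives you MAC, and one that compares the object's owner attribute with the requesting user gives you DAC, which is the point the paragraph above makes about ABAC's flexibility.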

Summary: Implementing Secure Identity and Access Management

After working through this article, you should have a good understanding of the basics of implementing secure identity and access management:

  • Identification occurs when a user claims an identity such as with a username or email address.
  • Authentication occurs when the user proves the claimed identity (such as with a password) and the credentials are verified.
  • Access control systems provide authorization by granting access to resources based on permissions granted to the proven identity.
  • Logging provides accounting.
  • Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum password length of at least 14 characters.
  • Before resetting passwords for users, it’s important to verify the user’s identity. When resetting passwords manually, it’s best to create a temporary password that expires upon first use.
  • Group Policy is implemented on a domain controller within a domain. Administrators use it to create password policies, implement security settings, configure host-based firewalls, and much more.
  • Using two or more methods in the same factor of authentication (such as a PIN and a password) is single-factor authentication. Dual-factor (or two-factor) authentication uses two different factors, such as using a hardware token and a PIN. Multifactor authentication uses two or more factors.
  • Password policies include several elements. The password history is used with the minimum password age to prevent users from changing their password to a previously used password. Maximum password age causes passwords to expire and requires users to change their passwords periodically. Minimum password length specifies the minimum number of characters in the password. Password complexity increases the key space, or complexity, of a password by requiring more character types.
  • Smart cards are often used with dual-factor authentication where users have something (the smart card) and know something (such as a password or PIN). Smart cards include embedded certificates used with digital signatures and encryption. CACs and PIVs are specialized smart cards that include photo identification. They are used to gain access into secure locations and to log on to computer systems.
  • HOTP and TOTP are both open standards used to create one-time use passwords. HOTP creates a one-time use password that does not expire. TOTP creates a one-time password that expires after 30 seconds. Both can be used as software tokens for authentication.
  • The third factor of authentication (something you are, defined with biometrics) is the strongest individual method of authentication because it is the most difficult for an attacker to falsify. Biometric methods include fingerprints, retina scans, iris scans, voice recognition, and facial recognition. Iris and retina scans are the strongest biometric methods mentioned in this section, though iris scans are used more than retina scans due to the privacy issues and the scanning requirements. Facial recognition is the most flexible and, when using alternate lighting (such as infrared), it might become the most popular. The crossover error rate (CER) measures the accuracy of a system, and lower CERs are better.
  • Kerberos is a network authentication protocol within a Microsoft Windows Active Directory domain or a Unix realm. It uses a database of objects such as Active Directory and a KDC (or TGT server) to issue timestamped tickets that expire after a certain time period.
