98-367 Chapter Three

Chapter 3: Understanding User Authentication

Topics Covered:

  • Comparing the three factors of authentication
  • Using passwords for authentication
  • Using smart cards and token devices for authentication
  • Using biometrics for authentication
  • Starting applications with Run As Administrator
  • Preventing time skew with Kerberos
  • Identifying RADIUS capabilities
  • Identifying unsecure authentication protocols

Three factors of authentication
  • What you have: an item such as a smart card
  • What you are: fingerprints and other biometrics
  • What you know: passwords and PINs

Kerberos is the primary authentication protocol used in Microsoft domains.
Multifactor authentication is using two or more of the factors of authentication simultaneously.

Authentication is not the same as authorization. Authentication just means they can prove identity. Authorization
relates to authority to access resources on a system.

Password Attack methods
  • Social engineering: use of phishing etc. to get password from user
  • Dictionary attacks: using a wordlist to guess passwords at high speed. Strong passwords are the best defence
  • Brute force: the attacker simply tries every possible combination. Lockout policies provide the best
    protection (also use strong passwords)

Creating Strong Passwords

Length and complexity make strong passwords. Recommendations for passwords:

  • Length: 14+ chars
  • Cases: Mixture of upper and lower
  • Numbers: Use 0-9
  • Special characters: use them such as !@#$%^&*()_+
  • Dictionary: Should not be found in language dictionary
  • Personal Information: should not contain any public information

Enforcing Strong Passwords

Group Policy > Password Policy contains settings to enforce strong password params such as:

  • Password History: remembers old passwords to prevent reuse (setting is how many to remember before reuse is allowed. Default: 24)
  • Max password age: Longest period users can wait before changing password. (usually between 30 - 60 days)
  • Min password age: Minimum amount of time a user must wait before changing password again (usually at least a day)
  • Min length: Number of chars required (Recommended 14+)
  • Must meet complexity requirements: must be at least six chars (the min length setting overrides this) and use three of the four character types
    (upper, lower, number and symbol). The password cannot contain the username or the user's name.
  • Store using reversible encryption: some applications require this; its use is not recommended at all
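The following Python script is an added illustration, not part of the original notes and not Windows code: it models the minimum-length, complexity and password-history settings above as one check. The three-of-four character class rule, the name check (any word of the full name of three or more characters) and the salted PBKDF2 history store are this example's own simplifications of what Group Policy enforces.

```python
import hashlib
import os
import re
from collections import deque

# Policy values taken from the notes above (Group Policy > Password Policy).
MIN_LENGTH = 14            # Minimum password length (14+ recommended)
HISTORY_SIZE = 24          # Enforce password history (default: 24 remembered)
COMPLEXITY_MIN_LEN = 6     # the complexity rule's own floor; Min length overrides it

# Character classes for the "three of four" complexity rule.
CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_problems(password, username, full_name=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < max(MIN_LENGTH, COMPLEXITY_MIN_LEN):
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(classes) < 3:
        problems.append("uses only %d of 4 character types" % len(classes))
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    # Simplification (this example's own): any word of the user's full name
    # of three or more characters must not appear in the password.
    for part in full_name.split():
        if len(part) >= 3 and part.lower() in lowered:
            problems.append("contains part of the user's name (%s)" % part)
    return problems


class PasswordHistory:
    """Remembers the last HISTORY_SIZE passwords as salted PBKDF2 hashes so they cannot be reused."""

    ITERATIONS = 10_000    # kept low for illustration; real stores use far more

    def __init__(self, size=HISTORY_SIZE):
        self._entries = deque(maxlen=size)   # oldest entry drops off once the deque is full

    @classmethod
    def _digest(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def was_used(self, password):
        return any(self._digest(password, salt) == digest for salt, digest in self._entries)

    def record(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))


def change_password(history, new_password, username, full_name=""):
    """Apply complexity, then history; the password is recorded only if every check passes."""
    problems = complexity_problems(new_password, username, full_name)
    if history.was_used(new_password):
        problems.append("matches one of the last %d passwords" % HISTORY_SIZE)
    if not problems:
        history.record(new_password)
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    for candidate in ("password", "Pa$$w0rd", "Alice-likes-coffee-2024!", "Correct-Horse-Battery-9"):
        print(candidate, "->", change_password(history, candidate, "alice", "Alice Smith") or "accepted")
    # Reusing the password just accepted is now refused by the history check.
    print(change_password(history, "Correct-Horse-Battery-9", "alice", "Alice Smith"))
```

Note that `Pa$$w0rd` passes the three-of-four rule yet still fails, because the 14-character minimum overrides the complexity rule's six-character floor, exactly as the notes describe.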

Account Lockout Policies
  • Account lockout duration: How long an account will remain locked out (0 remains unlocked until admin unlocks it)
  • Account Lockout Threshold: How many incorrect passwords before account is locked out
  • Reset Account Lockout Counter After: how long incorrect password attempts are counted before the counter is cleared. If the lockout threshold is 5
    and this is 30 mins, a user who enters 4 bad passwords and then waits 30 mins has the counter reset, so the next bad attempt does not lock the account.
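As an added example (not from the original notes and not Windows code), the simulation below models how the three lockout settings interact: failures are counted inside the observation window, the account locks at the threshold, a correct password is refused while locked, and a duration of 0 keeps the account locked until an administrator clears it. The time source is passed in as a number of seconds so the "wait 30 minutes" scenario can be replayed.

```python
from dataclasses import dataclass
from typing import Optional

# Account Lockout Policy values from the notes: threshold 5, counter reset after 30 min.
# Lockout duration is also set to 30 min here; 0 would mean "locked until an admin unlocks".
LOCKOUT_THRESHOLD = 5
RESET_COUNTER_AFTER = 30 * 60   # seconds
LOCKOUT_DURATION = 30 * 60      # seconds


@dataclass
class AccountState:
    bad_count: int = 0                   # failures inside the current observation window
    last_bad: Optional[float] = None     # time of the most recent failure
    locked_at: Optional[float] = None    # time the account was locked, if it is


class LockoutTracker:
    """Simulates the lockout counter; 'now' is passed in as seconds so the clock can be controlled."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=RESET_COUNTER_AFTER, duration=LOCKOUT_DURATION):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.duration == 0:
            return True                  # stays locked until admin_unlock()
        if now - st.locked_at >= self.duration:
            self.admin_unlock(user)      # duration expired: automatic unlock
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Process one logon attempt; returns 'ok', 'bad' or 'locked'."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"              # even the correct password is refused while locked
        if password_ok:
            st.bad_count, st.last_bad = 0, None
            return "ok"
        # "Reset account lockout counter after": failures older than the window are forgotten.
        if st.last_bad is not None and now - st.last_bad >= self.window:
            st.bad_count = 0
        st.bad_count += 1
        st.last_bad = now
        if st.bad_count >= self.threshold:
            st.locked_at = now
            return "locked"
        return "bad"

    def bad_count(self, user):
        return self._state(user).bad_count

    def admin_unlock(self, user):
        self.accounts[user] = AccountState()


if __name__ == "__main__":
    t = LockoutTracker()
    # Four failures, a 30-minute pause, then a fifth: the counter was reset, so no lockout.
    for i in range(4):
        t.attempt("bob", False, now=i * 10)
    print("bob after waiting:", t.attempt("bob", False, now=30 + RESET_COUNTER_AFTER), t.bad_count("bob"))
    # Five failures in a row lock the account; the right password is refused until the duration passes.
    for i in range(5):
        print("eve:", t.attempt("eve", False, now=i))
    print("eve, correct password while locked:", t.attempt("eve", True, now=5))
    print("eve, after duration:", t.attempt("eve", True, now=5 + LOCKOUT_DURATION))
```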

Unlocking an Account

Accounts can only be locked out via password failures. Admins can disable accounts but cannot manually lock them.

Resetting a Password

If a user has encrypted data in NFS or NTFS and their local password is reset, they will not be able to access that data.

Smart Card and Token Devices for Authentication

Smart card (something you have): a credit-card-sized card with a certificate embedded in it. It has electrical contacts that allow the data on the card
to be read by a reader. Some keyboards have readers built in, or the reader can be a separate device. A PKI is needed to manage the certs.
Tokens are also common.

Biometrics

Biometrics measure physical characteristics of a user such as fingerprints, retinas and weight. Retina scans map the blood vessels at
the back of the eye and are the most accurate biometric method. Weight can be used to ensure nothing is stolen and that only one person is accessing at a time.

Starting applications with Run as Administrator

Administrators should have two accounts: one non-privileged account to do regular work with and an admin account to administer the network.
The regular account should be used at all times except when admin rights are needed. UAC may require the user to approve a request for admin access (if the user has admin rights).
If they do not, UAC will prompt the user to enter admin credentials.

Dual accounts help prevent: access by non admins (unlocked computers etc.), accidental damage, malware elevation.

Kerberos

Kerberos is the primary network authentication protocol, in use since Windows 2000. The system uses tickets issued to authenticated entities
to access resources. A KDC (Key Distribution Center) manages these tickets. For this to work every system in the domain must use the same time.
If clocks are off by more than 5 mins a time skew error occurs and access to resources is refused.

Time is synchronized by:

  • A single domain controller that is the primary domain controller (PDC). This machine regularly synchronizes with an external time source.
  • Each domain controller in the domain gets its time from the PDC
  • Each computer in the domain receives its time from one of the domain controllers

Changing time on client machines requires elevated permissions.

RADIUS

Remote Authentication Dial-in User Service (RADIUS) is a service used to authenticate a wide range of clients. Its original use was
to authenticate clients that dialed in using modems. For VPNs and WPA2 Enterprise wireless, RADIUS can provide a central authentication point.

RADIUS can support several different protocols such as:

  • EAP (Extensible Authentication Protocol): extends the capabilities of OS authentication. Two methods are Protected EAP (PEAP)
    and Smart Card or Other Certificate:
      • PEAP (Protected EAP): uses TLS to create an encrypted channel between the devices for the auth process. Can be used for 802.11 wireless clients.
      • Smart Card or Other Certificate: can provide the strongest auth. A cert from a trusted CA is embedded in the card. Uses EAP with TLS (EAP-TLS).
  • MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol): provides mutual authentication between client and auth server (only works with MS clients)
  • CHAP (Challenge Handshake Authentication Protocol): provides compatibility with non-MS clients
  • PAP (Password Authentication Protocol): passwords sent in clear text, not secure at all in any way, never use
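To make the PAP versus CHAP difference concrete, here is an added Python simulation of both exchanges (not from the original notes, and not the code of any RADIUS server). The CHAP side follows the RFC 1994 construction, response = MD5(identifier || secret || challenge), with a fresh random challenge per exchange; the usernames and shared secret are constructed test data.

```python
import hashlib
import hmac
import os


def pap_request(username, password):
    """PAP: the password itself travels in the request, readable by anyone on the path."""
    return {"user": username, "password": password}


def chap_response(identifier, secret, challenge):
    """CHAP (RFC 1994) response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode("utf-8") + challenge).digest()


class ChapServer:
    """Authenticator side. It must hold each user's secret in recoverable form to recompute the response."""

    def __init__(self, secrets):
        self.secrets = secrets      # username -> shared secret (constructed test data)
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, identifier):
        chal = os.urandom(16)       # fresh random challenge for every exchange
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier, username, response):
        chal = self.pending.pop(identifier, None)   # each challenge is usable exactly once
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


class ChapClient:
    def __init__(self, username, secret):
        self.username, self.secret = username, secret

    def answer(self, identifier, challenge):
        # The secret never leaves the client; only a hash bound to this challenge does.
        return chap_response(identifier, self.secret, challenge)


def run_chap(server, client, identifier=1):
    """One full exchange: server challenge -> client response -> server verdict."""
    challenge = server.challenge(identifier)
    response = client.answer(identifier, challenge)
    return server.verify(identifier, client.username, response)


def replay_is_rejected(server, username, secret):
    """A response captured from one exchange is useless against a later challenge."""
    first = server.challenge(10)
    captured = chap_response(10, secret, first)
    assert server.verify(10, username, captured)   # the genuine exchange succeeds
    server.challenge(11)                           # new challenge, so the old response no longer matches
    return not server.verify(11, username, captured)


if __name__ == "__main__":
    print("PAP on the wire:", pap_request("alice", "hunter2"))
    server = ChapServer({"alice": "s3cret"})
    print("CHAP, right secret:", run_chap(server, ChapClient("alice", "s3cret")))
    print("CHAP, wrong secret:", run_chap(server, ChapClient("alice", "wrong")))
    print("CHAP, replayed response rejected:", replay_is_rejected(server, "alice", "s3cret"))
```

The server's `secrets` table shows the trade-off behind CHAP: the authenticator has to recompute the hash from the plaintext secret, which is why the password policy's "store using reversible encryption" option exists for it and why that option is flagged above as not recommended.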

Identifying Unsecure Authentication Protocols

The first step is knowing that a protocol is not secure; only then can we avoid using it.

LM (LAN Manager): converts the password to uppercase, pads it with nulls to 14 chars total, splits it into two 7-char halves and hashes each separately. Weak because the password
only needs to be cracked in 7-char segments (password strength beyond that means nothing).
NTLM (New Technology LAN Manager, aka NTLM v1): clients cannot verify the server's identity, and it does not support AES. NTLMv2 fixes the server identity problem.
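The Python script below is an added illustration of the LM preprocessing just described, not part of the original notes: it performs the upper-casing, null padding and 7-byte split, flags what each step throws away, and compares the work needed to exhaust two independent 7-character halves with that for one case-sensitive 14-character string. The final DES step of the real hash is deliberately left out, since the structural weakness is visible without it.

```python
import string

# Character set left after LM's case folding: 26 upper-case letters, 10 digits,
# 32 printable symbols and the space, i.e. 69 possibilities per position.
LM_CHARSET = string.ascii_uppercase + string.digits + string.punctuation + " "
FULL_PRINTABLE = 95   # printable ASCII, for a hash that keeps case and full length


def lm_halves(password):
    """LM preprocessing: upper-case, pad with NULs to 14 bytes, split into two 7-byte halves.
    The real algorithm then uses each half as a DES key to encrypt a fixed string; that step
    is omitted here because it is not needed to see the weakness."""
    if len(password) > 14:
        raise ValueError("LM cannot represent passwords longer than 14 characters")
    padded = password.upper().encode("latin-1").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def lm_weaknesses(password):
    """Summarise what the LM preprocessing discards for one password."""
    first, second = lm_halves(password)
    return {
        "case_lost": password != password.upper(),
        # An all-NUL second half always hashes to the same well-known constant, which
        # reveals immediately that the password is 7 characters or shorter.
        "second_half_empty": second == b"\x00" * 7,
        "halves": (first, second),
    }


def work_factor():
    """Guesses needed to exhaust both LM halves versus one case-sensitive 14-character string."""
    per_half = len(LM_CHARSET) ** 7
    return {"lm_two_halves": 2 * per_half, "single_14_char": FULL_PRINTABLE ** 14}


if __name__ == "__main__":
    for pw in ("secret", "password", "Tr0ub4dor&3xyz"):
        print(pw, "->", lm_weaknesses(pw))
    wf = work_factor()
    print("LM halves:", wf["lm_two_halves"], " single string:", wf["single_14_char"],
          " ratio:", wf["single_14_char"] // wf["lm_two_halves"])
```

The ratio printed at the end is why the notes say password strength "means nothing" under LM: a long, mixed-case password costs an attacker no more than two short upper-case ones, and any password of 7 characters or less gives away its length for free.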

Chapter Review Questions:

  1. What is the difference between identification and authentication?
    a. Nothing, they are the same
    b. Identification proves authentication
    c. Authentication proves an identity
    d. Identification authenticates an individual, and authentication provides authorization

  2. A brute force attack is one of the many methods used to discover __?

  3. True or false: A smart card is an authentication example using the something you are factor?

  4. Which one of the following is the strongest password?
    a. password
    b. Password
    c. PAssWord
    d. Pa$$w0rd

  5. True or false: You can enforce a password policy through Group Policy?

  6. If users forget their password, they can reset the password with a ___ as long as they created it before
    forgetting their password.

  7. What factor of authentication is used when a user’s fingerprints are checked?

  8. Kerberos clients must have their time within five mins of each other to prevent a __ error.

  9. Of the following choices, what isn’t a valid use of a RADIUS server?
    a. Authenticate VPN clients
    b. Authenticate wireless clients
    c. Provide port-based authentication
    d. Provide authentication for 802x database servers

  10. Of the following choices, which authentication protocol is the weakest?
    a. Kerberos
    b. LM
    c. NTLMv1
    d. NTLMv2

Answers:

  1. c
  2. passwords
  3. False
  4. d
  5. True
  6. Password Reset Disk
  7. Something you are
  8. Time skew
  9. d. RADIUS servers can provide central auth for dial-in and VPN systems, for wireless clients as an 802.1x server, and port-based auth for 802.1x network devices.
     They do not provide auth for database servers, and 802x isn't a valid standard.
  10. b

Relevant sections of Certification Exam

Understand user authentication: Comparing Three Factors of Authentication, Using Passwords for Authentication, Using Smart Cards
and Tokens for Authentication, Using Biometrics for Authentication, Starting Applications with Run as Admin, Preventing Time Skew,
RADIUS Capabilities

Understanding password policies: Using Passwords for Authentication

Understanding server protection: Identifying Unsecure authentication protocols