98-367 Chapter Three

Chapter 3: Understanding User Authentication

Topics Covered:

  • Comparing the three factors of authentication
  • Using passwords for authentication
  • Using smart cards and token devices for authentication
  • Using biometrics for authentication
  • Starting applications with Run As Administrator
  • Preventing time skew with Kerberos
  • Identifying RADIUS capabilities
  • Identifying unsecure authentication protocols

Three factors of authentication

  • What you have: an item such as a smart card
  • What you are: fingerprints and other biometrics
  • What you know: passwords and PINs

Kerberos is the primary authentication protocol used in Microsoft domains.
Multifactor authentication is using two or more of the factors of authentication simultaneously.

Authentication is not the same as authorization. Authentication only means a user can prove their identity. Authorization
relates to the authority to access resources on a system.

Password Attack Methods

  • Social engineering: use of phishing etc. to obtain the password from the user
  • Dictionary attacks: using a wordlist to guess passwords at high speed. Strong passwords are the best defence
  • Brute force: the attacker simply tries every possible combination. Lockout policies provide the best
    protection (also use strong passwords)

Creating Strong Passwords

Length and complexity make strong passwords. Recommendations for passwords:

  • Length: 14+ characters
  • Cases: a mixture of upper and lower case
  • Numbers: use 0-9
  • Special characters: use some, such as !@#$%^&*()_+
  • Dictionary: should not be found in a language dictionary
  • Personal information: should not contain any public information about the user

Enforcing Strong Passwords

Group Policy > Password Policy contains settings to enforce strong password parameters such as:

  • Password history: remembers old passwords to prevent reuse (the setting is how many to remember before reuse is allowed; default 24)
  • Maximum password age: the longest period users can wait before changing their password (usually between 30 and 60 days)
  • Minimum password age: the minimum time a user must wait before changing their password again (usually at least a day)
  • Minimum length: number of characters required (recommended 14+)
  • Must meet complexity requirements: the password must be at least six characters (minimum length overrides this), use three of the four character types
    (upper, lower, number and symbol), and cannot contain the username or the user's name
  • Store using reversible encryption: some systems require this; its use is not recommended at all

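
As an added example (not part of these notes), the Python below implements the complexity rule described above: at least six characters unless a higher minimum length applies, three of the four character types, and no username or name fragment in the password. The name-fragment check follows the documented behaviour of Windows' built-in filter, which splits the full name on delimiters and ignores fragments shorter than three characters; that detail is not on the page, and the usernames and names are constructed sample input.

```python
import re
from typing import List

# Delimiters the Windows password filter uses to split the full name into
# fragments (documented behaviour, not stated in the notes). Fragments
# shorter than three characters are ignored, as is a username under three.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")
COMPLEXITY_FLOOR = 6   # the complexity rule's own floor; Minimum Password Length overrides it


def character_classes(pw: str) -> int:
    """Count how many of the four classes (upper, lower, digit, symbol) the password uses."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def name_tokens(username: str, full_name: str) -> List[str]:
    """Name fragments (3+ chars, lower-cased) that the password must not contain."""
    tokens = [username] + NAME_DELIMITERS.split(full_name)
    return [t.lower() for t in tokens if len(t) >= 3]


def complexity_violations(pw: str, username: str, full_name: str,
                          min_length: int = 14) -> List[str]:
    """Return why a password fails the policy; an empty list means it passes.

    min_length is the separate Minimum Password Length setting (14+ is the
    recommendation in the notes); the larger of it and the six-character
    complexity floor is enforced.
    """
    reasons = []
    required = max(COMPLEXITY_FLOOR, min_length)
    if len(pw) < required:
        reasons.append(f"shorter than {required} characters")
    if character_classes(pw) < 3:
        reasons.append("uses fewer than three of the four character classes")
    lowered = pw.lower()
    for token in name_tokens(username, full_name):
        if token in lowered:   # the comparison is case-insensitive
            reasons.append(f"contains name fragment '{token}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample user, and the four candidates from review question 4.
    for candidate in ("password", "Password", "PAssWord", "Pa$$w0rd"):
        result = complexity_violations(candidate, "jsmith", "John Smith", min_length=6)
        print(candidate, result or "OK")
```

Only the last candidate from review question 4 passes, which matches the answer key.
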
Account Lockout Policies

  • Account lockout duration: how long an account remains locked out (0 means it stays locked until an admin unlocks it)
  • Account lockout threshold: how many incorrect passwords before the account is locked out
  • Reset account lockout counter after: how long incorrect password attempts are counted. If the lockout threshold is 5
    and this is 30 minutes, a user who provides 4 bad passwords and then waits 30 minutes can try again without being locked out, because the counter has been reset.
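
To show how the three lockout settings interact, here is an added Python simulation (not from these notes or from Windows itself) that replays timestamped logon attempts against a policy. It assumes, as Windows does, that the counter resets once the reset window has elapsed since the last failure and on a successful logon; the policy values and attempts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    # Constructed values mirroring the example in the notes.
    threshold: int = 5          # Account lockout threshold (0 = never lock out)
    reset_minutes: int = 30     # Reset account lockout counter after
    duration_minutes: int = 30  # Account lockout duration (0 = until an admin unlocks)


@dataclass
class Account:
    bad_count: int = 0
    last_failure: Optional[datetime] = None
    locked_at: Optional[datetime] = None

    def clear_lockout(self) -> None:
        """Used both by an admin unlock and when the lockout duration expires."""
        self.bad_count = 0
        self.locked_at = None


def still_locked(acct: Account, policy: LockoutPolicy, now: datetime) -> bool:
    """True if the account is locked at time `now`; clears an expired lockout."""
    if acct.locked_at is None:
        return False
    if policy.duration_minutes == 0:             # 0 = stays locked until an admin unlocks it
        return True
    if now - acct.locked_at >= timedelta(minutes=policy.duration_minutes):
        acct.clear_lockout()                     # duration elapsed: automatic unlock
        return False
    return True


def attempt(acct: Account, policy: LockoutPolicy, now: datetime, password_ok: bool) -> str:
    """Process one logon attempt; returns 'success', 'failure' or 'locked'."""
    if still_locked(acct, policy, now):
        return "locked"
    # The bad-password counter resets once reset_minutes have passed since the last failure.
    if acct.last_failure is not None and now - acct.last_failure >= timedelta(minutes=policy.reset_minutes):
        acct.bad_count = 0
    if password_ok:
        acct.bad_count = 0   # assumption: a successful logon also resets the counter
        return "success"
    acct.bad_count += 1
    acct.last_failure = now
    if policy.threshold and acct.bad_count >= policy.threshold:
        acct.locked_at = now
        return "locked"
    return "failure"


def replay(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay (minutes-from-start, password_ok) pairs against a fresh account."""
    acct, start = Account(), datetime(2024, 1, 1, 9, 0)
    return [attempt(acct, policy, start + timedelta(minutes=m), ok) for m, ok in attempts]


if __name__ == "__main__":
    # The scenario from the notes: 4 bad passwords, wait 30 minutes, 4 more bad passwords.
    print(replay(LockoutPolicy(), [(0, False), (1, False), (2, False), (3, False),
                                   (34, False), (35, False), (36, False), (37, False)]))
```
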

Unlocking an Account

Accounts can only be locked out via password failures. Admins can disable accounts but cannot manually lock them.

Resetting a Password

If a user has encrypted data on NFS or NTFS and the local password is reset, they will no longer be able to access that data.

Smart Card and Token Devices for Authentication

Smart card (something you have): a credit card sized card with a certificate embedded in it. It has electrical contacts that allow the data on the card
to be read by a reader; some keyboards have readers built in, or the reader can be a separate device. A PKI is needed to manage the certificates.
Tokens are also common.

Biometrics

Biometrics measure physical characteristics of a user such as fingerprints, retinas and weight. Retina scans map the blood vessels at
the back of the eye and are the most accurate biometric method. Weight can be used to ensure nothing is being stolen and that only one person is entering at a time.

Starting applications with Run as Administrator

Administrators should have two accounts: a non-privileged account for regular work and an admin account to administer the network.
The regular account should be used at all times except when admin rights are needed. If the user has admin rights, UAC may require them to approve the request for admin access;
if they do not, UAC will prompt the user to enter admin credentials.

Dual accounts help prevent: access by non-admins (unlocked computers etc.), accidental damage, and malware elevation.

Kerberos

Kerberos is the primary network authentication protocol, in use since Windows 2000. The system uses tickets issued to authenticated entities
to access resources. A KDC (Key Distribution Center) manages these tickets. For this to work every system in the domain must use the same time.
If a clock is off by more than 5 minutes a time skew error occurs and access to resources is refused.

Time is synchronized by:

  • A single domain controller that is the primary domain controller (PDC). This machine regularly synchronizes with an external time source.
  • Each domain controller in the domain gets its time from the PDC
  • Each computer in the domain receives its time from one of the domain controllers

Changing time on client machines requires elevated permissions.

RADIUS

Remote Authentication Dial-in User Service (RADIUS) is a service used to authenticate a wide range of clients. Its original use was
to authenticate clients that dialed in using modems. For VPNs and WPA2 Enterprise wireless, RADIUS can provide a central authentication point.

RADIUS can support several different protocols such as:

  • EAP (Extensible Authentication Protocol): extends the capabilities of OS authentication. Two methods are Protected EAP (PEAP)
    and Smart Card or Other Certificate:
      • PEAP (Protected EAP): uses TLS to create an encrypted channel between devices for the authentication process. Can be used for 802.11 wireless clients.
      • Smart Card or Other Certificate: can provide the strongest authentication. A certificate from a trusted CA is embedded in the card. Uses EAP with TLS (EAP-TLS).
  • MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol): provides mutual authentication between client and authentication server (only works with MS clients)
  • CHAP (Challenge Handshake Authentication Protocol): provides compatibility with non-MS clients
  • PAP (Password Authentication Protocol): passwords are sent in clear text; not secure in any way, never use

Identifying Unsecure Authentication Protocols

The first step is knowing that a protocol is not secure, so that we can avoid using it.

LM (LAN Manager): converts the password to uppercase and pads it with nulls to 14 characters in total, then splits it into two 7-character halves and hashes each separately.
Weak because the password only needs to be cracked in 7-character segments (password strength means nothing).
NTLM (New Technology LAN Manager, aka NTLMv1): clients cannot verify the server's identity, and it does not support AES. NTLMv2 fixes the server identity problem.

Chapter Review Questions:

  1. What is the difference between identification and authentication?
    a. Nothing, they are the same
    b. Identification proves authentication
    c. Authentication proves an identity
    d. Identification authenticates an individual, and authentication provides authorization

  2. A brute force attack is one of the many methods used to discover __?

  3. True or false: A smart card is an authentication example using the something you are factor?

  4. Which one of the following is the strongest password?
    a. password
    b. Password
    c. PAssWord
    d. Pa$$w0rd

  5. True or false: You can enforce a password policy through Group Policy?

  6. If users forget their password, they can reset the password with a ___ as long as they created it before
    forgetting their password.

  7. What factor of authentication is used when a user’s fingerprints are checked?

  8. Kerberos clients must have their time within five mins of each other to prevent a __ error.

  9. Of the following choices, what isn’t a valid use of a RADIUS server?
    a. Authenticate VPN clients
    b. Authenticate wireless clients
    c. Provide port-based authentication
    d. Provide authentication for 802x database servers

  10. Of the following choices, which authentication protocol is the weakest?
    a. Kerberos
    b. LM
    c. NTLMv1
    d. NTLMv2

Answers:

  1. c
  2. passwords
  3. False
  4. d
  5. True
  6. Password Reset Disk
  7. Something you are
  8. Time skew
  9. d. RADIUS servers can provide central auth for dial-in and VPN systems, for wireless clients as an 802.1x server, and port-based auth for 802.1x network devices.
     They do not provide auth for database servers, and 802x isn't a valid standard.
  10. b

Relevant sections of Certification Exam

Understand user authentication: Comparing Three Factors of Authentication, Using Passwords for Authentication, Using Smart Cards
and Tokens for Authentication, Using Biometrics for Authentication, Starting Applications with Run as Admin, Preventing Time Skew,
RADIUS Capabilities

Understanding password policies: Using Passwords for Authentication

Understanding server protection: Identifying Unsecure authentication protocols


98-367 Chapter One

Chapter 1: Understanding Core Security Principles

Topics Covered:

  • Confidentiality, Integrity and Availability
  • Basics of Risk
  • Importance of implementing a defense-in-depth strategy

Risk cannot be eliminated but it can be minimized.
Risk occurs when threats exploit vulnerabilities.
Threats: Any event that can result in the loss of Confidentiality, Integrity or Availability of IT systems or data
Vulnerabilities: weaknesses

Common techniques to reduce risk:

* Enforce principle of least privilege
* Implement strong authentication mechanisms
* Train employees on risks and social engineering
* Regularly remind employees about their security responsibilities
* Implement multiple layers of security (defence-in-depth)
* Remove or disable unneeded services or protocols
* Implement host-based and network-based firewalls
* Keep systems up to date with patches
* Install and update antivirus software
* Add redundancies for critical systems
* Secure access with permissions
* Back up data and store a backup copy off-site
* Track access to data and systems with audit trails
* Encrypt critical data at rest and when in transit
* Protect systems, data and facilities with strong physical security

Confidentiality: Only authorized users are able to access data. Authentication, access control, encryption
Availability: Systems are up to date and ready for use when needed. Backups, ability to restore, RAID, failover hardware etc
Integrity: Prevent unauthorized modification and ensure that unauthorized changes are detected. Audit logging, hashing, PKI

Defense-in-depth: Strategy to use multiple levels and layers of security, policy, procedures and people to provide multiple
lines of defense.

Policy and Procedures: Written rules outlining security requirements and acceptable behavior.
Data: Permissions (Registry, NTFS, AD etc), Encryption
Auditing: Tracking access and events. Identifies who did what and when. Concept of non-repudiation (inability to deny
responsibility for an action that a user performs)
Clients and Servers: Antivirus and other software, updates and patches
Network: Firewalls, Network Access Protection, encryption of data
Wireless: Encryption and protocols
Physical Security: Locking doors, checking identification etc

Principle of least privilege: users, resources and applications should have only the rights and permissions to perform necessary
tasks and nothing else. Admins should have two accounts, and not always use an admin account for every day tasks

Server Hardening: making changes to default configuration to enhance security. Steps may include:

* Reduce the attack surface: Only run necessary services and protocols, fewer things to attack. Security Configuration Wizard good starting tool
* Keep operating system up to date: fixes issues in software, larger organizations may stage and test with WSUS or SCCM
* Enable firewalls: Windows Server 2008 and up have it enabled by default. Additional configuration
* Install and update antivirus software: Various products for different purposes such as mail server tools or desktop tools

Chapter Review Questions:

  1. What is a simple definition of risk?
  2. True or false: You can reduce risk by reducing vulnerabilities?
  3. An implementation of which security principle ensures that secrets stay secret:
    a. Authentication
    b. Availability
    c. Integrity
    d. Confidentiality
  4. The implementation of techniques that map to which security principle help to ensure that an unauthorized change to data is detected
    a. Accessibility
    b. Availability
    c. Integrity
    d. Confidentiality
  5. A basic security principle states that users, resources, and applications should be granted only the rights and permissions needed to perform a task.
    What is this principle?
  6. What is meant by reducing the attack surface of a system?
    a. Disabling needed services
    b. Removing unneeded protocols
    c. Keeping a system up to date
    d. Disabling the firewall
  7. What tool can you use to create a comprehensive security policy as an XML file on a Windows Server 2008 system?
    a. Microsoft Baseline Security Analyzer (MBSA)
    b. System Center Configuration Manager (SCCM)
    c. Security Configuration Wizard (SCW)
    d. Windows Server Update Services (WSUS)
  8. Of the following choices, what is the best method to protect against malware?
    a. Installing antivirus software and keeping it up to date
    b. Disabling unneeded services
    c. Removing unnecessary protocols
    d. Enabling a firewall

Answers:

  1. Risk is the probability that a threat will exploit a vulnerability
  2. True. Risk can be reduced by reducing vulnerabilities. Vulnerabilities are weaknesses, by reducing them you can reduce risk.
  3. D Confidentiality. Ensures that only authorized people have access to data. Ensured using access controls and encryption
  4. C Integrity. Audit logs and hashing can detect unauthorized changes
  5. Principle of least privilege. Users, resources and applications given bare minimum rights and privileges to do necessary work and nothing more.
  6. B Removing unneeded protocols. Fewer things on system means fewer things to exploit
  7. C Security Configuration Wizard.
  8. A Installing antivirus software and keeping it up to date

Relevant sections of Certification Exam

  • Understanding Core Security Principles: Understanding Risk, Exploring the Security Triad, Enforcing principle of least privilege, defence-in-depth
  • Understanding email protection: Installing Antivirus Software
  • Understanding server protection: Hardening a Server

98-367 Chapter Two

Chapter 2: Understanding Malware and Social Engineering

Topics Covered:

  • Comparing malware
  • Protecting against malware
  • Thwarting social-engineering attacks

Malware: Malicious software that is installed on a system without user knowledge or consent. Includes viruses, worms,
Trojans, spyware and more.
Primary purpose of most modern malware is making money (through stealing data or espionage)

Virus: Requires interaction by user. Key function is self replication and propagation through email etc. Can be spread via:

* Email attachment: may appear as a wanted attachment such as an image or audio file.
* Script in unwanted email: Run when user opens email, most clients block script execution
* USB Drives: Infected when drive inserted into computer
* Embedded in downloaded files: bundled with freeware or shareware software

Worm: Does not require user interaction. Almost the same as a virus, except that it can spread itself over the network etc. with no user interaction.
May flood the network with traffic as it spreads.
Trojan horse: Malware hidden within what appears to be legitimate software. A popular example is fake AV software that tricks users into downloading it.
Buffer overflow: Exposes memory by sending unexpected code to a system. Applications store information in buffers; if the information is too large the buffer may "overflow",
causing data to be written into additional sections of memory. Malicious code is usually added at the end so it is also stored in memory. To protect:

* Validate input
* Test Applications
* Patch software

Spyware: Collects information about the user without the user's knowledge, gathering personal info for identity theft and fraud. Keyloggers are a popular example.

Botnets: a large group of infected machines controlled by a server etc.

Protecting against malware

Steps that can be taken to protect against malware:

* Use firewalls: provide added protection against worms
* Keep systems up to date: as vendors discover vulnerabilities they issue patches to fix the problems
* Reduce the attack surface: remove things that are not needed, such as protocols and services. If it isn't running it can't be compromised
* Educate users: helps to counter social engineering attacks, rogueware etc.
* Minimize use of administrator accounts: fewer privileges means less potential damage can be done if malware is installed etc.

Use of Antivirus Software

Most organizations use many different kinds of antivirus software such as:

* Content filtering firewall
* Dedicated mail server AV
* AV software on end user computers

Some common features of AV products:

* Real-Time Protection: monitors system and alerts if malware is detected and blocks its installation
* Scheduled Scans: Perform scans on a regular automated basis
* On-Demand Scans: Customize parameters of scan

Some more advanced products may offer heuristic scanning which attempts to detect malware like behaviour rather than using
a database of known malware signatures.

Social Engineering

Social engineering is a broad term indicating that an attacker is using techniques to trick people into giving up
sensitive information or performing actions on the attacker's behalf.

An attacker may pose as a repairman etc. to gain access to physical systems,
or could call the helpdesk and pretend to be a user.

How to protect against password reset scamming:

* Verify identity prior to resetting passwords: use a second piece of information to verify the user, such as a PIN etc.
* Limit password reset rights: only high-level admins should be able to reset passwords for high-level executives.
* Also enforce the principle of least privilege on accounts

Phishing attacks are messages designed to trick a user into thinking they are accessing a real resource such as
a bank website etc.

Spear phishing is a variant of more directed attacks that are personalized for the victim.

Pharming: redirecting using DNS Servers, DNS Poisoning, Hosts File etc.

Protecting Email

* Use antivirus software to strip off and quarantine attachments, or to detect malware when an attachment is opened
* Antispam products attempt to block phishing-type emails
* Disable automatic display of images
* Antiphishing culture: don't do certain things via email at all, and train employees not to do them either

Chapter Review Questions:

  1. What is the primary difference between a virus and a worm?
    a. There is none. They are the same
    b. A worm requires user intervention to spread, a virus does not
    c. A virus requires user intervention to spread, a worm does not
    d. A virus is malware, but a worm is antivirus software.

  2. True or false: A buffer overflow attack can gain access to a systems memory

  3. Which of the following is a type of malware that appears to be something else?
    a. Buffer overflow
    b. Trojan horse
    c. Virus
    d. Worm

  4. True or false: Botnets dont represent a real threat today?

  5. The majority of spam is sent out by __?

  6. Microsoft has created an antivirus tool for desktop operating systems. It’s available for free for home and small
    business users and provides real time protection. What is this tool?

  7. True or false: Security Essentials 2010 is a type of Trojan horse known as rogueware?

  8. What tool can you use for free on Windows Server 2008 to check for and remove many types of threats? (Choose all that apply)
    a. Security Essentials 2010
    b. Microsoft Security Essentials
    c. Microsoft Windows Malicious Software Removal Tool
    d. Microsoft Forefront

  9. One method of conducting pharming is through DNS _?

  10. Which of the following can protect email from potential threats? (Choose all that apply)
    a. Antivirus software
    b. Disabling automatic display of graphics
    c. Enabling pharming
    d. Educating users

Answers:

  1. c
  2. True
  3. b
  4. False
  5. botnets
  6. Microsoft Security Essentials
  7. True
  8. c
  9. cache poisoning
  10. a,b,d

Relevant sections of Certification Exam

Understanding core security principles: Thwarting social engineering attacks
Understand malware: Comparing Malware
Understand client protection: Protecting against malware
Understanding email protection: Protecting email, Protecting against Malware