ITPro.TV: CompTIA Security+ (SY0-601)

CompTIA Security+ Exam Cram

Today I’ll be reading chapter 23 of the Exam Cram, “Identity and Account Management Controls”.

I’m tempted to say that this chapter is largely “common sense”, but I suspect that’s more of a consequence of it speaking to a core function of my current job than anything else.

Account Types

Exam Cram notes that Windows includes sudo/su like “run as” functionality (beyond the usual Shift + Right Click “Run as Administrator”), but doesn’t elaborate on this potentially useful tool. Fortunately, it’s not hard to find out that the utility itself is called runas:

Note that $USERNAME can also be specified as $DOMAIN\$USERNAME for domain-joined machines. The $EXECUTABLE is treated normally (as if it were not prefixed by the runas command); thus, a full or relative path is only necessary when $EXECUTABLE is not already on the Windows PATH.

Onboarding and Offboarding

An identity provider (IdP) is an organization or system responsible for managing and authenticating user identities.

Access Auditing and Reviews

“Access recertification” is just a formal access review that explicitly cross-references current corporate policies and relevant compliance requirements.

Exam Cram recommends that access to high-risk applications be reviewed quarterly, and all applications/groups should have their access reviewed yearly. Part of this review should also include identifying a “single wringable neck” for each application, as well as data classification for the application.

Time of Day and Location Restrictions

Location-based restriction vocabulary:

Time of day login restrictions are handled under Windows using the Kerberos group policy “Enforce User Login Restrictions”. In particular, “Automatically Log Off users” controls whether or not users can remain logged in “after hours”.

Logical Access Controls

USER-BASED ACCESS CONTROL assigns permissions directly to individual users. Fine-grained, but time-consuming to manage and doesn’t scale well.

GROUP-BASED ACCESS CONTROL (also called role-based access control) assigns permissions to groups, to which users are then assigned. Coarse-grained, but far easier to manage.

Exam Cram states that all systems handle permissions in groups cumulatively, but treat deny directives as absolute (such that a denial in one group cannot be overridden by access provided by another). The authors have clearly not used groups in Google Workspace (whose only concept of “deny” is to turn a feature off or set it to a more restricted value, both of which will be overridden if the user is in a group with more liberal permissions). That said, Exam Cram indicates that this convention for group-based access controls may be featured on the Security+ exam, so I guess exam-takers need to just forget about Google.
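As an added illustration (not from Exam Cram or from Google's documentation), here is a small model of the two combination rules contrasted above, plus an audit helper that lists restrictions the most-permissive rule silently overrides; the group names, permissions and setting levels are constructed.

```python
"""Two ways group permissions combine (constructed model).

Model A (the convention Exam Cram says the exam assumes): allows accumulate
across a user's groups, but a deny in any group is absolute.
Model B (the Google Workspace behaviour described in the post): a setting is
a level on an ordered scale and the most permissive group wins, so "off" or a
more restricted level in one group is overridden by a more liberal group.
"""
from dataclasses import dataclass, field

LEVELS = ("off", "restricted", "full")  # constructed scale, least to most permissive


@dataclass
class Group:
    name: str
    allow: set[str] = field(default_factory=set)            # Model A allow entries
    deny: set[str] = field(default_factory=set)             # Model A deny entries
    settings: dict[str, str] = field(default_factory=dict)  # Model B setting levels


def effective_deny_wins(groups: list[Group]) -> set[str]:
    """Model A: union of all allows, minus anything denied in any group."""
    allowed = set().union(*(g.allow for g in groups))
    denied = set().union(*(g.deny for g in groups))
    return allowed - denied


def effective_most_permissive(groups: list[Group]) -> dict[str, str]:
    """Model B: for each setting, the highest level found in any group."""
    effective: dict[str, str] = {}
    for g in groups:
        for setting, level in g.settings.items():
            current = effective.get(setting)
            if current is None or LEVELS.index(level) > LEVELS.index(current):
                effective[setting] = level
    return effective


def shadowed_restrictions(groups: list[Group]) -> list[tuple[str, str, str]]:
    """Audit helper for Model B: (group, setting, level) entries that a more
    liberal group overrides, so the restriction has no effect on the user."""
    effective = effective_most_permissive(groups)
    return sorted((g.name, s, lvl) for g in groups
                  for s, lvl in g.settings.items() if lvl != effective[s])


# Constructed sample: one user who is a member of both groups.
STAFF = Group("staff", allow={"read", "write"}, deny={"delete"},
              settings={"drive_sharing": "restricted", "chat": "off"})
ADMINS = Group("admins", allow={"read", "delete"},
               settings={"drive_sharing": "full", "chat": "full"})
ALICE_GROUPS = [STAFF, ADMINS]

if __name__ == "__main__":
    print("deny-wins:", sorted(effective_deny_wins(ALICE_GROUPS)))
    print("most-permissive:", effective_most_permissive(ALICE_GROUPS))
    print("shadowed restrictions:", shadowed_restrictions(ALICE_GROUPS))
```

Under Model A the staff group's deny strips "delete" even though admins grant it; under Model B both staff restrictions are listed as shadowed, which is the review finding an access audit should surface.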

Account Policy Enforcement

Exam Cram emphasizes that ideally all accounts and credentials should be set to automatically expire and then explicitly renewed, rather than relying only on the deprovisioning process.

In Active Directory, domain-level policies are always enforced, but OU-level policies are only enforced for local logins.

Account Lockout

Windows “Account Lockout Policy” notes:

Password Age and History / Password Length and Rotation

Windows “Password Policy” notes:

Exam Cram states that the “Minimum password age” setting is used to limit the amount of time that a breached password can be used, but I’m pretty sure they mean “Maximum password age” here. Even Microsoft’s own documentation states that the purpose of “Minimum password age” is to make password re-use impractical.

If Exam Cram’s practice questions are any guide, the Security+ exam considers “passphrases” just to be really long passwords.