Security+: Installing and Configuring Identity and Access Services
Identity and Access Services are important components to an effective Information Security environment. These services are also important parts of the CompTIA Security+ certification exam.
This article will detail what Identity and Access Services are covered on the exam as well as what you need to know. This article should serve as a brief review for this portion of the Security+ exam and not as a sole means of preparation.
Identity and Access Services Terms to Know
Lightweight Directory Access Protocol, or LDAP, is part of the TCP/IP suite and is used for accessing and changing directory services data at the application level. LDAP is the protocol that controls directory services, including Active Directory. The default open port is 389, but organizations who want to employ Secure LDAP, or LDAPS, will have to use port 636.
A commonly-used authentication protocol, Kerberos enables computers to securely prove their identity. Many organizations that use a client-server environment use this method for computer authentication between the client and server, known as mutual authentication.
A domain controller in the network will serve as a Key Distribution Center, or KDC, which will handle authentication requests for the computers in the network. The KDC domain controller will need to have inbound port 88 open for login requests from client computers.
Terminal Access Controller Access Control System Plus (TACACS+) is an authentication, authorization and accounting (AAA) protocol service. This client/server model (where the client is normally a router or firewall) protocol uses default port 49. TACACS+ is considered more reliable than other authentication protocols because it runs off TCP (instead of UDP) and encrypts the entirety of the original access request packet.
CHAP stands for Challenge-Handshake Authentication Protocol. This point-to-point protocol (PPP) is the authentication protocol of choice for dial-up connections.
CHAP uses a challenge-response security mechanism and offers clients who use it one-way encryption via DES and MD5 encryption. You will have to properly configure it on the Remote Access Services (RAS) server for proper client handshakes. To perform this, simply select Challenge Handshake Authentication Protocol under Advanced Security Settings on the RAS server as the required method of data encryption.
Password Authentication Protocol, or PAP, is an insecure logon method which verifies identity via a password login. This protocol is one of the least secure methods of access and identity verification.
Not to be left out from leaving their mark on the world of identity and access services, Microsoft released its own variants of CHAP: MS-CHAP and MS-CHAP-v2. This will need to be configured on the RAS server, but you will have to select MS-CHAP as the required method of data encryption. Also please note that version 2 of MS-CHAP allows for mutual authentication, which gives it more information security appeal.
Remote Authentication Dial-In User Service, or RADIUS, is a remote access-control system that runs over UDP transport and provides authentication and access control for a network. RADIUS provides credentials for authorization and access to resources on the network. A RADIUS server provides centralized administration of access rights and can handle authorization verification requests from multiple client servers. As a protocol, RADIUS is an IETF standard.
Security Assertion Markup Language, or SAML, is a markup language that allows for the exchanging of authorization and authentication information between identity providers and service providers.
OpenID Connect is an authentication service that can be used to sign into any website or web app that accepts it. This authentication service is often provided by a third party.
Open Standard for Authorization is an authorization service that can be used to gain access to information. The main use for OAUTH is to share information with third party applications.
Operationally speaking, OAUTH works with HTTP to allow access tokens to be allotted to third-party clients under the approval of the owner of the information resources. An example real-world scenario involving OAUTH is when a social media website user authorizes a third-party to access their data.
This identity solution is an open-sourced, federated single sign-on (SSO) system that runs on SAML. Most users of Shibboleth are research and educational institutions. Whereas most federated systems are designed to only with identity and service providers in the same organization, Shibboleth works on an interorganizational basis.
Secure tokens are protected data sets, sometimes encrypted, that serve as verification for users and systems. Benefits of using secure tokens include the fact that secure tokens do not leak information about credentials and that impersonation of secure tokens is not easy.
New Technology LAN Manager, or NTLM, is a proprietary Microsoft Windows password hash storage system. NTLM is a challenge-response protocol system that has enhanced security because it is nonreversible. NTLM is often used in active directory environments that do not provide for user logon authentication via TACACS or Radius.
On the CompTIA Security+ exam you will be tested on an array of identity and access services technologies. By using the body of this article as a rough outline, peppered with your own notes on this subject, you will be up to speed with what you are expected to know on this area for the certification exam.
Emmett Dulaney and Chuck Easttom, CompTIA Security+ Study Guide