Authentication, Authorization, Accounting & Non-Repudiation | CompTIA IT Fundamentals FC0-U61 | 6.4

In this video you will learn about authentication, authorization, accounting and non-repudiation concepts.

Authentication

Authentication is the act of proving an assertion, such as the identity of a computer system user. In practice it means establishing that the individual really is who they claim to be: when a user logs into a computer, network, or email service, the user must present one or more pieces of evidence that prove that identity.

Single Factor

Single-factor authentication (SFA) is the simplest authentication method: the user or device presents a single form of identification, such as a username/password combination. A single-factor login can be reasonably secure if the password is long and hard to guess or crack, but it is only as strong as that one secret. A short, reused, or easily guessed password, or a phishing page that captures it, defeats the login completely. For this reason, multi-factor authentication is favored whenever possible.

Multi-factor

Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (factors) from different categories to an authentication mechanism. Two passwords are not MFA; a password plus a code from a phone is. Typically, multi-factor authentication works with some combination of the following:

  • What the user knows (password or PIN)
  • What the user has (smart card or fob)
  • Who the user is (biometric data)
  • Something the user does (walking gait, handwriting)
  • Where the user is (trusted or untrusted locations)

Examples of Factors

Many types of authentication factors can be combined to create a strong authentication scheme.

Password

A password is the most common authentication factor. Unfortunately, passwords can be compromised in many ways: guessed, cracked from a stolen hash, reused from another breached site, or captured by phishing or a keylogger.

PIN

A personal identification number (PIN) is a short numeric alternative to a password used to prove identity. It is often used with automated teller machines (ATMs), for accessing wireless networks, for unlocking mobile devices, and so on. Like a password it is a "something you know" factor; because a PIN is short, its security depends on the system locking out or slowing down after a few wrong attempts rather than on the PIN itself being hard to guess.

One-Time Password

A one-time password (OTP) is a password that is valid for only one login session or transaction on a computer system or other digital device. Because a captured OTP cannot be reused, OTPs are an effective way of limiting the damage from keyloggers or shoulder surfing when logging into email, e-commerce, remote access, or other services from public devices. (An OTP can still be phished and used once by whoever tricks the user into typing it, and codes sent by SMS can be intercepted if the phone number is hijacked.) Here are some examples of using OTP:

  • Generating a list of passwords that can be used to log in to a remote site just once.
  • Asking users who want to log in to Wi-Fi or another wireless service to provide a mobile phone number to receive a one-time password to the wireless network.
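The time-based one-time passwords produced by authenticator apps and by hardware tokens such as the SecurID discussed below are generated from a shared secret and the current time (RFC 4226 HOTP / RFC 6238 TOTP). The following is an added illustration, not code from the original page: a standard-library HOTP/TOTP implementation plus a verifier that tolerates a little clock skew and refuses to accept the same code twice, which is the "valid for only one login" property in practice. The secret is the RFC reference secret so the output can be checked against the published test vectors; real secrets are random and provisioned to the user's token out of band.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret, used only so results can be checked
# against the published test vectors. Real seeds are random per user.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so token and server agree without a
    shared counter as long as their clocks roughly agree."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_used_counter: int, step: int = 30, digits: int = 6,
                window: int = 1):
    """Accept a code for the current step or +/- `window` steps of clock skew.

    Returns (ok, counter). The caller persists the returned counter and passes
    it back as last_used_counter next time: any code whose counter is <= the
    last accepted one is rejected even if it is otherwise valid, so a code
    captured by a keylogger cannot be replayed within its 30-second lifetime.
    """
    now_counter = unix_time // step
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter <= last_used_counter:
            continue
        expected = hotp(secret, counter, digits)
        # Constant-time comparison: do not leak how many digits matched.
        if hmac.compare_digest(expected, candidate):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    print("current 6-digit code:", totp(TEST_SECRET, int(time.time())))
```

The skew window is the usual trade-off: a window of 1 step means a code stays acceptable for up to 90 seconds, so the replay check on the counter is what keeps "one-time" true.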

Software Token

A software token (soft token) is a two-factor authentication credential implemented in software rather than in a dedicated device, used to authorize access to computer services. Soft tokens are stored on a general-purpose device such as a desktop computer, laptop, or mobile phone. Because the secret seed lives on a general-purpose device, it can be copied, backed up, or extracted by malware; that is the main trade-off against a hardware token.

Hardware Token

A hardware token is a physical device given to an authorized user of computer services to prove possession ("something you have"). It may be a USB dongle that holds a key, or a device the person carries that displays a set of numbers that change with time, such as an RSA SecurID, used as the second factor in two-factor authentication. The secret never leaves the device, so it cannot be copied the way a soft token can.

RSA SecurID Hardware Token

Biometrics

Biometrics uses recognition of a body part, via a fingerprint, face, or retinal scan, to determine the user's identity. Many corporate laptop computers include fingerprint readers, and fingerprint readers that support Windows and macOS can be connected to a USB port. Many iOS and Android smartphones and tablets also include fingerprint readers. Unlike a password, a biometric cannot be changed if its stored template is stolen, which is one reason it is normally paired with another factor rather than used alone.

Biometric Fingerprint Scanner

Specific Location

With some software, you can restrict access based on a device’s IP address or specific location.  Here are a few examples:

  • With Microsoft OneDrive for Business, the Device Access dialog allows a network manager to restrict access to specific IP addresses.
  • Microsoft Azure Active Directory (Azure AD, now Microsoft Entra ID) Conditional Access has options such as requiring multi-factor authentication for users who are not connected to the corporate network and blocking access for sign-ins from specified locations.

Somewhere You Are

With some software, you can restrict access based on where (and, in the same spirit, when and from what) a request comes, such as:

  • Restricting specific logins to a particular global positioning system (GPS) zone
  • Restricting access based on the time of day (strictly a "when" rather than a "where", but enforced the same way)
  • Restricting access via specific console terminal requirements

Security Questions

Security questions are typically used to re-verify a user who needs to reset a lost password. Here are some typical security questions:

  • Where were you born?
  • Where did you graduate high school?
  • What is your mother's maiden name?

Answers such as a birthplace or a mother's maiden name are often public record or easy to find on social media, so security questions are a weak factor. They should not be the only thing standing between an attacker and a password reset.

Single Sign-On

Single sign-on (SSO) is a property of access control across multiple related but independent software systems: the user authenticates once and is then admitted to all of them without logging in again. Some SSO implementations require the user to sign in just once per session, whereas others detect an existing credential when the user connects and perform a silent, promptless login. SSO is available in Windows, Linux, and cloud networks. Some of the benefits and risks of SSO are:

Benefits

  • Users have fewer username and password combinations to remember.
  • Users get to work faster because they spend less time entering passwords.
  • Users don’t need to ask for assistance from help desk employees because of lost passwords.
  • SSO makes managing the security profiles of individual users easier.

Risks

  • A compromised SSO password puts all resources accessible with SSO at risk, which is why the SSO login itself should be protected with multi-factor authentication.
  • A disgruntled employee with SSO access can cause problems with all resources accessible with SSO.
  • A lost or forgotten SSO password prevents the employee from doing any work until a new password is set up.

Authorization

Authorization is the function of specifying which access rights and privileges an authenticated user has to resources. Authentication establishes who the user is; authorization decides what that user may do.

Permissions

Permissions (sometimes referred to as rights or privileges) are settings, assigned by a resource's owner or by an administrator, that define which users may do what to files and folders on a local machine or across a network. Network (share) permissions apply to any remote user of a shared resource such as a folder or file. In Unix/Linux and macOS, local and remote users are subject to the same file-system permissions. In Windows, share permissions are set from the object's Properties sheet: select Advanced Sharing to grant or deny access on a per-user or per-group basis. Share permissions and the NTFS permissions on the folder both apply to a remote user, and the more restrictive of the two wins.

Advanced Sharing settings in Windows

In macOS, network permissions are handled through System Preferences, Sharing. Click File Sharing, then click the plus sign (+) under Shared Folders to select a new folder to share. Click each user or group and select Read & Write, Read Only, or whatever other options are present. To share with a Windows user, click Options and select a user. macOS can also run the Unix/Linux permission commands from a Terminal session. In Unix/Linux, the same file-system permissions govern local and network access: file and folder permission changes made with sudo chmod and ownership changes made with sudo chown apply to local and network users alike. Some Linux distros also include a GUI for setting permissions.

Least Privilege Model

The least privilege model, also known as the principle of least privilege, is the concept and practice of restricting the access rights of users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. For example, if a user needs to update a file inside a folder, the user should not have full control of the folder, which would allow the user to delete the folder or perform other actions outside the scope of updating that one file. The payoff is containment: when an account or process is compromised, the attacker gets only what that account strictly needed. Four access control methods are covered in IT Fundamentals+: role-based access, rule-based access, mandatory access control, and discretionary access control.
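The chmod/chown discussion above and the "update one file, but not the folder" example translate directly into Unix mode bits, and the classic hardening check is to look for anything world-writable. The block below is an added example, not code from the original page: it builds a scratch folder with the weak "full control for everyone" setting, audits it, then applies a least-privilege layout in which the group can edit one file but cannot delete or rename anything in the folder. It relies on the Unix rule that delete and rename are controlled by write permission on the directory, not on the file; the folder and file names are made up for the demonstration.

```python
import os
import stat
import tempfile


def world_writable(path: str) -> bool:
    """True if 'others' may write to path (the link itself for symlinks)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def find_world_writable(root: str) -> list:
    """Walk root and list every entry anyone on the host could modify.
    Equivalent to the traditional `find ROOT -perm -o+w` audit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if world_writable(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def grant_edit_only(directory: str, filename: str) -> None:
    """Least privilege for the case in the text: the group may edit one file
    but may not delete or rename anything in the folder.

    Delete/rename is governed by write permission on the directory, so the
    directory stays group read+execute (0o750) while only the file becomes
    group-writable (0o660). Nothing at all is granted to 'other'.
    """
    os.chmod(directory, 0o750)
    os.chmod(os.path.join(directory, filename), 0o660)


def demo() -> dict:
    """Weak setting, audit, fix, re-audit; returns what each step found."""
    root = tempfile.mkdtemp()                    # private scratch area
    shared = os.path.join(root, "shared")        # assumed folder name
    os.mkdir(shared)
    target = os.path.join(shared, "report.txt")  # assumed file name
    with open(target, "w") as f:
        f.write("quarterly numbers\n")

    # The "just make it work" setting: full control for everyone.
    os.chmod(shared, 0o777)
    os.chmod(target, 0o666)
    before = find_world_writable(root)

    grant_edit_only(shared, "report.txt")
    after = find_world_writable(root)

    return {
        "before": before,
        "after": after,
        "dir_mode": oct(stat.S_IMODE(os.stat(shared).st_mode)),
        "file_mode": oct(stat.S_IMODE(os.stat(target).st_mode)),
    }


if __name__ == "__main__":
    print(demo())
```

Running find_world_writable over /etc, /usr and application directories on a real host is a quick way to spot the kind of over-grant the least privilege principle warns about.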

Role-Based Access

Role-based access control (RBAC) restricts network access based on a person’s role within an organization and has become one of the main methods for advanced access control.  For example, assume that there are four groups:

  • If you are in the HR group, you have read/write/change access to HR folders only.
  • If you are in the Marketing group, you have read/write/change access to Marketing folders only.
  • If you are in the Finance group, you have read/write/change access to Finance folders and read access to HR and Marketing folders only.
  • If you are in the I.T. group, you have read/write/change access to HR, Marketing, and Finance folders.

This method is also referred to as non-discretionary access control.

User Account Types

In Windows, there are three built-in user account categories:  Administrator, Standard, & Guest.

  • Administrators can perform any task, including installing new apps, deleting existing users, and much more.
  • Standard users can manage their own accounts but must provide the name and password for an administrator before they can perform administrator-level tasks.  Standard accounts can be set up using Family Safety as children’s accounts that can be supervised and have content limited by age.
  • Guest accounts are designed for temporary use by different users, and cannot access other users’ files or make changes to system settings, users, or passwords.

In Windows 10, the built-in Guest account is disabled by default and cannot be turned on from the Settings app; it must be enabled through Local Users and Groups, the Command Prompt, or Group Policy.

In macOS, open the Apple menu, System Preferences, Users & Groups to set up one of four types of accounts:  Administrator, Standard, Managed with Parental Controls, or Sharing only (can access shared files remotely).  You can also set up a group, convert a standard or managed user to an administrator, or set up a Guest user that can be managed optionally with Parental Controls.

In Linux, some distributions, such as Ubuntu, disable direct login to the administrator (root) account by default. To perform root tasks on these distributions, users run sudo commandname and enter their own password; sudo runs just that one command with root privileges and records each invocation in the system's authentication log, which provides an accounting trail for administrative actions. The sudo adduser username command adds a standard user in Ubuntu and other Debian-based distributions. The sudo addgroup groupname command creates a group, and sudo adduser username groupname adds a specified user to a specified group.

The account setup process for an iOS device (iPhone, iPad) varies according to whether you are setting up your first iOS device, moving from another iOS device, or moving from an Android device.  An important part of the setup process for new users is creating an Apple ID. The account setup process for an Android smartphone varies according to the device manufacturer and whether you are a new user or moving from another Android device.  An important part of the setup process for new users is signing up for a Google account.

Rule-Based Access

Rule-based access control (also abbreviated RBAC, or RuBAC to distinguish it from role-based access) is a model in which, when a request is made for access to a network or network resource, the controlling device checks properties of the request, such as the time of day, source address, or protocol, against a set of rules before allowing it. For example, internet access is only available during business hours (9am to 6pm) to the Office group; however, the I.T. group can access the internet 24 hours a day. The rules for a particular network resource are enforced with access control lists (ACLs).
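The role-based groups listed under Role-Based Access and the business-hours rule in this section combine naturally into one default-deny decision: a role grants the action, and the resource's rules then constrain when it may be used. The block below is an added example, not code from the original page. The four folder entries transcribe the role table above; the "Office" role and the "internet" resource are assumed so the rule layer has something to constrain, and "change" is kept separate from "write" so that Finance's read-only access to HR and Marketing can be expressed.

```python
from datetime import datetime

RW = frozenset({"read", "write", "change"})
RO = frozenset({"read"})
USE = frozenset({"use"})

# Role-based layer: what each role may do to each resource.
ROLE_PERMISSIONS = {
    "HR":        {"HR": RW},
    "Marketing": {"Marketing": RW},
    "Finance":   {"Finance": RW, "HR": RO, "Marketing": RO},
    "IT":        {"HR": RW, "Marketing": RW, "Finance": RW, "internet": USE},
    "Office":    {"internet": USE},           # assumed role for the rule example
}

# Rule-based layer: a per-resource ACL of role -> permitted hours, half-open.
TIME_RULES = {
    "internet": {"Office": (9, 18), "IT": (0, 24)},
}


def role_allows(role: str, resource: str, action: str) -> bool:
    """RBAC: is the action in the role's permission set for this resource?"""
    return action in ROLE_PERMISSIONS.get(role, {}).get(resource, frozenset())


def rule_allows(role: str, resource: str, when: datetime) -> bool:
    """Rule-based: check the request's time of day against the resource ACL."""
    rules = TIME_RULES.get(resource)
    if rules is None:
        return True                 # resource carries no rule-based constraints
    window = rules.get(role)
    if window is None:
        return False                # ACL exists but has no entry for this role
    start, end = window
    return start <= when.hour < end


def authorize(roles, resource: str, action: str, when: datetime) -> bool:
    """Default deny: grant only if some role both permits the action and
    passes the resource's rules at this moment."""
    return any(role_allows(r, resource, action) and rule_allows(r, resource, when)
               for r in roles)


def demo() -> dict:
    """Decisions for the scenarios described in the text."""
    day = datetime(2024, 1, 10, 10, 0)     # 10:00, inside business hours
    night = datetime(2024, 1, 10, 22, 0)   # 22:00, outside business hours
    return {
        "hr_writes_hr": authorize(["HR"], "HR", "write", day),
        "hr_reads_finance": authorize(["HR"], "Finance", "read", day),
        "finance_reads_hr": authorize(["Finance"], "HR", "read", day),
        "finance_changes_hr": authorize(["Finance"], "HR", "change", day),
        "it_changes_finance": authorize(["IT"], "Finance", "change", night),
        "office_internet_day": authorize(["Office"], "internet", "use", day),
        "office_internet_night": authorize(["Office"], "internet", "use", night),
        "it_internet_night": authorize(["IT"], "internet", "use", night),
        "hr_internet_day": authorize(["HR"], "internet", "use", day),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

Note that the HR user is denied internet access during the day even though the time rule would pass: the rule layer can only narrow what a role already grants, never widen it.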

Mandatory Access Controls

Mandatory access control (MAC) is a model in which the system, not the resource owner, enforces access according to labels: each object carries a classification (and optionally a category or compartment), each user carries a clearance, and access is permitted only when the clearance satisfies the classification. MAC is a top-down method of managing access. Users have no option to change how a resource can be accessed; access is controlled by administrator-provided settings that define the object's classification and the categories of users that can use it. SELinux on Linux is a widely deployed MAC implementation.

Discretionary Access Controls

Discretionary access control (DAC) is a type of access control in which the access policy is set at the discretion of the object's owner (or owning group). DAC enables users to determine which users and groups can have access to their resources, and at what level. For example, in Windows, files and folders have owners, and the owner of a file or folder can grant read, read/write, or other access levels to other users. Because an owner can share anything they own, DAC by itself cannot stop a user, or malware running as that user, from handing data to the wrong party, which is why DAC can be limited by mandatory access controls layered on top of it.
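The sentence "DAC can be limited by mandatory access controls" is easiest to see in code. The following is an added example, not code from the original page: files carry an owner-managed ACL (the DAC part) and an administrator-set label (the MAC part), and a request succeeds only if the MAC check passes first and the owner has granted the right. Only the read direction of the MAC "dominates" rule is modelled (a subject must be cleared to at least the object's level and for all of its categories); the level names, the users and the file are assumed for the illustration.

```python
from dataclasses import dataclass, field

# MAC: a hierarchical sensitivity level plus a set of categories (compartments).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()


def mac_allows(subject: Label, obj: Label) -> bool:
    """Subject may read the object only if its clearance dominates the label:
    at least the object's level AND cleared for every one of its categories.
    Labels are set centrally; neither owner nor user can relax them."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.categories <= subject.categories)


@dataclass
class File:
    owner: str
    label: Label                                   # MAC: administrator-set
    acl: dict = field(default_factory=dict)        # DAC: user -> set of rights

    def grant(self, by: str, user: str, rights) -> None:
        """DAC: only the owner decides who else may access the file."""
        if by != self.owner:
            raise PermissionError(f"{by} does not own this file")
        self.acl.setdefault(user, set()).update(rights)


def dac_allows(f: File, user: str, right: str) -> bool:
    return user == f.owner or right in f.acl.get(user, set())


def access(f: File, user: str, clearance: Label, right: str) -> bool:
    """DAC limited by MAC: the owner's grant is necessary but not sufficient."""
    return mac_allows(clearance, f.label) and dac_allows(f, user, right)


def demo() -> dict:
    """Assumed scenario: alice owns a confidential finance file and shares it."""
    f = File(owner="alice", label=Label("confidential", frozenset({"finance"})))
    f.grant(by="alice", user="bob", rights={"read"})
    bob_low = Label("internal")                                   # not cleared high enough
    bob_ok = Label("confidential", frozenset({"finance"}))        # cleared, and granted
    carol = Label("secret", frozenset({"finance", "hr"}))         # cleared, but never granted
    try:
        f.grant(by="dave", user="dave", rights={"read"})          # dave is not the owner
        dave_could_grant = True
    except PermissionError:
        dave_could_grant = False
    return {
        "owner_reads": access(f, "alice", bob_ok, "read"),
        "bob_read_low_clearance": access(f, "bob", bob_low, "read"),
        "bob_read_cleared": access(f, "bob", bob_ok, "read"),
        "bob_write_cleared": access(f, "bob", bob_ok, "write"),
        "carol_read_no_grant": access(f, "carol", carol, "read"),
        "dave_could_grant": dave_could_grant,
    }


if __name__ == "__main__":
    print(demo())
```

Bob's read is refused while his clearance is "internal" even though alice explicitly shared the file with him; the owner's discretion cannot override the mandatory label.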

Accounting

Accounting is the process of keeping track of a user’s activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Three common methods include logs, tracking, and web browser history.

Logs

A log file is a file that keeps a registry of events, processes, messages and communication between various communicating software applications and the operating system.  A system administrator can view these files remotely (if your computer is on a network) to see what you and your computer have been doing.

Windows 7 and later versions store their event logs in this folder:

  • System Drive(usually C:)\Windows\System32\winevt\Logs

The Windows Security log records logon and logoff events by account and logon type, provided logon auditing is enabled: for example, event ID 4624 is a successful logon, 4625 a failed logon attempt, and 4634 a logoff. You can open a log file by double-clicking it, or open Computer Management (or Event Viewer directly) and use the menus shown in the image below; from a script, PowerShell's Get-WinEvent cmdlet can query the same log. Use the filter options to view certain types of security information.

Security Logs
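Accounting is only useful if someone reads the records, so here is an added example, not code from the original page, of the two things a practitioner most often does with the Security log: spot a burst of failed logons (4625) followed by a success (4624) from the same source, and pair each logon with its logoff (4634) to measure session time. The input is a constructed, simplified CSV export with columns chosen for this illustration (it is not the real Event Viewer export layout); the event IDs and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample, not real log data. 4624 = logon succeeded,
# 4625 = logon failed, 4634 = logoff; logon_type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """time,event_id,account,logon_type,logon_id,source_ip
2024-03-04T08:59:50,4624,alice,2,0x1a2b,127.0.0.1
2024-03-04T09:01:03,4625,administrator,10,-,203.0.113.9
2024-03-04T09:01:05,4625,administrator,10,-,203.0.113.9
2024-03-04T09:01:07,4625,administrator,10,-,203.0.113.9
2024-03-04T09:01:09,4625,administrator,10,-,203.0.113.9
2024-03-04T09:01:11,4625,administrator,10,-,203.0.113.9
2024-03-04T09:01:14,4624,administrator,10,0x9f00,203.0.113.9
2024-03-04T09:20:14,4634,administrator,10,0x9f00,203.0.113.9
2024-03-04T09:30:00,4625,bob,2,-,127.0.0.1
2024-03-04T17:05:00,4634,alice,2,0x1a2b,127.0.0.1
"""


def parse(text: str) -> list:
    """Read the export into dicts with typed time and event_id fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append(dict(row, time=datetime.fromisoformat(row["time"]),
                         event_id=int(row["event_id"])))
    return sorted(rows, key=lambda r: r["time"])


def brute_force_then_success(events: list, threshold: int = 5,
                             window_s: int = 120) -> list:
    """Alert when a source logs >= threshold failures within window_s seconds
    and then succeeds: the signature of a guessed or sprayed password."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source_ip"]].append(e)
    alerts = []
    for src, evs in by_source.items():
        recent_failures = []
        for e in evs:
            if e["event_id"] == 4625:
                recent_failures.append(e["time"])
                # keep only failures inside the sliding window
                recent_failures = [t for t in recent_failures
                                   if (e["time"] - t).total_seconds() <= window_s]
            elif e["event_id"] == 4624 and len(recent_failures) >= threshold:
                alerts.append({"source_ip": src, "account": e["account"],
                               "failures": len(recent_failures),
                               "logon_type": e["logon_type"], "time": e["time"]})
                recent_failures = []
    return alerts


def session_durations(events: list) -> dict:
    """Accounting: pair each 4624 with the 4634 carrying the same Logon ID and
    return logon_id -> (account, seconds logged on)."""
    open_sessions, durations = {}, {}
    for e in events:
        if e["event_id"] == 4624:
            open_sessions[e["logon_id"]] = e
        elif e["event_id"] == 4634 and e["logon_id"] in open_sessions:
            start = open_sessions.pop(e["logon_id"])
            durations[e["logon_id"]] = (
                start["account"], int((e["time"] - start["time"]).total_seconds()))
    return durations


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in brute_force_then_success(evs):
        print("ALERT", a)
    print(session_durations(evs))
```

The single failed logon by bob never trips the detector: one mistyped password is normal, five in eight seconds from an external address followed by an RDP success is not.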

The Windows Application log records events written by installed applications. Click Filter Current Log to open the dialog shown in the image below and view specific types of entries, such as errors only.

Viewing errors in the Application Log
Filter Current Log

Linux and macOS log many types of events. On macOS you can view them by opening the Console app. On Linux, logs live under /var/log (for example auth.log or secure for logins and sudo use), and distributions that use systemd can query them with journalctl.

macOS Log Information with Console

Tracking

Online tracking refers to a website or company that tracks the pages you visit, searches you perform, and other activities to improve their services or sell to other companies.  Tracking can also monitor your device’s geographical location. Location tracking is used by mobile devices that run Android and iOS as well as devices running Windows 10 and macOS High Sierra and later editions.  This feature can be added to Linux devices with apps such as Location Magic. Location tracking helps bring you more accurate and complete location-based information, (ex: “gas stations near me”), but at a cost in privacy.

To disable location tracking in Windows 10, open Settings, Privacy, and Location.  You can disable location settings by app or disable all location services.  To disable location tracking in macOS, open System Preferences, Security & Privacy, Privacy, Location Services.  You can disable all location tracking or disable tracking by app.  To disable location tracking in iOS 11, open Settings, Privacy, Location Services, System Services, Significant Locations, and turn it off.  To disable location tracking in Android, open Settings, Connections, Location, and turn off Location.  To disable Wi-Fi scanning, tap Improve Accuracy and turn off Wi-Fi scanning.  To disable Bluetooth scanning, tap Improve Accuracy and turn off Bluetooth scanning (even if these interfaces are disabled, they will continue to scan for nearby Wi-Fi and Bluetooth devices if these settings are left on).

Web Browser History

All web browsers keep a record of where you have been in a feature called browser history. The history (and the cache alongside it) can be deleted by clearing browsing data in the browser's settings. Private or incognito windows prevent the history from being saved locally, but they do not hide your activity from the network, your employer, or the sites you visit.

Non-repudiation

Nonrepudiation is the assurance that a party cannot later deny having sent a message or performed an action. In digital systems it is provided by digital signatures: a signature can only be produced with the signer's private key, so a valid one is evidence that the key holder sent the message. Encryption on its own provides confidentiality, not non-repudiation. Nonrepudiation is also a legal term that refers to any situation in which an individual cannot challenge their authorship of a document, and it has been extended to situations in which an individual cannot deny having been present in a location. Nonrepudiation methods include video, biometrics, signature, and receipt.

Video

High quality video recordings of an individual entering, leaving, or occupying a space can be used to determine if someone was present in an unauthorized location.

Biometrics

Biometric identification is a highly effective way of determining an individual’s presence physically or on a computer system or network.

Signature

A digital signature provides a high degree of certainty about the sender of a message, and the certainty is strongest when the private key is kept in a hardware token: the key cannot be copied off the device, so the signature could only have been made by whoever held the token.

Receipt

Digital receipts are just that: receipts proving that a message was delivered from a sender to a receiver. A signed receipt gives a high degree of certainty about the identity of the sending account. Because malware on the sender's device can send messages in the user's name, a receipt alone is not absolute proof that the person, rather than their compromised machine, sent it.