Chapter 5: Identity and Access Management (Domain 5) 359
man-in-the-middle attack would not be visible in the authentication log. A rainbow table
attack is used when attackers already have password hashes in their possession and would
also not show up in logs.
- During the Kerberos authentication process, the steps take place in the following order:
E. User provides authentication credentials
C. Client/TGS key generated
B. TGT generated
A. Client/server ticket generated
D. User accesses service
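The five steps above, played out end to end in a small simulation. This is an added example and not part of the book's text; the KDC, principal names, secrets, and the toy HMAC-based cipher are all constructed stand-ins (real Kerberos uses AES enctypes and a salted string-to-key function), but the message flow is the one the answer lists: credentials (E), client/TGS session key (C), TGT (B), client/server ticket (A), service access (D).

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# --- toy crypto primitives: stand-ins for Kerberos enctypes, not for production use ---

def derive_key(secret: str) -> bytes:
    """Long-term key from a password or service secret (toy string-to-key)."""
    return hashlib.sha256(secret.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Authenticated encryption of a JSON message: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> Optional[dict]:
    """Returns the message, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

TICKET_LIFETIME = 600  # seconds; constructed value

class KDC:
    """Authentication Service (AS) and Ticket-Granting Service (TGS) in one object."""

    def __init__(self, principals: dict):
        # Constructed key database: user passwords and service secrets by principal name.
        self.keys = {name: derive_key(secret) for name, secret in principals.items()}
        self.tgs_key = self.keys["krbtgt"]  # the TGS's own key; it never leaves the KDC

    def as_exchange(self, user: str) -> Tuple[bytes, bytes]:
        """Steps C and B: generate the client/TGS session key, then the TGT."""
        session_key = secrets.token_bytes(32).hex()
        for_client = encrypt(self.keys[user], {"tgs_session_key": session_key})
        tgt = encrypt(self.tgs_key, {"user": user, "tgs_session_key": session_key,
                                     "expires": time.time() + TICKET_LIFETIME})
        return for_client, tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes,
                     service: str) -> Optional[Tuple[bytes, bytes]]:
        """Step A: check TGT and authenticator, then issue the client/server ticket."""
        body = decrypt(self.tgs_key, tgt)
        if body is None or body["expires"] < time.time():
            return None
        session_key = bytes.fromhex(body["tgs_session_key"])
        auth = decrypt(session_key, authenticator)
        if auth is None or auth["user"] != body["user"]:
            return None
        svc_key = secrets.token_bytes(32).hex()
        for_client = encrypt(session_key, {"svc_session_key": svc_key, "service": service})
        ticket = encrypt(self.keys[service], {"user": body["user"], "svc_session_key": svc_key,
                                              "expires": time.time() + TICKET_LIFETIME})
        return for_client, ticket

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    """Step D: the service validates the ticket with its own key; it never contacts the KDC."""
    body = decrypt(service_key, ticket)
    if body is None or body["expires"] < time.time():
        return False
    auth = decrypt(bytes.fromhex(body["svc_session_key"]), authenticator)
    return auth is not None and auth["user"] == body["user"]

def kerberos_login(kdc: KDC, user: str, password: str, service: str, service_key: bytes) -> bool:
    """Client side of the whole flow; True if the service grants access."""
    client_key = derive_key(password)                 # Step E: user supplies credentials
    for_client, tgt = kdc.as_exchange(user)           # Steps C and B happen inside the KDC
    msg = decrypt(client_key, for_client)
    if msg is None:
        return False  # wrong password: session key unrecoverable, so the TGT is useless
    tgs_session_key = bytes.fromhex(msg["tgs_session_key"])
    reply = kdc.tgs_exchange(tgt, encrypt(tgs_session_key, {"user": user, "ts": time.time()}),
                             service)
    if reply is None:
        return False
    for_client2, ticket = reply                       # Step A
    svc_session_key = bytes.fromhex(decrypt(tgs_session_key, for_client2)["svc_session_key"])
    authenticator = encrypt(svc_session_key, {"user": user, "ts": time.time()})
    return service_accepts(service_key, ticket, authenticator)   # Step D

if __name__ == "__main__":
    kdc = KDC({"alice": "pw-alice", "krbtgt": "kdc-secret", "HTTP/files": "svc-secret"})
    print(kerberos_login(kdc, "alice", "pw-alice", "HTTP/files", derive_key("svc-secret")))
```

Two things the simulation makes visible that the list alone does not: the password is never sent to the KDC (a wrong password simply leaves the client unable to open the AS reply), and the service trusts the ticket solely because it was sealed under the key it shares with the KDC, which is why a ticket encrypted under any other key is rejected at step D.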
- B. Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.
- B. A callback to a landline phone number is an example of a “somewhere you are” factor because of the fixed physical location of a wired phone. A callback to a mobile phone would be a “something you have” factor.
- D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a nontransitive trust between AD domains in separate forests.
- B. TACACS+ is the only modern protocol on the list. It provides advantages of both TACACS and XTACACS as well as some benefits over RADIUS, including encryption of all authentication information. Super TACACS is not an actual protocol.
- D. Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.
- C. Interface restrictions based on user privileges are an example of a constrained interface. Least privilege describes the idea of providing users with only the rights they need to accomplish their job, while need to know limits access based on whether a subject needs to know the information to accomplish an assigned task. Separation of duties focuses on preventing fraud or mistakes by splitting tasks between multiple subjects.
- D. When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant access based on a subject’s role, while rule-based controls would base the decision on a set of rules or requirements. Nondiscretionary access controls apply a fixed set of rules to an environment to manage access. Nondiscretionary access controls include rule-, role-, and lattice-based access controls.
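The distinction the last answer draws, shown as working code. This is an added illustration, not from the book: the file, users, roles, and rules are constructed. In the discretionary model the owner alone edits the ACL; in the role-based model an administrator-defined role table decides and the user cannot change it; in the rule-based model fixed rules apply to every request, so even the file's owner cannot grant their way around them, which is what makes those controls nondiscretionary.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass
class FileObject:
    """A resource whose owner decides who may use it (discretionary control)."""
    name: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> permissions

def dac_grant(requester: str, f: FileObject, user: str, perms: Set[str]) -> None:
    """DAC: only the owner may change the ACL on their file."""
    if requester != f.owner:
        raise PermissionError(f"{requester} does not own {f.name}")
    f.acl.setdefault(user, set()).update(perms)

def dac_check(user: str, f: FileObject, perm: str) -> bool:
    """DAC decision: the owner has everything; others have what the owner granted."""
    return user == f.owner or perm in f.acl.get(user, set())

# Constructed role model. Roles are defined centrally; subjects cannot edit them.
ROLE_PERMS: Dict[str, Set[str]] = {"auditor": {"read"}, "editor": {"read", "write"}}
USER_ROLES: Dict[str, Set[str]] = {"bob": {"auditor"}, "carol": {"editor"}}

def rbac_check(user: str, perm: str) -> bool:
    """RBAC decision: allowed if any of the user's roles carries the permission."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in USER_ROLES.get(user, set()))

# Constructed rule set. Rules see the request context, not the subject's identity or wishes.
Rule = Callable[[dict], bool]
RULES: List[Rule] = [
    lambda req: 8 <= req["hour"] < 18,            # business hours only
    lambda req: req["src"].startswith("10.0."),   # from the corporate network only
]

def rule_check(req: dict) -> bool:
    """Rule-based decision: every system-wide rule must hold."""
    return all(rule(req) for rule in RULES)

def enforce(user: str, f: FileObject, perm: str, req: dict) -> bool:
    """Nondiscretionary rules are evaluated first; the owner's ACL cannot override them."""
    return rule_check(req) and dac_check(user, f, perm)

if __name__ == "__main__":
    budget = FileObject("budget.xlsx", owner="alice")
    dac_grant("alice", budget, "bob", {"read"})
    print(enforce("bob", budget, "read", {"hour": 10, "src": "10.0.4.7"}))   # owner granted, in policy
    print(enforce("alice", budget, "read", {"hour": 22, "src": "10.0.4.7"}))  # owner, but after hours
```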