Information Technology /Security+ (SY0-701): Lesson 4: Implement Identity Part 3
Security+ (SY0-701): Lesson 4: Implement Identity Part 3
This flashcard deck covers key concepts and definitions related to identity implementation, including password vaulting, ephemeral credentials, directory services, and authentication protocols.
Define 'Password Vaulting/Brokering'
Privileged account must be 'checked out' from a repository and is available for a limited amount of time.
Tap or swipe ↕ to flip
Swipe ←→Navigate
SSpeak
FFocus
1/36
Key Terms
Term
Definition
Define 'Password Vaulting/Brokering'
Privileged account must be 'checked out' from a repository and is available for a limited amount of time.
Define 'Ephemeral Credentials'
System generates or enables an account to use to perform the administrative task and then destroys or disables it once the task has been performed.
Where are local windows credentials stored?
Security Accounts Manager (SAM) database in the Registry
What mechanism compares a subjects submitted plaintext/hash password to the hash value stored in the Security Accounts Manager (SAM) database?
Local Security Authority Subsystem Service (LSASS)
What mechanism delivers credentials to Active Directory for authentication?
Local Security Authority Subsystem Service (LSASS)
What are examples of remote sign-in?
VPN, enterprise Wi-Fi, web portal.
Related Flashcard Decks
Study Tips
- Press F to enter focus mode for distraction-free studying
- Review cards regularly to improve retention
- Try to recall the answer before flipping the card
- Share this deck with friends to study together
| Term | Definition |
|---|---|
Define 'Password Vaulting/Brokering' | Privileged account must be 'checked out' from a repository and is available for a limited amount of time. |
Define 'Ephemeral Credentials' | System generates or enables an account to use to perform the administrative task and then destroys or disables it once the task has been performed. |
Where are local windows credentials stored? | Security Accounts Manager (SAM) database in the Registry |
What mechanism compares a subjects submitted plaintext/hash password to the hash value stored in the Security Accounts Manager (SAM) database? | Local Security Authority Subsystem Service (LSASS) |
What mechanism delivers credentials to Active Directory for authentication? | Local Security Authority Subsystem Service (LSASS) |
What are examples of remote sign-in? | VPN, enterprise Wi-Fi, web portal. |
Where are local user account names stored in Linux? | /etc/passwd |
Where are passwords stored in Linux? | /etc/shadow |
Define 'pluggable authentication module (PAM)' | Package for enabling different authentication providers; smart-card log-in, Directory services |
Define a 'directory service' | Network service that stores identity information and attributes about all the objects in a particular network; Users, groups, servers, client computers, and printers. |
What is the most common service used for a directory service? | Lightweight Directory Access Protocol (LDAP) |
Define 'Lightweight Directory Access Protocol (LDAP)' | X.500 Protocol used to access network directory databases. |
Define a 'distinguished name (DN)' | A collection of attributes that define a unique identifier for any given resource within an X.500-like directory. |
What makes up a 'distinguished name (DN)'? | Attribute-value pairs, separated by commas; The most specific attribute is listed first, and successive attributes become progressively broader. |
Define 'single sign-on (SSO)' | Authentication technology that enables a user to authenticate once and receive authorizations for multiple services following the initial authentication. |
Define 'Kerberos' | A single sign-on authentication and authorization protocol that is based on a time-sensitive, ticket-granting system. |
Define a 'key distribution center (KDC)' | A component of Kerberos that authenticates users and issues tickets (tokens). |
What are the two services that make up key distribution center (KDC)? |
|
Who/what can authenticate with Kerberos? | A principal; A user or service |
Define a 'Ticket Granting Ticket (TGT)' | Encrypted using KDC's secret key; A token issued to an authenticated account to allow access to authorized application servers. |
How is a Ticket Granting Ticket (TGT) requested by a principal (user/service)? | Principal sends the authentication service a request for a TGT by encrypting the time and date with the users password hash as the key. |
How does a directory service verify a request for Ticket Granting Ticket (TGT)? | If the request hasn't expired, authentication service checks that the user account is present and the hash in the database matches the decoded hash. |
What does a principal receive if the authorization service accepts its request for Ticket Granting Ticket (TGT)? | Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) session key. |
What information is provided in a Ticket Granting Ticket (TGT)? | Name, IP address, time stamp, and validity period. |
Define a 'Ticket Granting Service (TGS)' session key | Encrypted using a hash of the principal's password; Communicates between the client and the Ticket Granting Service (TGS) |
Define 'Federation' | Method of linking a user's identity across multiple separate identity management systems in different organizations. |
Define an 'identity provider (IdP)' | In a federated network, the service that holds the user account and performs authentication. |
Define 'Security Assertion Markup Language (SAML)' | An XML-based data format used to exchange authentication information between a client and a service. |
What language is used to create Security Assertion Markup Language (SAML)? | Written in extensible Markup Language (XML) |
What protocols are used to establish communications between a client/principal and an identity provider (IdP)? | Using HTTP/HTTPS and Simple Object Access Protocol (SOAP). |
Define the 'Simple Object Access Protocol (SOAP)' | XML-based web services protocol used to exchange messages. |
What mechanism is used to trust an identity provider (IdP)? | A digital signature/certificate |
Define 'Representational State Transfer (REST)' | Stateless framework used by application programming interfaces (APIs) for communication and integration. |
What protocol does a 'Representational State Transfer (REST)' API use for authentication and authorization? | Open Authorization (OAuth) |
Define the 'Open Authorization (OAuth)' protocol | Facilitates sharing of data within a user profile between sites. |
Define 'JavaScript Object Notation (JSON)' | JavaScript file that uses attribute-value pairs to define configurations. |