If you’re planning to take the SY0-501 exam, you should have a good understanding of common account management practices, along with some basic principles used with account management. Improperly configured accounts don’t follow these principles, increasing risks.
For example, can you answer this practice test question?
Q. Lisa is a training instructor and she maintains a training lab with 18 computers. She has enough rights and permissions on these machines so that she can configure them as needed for classes. However, she does not have the rights to add them to the organization’s domain. Which of the following choices BEST describes this example?
A. Least privilege
B. Need to know
C. Group-based privileges
D. Location-based policies
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Account management is concerned with the creation, management, disablement, and termination of accounts. When the account is active, access control methods are used to control what the user can do. Additionally, administrators use access controls to control when and where users can log on.
Least Privilege
The principle of least privilege is an example of a technical control implemented with access controls. Privileges are the rights and permissions assigned to authorized users. Least privilege specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more. For example, if Lisa needs read access to a folder on a server, you should grant her read access to that folder, but nothing else.
A primary goal of implementing least privilege is to reduce risks. As an example, imagine that Carl works at the Nuclear Power Plant, but administrators have improperly configured accounts, ignoring the principle of least privilege. In other words, Carl has access to all available data within the Nuclear Power Plant, not just the limited amount of data he needs to perform his job. Later, Lenny gets into trouble and needs money, so he convinces Carl to steal data from the power plant so that they can sell it. In this scenario, Carl can steal and sell all the data at the plant, which can result in serious losses.
In contrast, if administrators applied the principle of least privilege, Carl would only have access to a limited amount of data. Even if Lenny convinces him to steal the data, Carl wouldn’t be able to steal very much simply because he doesn’t have access to it. This limits the potential losses for the power plant.
This principle applies to regular users and administrators. As an example, if Marge administers all the computers in a training lab, it’s appropriate to give her administrative control over all these computers. However, her privileges don’t need to extend to the domain, so she wouldn’t have administrative control over all the computers in a network. Additionally, she wouldn’t have the privileges required to add these computers to the domain, unless that was a requirement in the training lab. Similarly, if a network administrator needs to review logs and update specific network devices, it’s appropriate to give the administrator access to these logs and devices, but no more.
Many services and applications run under the context of a user account. These services have the privileges of this user account, so it’s important to ensure that these accounts are only granted the privileges needed by the service or the application. In the past, many administrators configured these service and application accounts with full administrative privileges. When attackers compromised a service or application configured this way, they gained administrative privileges and wreaked havoc on the network.
Need to Know
The principle of need to know is similar to the principle of least privilege in that users are granted access only to the data and information that they need to know for their job. Notice that need to know is focused on data and information, which is typically protected with permissions. In contrast, the principle of least privilege includes both rights and permissions.
Rights refer to actions, such as the right to change the system time, the right to install an application, or the right to join a computer to a domain. Permissions typically refer to permissions on files, such as read, write, modify, read & execute, and full control.
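The following added example (not from the original post or the study guide) audits a constructed account inventory for the problems described in the least privilege and need to know sections: rights or permissions beyond what the job requires, and service accounts placed in administrative groups. The account names, resources, group names, and the Grants and audit helpers are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

ADMIN_GROUPS = {"Administrators", "Domain Admins"}  # assumed high-privilege group names

@dataclass
class Grants:
    """What an account holds, or what its job requires."""
    rights: set = field(default_factory=set)       # actions, e.g. "install application"
    permissions: set = field(default_factory=set)  # (resource, access) pairs
    groups: set = field(default_factory=set)

def audit(name, kind, granted, required):
    """Return a finding for everything granted beyond what the job requires."""
    findings = []
    for right in sorted(granted.rights - required.rights):
        findings.append((name, "least privilege", f"excess right: {right}"))
    for resource, access in sorted(granted.permissions - required.permissions):
        # Permissions protect data, so an excess one also violates need to know.
        findings.append((name, "least privilege / need to know",
                         f"excess permission: {access} on {resource}"))
    admin = sorted((granted.groups - required.groups) & ADMIN_GROUPS)
    if kind == "service" and admin:
        findings.append((name, "least privilege",
                         f"service account in admin group: {', '.join(admin)}"))
    return findings

# Constructed inventory: name -> (kind, granted, required). All values are illustrative.
INVENTORY = {
    "marge": ("user",
              Grants({"install application", "change system time"}, set(), {"Lab Admins"}),
              Grants({"install application", "change system time"}, set(), {"Lab Admins"})),
    "carl": ("user",
             Grants(set(), {("reactor-logs", "read"), ("hr-records", "read"),
                            ("finance", "read")}),
             Grants(set(), {("reactor-logs", "read")})),
    "svc-backup": ("service",
                   Grants({"back up files", "join computer to domain"},
                          {("backups", "write")}, {"Administrators"}),
                   Grants({"back up files"}, {("backups", "write")})),
}

def audit_all(inventory=INVENTORY):
    """Audit every account, in name order."""
    return [f for name, (kind, granted, required) in sorted(inventory.items())
            for f in audit(name, kind, granted, required)]

if __name__ == "__main__":
    for account, principle, detail in audit_all():
        print(f"{account:12} {principle:32} {detail}")
```

The lab administrator account produces no findings because its grants match its requirements exactly, while the over-provisioned user and the service account are each flagged twice.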
Credential Management
A credential is a collection of information that provides an identity (such as a username) and proves that identity (such as with a password). Over time, users often have multiple credentials that they need to remember, especially when they access many web sites. Credential management systems help users store these credentials securely. The goal is to simplify credential management for users, while also ensuring that unauthorized personnel do not have access to the users’ credentials.
As an example of a credential management system, Windows 10 includes the Credential Manager, accessible from Control Panel. Users are able to add credentials into the Credential Manager, which stores them securely in special folders called vaults. Then, when users access web sites needing credentials, the system automatically retrieves the credentials from the vault and submits them to the web site.
Similarly, web browsers such as Google Chrome use a credential management system to remember passwords. When you access a web site that needs your password, Chrome prompts you asking if you’d like Chrome to remember it. Later, when you visit the same web site, Chrome fills in the credentials for you.
Q. Lisa is a training instructor and she maintains a training lab with 18 computers. She has enough rights and permissions on these machines so that she can configure them as needed for classes. However, she does not have the rights to add them to the organization’s domain. Which of the following choices BEST describes this example?
A. Least privilege
B. Need to know
C. Group-based privileges
D. Location-based policies
Answer is A. When following the principle of least privilege, individuals have only enough rights and permissions to perform their job, and this is exactly what is described in this scenario.
Need to know typically refers to data and information rather than the privileges required to perform an action, such as adding computers to a domain.
Group-based privileges refer to giving permissions to groups, and then adding the users to the groups to give them appropriate privileges.
A location-based policy allows or blocks access based on location, but the scenario doesn’t indicate the location is being checked.
See Chapter 2 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on managing accounts.