When an account is active, access control methods are used to control what the user can do. Additionally, administrators use access controls to control when and where users can log on. If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of managing accounts. This includes differentiating common account management practices, along with some basic principles used with account management.
For example, can you answer this practice test question?
Q. Members of a project team chose to meet at a local library to complete some work on a key project. All of them are authorized to work from home using a VPN connection and have connected from home successfully. However, they found that they were unable to connect to the network using the VPN from the library and they could not access any of the project data. Which of the following choices is the MOST likely reason why they can’t access this data?
A. Role-based access control
B. Time-of-day access control
C. Location-based policy
D. Discretionary access control
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Time-of-Day Restrictions
Time-of-day restrictions specify when users can log on to a computer. If a user tries to log on to the network outside the restricted time, the system denies access to the user.
As an example, imagine a company operates between 8:00 a.m. and 5:00 p.m. on a daily basis. Managers decide they don’t want regular users logging on to the network except between 6:00 a.m. and 8:00 p.m., Monday through Friday. You could set time-of-day restrictions for user accounts, as shown in the figure. If a user tries to log on outside the restricted time (such as during the weekend), the system prevents the user from logging on.
User account properties with time restrictions
If users are working overtime on a project, the system doesn’t log them off when the restricted time arrives. For example, if Maggie is working late on a Wednesday night, the system doesn’t log her off at 8:00 p.m. (assuming the time restrictions are set as shown in the figure). However, the system will prevent her from creating any new network connections.
Location-Based Policies
Location-based policies restrict access based on the location of the user. For example, geolocation technologies can often detect a location using the IP address, and block any traffic from unacceptable addresses, such as from foreign countries. It’s also possible to identify a set of IP addresses as the only addresses that are acceptable. This is often referred to as whitelisting the IP addresses.
Within a network, it’s possible to restrict access based on computer names or MAC addresses. For example, imagine Bart has been logging on to multiple computers with his account. It is possible to restrict his account to only his computer. When he tries to log on to his account, he is successful. If he tries to log on to another computer, the location-based policy blocks him.
Remember this
Time-of-day restrictions prevent users from logging on during restricted times. They also prevent logged-on users from accessing resources during certain times. Location-based policies restrict access based on the location of the user.
Expiring Accounts and Recertification
It’s possible to set user accounts to expire automatically. When the account expires, the system disables it, and the user is no longer able to log on using the account.
If you look back at the figure, it shows the properties of an account. The Account Expires section is at the bottom of the page, and the account is set to expire on September 1. When September 1 arrives, the account is automatically disabled and the user will no longer be able to log on.
It’s common to configure temporary accounts to expire. For example, an organization may hire contractors for a 90-day period to perform a specific job. An administrator creates accounts for the contractors and sets them to expire in 90 days. This automatically disables the accounts at the end of the contract.
If the organization extends the contract, it’s a simple matter to recertify the account. Administrators verify that the contract has been extended, change the expiration date, and enable the account.
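The following PowerShell is an added example of the contractor workflow just described; it is not code from the study guide or from Microsoft. It assumes the ActiveDirectory module (installed with RSAT) is available, and the account names contractor01 and contractor02, the 90-day contract length, and the Set-ContractorRecertification function name are constructed for illustration.

```powershell
# Added example: expire contractor accounts, report upcoming expirations,
# and recertify an extended contract. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed sample data for this example
$contractors  = 'contractor01', 'contractor02'
$contractDays = 90

# Set each contractor account to expire at the end of the contract period.
foreach ($sam in $contractors) {
    $expires = (Get-Date).Date.AddDays($contractDays)
    Set-ADAccountExpiration -Identity $sam -DateTime $expires
    Write-Output "$sam expires $expires"
}

# Report accounts that will expire within the next 14 days so the owner can be
# asked whether the contract was extended before the account stops working.
Search-ADAccount -AccountExpiring -TimeSpan '14.00:00:00' -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate

# Recertification: an administrator has confirmed the extension, so move the
# expiration date out and make sure the account is enabled again. In AD DS an
# expired account is refused at logon without the Enabled flag changing, so the
# Enable-ADAccount call only matters if someone also disabled it explicitly.
function Set-ContractorRecertification {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [datetime] $NewExpiration
    )
    Set-ADAccountExpiration -Identity $Identity -DateTime $NewExpiration
    $account = Get-ADUser -Identity $Identity
    if (-not $account.Enabled) {
        Enable-ADAccount -Identity $Identity
    }
    Get-ADUser -Identity $Identity -Properties AccountExpirationDate |
        Select-Object SamAccountName, Enabled, AccountExpirationDate
}

# Example usage (hypothetical): the contract for contractor01 was extended 30 days.
Set-ContractorRecertification -Identity 'contractor01' -NewExpiration (Get-Date).Date.AddDays(30)
```

The expiring-accounts report is the piece that turns expiration into a recertification process rather than a surprise lockout: run it on a schedule and route the list to whoever owns the contracts.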
Account Maintenance
Administrators routinely perform account maintenance. This is often done with scripts to automate the processes.
As an example, it’s relatively simple to create and run a script listing all enabled accounts that haven’t been used in the last 30 days in a Microsoft AD DS domain. This provides a list of inactive accounts. Often, these are accounts of ex-employees or temporary employees who are no longer at the organization. Ideally, an account disablement policy would ensure that the accounts are disabled as soon as the employee leaves. The scripts provide an additional check to ensure inactive accounts are disabled.
Additionally, account maintenance includes deleting accounts that are no longer needed. For example, if an organization has a policy of disabling accounts when employees leave, but deleting them 60 days later, account maintenance procedures ensure the accounts are deleted.
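As an added example of the maintenance script the text describes (not code from the study guide), here is a PowerShell report that finds enabled domain accounts with no logon in 30 days, disables them, and deletes accounts that were disabled 60 or more days ago. It assumes the ActiveDirectory module, and the convention of stamping the account's Description with the disable date is an assumption made here so the 60-day deletion rule has something to check.

```powershell
# Added example: inactive-account maintenance for an AD DS domain.
# Runs in report-only mode unless -Apply is given.
param([switch] $Apply)

Import-Module ActiveDirectory

$inactiveAfterDays = 30
$deleteAfterDays   = 60
$stampPrefix       = 'Disabled by maintenance'   # assumed convention for this script
$now               = Get-Date

# LastLogonDate comes from lastLogonTimestamp, which replicates with up to a
# 14-day lag, so a cutoff shorter than that would misreport active users.
$inactiveCutoff = $now.AddDays(-$inactiveAfterDays)

# Step 1: enabled accounts with no recent logon. Accounts that have never
# logged on have no LastLogonDate, so fall back to their creation date to
# avoid disabling accounts created this week.
$inactive = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $inactiveCutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $inactiveCutoff)
    }

foreach ($user in $inactive) {
    Write-Output "INACTIVE $($user.SamAccountName) last logon: $($user.LastLogonDate)"
    if ($Apply) {
        Disable-ADAccount -Identity $user.DistinguishedName
        Set-ADUser -Identity $user.DistinguishedName `
            -Description "$stampPrefix $($now.ToString('yyyy-MM-dd'))"
    }
}

# Step 2: disabled accounts whose stamp shows they passed the retention period.
$deleteCutoff = $now.AddDays(-$deleteAfterDays)
$disabled = Search-ADAccount -AccountDisabled -UsersOnly |
    Get-ADUser -Properties Description

foreach ($user in $disabled) {
    if ($user.Description -match "^$stampPrefix (\d{4}-\d{2}-\d{2})") {
        $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
        if ($disabledOn -lt $deleteCutoff) {
            Write-Output "DELETE $($user.SamAccountName) disabled on $($Matches[1])"
            if ($Apply) {
                Remove-ADUser -Identity $user.DistinguishedName -Confirm:$false
            }
        }
    }
}
```

Run it without -Apply first and compare the list against HR's leaver records; the script is a backstop for the disablement policy, not a replacement for it, and a disabled-but-not-deleted window gives you time to catch a mistake before mailbox and file ownership are lost with the account.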
Q. Members of a project team chose to meet at a local library to complete some work on a key project. All of them are authorized to work from home using a VPN connection and have connected from home successfully. However, they found that they were unable to connect to the network using the VPN from the library and they could not access any of the project data. Which of the following choices is the MOST likely reason why they can’t access this data?
A. Role-based access control
B. Time-of-day access control
C. Location-based policy
D. Discretionary access control
Answer is C. A location-based policy restricts access based on location, such as with an IP address, and this is the best possible answer of those given. The scenario indicates they could use the virtual private network (VPN) connection from home, but it was blocked when they tried to access it from the library.
A time-of-day access control restricts access based on the time of day, but the scenario doesn’t indicate the time.
Neither a discretionary access control model nor a role-based access control model restricts access based on location.
See Chapter 2 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on managing accounts.