20744B_02.pptx - Module 2 Protecting credentials and privileged access Module Overview Understanding user rights Computer and service accounts

20744B_02.pptx - Module 2 Protecting credentials and...

This preview shows page 1 - 10 out of 41 pages.

Module 2 Protecting credentials and privileged access
Image of page 1

Subscribe to view the full document.

Module Overview Understanding user rights Computer and service accounts Protecting credentials Privileged Access Workstations and jump servers Local administrator password solution
Image of page 2
Lesson 1: Understanding user rights Principle of least privilege Configuring user rights Configuring account-security options Demonstration: Configuring user rights and account-security options Configuring account-policy settings Protected users, authentication policies, and authentication-policy silos Delegating privileges Demonstration: Delegating privileges
Image of page 3

Subscribe to view the full document.

Principle of least privilege Principle of least privilege: Assign only the minimum privilege to an account If an account is compromised, attacker can only perform a limited number of tasks Avoid single over privileged accounts Create accounts for specific administrative tasks IT ops staff should use nonprivileged user accounts for daily tasks such as browsing, email, and word processing Only use privileged accounts to perform administrative tasks Developers and IT operations staff should not sign in to their workstations with accounts that have local administrator privileges
Image of page 4
Configuring user rights
Image of page 5

Subscribe to view the full document.

Configuring account-security options Configure the following settings to increase privileged account security: Logon Hours Logon Workstations Smart card is required for interactive logon Account is sensitive and cannot be delegated Account Expires Do not enable the following settings, as these decrease security: Do not require Kerberos preauthentication Password Never Expires Use only Kerberos DES encryption types for this account
Image of page 6
Demonstration: Configuring user rights and account-security options In this demonstration, you will learn how to configure account-security options and user rights
Image of page 7

Subscribe to view the full document.

Configuring account-policy settings Password policy determines: How many previous passwords are remembered Maximum password age Minimum password age Minimum password length Whether password must meet complexity requirements Account lockout policy determines: How long an account is locked when a specified number of incorrect passwords are typed. The default is no lockout How many incorrect passwords must be typed in succession, during a specific time before Windows locks the account How much time must pass before the account lockout counter is reset
Image of page 8
Protected users, authentication policies, and authentication-policy silos Provides method of protecting highly privileged accounts User accounts added to the Protected Users group will not have their credentials cached and cannot use NTLM authentication or older cipher suites for Kerberos pre-authentication Authentication policies specify settings that mitigate exposure to credential theft Authentication policy silos allow administrators to define a relationship between the User, Computer and managed service accounts: Accounts only can belong to a single authentication policy silo Accounts in an authentication policy silo are associated with a silo claim
Image of page 9

Subscribe to view the full document.

Image of page 10
  • Fall '17
  • Dr. John Kincaid

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern

Ask Expert Tutors You can ask 0 bonus questions You can ask 0 questions (0 expire soon) You can ask 0 questions (will expire )
Answers in as fast as 15 minutes