WEBVTT

00:00.270 --> 00:06.000
There are a lot of questions on the exam that talk about how we deal with user accounts.

00:06.030 --> 00:11.000
Now as you can imagine user accounts are a big issue when it comes to security in general.

00:11.130 --> 00:16.020
But in this episode I just want to kind of enumerate a number of really really important issues that

00:16.020 --> 00:17.720
you're going to see on the exam.

00:17.760 --> 00:23.040
So we need to take this a little bit bigger than, for example, well, I know I'm going to be setting up

00:23.100 --> 00:29.820
users and groups, so I know things like, for example, Microsoft best practices: users go into groups, who

00:29.820 --> 00:31.110
gets rights and permissions.

00:31.110 --> 00:33.060
I mean, you should know that.

00:33.120 --> 00:38.160
But what I want to do is break this down and enumerate it a little bit more tightly to tie into what

00:38.160 --> 00:39.470
you're going to see on the exam.

00:39.480 --> 00:42.480
So let's start off with number one: continuous monitoring.

00:47.190 --> 00:53.530
Your number one best buddy when it comes to user account issues is continuous access monitoring.

00:53.700 --> 01:00.810
You should be monitoring 24/7 what your users are getting into to be able to have an idea of what's

01:00.810 --> 01:03.240
going on within your infrastructure.

01:03.240 --> 01:07.440
So that could be hundreds of different things under hundreds of different types of applications.

01:07.560 --> 01:12.810
But in general, and for the exam, remember it's always good to track when people are logging in or logging

01:12.810 --> 01:17.970
off to a particular resource and also keeping very close track of file access.

01:18.000 --> 01:23.310
In particular, if you have large database files or if you have personnel files, something that's really

01:23.310 --> 01:29.520
really important, and you want to know what people are doing, continuous monitoring of that file access

01:29.790 --> 01:33.060
can really help you if you run into trouble in the future.

01:33.500 --> 01:43.380
OK, the next one I want to talk about is a big problem, and that's shared accounts.

01:43.410 --> 01:47.580
The bottom line is that shared accounts are a bad thing.

01:47.610 --> 01:54.090
If I see people using shared accounts it usually just shows that they're being lazy in terms of doing

01:54.090 --> 01:55.220
good security.

01:55.230 --> 01:58.710
Probably one of the worst examples, and everybody's guilty of this,

01:58.800 --> 02:06.150
are these home networks where you're set up as a workgroup and each individual system has the same

02:06.240 --> 02:09.540
user and everybody just logs in whatever they want to log into.

02:09.540 --> 02:11.320
Well, maybe for your house that's OK.

02:11.430 --> 02:15.590
But in an enterprise environment that is utterly utterly unacceptable.

02:15.600 --> 02:22.080
The bottom line is that continuous user access monitoring is going to be the tool that helps us watch

02:22.080 --> 02:23.370
out for that type of stuff.

02:23.520 --> 02:28.920
I guess about the only excuse I would ever see for shared accounts is you have some weird resource like

02:28.920 --> 02:33.780
an old printer or something that could only have one account, and even that's pretty much rare.

02:33.780 --> 02:37.990
So the bottom line is: don't do shared accounts.

02:38.040 --> 02:39.960
So go into the opposite of that.

02:39.960 --> 02:42.060
Now let's talk about multiple accounts.

02:47.310 --> 02:50.790
Multiple accounts sometimes just has to happen.

02:50.790 --> 02:54.570
Shared accounts are a sign of being a bad security person.

02:54.630 --> 02:57.600
Multiple accounts sometimes just has to happen.

02:57.600 --> 03:00.120
So let's talk about those types of scenarios.

03:00.120 --> 03:04.860
Number one: if you're going to be using multiple accounts, use different usernames and passwords.

03:05.010 --> 03:11.550
Now what we're talking about here is where you've got a Windows domain login with one username and

03:11.550 --> 03:17.520
password and you use that same username and password to get into your e-mail server or whatever it might

03:17.520 --> 03:18.330
be.

03:18.420 --> 03:24.130
That's a bad idea if you're going to be using multiple accounts for one person like this.

03:24.150 --> 03:26.740
Always try to use different usernames and passwords.

03:26.880 --> 03:29.060
While we're at it, always use different groups.

03:29.130 --> 03:34.470
So if you are, let's just stick with Windows, so you're logging into a domain and you have two or three

03:34.470 --> 03:36.550
different groups for one reason or another.

03:36.600 --> 03:42.750
Make sure that those users are in different groups when they log in. If they're all in the same group,

03:42.750 --> 03:44.660
or if even a few are in the same group,

03:44.700 --> 03:49.260
that's often a good sign that you're not doing good security.

03:49.260 --> 03:55.080
The third big issue is that in a lot of situations we will give people who would ordinarily not have

03:55.080 --> 03:56.940
really high privileges.

03:56.940 --> 03:59.190
Sometimes we give them very very high privileges.

03:59.190 --> 04:05.880
So a great example is I've got this guy in my accounting department, and they print like crazy, I mean they're

04:05.880 --> 04:06.690
always printing.

04:06.690 --> 04:12.300
So I need somebody down in the accounting department who can clear the print queue or do whatever they

04:12.300 --> 04:16.100
need to do. His regular account doesn't have those permissions.

04:16.110 --> 04:21.330
So what I did is I gave him a special account that he can log in with and just do whatever he needs

04:21.330 --> 04:23.760
to do at that local accounting printer.

04:23.760 --> 04:30.300
The important thing here is that if you give someone a second account with elevated privileges, make

04:30.300 --> 04:35.970
sure they understand they will go ahead and log in with the elevated privileges only to do what they

04:35.970 --> 04:37.680
need to do and then log off.

04:37.680 --> 04:42.630
So if he's got a problem on the printer, he logs off with his regular account, logs in with his privileged

04:42.630 --> 04:45.930
account, does what needs to be done with the printer and then gets off.

04:45.930 --> 04:52.320
It's very very easy for people to just try to stay and do their normal work with an elevated privilege

04:52.320 --> 04:52.650
account.

04:52.680 --> 04:54.120
And that's a big no-no.

04:54.480 --> 04:55.250
OK.

04:55.590 --> 05:00.150
The fourth thing, and this is a big one, is when you're in a scenario where you have a lot of multiple

05:00.150 --> 05:06.360
accounts: log everything. You really want to keep close track on multiple account scenarios to make sure

05:06.360 --> 05:08.230
people are doing the right thing.

05:08.610 --> 05:09.280
OK.

05:09.450 --> 05:13.920
So the last one I want to talk about is probably the biggest issue of all when it comes to user account

05:13.920 --> 05:16.960
issues, and that's default and generic usernames.

05:21.750 --> 05:25.980
Your networks are filled with generic and default usernames.

05:25.980 --> 05:31.710
I mean, at the very top of it is you've always got like your admin account or your supervisor account

05:31.710 --> 05:38.590
or whatever it might be for logging in to a router or to your domain controller or whatever it might be.

05:38.700 --> 05:45.510
If you've got databases, a lot of them have DB admin as their default account to log in with. If you

05:45.510 --> 05:49.440
have these types of accounts, what you want to do is not use those.

05:49.440 --> 05:54.570
If you can disable them, great. If you can delete them, great. What you want to do instead is always use

05:54.570 --> 05:56.790
dedicated service accounts.

05:56.790 --> 06:02.730
That way you'll always know who's logging into what. If you have somebody who needs elevated privileges

06:02.970 --> 06:09.840
to do something crazy at the top of all your routers and you create a router user, Mike's router account

06:09.870 --> 06:15.300
or something like that, that makes it easy to log, easy to understand and easy to track to see what people

06:15.300 --> 06:16.220
are doing.

06:16.590 --> 06:21.000
So we've gone through a number of very specific user account issues. You're going to be seeing all these

06:21.000 --> 06:21.850
on the exam.

06:21.870 --> 06:22.390
Take a minute.

06:22.410 --> 06:36.610
Memorize them all.
