WEBVTT

1
00:00:00.000 --> 00:00:01.320
<v Instructor>In this lesson,</v>

2
00:00:01.320 --> 00:00:04.290
we will learn about access control.

3
00:00:04.290 --> 00:00:07.500
Access control manages and enforces

4
00:00:07.500 --> 00:00:11.850
who can access specific resources within a system

5
00:00:11.850 --> 00:00:16.050
based on predefined policies and user roles.

6
00:00:16.050 --> 00:00:21.050
Access control concepts include Single Sign-On, or SSO,

7
00:00:21.120 --> 00:00:25.470
Kerberos, and Privileged Access Management, or PAM.

8
00:00:25.470 --> 00:00:30.120
Single Sign-On, or SSO, is an authentication process

9
00:00:30.120 --> 00:00:33.930
that allows users to access multiple applications

10
00:00:33.930 --> 00:00:38.820
or services with one set of login credentials.

11
00:00:38.820 --> 00:00:42.510
Kerberos is a network authentication protocol

12
00:00:42.510 --> 00:00:45.300
that uses tickets to allow entities

13
00:00:45.300 --> 00:00:49.020
to securely prove their identity to one another

14
00:00:49.020 --> 00:00:51.330
over a non-secure network.

15
00:00:51.330 --> 00:00:54.360
And Privileged Access Management, or PAM,

16
00:00:54.360 --> 00:00:57.840
controls and monitors access to critical systems

17
00:00:57.840 --> 00:00:59.880
and sensitive information

18
00:00:59.880 --> 00:01:03.720
by granting elevated privileges only when needed.

19
00:01:03.720 --> 00:01:07.410
Let's learn more about Single Sign-On, Kerberos,

20
00:01:07.410 --> 00:01:10.080
and Privileged Access Management.

21
00:01:10.080 --> 00:01:12.780
First, we have Single Sign-On.

22
00:01:12.780 --> 00:01:17.070
Single Sign-On, or SSO, is an authentication method

23
00:01:17.070 --> 00:01:20.820
that allows users to access multiple applications

24
00:01:20.820 --> 00:01:25.200
or services with a single set of login credentials

25
00:01:25.200 --> 00:01:28.260
within a domain or organization.

26
00:01:28.260 --> 00:01:31.890
This process simplifies user experience

27
00:01:31.890 --> 00:01:33.210
by reducing the need

28
00:01:33.210 --> 00:01:37.110
to remember multiple usernames and passwords,

29
00:01:37.110 --> 00:01:39.540
making it easier and faster

30
00:01:39.540 --> 00:01:43.080
for users to log in to various systems.

31
00:01:43.080 --> 00:01:45.630
SSO increases security

32
00:01:45.630 --> 00:01:48.810
because users are less likely to write down

33
00:01:48.810 --> 00:01:50.940
or forget their credentials,

34
00:01:50.940 --> 00:01:55.590
reducing the chances of password-related security breaches.

35
00:01:55.590 --> 00:01:58.650
It also allows organizations to manage

36
00:01:58.650 --> 00:02:02.460
and enforce password policies more effectively

37
00:02:02.460 --> 00:02:06.720
since there is only one set of credentials to maintain.

38
00:02:06.720 --> 00:02:09.000
Second, we have Kerberos.

39
00:02:09.000 --> 00:02:12.420
Kerberos is a network authentication protocol

40
00:02:12.420 --> 00:02:16.470
designed to provide secure identity verification

41
00:02:16.470 --> 00:02:18.840
over non-secure networks.

42
00:02:18.840 --> 00:02:20.940
And it is widely used

43
00:02:20.940 --> 00:02:24.450
in Microsoft Active Directory environments.

44
00:02:24.450 --> 00:02:27.660
Kerberos uses a ticket-based system

45
00:02:27.660 --> 00:02:30.630
to authenticate users and services,

46
00:02:30.630 --> 00:02:33.750
allowing them to securely prove their identity

47
00:02:33.750 --> 00:02:36.660
and communicate across the network.

48
00:02:36.660 --> 00:02:39.420
The Kerberos authentication process

49
00:02:39.420 --> 00:02:43.440
begins with a user requesting access to a service

50
00:02:43.440 --> 00:02:46.740
by authenticating to a Kerberos server.

51
00:02:46.740 --> 00:02:49.650
But instead of sending the plain text password

52
00:02:49.650 --> 00:02:51.300
across the network,

53
00:02:51.300 --> 00:02:55.980
the user's password is used locally to encrypt the request.

54
00:02:55.980 --> 00:03:00.480
Once authenticated, Kerberos uses time-stamped tickets,

55
00:03:00.480 --> 00:03:03.450
specifically a ticket granting ticket,

56
00:03:03.450 --> 00:03:07.530
and service tickets to manage session security.

57
00:03:07.530 --> 00:03:10.140
Each ticket has a limited lifespan,

58
00:03:10.140 --> 00:03:13.290
which ensures that access is time-bound

59
00:03:13.290 --> 00:03:18.180
and reduces the risk of misuse if a ticket is intercepted.

60
00:03:18.180 --> 00:03:21.870
So, when a user attempts to access a resource,

61
00:03:21.870 --> 00:03:24.060
they present a service ticket,

62
00:03:24.060 --> 00:03:26.700
which is issued by the Kerberos server

63
00:03:26.700 --> 00:03:29.070
after the user has authenticated

64
00:03:29.070 --> 00:03:32.010
and received a ticket granting ticket.

65
00:03:32.010 --> 00:03:33.900
The service being accessed

66
00:03:33.900 --> 00:03:37.170
then verifies the service ticket's validity,

67
00:03:37.170 --> 00:03:39.240
granting or denying access

68
00:03:39.240 --> 00:03:42.780
based on the credentials within the service ticket.

69
00:03:42.780 --> 00:03:46.650
Kerberos also supports mutual authentication,

70
00:03:46.650 --> 00:03:49.680
meaning both the user and the service

71
00:03:49.680 --> 00:03:52.410
verify each other's identity,

72
00:03:52.410 --> 00:03:55.290
adding an extra layer of security.

73
00:03:55.290 --> 00:03:57.600
Kerberos is commonly integrated

74
00:03:57.600 --> 00:04:00.060
into Single Sign-On systems,

75
00:04:00.060 --> 00:04:04.320
providing a secure method for managing authentication

76
00:04:04.320 --> 00:04:06.540
across multiple services

77
00:04:06.540 --> 00:04:09.990
without repeatedly asking for credentials.

78
00:04:09.990 --> 00:04:14.790
Third, and finally, we have Privileged Access Management.

79
00:04:14.790 --> 00:04:17.640
Privileged Access Management, or PAM,

80
00:04:17.640 --> 00:04:20.730
is a security strategy that controls

81
00:04:20.730 --> 00:04:24.060
and monitors access to critical systems

82
00:04:24.060 --> 00:04:26.610
by managing user privileges.

83
00:04:26.610 --> 00:04:31.110
PAM focuses on ensuring that only authorized users

84
00:04:31.110 --> 00:04:35.310
can gain elevated access to sensitive resources

85
00:04:35.310 --> 00:04:38.280
and perform high-risk tasks.

86
00:04:38.280 --> 00:04:41.670
PAM does this by granting privileged access

87
00:04:41.670 --> 00:04:44.550
on a just-in-time basis,

88
00:04:44.550 --> 00:04:46.770
meaning elevated privileges

89
00:04:46.770 --> 00:04:50.820
are only given when needed for specific tasks.

90
00:04:50.820 --> 00:04:54.270
This approach helps to minimize the risks

91
00:04:54.270 --> 00:04:58.860
associated with excessive or unnecessary access rights,

92
00:04:58.860 --> 00:05:02.820
reducing the potential for unauthorized actions

93
00:05:02.820 --> 00:05:05.640
that could compromise system security.

94
00:05:05.640 --> 00:05:09.780
PAM works by enforcing strict access controls

95
00:05:09.780 --> 00:05:11.640
and policies that govern

96
00:05:11.640 --> 00:05:15.720
who can access sensitive resources and when.

97
00:05:15.720 --> 00:05:18.660
It involves tools and technologies

98
00:05:18.660 --> 00:05:21.450
that automatically manage, audit,

99
00:05:21.450 --> 00:05:25.050
and monitor the use of privileged accounts.

100
00:05:25.050 --> 00:05:27.480
For example, PAM solutions

101
00:05:27.480 --> 00:05:30.495
can automatically rotate passwords, manage sessions,

102
00:05:30.495 --> 00:05:35.430
and enforce multi-factor authentication

103
00:05:35.430 --> 00:05:38.400
to ensure that only the right users

104
00:05:38.400 --> 00:05:41.160
have access at the right time.

105
00:05:41.160 --> 00:05:44.790
By continuously monitoring privileged activities,

106
00:05:44.790 --> 00:05:47.730
PAM can detect suspicious behavior

107
00:05:47.730 --> 00:05:51.000
and respond quickly to potential threats,

108
00:05:51.000 --> 00:05:54.120
providing a critical layer of defense

109
00:05:54.120 --> 00:05:58.290
against both internal and external attacks.

110
00:05:58.290 --> 00:06:00.930
Another key component of PAM

111
00:06:00.930 --> 00:06:04.500
is its ability to provide detailed auditing

112
00:06:04.500 --> 00:06:07.620
and reporting of privileged access.

113
00:06:07.620 --> 00:06:10.230
This allows organizations to track

114
00:06:10.230 --> 00:06:13.680
and record all actions taken by users

115
00:06:13.680 --> 00:06:15.990
with elevated privileges,

116
00:06:15.990 --> 00:06:19.230
providing accountability and visibility

117
00:06:19.230 --> 00:06:23.820
into how sensitive systems are being accessed and used.

118
00:06:23.820 --> 00:06:28.590
This level of monitoring helps meet compliance requirements

119
00:06:28.590 --> 00:06:33.090
and ensures that security policies are being followed.

120
00:06:33.090 --> 00:06:36.990
By controlling and monitoring privileged access,

121
00:06:36.990 --> 00:06:41.430
PAM significantly reduces the risk of data breaches,

122
00:06:41.430 --> 00:06:45.630
insider threats, and other security incidents.

123
00:06:45.630 --> 00:06:49.230
Now let's take a look at Privileged Access Management

124
00:06:49.230 --> 00:06:53.490
or PAM configuration on a Linux machine.

125
00:06:53.490 --> 00:06:55.590
Configuring a sudoers file

126
00:06:55.590 --> 00:06:58.830
is an example of Privileged Access Management.

127
00:06:58.830 --> 00:07:02.250
The sudoers file controls which users have the ability

128
00:07:02.250 --> 00:07:05.820
to execute commands with elevated privileges

129
00:07:05.820 --> 00:07:08.760
by specifying permissions for certain commands

130
00:07:08.760 --> 00:07:10.410
or groups of commands.

131
00:07:10.410 --> 00:07:13.530
This helps enforce the principle of least privilege,

132
00:07:13.530 --> 00:07:17.280
ensuring that users only have the access necessary

133
00:07:17.280 --> 00:07:19.320
to perform their roles.

134
00:07:19.320 --> 00:07:22.350
By carefully configuring the sudoers file,

135
00:07:22.350 --> 00:07:26.310
administrators can manage and limit privileged actions,

136
00:07:26.310 --> 00:07:28.410
thereby enhancing security

137
00:07:28.410 --> 00:07:31.980
and reducing the risk of unauthorized access

138
00:07:31.980 --> 00:07:34.230
to sensitive functions.

139
00:07:34.230 --> 00:07:37.620
I am logged into this Kali Linux virtual machine

140
00:07:37.620 --> 00:07:41.100
with the Kali user, which is an administrator,

141
00:07:41.100 --> 00:07:44.550
so it has elevated privileges and permissions.

142
00:07:44.550 --> 00:07:47.340
Let's demonstrate that with a few commands.

143
00:07:47.340 --> 00:07:51.750
We'll start out with sudo apt update,

144
00:07:51.750 --> 00:07:54.150
and you can see the update occurred.

145
00:07:54.150 --> 00:07:59.150
Now let's install a simple package, sudo apt install htop.

146
00:08:01.710 --> 00:08:04.830
The package is installing and once it's installed,

147
00:08:04.830 --> 00:08:07.530
we'll open it up just to show that it's working.

148
00:08:07.530 --> 00:08:08.850
There it is.

149
00:08:08.850 --> 00:08:12.510
Now let's uninstall that package,

150
00:08:12.510 --> 00:08:15.813
sudo apt remove htop.

151
00:08:18.990 --> 00:08:21.420
Okay, the package is removed,

152
00:08:21.420 --> 00:08:25.170
but remember that was all done with my Kali login,

153
00:08:25.170 --> 00:08:26.970
which is an administrator.

154
00:08:26.970 --> 00:08:31.050
So let's create a simple user called Jeremiah,

155
00:08:31.050 --> 00:08:35.070
sudo adduser jeremiah.

156
00:08:35.070 --> 00:08:36.370
We'll type in a password

157
00:08:39.990 --> 00:08:42.063
and some information about the account.

158
00:08:44.920 --> 00:08:48.483
Okay, now let's switch to the user Jeremiah.

159
00:08:54.540 --> 00:08:56.940
Because this is a user level account,

160
00:08:56.940 --> 00:08:59.580
it doesn't have the administrative permissions

161
00:08:59.580 --> 00:09:02.460
to install updates or packages.

162
00:09:02.460 --> 00:09:06.873
Let's go ahead and test this out, sudo apt update,

163
00:09:08.040 --> 00:09:09.210
type in the password.

164
00:09:09.210 --> 00:09:12.660
Ah, Jeremiah is not in the sudoers file.

165
00:09:12.660 --> 00:09:14.700
We'll find the same thing true

166
00:09:14.700 --> 00:09:18.453
if we try to install htop.

167
00:09:20.610 --> 00:09:22.830
Again, not in the sudoers file.

168
00:09:22.830 --> 00:09:25.650
So let's take a look at the sudoers file.

169
00:09:25.650 --> 00:09:27.993
First, we'll exit out of this account.

170
00:09:29.460 --> 00:09:32.613
Now we'll go to the sudo file.

171
00:09:35.340 --> 00:09:38.640
Alright, I have a command already written in here

172
00:09:38.640 --> 00:09:41.850
that will give the user Jeremiah the privileges

173
00:09:41.850 --> 00:09:46.850
and permissions to use apt update and apt install htop.

174
00:09:48.660 --> 00:09:51.300
Notably, I'm not giving this account

175
00:09:51.300 --> 00:09:54.930
the ability to remove the htop package

176
00:09:54.930 --> 00:09:56.790
once it's been installed.

177
00:09:56.790 --> 00:10:00.120
So, I have uncommented the line

178
00:10:00.120 --> 00:10:03.063
and I'll go ahead and save the sudoers file.

179
00:10:05.250 --> 00:10:09.153
Now, let's log back in to that Jeremiah account.

180
00:10:11.820 --> 00:10:15.690
Okay, now since Jeremiah is in the sudoers file,

181
00:10:15.690 --> 00:10:17.910
there should be some elevated privileges

182
00:10:17.910 --> 00:10:22.623
and permissions that can be run, specifically apt update.

183
00:10:25.140 --> 00:10:26.880
And you can see it's running.

184
00:10:26.880 --> 00:10:29.700
Also recall that we added in the ability

185
00:10:29.700 --> 00:10:32.250
to install the package htop.

186
00:10:32.250 --> 00:10:35.043
Sudo apt install htop.

187
00:10:36.030 --> 00:10:38.370
And you can see it's installing.

188
00:10:38.370 --> 00:10:39.390
Once it's installed,

189
00:10:39.390 --> 00:10:42.180
we'll open it up just to show that it's working.

190
00:10:42.180 --> 00:10:44.070
What we notably didn't do

191
00:10:44.070 --> 00:10:47.190
was give the permissions in the sudoers file

192
00:10:47.190 --> 00:10:50.253
to remove this package, but let's try it.

193
00:10:57.090 --> 00:11:02.090
Ah, not allowed to execute apt remove htop as root on kali.

194
00:11:03.270 --> 00:11:06.450
So, you can see that this user is restricted

195
00:11:06.450 --> 00:11:09.900
in what privileges and permissions it can use.

196
00:11:09.900 --> 00:11:12.960
So to summarize, in this demonstration,

197
00:11:12.960 --> 00:11:14.970
we created a user account

198
00:11:14.970 --> 00:11:18.870
and verified that it did not initially have permissions

199
00:11:18.870 --> 00:11:21.000
to run administrative commands

200
00:11:21.000 --> 00:11:24.420
as it was not included in this sudoers file.

201
00:11:24.420 --> 00:11:27.330
By adding the user to the sudoers file

202
00:11:27.330 --> 00:11:30.480
with specific permissions for apt update

203
00:11:30.480 --> 00:11:33.030
and apt install htop,

204
00:11:33.030 --> 00:11:36.480
we controlled their access to only these commands.

205
00:11:36.480 --> 00:11:39.240
Then, switching to the user account,

206
00:11:39.240 --> 00:11:41.790
we confirmed that the user could now perform

207
00:11:41.790 --> 00:11:43.710
those administrative tasks,

208
00:11:43.710 --> 00:11:46.950
but nothing beyond what was explicitly allowed.

209
00:11:46.950 --> 00:11:50.130
Remember, we did not explicitly give permission

210
00:11:50.130 --> 00:11:51.780
to remove the package.

211
00:11:51.780 --> 00:11:54.330
So when we tried, it failed.

212
00:11:54.330 --> 00:11:57.960
This setup exemplifies Privileged Access Management

213
00:11:57.960 --> 00:12:01.530
as it restricted and managed elevated access,

214
00:12:01.530 --> 00:12:06.120
ensuring the user could only execute the specified commands

215
00:12:06.120 --> 00:12:08.970
necessary for their role.

216
00:12:08.970 --> 00:12:13.950
So remember, access control is a security measure

217
00:12:13.950 --> 00:12:18.000
that manages who can access specific resources

218
00:12:18.000 --> 00:12:22.590
within a system based on policies and user roles.

219
00:12:22.590 --> 00:12:26.550
It includes methods like Single Sign-On, Kerberos,

220
00:12:26.550 --> 00:12:28.920
and Privileged Access Management,

221
00:12:28.920 --> 00:12:33.060
each serving a unique purpose in securing access.

222
00:12:33.060 --> 00:12:36.960
Single Sign-On simplifies user authentication

223
00:12:36.960 --> 00:12:40.170
by allowing access to multiple services

224
00:12:40.170 --> 00:12:42.600
with one set of credentials.

225
00:12:42.600 --> 00:12:46.650
Next, Kerberos provides secure authentication

226
00:12:46.650 --> 00:12:50.910
using a ticket-based system that verifies identities

227
00:12:50.910 --> 00:12:55.350
without sending plain text passwords across the network.

228
00:12:55.350 --> 00:12:58.290
Finally, Privileged Access Management

229
00:12:58.290 --> 00:13:02.040
controls elevated access to sensitive systems,

230
00:13:02.040 --> 00:13:05.250
granting privileges only when necessary,

231
00:13:05.250 --> 00:13:07.380
and continuously monitoring

232
00:13:07.380 --> 00:13:09.810
for unauthorized activity,

233
00:13:09.810 --> 00:13:14.610
like a series of failed logins or a not secure password

234
00:13:14.610 --> 00:13:17.583
to protect against security threats.

