[00:00:01] Users and groups. A lot of our access control systems rely upon the concepts of subjects and objects. Now, subjects can be users, those people. But objects can be things like files and folders and devices, but they can also be devices, computers, and even groups of users. And each of those can have different permission levels granted to them. Now, computers can have multiple users and multiple groups. A group can have lots of different users inside of it, but a group can also contain other groups. So, for instance, we might have the IT department and then have subgroups under the IT department of administrators and power users, right? Going back to our role-based access control, we always want to assign users to groups and then assign the permissions to those groups. It's a lot easier to put somebody into a group and get them all the permissions they need when they get hired. It's also easier to take somebody out of a group and remove all the permissions at once if you're using groups using that role-based access.

[00:00:54] Now, here you have an example of ADUC. ADUC is Active Directory Users and Computers. This is a program inside of Windows where you can explore all the users, the groups, and the computers. And you can see here all the lists of the users on this particular system. Now, as we go through, I want you to remember that there are two different ways that you can create a user. So, if you are a brand new person at our organization and we need to create you an account, we can do it one of two ways. The first way is to right-click an empty space in the Users folder of ADUC and select Create New User. This is using the graphical user interface. Now, the second way is to create a new user within the organizational unit within Active Directory. Each organizational unit is made to mimic a department within a company. If you're a small organization, you're going to do it the first way. If you're a really large organization, you're going to be using organizational units for each department or branch and then having your users added there. So, which one you're going to use depends on how big your organization is.

[00:01:51] Now, when you look at ADUC as you see in the example here, you can see there are two organizational units. The first one is called Org1 and the other one is called testersunit. In your company, you may have one for sales, another one for HR, another one for IT, you get the idea. Organizational units match up to large departments. Now, when we talk about that, we also have to think about the concept of permissions for these users that we're creating, right? And that's known as user rights. User rights are basically whatever permissions you give to a particular user. This includes more than just file access, though, because it can be things like login hours, when your account's going to expire, how often you have to change your password, what devices they can log in to, what printers they can use, and all sorts of those types of things. This all falls into this user-rights bucket.

[00:02:35] Now, when I look at a user, for instance, here's one called Bob. And you can see in this example that Bob has a login name of bob.smith, up there towards the top of the screen. Now, you can see his name is Bob Smith and you can see his account is unlocked. This is a local user account on a Windows 10 system. If I was on a domain, I would have a lot more options that I could do with Bob. Now, let's go ahead and look at one of those. One of those would be something like login hours. So, here I can configure for Bob when he can log in to our domain. Here, you can see I have it set up that between nine to five, Monday through Friday, he can log in. So, if Bob comes to the office on Saturday at 3:00 a.m., guess what, he can't log in to the network. And that's okay, because we want to force Bob to be there during working hours so everybody else can see what Bob's doing and make sure he's not stealing from us, right? By preventing Bob from being able to come in at 3:00 a.m., it prevents him from coming in, downloading the entire shared drive, and walking out the front door and giving it to your competitor. Now again, I know I'm being kind of mean and sarcastic and being pessimistic about people, but if you've ever been in security for a long time, you'll see all this type of stuff happen. So, you want to start limiting when people can log in and make sure it matches up to normal business hours when you would have other people in the office, 'cause people who come in on their own usually are the ones you have to watch closely.

[00:03:47] Now, the next thing we have is we take all these users, we want to collect them together, and we collect them into what's called a group. Groups are simply a collection of users based on common attributes. Normally, we're going to group them together into work roles. This way, we can say, okay, all the admins go together, all the receptionists go together, all the salespeople go together. And I set permissions based on those groups. Now, as we look at groups, you can see here that Bob is a member of a couple of groups. I have him inside of the Users group, the Accounting group, the Backup Operators group, and the Remote Desktop Users group, and each of those gives him different permissions. As a user, he has access to log in to the domain, maybe. As accounting, he has access to get into our financial systems. As a backup operator, he can back up his financial system to our tape backup system. And as a remote desktop user, he can log in from home during his login hours, because maybe Bob was given permission to work at home. All of these things are going to be set based on the permissions of those groups, and they're cumulative. So, whichever one gives them permission out of those groups is the permission he's going to be able to use.

[00:04:46] Now, as we look at this, you can also see how groups are used for file and folder permissions. So, here I have the Accounting folder on the shared drive. And when you look at the permissions here, you can see that only members of Administrators or Accounting have access. Now, Bob was part of the Accounting group, right? So, he's going to be able to get access to this folder. But Susan down in sales, she won't have access to this folder because she's not part of accounting and she doesn't need access to that financial data. That's the idea here why we have users and groups and the permissions we set.

[00:05:13] Now, permissions in Windows can be set in multiple ways. You can have Full Control, you can have Modify, you can have Read and Execute, you can have List Folder Contents, Read, or Write. And depending on which permission you set, that determines what actions that user is going to be able to do. Now, when we look at our permissions, they're usually broken down in Linux into three categories: read, write, and execute. They're much simpler than what you saw there in Windows. Now, when we look at this, though, we actually have these assigned to our owners, our groups, and all users. And for some reason, owners is called U, groups is called G, and all users is symbolized by either O or A. Why are owners called U? Because, really, think about it, as in user, right? So, users, groups, and all users, that's the idea here.

[00:05:55] Now, as we consider permissions in Linux, there's a program you have to be familiar with and it's called Change Mod, chmod. This is a program in Linux that's used to change the permissions or rights of a file or folder by using a shorthand numbering system. And for the Security+ exam, you do want to be aware of this shorthand numbering system. So, we're going to cover it right now. Basically, it comes down to three numbers. If you have read permissions, you're a four. If you have write permissions, you're a two. And if you have execute permissions, you're a one. But just like Windows, you can combine these permissions. So, if I combined read and write, I would get six. If I had read, write, and execute, I'd have a seven. Now, how do I use these digits? Well, it looks something like this: chmod 760 filename. And that would be giving the 760 permissions to the filename. The seven is what the owner can do, and they can read, write, or execute. The six is what the group can do, 'cause it's the second position; they can read and write. And then the third piece is the zero, which is for all users, in this case, no access. And so, based on those numbers there in the chmod, I'm assigning those permissions to that filename. So, if I ever see 777 in Linux, what that tells you is that the person has read, write, and execute, both the owner, the group, and all users, because the seven is in all three positions. So, you can see how this chmod and this numbering system works. For the exam, you're probably going to see a question that gives you something with a chmod command, and you'll have to be able to figure out what permissions each person has. So, keep that in mind, as well.

[00:07:22] Now, another thing you need to worry about with users and groups permissions is called privilege creep. This occurs when a user gets additional permissions over time as they rotate through different positions or roles. So, I talked about in the last lesson how job rotation was good. And if I took you from sales to marketing, what would happen? The IT group would take you and add you into the marketing distributions, right? And the marketing permissions. But the problem with that is if they forget to take you out of the sales group, you now still have the sales permissions and the marketing permissions. And then, if you went and did a tour inside the HR field, now you're going to have all three of those. And if somebody's been with the organization for many years, often you'll see that they have all of these different permissions because they've crept up over time. Now, you always want to be checking people's permissions to make sure that privilege creep isn't happening, because privilege creep is going to violate all of the good principles of the least privilege concepts that we've talked about.

[00:08:12] Now, to do this, we use a thing called user-access recertification. This is a process where each user's rights and permissions are revalidated to ensure that they're correct. This may be done annually, once a year, or it may be done whenever they switch permissions. Or it may be done anytime they ask for new permissions to be added. So, for example, if I moved Jim from accounting over to HR, well, at that point, we want to take away his permissions from accounting and add HR. At the same time, we would go back and look and say, hey, what else does Jim have access to, and does he need access for all of that? It's really important to always check these permissions because, over time, they do end up just getting added and added and added, and people forget to take them away. Now, there are three times in every employee's career where their permissions tend to either get added or taken away. Usually, it's when they're hired, when they're fired, or when they're promoted. So, any of those three things should automatically trigger a user-access recertification to make sure that they have the right permissions and they don't have excessive permissions. Remember, least permission and least privilege is the name of the game here.
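The chmod shorthand the lesson walks through (4 = read, 2 = write, 1 = execute, one digit each for owner, group and all users), worked as an added example that is not part of the lesson transcript: it decodes a mode such as 760 into the per-class permissions an exam question asks for, flags world-writable modes such as 777, and confirms the decoding by applying the mode to a constructed temporary file and reading it back. Function names are my own.

```python
import os
import stat
import tempfile

# Octal digit -> permission bits, as in the lesson: read = 4, write = 2, execute = 1
BITS = (("r", 4), ("w", 2), ("x", 1))


def decode_mode(mode: str) -> dict:
    """Decode a three-digit chmod mode such as '760' into per-class rwx strings.

    Position 1 is the owner (u), position 2 the group (g), position 3 all other users.
    """
    if len(mode) != 3 or any(d not in "01234567" for d in mode):
        raise ValueError(f"expected three octal digits, got {mode!r}")
    result = {}
    for who, digit in zip(("owner", "group", "others"), mode):
        n = int(digit)
        # Each digit is the sum of the bits it contains, so test each bit in turn.
        result[who] = "".join(ch if n & bit else "-" for ch, bit in BITS)
    return result


def describe_mode(mode: str) -> str:
    """Render the mode the way 'ls -l' shows it, e.g. '760' -> 'rwxrw----'."""
    return "".join(decode_mode(mode).values())


def is_world_writable(mode: str) -> bool:
    """True when the 'others' digit includes write: 777 and 666 are flagged."""
    return "w" in decode_mode(mode)["others"]


def apply_and_readback(mode: str) -> str:
    """Apply the mode to a constructed temporary file and read it back via stat.

    Returns the octal permission string the kernel reports, e.g. '760'.
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, int(mode, 8))
        return format(stat.S_IMODE(os.stat(path).st_mode), "o").zfill(3)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for m in ("760", "777", "640"):
        flag = "world-writable" if is_world_writable(m) else ""
        print(m, describe_mode(m), flag)
    print("read back from disk:", apply_and_readback("760"))
```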
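The privilege creep scenario (sales to marketing to HR with the old groups never removed) and the user-access recertification that catches it, as an added example that is not part of the lesson transcript: the role-to-group mapping and the membership export are constructed for this example, and the function names are my own.

```python
import csv
import io

# Role-to-group mapping: constructed for this example, not from the lesson's screenshots.
ROLE_GROUPS = {
    "sales": {"Domain Users", "Sales", "CRM Users"},
    "marketing": {"Domain Users", "Marketing", "Marketing Distribution"},
    "hr": {"Domain Users", "HR", "Payroll Readers"},
    "accounting": {"Domain Users", "Accounting", "Backup Operators"},
}


def rotate_role(memberships, old_role, new_role, forget_to_remove=False):
    # Correct handling drops the old role's groups before adding the new ones;
    # forget_to_remove=True keeps them, which is exactly how privilege creep starts.
    memberships = set(memberships)
    if old_role is not None and not forget_to_remove:
        memberships -= ROLE_GROUPS[old_role]
    return memberships | ROLE_GROUPS[new_role]


def recertify(memberships, current_role):
    # Returns (excess, missing): excess groups are the creep to remove.
    expected = ROLE_GROUPS[current_role]
    return set(memberships) - expected, expected - set(memberships)


# Constructed membership export, one 'user,current_role,group' line per membership.
SAMPLE_EXPORT = """\
user,current_role,group
jim,hr,Domain Users
jim,hr,HR
jim,hr,Payroll Readers
jim,hr,Accounting
jim,hr,Backup Operators
susan,sales,Domain Users
susan,sales,Sales
"""


def recertify_export(export_text):
    # Run recertification for every user in the export: {user: (excess, missing)}.
    groups, roles = {}, {}
    for row in csv.DictReader(io.StringIO(export_text)):
        groups.setdefault(row["user"], set()).add(row["group"])
        roles[row["user"]] = row["current_role"]
    return {u: recertify(g, roles[u]) for u, g in groups.items()}


if __name__ == "__main__":
    # Sales -> marketing -> HR, with IT forgetting to remove the old groups each time.
    g = rotate_role(set(), None, "sales")
    g = rotate_role(g, "sales", "marketing", forget_to_remove=True)
    g = rotate_role(g, "marketing", "hr", forget_to_remove=True)
    print("excess after rotations:", sorted(recertify(g, "hr")[0]))
    for user, (excess, missing) in recertify_export(SAMPLE_EXPORT).items():
        print(user, "excess:", sorted(excess), "missing:", sorted(missing))
```

Jim's row set reproduces the lesson's example of a move from accounting to HR where the accounting groups were never removed; Susan shows the other recertification outcome, a group her role needs but she lacks.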