21 Cards in this Set

A computer network authentication protocol that allows hosts to prove their identity over a non-secure network in a secure manner. It can also provide mutual authentication, so the server and the user verify each other's identity.
Kerberos
Maintains a database of secret keys.
KDC
What is Kerberos?
It is a secure protocol that supports ticket-based authentication. Its security and authentication are based on secret key technology, and every time a host logs onto the network, the KDC (part of the DC) issues it a secret key.
How does Kerberos work?
When a user logs into a network resource using Kerberos, the client transmits the username to the authentication server (AS) along with the SPN of the service the user wants to connect to, such as a SQL server.
What must the clients and Kerberos have in common to ensure security and authentication?
They must both have the same time.
Restricts which services are allowed to delegate user credentials by specifying, for each application pool or service, the services to which a Kerberos ticket can be forwarded.
Constrained Delegation
The name by which a client uniquely identifies an instance of a service.
SPN
What does the SPN consist of?
Service class, host name, and port.
How do you establish an SPN for https://portal.contoso.com on port 443?
setspn -S HTTP/portal.contoso.com:443 <service account>
(<service account> is the account the application pool or service runs under; setspn requires it as the final argument.)

The service class is HTTP (it covers both https and http).
SPNs are associated with what?
With application pools and services, not the server.
Allows a Kerberos ticket to be created for another service on the originating user's behalf.
Kerberos Delegation
An account under which an operating system, process, or service runs. It can give the application or service the specific rights and permissions it needs to function properly while minimizing the permissions required for others using the application server.
Service Account

A standard user account, created with the AD Users and Computers console.
What is the difference between a Service Account and a User Account?
With traditional user accounts, we specify how often the password gets changed. With service accounts there is no interactive login prompting a change of password, so we configure the password not to expire, which unfortunately makes it vulnerable.
How do I reduce the risk of service accounts?
1. Require a unique account to run the service on each server.
2. If possible, set up the account as a local account rather than a global domain account.
3. Use a strong password for the service account.
4. Make sure the password changes often, and that you also change it in the Services console at the same time.
5. Give the account the least amount of access rights, NTFS permissions, and share permissions.
6. Do not share the password, and store the password in a safe location.
Enables automatic password management and SPN management every 30 days; inherits characteristics of both the user and computer classes. This lets it fulfill user-like functions such as providing authentication and a security context, while still automatically updating its password.
MSA
To create and manage MSAs, what are the requirements?
.NET Framework 3.5
Server 2008 R2 and up
Active Directory module for PowerShell
What cmdlet must be run before I can create an MSA?
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
How can you create an MSA and associate it with a computer?
1. Create an Active Directory service account:
New-ADServiceAccount -Name Web1 -DNSHostName mydc.domain.com -PassThru

2. Associate the MSA with a computer account in the AD DS domain:
Add-ADComputerServiceAccount -Identity Com1 -ServiceAccount Web1 -PassThru

3. Install the MSA on a host computer in the domain, which makes the MSA available for use by services on that computer:
Install-ADServiceAccount -Identity Web1
How can I use the MSA with a service now?
Open the Services console, select a service, and type the name of the MSA followed by a $ as the log-on account.
If you move a service to another computer and you want to use the same MSA on the target system, what must you do first on the original computer?
Uninstall-ADServiceAccount -Identity Web1
When you create a new MSA, how can I specify the SPN at the same time?
New-ADServiceAccount -Name Web1 -DNSHostName mydc.domain.com -ServicePrincipalName MSSQLSvc/mydc.domain.com:####