Page 981 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

headers.

When the user logs on from the device, the authentication system checks the user account for a registered device. It then compares the characteristics of the device the user is logging on from against those recorded for the registered device. Even though some of these characteristics change over time, this has proven to be a successful device authentication method. Organizations typically use third-party tools, such as the SecureAuth Identity Provider (IdP), for device authentication.
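The comparison step described above, as an added example that is not code from the study guide or from any vendor's product: a user record holds the profiles of the devices registered to that user, and a weighted score decides whether the device presenting itself at logon is one of them. The attribute names, the weights, the two thresholds and the sample profiles are all assumptions constructed for illustration. Characteristics that legitimately change over time (browser version, network location) carry less weight, and a profile is refreshed after a successful match so that routine drift does not slowly erode the score.

```python
"""Device authentication by comparing the characteristics a device presents at
logon with the profiles registered for the user. Added example, not the study
guide's code or any product's implementation. Attribute names, weights and
thresholds are assumptions chosen for illustration."""

from dataclasses import dataclass, field

# How strongly each characteristic identifies a device. Attributes that change
# legitimately over time carry less weight, so routine drift lowers the score
# without denying the user outright.
WEIGHTS = {
    "os": 3,
    "browser_family": 2,
    "browser_version": 1,   # bumps with every browser update
    "screen": 2,
    "timezone": 1,
    "language": 1,
    "plugins_hash": 2,      # hash of the installed plugin/font list
    "ip_prefix": 1,         # changes when the user roams
}
TOTAL_WEIGHT = sum(WEIGHTS.values())   # 13
ACCEPT = 0.80    # treat as the registered device
STEP_UP = 0.55   # plausible but drifted: require a second factor


@dataclass
class UserRecord:
    username: str
    devices: list = field(default_factory=list)   # registered device profiles


def similarity(registered: dict, observed: dict) -> float:
    """Weighted fraction of characteristics that match the registered profile."""
    matched = sum(w for k, w in WEIGHTS.items()
                  if k in registered and registered[k] == observed.get(k))
    return matched / TOTAL_WEIGHT


def authenticate_device(user: UserRecord, observed: dict) -> tuple:
    """Return (decision, score). Decisions: accept, step-up, deny, enroll."""
    if not user.devices:
        # No registered device: the password alone is not enough to trust
        # this device, so the caller should step up and enroll it on success.
        return "enroll", 0.0
    best = max(user.devices, key=lambda d: similarity(d, observed))
    score = similarity(best, observed)
    if score >= ACCEPT:
        # Absorb legitimate drift: refresh the registered profile so the
        # next browser update does not keep lowering the score.
        best.update({k: observed[k] for k in WEIGHTS if k in observed})
        return "accept", score
    if score >= STEP_UP:
        return "step-up", score
    return "deny", score


# Constructed sample data, not captured from a real system.
alice = UserRecord("alice", [{
    "os": "Windows 11", "browser_family": "Chrome", "browser_version": "118",
    "screen": "2560x1440", "timezone": "America/Denver", "language": "en-US",
    "plugins_hash": "7f3a9c", "ip_prefix": "203.0.113",
}])

# The same laptop after a browser update, logging on from a coffee shop.
updated_laptop = dict(alice.devices[0], browser_version="119", ip_prefix="198.51.100")

# Someone replaying alice's password from a different machine.
stranger = {
    "os": "Linux", "browser_family": "Firefox", "browser_version": "119",
    "screen": "1920x1080", "timezone": "Europe/Kyiv", "language": "en-US",
    "plugins_hash": "0b1d22", "ip_prefix": "192.0.2",
}

if __name__ == "__main__":
    for label, obs in [("updated laptop", updated_laptop), ("stranger", stranger)]:
        print(label, authenticate_device(alice, obs))
```

The thresholds are the policy knob: a score between them means the device looks like the registered one but has drifted too far to trust on its own, which is exactly where a second factor (rather than a flat denial) keeps legitimate users moving while a credential replay from an unknown machine still fails.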

As mentioned previously, many MDM systems use context-aware authentication methods to identify devices. They typically work with network access control (NAC) systems to check the health of the device (for example, whether it runs a supported operating system with current patches, disk encryption, and active endpoint protection) and grant or restrict access based on requirements configured within the NAC system.

802.1X is another method used for device authentication. It provides port-based authentication on switches, wireless access points, and some routers: the device (the supplicant) presents its credentials to the network device (the authenticator), which relays them to an authentication server, typically over RADIUS, and the port passes only authentication traffic until that exchange succeeds. Additionally, it is often used with wireless systems, forcing users to log on with an account before being granted access to a network. More recently, some 802.1X solutions have been implemented with MDM and/or NAC solutions to control access from mobile devices. If the device or the user cannot authenticate through the 802.1X system, they are not granted access to the network.
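The supplicant side of the exchange just described, as an added example that is not from the study guide: a wpa_supplicant configuration for a wired interface that authenticates the device with an EAP-TLS machine certificate rather than a user's password, so the port opens only for a device holding a certificate issued by the organization's CA. The identity, file paths, and CA name are assumptions.

```ini
# /etc/wpa_supplicant/wpa_supplicant-wired.conf (paths and names assumed)
# Run with: wpa_supplicant -Dwired -ieth0 -c /etc/wpa_supplicant/wpa_supplicant-wired.conf
ctrl_interface=/run/wpa_supplicant
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TLS
    # Device identity, not a user: the certificate is issued to the machine.
    identity="laptop-0042@corp.example"
    # The supplicant verifies the authentication server's certificate against
    # this CA before offering its own, so it will not authenticate to a rogue
    # switch or access point that merely speaks 802.1X.
    ca_cert="/etc/ssl/certs/corp-issuing-ca.pem"
    client_cert="/etc/pki/device/laptop-0042.crt"
    private_key="/etc/pki/device/laptop-0042.key"
    # No dynamic WEP keys on a wired port.
    eapol_flags=0
}
```

The `ca_cert` line is the check a practitioner should not skip: without it the supplicant accepts any server certificate, and an attacker with a rogue authenticator can complete the TLS handshake and learn the device's identity. Pairing this device-level proof with a user logon or a NAC posture check is what the MDM and NAC integrations mentioned above add on top.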


Service Authentication


Many services also require authentication, and they typically use a username and password. A service account is simply a user account that is created for a service instead of a person.

As an example, it's common to create a service account for third-party tools that monitor email in Microsoft Exchange Server. These tools typically need permission to scan all mailboxes looking for spam, malware, potential data exfiltration attempts, and more. Administrators typically create a Microsoft domain account and grant it the privileges needed to perform those tasks, and no more: an account that can read every mailbox is a high-value target if its credentials leak, so its rights should be scoped to the mailboxes and operations the tool actually requires.

               It’s common to set the properties of the account so that the password
               never expires. For a regular user, you’d set the maximum age to