An organization’s authentication servers are some of the most important services on the network. In this video, you’ll learn about TACACS and RADIUS misconfigurations, domain configurations, default passwords, and backdoors.
One common method of centralizing authentication is using a TACACS server or RADIUS server. And that’s because there are so many different places where people can log in. They can log into their domain login on their workstation. They could log in through VPN.
You might need to log into routers and firewalls as part of your job to be able to administer those devices. And you can centralize all of those logins with a single username and a single password by taking advantage of these TACACS and RADIUS authentication servers.
In reality, there’s probably a single database that’s used to administer all the usernames and passwords. And you’re using TACACS and RADIUS as the front end process to allow this authentication process to occur. This is something that’s either going to work, or it’s not going to work.
Once you set this up for the first time, you’ll be able to perform a sample authentication. And at that point, the process generally is going to operate just fine. If you are having problems, though, there are usually logs available to tell you why this process is not occurring and where the problem is happening.
If you’re trying to set up this centralized authentication, some of the problems you might run into are things like having the incorrect address for the database. If you don’t have the IP address configured properly, you’re obviously not going to be able to authenticate to that device.
Or you might have locked credentials or expired credentials. Because you have to be able to access this database using one centralized set of credentials. And if you’re using the wrong credentials, you’ll never be able to authenticate anybody against that database. And there might be some type of network filtering between your authentication server and the database that’s on the back end.
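The three failure causes just listed can be triaged from the authentication server's side before anyone opens a packet capture. The following is an added example, not code from the video or from any TACACS or RADIUS product; the backend settings are a constructed, hypothetical record, and it distinguishes a refused connection (service down or wrong port) from a silent timeout (likely filtering between the servers).

```python
import ipaddress
import socket
from datetime import date

# Constructed sample of the backend settings an authentication server would hold
# for its central user database (hypothetical field names, not a real product's config).
SAMPLE_BACKEND = {
    "address": "10.0.0.5",            # where the directory/database lives
    "port": 636,                      # LDAPS, as an example
    "bind_user": "svc-radius",        # the one centralized service credential
    "locked": False,
    "password_expires": "2030-01-01", # ISO date; strings compare correctly
}

def check_backend(cfg, today=None, timeout=2.0):
    """Return a list of findings explaining why authentication would fail.

    Covers the three causes from the transcript: a wrong backend address,
    locked or expired service credentials, and filtering between the
    authentication server and its database.
    """
    today = today or date.today().isoformat()
    findings = []
    # 1. Is the configured address a valid IP, or at least a resolvable name?
    try:
        ipaddress.ip_address(cfg["address"])
    except ValueError:
        try:
            socket.gethostbyname(cfg["address"])
        except socket.gaierror:
            findings.append("backend address does not resolve: check the configured address")
            return findings  # nothing further can be tested
    # 2. Are the service credentials usable at all?
    if cfg.get("locked"):
        findings.append(f"service account {cfg['bind_user']} is locked")
    if cfg["password_expires"] <= today:
        findings.append(f"service account {cfg['bind_user']} password expired on {cfg['password_expires']}")
    # 3. Can the backend port be reached? A refusal and a silent drop point at different problems.
    try:
        with socket.create_connection((cfg["address"], cfg["port"]), timeout=timeout):
            pass
    except ConnectionRefusedError:
        findings.append("backend port refused the connection: service down or wrong port")
    except OSError:
        findings.append("no answer from backend port: likely a firewall or ACL between the servers")
    return findings
```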
It’s very common on our modern networks to assign users to particular groups and then assign rights and access to the group itself. That way, you can add and remove people to the group. And that will affect what type of access they have to different resources on the network.
Because this network access is often tied to a group, there’s usually a formal process around adding or removing somebody from these centralized groups. There’s usually a change control process or some type of tracking in place so that you know exactly who was added to a group and when that particular addition was made.
There may also be limitations on adding or removing so that it has to go through only certain users. And only those users can make changes to those group databases. This is also often part of the on-boarding or off-boarding process. When somebody arrives and they are part of the accounting department, they may be added to a default set of accounting groups. And when a person leaves the organization, they are automatically removed from having access to any of those groups.
It’s also important to perform periodic audits of the members that might be in these groups to make sure that it’s only the people who are authorized to be in those groups. I’ve gone through these audits myself. And we will occasionally find somebody who’s been added to the administrator group who really should not be there.
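The periodic audit described above can be reduced to comparing the live group membership against the approved roster, the change-control tickets, and the off-boarding list. This is an added example, not code from the video; the group names, usernames and ticket records are constructed sample data, and the check flags a leaver still present, a removal ticket that was never applied, and a member with no roster entry or ticket at all.

```python
# Constructed sample inputs (not from any real directory): live membership of
# each group, the approved roster, the change-control log, and recent leavers.
CURRENT_MEMBERS = {
    "Domain Admins": {"alice", "bob", "mallory"},
    "Accounting": {"carol", "dave", "erin"},
}
APPROVED_ROSTER = {
    "Domain Admins": {"alice", "bob"},
    "Accounting": {"carol", "dave"},
}
# Each ticket records an authorized add or remove for one user in one group.
CHANGE_LOG = [
    {"ticket": "CHG-1001", "group": "Accounting", "user": "erin", "action": "add"},
    {"ticket": "CHG-1002", "group": "Domain Admins", "user": "bob", "action": "remove"},
]
OFFBOARDED = {"dave"}

def audit_groups(current, roster, change_log, offboarded):
    """Return (group, user, reason) findings for every member who should not be there."""
    added_by_ticket = {(c["group"], c["user"]) for c in change_log if c["action"] == "add"}
    removed_by_ticket = {(c["group"], c["user"]) for c in change_log if c["action"] == "remove"}
    findings = []
    for group, members in sorted(current.items()):
        for user in sorted(members):
            if user in offboarded:
                findings.append((group, user, "off-boarded user still a member"))
            elif (group, user) in removed_by_ticket:
                findings.append((group, user, "removal ticket not applied"))
            elif user not in roster.get(group, set()) and (group, user) not in added_by_ticket:
                findings.append((group, user, "no roster entry or change ticket"))
    return findings

if __name__ == "__main__":
    for group, user, reason in audit_groups(CURRENT_MEMBERS, APPROVED_ROSTER, CHANGE_LOG, OFFBOARDED):
        print(f"{group}: {user}: {reason}")
```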
You also have to be careful that people are not able to authenticate with the default username and password. These devices that we’re connecting to our networks, whether they’re servers or routers or firewalls or switches, all have a default username and a default password. We want to be sure to change those defaults as soon as they are installed into the network.
You don’t want to have a system running a default configuration when it’s running in production. This is exactly what happened in 2014 with a test server at healthcare.gov. A machine was deployed. And it had the default username and default password. And it did not take long for the people on the internet to find that device and gain access to that test server.
This is not just a concern at work when you have IT professionals who are able to change these defaults. It’s also a concern for your devices at home. Your home routers and switches also have default logins. So you want to be sure that those are all changed and that nobody can access them with the defaults.
Occasionally, you’ll find a device that has a back door. A back door means that you can access this device, but not with the normal authentication process. And sometimes there’s no authentication at all. By performing a particular function against a device, you’re able to gain access to everything that’s in that particular service.
This can be placed on your computers by downloading malware. That’s one of the first things that malware does, is open a back door to your computer. And now other devices on the internet can access your device and install even more software on your computer.
Some devices might include a back door as part of their operating systems. This is obviously not something that you want to have happen. Very old Linux kernels had a back door inside of them. Sometimes applications will include a back door because the developers have added one.
And interestingly enough, in 2014 they found that Linksys and Netgear DSL modems had an administrative back door that could also be accessed over the internet. You want to always keep your applications and operating systems up to date. Because very often, they’re closing some of these doors that would allow someone in without any type of authentication.