PBQ ACTIVITY

Analyze Access Control Models & Best Practices

A recent IT security audit has revealed multiple vulnerabilities. As the new IT Security Lead, configure the PAM application correctly using Privileged Credential Requirements.

Scenario

A recent IT security audit at a security corporation has revealed a long list of concerns that put multiple systems and applications at high risk. For example, system administrators are using shared credentials, recording them on a spreadsheet, and storing them on an open company shared drive. The passwords for these credentials and other administrator accounts have not been rotated for almost 200 days. In addition, the IT department set up administrator accounts for smart card access.

As the new IT security lead, you must incorporate a security policy or procedure to manage privileged accounts and further secure administrative access to servers and applications. You may use the internal Privileged Access Management (PAM) application to store and automatically manage privileged accounts on a password rotation schedule. The PAM application has specific safes that individual users can access (for personal admin accounts) or groups can access (for shared privileged accounts). PAM platforms provide mechanisms to manage privileged accounts based on the interactions between the specific platform and the individual accounts. Review the company policies and requirements to determine how to proceed.

Privileged Credential Requirements:

  • Use Role-based Access Control (RBAC).
  • Use service accounts for automated tasks.
  • Monitor access to service account credentials.
  • Use Two-Factor Authentication (2FA) for remote administrative access.
  • Use push notification if 2FA fails.
  • Expire accounts whose password has not changed for 60 days or more.

Service Accounts:

  • pamsvc – domain account for managing the PAM assets and services
  • virtualsvc – domain account for managing VMware vCenter assets and services
  • autosvc – domain account for managing automation applications and tasks

Group Accounts:

  • VMware Administrators
  • Automation Administrators
  • Windows Administrators
  • PAM Administrators

Administrator Accounts:

  • admjohnbenson – John Benson, IT Security Lead (personal admin account)
  • admbobsmith – Bob Smith, VMware Administrator

Based on the scenario, use the dropdown selectors and write-in fields to manage and add accounts to the PAM application, then use the checkboxes to specify administrator authentication methods for the remote servers.

  • ACCOUNT 1: Add admjohnbenson (administrator account) to the PAM platform:
  • ACCOUNT 2: Add the VMware service account to the PAM platform:
  • ACCOUNT 3: Add the automation service account to the PAM platform:

POLICY: PAM Policy & Authentication Settings

  • The PAM application must change a managed account's password every:
  • Administrators will use which of the following when authenticating to a remote server:
  • What other method would provide user authentication if 2FA does not work?