Account Restrictions
- Policy-based restrictions can be used to mitigate some risks of account compromise through the theft of credentials

Location-Based Policies
- A user or device can have a logical network location, identified by an IP address, subnet, virtual LAN (VLAN), or organizational unit (OU)
  - can be used as an account restriction mechanism
- geographical location of a user or device can be calculated using a geolocation mechanism:
  - IP address
    - can be associated with a map location to varying degrees of accuracy based on information published by the registrant
      - including name, country, region, and city
    - registrant is usually the Internet service provider (ISP)
    - information you receive will provide an approximate location of a host based on the ISP
      - with a large ISP, it is more difficult to pinpoint the location of the host
    - software libraries, such as GeoIP, facilitate querying this data
  - Location services
    - methods used by the OS to calculate the device's geographical position
    - device with a GPS sensor can report a highly accurate location when outdoors
    - where GPS is not supported
      - location services can triangulate to cell towers, Wi-Fi hotspots, and Bluetooth signals

Time-based Restrictions
- four main types of time-based policies:
  - time-of-day restrictions policy
    - establishes authorized login hours for an account
  - duration-based login policy
    - establishes the maximum amount of time an account may be logged in for
  - impossible travel time/risky login policy
    - tracks the location of login events over time
    - if the sequence of logins does not meet a plausibility threshold, the account will be disabled
    - e.g., user logs in to an account from a device in New York City
      - a couple of hours later, a login attempt is made from Los Angeles
      - the attempt is refused and an alert is raised because it is not feasible for the user to be in both locations
  - temporary permissions policy
    - removes an account from a security role or group after a defined period
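The impossible-travel check described above, as an added example (not code from the original notes): each login's geolocated position is compared with the user's last accepted login, and the speed the user would have needed is checked against an assumed 900 km/h threshold. The login events, coordinates and threshold are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed policy threshold: nothing legitimate outpaces an airliner, so a
# higher required speed is treated as impossible travel.
MAX_SPEED_KMH = 900.0

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime  # timezone-aware UTC timestamp of the login event
    lat: float      # geolocated position, e.g. from an IP-to-location lookup
    lon: float
    city: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def required_speed_kmh(prev, cur):
    """Speed needed to get from prev to cur; inf if the clock did not advance."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def evaluate(logins, max_speed=MAX_SPEED_KMH):
    """Check logins in time order; return [(login, speed_kmh, verdict)]. Only
    accepted logins become the reference point, so a refused attempt cannot
    'move' the user to a new location."""
    last_accepted, verdicts = {}, []
    for lg in sorted(logins, key=lambda l: l.when):
        prev = last_accepted.get(lg.user)
        speed = 0.0 if prev is None else required_speed_kmh(prev, lg)
        verdict = "deny_and_alert" if speed > max_speed else "allow"
        if verdict == "allow":
            last_accepted[lg.user] = lg
        verdicts.append((lg, speed, verdict))
    return verdicts

# Constructed sample: NYC, Los Angeles two hours later (the scenario in the
# notes), then Philadelphia three hours after the NYC login.
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("alice", T0, 40.7128, -74.0060, "New York City"),
    Login("alice", T0.replace(hour=11), 34.0522, -118.2437, "Los Angeles"),
    Login("alice", T0.replace(hour=12), 39.9526, -75.1652, "Philadelphia"),
]
```

Running `evaluate(SAMPLE_LOGINS)` allows the New York login, refuses the Los Angeles attempt (roughly 3,900 km in two hours) and allows Philadelphia, which is measured against New York rather than the refused Los Angeles attempt.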