Chapter 8: Managing the Server Through Accounts and Groups

Learning Objectives

- Work with users on setting up their accounts
- Set up account-naming guidelines
- Develop guidelines for user account policies and set up account policies
- Explain how to manage Windows NT domains
- Explain how groups are used in Windows NT Server, and create and configure group policies
- Create, copy, disable, delete, and rename user accounts
- Set up account auditing
Obtaining Input from Users

Advantages
- Secures user interest in making the installation work
- Ensures the server setup meets user needs

Key issues
- Naming conventions for user accounts
- User account policies
- Use of the server for home directories
- Use and composition of groups
- Group policies
- Hours for the server to be available
Setting Up Account-naming Conventions

Based on the account user's actual name
- e.g. "rknauerh" or "robk"
- use enough of the name to be unique (e.g. include middle initials)
- works well for e-mail as well

Based on function within the organization
- e.g. "shift1mgr" or "retail-clerk7"
- good if people often change jobs
- possible security hole: the name advertises the account's role to anyone who sees it, and because the account passes from one job holder to the next, an audit log entry for "shift1mgr" no longer identifies a single person
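The name-based convention above only works if the administrator has a fixed rule for what to do when the obvious name is already taken. The following is an added example, not code from the original chapter: it builds names in the style of the chapter's "rknauerh" and "robk", falling back to a middle initial and then a numeric suffix. The 8-character cap and the order of fallbacks are this example's own assumptions, not a Windows NT rule.

```python
"""Unique account names from a user's real name.

Added example; it is not code from the original chapter. It assumes, from the
chapter's own examples ("rknauerh", "robk"), lower-case names built from the
real name and capped at 8 characters; the cap and the fallback order below are
this example's choices, not a Windows NT rule.
"""
import re

MAX_LEN = 8  # assumed cap; Windows NT accepts longer user names


def _clean(s: str) -> str:
    """Lower-case and drop anything that is not a letter or digit
    (spaces, apostrophes, hyphens), so "O'Brien" becomes "obrien"."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def candidates(first: str, last: str, middle: str = ""):
    """Yield candidate names, most preferred first:
    1. first initial + last name            rknauerh
    2. first + middle initials + last name  rkknauer  (only if a middle name is given)
    3. first name + last initial            robk
    4. candidate 1 with a numeric suffix    rknauer2, rknauer3, ...
    """
    f, m, l = _clean(first), _clean(middle), _clean(last)
    if not f or not l:
        raise ValueError("first and last name are required")
    base = (f[0] + l)[:MAX_LEN]
    yield base
    if m:
        yield (f[0] + m[0] + l)[:MAX_LEN]
    yield (f + l[0])[:MAX_LEN]
    for n in range(2, 1000):
        suffix = str(n)
        yield base[:MAX_LEN - len(suffix)] + suffix


def make_account_name(first: str, last: str, middle: str = "", existing=()) -> str:
    """First candidate not already in `existing` (compared case-insensitively,
    as Windows NT treats account names)."""
    taken = {e.lower() for e in existing}
    for name in candidates(first, last, middle):
        if name not in taken:
            return name
    raise RuntimeError("no free name for %s %s" % (first, last))


def provision(people, existing=()):
    """Name a batch of (first, middle, last) tuples, avoiding collisions with
    existing accounts and within the batch itself. Returns {tuple: name}."""
    taken = {e.lower() for e in existing}
    assigned = {}
    for first, middle, last in people:
        name = make_account_name(first, last, middle, taken)
        assigned[(first, middle, last)] = name
        taken.add(name)
    return assigned


if __name__ == "__main__":
    staff = [("Robert", "K", "Knauerhase"), ("Rita", "", "Knauerhase"),
             ("Rob", "", "Knauerhase"), ("Dan", "", "O'Brien")]
    for person, name in provision(staff, existing={"robk"}).items():
        print("%-30s %s" % (" ".join(p for p in person if p), name))
```

Because the batch is named in order, two people with the same first initial and surname get predictable, distinct names without the administrator inventing them by hand; whatever rule is chosen, it should be written down so later accounts follow it.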
User Account Policies

The network administrator establishes general password and logon security stipulations for user accounts.
Password Security

- Only effective if used properly
- Account policy options:
  - Password expiration (maximum password age)
  - Password length (minimum number of characters)
  - Password history (how many previous passwords may not be reused)
  - Account lockout (after a set number of bad logon attempts)
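The four options above interact at logon time: a bad password counts toward lockout, a locked account refuses even the right password until the lockout period ends, and a correct but expired password gets the user in only to change it. The following is an added example, not code from the original chapter, that enforces those rules (plus the account disabling discussed later in the chapter). The numeric defaults, the in-memory Account record and the salted SHA-256 hashing are this example's own assumptions and are not how Windows NT stores or checks credentials.

```python
"""Account-policy enforcement for the four options on this slide: password
expiration (maximum age), minimum length, password history, and account
lockout, with account disabling from later in the chapter.

Added example, not code from the original chapter. The policy numbers, the
in-memory Account record and salted SHA-256 hashing are this example's own
assumptions; they are not how Windows NT stores or checks credentials.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class AccountPolicy:
    max_age_days: int = 42      # password expiration
    min_length: int = 8         # minimum password length
    history: int = 5            # previous passwords that may not be reused
    lockout_threshold: int = 3  # bad attempts before lockout; 0 = never lock
    lockout_minutes: int = 30   # how long a locked account stays locked


@dataclass
class Account:
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # password hashes, newest last
    set_at: float = 0.0        # when the current password was set (epoch seconds)
    failures: int = 0          # consecutive bad logon attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    disabled: bool = False


class PolicyError(Exception):
    """Raised when a new password violates the account policy."""


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def set_password(acct: Account, new: str, now: float, policy: AccountPolicy) -> None:
    """Enforce length and history, then make `new` the current password."""
    if len(new) < policy.min_length:
        raise PolicyError("password shorter than %d characters" % policy.min_length)
    h = _hash(new, acct.salt)
    remembered = acct.history[-policy.history:] if policy.history else []
    if any(hmac.compare_digest(h, old) for old in remembered):
        raise PolicyError("password reuses one of the last %d" % policy.history)
    acct.history.append(h)
    acct.history = acct.history[-max(policy.history, 1):]  # always keep the current one
    acct.set_at = now
    acct.failures = 0


def logon(acct: Account, password: str, now: float, policy: AccountPolicy) -> str:
    """Return 'ok', 'expired', 'locked', 'disabled' or 'bad-password'.

    Each bad attempt bumps the failure counter; reaching the threshold locks
    the account for lockout_minutes, and a good logon resets the counter.
    """
    if acct.disabled:
        return "disabled"
    if now < acct.locked_until:
        return "locked"   # even a correct password is refused while locked
    good = bool(acct.history) and hmac.compare_digest(_hash(password, acct.salt), acct.history[-1])
    if not good:
        acct.failures += 1
        if policy.lockout_threshold and acct.failures >= policy.lockout_threshold:
            acct.locked_until = now + policy.lockout_minutes * 60
            acct.failures = 0
            return "locked"
        return "bad-password"
    acct.failures = 0
    if now - acct.set_at > policy.max_age_days * 86400:
        return "expired"  # password is right, but the user must change it now
    return "ok"
```

Note that lockout is decided on the failure counter and not on the event log, so a lockout threshold of 0 (never lock) leaves password guessing limited only by what the auditing section later in the chapter lets the administrator notice.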
User Home Directories

Home directory: A dedicated location on a file server or a workstation for a specific account holder to store files.

Figure: User home directories in a small office

Figure: User home directories in a large organization
Domain Services Management

- Preserves the idea of work groupings without managing them individually
- Allows the network administrator to manage resources and users as one unit
- Saves time as the administrator sets up users, privileges, and groups
- Provides a powerful management tool
- One domain can be home to 26,000 users and 250 groups
Figure: An Example of Two Domains. Domain A and domain B share one Ethernet; each domain has its own primary domain controller and its own backup domain controller.
Domain Trust Relationships

- Trusted domain: The domain whose accounts are granted security access to resources
- Trusting domain: The domain that grants the access to its resources
- One-way trust: One domain is trusted, the other trusting; not reciprocal
- Two-way trust: Both domains are trusted and trusting
- Universal trust: Two-way trusts among more than two domains (Microsoft's documentation calls this the complete trust model)
Figure: One-way Trust. The Manufacturing domain (trusting) grants the Business domain (trusted) access to its resources: Business domain accounts are allowed access to the manufacturing servers, while Manufacturing domain accounts are prohibited from accessing the business server because the trust does not run the other way.
Figure: Two-way Trust. The Business office domain and the Production branch domain are each both trusted and trusting, so accounts in either domain can be given access to resources in the other.
Domain Management

- Single-master domain model: Management control of several domains is centralized in only one domain; works well for small organizations
- Multiple-master domain model: Management of many domains is located in two or more master domains; works well for larger organizations
Advantages of the Single-master Domain

- Accounts and resources are centrally managed
- Resources are available to all users
- One consistent security policy applies across the organization
- Groups can be tailored across organizational unit boundaries
- SAM data is easy to maintain and keep synchronized within the master domain
Advantages of the Multiple-master Domain

- Administration can be centralized or decentralized
- Thousands of users can share resources throughout the world
- Groups can be formed to span domains
- Security policies can be standardized for thousands of users and resources
Figure: Multiple-master Domain Model
Using Groups

Management of domain resources:
- By individual user: Most labor-intensive method
- By resource: Still labor-intensive
- By group: Saves time by eliminating repetitive steps in managing user and resource access
Group Management Concept

Users belong to one or more groups having the same access needs.

Types of groups in Windows NT Server:
- Local groups: Used to manage accounts and resources within a single domain or on a single server
- Global groups: Used to enable resource sharing across domains
Local Groups

- Used to help manage rights and permissions on a server within a domain
- User accounts can be members of local groups
- Permissions on domain resources can be assigned to local groups
- Global groups can belong to local groups
- Local groups can be used to make domain resources available to trusted domains
Windows NT Predefined Local Groups

Local Group         Description
Account Operators   Rights to create, delete, and manage accounts on a server or domain
Administrators      Access to all server and administrative functions
Backup Operators    Rights to back up all files on a server or within a domain
Guests              Limited access to a server or domain
Print Operators     Can manage designated print services
Replicator          A unique group for automating the replication of files, such as databases
Server Operators    Privileges to manage specific server functions
Users               Regular users on a server or domain who access server files or applications
Global Groups

- Provide access across domains by linking rights and permissions in trusting domains to groups in trusted domains
- Global groups can have domain user accounts as members but not local groups, to avoid circular group relationships
- Global groups can be members of local groups
- Global groups cannot have resources as members
Windows NT Predefined Global Groups

Global Group    Description
Domain Admins   Holds the domain's administrator accounts; enables network administrators to have administrative rights across domains (it is placed in the local Administrators group by default)
Domain Users    Holds all of the domain's user accounts; used to manage user access rights across multiple domains
Domain Guests   Holds the domain's guest accounts; enables network administrators to manage guest account access across multiple domains
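The trust and group rules of the last several slides (Domain Trust Relationships, Local Groups, Global Groups) combine into one access path: user account in its own domain, into a global group in that domain, into a local group in the resource domain, which holds the permissions. The following is an added example, not code from the original chapter, that models those rules so the direction of a one-way trust and the no-nesting rules can be checked concretely. The domain, group, server and user names are invented, and the permission model is reduced to allow/deny on a named resource.

```python
"""Cross-domain access the way this chapter's trust and group rules describe
(Domain Trust Relationships, Local Groups, Global Groups): a user account goes
into a global group in its own domain, the global group goes into a local
group in the resource domain, and permissions are granted to the local group.
A local group may take in a global group from another domain only when the
resource domain trusts that domain, and trust is one-way unless set up twice.

Added example, not code from the original chapter. The domain, group, server
and user names are invented, the "DOMAIN\\Name" spelling is borrowed from NT,
and the permission model is reduced to allow/deny on a resource.
"""


class Domains:
    """Holds trusts, groups and resource permissions for several NT domains."""

    def __init__(self):
        self.trusts = set()       # (trusting, trusted): trusting admits trusted's accounts
        self.global_groups = {}   # "DOM\\Group" -> {"DOM\\user", ...}
        self.local_groups = {}    # "DOM\\Group" -> {users and global groups}
        self.acl = {}             # (domain, resource) -> {"DOM\\LocalGroup", ...}

    @staticmethod
    def domain_of(name: str) -> str:
        return name.split("\\", 1)[0]

    # --- trust relationships ---------------------------------------------
    def add_trust(self, trusting: str, trusted: str, two_way: bool = False) -> None:
        """`trusting` grants the `trusted` domain's accounts access to its resources."""
        self.trusts.add((trusting, trusted))
        if two_way:
            self.trusts.add((trusted, trusting))

    def trusts_domain(self, trusting: str, trusted: str) -> bool:
        return trusting == trusted or (trusting, trusted) in self.trusts

    # --- group composition rules from the chapter ------------------------
    def add_to_global(self, group: str, user: str) -> None:
        """Global groups hold user accounts from their own domain only;
        no local groups (avoids circular membership) and no resources."""
        if user in self.global_groups or user in self.local_groups:
            raise ValueError("global groups contain user accounts only")
        if self.domain_of(group) != self.domain_of(user):
            raise ValueError("global group members must come from the group's own domain")
        self.global_groups.setdefault(group, set()).add(user)

    def add_to_local(self, group: str, member: str) -> None:
        """Local groups hold users and global groups; a member from another
        domain is accepted only if this domain trusts that domain."""
        if member in self.local_groups:
            raise ValueError("local groups cannot contain local groups")
        if not self.trusts_domain(self.domain_of(group), self.domain_of(member)):
            raise ValueError("%s does not trust %s" % (self.domain_of(group), self.domain_of(member)))
        self.local_groups.setdefault(group, set()).add(member)

    def grant(self, domain: str, resource: str, local_group: str) -> None:
        """Permissions on a resource go to a local group of the resource's domain."""
        if self.domain_of(local_group) != domain:
            raise ValueError("grant permissions to the resource domain's own local groups")
        self.acl.setdefault((domain, resource), set()).add(local_group)

    # --- access check ----------------------------------------------------
    def effective_groups(self, user: str) -> set:
        """Global groups the user is in, plus local groups reached directly
        or through one of those global groups (one level; NT nests no deeper)."""
        globals_ = {g for g, m in self.global_groups.items() if user in m}
        locals_ = {g for g, m in self.local_groups.items() if user in m or m & globals_}
        return globals_ | locals_

    def can_access(self, user: str, domain: str, resource: str) -> bool:
        if not self.trusts_domain(domain, self.domain_of(user)):
            return False  # no trust: the account is not even recognised here
        return bool(self.acl.get((domain, resource), set()) & self.effective_groups(user))
```

The check in can_access mirrors the chapter's one-way trust figure: with Manufacturing trusting Business, a Business account can be granted access to a manufacturing server, but a Manufacturing account has no path to a business server until a trust is added in the other direction.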
Adding Groups

New local and global groups can be added at any time.

Figure: Business group composition
Managing Accounts

- Creating accounts
- Copying an account
- Deleting an account
- Disabling an account
- Renaming an account
Creating Accounts

Two accounts are created when Windows NT Server is installed:
- Administrator account: Provides complete access and control over the server
- Guest account: Can be set up with controlled access for guest users
Figure: Completing New Account Information
Assigning Users to a Group

Accounts that have the same security and access requirements can be assigned as members of a group.
Customizing User Access

The user account environment can be customized through user profiles, logon scripts, and home directories.
- e.g. make everyone run a virus checker
- e.g. user "fred" wants to always set up certain programs whenever/wherever he logs in
Windows NT Logon Script Commands (environment variables)

These are environment variables that a logon script (a batch file run at logon) can reference.

Variable                  Function
%HOMEPATH%                Path to the user's home directory (relative to %HOMEDRIVE%)
%HOMEDRIVE%               Drive letter mapped to the user's home directory (not the system disk)
%USERNAME%                The user's logon name
%USERDOMAIN%              The domain to which the user belongs
%OS%                      The operating system being used
%PROCESSOR_ARCHITECTURE%  The type of processor (the variable the slide calls "%Processor%"; Windows NT sets no variable by that name)
%HOMESHARE%               The share holding the home directory when it is on a network drive
Configuring the Server Hours

The server administrator can set up user accounts so they cannot access the server at designated times (e.g. during backups and other system work).

Figure: Logon Hours dialog box
Securing Account Access from Designated Workstations

- The server administrator can limit where a user can log on to the domain
- Ensures that certain accounts can only be accessed from designated workstations
Account Expiration and Type

- An expiration date is useful for an account that is needed for a specific time period (e.g. guests or temporary employees)
- The account type can be designated global (the normal type, usable from trusting domains) or local (for a user whose own account is in a domain this one does not trust, and who therefore needs a separate account here)
Copying an Account

- Accounts can be modeled after a master account
- Saves time when there are many accounts to create
Deleting an Account

- Completely erases the account from the security database
- Before deleting an account, consider disabling it for a period of time in case there is a need to reactivate it for access at a later date
- A deleted account's security identifier (SID) is never reused: recreating an account with the same name produces a new SID, and permissions granted to the old one do not carry over
Disabling an Account

- Good security practice
- A disabled account cannot be used to log on to the system, but all other settings and configuration options remain intact
Renaming an Account

- To prevent intruders familiar with the default account names (e.g. Administrator) from gaining access to the system; renaming keeps the account's SID, so it defeats name guessing but not an attacker who can enumerate accounts
- To change an account name when an account associated with a specific job is reassigned to another individual
- To comply with changes in the organization's naming convention
- To reflect a user's name change
Account Auditing

Auditing: Tracking the success or failure of events by recording selected types of events in the event log of a server or a workstation.

Use carefully; auditing can overload the system:
- disk space
- CPU time available to programs
Events that Can Be Audited

- Logon and logoff activity
- Access to files and objects
- How often user rights are exercised
- User and group management functions
- Security policy changes
- Restarting, shutting down, and other system activities
- Starting processes or software applications
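Auditing only pays for its disk and CPU cost if someone reads the log with specific questions in mind. The following is an added example, not code from the original chapter, that reviews a constructed audit trail for three of the event categories above (logons, user rights exercised, security policy changes) and cross-checks successful logons against the per-account logon hours and designated workstations from earlier in the chapter. Since Windows NT refuses a logon outside an account's permitted hours or from a non-designated workstation, a successful logon that breaks those rules means the restriction was never applied to that account. SAMPLE_LOG is a constructed text rendering, not the Windows NT event log format; the accounts, restrictions and thresholds are invented.

```python
"""Reviewing an audit trail for the event categories on this slide (logons,
user rights exercised, security policy changes), and checking successful
logons against the per-account logon hours and workstation restrictions
described earlier in the chapter.

Added example, not code from the original chapter. SAMPLE_LOG is a
constructed text rendering of audit events, not the Windows NT event log
format; the account restrictions, thresholds and names are invented.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: timestamp, category, outcome, then key=value fields.
SAMPLE_LOG = """\
1998-03-02 08:55:12 LOGON  SUCCESS user=robk ws=SALES-07
1998-03-02 09:01:44 LOGON  FAILURE user=rknauerh ws=SALES-07
1998-03-02 09:01:59 LOGON  FAILURE user=rknauerh ws=SALES-07
1998-03-02 09:02:13 LOGON  FAILURE user=rknauerh ws=SALES-07
1998-03-02 09:02:30 LOGON  FAILURE user=rknauerh ws=SALES-07
1998-03-02 23:12:05 LOGON  SUCCESS user=robk ws=MFG-KIOSK
1998-03-02 23:15:40 RIGHT  SUCCESS user=robk right="Take ownership of files or other objects"
1998-03-03 07:30:00 POLICY SUCCESS user=Administrator detail="audit policy changed"
1998-03-03 08:10:21 LOGON  SUCCESS user=shift1mgr ws=MFG-KIOSK
"""

# Assumed per-account settings (Logon Hours and designated workstations):
# permitted hours as a [start, end) pair on a 24h clock, and allowed workstations.
RESTRICTIONS = {
    "robk": {"hours": (8, 18), "workstations": {"SALES-07"}},
    "shift1mgr": {"hours": (6, 14), "workstations": {"MFG-KIOSK"}},
}

LINE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s*(.*)$")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(log_text: str) -> list:
    """Turn the text log into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, category, outcome, rest = m.groups()
        fields = {k: quoted or bare for k, quoted, bare in KV.findall(rest)}
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "category": category, "outcome": outcome, **fields})
    return events


def review(log_text: str, restrictions: dict, failure_threshold: int = 3) -> list:
    """Return (kind, user, detail) findings an administrator should look at."""
    events = parse(log_text)
    findings = []

    # Repeated logon failures against one account: password guessing, or a
    # stale password somewhere; with lockout enabled this is what locks it.
    failures = Counter(e.get("user", "?") for e in events
                       if e["category"] == "LOGON" and e["outcome"] == "FAILURE")
    for user, n in sorted(failures.items()):
        if n >= failure_threshold:
            findings.append(("repeated-failures", user, "%d failed logons" % n))

    for e in events:
        user = e.get("user", "?")
        if e["category"] == "LOGON" and e["outcome"] == "SUCCESS":
            r = restrictions.get(user)
            if r is None:
                continue   # no restriction defined; nothing to compare against
            start, end = r["hours"]
            if not start <= e["time"].hour < end:
                findings.append(("outside-hours", user, e["time"].strftime("%H:%M")))
            if e.get("ws") not in r["workstations"]:
                findings.append(("wrong-workstation", user, e.get("ws", "?")))
        elif e["category"] == "RIGHT":
            findings.append(("right-exercised", user, e.get("right", "?")))
        elif e["category"] == "POLICY":
            findings.append(("policy-change", user, e.get("detail", "?")))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG, RESTRICTIONS):
        print("%-18s %-14s %s" % (kind, user, detail))
```

In the sample, the account "robk" logs on at 23:12 from a workstation it is not meant to use and then exercises the Take ownership right; the review reports each of those separately so that the late logon is investigated even if the ownership change turns out to be legitimate.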
Creating Groups

Groups can be based on:
- Organizational units, workgroups, or departments
- Authorized users of network resources or applications
- Events, projects, or special assignments
- Geographical or location-based groups
- Individual job descriptions or functions
Setting Group Policies

Rights grant privileges to perform functions, such as:
- Accessing the server
- Adding workstations to the domain
- Changing the system time
- Backing up files
Setting Group Policies (continued)

- Standard rights: Apply to everyday users and groups (see the table on the next slide)
- Advanced rights: For programmers and system developers who have technical access needs
  - Debugging programs
  - Gaining access to operating system internals
  - Controlling memory swapping
Default NT Server User Rights

Right: Access this computer from network
  Granted to by default: Administrators, Everyone
  Description: Allows a connection to the server over the network

Right: Add workstations to domain
  Granted to by default: No default group; should be granted to Administrators
  Description: Ability to add a server or NT workstation to an existing domain

Right: Back up files and directories
  Granted to by default: Administrators, Backup Operators, Server Operators
  Description: Includes permission to read all files and directories in order to back them up

Right: Change system time
  Granted to by default: Administrators, Server Operators
  Description: Privilege to reset the server's time clock

Right: Force shutdown from a remote system
  Granted to by default: Administrators, Server Operators
  Description: Reserved but not yet available on NT Server

Right: Load/unload device drivers
  Granted to by default: Administrators
  Description: Privilege to copy and remove device drivers from the server

Right: Log on locally
  Granted to by default: Administrators; Backup, Print, Server, and Account Operators
  Description: Ability to log on to the server from the server console

Right: Manage auditing and security log
  Granted to by default: Administrators
  Description: Privilege to specify what to audit and to maintain audit logs

Right: Restore files and directories
  Granted to by default: Administrators, Server and Backup Operators
  Description: Permission to write to any file or directory on the server

Right: Shut down the system
  Granted to by default: Administrators; Server, Account, Backup, and Print Operators
  Description: Privilege to shut down the server

Right: Take ownership of files or other objects
  Granted to by default: Administrators
  Description: Ability to take ownership of files and folders created by another user

Note: the backup, restore, take-ownership and load/unload-device-driver rights each bypass file permissions or run code in the operating system, so membership in Backup Operators and Server Operators should be granted with the same care as membership in Administrators.
Chapter Summary

- Do some preliminary research before setting up accounts and groups; user feedback helps to ensure accounts match user needs
- Develop guidelines for account names
- Develop account policies for setting up passwords and account lockout features
- Windows NT domains are a tool to help manage a server
- Local and global groups reduce time spent managing individual accounts
- Creating an account is a multiple-step process: user and password information, group assignments, home directory assignments, hours to access the account, and security options