ch 3_082946.pdf

Full Transcript

Chapter three
3. User administration concepts and mechanism
Most users have read-only access to all components of the product. However, they will not have
the privilege to access, configure, or edit different documents. On the other hand, system
administrators can perform all administrative activities like creating new monitor groups,
creating new actions, adding new users, resetting user passwords, and changing how users
interact with the product by assigning users to preference groups.
The primary difference between a standard user and an administrator is the level of access that
the user has over core, protected areas of the computer. Administrators can change the system
state, turn off the firewall, configure security policies, install a service or a driver that affects
every user on the computer, and install software for the entire computer. Standard users cannot
perform these tasks, and they can only install per-user software.
User Account Control (UAC) is a security component that enables users to perform common
tasks as non-administrators (called standard users), and as administrators without having to
switch users, log off, or use Run As. User accounts that are members of the local Administrators
group run most applications as a standard user. By separating user and administrator functions,
UAC helps users move toward using standard user rights by default.
Active directory authentication module is implemented in application manager in order to ease
the user administration. Using active directory authentication module one can import users from
active directory, which enables users to log in to application manager if they have an account in
active directory domain.
3.1. User Accounts
 To access Windows 2008 network a user needs an account
 Account determines 3 factors:
❖ when a user may log on
❖ where within the domain/workgroup
❖ what privilege level a user is assigned
 Any object trying to access resource must do it through a user account

Birana College, Department of computer Science 1
 3.1.1 Types of user account
I. Local Accounts
Local account is an account setup on the machine. By default, there are some accounts. You can
have both. You can have a domain user and then have that user as a local admin so they can
perform admin stuff on the computer itself.
Local accounts Supported on all Windows 2000, 2003 and 2008 systems except DCs (on
member servers participating in domains and on standalone systems participating in
workgroups)
It is maintained on the local system, not distributed to other systems.
Local user account authenticates the user for local machine access only; access to resources
on other computers is not supported
In Windows, a local user is one whose username and encrypted password are stored on the
computer itself. When you log in as a local user, the computer checks its own list of users and its
own password file to see if you are allowed to log into the computer. The computer itself then
applies all the permissions (e.g., "can use the CD-ROM", "can install programs") and restrictions
(e.g., "cannot install programs") that are assigned to you for that computer.
II. Domain Accounts
Domain account is when you login using a domain account on a network. You would need a
domain controller to be able to setup accounts to login. You would then join the computer to the
domain and use a login from the central database. The point of having a domain account is to
control what can be done on the computer and if you are able to login.
◼ Permit access throughout a domain and provide centralized user administration through AD
◼ Created within a domain container in AD database and propagated to all other DCs
◼ Once authenticated against AD database using GC, a user obtains an access token for the
logon session, which determines permissions to all resources in the domain.
A domain user is one whose username and password are stored on a domain controller rather
than the computer the user is logging into. When you log in as a domain user, the computer asks
the domain controller what privileges are assigned to you. When the computer receives an
appropriate response from the domain controller, it logs you in with the proper permissions and
restrictions.
Domain users evolved in response to the challenges administrators face when managing large
numbers of computers, peripherals (e.g., printers, network storage), services, and users. When a

Birana College, Department of computer Science 2
network has a large population of users on various computers, it is difficult to maintain
information for every user on each individual computer. The task of managing so many users is
simplified by allowing each computer to validate access through a central source to see if each
user can log in and use computing resources. With one centralized source of user information
network administrators have only a small set of computers on which to maintain user
information.
3.2. What is security
Security is an important aspect of operating system design because it safeguards against access to
resources by unauthorized users.
The security mechanism can be broken in two steps: authentication and authorization.
Authentication involves identifying a user, while authorization ensures that an identified user has
access only to resources that has been permitted to use.
Access control mechanism is a mechanism that
✓ Permits authorized access to a system, such as a communication, computer, and data
processing system
✓ Prevents unauthorized access to the system
✓ Is considered to have failed when unauthorized access is permitted or when authorized
access is prevented.
3.2.1. Access Control
Access control is a more general way of talking about controlling access to a resource. Access
can be granted or denied based on a wide variety of criteria, such as the network address of the
client, the identity of the person who wants access, or the browser which the visitor is using.
Access control is analogous to locking the gate at closing time, or only letting people onto the
ride who are more than 48 inches tall. It is important by controlling access to know who has
access and who does not have access to a resource. This information’s could be stored in an
access matrix.
3.2.1.1. Access Matrix
The access matrix model is a visualization of access rights, and has several implementations such
as access control lists (ACLs) and capabilities. It is used to describe which users have access to
what objects. The matrix can be modified only by the owner or the administrator.
The access matrix model has 2 dimensions:
A list of objects. Objects could be files, processes, or disk drivers

Birana College, Department of computer Science 3
 A list of subjects (processes)

Example of an access matrix with access rights: read, write, execute, and delete.

3.2.1.2. Access Control List
An access control list (ACL) is a list that tells the operating system which access rights each user
has to a particular system object, such as a file directory or individual file. The most common
rights include the ability to read a file (or all the files in a directory), to write to the file (s), and to
execute the file (if it is executable).
Advantage and disadvantage of ACLs
In access control lists, it is easy to see all subjects that have access rights on an object and it is
also easy to revoke access rights.
The disadvantage with ACL's is that the list could be very large. It takes a lot of time to
determine for a subject all the objects on which he has access rights. Since one have to read
through all ACLs.

3.2.1.3. Offiline files
Ofiline files is a document management features that provides the user with consitent online and
offline access to network files.
Advantages of using offline files are:
Support for mobile users
Authomatic synchorization
The data is avilable with out internet connection

Birana College, Department of computer Science 4
 3.3. User Profiles
Profiles customize user environment, store profiles on server (roaming), restrict changes through
mandatory profiles.
A user profile is a collection of a user’s personal files and settings that define his or her working
environment

Some key folders in a user’s profile (N/A denotes that folder doesn’t exist in Windows XP)
– AppData (N/A) – Favorites
– Desktop – Music (My Music)
– Documents (My Documents) – Pictures (My Pictures)
– Downloads (N/A) – Ntuser.dat

3.3.1. Types of User profile
3.3.1.1. Local profile

A local profile is a user profile stored on the same system where the user logs on

Local profiles are created from a default profile when the user first logs on to a specific machine

Changes on one local profile will not migrate to another local profile on another machine

For consistent profiles that reflect changes made on multiple machines, use roaming profiles

Any changes made to your local user profile are specific to the computer on which you made the
changes.

3.3.1.2. Roaming profile

Roaming Profiles is what allows a user to logon onto any computer in an organization and have
all their personal files and setting apply to that computer as it was the last time, they used a
computer. This is really a Win/Win for Users and IT Professional as for a user this is a big-time
saver as they no longer need to waste time setting up their drives, printers and other personal
settings when they have to use another computer. IT professional also benefit when there is an
un-expected failure or loss of a computer then they don’t have to go through what could be a
lengthily, costly and if not impossible, process of recovering the user’s data.

Roaming profiles have the advantage of users have their personal settings and files available on
all computers they login to. But the only problem is increased network activity during logon and

Birana College, Department of computer Science 5
logoff. Roaming profiles work by copying the user’s profile to the client computer on which the
user logs on and when the user logs off the files are copied back to the server. Folder permissions
and policies have to be configured properly to ensure the privacy of user files are maintained,
while the administrator is able to have access to the user profiles.

The followings are the major characteristics of roaming profile:-

A roaming profile follows the user no matter which computer he or she logs on to.

Profile is copied from a network share when the user logs on to a computer in the network

Creates a local copy of the roaming profile, called a profile’s cached copy

Changes made to the profile are then replicated from locally cached copy back to the profile on
the network share when the user logs off

A roaming user profile is created by your system administrator and is stored on a server.

This profile is available every time you log on to any computer on the network.

Changes made to your roaming user profile are updated on the server.

The roaming profile is created from one of two locations

The NETLOGON share

The Default profile on the local system

Roaming user profiles have the following advantages:

Automatic resource availability. A user's unique profile is automatically available when
he or she logs on to any computer on the network. Users do not need to create a profile on
each computer they use on a network.
Simplified computer replacement and backup. When a user's computer must be replaced,
it can be replaced easily because all of the user's profile information is maintained
separately on the network, independent of an individual computer. When the user logs on
to the new computer for the first time, the server copy of the user's profile is copied to the
new computer.

Birana College, Department of computer Science 6
The user's profile is not loaded automatically when the user is logged on using the Logon User
function. To load a roaming user profile programmatically, use the LoadUserProfile function.
To unload a roaming user profile loaded by LoadUserProfile, call the UnloadUserProfile
function.

3.3.1.3. Mandatory Profiles
A mandatory user profile is a special type of pre-configured roaming user profile that
administrators can use to specify settings for users. With mandatory user profiles, a user can
modify his or her desktop, but the changes are not saved when the user logs off. The next time
the user logs on, the mandatory user profile created by the administrator is downloaded. There
are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles.

User profiles become mandatory profiles when the administrator renames the NTuser.dat file
(the registry hive) on the server to NTuser.man. The.man extension causes the user profile to be
a read-only profile.

User profiles become super-mandatory when the folder name of the profile path ends in.man;
for example, \\server\share\mandatoryprofile.man\.

Super-mandatory user profiles are similar to normal mandatory profiles, with the exception that
users who have super-mandatory profiles cannot log on when the server that stores the
mandatory profile is unavailable. Users with normal mandatory profiles can log on with the
locally cached copy of the mandatory profile.

The followings are the major characteristics of mandatory profile

Used when you don’t want users to be able to change their profile, or only have the ability to
make temporary changes

Mandatory profiles are fixed profile in which the user changes will not be saved.

Only administrators can make changes to mandatory profiles.

Commonly used in situations where a common logon is assigned for multiple users

Works like a roaming profile, but changes made to the profile will not be copied to the server

Birana College, Department of computer Science 7
 3.3.2. Home folder
Home folders are centralized locations of the user files (data). Home folders make it easier for an
administrator to back up user files by collecting all users’ files in one location. Whenever the user logs on
to any computer in a domain, home folders will be available in the form of network drive or network
location.

3.4. Automating Administrative tasks
Automation system is designed to extend the capacity of systems to perform certain tasks
formerly done by humans, and to control sequences of operations without human intervention.
The term automation has also been used to systems in which programmed or automatic devices
can operate independently or nearly independently of human control. Run automated tasks on
one computer and distribute and run task on many computers to make all the tasks are
automated.

Tasks which a system administrator performs repeatedly should be automated to save your time,
to save your money and prevents human related errors. Automation of administrative tasks are
done through scripting, specialized software and system scheduling.

Automate administrative tasks such as: automate software installation, automate FTP upload and
download, broadcast messages to all users on the network, delete all empty file from the folder,
zip files that are more than 5MB files. For Example AccessRed.Vbs is used to read Ms-Access
data base files without using Ms-access.

3.5. Change password policy settings
If your computer is on a domain, only your network administrator can change password policy
settings. Password policy setting can help protect your computer by customizing your password
policy settings, including requiring users to change their password regularly, specifying a
minimum length for passwords, and requiring passwords to meet certain complexity
requirements.

Birana College, Department of computer Science 8
 3.5.1. Types of password policy
1. Enforce password history

Enforce password history sets how frequently old passwords can be reused. It prevents users
from creating a new password that is the same as their current password or a recently used
password. To specify how many passwords are remembered, provide a value. For example a
value of 1 means that only the last password will be remembered, and a value of 5 means that the
previous five passwords will be remembered. So the recommended enforce password history
must be greater than one (1).

2. Maximum password age

Maximum password age determines how long users can keep a password before they have to
change it. Set the maximum number of days that a password is valid. After this number of days,
the user will have to change the password.

The default expiration date is 42 days; however, it can be set to any value from 0 to 999. A value
of zero specifies that passwords do not expire. Although it may be tempting to set no expiration
date, users should change passwords regularly to ensure the network's security. Where security is
a concern, good values are 30, 60, or 90 days. Where security is less important, good values are
120, 150, or 180 days.. Setting the number of days too high provides hackers with an extended window of opportunity
to crack the password. Setting the number of days too low might be frustrating for users who
have to change their passwords too frequently.

3. Minimum password Age

Minimum password age determines how long users must keep a password before they can
change it. This field can be set to prevent users from cheating the password system by entering a
new password and then changing it right back to the old one. To prevent this, set a specific
minimum age. Reasonable settings are from three to seven days. In this way, users are less

Birana College, Department of computer Science 9
inclined to switch back to an old password but are able to change their passwords in a reasonable
amount of time if they want to. If you are not concerned about someone in your office or home
using your computer, however, using no password gives you better protection against a hacker
trying to break into your computer from the Internet or another network than an easily guessed
password would. If you use no password, Windows automatically prevents anyone from logging
on to your computer from the Internet or another network.

4. Minimum password length

Minimum password length sets the minimum number of characters for a password. If it hasn't
been changed already, the default setting should be changed immediately. The default is to allow
empty passwords (passwords with zero characters), which is definitely not a good idea. For
security reasons, passwords of at least eight characters are required. The reason for this is that
long passwords are usually harder to crack than short ones. If greater security is needed, the
minimum password length can be set to a maximum of 14 characters.

Note: The minimum password length for the Evaluated Configuration is 8 characters.

5. Passwords must meet complexity requirements
Determine whether password complexity is enforced. If this setting is enabled, user passwords
meet the following requirements:
The password is at least six characters long.
The password contains characters from at least three of the following five categories:
✓ English uppercase characters (A - Z)
✓ English lowercase characters (a - z)
✓ Base 10 digits (0 - 9)
✓ Non-alphanumeric (For example: !, $, #, or %)
✓ Unicode characters
✓ The password does not contain three or more characters from the user's account
name.
If the account name is less than three characters long, this check is not performed because the
rate at which passwords would be rejected is too high. When checking against the user's full

Birana College, Department of computer Science 10
name, several characters are treated as delimiters that separate the name into individual tokens:
commas, periods, dashes/hyphens, underscores, spaces, pound-signs and tabs. For each token
that is three or more characters long, that token is searched for in the password; if it is present the
password change is rejected. For example, the name "Erin M. Hagens" would be split into three
tokens: "Erin," "M," and "Hagens." Because the second token is only one character long, it
would be ignored. Therefore, this user could not have a password that included either "erin" or
"hagens" as a substring anywhere in the password. All of these checks are case insensitive.
These complexity requirements are enforced upon password change or creation of new
passwords. It is recommended that you enable this setting.

5.7. Grant a Member the Right to Logon Locally

Domain controllers, by default, restrict the types of user accounts that have the ability to log on
locally. By default, only members of the Account Operators, Administrators, Backup Operators,
Print Operators, and Server Operators groups have the Allowed logon locally system right. If
you want to grant a user account the ability to log on locally to a domain controller, you must
either make that user a member of a group that already has the Allowed logon locally system
right or grant the right to that user account.

5.8. Account Lockout policy

Normally the account lockout duration security setting determines the number of minutes a
locked-out account remains locked out before automatically becoming unlocked. If the account
lockout duration is set to 0 minutes, then a locked-out user account will be locked out until an
administrator manually unlocks that locked out user account.
This will show you how to manually unlock a user account that was locked out when it reached
its account lockout threshold of invalid logon attempts.
N.B. You will only be able to do this while logged in as an administrator.

Further reading assignment

1. Security, distribution, domain local, universal and global groups
2. Registry

Birana College, Department of computer Science 11