Chapter three
3. User administration concepts and mechanism
Birana College, Department of Computer Science

Most users have read-only access to all components of the product. However, they will not have the privilege to access, configure, or edit different documents. On the other hand, system administrators can perform all administrative activities, such as creating new monitor groups, creating new actions, adding new users, resetting user passwords, and changing how users interact with the product by assigning users to preference groups.

The primary difference between a standard user and an administrator is the level of access that the user has over core, protected areas of the computer. Administrators can change the system state, turn off the firewall, configure security policies, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks; they can only install per-user software.

User Account Control (UAC) is a security component that enables users to perform common tasks as non-administrators (called standard users), and as administrators without having to switch users, log off, or use Run As. User accounts that are members of the local Administrators group run most applications as a standard user. By separating user and administrator functions, UAC helps users move toward using standard user rights by default.

An Active Directory authentication module is implemented in the application manager in order to ease user administration. Using the Active Directory authentication module, one can import users from Active Directory, which enables users to log in to the application manager if they have an account in the Active Directory domain.

3.1. User Accounts

To access a Windows 2008 network a user needs an account. The account determines three factors:
❖ when a user may log on
❖ where within the domain/workgroup
❖ what privilege level a user is assigned
Any object trying to access a resource must do it through a user account.

3.1.1 Types of user account

I. Local Accounts

A local account is an account set up on the machine. By default, there are some accounts. You can have both: you can have a domain user and then make that user a local admin so they can perform admin tasks on the computer itself.

Local accounts:
◼ Supported on all Windows 2000, 2003 and 2008 systems except DCs (on member servers participating in domains and on standalone systems participating in workgroups)
◼ Maintained on the local system, not distributed to other systems
◼ A local user account authenticates the user for local machine access only; access to resources on other computers is not supported

In Windows, a local user is one whose username and encrypted password are stored on the computer itself. When you log in as a local user, the computer checks its own list of users and its own password file to see if you are allowed to log into the computer. The computer itself then applies all the permissions (e.g., "can use the CD-ROM", "can install programs") and restrictions (e.g., "cannot install programs") that are assigned to you for that computer.

II. Domain Accounts

A domain account is used when you log in using a domain account on a network. You need a domain controller to be able to set up accounts to log in with. You then join the computer to the domain and use a login from the central database. The point of having a domain account is to control what can be done on the computer and whether you are able to log in.

Domain accounts:
◼ Permit access throughout a domain and provide centralized user administration through AD
◼ Created within a domain container in the AD database and propagated to all other DCs
◼ Once authenticated against the AD database using the GC, a user obtains an access token for the logon session, which determines permissions to all resources in the domain

A domain user is one whose username and password are stored on a domain controller rather than on the computer the user is logging into. When you log in as a domain user, the computer asks the domain controller what privileges are assigned to you. When the computer receives an appropriate response from the domain controller, it logs you in with the proper permissions and restrictions.

Domain users evolved in response to the challenges administrators face when managing large numbers of computers, peripherals (e.g., printers, network storage), services, and users. When a network has a large population of users on various computers, it is difficult to maintain information for every user on each individual computer. The task of managing so many users is simplified by allowing each computer to validate access through a central source to see if each user can log in and use computing resources. With one centralized source of user information, network administrators have only a small set of computers on which to maintain user information.

3.2. What is security

Security is an important aspect of operating system design because it safeguards against access to resources by unauthorized users. The security mechanism can be broken into two steps: authentication and authorization. Authentication involves identifying a user, while authorization ensures that an identified user has access only to the resources that he or she has been permitted to use.

An access control mechanism is a mechanism that
✓ Permits authorized access to a system, such as a communication, computer, or data processing system
✓ Prevents unauthorized access to the system
✓ Is considered to have failed when unauthorized access is permitted or when authorized access is prevented

3.2.1. Access Control

Access control is a more general way of talking about controlling access to a resource. Access can be granted or denied based on a wide variety of criteria, such as the network address of the client, the identity of the person who wants access, or the browser which the visitor is using. Access control is analogous to locking the gate at closing time, or only letting people onto the ride who are more than 48 inches tall. When controlling access it is important to know who has access and who does not have access to a resource. This information can be stored in an access matrix.

3.2.1.1. Access Matrix

The access matrix model is a visualization of access rights, and has several implementations such as access control lists (ACLs) and capabilities. It is used to describe which users have access to what objects. The matrix can be modified only by the owner or the administrator. The access matrix model has two dimensions:
– A list of objects. Objects could be files, processes, or disk drivers
– A list of subjects (processes)
Example of an access matrix with access rights: read, write, execute, and delete.

3.2.1.2. Access Control List

An access control list (ACL) is a list that tells the operating system which access rights each user has to a particular system object, such as a file directory or individual file. The most common rights include the ability to read a file (or all the files in a directory), to write to the file(s), and to execute the file (if it is executable).
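The access matrix and its two implementations, as an added example that is not part of the original chapter (the matrix contents, subject names and object names are constructed): the same matrix is read column-wise to produce per-object ACLs and row-wise to produce per-subject capability lists, and the helper functions show why revoking access is a single ACL edit while listing every object a subject can reach requires scanning all ACLs.

```python
# Access rights used in the chapter's access matrix example.
RIGHTS = ("read", "write", "execute", "delete")

# Constructed access matrix (values are made up for illustration): rows are
# subjects, columns are objects, and each cell is the set of rights the
# subject holds on that object. A missing cell means no rights at all.
ACCESS_MATRIX = {
    "alice": {"payroll.xls": {"read", "write"}, "backup.exe": {"read", "execute"}},
    "bob":   {"payroll.xls": {"read"}, "report.doc": {"read", "write", "delete"}},
    "admin": {obj: set(RIGHTS) for obj in ("payroll.xls", "backup.exe", "report.doc")},
}


def to_acls(matrix):
    """Column view of the matrix: for each object, a (subject -> rights) list (an ACL)."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_capabilities(matrix):
    """Row view of the matrix: for each subject, the objects and rights it holds."""
    return {subj: {obj: set(r) for obj, r in row.items() if r}
            for subj, row in matrix.items()}


def is_allowed(acls, subject, obj, right):
    """ACL access check: deny unless the right is explicitly listed for the subject."""
    return right in acls.get(obj, {}).get(subject, set())


def revoke(acls, subject, obj):
    """Revoking a subject's access to an object is one edit on that object's ACL."""
    acls.get(obj, {}).pop(subject, None)


def objects_for_subject(acls, subject):
    """To find everything a subject may access, every ACL has to be scanned;
    with capability lists the same answer is a single lookup by subject."""
    return sorted(obj for obj, entries in acls.items() if subject in entries)


if __name__ == "__main__":
    acls = to_acls(ACCESS_MATRIX)
    print("bob may read payroll.xls:", is_allowed(acls, "bob", "payroll.xls", "read"))
    print("bob may write payroll.xls:", is_allowed(acls, "bob", "payroll.xls", "write"))
    print("objects bob can reach:", objects_for_subject(acls, "bob"))
    revoke(acls, "bob", "payroll.xls")
    print("after revoke:", objects_for_subject(acls, "bob"))
    print("alice's capability list:", to_capabilities(ACCESS_MATRIX)["alice"])
```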
Advantage and disadvantage of ACLs

With access control lists it is easy to see all the subjects that have access rights on an object, and it is also easy to revoke access rights. The disadvantage of ACLs is that the list could be very large, and it takes a lot of time to determine, for a given subject, all the objects on which it has access rights, since one has to read through all the ACLs.

3.2.1.3. Offline files

Offline files is a document management feature that provides the user with consistent online and offline access to network files. Advantages of using offline files are:
– Support for mobile users
– Automatic synchronization
– The data is available without an internet connection

3.3. User Profiles

Profiles customize the user environment; they can be stored on a server (roaming profiles), and changes can be restricted through mandatory profiles. A user profile is a collection of a user's personal files and settings that define his or her working environment.

Some key folders in a user's profile (N/A denotes that the folder doesn't exist in Windows XP):
– AppData (N/A)
– Favorites
– Desktop
– Music (My Music)
– Documents (My Documents)
– Pictures (My Pictures)
– Downloads (N/A)
– Ntuser.dat

3.3.1. Types of User profile

3.3.1.1. Local profile

A local profile is a user profile stored on the same system where the user logs on. Local profiles are created from a default profile when the user first logs on to a specific machine. Changes to one local profile will not migrate to another local profile on another machine; for consistent profiles that reflect changes made on multiple machines, use roaming profiles. Any changes made to your local user profile are specific to the computer on which you made the changes.

3.3.1.2. Roaming profile

Roaming profiles are what allow a user to log on to any computer in an organization and have all their personal files and settings applied to that computer as they were the last time they used a computer. This is a win/win for users and IT professionals: for a user it is a big time saver, as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computer. IT professionals also benefit when there is an unexpected failure or loss of a computer, since they don't have to go through what could be a lengthy, costly and possibly impossible process of recovering the user's data.

Roaming profiles have the advantage that users have their personal settings and files available on all computers they log in to. The only problem is increased network activity during logon and logoff. Roaming profiles work by copying the user's profile to the client computer on which the user logs on; when the user logs off, the files are copied back to the server. Folder permissions and policies have to be configured properly to ensure that the privacy of user files is maintained while the administrator is still able to access the user profiles.

The following are the major characteristics of a roaming profile:
– A roaming profile follows the user no matter which computer he or she logs on to
– The profile is copied from a network share when the user logs on to a computer in the network
– This creates a local copy of the roaming profile, called the profile's cached copy
– Changes made to the profile are then replicated from the locally cached copy back to the profile on the network share when the user logs off

A roaming user profile is created by your system administrator and is stored on a server. This profile is available every time you log on to any computer on the network. Changes made to your roaming user profile are updated on the server. The roaming profile is created from one of two locations:
– The NETLOGON share
– The Default profile on the local system

Roaming user profiles have the following advantages:
– Automatic resource availability. A user's unique profile is automatically available when he or she logs on to any computer on the network. Users do not need to create a profile on each computer they use on a network.
– Simplified computer replacement and backup. When a user's computer must be replaced, it can be replaced easily because all of the user's profile information is maintained separately on the network, independent of an individual computer. When the user logs on to the new computer for the first time, the server copy of the user's profile is copied to the new computer.

The user's profile is not loaded automatically when the user is logged on using the LogonUser function. To load a roaming user profile programmatically, use the LoadUserProfile function. To unload a roaming user profile loaded by LoadUserProfile, call the UnloadUserProfile function.

3.3.1.3. Mandatory Profiles

A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded.

There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles. User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) on the server to NTuser.man. The .man extension causes the user profile to be a read-only profile. User profiles become super-mandatory when the folder name of the profile path ends in .man; for example, \\server\share\mandatoryprofile.man\. Super-mandatory user profiles are similar to normal mandatory profiles, with the exception that users who have super-mandatory profiles cannot log on when the server that stores the mandatory profile is unavailable. Users with normal mandatory profiles can log on with the locally cached copy of the mandatory profile.

The following are the major characteristics of a mandatory profile:
– Used when you don't want users to be able to change their profile, or only want them to be able to make temporary changes
– Mandatory profiles are fixed profiles in which the user's changes will not be saved
– Only administrators can make changes to mandatory profiles
– Commonly used in situations where a common logon is assigned to multiple users
– Works like a roaming profile, but changes made to the profile will not be copied to the server

3.3.2. Home folder

Home folders are centralized locations for user files (data). Home folders make it easier for an administrator to back up user files by collecting all users' files in one location. Whenever the user logs on to any computer in a domain, the home folder will be available in the form of a network drive or network location.

3.4. Automating Administrative tasks

An automation system is designed to extend the capacity of systems to perform certain tasks formerly done by humans, and to control sequences of operations without human intervention. The term automation has also been applied to systems in which programmed or automatic devices can operate independently or nearly independently of human control. Automated tasks can be run on one computer, or distributed and run on many computers so that all the tasks are automated. Tasks which a system administrator performs repeatedly should be automated to save time, save money and prevent human-related errors. Automation of administrative tasks is done through scripting, specialized software and system scheduling. Administrative tasks that can be automated include: software installation, FTP upload and download, broadcasting messages to all users on the network, deleting all empty files from a folder, and zipping files that are larger than 5 MB. For example, AccessRed.Vbs is used to read MS Access database files without using MS Access.

3.5. Change password policy settings

If your computer is on a domain, only your network administrator can change password policy settings. Password policy settings can help protect your computer by letting you customize your password policy, including requiring users to change their password regularly, specifying a minimum length for passwords, and requiring passwords to meet certain complexity requirements.

3.5.1. Types of password policy

1. Enforce password history

Enforce password history sets how frequently old passwords can be reused. It prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered. So the recommended Enforce password history value must be greater than one (1).

2. Maximum password age

Maximum password age determines how long users can keep a password before they have to change it. Set the maximum number of days that a password is valid. After this number of days, the user will have to change the password. The default expiration is 42 days; however, it can be set to any value from 0 to 999. A value of zero specifies that passwords do not expire. Although it may be tempting to set no expiration date, users should change passwords regularly to ensure the network's security. Where security is a concern, good values are 30, 60, or 90 days. Where security is less important, good values are 120, 150, or 180 days. Setting the number of days too high provides hackers with an extended window of opportunity to crack the password. Setting the number of days too low might be frustrating for users who have to change their passwords too frequently.

3. Minimum password age

Minimum password age determines how long users must keep a password before they can change it. This field can be set to prevent users from cheating the password system by entering a new password and then changing it right back to the old one. To prevent this, set a specific minimum age. Reasonable settings are from three to seven days. In this way, users are less inclined to switch back to an old password but are able to change their passwords in a reasonable amount of time if they want to.

If you are not concerned about someone in your office or home using your computer, however, using no password gives you better protection against a hacker trying to break into your computer from the Internet or another network than an easily guessed password would. If you use no password, Windows automatically prevents anyone from logging on to your computer from the Internet or another network.

4. Minimum password length

Minimum password length sets the minimum number of characters for a password. If it hasn't been changed already, the default setting should be changed immediately. The default is to allow empty passwords (passwords with zero characters), which is definitely not a good idea. For security reasons, passwords of at least eight characters are required. The reason for this is that long passwords are usually harder to crack than short ones. If greater security is needed, the minimum password length can be set to a maximum of 14 characters. Note: the minimum password length for the Evaluated Configuration is 8 characters.

5. Passwords must meet complexity requirements

Determines whether password complexity is enforced. If this setting is enabled, user passwords must meet the following requirements:
✓ The password is at least six characters long.
✓ The password contains characters from at least three of the following five categories:
  – English uppercase characters (A - Z)
  – English lowercase characters (a - z)
  – Base 10 digits (0 - 9)
  – Non-alphanumeric (for example: !, $, #, or %)
  – Unicode characters
✓ The password does not contain three or more characters from the user's account name. If the account name is less than three characters long, this check is not performed because the rate at which passwords would be rejected is too high. When checking against the user's full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound signs and tabs. For each token that is three or more characters long, that token is searched for in the password; if it is present, the password change is rejected. For example, the name "Erin M. Hagens" would be split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it would be ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. All of these checks are case insensitive.
These complexity requirements are enforced upon password change or creation of new passwords. It is recommended that you enable this setting.

5.7. Grant a Member the Right to Logon Locally

Domain controllers, by default, restrict the types of user accounts that have the ability to log on locally. By default, only members of the Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators groups have the Allow log on locally system right. If you want to grant a user account the ability to log on locally to a domain controller, you must either make that user a member of a group that already has the Allow log on locally system right or grant the right to that user account.

5.8. Account Lockout policy

Normally, the account lockout duration security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. If the account lockout duration is set to 0 minutes, then a locked-out user account will stay locked out until an administrator manually unlocks it. This will show you how to manually unlock a user account that was locked out when it reached its account lockout threshold of invalid logon attempts. N.B. You will only be able to do this while logged in as an administrator.

Further reading assignment
1. Security, distribution, domain local, universal and global groups
2. Registry
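The complexity check from 3.5.1 (item 5), combined with the Enforce password history and Minimum password length settings from the same section, as an added example that is not part of the original chapter: it tokenizes the full name on the delimiters the chapter lists, counts the five character categories, and rejects account-name and name-token substrings case-insensitively. The chapter's own "Erin M. Hagens" is the sample user; the account name "ehagens" and the password history are constructed, and plaintext comparison is used only for illustration.

```python
import re

# Delimiters the chapter lists for splitting the full name into tokens:
# commas, periods, dashes/hyphens, underscores, spaces, pound signs and tabs.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name):
    """Split the full name on the delimiters; only tokens of 3+ characters are checked."""
    return [t for t in NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def category_count(password):
    """Count how many of the five character categories the password uses."""
    checks = [
        any("A" <= c <= "Z" for c in password),               # English uppercase
        any("a" <= c <= "z" for c in password),               # English lowercase
        any("0" <= c <= "9" for c in password),               # base 10 digits
        any(not c.isalnum() for c in password),               # non-alphanumeric
        any(c.isalpha() and ord(c) > 127 for c in password),  # other Unicode letters
    ]
    return sum(checks)


def complexity_violations(password, account_name, full_name=""):
    """Reasons the password fails 'Passwords must meet complexity requirements'."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    if category_count(password) < 3:
        problems.append("fewer than three character categories")
    low = password.lower()  # all of these checks are case insensitive
    # The account-name check is skipped when the name is under three characters.
    if len(account_name) >= 3 and account_name.lower() in low:
        problems.append("contains the account name")
    for token in name_tokens(full_name):
        if token.lower() in low:
            problems.append("contains name token '%s'" % token)
    return problems


def policy_violations(password, account_name, full_name, history,
                      remembered=5, min_length=8, complexity=True):
    """Apply Enforce password history, Minimum password length and complexity.
    'history' holds the user's previous passwords, oldest first; 'remembered'
    is the Enforce password history value (how many of them may not be reused).
    Plaintext comparison is for illustration only; real systems compare hashes.
    """
    problems = []
    if remembered > 0 and password in history[-remembered:]:
        problems.append("reuses one of the last %d passwords" % remembered)
    if len(password) < min_length:
        problems.append("shorter than the minimum length of %d" % min_length)
    if complexity:
        problems.extend(complexity_violations(password, account_name, full_name))
    return problems


if __name__ == "__main__":
    # Constructed sample user; "Erin M. Hagens" is the chapter's own example name.
    previous = ["Winter#1", "Spring#2"]
    for candidate in ["hagens2024!", "Winter#1", "Summer#2024xyz"]:
        print(candidate, policy_violations(candidate, "ehagens", "Erin M. Hagens", previous))
```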