Windows Server 2003 Overview (Ayaz)
Account Management • The process by which the administrator configures the network so that users have • access to what they need • no access to what they do not need • Each user account is represented in the directory as an object (identified by its user name) that holds membership in one or more groups
Planning • Plan, plan, plan • Don't just start adding users and other objects • Set up organizational units and groups before adding other objects, so every user lands in the right container and group from the start
Objects • Every element on the network, from people to machines, is represented in Active Directory (AD) by an object • Each object represents one specific element with its own properties and configuration settings • Active Directory Users and Computers (ADUC) • The Administrative Tools snap-in that lets the administrator manage users, groups, and other AD objects
Organizational Units • A way to logically organize resources within the domain • Identify any groups or resources in the organization that need to be kept separate from other areas • "Container": any object in the directory into which other objects can be placed • Administrative control over an OU can be delegated separately (for example, a help desk may reset passwords only in its own OU) • Example • Departments
Rights & Permissions • Rights • Allow a user to perform a task (log on locally, back up files, shut down the system) • Permissions (perms) • Define the type of access to a particular resource (read a file, print to a printer) • Example • A user has the right to log on to the network and must also have permission to use a particular resource
Groups • Plan your groups • User accounts are created to identify individuals on the network • Groups • Objects that let a number of users be administered as a "single account" • Groups are created for the purpose of assigning permissions • Users can be assigned permissions directly, but this is not recommended • Create groups instead, even if a group has only one member!
Types of Groups • NT 4 • Global groups • Local groups • Windows Server 2003 • Domain local groups • Global groups • Universal groups • Local groups • Windows Server 2003 has a number of built-in groups of each type
Group Types cont'd • Universal Groups • Users from any domain in the forest can be members • Can be given permissions to resources in any domain • Membership is stored in the global catalog, so every membership change replicates forest-wide; generally used only in large multi-domain networks • Universal security groups need native mode; in native mode the forest root domain's Enterprise Admins and Schema Admins are built-in universal groups • Local Groups • Used to assign permissions only to resources on the machine the group was created on • Present on every Windows computer, including machines where AD is not installed
Domain Local Group Scope • Members can include: • User accounts from any domain • Global and universal groups from any domain • Other domain local groups from the same domain (native mode only) • Can be granted permissions only to resources within the domain they are created in • Generally used to identify resources that have a similar function on the network • Groups with domain local scope should be used to define and manage access to resources within a single domain
Global and Universal Group Scope • Global group members can include: • User accounts from the same domain • Global groups from the same domain (native mode only) • One user may be a member of several global groups • Can be granted permissions to resources in any domain in the forest • Generally used to organize users with similar roles in the organization • Universal group members can include: • Users from any domain • Global groups from any domain • Universal groups from any domain
Domain Local Group Scope Scenario • Example: • To give 5 users access to a particular printer (the resource), create a domain local group and assign it permission to use the printer. Put the 5 user accounts in a global group and add that global group to the domain local group. Later, to give these 5 users access to a new printer, assign the same domain local group permission to the new printer; all members of the global group automatically receive access. Likewise, a sixth user is simply added to the global group and inherits every permission the domain local group holds, with no ACL change on any printer.
Microsoft "Way" Group Membership • Create the user and place it into one or more global groups • Global groups are then placed into domain local groups • Domain local groups are given permissions to the resources
AGLP and UGLR • AGLP • Accounts into Global groups, into domain Local groups, which are given Permissions to the resources • UGLR • Users into Global groups, into domain Local groups, permissions assigned to Resources (the same pattern under a different name)
Creating a Group • Built-in groups • Default groups • Create your own • ADUC tool • Select a container (OU) for the new group • Create the group using the New Object - Group window, choosing its scope (domain local, global, universal) and type (security or distribution) • Add users to the group now or later: right-click, Properties, Members tab, and select the users • Groups can also be added to other groups (nesting)
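The AGLP procedure from the last few slides, done with the ActiveDirectory PowerShell module instead of the ADUC dialogs. This is an added example, not part of the original slides. Assumed names: an OU called Sales, a file server FS01 with a folder D:\Shares\SalesDocs, and two existing user accounts jsmith and mlee. The module ships with RSAT on Windows Server 2008 R2 and later and needs a domain controller running Active Directory Web Services (on Windows Server 2003 DCs that means installing the Active Directory Management Gateway Service); the GUI steps on the slides are the native way to do this on 2003 itself.

```powershell
# Added example (not from the original slides): AGLP with the ActiveDirectory module.
# Assumptions: OU "Sales", file server FS01 sharing D:\Shares\SalesDocs, existing
# users jsmith and mlee. Run on FS01 as a domain admin with RSAT installed.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName          # e.g. DC=example,DC=local
$netbios   = $domain.NetBIOSName                # e.g. EXAMPLE
$ouDN      = "OU=Sales,$domainDN"
$sharePath = 'D:\Shares\SalesDocs'

# 1. Plan first: the container exists before any user or group is created in it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Sales'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. G: a global group that names a role. Only accounts from this domain can be members.
New-ADGroup -Name 'G-Sales-Staff' -GroupScope Global -GroupCategory Security `
    -Path $ouDN -Description 'Role: sales department staff'

# 3. L: a domain local group that names one permission on one resource.
New-ADGroup -Name 'DL-SalesDocs-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ouDN -Description 'Modify on \\FS01\SalesDocs'

# A -> G: accounts go into the role group; G -> L: the role group goes into the resource group.
Add-ADGroupMember -Identity 'G-Sales-Staff'       -Members 'jsmith', 'mlee'
Add-ADGroupMember -Identity 'DL-SalesDocs-Modify' -Members 'G-Sales-Staff'

# 4. P: the NTFS permission is granted to the domain local group and nothing else.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$netbios\DL-SalesDocs-Modify",
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check (a): the users reach the permission only through the G -> L nesting.
Get-ADGroupMember -Identity 'DL-SalesDocs-Modify' -Recursive | Select-Object SamAccountName

# Check (b): no explicit ACE on the folder names an individual user account.
(Get-Acl -Path $sharePath).Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        $name = $_.IdentityReference.Value.Split('\')[-1]
        $obj  = Get-ADObject -Filter "SamAccountName -eq '$name'"
        if ($obj -and $obj.ObjectClass -eq 'user') {
            Write-Warning "Direct user ACE found, move it to a group: $($_.IdentityReference)"
        }
    }
```

When a second resource appears (another share, a printer), give it its own DL- group, grant that group the permission, and nest G-Sales-Staff in it; the user accounts themselves are never touched, which is the whole point of the pattern.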
Reasons for Using Groups • Easier to organize permissions by group than on an individual basis • AGLP is a known "standard" • MCSE exams expect the "right" way (the Microsoft way)
Five Default Groups (special identities) • Membership is not based on who the user is, but on how they are connected to a resource • Cannot be configured through AD, but can be used when setting permissions • Everyone: all users are members!!!!! (on Windows Server 2003, Everyone no longer includes Anonymous Logon unless the policy "Let Everyone permissions apply to anonymous users" is enabled) • Authenticated Users: everyone who logged on with a valid account; prefer it over Everyone • Creator Owner: the user who created the resource • Network: users accessing the resource over the network (shares) • Interactive: users logged on locally
Distribution and Security Groups • Distribution groups • Used only with e-mail applications such as Exchange to send mail to collections of users; they cannot appear in an ACL • Security groups • Used to assign access to network resources (and can also receive mail) • Rights: tasks users can perform in a domain; some are granted automatically to built-in groups such as Backup Operators • Permissions: • Determine who can access a resource and the level of access • Assign permissions to the resource using security groups rather than individual users
User Accounts • Match users with the resources they need • Users represent a "role" in the company, not "individuals" • Individual users "should not" hold any permissions to resources • Never give explicit user permissions to resources • Difficult for the administrator to manage, and to audit ("who can read this share?" has no quick answer) • Groups hold the permissions
Default Account: Administrator • Most powerful account in the domain • Full control • Cannot be deleted • Can be renamed • Can be disabled • Access to all resources and configuration information • Needs a strong password • Automatically a member of Administrators, Domain Admins, etc. • Renaming it does not hide it: its RID is always 500, so it can still be identified by anyone who can enumerate accounts
Default Account: Guest • Guest • For people who do not have a user account in the domain • No password required (blank by default) • Disabled by default • Provides anonymous access to certain resources on the network • Low-security option • Might be used for visitor access in a kiosk with read-only access; otherwise leave it disabled
Creating User Accounts • Develop an acceptable naming convention • Auditors prefer one named account per person: a shared account cannot be tied to an individual in the logs • Create a user account for every individual on the network • Use ADUC • Select the container you wish to create the user in • Default is the Users folder, or place the user in an organizational unit • Right-click, New, User, enter the information
User Configuration (screenshot slide)
Configuring User Accounts • Additional options to add to or restrict the account on the network • ADUC, right-click, Properties • Informational: address, telephone • Organizational: manager, department • Security • Account tab: logon name, logon hours, workstation restrictions, account options, account expiration • Profile tab: profile path, logon script, home folder • Member Of tab: group memberships • Dial-in tab: remote access permission, callback, static IP address
User Account Security • Logon script: • Map drives for the user • Attach printers • Set system or user variables • Profile: standardize the desktop and restrict the programs and options the user can use • Local • Roaming • Mandatory (read-only; changes are discarded at logoff) • Home folder: each user has their own workspace on the server to store files • Logon hours and workstation restrictions: specify the times and the machines from which the account may log on • Account options: set password options
User Authentication and Authorization • Create an individual user account for each user • Strong passwords • Reduce the risk of "intelligent" guessing and dictionary attacks • Account lockout policy • How many failed logon attempts before the account is locked • Decreases the possibility of an attacker compromising the system through repeated logon attempts (but also lets an attacker who knows user names lock people out on purpose)
Windows 2003 Policies • Account policy • Password restrictions and handling of unsuccessful logon attempts • User rights policy • Determines which users and groups can perform specific actions on the system • Audit policy • Determines the amount and type of security logging • System policy • NT 4-style policy (poledit) that can still provide a uniform environment for legacy clients; there, if a user is in several groups, the highest-priority group's policy applies • Group policy • Group Policy Objects are linked to sites, domains, and OUs and apply to the user and computer objects in those containers, not to security groups; a security group can only filter whether a GPO applies • Processing order is local, site, domain, OU; on conflict the GPO applied last (closest to the object) wins unless a higher link is enforced
Windows 2003 Account Policy • Account policy • Determines how passwords are validated and enforced • Determines how unsuccessful logon attempts are handled • Can be set for OUs, domains, domain controllers, and local computers, but for domain accounts only the domain-level setting counts: Windows Server 2003 supports one password and lockout policy per domain, and an account policy at OU level affects only the local accounts on computers in that OU • Password policy • Account lockout policy • Kerberos policy
Account Policy Options (per-account settings on the Account tab) • User must change password at next logon • Ensures the user is the only person who knows their password • User cannot change password • Use to maintain control over an account (service or shared accounts) • Password never expires • Needs a strong password! • Store password using reversible encryption • Allows users to log on to the Windows network from Apple computers and other clients that need CHAP-style authentication; the password is then recoverable by anyone who can read the directory, so enable it only for the specific accounts that need it • Account is disabled • Prevents the user from logging on • Smart card is required for interactive logon • Requires the user to possess a smart card to log on; requires a smart card reader attached to the computer and a valid PIN • 4 others not discussed in this class
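Creating and configuring one account the way the Creating User Accounts, Configuring User Accounts, User Account Security and Account Policy Options slides describe, with the ActiveDirectory module instead of the ADUC property sheets. This is an added example, not from the slides. Assumed: an OU called Sales, a naming convention of first initial plus surname, a file server FS01 with a Home$ share, a logon script sales.bat in NETLOGON, and workstations SALES-WS01 and SALES-WS02. The logonHours layout (21 bytes, Sunday first, one bit per hour counted in UTC, least significant bit first) is the attribute's documented format; check the result on the Logon Hours dialog, which shows it converted to local time.

```powershell
# Added example (not from the original slides). Assumptions: OU "Sales", file server
# FS01 with share Home$, logon script sales.bat in NETLOGON, workstations SALES-WS01/02.
Import-Module ActiveDirectory

function New-InitialPassword([int]$Length = 16) {
    # Random initial password from a crypto RNG. Characters are drawn round-robin from
    # four classes, so a 16-character result has at least four of each and always meets
    # the domain complexity rule; the order is shuffled afterwards.
    $sets  = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $chars = foreach ($i in 0..($Length - 1)) {
        $set = $sets[$i % $sets.Count]
        $rng.GetBytes($buf)
        $set[$buf[0] % $set.Length]        # tiny modulo bias; acceptable for a one-time password
    }
    -join ($chars | Sort-Object { Get-Random })
}

function New-LogonHours([int[]]$Days, [int]$StartHour, [int]$EndHour) {
    # Builds the 21-byte logonHours attribute: 7 days x 24 hours, one bit per hour,
    # Sunday = day 0, hours in UTC, least significant bit = earliest hour of the byte.
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $idx = [int][math]::Floor($bit / 8)
            $bytes[$idx] = [byte]($bytes[$idx] -bor [int][math]::Pow(2, $bit % 8))
        }
    }
    ,$bytes                                # leading comma keeps it one byte[] object
}

$domain = Get-ADDomain
$ouDN   = "OU=Sales,$($domain.DistinguishedName)"
$sam    = 'jsmith'                         # convention: first initial + surname
$initialPassword = New-InitialPassword

$newUser = @{
    Name                  = 'John Smith'
    GivenName             = 'John'
    Surname               = 'Smith'
    SamAccountName        = $sam
    UserPrincipalName     = "$sam@$($domain.DNSRoot)"
    Path                  = $ouDN                        # the container chosen in ADUC
    Department            = 'Sales'                      # Organization tab
    AccountPassword       = (ConvertTo-SecureString -AsPlainText -Force $initialPassword)
    ChangePasswordAtLogon = $true                        # "User must change password at next logon"
    Enabled               = $true
    ScriptPath            = 'sales.bat'                  # Profile tab: logon script, relative to NETLOGON
    HomeDrive             = 'H:'
    HomeDirectory         = '\\FS01\Home$\' + $sam       # Profile tab: home folder
    LogonWorkstations     = 'SALES-WS01,SALES-WS02'      # Account tab: "Log On To" workstation list
    AccountExpirationDate = (Get-Date).AddMonths(6)      # Account tab: expiry for a fixed-term contract
}
New-ADUser @newUser

# Account tab: logon hours, Monday to Friday 08:00-18:00 (days 1-5; hours are UTC).
Set-ADUser -Identity $sam -Replace @{ logonHours = (New-LogonHours -Days 1,2,3,4,5 -StartHour 8 -EndHour 18) }

# Options to avoid on ordinary users: the first keeps a password valid indefinitely, the
# second stores it recoverably in the directory.
#   Set-ADUser -Identity $sam -PasswordNeverExpires $true -AllowReversiblePasswordEncryption $true
# For a smart-card-only account (Windows then assigns a random password, so drop
# ChangePasswordAtLogon):
#   Set-ADUser -Identity $sam -SmartcardLogonRequired $true

# Hand the initial password over out of band, then verify what was set.
Write-Host "Initial password for ${sam}: $initialPassword"
Get-ADUser -Identity $sam -Properties Department, ScriptPath, HomeDirectory, LogonWorkstations, AccountExpirationDate, logonHours, PasswordExpired | Format-List
```

The two helper functions are the part the GUI hides: the password generator guarantees the complexity rule is met before the account is handed out, and the logonHours builder shows what the Logon Hours grid actually writes to the directory.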
Password Policy • Enforce password history • Number of passwords that must be used before an old password can be reused (0 to 24) • Maximum password age • If 0, passwords never need to be changed • Minimum password age • If 0, passwords can be changed at any time • Used to prevent "recycling" straight back to a previous password by cycling through the history • Minimum password length • 0 to 14 characters; if 0, passwords are not required • Passwords must meet complexity requirements • At least three of: uppercase, lowercase, numeric, and special characters; and the password may not contain the user name • Store passwords using reversible encryption for all users (leave disabled)
Account Lockout Policy • Account lockout threshold • Number of consecutive unsuccessful logon attempts before the account is locked • If 0 (or not defined), accounts are never locked • Account lockout duration • How long accounts remain locked • 0 to 99,999 minutes; if 0, the account stays locked until an administrator re-enables it • Reset account lockout counter after • How long after the last bad logon attempt the threshold counter is reset to 0 • 1 to 99,999 minutes, and no longer than the lockout duration • Defining the threshold alone defaults the other two to 30 minutes • Caveat: a low threshold lets anyone who knows user names lock accounts on purpose, and a duration of 0 turns that into a help-desk denial of service
Kerberos Policy • Governs the tickets that domain controllers issue for domain authentication • Enforce user logon restrictions (check the user's logon rights on every ticket request) • Maximum lifetime for service ticket (default 600 minutes) • Maximum lifetime for user ticket (default 10 hours) • Maximum lifetime for user ticket renewal (default 7 days) • Maximum tolerance for computer clock synchronization (default 5 minutes; clients whose clocks drift further fail authentication)
Setting Account Policies • Effective after the policy has refreshed and the user logs off and back on again • In Administrative Tools, • For the domain, select Domain Security Policy • For domain controllers, select Domain Controller Security Policy • For an OU, open Active Directory Users and Computers, then the OU's Properties, Group Policy tab (password and lockout settings placed here affect only local accounts on computers in the OU) • For a local computer, use the Control Panel Administrative Tools applet and select Local Security Policy
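The password and lockout settings from the last four slides, read and set with the ActiveDirectory module against the Default Domain Policy, which is where they take effect for domain accounts. This is an added example, not from the slides; the numbers are illustrative choices, not values the slides prescribe, and the Kerberos settings have no cmdlet in this module and stay in the Group Policy editor.

```powershell
# Added example (not from the original slides): inspect, harden and unlock.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

function Test-DomainAccountPolicy([string]$Domain = (Get-ADDomain).DNSRoot) {
    # Returns one line per weak setting; empty output means the policy passes these checks.
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()
    if ($p.PasswordHistoryCount -lt 24) { $findings += "History $($p.PasswordHistoryCount) < 24: old passwords come back too soon" }
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero -or $p.MaxPasswordAge -eq [TimeSpan]::MaxValue) {
        $findings += 'Maximum age 0: passwords never expire'
    }
    if ($p.MinPasswordAge -eq [TimeSpan]::Zero) { $findings += 'Minimum age 0: the history can be cycled through in one sitting' }
    if ($p.MinPasswordLength -lt 14)            { $findings += "Minimum length $($p.MinPasswordLength) < 14" }
    if (-not $p.ComplexityEnabled)              { $findings += 'Complexity requirements off' }
    if ($p.ReversibleEncryptionEnabled)         { $findings += 'Reversible encryption on: passwords recoverable from the directory' }
    if ($p.LockoutThreshold -eq 0) {
        $findings += 'Lockout threshold 0: unlimited online guessing'
    } elseif ($p.LockoutDuration -eq [TimeSpan]::Zero) {
        $findings += 'Lockout duration 0: accounts stay locked until an admin unlocks them (easy denial of service)'
    }
    $findings
}

Test-DomainAccountPolicy $domain                 # what the domain has now

Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)   # must not exceed the lockout duration

if (Test-DomainAccountPolicy $domain) { Write-Warning 'Policy still weak' } else { 'Policy meets the checks' }

# Lockout in practice: list locked accounts, confirm with the owner, then unlock.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate, LockedOut
# Unlock-ADAccount -Identity jsmith
```

A threshold of 10 with a 30-minute window is a deliberate middle ground: low enough to stop online dictionary attacks, high enough that a user with a stale cached password on a second device does not lock themselves out within a minute.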
User Rights Policies (examples) • Force shutdown from a remote system • Access this computer from the network • Log on locally • Back up files and directories; Restore files and directories • Change the system time • Load and unload device drivers • Manage auditing and security log • Shut down the system • Take ownership of files or other objects
Audit Policies • Event Viewer shows the events specified by the audit policy • Auditing must be enabled in the Audit Policy window; otherwise the Security log stays empty • System log • System errors, driver errors, etc. • Security log • Bad logon attempts, object access, policy changes • Application log • Each message has an event ID number • Logs have a "maximum" size before they overwrite; size and archive them so events are not lost before anyone reviews them • Be selective in auditing; it creates "overhead"
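Putting the lockout and audit slides together: a failed-logon summary from the Security log, compared with the domain lockout threshold. This is an added example, not from the slides. It assumes failure auditing of logon events is enabled, that it runs on the domain controller that authenticates the accounts, and that the event messages carry the "User Name:" or "Account Name:" and "Workstation Name:" labels (verify against your own log; the wording differs between versions). Event IDs 529 and 675 are the Windows Server 2003 bad-password and Kerberos pre-authentication failures; 4625 and 4771 are their equivalents on Windows Server 2008 and later.

```powershell
# Added example (not from the original slides). Assumptions as stated in the lead-in.
Import-Module ActiveDirectory

$FailureIds = 529, 675, 4625, 4771   # 2003: bad password, Kerberos pre-auth failed; 2008+: equivalents

function Get-FailedLogonEvents([int]$WindowMinutes = 30) {
    # One row per failed logon in the window: who, from where, when.
    $since   = (Get-Date).AddMinutes(-$WindowMinutes)
    $pattern = '(?:User Name|Account Name):\s+(\S+)'
    $events  = Get-EventLog -LogName Security -EntryType FailureAudit -After $since |
               Where-Object { $FailureIds -contains $_.EventID }
    foreach ($e in $events) {
        $m = [regex]::Matches($e.Message, $pattern)
        if ($m.Count -eq 0) { continue }
        # 4625 lists the subject's account first and the target account last.
        $account = $m[$m.Count - 1].Groups[1].Value
        $source  = if ($e.Message -match 'Workstation Name:\s+(\S+)') { $Matches[1] } else { '-' }
        New-Object PSObject -Property @{
            Time = $e.TimeGenerated; EventID = $e.EventID; Account = $account; Source = $source
        }
    }
}

function Get-FailedLogonSummary([int]$WindowMinutes = 30, [int]$Threshold = 0) {
    # Per-account counts against the lockout threshold (0 = read it from the domain policy).
    if ($Threshold -eq 0) {
        $Threshold = (Get-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot).LockoutThreshold
    }
    Get-FailedLogonEvents -WindowMinutes $WindowMinutes | Group-Object Account | ForEach-Object {
        New-Object PSObject -Property @{
            Account     = $_.Name
            Failures    = $_.Count
            Sources     = (@($_.Group | Select-Object -ExpandProperty Source -Unique) -join ',')
            NearLockout = ($Threshold -gt 0 -and $_.Count -ge [math]::Ceiling($Threshold / 2))
        }
    } | Sort-Object Failures -Descending
}

function Get-PasswordSprayCandidates([int]$WindowMinutes = 30, [int]$MinAccounts = 10) {
    # Spraying keeps every account under the threshold but touches many accounts from one
    # source, so the per-account view above misses it; group by source instead.
    $props = @(
        @{ n = 'Source';   e = { $_.Name } },
        @{ n = 'Accounts'; e = { @($_.Group | Select-Object -ExpandProperty Account -Unique).Count } },
        @{ n = 'Attempts'; e = { $_.Count } }
    )
    Get-FailedLogonEvents -WindowMinutes $WindowMinutes | Group-Object Source |
        Where-Object { @($_.Group | Select-Object -ExpandProperty Account -Unique).Count -ge $MinAccounts } |
        Select-Object $props
}

Get-FailedLogonSummary | Format-Table Account, Failures, Sources, NearLockout -AutoSize
Get-PasswordSprayCandidates | Format-Table -AutoSize
```

Run it with the same window as the "Reset account lockout counter after" setting so the counts line up with what the domain controller itself is counting; an account flagged NearLockout with several distinct sources is usually a forgotten saved credential, while one source hitting many accounts is an attacker staying under the threshold.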