MANAGING USERS AND GROUPS
Chapter 13
Chapter 13: MANAGING USERS AND GROUPS 2
OVERVIEW
Configure and manage user accounts
Manage user account properties
Manage user and group rights
Configure user account policy
Manage and troubleshoot cached credentials
USER ACCOUNTS
Identify users to the system and to each other
Used to grant access to resources
Collect information about users
Extra
You grant users access to resources by associating their security identifier (SID), the part of their identity that Windows actually checks, with the discretionary access control lists (DACLs) that belong to objects.
Each such association is recorded as an access control entry (ACE). The ACE, not the user name, is the foundation for security in Windows XP, which is why renaming an account changes nothing about what it can reach.
GROUPS
Collections of user accounts
Simplify access to resources
Can be used for security and messaging (Active Directory)
Active Directory?
In Active Directory, groups can be designated for security or distribution. Distribution groups are used to simplify messaging.
In Active Directory, user accounts are even more important—they are the repository for data about the user. They can contain a user’s address, phone/fax numbers, and even personnel data.
BUILT-IN USER ACCOUNTS
Configured during setup
Used for administration or guest access
Can be renamed but not deleted
More detail…
Built-in accounts are created during setup of the operating system:
The Administrator account is intended for system administration tasks and has the appropriate rights and permissions to perform any maintenance and configuration task on the system.
The Administrator account can be renamed, but it keeps its distinctive SID (relative identifier 500), so anyone who can enumerate SIDs finds it whatever it is called. It is a favorite target for attackers because account lockout policy does not apply to it, which leaves it open to unlimited password guessing.
The Guest account is for granting temporary access to guests. It is disabled by default. This account does not have any administrative function or permissions.
The Guest account is usually left disabled, and guests are instead added to the Guests local group.
The System account (LocalSystem) cannot log on interactively, but it is the account most system processes and services run under.
It is at least as powerful as the Administrator account: its token is a member of the local Administrators group and holds privileges, such as Act as part of the operating system, that Administrator does not have by default. A service running as System that can be made to execute attacker-supplied code therefore gives up the whole machine.
BUILT-IN GROUPS
Created during setup
Designed for specific use or administrative roles (for example, Administrators, Users, Guests, Backup Operators)
User accounts can be added as members
Built-in groups themselves cannot be deleted; only their membership changes
IMPLICIT GROUPS
Membership is assigned by the system at logon or at access time and can change dynamically
Do not appear in user administration tools, and their membership cannot be edited there
Used to grant permissions based on circumstances
Used to control access to resources based on how those resources are accessed, for example Everyone, Authenticated Users, INTERACTIVE (logged on at the console) and NETWORK (connecting over the network)
SERVICE ACCOUNTS
Grant services access to system resources
Include built-in and user-defined accounts
Require special accommodations
Service accounts allow system services and services required by installed applications to access resources. Permissions can be granted to the accounts as if they were real users.
Built-In Service Accounts
The built-in service accounts are Local System, Local Service, and Network Service. Local Service and Network Service run with reduced privileges; Network Service presents the computer's credentials on the network, while Local Service presents anonymous credentials. A service can run under a user-defined account only if that account holds the required user rights, such as Log On As A Service. Such accounts should be configured so that their passwords do not expire, because an expired password stops the service at its next start; rotate them deliberately instead.
Some service accounts, such as IUSR_<system name>, are created by Windows XP to support IIS and other applications.
DOMAIN ACCOUNTS AND GROUPS
Include built-in and user-defined accounts and groups
Provide logon and resource access on the local system
Can be placed into local groups
LOCAL USERS AND GROUPS
CONTROL PANEL USER ACCOUNTS
ACTIVE DIRECTORY USERS AND COMPUTERS
MANAGING USERS WITH NET.EXE
The NET USER command can be called from batch files to automate repetitive management tasks and is useful for scripted account additions and changes. Check ERRORLEVEL after every call, because net.exe reports failures such as "The account already exists" only through its exit code and console text, and do not embed fixed passwords in the batch file: anything on the command line is visible to other local users while the process runs.
PLANNING USERS AND GROUPS
USER ACCOUNT NAMING CONVENTIONS
PASSWORD COMPLEXITY
Create passphrases
Use uppercase, lowercase, and nonalphanumeric characters
Consider enforcing complexity with Group Policy
The two main attacks against passwords:
Dictionary attack, where the attacker tries words and word combinations, usually with common substitutions and appended digits, to guess the password
Brute force attack, where the attacker tries every combination of letters, numbers, and special characters until the password is found; its cost grows with the size of the character set but far faster with the length, which is why a long passphrase resists it better than a short complex password
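As an added example (not part of the original slides), the following PowerShell implements the test Windows applies when the "Password must meet complexity requirements" policy is enabled, and then counts the guesses each attack style needs. The sample passwords, the word-list size and the rule count are constructed for illustration.

```powershell
# Added example, not from the original slides: the complexity test Windows
# applies, plus a rough guess count for brute-force and dictionary attacks.
# Sample passwords and attack sizes below are constructed.

function Test-WindowsPasswordComplexity {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [Parameter(Mandatory=$true)][string]$AccountName,
        [string]$FullName = ''
    )
    $problems = @()
    if ($Password.Length -lt 6) { $problems += 'shorter than 6 characters' }

    # Characters from at least three of four categories (-cmatch is case-sensitive).
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $problems += "only $categories of 4 character categories" }

    # Must not contain the account name, nor any part of the full name longer
    # than two characters (parts are split on spaces, commas, periods, dashes,
    # underscores and pound signs); both comparisons are case-insensitive.
    $lower = $Password.ToLower()
    if ($AccountName -and $lower.Contains($AccountName.ToLower())) {
        $problems += 'contains the account name'
    }
    foreach ($part in ($FullName -split '[\s,.\-_#]+' | Where-Object { $_.Length -gt 2 })) {
        if ($lower.Contains($part.ToLower())) { $problems += "contains '$part' from the full name" }
    }

    New-Object PSObject -Property @{
        Password = $Password
        Complex  = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

function Get-GuessCount {
    # Candidates a brute-force search must try for every string of 1..$Length
    # symbols over an alphabet of $AlphabetSize, and for a dictionary attack
    # over $Words words with $Rules mangling rules each (capitalise, append
    # digits, leetspeak...). Both sizes are assumed, not measured.
    param([int]$AlphabetSize, [int]$Length, [long]$Words = 200000, [int]$Rules = 1000)
    $brute = 0.0
    for ($n = 1; $n -le $Length; $n++) { $brute += [math]::Pow($AlphabetSize, $n) }
    New-Object PSObject -Property @{
        BruteForce = $brute
        Dictionary = [double]($Words * $Rules)
    }
}

# Constructed samples. The passphrase fails the policy although it is by far the
# strongest candidate: the space counts as a symbol, but there is no upper-case
# letter or digit, so only two categories are present.
$samples = @(
    @{ Password = 'Summer2004!';                  Account = 'jdoe'; Full = 'Jane Doe' },
    @{ Password = 'JaneDoe1!';                    Account = 'jdoe'; Full = 'Jane Doe' },
    @{ Password = 'correct horse battery staple'; Account = 'jdoe'; Full = 'Jane Doe' }
)
foreach ($s in $samples) {
    Test-WindowsPasswordComplexity -Password $s.Password -AccountName $s.Account -FullName $s.Full
}

# 8 symbols from the 94 printable ASCII characters versus a 28-character
# lower-case passphrase (26 letters plus space): the second is beyond brute
# force, so only a dictionary of known phrases reaches it.
Get-GuessCount -AlphabetSize 94 -Length 8
Get-GuessCount -AlphabetSize 27 -Length 28
```

The first sample passes the policy yet falls to any season-plus-year dictionary rule, the second fails on the full-name rule, and the third fails on categories despite its length; the well-known "correct horse battery staple" is itself in every attacker's word list, which is the point of the dictionary figure. Enforcing complexity with Group Policy removes the weakest passwords, not the guessable ones.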
CHANGING HOW USERS LOG ON OR LOG OFF
MANAGING USERS WITH LOCAL USERS AND GROUPS
USER RIGHTS ASSIGNMENT
MANAGING GROUPS WITH LOCAL USERS AND GROUPS
MANAGING GROUPS WITH NET.EXE
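As an added example (not from the original slides) covering both the NET USER and the NET LOCALGROUP slides, the PowerShell below drives net.exe exactly as a batch file would, but checks the exit code of every call and generates the initial password instead of hard-coding it. The account list, the comments and the target group are constructed for the example.

```powershell
# Added example, not from the original slides: automate NET USER and
# NET LOCALGROUP from PowerShell with exit-code checking. The user list is
# constructed; in practice it comes from Import-Csv or an HR feed.

function Invoke-Net {
    # Run net.exe and fail loudly: net.exe reports "The account already exists"
    # and similar errors only through its exit code and console text, which a
    # batch file that ignores %ERRORLEVEL% silently steps over.
    param([string[]]$Arguments)
    $output = & net.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "net $($Arguments -join ' ') failed with exit code ${LASTEXITCODE}: $output"
    }
    $output
}

function New-InitialPassword {
    # 9 random bytes -> 12 base64 characters: enough for the default complexity
    # policy, and short enough to avoid the interactive "longer than 14
    # characters, continue? (Y/N)" prompt net.exe raises, which would hang an
    # unattended script.
    $bytes = New-Object byte[] 9
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function New-LocalUserFromList {
    param([hashtable[]]$Users, [string]$Group = 'Users')
    foreach ($u in $Users) {
        $password = New-InitialPassword
        # /passwordchg:yes lets the user change the password; /active:yes enables the account.
        Invoke-Net @('user', $u.Name, $password, '/add', "/fullname:$($u.FullName)",
                     "/comment:$($u.Comment)", '/passwordchg:yes', '/active:yes') | Out-Null
        Invoke-Net @('localgroup', $Group, $u.Name, '/add') | Out-Null
        # Return the initial password to the caller for out-of-band delivery;
        # never write it to a log file or echo it to the console.
        New-Object PSObject -Property @{ Name = $u.Name; InitialPassword = $password }
    }
}

function Disable-LocalUser {
    # Offboarding: disable rather than delete, so the SID and the ACEs that
    # reference it stay intact for audit and can be reviewed before removal.
    param([string]$Name)
    Invoke-Net @('user', $Name, '/active:no') | Out-Null
}

# Constructed input.
$newUsers = @(
    @{ Name = 'jdoe';   FullName = 'Jane Doe';  Comment = 'Accounting' },
    @{ Name = 'bsmith'; FullName = 'Bob Smith'; Comment = 'Help desk' }
)
New-LocalUserFromList -Users $newUsers -Group 'Users'
Disable-LocalUser -Name 'bsmith'
```

The password still travels on the net.exe command line, where any local user can read it from the process list for the fraction of a second the command runs; that is inherent to NET USER, so treat it as an initial password that must be changed at first logon.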
MANAGING USERS WITH USER ACCOUNTS
USER MANAGEMENT BEST PRACTICES
Give administrators a limited account for nonadministrative use
Limit the number of users in the Administrators group
Rename or disable the Administrator account
Rename and leave the Guest account disabled
Observe the principle of least privilege
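As an added example (not from the original slides), the PowerShell below audits a machine against the practices listed above through WMI, keying on SIDs rather than names so that a renamed Administrator or Guest is still recognised. The member threshold for the Administrators group is an assumed local policy value.

```powershell
# Added example, not from the original slides: audit local accounts against
# the best practices above using WMI. $MaxAdmins is an assumed policy value.

function Test-LocalAccountHygiene {
    param([int]$MaxAdmins = 2)
    $computer = $env:COMPUTERNAME
    $findings = @()

    # Restricting to Domain=<computer> stops WMI enumerating the whole domain
    # on a domain-joined machine, which can take minutes.
    $localUsers = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Domain='$computer'"

    # The built-in Administrator always has relative identifier 500, Guest 501,
    # so the checks work whatever the accounts have been renamed to.
    $builtinAdmin = $localUsers | Where-Object { $_.SID -match '-500$' }
    $builtinGuest = $localUsers | Where-Object { $_.SID -match '-501$' }

    if ($builtinAdmin.Name -eq 'Administrator') {
        $findings += 'RID 500 account still carries the default name Administrator'
    }
    if (-not $builtinAdmin.Disabled) {
        $findings += "RID 500 account '$($builtinAdmin.Name)' is enabled; lockout policy never applies to it"
    }
    if ($builtinGuest.Name -eq 'Guest') {
        $findings += 'RID 501 account still carries the default name Guest'
    }
    if (-not $builtinGuest.Disabled) {
        $findings += "RID 501 account '$($builtinGuest.Name)' is enabled"
    }

    # Members of the local Administrators group (well-known SID S-1-5-32-544),
    # resolved through the Win32_GroupUser association so that domain users and
    # nested domain groups appear alongside local accounts.
    $adminGroup = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
    $query = "ASSOCIATORS OF {Win32_Group.Domain='$computer',Name='$($adminGroup.Name)'} " +
             "WHERE AssocClass=Win32_GroupUser Role=GroupComponent"
    $members = @(Get-WmiObject -Query $query | ForEach-Object { "$($_.Domain)\$($_.Name)" })
    if ($members.Count -gt $MaxAdmins) {
        $findings += "Administrators has $($members.Count) members (limit $MaxAdmins): $($members -join ', ')"
    }

    # Whether each administrator also has a limited account for daily work
    # cannot be inferred from the machine, so the member list is returned for review.
    New-Object PSObject -Property @{
        Computer       = $computer
        Administrators = $members
        Findings       = $findings
    }
}

Test-LocalAccountHygiene -MaxAdmins 2
```

Run it with administrative rights; Win32_GroupUser associations for a domain-joined machine resolve against the domain, so a disconnected notebook may list SIDs instead of names for domain members.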
MANAGING USER RIGHTS ASSIGNMENTS
MANAGING PASSWORD POLICY
MANAGING ACCOUNT LOCKOUT POLICY
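As an added example (not from the original slides) covering the password policy and account lockout policy slides, the PowerShell below exports the local security policy with secedit.exe, compares the password and lockout settings with a baseline, and applies the baseline through the same tool. The baseline values are assumptions for the example; the key names are the ones secedit writes under [System Access].

```powershell
# Added example, not from the original slides: read, compare and apply the
# local password and lockout policy with secedit.exe. Baseline values are
# assumed for the example.

function Get-LocalSecurityPolicy {
    # secedit writes a Unicode .inf: [System Access] holds password and lockout
    # settings, [Privilege Rights] the user rights assignments.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
    $policy = @{}
    $section = ''
    foreach ($line in Get-Content $inf -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $policy["$section/$($matches[1])"] = $matches[2] }
    }
    Remove-Item $inf
    $policy
}

# Assumed baseline. LockoutBadCount = 0 means lockout is off, -1 for a password
# age means "never". Lockout values are minutes, password ages are days.
$baseline = @{
    'System Access/MinimumPasswordLength' = 12
    'System Access/PasswordComplexity'    = 1
    'System Access/PasswordHistorySize'   = 24
    'System Access/MaximumPasswordAge'    = 90
    'System Access/LockoutBadCount'       = 10
    'System Access/ResetLockoutCount'     = 30
    'System Access/LockoutDuration'       = 30
}

function Compare-LocalSecurityPolicy {
    param([hashtable]$Baseline)
    $current = Get-LocalSecurityPolicy
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $actual = $current[$key]
        New-Object PSObject -Property @{
            Setting  = $key
            Expected = $Baseline[$key]
            Actual   = $actual
            Ok       = ([string]$actual -eq [string]$Baseline[$key])
        }
    }
}

function Set-LocalSecurityPolicy {
    # Write only the [System Access] keys into a minimal template and let
    # secedit configure the SECURITYPOLICY area from it.
    param([hashtable]$Baseline)
    $inf = Join-Path $env:TEMP 'secpol-apply.inf'
    $db  = Join-Path $env:TEMP 'secpol-apply.sdb'
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[System Access]')
    foreach ($key in $Baseline.Keys) {
        if ($key -like 'System Access/*') { $lines += "$($key.Split('/')[1]) = $($Baseline[$key])" }
    }
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /overwrite /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

Compare-LocalSecurityPolicy -Baseline $baseline | Format-Table Setting, Expected, Actual, Ok -AutoSize
# Set-LocalSecurityPolicy -Baseline $baseline   # apply only after reviewing the comparison
```

On a domain member, settings delivered by Group Policy win over anything applied locally and are re-applied at the next refresh, so the comparison is the useful part there; the apply step is for standalone machines. Remember that the lockout settings never affect the built-in Administrator account.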
CACHED CREDENTIALS
Cached credentials are used for mobile systems that are not always connected to a domain, and to speed startup and logon by letting users log on before network services are fully started. Windows stores a verifier derived from the password (not the password itself) for the last 10 domain logons by default, under HKLM\SECURITY, where only SYSTEM can read it; a stolen notebook still exposes those verifiers to offline cracking. Cached credentials follow these rules:
Users must log on to the domain once to cache credentials for future logons.
Users whose passwords were changed might be able to log on with their previous password until they next log on while connected to the domain.
Disabled or deleted users can log on if their cached credentials have not been deleted, so disabling an account in the domain does not by itself lock a departed user out of an offline notebook.
MANAGING CACHED CREDENTIALS
TROUBLESHOOTING CACHED CREDENTIALS
Cached credentials are out of date
User does not have credentials cached
Cached credentials are disabled on a notebook computer
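As an added example (not from the original slides) covering both the managing and the troubleshooting slides, the PowerShell below reads and sets CachedLogonsCount, the registry value behind the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", and maps the three troubleshooting cases above to checks a help desk can run. The LOGONSERVER heuristic is an assumption noted in the code, not a documented interface.

```powershell
# Added example, not from the original slides: inspect, change and diagnose
# credential caching through the CachedLogonsCount value. The LOGONSERVER
# test below is a heuristic assumption.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Stored as REG_SZ; when the value is absent Windows uses its default of 10.
    $item = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($item -eq $null) { 10 } else { [int]$item.CachedLogonsCount }
}

function Set-CachedLogonsCount {
    # 0 disables caching entirely (no offline logon on notebooks); 50 is the maximum.
    # The new value governs future logons only; it does not purge existing entries.
    param([ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

function Test-CachedLogonState {
    $count = Get-CachedLogonsCount
    $domainAccount = ($env:USERDOMAIN -ne $env:COMPUTERNAME)
    # Assumption: when a domain user was logged on from the cache, LOGONSERVER
    # names the local machine instead of a domain controller.
    $fromCache = $domainAccount -and ($env:LOGONSERVER -eq "\\$env:COMPUTERNAME")
    $dcReachable = $false
    if ($domainAccount) {
        # The domain's DNS name resolves to its domain controllers; a TCP connect
        # to LDAP (389) is a good enough "the domain is reachable" test.
        try {
            $client = New-Object System.Net.Sockets.TcpClient
            $client.Connect($env:USERDNSDOMAIN, 389)
            $dcReachable = $client.Connected
            $client.Close()
        } catch { $dcReachable = $false }
    }
    $advice = if ($count -eq 0) {
        'Caching is disabled: raise CachedLogonsCount before the notebook leaves the network'
    } elseif ($fromCache -and $dcReachable) {
        'Cache is stale or missing: log off and on while the domain is reachable to refresh it'
    } elseif ($fromCache) {
        'Running on cached credentials: a domain password change is not reflected until the next online logon'
    } else {
        'Online domain logon: this logon refreshed the cache'
    }
    New-Object PSObject -Property @{
        CachedLogonsCount = $count
        CachingDisabled   = ($count -eq 0)
        DomainAccount     = $domainAccount
        LoggedOnFromCache = $fromCache
        DomainReachable   = $dcReachable
        Advice            = $advice
    }
}

Test-CachedLogonState
```

Setting the value to 0 on notebooks trades offline logon for the assurance that a lost device carries no password verifiers; on desktops that never leave the network it is the safer default.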
SUMMARY
User accounts help manage resource access.
User groups simplify administration.
Naming conventions uniquely identify users.
Complex passwords strengthen security.
Cached credentials allow access when the domain is unavailable.