Monday, September 8, 2008

Reflective Journal Week 9

This week we started with a workshop which focused on providing client access and security.

Before completing the class activity we installed Windows Server 2003 with Active Directory.

1. Recommendations for good passwords.

$izable1
Chelseafc1
$au$age$

2. User accounts: details of the Chisholm account, such as the acceptable usage policy, passwords, expiry dates etc.

Class activity
We created a user account on a college network PC in room R202.

1. Click start and all programs
2. Click administrative tools & active directory users & computers
3. Right-click the Users folder in the left hand pane. Select New, then enter.
4. The New Object – User dialog box appears. Enter the details as follows:

First name: John
Last name: Smith
User logon name: jsmith

5. Click Next. The dialog box that opens gives the following account options:
o User must change password at next logon - user must change their password the first time they logon
o User cannot change password – only the administrator can change the password
o Password never expires – password never needs to change
o Account is disabled – prevents the use of the user account. This might be set if the user has not yet started at the organisation
6. The most common choice here is to check User must change password at next logon and enter a default password.
7. Click Next, then click Finish
Configuring additional User settings
8. To configure additional settings for the new user, double click on the user you have just created in the Users folder
9. The John Smith Properties dialog box appears
10. Click the Account tab
11. Click the Logon Hours... button. The Logon Hours dialog box for jsmith is displayed
12. By default, logon is permitted Sunday through Saturday from 12:00AM to 12:00AM
13. To restrict the logon hours, use the mouse to select the time range where logon is permitted and then click the Logon Denied radio button
14. Click Ok
15. Click the Log On To... button. The Logon Workstations dialog box is displayed
16. By default Users are permitted to log on to all workstations
17. If you want to restrict the user to a particular workstation or workstations, click the The following computers radio button, enter the name of the workstation the user is permitted to log on to in the Computer name: box, then click the Add button. Enter the computer name of each workstation that the user is restricted to.
18. When finished, click the OK button
19. Click OK
20. Exit Active Directory Users and Computers
21. To test your account, log on at the client workstation as the user you have just created
Create additional users
Using Active Directory Users and Computers on your server, create the following three users:
• pnyugen (Peter Nyugen)
• atan (Amy Tan)
• thansen (Trevor Hansen)
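The same accounts and logon restrictions as the GUI steps above, as an added PowerShell example that is not part of the original workshop. It assumes the ActiveDirectory module (RSAT / Server 2008 R2 or later; the module did not ship with Server 2003), a placeholder UPN suffix example.local and a placeholder workstation name R202-PC01.

```powershell
# Added example (not part of the original workshop): the accounts the GUI steps
# create, built with the ActiveDirectory PowerShell module. Assumes RSAT /
# Server 2008 R2 or later, a placeholder UPN suffix of example.local and a
# placeholder workstation name.
Import-Module ActiveDirectory

# Build the 21-byte logonHours value AD stores: one bit per hour, Sunday 00:00
# first, least-significant bit first within each byte. AD reads the bits as UTC,
# so pass the permitted window already converted to UTC.
function New-LogonHours {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)   # Days: 0=Sun .. 6=Sat
    $bits = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $hourIndex = ($day * 24) + $h
            $byte = [int][math]::Floor($hourIndex / 8)   # a bare [int] cast would round
            $bits[$byte] = $bits[$byte] -bor (1 -shl ($hourIndex % 8))
        }
    }
    return $bits
}

# Prompt for the default password the page mentions rather than hard-coding it.
$initialPassword = Read-Host -AsSecureString 'Initial password (changed at first logon)'

# Steps 4-7: create jsmith, enabled, with "User must change password at next logon".
New-ADUser -Name 'John Smith' -GivenName 'John' -Surname 'Smith' `
    -SamAccountName 'jsmith' -UserPrincipalName 'jsmith@example.local' `
    -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true

# Steps 11-17: permit logon only Monday-Friday 08:00-18:00 UTC and only from one
# named workstation (R202-PC01 is a placeholder; the page names none).
Set-ADUser -Identity 'jsmith' -LogonWorkstations 'R202-PC01' `
    -Replace @{ logonHours = (New-LogonHours -Days 1,2,3,4,5 -StartHour 8 -EndHour 18) }

# "Create additional users": same account options, no logon restrictions.
$extraUsers = @(
    @{ Sam = 'pnyugen'; First = 'Peter';  Last = 'Nyugen' },
    @{ Sam = 'atan';    First = 'Amy';    Last = 'Tan' },
    @{ Sam = 'thansen'; First = 'Trevor'; Last = 'Hansen' }
)
foreach ($u in $extraUsers) {
    New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@example.local" `
        -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
}

# Confirm the restrictions took effect (pwdLastSet 0 = must change at next logon).
Get-ADUser -Identity 'jsmith' -Properties LogonWorkstations, logonHours, pwdLastSet |
    Select-Object SamAccountName, Enabled, LogonWorkstations, pwdLastSet
```

The Logon Hours dialog shows the hours in the server's local time, so compare its grid against the UTC window passed to New-LogonHours when checking the result.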
Activity 4
To complete this activity you need to be logged on to the server with administrator privileges.
Creating a Global Security Group
1. Click Start, and then click All Programs
2. Click Administrative tools, and then click Active Directory Users and Computers
3. Right-click the Users folder in the left hand pane. Select New then Group
4. The New Object – Group dialog box appears. Enter the following group details:
Group Name: finance
Group scope: global
Group type: security
5. Click OK to create the group
6. To add members to the group, double click the group you just created and the Select Users, Contacts, or Computers dialog box appears
7. In the Enter the object names to select (examples): box, type in the name of the user you want to add to the group, e.g. jsmith
8. Click the Check Names button to check that the directory can find the required user
9. Click OK
10. Users can also be added to groups by double clicking the user and then clicking the Member of tab
11. The Select Groups dialog box appears. Enter the group name. Check the name and then click OK
Create an additional group
Using Active Directory Users and Computers on your server, create a global security group called teachers. Make pnyugen and atan members of the teachers global group.
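The finance and teachers groups from Activity 4, as an added PowerShell example that is not part of the original workshop. It assumes the ActiveDirectory module (RSAT / Server 2008 R2 or later) and that the users created in the previous activity already exist.

```powershell
# Added example (not part of the original workshop): the finance and teachers
# global security groups and their members, built with the ActiveDirectory module
# (assumes RSAT / Server 2008 R2 or later and that the earlier users exist).
Import-Module ActiveDirectory

function Initialize-GlobalSecurityGroup {
    param([string]$Name, [string[]]$Members)
    # Idempotent: a second run must neither fail nor create a duplicate group.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if (-not $group) {
        $group = New-ADGroup -Name $Name -SamAccountName $Name `
            -GroupScope Global -GroupCategory Security -PassThru
    }
    # Add-ADGroupMember skips members that are already in the group.
    Add-ADGroupMember -Identity $group -Members $Members
    # Return the resulting membership so the caller can check it.
    return (Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
}

Initialize-GlobalSecurityGroup -Name 'finance'  -Members 'jsmith'
Initialize-GlobalSecurityGroup -Name 'teachers' -Members 'pnyugen', 'atan'

# The reverse view, equivalent to the "Member of" tab on a user: atan should now
# list teachers (Global, Security) alongside the default Domain Users group.
Get-ADPrincipalGroupMembership -Identity 'atan' |
    Select-Object Name, GroupScope, GroupCategory
```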
Activity 5
To complete this activity you need to be logged on to the server with administrative privileges
In this activity you will create an auditing policy and then review the audit logs
Creating the audit policy
1. Logon to the server as administrator
2. Click Start, and then click All Programs
3. Click Administrative tools, and then click Domain Controller Security Policies
4. In the left hand pane, select Local Policies and then Audit Policy
5. Double click Audit account logon events and the Audit account logon events Properties dialog box appears. Check the Success and Failure check boxes. Click Apply, then OK
6. Close Domain Controller Security Policies
Viewing the audit logs
7. Logon to the server as administrator
8. Click Start, and then click All Programs
9. Click Administrative tools, and then click Event Viewer
10. To view the account logon events that have been logged, double click Security in the left hand pane
11. To view details about a specific event, double click on the event
12. Each event is identified by an Event ID. Event ID 538 signifies that “The logoff process was completed for a user”
13. If you want to know more about the event, visit TechNet at Microsoft at http://technet.microsoft.com/en-us/default.aspx and search for event ID 538
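The audit check and log review from Activity 5 in script form, as an added example that is not part of the original workshop. It assumes Windows PowerShell on a Vista/2008-or-later domain controller with rights to read the Security log; 528/529/538 are the Server 2003 event IDs the page refers to, and later versions log the same events as 4624/4625/4634. The ReplacementStrings indexes for the account name follow the documented field order of each event and should be verified against your own log.

```powershell
# Added example (not part of the original workshop): confirms logon auditing is
# enabled and summarises the Security log by account, as steps 10-13 describe.
# Assumes Windows PowerShell on a Vista/2008-or-later domain controller with
# rights to read the Security log. 528/529/538 are the Server 2003 event IDs the
# page refers to; later versions log the same events as 4624/4625/4634.

# The command-line view of what Domain Controller Security Policy shows.
auditpol.exe /get /category:"Logon/Logoff"

# Per event ID: what it means, and which ReplacementStrings slot holds the
# account name (assumed from the documented field order; verify on your log).
$logonEvents = @{
    528  = @('Logon success', 0); 4624 = @('Logon success', 5)
    529  = @('Logon failure', 0); 4625 = @('Logon failure', 5)
    538  = @('Logoff',        0); 4634 = @('Logoff',        1)
}

function Get-LogonSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-EventLog -LogName Security -After $Since -InstanceId ([long[]]$logonEvents.Keys) |
        ForEach-Object {
            $meaning, $index = $logonEvents[[int]$_.InstanceId]
            [pscustomobject]@{
                EventId = $_.InstanceId
                Meaning = $meaning
                Account = $_.ReplacementStrings[$index]
                Time    = $_.TimeGenerated
            }
        } |
        Group-Object EventId, Account |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                EventId  = $first.EventId
                Meaning  = $first.Meaning
                Account  = $first.Account
                Count    = $_.Count
                LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
            }
        } | Sort-Object Meaning, Count -Descending
}

# An account with many failures and no success in the same window stands out.
Get-LogonSummary | Format-Table -AutoSize
```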

Notes for this lesson

Providing client access and security
Introduction
A feature of network operating systems is that they provide the ability to centrally manage network objects such as users, groups, printers, computers and shared folders. The ability to manage these objects is provided by the network operating system's directory service, and the operating system will also include utilities to administer the directory. The information about the network objects administered by the directory service is stored in a database, which means that it is searchable and accessible by other applications.
Common network operating systems and their directory service are listed below:
• Windows 2003 Server – directory service provided by the Active Directory
• Novell NetWare – Directory service provided by eDirectory (formerly known as NDS or NetWare Directory Service in NetWare 4.x and 5.x)
• Apple Mac OS X Server – Directory service provided by Open Directory
• Linux – Directory service provided by the open source software OpenLDAP
Most recent NOS directory services use the standard structures and naming conventions defined by the LDAP (Lightweight Directory Access Protocol). The big advantage of this is that other applications such as email services can access the directory service – for example, when creating a new user, the email application can access the directory service and create a new email account for the user at the same time.
Objects in the directory are stored with their attributes. These attributes depend on the object – for example, a user will have attributes of first name, last name, telephone number, email address etc., while a computer object has a different set of attributes – computer name, operating system etc.
Implementing security
As a network administrator, one of your tasks will be to provide user accounts in accordance with the organisation's guidelines and then provide the user with access to IT resources such as applications and data. These guidelines are usually contained in the organisation's IT security policy. A security policy is a general statement on how the organisation will conduct its business and interact with the organisation's information services while maintaining an acceptable level of security.
User account requests
User accounts are usually created when people join an organisation or change positions. The organisation's security policy will provide guidelines as to who can authorise the creation of new user accounts or changes to user accounts. A Request for User Account form will be completed by the authorised officer and acted upon by the network administrator.
Password policies
The primary method of authenticating a user on the network is by the user entering their user name and password. Good passwords are essential to the security of all operating systems.
It is therefore important that users be educated to select suitable passwords and the guidelines will be published in a password policy. Network operating systems have tools or utilities to enforce the guidelines in a password policy.
Groups
To simplify administration, users are placed into groups and permissions to resources are allocated to the group. These groups can be either:
• Built-in, or created at the time of the installation of the network operating system. These groups usually define what rights a user has to perform certain operations on the network operating system, such as creating users or performing a backup
• User defined, or created by the network administrator to group users who require access to common resources. For example, all users in an organisation's finance section may be grouped together in a group called finance.
Access control
Users should be given access to network resources such as applications or data only at the minimum level that they need to perform their work duties. For example, if an employee needs to view but not alter the organisation's Human Resource database, assign the READ permission.
Home and group directories
One of the features of a network operating system is that files can be stored on a server and be available to users across the network. It is common practice to locate user home directories and group directories on a server (or servers), as it allows for centralised management of backups and access control.
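The access control and home/group directory points above, as an added PowerShell example that is not part of the original notes: a home directory for jsmith and a shared finance directory with NTFS permissions reduced to the minimum each party needs. It assumes the ActiveDirectory module, a placeholder domain NetBIOS name CHISHOLM, a placeholder server SERVER01 with a Home$ share, and that the workshop's users and groups already exist.

```powershell
# Added example (not part of the original notes): least-privilege NTFS ACLs for
# a home directory and a group directory. Assumes the ActiveDirectory module, a
# placeholder domain NetBIOS name CHISHOLM, a placeholder server SERVER01 with a
# Home$ share, and that the users and groups from the workshop already exist.
Import-Module ActiveDirectory

$domain = 'CHISHOLM'

function Set-LeastPrivilegeAcl {
    param([string]$Path, [hashtable]$Grants)   # Grants: identity -> FileSystemRights
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Break inheritance without copying it, so an inherited "Users: Read" from the
    # parent cannot expose the folder to every authenticated user.
    $acl.SetAccessRuleProtection($true, $false)
    # Administrators keep FullControl so the folder can be managed and backed up.
    $Grants = $Grants + @{ 'BUILTIN\Administrators' = 'FullControl' }
    foreach ($identity in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $identity, $Grants[$identity], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Home directory: the owner can create and change files; no other user can read them.
Set-LeastPrivilegeAcl -Path 'D:\Home\jsmith' -Grants @{ "$domain\jsmith" = 'Modify' }
Set-ADUser -Identity 'jsmith' -HomeDrive 'H:' -HomeDirectory '\\SERVER01\Home$\jsmith'

# Group directory: finance members may change files, teachers may only read them
# (the READ-only case from the access control notes above).
Set-LeastPrivilegeAcl -Path 'D:\Groups\Finance' -Grants @{
    "$domain\finance"  = 'Modify'
    "$domain\teachers" = 'ReadAndExecute'
}

# Review the resulting entries: this list is the ACL the notes describe.
(Get-Acl -Path 'D:\Groups\Finance').Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```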
Introduction to Windows Server 2003 Active Directory
A network administrator needs to be familiar with the two different security models that can be implemented with Windows Server 2003 (workgroups or domains) and the different roles that a server can hold.
Workgroups
A Windows workgroup is a logical group of computers that is characterised by decentralised security and administration. Details of each user account are stored locally in the Security Account Manager (SAM) database. Although relatively simple to administer, it is only suitable for small networks with ten or fewer client systems attached. A Windows 2003 server is not strictly required for a workgroup, but it can be configured as part of a workgroup. If it is used in this manner, it is referred to as a standalone server.
Domains
A Windows domain is a logical group of computers that is characterised by centralised administration and authentication. In the domain model, the centralised directory database is known as Active Directory. A server running Windows Server 2003 must be configured to provide the directory service and is known as a domain controller. If a domain has more than one domain controller, changes to the database on one domain controller are copied to the other domain controllers in a process known as replication. Replication gives the network fault tolerance, so that if one domain controller fails, user requests can still be serviced.
If a server has a computer account in a domain but is not configured as a domain controller it is known as a member server.
Active Directory Structure
Active Directory has several components that allow a network administrator to design and administer the logical structure of the network. These include:
• Domains and organizational units
• Trees and Forests
Domains
Domains are a logical structure and may represent an organisation, a department, a geographical location or security requirements.
Organisational Unit
An Organisational Unit (OU) is a logical container that can be used to organise objects within a single domain. For example, organisational units might be created to represent the organisation's structure: a Legal OU contains all the objects associated with the Legal department of the organisation, while a Sales OU contains all the objects associated with the Sales department. Grouping objects in OUs allows for more flexible network administration, as tasks such as the creation of user accounts can be performed at the OU level.
Tree
Sometimes there will be multiple domains within an organisation. This may be for geographical reasons, where a domain is created for each location, or because the organisation is large. At the base of the tree is the root domain, and from the root domain child domains branch out.
Forest
A forest is a collection of trees that do not share the same naming structure. For example, if the Acme company purchases another company called Toys4U with an existing domain of toys4u.com, the new Active Directory structure of the combined companies might be a forest. The two domains can communicate with each other, but each domain tree has its own Active Directory database.
Groups
When a Windows Server 2003 server is installed with Active Directory there are three scopes of group that can be created:
• Domain local groups can contain user accounts from any domain
• Global groups are the most common type of group used. These groups allow user accounts from the same domain to be grouped together, i.e. a global group created in Domain A can include objects from Domain A, but not from any other domain.
• Universal groups are created to group users from different domains
Groups can also contain other groups, which is known as nesting of groups. It is recommended that only one level of nesting is used, because troubleshooting permissions can quickly become quite complex when groups are nested.
The group types can be:
• Security groups which are used to assign permissions to resources. This is the most common type of group
• Distribution groups are used by applications such as an email application to send messages to all members of the group. They cannot be used for assigning permissions
Built-in groups
When Active Directory is installed, there are a number of groups created. You can use these predefined groups to help you control access to shared resources and delegate specific domain wide administrative roles.
These groups are stored in two locations in Active Directory – the Built-in folder and the Users folder.
The Built-in Container
The Built-in container contains a number of domain local security groups which are summarised in the table below:
The Users Container
The Users container contains a number of domain local and global security groups which are summarised in the table below:
Access Control and Auditing
Computer networks are designed so that legitimate users have access to the resources that they need to perform their work activities. The key terms in that statement are that users need to be legitimate, and they need access to resources.
Some of the methods that organisations use to maintain the security of their information systems that you have looked at in this and other units include:
• Physical Security – equipment such as servers is located in an area secured with locks
• User Creation – user account creation needs to be authorized by an authorized person in the organization
• User Authentication – to gain access to the network users must have a valid username and password
• Acceptable Use Policies – what a user can or can’t do on the network is governed by an Acceptable Use Policy
• Restrictions – users can be restricted to specific workstations or have their hours of network access restricted
• Group Memberships – are assigned when user accounts are created. These groups may be either built into the network operating system or user defined
• Access Control Lists (ACLs) – ACLs are associated with a resource (such as a share or printer) and describe users or groups and their permissions for that resource. When a user is authenticated on the network, they gain access to network resources as defined in an ACL
To ensure that these controls are correctly in place, organisations will audit the network system. Auditing is the process of tracking users and their actions on the network. Some of the activities that can be audited include:
• Logging on or off the network
• Reading, writing, modifying or deleting files
• Using printers
• Using network services such as email
An organisation's security policy will usually define the extent of auditing required. To perform the audit, modern network operating systems include tools that allow activities to be logged and monitored. As events occur they are written to a log file that should be regularly reviewed for any suspicious activity.

Revision questions.

Question 1
As well as file and printer services, networks can provide other services such as: Internet access, security, communication.
Question 2
Network user authentication usually consists of a Username and a password
Question 3 (True or False)
Users should be given access to network resources such as applications or data only at the level that they need to perform their work duties. True
Question 4
What does UNC stand for? Universal Naming Convention
Question 5
The UNC for a Windows system is as follows: servername\servershare
