Monday, October 13, 2008

Networking reflective journal week 8

Bonjour toutes les peoples.

This week we did the usual install of Windows Server 2003 with all the trimmings, plus concentrated on security access with regard to users and groups.

Class notes as follows:

Managing Users

Introduction

The main method for a user to gain access to resources on an organisation’s network is to have a user account created which will be authenticated at logon by the user providing the correct password.

Implementing a user account policy
Section: User account management
Policy
Access to computer systems will be controlled by usernames and passwords
To implement a user account policy, the procedures established will need to address the following points:
• Who has the authority to approve the creation of a new user account, or approve the modification of an account?
• What are the requirements for passwords and how can these requirements be enforced?
• Will a legal notice be displayed before logon?
• What happens when an employee leaves?
• Do the operating system default user settings match the required security settings?
User accounts need to be issued to users in accordance with the organisation’s user account policy so that they can gain access to network resources and services. For most organisations, passwords are the main way of authenticating users to the network or computer system, but if greater security is required, biometric devices such as fingerprint readers can be used.
To simplify administration, users are placed into groups and permissions to resources are allocated to the group. These groups can be either:
• Built-in, or created at the time of the installation of the network operating system. These groups usually define what rights a user has to perform certain operations on the network operating system, such as creating users or performing a backup.
• User-defined, or created by the network administrator to group users who require access to common resources.
Authorising the creation or modification of new user account
User accounts are usually created upon receipt of a Request for User Account form that has been signed by an authorised officer, and the User Account policy may define who is an authorised officer. When a user signs this form, they are usually signing to say that they have read and understood the organisation’s Acceptable Use Policy and agree to abide by those conditions.

Passwords

The requirements for the user with respect to passwords will usually be published in the organisation’s Acceptable Use policy or in a Password policy. It is important that users are aware of the password policy so that they can select a suitable password when required. Most policies will state that the password is to be kept confidential and is not to be written down anywhere.
Recommendations for ‘strong’ passwords include:
• Use a minimum of 8 characters
• Use a mix of upper and lower case characters
• Use a mix of alphabet characters, numeric characters and non-alphanumeric characters such as ? # @
• Don’t use a dictionary word
• Don’t use something familiar about yourself such as your birth date, car make or pet’s name
It is better to use an administrative tool in the network operating system to enforce any password policy rather than relying on the user to create a suitable password.

Display a legal notice
Some organisations display a banner that will display before a user logs on to the network. Usually this banner is a legal notice reminding users that they have agreed to abide by the Acceptable Use policy of the organisation.

When an employee leaves
When an employee leaves an organisation, there will be a process to be followed, usually in the form of a checklist, to ensure that all keys, access cards and equipment have been returned to the organisation. Different sections of the organisation need to be notified: the human resources section needs to modify its records, the financial department will need to issue termination payments, and the IT department of the organisation also needs to be notified.
The IT section may have its own checklist to remove the user’s access to the organisation’s IT service. All accounts will need to be disabled and any equipment such as a laptop returned.

Default User Settings
When a network operating system is first installed, a user account is created that will allow the administration of the system, and this account is known as administrator. In a Windows system the administrator is placed into the Administrators built-in group, and staff authorised to perform network administration duties would be placed into this group.
The other primary group created is for standard users. It is important to know what permissions are assigned to this user group by default, and this varies with the network operating system installed. One of the fundamental principles that underlies a security policy is that users and/or groups should be granted the most restrictive set of permissions needed to perform their work-related duties.

Managing Access Control

Introduction
When planning a folder structure for your server, there are two considerations that need to be taken into account:
• Security – access to files and folders should be in accordance with the organisation’s security requirements
• Convenience – folders with similar security requirements should be grouped together, for example all user home folders should be grouped together. This makes the administration of backups and restores simpler
Designing the Folder System for a Server
When designing access to network resources, users will need access to several different types of shared folders. These are:
• User home folders
• Group shared folders
• Application folders
As a network administrator you might choose to store these folders on a separate drive or partition depending on the expected total storage capacity required. A separate partition would be recommended. To make the administration of backups easier, they should be separate from operating system and server application folders. When planning a folder system, one thing to remember is that the one sure thing you can say about hard disk storage space is that you can never have too much.
It is also important to remember that permissions assigned to a folder will normally be ‘inherited’ by the subfolders contained within the folder unless that permission is explicitly blocked.

File System Access Control
Access for users to network resources such as applications or data is controlled by permissions assigned through the operating system. Users should be given access to network resources, applications or data only at the level that they need to perform their work duties. When assigning permissions, assign them to groups, not users, as this simplifies the administration.
To document the file system access control, an access control list (ACL) or a capability table is created. Both have the same information but in a different format.




Access Control List
Legend:
• F – Full
• W – Write
• R – Read
• X – Execute
• N – None

                   RESOURCES
USER GROUPS        Personnel   Payroll   Accounts   General
Administrator      F           F         F          F
Users              N           N         N          R
Accounts           N           N         F          R
Payroll            RX          W         N          F
Management         R           R         R          F
Human Resources    F           R         N          F

Capability Table
Legend:
• F – Full
• W – Write
• R – Read
• X – Execute
• N – None

Resources    User Groups        Permission
Personnel    Administrator      F
             Payroll            RX
Payroll      Administrator      F
             Payroll            W
             Management         R
             Human Resources    R
Accounts     Administrator      F
             Accounts           F
             Management         R
General      Administrator      F
             Users              R
             Accounts           R
             Payroll            F
             Management         F
             Human Resources    F

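Since the notes say both documents hold the same information, one can be derived from the other and the two compared. The following is an added example, not part of the class notes: it transcribes the two tables above as written, and the function names and the reading of a missing capability entry as N (None) are assumptions made for the illustration.

```python
# Added example: values transcribed from the two tables in these notes.
RESOURCES = ["Personnel", "Payroll", "Accounts", "General"]

# Access Control List as documented: one row per user group, one column per resource.
ACL = {
    "Administrator":   ["F", "F", "F", "F"],
    "Users":           ["N", "N", "N", "R"],
    "Accounts":        ["N", "N", "F", "R"],
    "Payroll":         ["RX", "W", "N", "F"],
    "Management":      ["R", "R", "R", "F"],
    "Human Resources": ["F", "R", "N", "F"],
}

# Capability Table as documented: one block per resource, "N" entries left out.
CAPABILITY = {
    "Personnel": {"Administrator": "F", "Payroll": "RX"},
    "Payroll":   {"Administrator": "F", "Payroll": "W",
                  "Management": "R", "Human Resources": "R"},
    "Accounts":  {"Administrator": "F", "Accounts": "F", "Management": "R"},
    "General":   {"Administrator": "F", "Users": "R", "Accounts": "R",
                  "Payroll": "F", "Management": "F", "Human Resources": "F"},
}

def pivot(acl, resources):
    """Turn the group-by-resource matrix into per-resource entries, dropping 'N'."""
    table = {res: {} for res in resources}
    for group, perms in acl.items():
        for res, perm in zip(resources, perms):
            if perm != "N":
                table[res][group] = perm
    return table

def differences(acl, capability, resources):
    """List (resource, group, acl_perm, capability_perm) where the documents disagree."""
    derived = pivot(acl, resources)
    diffs = []
    for res in resources:
        documented = capability.get(res, {})
        # Assumption: a group missing from either view has permission "N".
        for group in sorted(set(derived[res]) | set(documented)):
            a = derived[res].get(group, "N")
            c = documented.get(group, "N")
            if a != c:
                diffs.append((res, group, a, c))
    return diffs

if __name__ == "__main__":
    for res, group, a, c in differences(ACL, CAPABILITY, RESOURCES):
        print(f"{res}: {group} is {a} in the ACL but {c} in the capability table")
```

Run on the tables as written, the check reports two Personnel entries (Human Resources and Management) that appear in the ACL but not in the capability table; the Payroll, Accounts and General blocks match.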
Complete Activity 1
Giving users access to shared folders
To allow users access to a shared network folder, the most common method is to map a network drive. Mapping allocates an available drive letter which points to the shared folder location.
To locate a shared folder resource, UNC, or Universal Naming Convention, is used to specify the shared folder. The UNC for a Windows system is as follows:
\\server_name\share_name
• server_name – is the name of the server where the network share is located
• share_name – is the name of the shared network folder

Revision Questions.


Question 1
The main purpose of an organisation's security policy is to ensure the integrity, confidentiality and availability of key information assets and resources.
What is meant by the following?
• Integrity - ensuring that all procedures are followed to the letter.
• Confidentiality - Securing the user's personal information.
• Availability - Ensuring the user can properly login to the network.

Question 3 (True or False)
Policies are a formal and high-level statement of the organisation’s goals and objectives for a specified subject area? True
Question 4 (True or False)
Policies need not be reviewed periodically. False
Question 5
List two policy procedures you may come across in an organisation.
Download restrictions
Software installation restrictions.
Internet access restrictions.


That's all for this week chaps......toodlepip for now.
