Guide to Operating System Security Chapter 4 Account-based Security

Upload: clifton-blake

Post on 28-Dec-2015


Guide to Operating System Security

Chapter 4

Account-based Security


Objectives

• Discuss how to develop account naming and security policies
• Explain and configure user accounts
• Discuss and configure account policies and logon security techniques
• Discuss and implement global access privileges
• Use group policies and security templates in Windows 2000 Server and Windows Server 2003


Account Naming

• Provides orderly access to server and network resources
• Enables administrators to monitor security:
  • Which users are accessing the server
  • What resources they are using
• Establish conventions for account names
  • User’s actual name
  • User’s function


Security Policies

• Apply to all accounts or to all accounts in a particular directory service container
• Affected elements:
  • Password security
    • Expiration period
    • Minimum length
    • Password recollection
  • Account lockout
  • Authentication method


Creating User Accounts in Windows 2000 Professional

• Typically installed with:
  • Administrator account
  • Guest account
• To create and manage user accounts:
  • Start – Settings – Control Panel – Users and Passwords, or
  • Right-click My Computer – Manage – Local Users and Groups – Users


Creating User Accounts in Windows XP Professional

• Installed with:
  • Account that usually consists of user’s name
  • Administrator account
  • Guest account
  • HelpAssistant account for remote desktop help
  • Support accounts for Microsoft and computer manufacturer
• To create and manage user accounts:
  • Start – Control Panel – User Accounts, or
  • Right-click My Computer – Manage – Local Users and Groups – Users


Managing User Accounts in Windows XP Professional


Creating User Accounts in Windows 2000 Server/Server 2003

• Installed with:
  • Administrator account
  • Guest account
  • Other accounts, depending on services installed on server
• Create new accounts by entering account information and password controls
  • Local user account on a server that is not part of a domain
  • Account in the Active Directory


Managing User Accounts in Windows 2000 Server


Creating a New User

• Complete name, user logon name, password, and password confirmation information
• User must change password at next logon
• User cannot change password
• Password never expires
• Account is disabled
• Further configure associated properties


Account Properties in Windows Server 2003

• General tab
• Address tab
• Account tab
• Profile tab
• Telephones tab
• Organization tab
• Member Of
• Dial-in
• Environment
• Sessions
• Remote Control
• Terminal Services Profile
• COM+ tab


Account Properties in Windows Server 2003


Account Tab


Creating User Accounts in Red Hat Linux 9.x

• Each user account is associated with a user identification number (UID)
• Assign users with common access needs to a group via a group identification number (GID)


Contents of Linux Password File (/etc/passwd)

• Username
• Encrypted password or reference to shadow file
• UID and GID
• Information about the user
• Location of user’s home directory
• Command that is executed as user logs on


Linux Shadow File (/etc/shadow)

• Available only to system administrator
• Contains password restriction information
  • Minimum/maximum number of days between password changes
  • When password was last changed
  • When password will expire
  • Amount of time account can be inactive before access is prohibited
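
An added example, not part of the original slides: a small audit that reads the /etc/passwd and /etc/shadow fields listed above and reports locked accounts, expired passwords and lapsed inactivity periods. The sample entries, hash placeholders and function names are constructed for illustration; the colon-separated field order is the standard one for these two files.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow dates are counted in days from here
# Constructed sample entries, not from a real system; hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice Example:/home/alice:/bin/bash
bob:x:501:500:Bob Example:/home/bob:/bin/bash"""
SHADOW = """\
root:$1$placeholder:12000:0:99999:7:::
alice:$1$placeholder:12100:1:90:7:14::
bob:!$1$placeholder:12100:0:90:7::12200:"""

def parse_passwd(text):
    """Map username -> the other six colon-separated /etc/passwd fields."""
    keys = ("password", "uid", "gid", "info", "home", "shell")
    rows = (line.split(":") for line in text.splitlines() if line)
    return {f[0]: dict(zip(keys, f[1:7])) for f in rows}

def parse_shadow(text):
    """Map username -> hash plus numeric aging fields (None when empty)."""
    keys = ("last_change", "min_days", "max_days", "warn", "inactive", "expire")
    out = {}
    for f in (line.split(":") for line in text.splitlines() if line):
        nums = [int(v) if v else None for v in f[2:8]]
        out[f[0]] = {"hash": f[1], **dict(zip(keys, nums))}
    return out

def audit(passwd, shadow, today):
    """Return {username: [findings]} derived from the shadow restrictions."""
    report = {}
    for name, acct in passwd.items():
        s, notes = shadow.get(name), []
        if acct["password"] != "x" or s is None:
            report[name] = ["password is not held in the shadow file"]
            continue
        if s["hash"].startswith(("!", "*")):  # prefix that disables the hash
            notes.append("account locked")
        last, max_days = s["last_change"], s["max_days"]
        if max_days in (None, 99999):  # 99999 is the customary "no limit"
            notes.append("password never expires")
        elif last is not None:
            due = EPOCH + timedelta(last + max_days)
            if s["inactive"] is not None and today > due + timedelta(s["inactive"]):
                notes.append("password expired, inactive period over: access prohibited")
            elif today > due:
                notes.append(f"password expired on {due}")
        if s["expire"] is not None and today >= EPOCH + timedelta(s["expire"]):
            notes.append("account expired")
        report[name] = notes
    return report

if __name__ == "__main__":
    print(audit(parse_passwd(PASSWD), parse_shadow(SHADOW), date(2003, 6, 15)))
```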


Creating User Accounts and Groups in Linux

• Use command-line commands
  • Create new user with useradd
  • Modify parameters with usermod
  • Delete accounts with userdel
• Use Red Hat User Manager from GNOME desktop


Creating Accounts with the Command Line


Creating Accounts with Red Hat User Manager


Creating User Accounts in NetWare 6.x

Use ConsoleOne tool


Creating User Accounts in Mac OS X (Continued)

• Choose Accounts icon in System Preferences window
  • Name of account holder
  • Short name for logging on
  • Password
  • Password hint


Creating User Accounts in Mac OS X (Continued)

• Tools that enable server management (Mac OS X Server)
  • Server Admin
  • Macintosh Manager


Accounts Option in Mac OS X


Mac OS X Logon Options

• Automatically log on to specific account when computer is booted
• Log on by viewing a name and password box, or by seeing a list of user accounts
• Hide Restart and Shut Down buttons
• Show password hint after three unsuccessful logon attempts


Mac OS X Server

• Tools
  • Server Admin
  • Macintosh Manager


Setting Account Policies and Configuring Logon Security

• Place restrictions on passwords
• Automatically lock out accounts after a specified number of unsuccessful logon attempts


Guidelines for Building Strong Passwords

Do use:
• 7+ characters
• Combination of upper- and lowercase letters, numbers, and characters
• Symbol character(s)
• Coded phrase to help you remember

Do not use:
• Words in the dictionary or proper names
• Sports terms or names of sports teams
• Your account name
• Consecutive characters
• Common slang terms


Using Account Policies in Windows Server 2000/Server 2003

• Set up as part of group policy that applies to all accounts in an Active Directory container
• Can also be configured for a local computer
• Account policy options affect:
  • Password security
  • Account lockout


Password Security Options in Windows Server 2000/Server 2003

• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password(s) must meet complexity requirements
• Store password using reversible encryption


Account Lockout Options in Windows Server 2000/Server 2003

• Account lockout duration
• Account lockout threshold
• Reset account lockout counter after
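
An added example, not part of the original slides: a simplified model of how the three lockout options interact, replayed over a sequence of logon events. It is not Windows' own implementation; the class, function and field names, the policy values and the logon events are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int        # failed logons that trigger a lockout; 0 = never lock
    duration_min: int     # minutes an account stays locked; 0 = until an admin unlocks
    reset_after_min: int  # minutes after a failure before the counter returns to 0

def replay(events, policy):
    """Apply the policy to (minute, account, password_ok) events, in time order.

    Returns one outcome per event: "ok", "fail", "locked out" or "refused".
    """
    state = {}  # account -> [failure count, minute of last failure, minute locked]
    outcomes = []
    for minute, account, password_ok in events:
        s = state.setdefault(account, [0, None, None])
        if s[2] is not None:  # account is currently locked
            if policy.duration_min and minute - s[2] >= policy.duration_min:
                s[:] = [0, None, None]       # lockout duration has elapsed
            else:
                outcomes.append("refused")   # even the correct password is rejected
                continue
        if password_ok:
            s[0] = 0                         # success clears the failure counter
            outcomes.append("ok")
            continue
        if s[1] is not None and minute - s[1] >= policy.reset_after_min:
            s[0] = 0                         # counter reset interval has passed
        s[0], s[1] = s[0] + 1, minute
        if policy.threshold and s[0] >= policy.threshold:
            s[2] = minute
            outcomes.append("locked out")
        else:
            outcomes.append("fail")
    return outcomes

# Constructed logon events: (minute, account, password_ok)
EVENTS = [(0, "alice", False), (1, "alice", False), (15, "alice", False),
          (16, "alice", False), (17, "alice", False), (20, "alice", True),
          (47, "alice", True)]

if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=10)
    for event, outcome in zip(EVENTS, replay(EVENTS, policy)):
        print(event, outcome)
```

In the sample run the third failure does not lock the account because it arrives after the counter has reset; failures only accumulate toward the threshold when they fall within the reset interval of each other.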


Account Security Options in Red Hat Linux 9.x

• No formal account security policies
• Enables configuration of security options associated with individual accounts (using Red Hat User Manager)
• Stores security information in shadow file (/etc/shadow) as properties associated with accounts


Account Password Configuration Options in Red Hat Linux

• Setting an account to expire on a particular date
• Locking a user account
• Expiration of account passwords so that users have to reset them


Red Hat Linux 9.x Account Password Configuration


Using Account Templates in NetWare 6.x

Configure through user templates before accounts are created

Use ConsoleOne utility to create user templates


Establishing Account Properties with User Template (NetWare 6.x)

(Continued)

• Home directory location and access rights to that directory
• Requirement for a password
• Minimum password length
• Requirement that password be changed within specified interval of time
• Grace period that limits number of times user can log in after password has expired


Establishing Account Properties with User Template (NetWare 6.x)

• Requirement that a new password be used each time the old one is changed
• Time restrictions
• Intruder detection capabilities
• Limit on number of simultaneous connections
• Workstation logon restrictions


Intruder Detection in NetWare 6.x


Using Global Access Privileges

• Windows 2000 Server/Server 2003
  • User rights govern user and administrative functions
• NetWare 6.x
  • Uses access rights, applied in a different way, for more fine-tuned access functions
  • Role-based security establishes administrative roles for managing a server


Windows Server 2000/Server 2003 User Rights (Continued)

• Enable account or group to perform predefined tasks
  • Basic rights: access a server
  • Advanced: create accounts and manage server functions
• Can be assigned to user accounts or to groups
  • Groups are more efficient (inherited rights)


Windows Server 2000/Server 2003 User Rights (Continued)

• Give server administrative security controls over who can access server and Active Directory resources
• Two categories
  • Privileges
    • Manage server or Active Directory functions
  • Logon rights
    • Access accounts, computers, and services


Windows Server 2000/Server 2003 Privileges (Continued)


Windows Server 2000/Server 2003 Privileges (Continued)


Windows Server 2000/Server 2003 Privileges (Continued)


Windows Server 2000/Server 2003 Logon Rights


Role-based Security in NetWare 6.x

• Allocated according to administrative roles (managing tasks or network services)
  • DHCP Management
  • DNS Management
  • eDirectory
  • iPrint Management
  • License Management


Using Group Policies in Windows Server 2000/Server 2003

• Enables standardization by setting policies in Active Directory or on local computer (e.g., account policies, user rights, IPSec policies)
• Evolved from Windows NT Server 4.0 concept of system policy
  • Use Poledit.exe to configure basic user account and computer parameters (domain-wide or specific)


Differences Between System Policy and Group Policy

System policy | Group policy
Largest range is the domain | Can cover multiple domains in one site
Fewer objects to configure | More objects to configure
Focus on clients’ desktop environment as controlled by Registry settings | Set for more environments
Less secure | More secure
Can live on after no longer needed | Dynamically updated and configured to represent most current needs


Defining Characteristics of Group Policy

• Can be set for a site, domain, OU, or local computer
• Stored in group policy objects
  • Local and nonlocal GPOs


Configuring Client Security Using Policies

• Advantages to customizing settings used by clients
  • Improved security
  • Consistent working environment
• Customize settings by configuring policies on Windows 2000/2003 servers that clients access
  • When client logs on, policies are applied


Manually Configuring Policies for Clients

• Use either:
  • Group Policy Snap-in (Windows 2000 Server)
  • Group Policy Object Editor Snap-in (Windows Server 2003)
• Use Administrative Templates object under User Configuration in a group policy object to customize desktop settings for client computers


Manually Configuring Policies for Clients


Configuring Administrative Templates


Automated Configuration of Administrative Templates


Configuring Administrative Templates


Configuring Additional Security Options

Fine-tune security on a server by configuring security options within local policies in a GPO

Enables you to configure group policy security for special needs


Configuring Additional Security Options


Group Policy Security Options


Configuring Additional Security Options


Summary

• Considerations when creating formal policies about account naming and security
• How to set up accounts in different operating systems
• How to configure those accounts to implement an organization’s policies
• User rights and role-based security
• How to work with group policies and security templates