
Upload: blusmurfydot1

Post on 17-May-2015


Page 1: IT103Microsoft Windows XP/OS Chap13

MANAGING USERS AND GROUPS

Chapter 13

Page 2: IT103Microsoft Windows XP/OS Chap13

Chapter 13: MANAGING USERS AND GROUPS 2

OVERVIEW

Configure and manage user accounts

Manage user account properties

Manage user and group rights

Configure user account policy

Manage and troubleshoot cached credentials

Page 3: IT103Microsoft Windows XP/OS Chap13

USER ACCOUNTS

Identify users to the system and to each other

Used to grant access to resources

Collect information about users

Page 4: IT103Microsoft Windows XP/OS Chap13

Extra

You can grant users access to resources by associating their security identifier (SID), a part of their identity, with discretionary access control lists (DACLs) belonging to objects.

This association, embodied in an access control entry (ACE), forms the foundation for security in Windows XP.

Page 5: IT103Microsoft Windows XP/OS Chap13

GROUPS

Collections of user accounts

Simplify access to resources

Can be used for security and messaging (Active Directory)

Page 6: IT103Microsoft Windows XP/OS Chap13

Active Directory?

In Active Directory, groups can be designated for security or distribution. Distribution groups are used to simplify messaging.

In Active Directory, user accounts are even more important—they are the repository for data about the user. They can contain a user’s address, phone/fax numbers, and even personnel data.

Page 7: IT103Microsoft Windows XP/OS Chap13

BUILT-IN USER ACCOUNTS

Configured during setup

Used for administration or guest access

Can be renamed but not deleted

Page 8: IT103Microsoft Windows XP/OS Chap13

More detail…

Built-in accounts are created during setup of the operating system:

The Administrator account is intended for system administration tasks and has the appropriate rights and permissions to perform any maintenance and configuration task on the system.

The Administrator account can be renamed, but it retains its distinctive SID and is a favorite target for hackers because it cannot be locked out.

Page 9: IT103Microsoft Windows XP/OS Chap13

More detail…

Built-in accounts are created during setup of the operating system:

The Guest account is for granting temporary access to guests. It is disabled by default. This account does not have any administrative function or permissions.

The Guest account is usually left disabled, and guests are instead added to the Guests local group.

Page 10: IT103Microsoft Windows XP/OS Chap13

More detail…

Built-in accounts are created during setup of the operating system:

The System account does not have interactive logon ability, but it is the account under which most system processes are executed.

It is equal in power and permissions to the Administrator account.

Page 11: IT103Microsoft Windows XP/OS Chap13

BUILT-IN GROUPS

Created during setup

Designed for specific use or administrative roles

User accounts can be added as members

Built-in user accounts cannot be removed

Page 12: IT103Microsoft Windows XP/OS Chap13

IMPLICIT GROUPS

Membership can change dynamically

Do not appear in user administration tools

Used to grant permissions based on circumstances

Used to control access to resources based on how those resources are accessed

Page 13: IT103Microsoft Windows XP/OS Chap13

SERVICE ACCOUNTS

Grant services access to system resources

Include built-in and user-defined accounts

Require special accommodations

Service accounts allow system services and services required by installed applications to access resources. Permissions can be granted to the accounts as if they were real users.

Page 14: IT103Microsoft Windows XP/OS Chap13

Built-In Service Accounts

Built-in service accounts: Service, Local Service, and Network Service. Some user rights (such as Log On As A Service) are required for a service to use a service account properly. Service accounts should be configured to not allow passwords to expire.

Some service accounts (such as IUSR_<system name>) are used by Windows XP to support IIS and other applications.

Page 15: IT103Microsoft Windows XP/OS Chap13

DOMAIN ACCOUNTS AND GROUPS

Include built-in and user-defined accounts and groups

Provide logon and resource access to local system

Can be placed into local groups

Page 16: IT103Microsoft Windows XP/OS Chap13

LOCAL USERS AND GROUPS

Page 17: IT103Microsoft Windows XP/OS Chap13

CONTROL PANEL USER ACCOUNTS

Page 18: IT103Microsoft Windows XP/OS Chap13

ACTIVE DIRECTORY USERS AND COMPUTERS

Page 19: IT103Microsoft Windows XP/OS Chap13

MANAGING USERS WITH NET.EXE

The NET USER command can be called from batch files to automate repetitive management tasks. It is useful for scripted user account additions and changes.
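A scripted account setup of the kind this slide describes, written as an added example that is not part of the original slides: NET USER creates the account, NET LOCALGROUP puts it in a group, and CACLS grants the group (not the user) access to a folder, which is the SID-to-DACL association of slide 4 done through group membership. The names jsmith, Projects-Readers and C:\Projects are assumed placeholders; run it from an Administrator command prompt.

```batch
@echo off
rem Added example, not from the original slides. Creates a limited local
rem account and grants it folder access via a group, so the folder's DACL
rem receives one allow ACE for the group's SID rather than per-user ACEs.
rem jsmith, Projects-Readers and C:\Projects are assumed placeholder names.
setlocal
set NEWUSER=jsmith
set NEWGROUP=Projects-Readers
set FOLDER=C:\Projects

rem 1. Create the account. /RANDOM makes NET USER generate and display a
rem    password, so none is stored in this script; hand it to the user out
rem    of band. New local accounts are placed in the Users group by default.
net user %NEWUSER% /random /add /fullname:"Jane Smith" /comment:"Standard user, no admin rights" /passwordreq:yes /passwordchg:yes
if errorlevel 1 goto failed

rem 2. Create a resource group and add the user to it. Granting permissions
rem    to the group means later joiners and leavers need no ACL edits.
net localgroup %NEWGROUP% /add /comment:"Read access to %FOLDER%"
net localgroup %NEWGROUP% %NEWUSER% /add
if errorlevel 1 goto failed

rem 3. Grant the group read access. /E edits the existing DACL instead of
rem    replacing it, /T applies to the whole tree, /G adds an allow ACE.
if not exist "%FOLDER%" mkdir "%FOLDER%"
cacls "%FOLDER%" /E /T /G %NEWGROUP%:R
if errorlevel 1 goto failed

rem 4. Show the result: the DACL lists the group; the user never appears.
cacls "%FOLDER%"
net user %NEWUSER%

rem 5. Best practices from slide 29 that NET.EXE can apply in the same
rem    script: keep Guest disabled and review who holds Administrators.
net user Guest /active:no
net localgroup Administrators
endlocal
exit /b 0

:failed
echo Account setup failed; check the NET.EXE message above.
endlocal
exit /b 1
```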

Page 20: IT103Microsoft Windows XP/OS Chap13

PLANNING USERS AND GROUPS

Page 21: IT103Microsoft Windows XP/OS Chap13

USER ACCOUNT NAMING CONVENTIONS

Page 22: IT103Microsoft Windows XP/OS Chap13

PASSWORD COMPLEXITY

Create passphrases

Use uppercase, lowercase, and nonalphanumeric characters

Consider enforcing complexity with Group Policy

Two main hacker attacks against passwords:

Dictionary attack, where the attacker uses word combinations to guess the password

Brute force attack, where the attacker uses every combination of letters, numbers, and special characters until he guesses the password

Page 23: IT103Microsoft Windows XP/OS Chap13

CHANGING HOW USERS LOG ON OR LOG OFF

Page 24: IT103Microsoft Windows XP/OS Chap13

MANAGING USERS WITH LOCAL USERS AND GROUPS

Page 25: IT103Microsoft Windows XP/OS Chap13

USER RIGHTS ASSIGNMENT

Page 26: IT103Microsoft Windows XP/OS Chap13

MANAGING GROUPS WITH LOCAL USERS AND GROUPS

Page 27: IT103Microsoft Windows XP/OS Chap13

MANAGING GROUPS WITH NET.EXE

Page 28: IT103Microsoft Windows XP/OS Chap13

MANAGING USERS WITH USER ACCOUNTS

Page 29: IT103Microsoft Windows XP/OS Chap13

USER MANAGEMENT BEST PRACTICES

Give administrators a limited account for nonadministrative use

Limit the number of users in the Administrators group

Rename or disable the Administrator account

Rename and leave the Guest account disabled

Observe the principle of least privilege

Page 30: IT103Microsoft Windows XP/OS Chap13

MANAGING USER RIGHTS ASSIGNMENTS

Page 31: IT103Microsoft Windows XP/OS Chap13

MANAGING PASSWORD POLICY

Page 32: IT103Microsoft Windows XP/OS Chap13

MANAGING ACCOUNT LOCKOUT POLICY

Page 33: IT103Microsoft Windows XP/OS Chap13

CACHED CREDENTIALS

Cached credentials are used for mobile systems that are not always connected to a domain and to speed startup and logon by letting users log on before network services are fully started. Cached credentials use the following guidelines:

Users must log on to the domain once to cache credentials for future logons.

Users whose passwords were changed might be able to log on with their previous password.

Disabled or deleted users can log on if their credentials have not been deleted.
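An added example, not from the original slides, of the check a practitioner would run against the last two guidelines: the number of domain logons Windows XP caches is the REG_SZ value CachedLogonsCount under the Winlogon key, and bounding it limits how long a changed password or a disabled account keeps working offline. The Winlogon key path is the standard one; the limit of 2 is an assumed value chosen for the example.

```batch
@echo off
rem Added example, not from the original slides. Shows the current cached
rem logon count and lowers it. The key path is the standard Winlogon key;
rem LIMIT is an assumed value. Setting it to 0 disables caching entirely,
rem which is the notebook case in the troubleshooting slide that follows.
setlocal
set WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
set LIMIT=2

echo Current setting (default is 10, range 0-50):
reg query "%WINLOGON%" /v CachedLogonsCount

rem A disabled or deleted domain account, or a superseded password, keeps
rem working offline as long as its entry survives in the cache, so keep
rem the count as small as the mobile users on this machine need.
reg add "%WINLOGON%" /v CachedLogonsCount /t REG_SZ /d %LIMIT% /f
if errorlevel 1 (
    echo Could not write CachedLogonsCount; run from an Administrator prompt.
    endlocal
    exit /b 1
)

echo New setting:
reg query "%WINLOGON%" /v CachedLogonsCount
endlocal
exit /b 0
```

The change applies to future domain logons; entries already cached remain until they are displaced by newer logons.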

Page 34: IT103Microsoft Windows XP/OS Chap13

MANAGING CACHED CREDENTIALS

Page 35: IT103Microsoft Windows XP/OS Chap13

TROUBLESHOOTING CACHED CREDENTIALS

Cached credentials are out of date

User does not have credentials cached

Cached credentials are disabled on a notebook computer

Page 36: IT103Microsoft Windows XP/OS Chap13

SUMMARY

User accounts help manage resource access.

User groups simplify administration.

Naming conventions uniquely identify users.

Complex passwords strengthen security.

Cached credentials allow access when the domain is unavailable.