Before you have your network up and running, you need to decide how to
manage access. You want to establish a consistent approach to managing the
users' network access. Access includes not only logging on to a particular
workstation but also accessing resources. Before making this decision, you must
define the method you're going to use to assign usernames and your password
requirements. The two main types of network accounts that allow you to manage
your users are user accounts and group accounts.
Several global elements may be used to manage user accounts and make administrative tasks easier, such as how you name your users and groups. These names should enable you to easily identify the location or job function of the user as well as the purpose of each group. An additional tactic that makes your job easier involves the rules you apply to passwords. One of these rules sets forth whether you want accounts to be locked out after unsuccessful logon attempts and, if so, how long they should remain disabled.
If you suspect your network has become the object of a break-in attempt, you can verify this by requiring manual reactivation of accounts that are disabled after three unsuccessful logon attempts. In this way, a user must notify you if he is unable to log on. If the user is not the one responsible for the lockout, you know that an unauthorised individual has been trying to gain access to your network.
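The lockout policy just described, replayed over a handful of logon records, as an added example (this is not code from the original text or from any network operating system). The log format and the sample lines are constructed for the example; the threshold of three failed attempts and the rule that a disabled account stays disabled until an administrator re-enables it both come from the text. The report lists the workstations that produced the failures, which is what lets you compare the lockout against the workstation the user says she was using.

```python
"""Lockout detection over constructed logon records (added example)."""
from dataclasses import dataclass, field
from typing import Optional

LOCKOUT_THRESHOLD = 3  # consecutive failures before the account is disabled

# Constructed sample records: time, outcome, username, workstation.
# Not the output of any real operating system.
SAMPLE_LOG = """\
09:00:01 FAILURE jsmith WS-ACCOUNTING-01
09:00:05 SUCCESS jsmith WS-ACCOUNTING-01
09:02:10 FAILURE jsmith WS-LOBBY-07
09:02:14 FAILURE jsmith WS-LOBBY-07
09:02:19 FAILURE jsmith WS-LOBBY-07
09:02:25 FAILURE jsmith WS-LOBBY-07
09:10:00 FAILURE bjones WS-SALES-03
09:10:30 SUCCESS bjones WS-SALES-03
"""


@dataclass
class AccountState:
    consecutive_failures: int = 0
    disabled: bool = False
    disabled_at: Optional[str] = None
    failure_sources: set = field(default_factory=set)  # workstations seen
    rejected_after_lockout: int = 0  # attempts made while already disabled


def parse_line(line):
    """Split one constructed record into (time, outcome, user, workstation)."""
    ts, outcome, user, workstation = line.split()
    return ts, outcome, user, workstation


def process_log(text, threshold=LOCKOUT_THRESHOLD):
    """Replay the records in order and return {username: AccountState}."""
    accounts = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, outcome, user, ws = parse_line(raw)
        state = accounts.setdefault(user, AccountState())
        if state.disabled:
            # No automatic unlock: the account stays disabled until an
            # administrator re-enables it, but keep counting so the
            # continued activity is visible in the report.
            state.rejected_after_lockout += 1
            state.failure_sources.add(ws)
            continue
        if outcome == "SUCCESS":
            state.consecutive_failures = 0  # a good logon resets the count
        elif outcome == "FAILURE":
            state.consecutive_failures += 1
            state.failure_sources.add(ws)
            if state.consecutive_failures >= threshold:
                state.disabled = True
                state.disabled_at = ts
    return accounts


def locked_accounts(accounts):
    """Usernames that are currently disabled, in sorted order."""
    return sorted(u for u, s in accounts.items() if s.disabled)


def lockout_report(accounts):
    """One line per disabled account: when it was disabled, where the
    failures came from, and how many attempts followed the lockout."""
    lines = []
    for user in locked_accounts(accounts):
        s = accounts[user]
        lines.append(
            f"{user}: disabled at {s.disabled_at}; failures from "
            f"{', '.join(sorted(s.failure_sources))}; "
            f"{s.rejected_after_lockout} attempt(s) after lockout"
        )
    return lines


if __name__ == "__main__":
    for line in lockout_report(process_log(SAMPLE_LOG)):
        print(line)
```

If the user locked out as `jsmith` reports only ever logging on from the accounting workstation, the failures from the lobby machine are the signal the text is talking about.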
One of the most important aspects of network security is passwords. If
the passwords are unique and hard to guess, your system is more secure. When
planning how to manage passwords, you might want to consider doing some or all
of the following:
Users often look to the system administrator for assistance in choosing
an adequate password. One easy method is for the user to pick two short words,
such as dog and walk, and separate them by a non-alphanumeric character such as
a percent sign (%). This results in the password "dog%walk", one that
cannot be cracked by a dictionary-based password-cracking program but is still
easy to remember.
In a peer-to-peer network, anyone who sits down at a computer can
access that machine and all its resources. Access to shared resources from
other computers might not require that you know a password. This model works
well in the small network (usually fewer than 10 users), where security is not
an issue.
In a larger server-based network, access is given to each user through an individual account. It's through the creation of user accounts and the attributes applied to these accounts that you manage access to resources.
Before you create the first user account (and even before you install the network operating system), a naming convention must be established.

The most workable system for creating usernames is one that enables easy identification of users yet is flexible enough to allow unique naming. Naming systems built from either the first initial and last name or the first name and last initial are two workable choices that limit user confusion.
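An added example of the two naming schemes above, with the collision handling that "flexible enough to allow unique naming" requires (this is example code, not a utility from any network operating system). The scheme names, the registry class and the sample employees are all constructed for the example; the length limit is an assumption, since the text does not state one.

```python
"""Username generation from a naming convention (added example)."""
import re
import unicodedata

SCHEMES = {
    "initial-last": lambda first, last: first[:1] + last,   # jsmith
    "first-initial": lambda first, last: first + last[:1],  # johns
}


def normalise(name):
    """Lowercase ASCII letters only: strip accents, spaces and punctuation."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower())


class UsernameRegistry:
    """Assigns usernames under one scheme and guarantees uniqueness by
    appending a counter (jsmith, jsmith2, jsmith3, ...)."""

    def __init__(self, scheme="initial-last", max_len=20):
        if scheme not in SCHEMES:
            raise ValueError(f"unknown scheme {scheme!r}")
        self.scheme = SCHEMES[scheme]
        self.max_len = max_len  # assumed limit; the text gives none
        self.assigned = {}      # username -> (first, last)

    def assign(self, first, last):
        base = self.scheme(normalise(first), normalise(last))
        if not base:
            raise ValueError("name contains no usable letters")
        candidate = base[: self.max_len]
        counter = 2
        while candidate in self.assigned:
            suffix = str(counter)
            candidate = base[: self.max_len - len(suffix)] + suffix
            counter += 1
        self.assigned[candidate] = (first, last)
        return candidate


def build_example():
    """Constructed staff list run through the first-initial-plus-last-name scheme."""
    reg = UsernameRegistry("initial-last", max_len=8)
    staff = [("John", "Smith"), ("Jane", "Smith"), ("José", "Núñez"),
             ("Bartholomew", "Featherstonehaugh"), ("Bob", "Featherstonehaugh")]
    return {f"{f} {l}": reg.assign(f, l) for f, l in staff}


if __name__ == "__main__":
    for person, username in build_example().items():
        print(f"{person:30} -> {username}")
```

The counter is appended inside the length limit rather than after it, so a truncated name and its second occurrence still differ; that is the detail most home-grown scripts get wrong.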
After a naming convention has been determined, you can begin creating the necessary user accounts. This is usually done through a utility provided by the network operating system. In Windows NT or Windows 2000, User Manager or User Manager for Domains is used. The equivalent utility for NetWare is Syscon for NetWare version 3.x, or NWAdmin for versions 4.x and 5.x. Although some UNIX operating systems also provide such a utility, the user accounts are usually created at the command prompt.
Most
network operating systems create both an administrator account and a guest
account during installation. However, the administrator must then create
accounts for all the network's users. Adding a large number of users at one
sitting can be a time-consuming process. Not only does each user account need
to be created, but each user's group memberships and access rights need to be
assigned.
One way around this is to use a template for the creation of users. First, create a dummy user account with the necessary access rights and group memberships, making sure that the account is disabled. When a new user's account needs to be created, simply copy the template and make necessary changes, such as username and password. This method significantly speeds up the process of adding several users at a time.
In Windows NT, you may add users from the command line by using the cacls.exe utility. This can be used along with a text file containing all the users' information if you must add a large number of users at one time.
As users come and go, as well as change jobs internally, more work is created for the system administrator. It's important that users who have left the company do not continue to have access to confidential information. It's your responsibility to ensure that a system is in place to notify you as soon as a user no longer needs an account or when a user's access needs have changed.
Tip: When an employee leaves your company, disable her account rather than delete it. Not only does this make your life easier if she returns, but when a new employee is hired to do the same job, you can just rename the account and change the password for the new employee. This way, all the necessary permissions and group memberships are already assigned for that individual to accomplish her job. Just be sure to create a reminder to delete that account after an appropriate amount of time has passed.
Groups are
used to organise users into logical collections based on how users need to
access your network. Users are granted the necessary resource permissions based
on their group rather than on an individual basis. Each user who is a member of
a group has the same access permissions as the group. Not only does this make
your job easier to manage when permissions need to be altered later, but this
practice also decreases the possibility of forgetting to give the boss his
needed access.
Local versus Global
In NetWare, all groups are global in scope. That is, they exist throughout the network. Windows NT and Windows 2000 complicate this a bit. In these systems, a group is part of either the individual machine's security database or the security database for the entire network. As such, groups are referred to as either local or global. Local groups are stored on the individual workstation or server and are used to access resources on that computer. Global groups are stored on the PDC (Primary Domain Controller) and are available throughout the domain.
A resource
is controlled by a particular computer, which is either a server or a
workstation. The resource may be a file, a folder, a printer, or any other
object that might be shared. The local security database controls access to
that resource. To grant access to your users, use a group that belongs to the
same security database. Therefore, when you're providing access to a printer,
that access should be granted to a local group on the print server.
Tip: One easy way to remember how to use local versus global groups is to think of resources as "living" on a particular computer rather than belonging to the entire network. Therefore, it becomes logical to use a local group to control access to the resource living on that computer.
Global groups are used to organise users at the network level, whereas local groups are used on individual computers. Each user may be a member of several different groups. Groups may be organised by function, administrative division, geographic location, or any other logical sorting you might imagine.
Another use for global groups is to provide access to resources across trusts. A trust is a special relationship created to allow users from one domain to access resources in another domain (again, this is only in Windows NT/Windows 2000 systems). Trusts are used to provide for wider access to resources. Local groups cannot cross from one domain to another. By placing users from the trusted domain in a global group, that global group may then be added to a local group on the trusting domain. This enables users from the trusted domain to access needed resources located in the trusting domain.
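An added model of the rules in this section and in the "resource lives on a computer" discussion above: resources are protected by local groups on the computer that owns them, users are collected into global groups at domain level, and a global group from a trusted domain may be nested into a local group in the trusting domain while local groups never cross domains. This is example code, not any operating system's security database; the domain, computer, group and user names are constructed.

```python
"""Local groups, global groups and trusts as a small access model (added example)."""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    users: set = field(default_factory=set)
    global_groups: dict = field(default_factory=dict)  # group -> {username}
    trusts: set = field(default_factory=set)           # domains this one trusts


@dataclass
class Computer:
    name: str
    domain: str
    local_groups: dict = field(default_factory=dict)   # group -> {"DOM\\principal"}
    acl: dict = field(default_factory=dict)            # resource -> {local group}


class Directory:
    def __init__(self):
        self.domains = {}
        self.computers = {}

    def add_domain(self, name):
        return self.domains.setdefault(name, Domain(name))

    def add_computer(self, name, domain):
        return self.computers.setdefault(name, Computer(name, domain))

    def add_trust(self, trusting, trusted):
        """The trusting domain (resource owner) accepts accounts from the trusted one."""
        self.domains[trusting].trusts.add(trusted)

    def add_local_member(self, computer, group, principal):
        """principal is 'DOM\\user' or 'DOM\\GlobalGroup'. A local group is never
        accepted as a member: it exists only in one computer's database."""
        comp = self.computers[computer]
        pdomain, pname = principal.split("\\", 1)
        dom = self.domains[pdomain]
        if pname not in dom.users and pname not in dom.global_groups:
            raise ValueError(f"{principal} is not a user or a global group")
        if pdomain != comp.domain and pdomain not in self.domains[comp.domain].trusts:
            raise PermissionError(f"{comp.domain} does not trust {pdomain}")
        comp.local_groups.setdefault(group, set()).add(principal)

    def grant(self, computer, resource, local_group):
        """Permissions are granted to a local group of the owning computer."""
        self.computers[computer].acl.setdefault(resource, set()).add(local_group)

    def local_group_users(self, computer, group):
        """Expand a local group (users and nested global groups) to 'DOM\\user' names."""
        users = set()
        for principal in self.computers[computer].local_groups.get(group, ()):
            pdomain, pname = principal.split("\\", 1)
            dom = self.domains[pdomain]
            if pname in dom.users:
                users.add(principal)
            else:
                users.update(f"{pdomain}\\{u}" for u in dom.global_groups[pname])
        return users

    def can_access(self, computer, resource, user):
        groups = self.computers[computer].acl.get(resource, ())
        return any(user in self.local_group_users(computer, g) for g in groups)


def build_example():
    """CORP owns a print server and trusts SALES; ENG is not trusted."""
    d = Directory()
    corp, sales, eng = d.add_domain("CORP"), d.add_domain("SALES"), d.add_domain("ENG")
    corp.users.add("admin")
    sales.users.update({"alice", "bob"})
    eng.users.add("eve")
    sales.global_groups["Sales Staff"] = {"alice"}
    eng.global_groups["Engineers"] = {"eve"}
    d.add_trust("CORP", "SALES")
    d.add_computer("PRINTSRV", "CORP")
    d.add_computer("FILESRV", "CORP")
    d.add_local_member("PRINTSRV", "Print Users", "SALES\\Sales Staff")
    d.grant("PRINTSRV", "LaserJet", "Print Users")
    return d


if __name__ == "__main__":
    d = build_example()
    print("SALES\\alice on PRINTSRV LaserJet:", d.can_access("PRINTSRV", "LaserJet", "SALES\\alice"))
    print("SALES\\bob   on PRINTSRV LaserJet:", d.can_access("PRINTSRV", "LaserJet", "SALES\\bob"))
```

Two of the checks are worth noting: nesting a global group from a domain the resource owner does not trust is refused, and the local group on PRINTSRV grants nothing on FILESRV, because local groups belong to one computer's security database only.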
Tip: When creating a new group using User Manager in Windows NT, select the users you want to add as members of that group while holding down the CTRL key. After selecting all the users you want to include, create the group. The users you've selected are then made members of that group.
Network operating systems provide built-in groups with the predefined rights and privileges that are necessary for accomplishing certain routine tasks. These groups are capable of performing certain administrative tasks, such as creating accounts and performing backups. This provides a relatively easy format that enables the administrator to delegate certain tasks without granting administrative privileges to others.
The tables below show the groups that are built-in as global and local groups on Windows NT. NetWare only has one built-in group, called 'Everyone'. All users are members of this group.
Built-in Global Groups

Group         | Managed by                           | Contains
Domain Admins | Administrators                       | Administrator
Domain Users  | Administrators and Account Operators | Administrator and new users
Domain Guests | Administrators and Account Operators | Guest

Built-in Local Groups

Group             | Managed by                       | Auto contents | Permissions
Administrators    | Administrators                   | Domain Admins | Can do anything
Backup Operators  | Administrators                   | None          | Backup and
Server Operators  | Administrators                   | None          | Share/unshare
Account Operators | Administrators                   | None          | Manage user and
Print Operators   | Administrators                   | None          | Manage printers,
Power Users       | Administrators                   | Power Users   | Set up users, create
Users             | Administrators                   | Domain Users  | Cannot log on
Guests            | Administrators and               | Domain Guests | Utilise domain
Replicator        | Administrator                    | None          | Manage replication
MULTIPLE LOGINS
It may be important for security reasons that users log in at only one computer at a time. If a user logs on to one machine and then walks off, the network can be accessed by anyone who walks up to that machine. If you prevent multiple simultaneous logons, a user who tries to log on to another machine is reminded that he is already logged on at another station. This feature may be implemented throughout the operating system or via a third-party product.
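An added example of the single-logon rule above as a small session table: a second logon for a user who already holds a session is refused with a message naming the station she is still logged on at, and only a logoff (or an administrator clearing the stale session) frees the account. This is example code, not the mechanism of any operating system or third-party product; the class, usernames and workstations are constructed.

```python
"""Single simultaneous logon enforcement (added example)."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    workstation: str
    since: str  # constructed clock string, e.g. "09:15"


class LogonController:
    """Keeps one active session per user and refuses a second one."""

    def __init__(self, allow_multiple=False):
        self.allow_multiple = allow_multiple
        self.sessions = {}  # user -> Session (only the first is kept)

    def logon(self, user, workstation, now):
        """Return (accepted, message). A refusal names the existing station so
        the user knows where she is still logged on."""
        current = self.sessions.get(user)
        if current is not None and not self.allow_multiple:
            return False, (f"{user} is already logged on at {current.workstation} "
                           f"(since {current.since}); log off there first")
        if current is None:
            self.sessions[user] = Session(user, workstation, now)
        return True, f"{user} logged on at {workstation}"

    def logoff(self, user):
        """Free the account; returns False if there was no session to end."""
        return self.sessions.pop(user, None) is not None

    def clear_stale(self, user):
        """Administrator action for the walked-off case: end the session on
        the user's behalf so she can log on elsewhere."""
        return self.logoff(user)

    def active(self):
        """Sorted (user, workstation) pairs, the view an administrator checks."""
        return sorted((s.user, s.workstation) for s in self.sessions.values())


def run_example():
    """Constructed walk-through: alice leaves WS-01 logged on and tries WS-02."""
    ctl = LogonController()
    results = [
        ctl.logon("alice", "WS-01", "09:15"),
        ctl.logon("alice", "WS-02", "09:40"),   # refused: still logged on at WS-01
        ctl.logoff("alice"),
        ctl.logon("alice", "WS-02", "09:41"),   # accepted after the logoff
    ]
    return ctl, results


if __name__ == "__main__":
    _, results = run_example()
    for r in results:
        print(r)
```

Refusing the second logon, rather than silently ending the first, is the behaviour the text describes: the user is reminded where the open session is, and someone else sitting at that station cannot be hidden by a fresh logon elsewhere.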