clifton-blake
Guide to Operating System Security
Chapter 4
Account-based Security

Objectives
• Discuss how to develop account naming and security policies
• Explain and configure user accounts
• Discuss and configure account policies and logon security techniques
• Discuss and implement global access privileges
• Use group policies and security templates in Windows 2000 Server and Windows Server 2003

Account Naming
• Provides orderly access to server and network resources
• Enables administrators to monitor security:
  • Which users are accessing the server
  • What resources they are using
• Establish conventions for account names
  • User’s actual name
  • User’s function

Security Policies
• Apply to all accounts or to all accounts in a particular directory service container
• Affected elements:
  • Password security
    • Expiration period
    • Minimum length
    • Password recollection
  • Account lockout
  • Authentication method

Creating User Accounts in Windows 2000 Professional
• Typically installed with:
  • Administrator account
  • Guest account
• To create and manage user accounts:
  • Start – Settings – Control Panel – Users and Passwords, or
  • Right-click My Computer – Manage – Local Users and Groups – Users

Creating User Accounts in Windows XP Professional
• Installed with:
  • Account that usually consists of user’s name
  • Administrator account
  • Guest account
  • HelpAssistant account for remote desktop help
  • Support accounts for Microsoft and computer manufacturer
• To create and manage user accounts:
  • Start – Control Panel – User Accounts, or
  • Right-click My Computer – Manage – Local Users and Groups – Users

Managing User Accounts in Windows XP Professional

Creating User Accounts in Windows 2000 Server/Server 2003
• Installed with:
  • Administrator account
  • Guest account
  • Other accounts, depending on services installed on server
• Create new accounts by entering account information and password controls
  • Local user account on a server that is not part of a domain
  • Account in the Active Directory

Managing User Accounts in Windows 2000 Server

Creating a New User
• Complete name, user logon name, password, and password confirmation information
• User must change password at next logon
• User cannot change password
• Password never expires
• Account is disabled
• Further configure associated properties

Account Properties in Windows Server 2003
• General tab
• Address tab
• Account tab
• Profile tab
• Telephones tab
• Organization tab
• Member Of
• Dial-in
• Environment
• Sessions
• Remote Control
• Terminal Services Profile
• COM+ tab

Account Tab

Creating User Accounts in Red Hat Linux 9.x
• Each user account is associated with a user identification number (UID)
• Assign users with common access needs to a group via a group identification number (GID)

Contents of Linux Password File (/etc/passwd)
• Username
• Encrypted password or reference to shadow file
• UID and GID
• Information about the user
• Location of user’s home directory
• Command that is executed as user logs on

Linux Shadow File (/etc/shadow)
• Available only to system administrator
• Contains password restriction information
  • Minimum/maximum number of days between password changes
  • When password was last changed
  • When password will expire
  • Amount of time account can be inactive before access is prohibited

Creating User Accounts and Groups in Linux
• Use command-line commands
  • Create new user with useradd
  • Modify parameters with usermod
  • Delete accounts with userdel
• Use Red Hat User Manager from GNOME desktop

Creating Accounts with the Command Line

Creating Accounts with Red Hat User Manager

Creating User Accounts in NetWare 6.x
• Use ConsoleOne tool

Creating User Accounts in Mac OS X (Continued)
• Choose Accounts icon in System Preferences window
  • Name of account holder
  • Short name for logging on
  • Password
  • Password hint

Creating User Accounts in Mac OS X (Continued)
• Tools that enable server management (Mac OS X Server)
  • Server Admin
  • Macintosh Manager

Accounts Option in Mac OS X

Mac OS X Logon Options
• Automatically log on to specific account when computer is booted
• Log on by viewing a name and password box, or by seeing a list of user accounts
• Hide Restart and Shut Down buttons
• Show password hint after three unsuccessful logon attempts

Mac OS X Server
• Tools
  • Server Admin
  • Macintosh Manager

Setting Account Policies and Configuring Logon Security
• Place restrictions on passwords
• Automatically lock out accounts after a specified number of unsuccessful logon attempts

Guidelines for Building Strong Passwords
Do use:
• 7+ characters
• Combination of upper- and lowercase letters, numbers, and characters
• Symbol character(s)
• Coded phrase to help you remember
Do not use:
• Words in the dictionary or proper names
• Sports terms or names of sports teams
• Your account name
• Consecutive characters
• Common slang terms

Using Account Policies in Windows Server 2000/Server 2003
• Set up as part of group policy that applies to all accounts in an Active Directory container
• Can also be configured for a local computer
• Account policy options affect:
  • Password security
  • Account lockout

Password Security Options in Windows Server 2000/Server 2003
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password(s) must meet complexity requirements
• Store password using reversible encryption

Account Lockout Options in Windows Server 2000/Server 2003
• Account lockout duration
• Account lockout threshold
• Reset account lockout counter after
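
How the three lockout options interact, as an added example that is not part of the original slides: a simplified model (not Windows' own implementation) replayed over a constructed sequence of logon attempts. The class, function and policy values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int = 3         # failed logons that trigger a lockout
    duration_min: int = 30     # lockout length; 0 = until an administrator unlocks
    reset_after_min: int = 10  # quiet period after which the failure counter resets

# Constructed sample: (minute, user, password_ok), in time order.
SAMPLE_EVENTS = [(0, "alice", False), (2, "alice", False), (15, "alice", False),
                 (16, "alice", False), (17, "alice", False), (20, "alice", True),
                 (47, "alice", True)]

def replay(events, policy):
    """Apply the policy to each logon attempt and return its outcome."""
    state = {}  # user -> (failure_count, last_failure_minute, locked_at)
    outcomes = []
    for minute, user, ok in events:
        count, last_fail, locked_at = state.get(user, (0, None, None))
        if locked_at is not None:
            if policy.duration_min and minute - locked_at >= policy.duration_min:
                count, locked_at = 0, None  # lockout duration has elapsed
            else:
                # Even a correct password is refused while locked out.
                outcomes.append("rejected: locked out")
                continue
        if last_fail is not None and minute - last_fail >= policy.reset_after_min:
            count = 0  # counter reset window has passed
        if ok:
            count, last_fail, outcome = 0, None, "success"
        else:
            count, last_fail, outcome = count + 1, minute, "failure"
            if count >= policy.threshold:
                locked_at, outcome = minute, "failure: account locked"
        state[user] = (count, last_fail, locked_at)
        outcomes.append(outcome)
    return outcomes

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, LockoutPolicy())):
        print(event, "->", outcome)
```

With the default values, the 13-minute pause before minute 15 resets the counter, so the lockout happens two attempts later than it would with a 30-minute reset window.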

Account Security Options in Red Hat Linux 9.x
• No formal account security policies
• Enables configuration of security options associated with individual accounts (using Red Hat User Manager)
• Stores security information in shadow file (/etc/shadow) as properties associated with accounts

Account Password Configuration Options in Red Hat Linux
• Setting an account to expire on a particular date
• Locking a user account
• Expiration of account passwords so that users have to reset them
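
The /etc/shadow properties listed on the shadow file slide and the per-account options above (expiry date, lock, password expiration), as an added example that is not part of the original slides: a parser and audit over constructed shadow lines. The 90-day policy limit, the sample date and the function names are assumptions.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
SAMPLE_TODAY = EPOCH + timedelta(days=12180)  # constructed "current" date

# Constructed sample lines (not from a real system); hashes are placeholders.
SAMPLE_SHADOW = """\
root:$1$placeholder$hash:12000:0:99999:7:::
alice:$1$placeholder$hash:12100:1:90:7:14::
bob:!$1$placeholder$hash:12100:0:90:7::12200:
carol:$1$placeholder$hash:12000:0:60:7:10::
"""

def _days(field):
    """Dates and periods are day counts; an empty field means 'not set'."""
    return int(field) if field else None

def parse_shadow_line(line):
    f = line.strip().split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    return {"user": f[0], "locked": f[1].startswith(("!", "*")),
            "last_change": _days(f[2]), "max_days": _days(f[4]),
            "inactive": _days(f[6]), "expire": _days(f[7])}

def audit(entry, today, policy_max=90):
    """Return findings for one account as of `today`."""
    now = (today - EPOCH).days
    findings = []
    if entry["locked"]:
        findings.append("password locked")
    if entry["expire"] is not None and now >= entry["expire"]:
        findings.append("account expired")
    mx, last = entry["max_days"], entry["last_change"]
    if mx is None or mx > policy_max:
        findings.append("no effective maximum password age")
    elif last is not None and now - last > mx:
        grace = entry["inactive"]
        if grace is not None and now - last > mx + grace:
            findings.append("password expired, inactivity period exceeded")
        else:
            findings.append("password expired, change required at logon")
    return findings

def audit_file(text, today=SAMPLE_TODAY):
    entries = (parse_shadow_line(l) for l in text.splitlines() if l.strip())
    return {e["user"]: audit(e, today) for e in entries}

if __name__ == "__main__":
    print(audit_file(SAMPLE_SHADOW))
```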

Red Hat Linux 9.x Account Password Configuration

Using Account Templates in NetWare 6.x
• Configure through user templates before accounts are created
• Use ConsoleOne utility to create user templates

Establishing Account Properties with User Template (NetWare 6.x) (Continued)
• Home directory location and access rights to that directory
• Requirement for a password
• Minimum password length
• Requirement that password be changed within specified interval of time
• Grace period that limits number of times user can log in after password has expired

Establishing Account Properties with User Template (NetWare 6.x)
• Requirement that a new password be used each time the old one is changed
• Time restrictions
• Intruder detection capabilities
• Limit on number of simultaneous connections
• Workstation logon restrictions

Intruder Detection in NetWare 6.x

Using Global Access Privileges
• Windows 2000 Server/Server 2003
  • User rights govern user and administrative functions
• NetWare 6.x
  • Uses access rights, applied in a different way, for more fine-tuned access functions
  • Role-based security establishes administrative roles for managing a server

Windows Server 2000/Server 2003 User Rights (Continued)
• Enable account or group to perform predefined tasks
  • Basic rights: access a server
  • Advanced: create accounts and manage server functions
• Can be assigned to user accounts or to groups
  • Groups are more efficient (inherited rights)

Windows Server 2000/Server 2003 User Rights (Continued)
• Give server administrative security controls over who can access server and Active Directory resources
• Two categories
  • Privileges
    • Manage server or Active Directory functions
  • Logon rights
    • Access accounts, computers, and services

Windows Server 2000/Server 2003 Privileges (Continued)

Windows Server 2000/Server 2003 Logon Rights

Role-based Security in NetWare 6.x
• Allocated according to administrative roles (managing tasks or network services)
  • DHCP Management
  • DNS Management
  • eDirectory
  • iPrint Management
  • License Management

Using Group Policies in Windows Server 2000/Server 2003
• Enables standardization by setting policies in Active Directory or on local computer (e.g., account policies, user rights, IPSec policies)
• Evolved from Windows NT Server 4.0 concept of system policy
  • Use Poledit.exe to configure basic user account and computer parameters (domain-wide or specific)

Differences Between System Policy and Group Policy
System policy | Group policy
Largest range is the domain | Can cover multiple domains in one site
Fewer objects to configure | More objects to configure
Focus on clients’ desktop environment as controlled by Registry settings | Set for more environments
Less secure | More secure
Can live on after no longer needed | Dynamically updated and configured to represent most current needs

Defining Characteristics of Group Policy
• Can be set for a site, domain, OU, or local computer
• Stored in group policy objects
  • Local and nonlocal GPOs

Configuring Client Security Using Policies
• Advantages to customizing settings used by clients
  • Improved security
  • Consistent working environment
• Customize settings by configuring policies on Windows 2000/2003 servers that clients access
  • When client logs on, policies are applied

Manually Configuring Policies for Clients
• Use either:
  • Group Policy Snap-in (Windows 2000 Server)
  • Group Policy Object Editor Snap-in (Windows Server 2003)
• Use Administrative Templates object under User Configuration in a group policy object to customize desktop settings for client computers

Configuring Administrative Templates

Automated Configuration of Administrative Templates

Configuring Administrative Templates

Configuring Additional Security Options
• Fine-tune security on a server by configuring security options within local policies in a GPO
• Enables you to configure group policy security for special needs

Group Policy Security Options

Configuring Additional Security Options

Summary
• Considerations when creating formal policies about account naming and security
• How to set up accounts in different operating systems
• How to configure those accounts to implement an organization’s policies
• User rights and role-based security
• How to work with group policies and security templates