IT103Microsoft Windows XP/OS Chap13

  • In this chapter, students learn how users and groups fit together. They are introduced to user accounts, groups, user rights assignment, account policy, and cached credentials. These slides illustrate some of the topics in more detail than the text does, showing students the dialog boxes and answering the questions they are likely to have.
  • A user account is the basic unit of identity for a user. Every process in Windows XP runs in the security context of some user account; system processes and service processes run as users too. You grant users access to resources by associating their security identifier (SID), part of their identity, with the discretionary access control lists (DACLs) of objects. That association, embodied in an access control entry (ACE), forms the foundation for security in Windows XP. In Active Directory, user accounts matter even more: they are the repository for data about the user, and can hold a user's address, phone/fax numbers, and even personnel data.
  • Users can be collected into groups to simplify the assignment of permissions. By granting a permission to a group, you grant it to every member at once, and you revoke it from one user simply by removing the membership. In Active Directory, groups are designated as security or distribution groups; distribution groups exist only to simplify messaging and cannot be used in DACLs.
  • Built-in accounts are created during setup of the operating system. The Administrator account is intended for system administration tasks and has the rights and permissions to perform any maintenance and configuration task on the system. The Guest account grants temporary access to guests; it is disabled by default and has no administrative function or permissions. Discuss the security implications of these two accounts. The Administrator account can be renamed, but it keeps its well-known SID (relative identifier 500), so renaming hides only the name; and because account lockout policy does not apply to it by default, it is a favorite target for password guessing. The Guest account is usually left disabled, and guests are instead added to the Guests local group. Mention the System (LocalSystem) account as well. It cannot log on interactively, but it is the account most system processes run under, and it is at least as powerful as the Administrator account: it holds privileges, such as Act As Part Of The Operating System, that administrators do not have by default.
  • Built-in groups allow users to be given specific rights and permissions based on their role: placing a user in a built-in group confers that group's administrative abilities on the system. Discuss the built-in groups listed in the textbook (for example Administrators, Power Users, Users, Guests, and Backup Operators), describe how they define administrative roles in Windows XP, and give an example of when each might be used.
  • Implicit groups (special identities) let administrators control access based on how a resource is being accessed rather than on who the user is. Their membership is assigned by the system, not by an administrator: for example, Interactive matches a user at the console while Network matches one connecting over the network, and Authenticated Users is a safer grant than Everyone because it excludes Guest and anonymous logons. The list in the textbook describes how some of these groups are used. Be prepared to offer an anecdote about how you have used an implicit group to simplify a security issue.
  • Service accounts allow system services, and services installed by applications, to access resources; permissions can be granted to them as if they were real users. Discuss the three built-in service accounts: Local System, Local Service, and Network Service. Local Service and Network Service run with far fewer privileges than Local System, so a service should use one of them unless it genuinely needs full system access. Also discuss the user rights (such as Log On As A Service) a service account needs before a service can start under it; the Services console grants that right when you set the account there, but a scripted change may not, and the service then fails to start with a logon failure. Service accounts are usually configured so that their passwords do not expire, because an expired password stops the service; the trade-off is that such a password must be long, random, stored securely, and rotated deliberately rather than by policy. Mention the application service accounts Windows XP creates, such as IUSR_<system name> for anonymous access to IIS. Open the Services console and show students how service accounts are assigned to services.
  • When you discuss domain user accounts and groups, point out how users and groups from the domain can be placed into local groups to give them rights and permissions on the local system.
  • This slide shows the Local Users and Groups snap-in, both in the Computer Management console and in a standalone console. If time permits, demonstrate how to create a custom user management console by adding the standalone Local Users and Groups snap-in to an empty Microsoft Management Console.
  • This slide depicts the User Accounts tool in Control Panel. Point out that this tool creates only basic user accounts, placing them in the Users or Administrators built-in group. Managing user profile settings or assigning membership in other groups requires use of the Local Users and Groups snap-in or the Net User tool. However, the User Accounts tool is the only tool that allows you to designate the user’s logon icon.
  • This slide depicts the Active Directory Users and Computers console, the principal user management tool for Active Directory domains. Mention other tasks you can perform with it, such as Group Policy management and management of domain computer accounts.
  • The NET USER command can be called from batch files to automate repetitive management tasks, and is useful for scripted user account additions and changes. A batch file that takes command-line parameters can add or remove specific user accounts quickly. Point out the available command options in the textbook and, if time permits, demonstrate adding and removing a user with Net.exe. Note that a password typed on the command line is visible to anyone who can see the screen, the batch file, or the command history; NET USER name * prompts for it instead.
  • This slide shows the planning stages for users and groups. It begins with users and files. Users are collected into groups, and the files are collected into folders. Permissions are given to the group, and in the last frame, a new user gains access to the folder simply by being placed into the group. As you explain this approach, try to offer real-world examples.
  • Use this slide to discuss how to provide the listed users with unique usernames. Discuss ways to ensure uniqueness, such as adding numbers to the end of the name or including the middle initial. Present a few real-world scenarios as well.
  • Passwords are a weakness in many organizations. Discuss ways to create strong but memorable passwords (passphrases), and the use of nonalphanumeric characters. Describe the two main attacks against passwords and how a long, complex password makes them less likely to succeed: a dictionary attack, where the attacker tries words and word combinations, and a brute-force attack, where the attacker tries every combination of letters, numbers, and special characters until the password is found. Length defeats brute force because each added character multiplies the search space; complexity defeats dictionary guessing only if the password is not a dictionary word with predictable substitutions. Account lockout (discussed later) slows both attacks against the logon prompt, but not an offline attack on captured password hashes.
  • This slide depicts the selection of the Welcome screen and Classic logon dialog box in the User Accounts tool in Control Panel. Discuss when each logon method might be useful. Demonstrate the configuration of this option if time permits.
  • This slide shows the Local Users and Groups snap-in being used to manage a user account from creation to deletion. As you step through the frames, discuss each dialog box and its options.
  • This slide shows the Local Security Settings console displaying the User Rights Assignment section of Local Security Policy. Discuss the user rights listed in the textbook and describe how or where each might be used. Describe a real-world scenario such as a system that requires shutdown restrictions or a user who is responsible for backing up and restoring files.
  • This slide depicts the management of a group using Local Users and Groups. If possible, walk through this process in class. Point out the warning at the end, and be sure to note its content—that a group created later with the same name will have a new SID and will not gain access to resources granted to this group.
  • This slide depicts the management of the local group Finance using the Net command with the Localgroup option. If possible, discuss the management of users and groups using the Net command, and demonstrate the creation of a group. Also, mention the Group option of the Net command for domain global group management.
  • This slide shows a user being created, managed, and deleted with the User Accounts tool in Control Panel. Discuss the limitations of this method—namely, the inability to work with any groups other than the built-in Users and Administrators groups.
  • This list mirrors the best practices list in the textbook. Discuss the reasoning behind each point, and ask students for examples of when each item would apply.
  • This slide depicts the addition of the user John to the list of users allowed to shut down the system. If possible, demonstrate this using a system in the classroom.
  • Discuss the settings available in Local Security Policy to manage password strength. Demonstrate the configuration of these settings, if possible.
  • Discuss the settings available in Local Security Policy to manage account lockouts (threshold, duration, and the reset window). Demonstrate the configuration of these settings, if possible. Describe real-world scenarios where account lockout can thwart an attacker guessing passwords at the logon prompt, and the trade-off: an attacker who knows user names can lock accounts out on purpose, so prefer a finite lockout duration over one that requires an administrator to unlock the account.
  • Cached credentials serve mobile systems that are not always connected to a domain, and they speed startup and logon by letting users log on before network services are fully started. Discuss the use of cached credentials and the following guidelines: Users must log on to the domain once, while connected, to cache credentials for future logons. Users whose passwords were changed on the domain may still be able to log on to a disconnected machine with their previous password. Disabled or deleted users can log on to a disconnected machine as long as their cached credentials remain. Because each cached entry is derived from the user's password, the cache is also attractive to an attacker who obtains the machine; limiting the number of cached logons limits that exposure.
  • This slide depicts the Group Policy setting used to manage cached credentials in Windows XP (Interactive logon: Number of previous logons to cache). Describe the effects on a system if this value is set to 0 (cached credentials disabled): no domain account can log on unless a domain controller can be reached, so a disconnected notebook becomes unusable, whereas a server or kiosk that never leaves the network gives up nothing.
  • This slide lists three potential issues with cached credentials. Discuss the symptoms of each and see if students can offer the correct solution to each scenario. Be sure to discuss the necessity of logging on to a domain at least once to cache credentials for offline use.
  • This slide follows the summary in the textbook. Discuss each item, emphasizing important points. Answer any final questions.
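The service-account note above (a dedicated account, a non-expiring password, the Log On As A Service right, and reading back which account a service runs as), as an added batch example that is not part of the chapter or of any product. The account name svc_backup, the service name MyBackupSvc and the password argument are assumptions; the tools used (net.exe, wmic.exe, sc.exe) ship with Windows XP Professional.

```batch
@echo off
rem svc-account.cmd  -- added example, not the chapter's own material.
rem svc_backup, MyBackupSvc and the password argument are assumptions.
rem Run from an Administrator command prompt.
rem
rem   svc-account.cmd create <password>   create the account, bind the service to it
rem   svc-account.cmd audit               list which account every service runs as
setlocal
set SVCUSER=svc_backup
set SVCNAME=MyBackupSvc

if /i "%~1"=="create" goto :create
if /i "%~1"=="audit"  goto :audit
echo usage: %~nx0 create ^<password^> ^| audit
exit /b 2

:create
if "%~2"=="" (
    echo usage: %~nx0 create ^<password^>
    exit /b 2
)
rem A dedicated local account that never logs on interactively, so the
rem password can be long and random. /passwordchg:no stops the account from
rem changing it; /expires:never is the *account* expiry, not the password's.
net user %SVCUSER% "%~2" /add /passwordchg:no /expires:never ^
    /comment:"Runs %SVCNAME%; not for interactive logon" || exit /b 1

rem "Password never expires" is a separate flag that net user cannot set on
rem XP; WMIC can. An expired password would stop the service at its next
rem start, which is why the chapter recommends the setting for service accounts.
wmic useraccount where name='%SVCUSER%' set PasswordExpires=false >nul || exit /b 1

rem Bind the service to the account. sc.exe needs the space after each '='.
rem ".\name" is a local account; use DOMAIN\name for a domain account.
rem The change applies the next time the service starts.
sc config %SVCNAME% obj= ".\%SVCUSER%" password= "%~2" || exit /b 1

rem The account still needs the "Log on as a service" right. The Services
rem console grants it when the account is set there; after a scripted change
rem grant it in Local Security Policy (User Rights Assignment), otherwise the
rem service fails to start with error 1069 (logon failure).
sc qc %SVCNAME% | findstr /c:"SERVICE_START_NAME"
exit /b 0

:audit
rem Every installed service and the account it runs under. LocalSystem,
rem NT AUTHORITY\LocalService and NT AUTHORITY\NetworkService are the built-in
rem choices; anything else is a custom service account whose password, rights
rem and group memberships are worth reviewing.
for /f "tokens=1* delims=: " %%S in ('sc query type^= service state^= all ^| findstr /b /c:"SERVICE_NAME"') do (
    for /f "tokens=1* delims=:" %%A in ('sc qc "%%T" ^| findstr /c:"SERVICE_START_NAME"') do echo %%T runs as%%B
)
exit /b 0
```

The audit branch is the check a practitioner runs after the lesson: any service whose start name is not one of the three built-in accounts is a place where a forgotten password, an unnecessary Administrators membership, or a missing Log On As A Service right will show up.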
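The planning sequence in the notes (users collected into a group, the permission granted once to the group on the folder, a new user gaining access by membership alone), together with the NET USER and NET LOCALGROUP management notes, as one added batch example that is not part of the chapter. The group name Finance, the folder D:\Finance and the user names are assumptions; net.exe and cacls.exe ship with Windows XP.

```batch
@echo off
rem finance-users.cmd  -- added example, not the chapter's own material.
rem The group Finance, the folder D:\Finance and the user names are assumptions.
rem Run from an Administrator command prompt.
rem
rem   finance-users.cmd setup                   create group, grant it the folder (once)
rem   finance-users.cmd add    <user> <password>
rem   finance-users.cmd remove <user>
setlocal
set GROUP=Finance
set FOLDER=D:\Finance

if /i "%~1"=="setup"  goto :setup
if /i "%~1"=="add"    goto :add
if /i "%~1"=="remove" goto :remove
:usage
echo usage: %~nx0 setup ^| add ^<user^> ^<password^> ^| remove ^<user^>
exit /b 2

:setup
rem The permission goes on the folder for the GROUP, once. Members get access
rem through membership alone and the folder ACL is never edited per user.
if not exist "%FOLDER%" mkdir "%FOLDER%" || exit /b 1
net localgroup %GROUP% >nul 2>&1 || net localgroup %GROUP% /add /comment:"Finance department staff" || exit /b 1
rem /E edits the ACL in place (keeps the Administrators and SYSTEM entries);
rem /G grants; C = Change (read, write, execute, delete).
cacls "%FOLDER%" /E /G %GROUP%:C || exit /b 1
rem Check the result. Entries inherited from the parent (for example Users:R
rem from the drive root) still apply; cacls on XP cannot change inheritance,
rem so remove those in the folder's Security tab if the folder must be
rem reachable by Finance members only.
cacls "%FOLDER%"
exit /b 0

:add
if "%~3"=="" goto :usage
rem Create the account and grant access purely by group membership.
rem /passwordreq:yes refuses a blank password. The password is visible on the
rem command line and in any log of it; for interactive use, NET USER name *
rem prompts for it instead.
net user "%~2" "%~3" /add /passwordreq:yes /comment:"Finance staff" || exit /b 1
net localgroup %GROUP% "%~2" /add || exit /b 1
rem Check: the new account lists Finance under its local group memberships.
net user "%~2" | findstr /c:"Local Group Memberships"
exit /b 0

:remove
if "%~2"=="" goto :usage
rem Drop the membership, then the account. Deleting the account retires its
rem SID for good: an ACE that named the user directly would be left as an
rem orphaned SID on the folder, which is why the permission was granted to the
rem group and not to users. The same applies to the group itself: a group
rem recreated with the same name gets a new SID and no longer matches the ACE.
net localgroup %GROUP% "%~2" /delete
net user "%~2" /delete || exit /b 1
exit /b 0
```

For domain groups the equivalent of the localgroup branch is NET GROUP run against a domain controller; the folder permission is still granted to the group, and the domain group is typically nested into a local group on the workstation as the notes describe.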
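The User Rights Assignment, password policy and account lockout notes (adding John to the users allowed to shut down the system, then setting length, complexity and lockout values) as one added batch example that is not part of the chapter. secedit.exe is the command-line counterpart of the Local Security Settings console and ships with Windows XP; the user name John, the numeric limits, the file names and the use of the system policy database for the export are assumptions.

```batch
@echo off
rem local-policy.cmd  -- added example, not the chapter's own material.
rem John, the numeric limits and the file names are assumptions.
rem Run from an Administrator command prompt.
setlocal
set WORK=%TEMP%\localpolicy
if not exist "%WORK%" mkdir "%WORK%"

rem 1. Export what is in force now from the local policy database
rem (assumed path; later Windows versions accept /export without /db).
rem A [Privilege Rights] line in a template REPLACES the right's whole member
rem list, so read the current holders of SeShutdownPrivilege before writing one.
secedit /export /db "%windir%\security\database\secedit.sdb" /cfg "%WORK%\current.inf" /areas SECURITYPOLICY USER_RIGHTS >nul
findstr /c:"SeShutdownPrivilege" "%WORK%\current.inf"

rem 2. Write the template. The SIDs below are the XP Professional defaults for
rem the shut-down right (Administrators, Backup Operators, Power Users, Users);
rem keep whatever step 1 printed and append John. Local account names are
rem accepted; the *SID form always works.
rem   MinimumPasswordLength beats complexity against brute force; complexity
rem   blocks dictionary words. LockoutBadCount / ResetLockoutCount /
rem   LockoutDuration are attempts and minutes; a finite duration means someone
rem   who knows user names can only delay users, not lock them out until an
rem   administrator intervenes (LockoutDuration 0 would do that), and
rem   ResetLockoutCount must not exceed LockoutDuration.
> "%WORK%\policy.inf" (
    echo [Version]
    echo signature="$CHICAGO$"
    echo Revision=1
    echo [System Access]
    echo MinimumPasswordLength = 12
    echo PasswordComplexity = 1
    echo PasswordHistorySize = 24
    echo MaximumPasswordAge = 90
    echo MinimumPasswordAge = 1
    echo LockoutBadCount = 5
    echo ResetLockoutCount = 30
    echo LockoutDuration = 30
    echo [Privilege Rights]
    echo SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,John
)

rem 3. Apply only the two areas the template covers, through a scratch database.
secedit /configure /db "%WORK%\policy.sdb" /cfg "%WORK%\policy.inf" ^
    /areas SECURITYPOLICY USER_RIGHTS /log "%WORK%\policy.log" >nul
if errorlevel 1 (
    echo secedit reported a problem; see "%WORK%\policy.log"
    exit /b 1
)

rem 4. Verify the way an auditor would: NET ACCOUNTS prints the password and
rem lockout values in force, and a fresh export shows the right's holders.
net accounts
secedit /export /db "%WORK%\policy.sdb" /cfg "%WORK%\after.inf" /areas USER_RIGHTS >nul
findstr /c:"SeShutdownPrivilege" "%WORK%\after.inf"
exit /b 0
```

Always read the log even when the exit code is zero: secedit records a line per setting it could not apply, and a right whose member list contains a name it cannot resolve is the usual cause.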
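The cached-credentials notes (the Group Policy setting, the effect of 0, and the three troubleshooting cases) as an added batch example that is not part of the chapter. It works with the registry value behind the policy "Interactive logon: Number of previous logons to cache"; a domain-joined Windows XP machine and the sample values are assumptions.

```batch
@echo off
rem cached-logons.cmd  -- added example, not the chapter's own material.
rem A domain-joined XP machine and the sample values are assumptions.
rem
rem   cached-logons.cmd          report the setting and flag likely problems
rem   cached-logons.cmd set N    set it (0 disables caching; 0-50 allowed)
setlocal
set KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
set VAL=CachedLogonsCount

if /i "%~1"=="set" goto :set

rem The value is a REG_SZ string. When it is absent, the default of 10 applies.
set COUNT=10
for /f "tokens=3" %%C in ('reg query "%KEY%" /v %VAL% 2^>nul ^| findstr /i "%VAL%"') do set COUNT=%%C
echo %VAL% = %COUNT%

rem Troubleshooting checks from the slide, in order of likelihood.
if "%COUNT%"=="0" (
    echo   * Caching is disabled: no domain account can log on while no domain
    echo     controller is reachable. Wrong for a notebook, right for a server
    echo     or kiosk that never leaves the LAN.
    exit /b 0
)
echo   * Up to %COUNT% distinct domain users can log on while disconnected,
echo     but only those who logged on here at least once while connected.
echo   * Each entry is derived from the user's password at that logon: a
echo     password changed elsewhere, or an account disabled or deleted since,
echo     is not reflected until the next connected logon. A small value
echo     (notebooks: 1 or 2) limits what a stolen machine holds.
exit /b 0

:set
if "%~2"=="" (
    echo usage: %~nx0 set ^<0-50^>
    exit /b 2
)
reg add "%KEY%" /v %VAL% /t REG_SZ /d %~2 /f || exit /b 1
echo Set %VAL% to %~2. Takes effect from the next logon; a Group Policy
echo setting for the same value, where one applies, overrides this local one.
exit /b 0
```

Run the report branch on the disconnected notebook first: a value of 0, or a user who has never logged on while connected, accounts for most "cannot log on while travelling" calls without touching the domain.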

    1. MANAGING USERS AND GROUPS, Chapter 13
    2. OVERVIEW
       - Configure and manage user accounts
       - Manage user account properties
       - Manage user and group rights
       - Configure user account policy
       - Manage and troubleshoot cached credentials
       Chapter 13: MANAGING USERS AND GROUPS
    3. USER ACCOUNTS
       - Identify users to the system and to each other
       - Used to grant access to resources
       - Collect information about users
    4. Extra
       - You grant users access to resources by associating their security identifier (SID), part of their identity, with the discretionary access control lists (DACLs) belonging to objects.
       - This association, embodied in an access control entry (ACE), forms the foundation for security in Windows XP.
    5. GROUPS
       - Collections of user accounts
       - Simplify access to resources
       - Can be used for security and messaging (Active Directory)
    6. Active Directory?
       - In Active Directory, groups can be designated for security or distribution. Distribution groups are used to simplify messaging.
       - In Active Directory, user accounts are even more important: they are the repository for data about the user. They can contain a user's address, phone/fax numbers, and even personnel data.
    7. BUILT-IN USER ACCOUNTS
       - Configured during setup
       - Used for administration or guest access
       - Can be renamed but not deleted
    8. More detail...
       - Built-in accounts are created during setup of the operating system.
       - The Administrator account is intended for system administration tasks and has the appropriate rights and permissions to perform any maintenance and configuration task on the system.
       - The Administrator account can be renamed, but it retains its distinctive SID and is a favorite target for attackers because account lockout policy does not apply to it by default.
    9. More detail...
       - The Guest account is for granting temporary access to guests. It is disabled by default. This account does not have any administrative function or permissions.
       - The Guest account is usually left disabled, and guests are instead added to the Guests local group.
    10. More detail...
       - The System account does not have interactive logon ability, but it is the account most system processes are executed under.
       - It is at least as powerful as the Administrator account.
    11. BUILT-IN GROUPS
       - Created during setup
       - Designed for specific use or administrative roles
       - User accounts can be added as members
       - Cannot be deleted, like the built-in user accounts
    12. IMPLICIT GROUPS
       - Membership can change dynamically
       - Do not appear in user administration tools
       - Used to grant permissions based on circumstances
       - Used to control access to resources based on how those resources are accessed
    13. SERVICE ACCOUNTS
       - Grant services access to system resources
       - Include built-in and user-defined accounts
       - Require special accommodations
       - Service accounts allow system services and services required by installed applications to access resources. Permissions can be granted to the accounts as if they were real users.
    14. Built-In Service Accounts
       - Built-in service accounts: Local System, Local Service, and Network Service. Some user rights (such as Log On As A Service) are required for a service to use a service account properly. Service accounts should be configured so that their passwords do not expire.
       - Some service accounts (such as IUSR_<system name>) are used by Windows XP to support IIS and other applications.
    15. DOMAIN ACCOUNTS AND GROUPS
       - Include built-in and user-defined accounts and groups
       - Provide logon and resource access to the local system
       - Can be placed into local groups
    16. LOCAL USERS AND GROUPS
    17. CONTROL PANEL USER ACCOUNTS
    18. ACTIVE DIRECTORY USERS AND COMPUTERS
    19. MANAGING USERS WITH NET.EXE
       - The NET USER command can be called from batch files to automate repetitive management tasks. It is useful for scripted user account additions and changes.
    20. PLANNING USERS AND GROUPS
    21. USER ACCOUNT NAMING CONVENTIONS
    22. PASSWORD COMPLEXITY
       - Create passphrases
       - Use uppercase, lowercase, and nonalphanumeric characters
       - Consider enforcing complexity with Group Policy
       - Two main attacks against passwords:
         - Dictionary attack, where the attacker uses word combinations to guess the password
         - Brute-force attack, where the attacker tries every combination of letters, numbers, and special characters until the password is found
    23. CHANGING HOW USERS LOG ON OR LOG OFF
    24. MANAGING USERS WITH LOCAL USERS AND GROUPS
    25. USER RIGHTS ASSIGNMENT
    26. MANAGING GROUPS WITH LOCAL USERS AND GROUPS
    27. MANAGING GROUPS WITH NET.EXE
    28. MANAGING USERS WITH USER ACCOUNTS
    29. USER MANAGEMENT BEST PRACTICES
       - Give administrators a limited account for nonadministrative use
       - Limit the number of users in the Administrators group
       - Rename or disable the Administrator account
       - Rename and leave the Guest account disabled
       - Observe the principle of least privilege
    30. MANAGING USER RIGHTS ASSIGNMENTS
    31. MANAGING PASSWORD POLICY
    32. MANAGING ACCOUNT LOCKOUT POLICY
    33. CACHED CREDENTIALS
       - Cached credentials are used for mobile systems that are not always connected to a domain and to speed startup and logon by letting users log on before network services are fully started. Cached credentials follow these guidelines:
         - Users must log on to the domain once to cache credentials for future logons.
         - Users whose passwords were changed might be able to log on with their previous password.
         - Disabled or deleted users can log on if their credentials have not been deleted.
    34. MANAGING CACHED CREDENTIALS
    35. TROUBLESHOOTING CACHED CREDENTIALS
       - Cached credentials are out of date
       - User does not have credentials cached
       - Cached credentials are disabled on a notebook computer
    36. SUMMARY
       - User accounts help manage resource access.
       - User groups simplify administration.
       - Naming conventions uniquely identify users.
       - Complex passwords strengthen security.
       - Cached credentials allow access when the domain is unavailable.
