Operating Systems Security - Chapter 2



Operating Systems Security - Chapter 4

Account-Based Security

Chapter Overview

This chapter begins with the considerations that go into creating formal policies about account naming and security. You will learn how to set up accounts in different operating systems, and how to configure those accounts to implement an organization’s policies. You will also learn about user rights and role-based security. Finally, you will learn how to work with group policies and security templates.

Learning Objectives

After reading this chapter and completing the exercises, students will be able to:

□ Discuss how to develop account naming and security policies

□ Explain and configure user accounts

□ Discuss and configure account policies and logon security techniques

□ Discuss and implement global access privileges

□ Use group policies and security templates in Windows Server 2000/2003/2008

Lecture Notes

Account Naming and Security Policies

Before establishing accounts, organizations need to establish policies for naming accounts and for protecting them. The first step in developing an account policy in a company is usually to establish conventions for account names. Typical conventions include basing the user account name on the account user’s actual name, Windows 2000 Server limits user account names to 20 characters that include letters, numbers, and some symbols. Some conventions for account names based on the user’s actual name are as follows:

□ Last name followed by the first name initial (e.g., BrownJ)

□ First name initial followed by the last name (e.g., Jbrown)

□ First name initial, middle initial, and last name (e.g., JRBrown)

The advantage of having accounts based on the user’s name is that, for the sake of security, it is easier to know who is logged on to a server. Account policies are security measures that apply to all accounts, or to all accounts in a particular directory service container, such as a domain in Active Directory or NDS. The account policy options affect elements such as password security, account lockout, and the authentication method Kerberos.

Server operating systems, such as Windows Server 2000/2003/2008, NetWare 6.x, and Linux, have built in capabilities to help users become more conscious of maintaining passwords. One approach is to set a password expiration period, requiring users to change passwords at regular intervals. Some operating systems, such as Windows Server 2003/2008 and NetWare 6.x, are capable of monitoring unsuccessful logon attempts, in case an attacker attempts to break into an account by trying various password combinations or employing a brute force attack. These operating systems use account lockout to lock anyone out of an account after a number of unsuccessful logon tries.

Creating User Accounts

For any system, and particularly for a system connected to a network or to the Internet, you should set up one or more user accounts to protect that system. Some operating systems, such as Windows XP Professional and Mac OS X, may come already configured to automatically boot into an account without an account or password screen enabled.

Windows 2000 Professional and Windows XP Professional

A computer running Windows 2000 Professional or Windows XP Professional may be shared by several people, with people either logging on physically from the computers, logging on over a network, or logging on from a remote connection. An account can be configured for each employee to house private information, and a sixth account might be jointly held for general inventory database access.

Windows 2000 Professional is typically installed with an Administrator account and a Guest account. Windows XP Professional is installed with an account that usually consists of the user’s name, an Administrator account, a Guest account, a Help Assistant account for remote desktop help, and support accounts for Microsoft and the manufacturer of the computer.

Windows Server 2000/2003/2008/2008

Two basic accounts, Administrator and Guest, are set up when you install Windows Server 2000/2003/2008. Other accounts are also set up automatically, depending on what services are installed on the server, such as accounts for DNS or Internet Information Services (IIS) management.

|Quick Reference |Discuss the procedures for creating a local user account on a server that is not part of a domain,|

| |and not an account in the Active Directory as listed on pages 146 and 147 of the text. |

The account properties that you can set up are the following:

□ General tab: Enables you to enter or modify personal information about the account holder.

□ Address tab: Used to provide information about the account holder’s street address, Post Office box, city, state or province, postal code, and country or region.

□ Account tab: Provides information about the logon name, domain name, account and account expiration data.

□ Profile tab: Enables you to associate a particular profile with a user or set of users, such as a common desktop that has built-in security features. A home folder is a default location, such as a specific folder on the server, in which users can store their files. A logon script is a set of commands that automatically run each time the user logs on to the server or domain.

The remainder of this list of properties can be found on pages 150 and 151 of the text.

Red Hat Linux 9.x

Each user account in UNIX and Linux systems, including Red Hat Linux 9.x, is associated with a user identification number (UID). Also, users who have common access needs can be assigned to a group via a group identification number (GID), which allows permissions to access resources to be assigned to the group, instead of to each user. In UNIX/Linux systems, the password file (/etc/passwd) contains the following kinds of information:

□ The username

□ An encrypted password or a reference to the shadow file

□ The UID, which can be a number as large as 60,000

□ A GID with which the username is associated

□ Information about the user, such as a description or the user’s job

□ The location of the user’s home directory

□ The command executed as the user logs on, such as which shell (user interface) to use

The shadow file (/etc/shadow) is normally available only to the system administrator. It contains password restriction information that includes the following:

□ The minimum and the maximum number of days between password changes

□ Information on when the password was last changed

□ Warning information about when a password will expire

□ Amount of time that the account can be inactive before access is prohibited

|Quick Reference |Discuss the different parameters that are available with the useradd command as listed on page 152|

| |of the text. |

NetWare 6.x

Accounts in NetWare 6.x can be created using the ConsoleOne tool. ConsoleOne can be run on the server console as a NetWare Loadable Module (NLM), from a workstation under the Remote Console NLM, or from an administrator’s workstation as a desktop application.

|Quick Reference |Discuss the general steps for creating an account through ConsoleOne as listed on pages 155 and |

| |156 of the text. |

Mac OS X

In the workstation version of Mac OS X, you should create accounts for each user who logs on to the console, and for users who access a Mac OS X system through Telnet, accounts are created by choosing the Accounts icon in the System Preferences window, as shown in Figure 4-8 on page 157 of the text. Mac OS X can be customized for different logon options:

□ To automatically log on to a specific account when the computer is booted

□ To log on by viewing a name and password box, or by seeing a list of user accounts

□ To hide the Restart and Shut Down buttons

□ To show the password hint after three unsuccessful logon attempts

Besides configuring accounts on a Mac OS X workstation, you can also configure accounts in Mac OS X Server, which is built on the Mac OS X foundation, but is designed as a true server for file sharing, printer sharing, managing network users and groups, and providing Web services.

Two important tools that enable server management are included with Mac OS X Server: Server Admin and Macintosh Manager. The Server Admin tool allows you to create and manage accounts and groups. Macintosh Manager is a tool for managing users, groups, and computers that access the server.

Setting Account Policies and Configuring Logon Security

Some operating systems enable you to set up account policies and default logon security. These are policies that place restrictions on passwords or that automatically lock out accounts after a specified number of unsuccessful attempts to log on.

Building Strong Passwords

An effective defense against attackers is the user of strong passwords. Strong passwords are important for users, particularly if their accounts access sensitive data, and for server and network administrators.

|Quick Reference |Discuss some sample strong password guidelines as shown on page 158 of the text. |

Using Account Policies in Windows Server 2000/2003/2008

Account policies are set up as part of a group policy in Windows Server 2000/2003/2008 that applies to all accounts in an Active Directory container, such as a domain or Organizational Unit (OU). Account policies can also be configured for a local computer, whether or not Active Directory is installed on that computer. The account policy options affect two main areas, password security and account lockout.

|Quick Reference |Discuss the specific password security options that you can configure in Windows Server |

| |2000/2003/2008 as illustrated on page 159 of the text. |

The account lockout options available in Windows Server 2000/2003/2008 are:

□ Account lockout duration

□ Account lockout threshold

□ Reset account lockout counter after

Hands-on Project 4-7 on page 186 of the text gives students the opportunity to configure account lockout in Windows Server 2000/2003/2008.

Account Security Options in Red Hat Linux 9.x

Red Hat Linux 9.x does not provide formal account security policies, but it does enable the configuration of password security and other security options associated with individual accounts. After an account is created, employ the Red Hat User Manager to configure specific security settings associated with an account. The security properties that you can configure include:

□ Setting an account to expire on a particular date

□ Locking a user account

□ Expiration of account passwords so that users have to reset them

Figure 4-9 on page 161 of the text illustrates the Password Info tab. Hands-on Project 4-8 on page 186 of the text enables students to configure security for an account, using the Red Hat User Manager.

Using Account Templates in NetWare 6.x

The account properties relating to security that can be established through a user template include:

Home directory location and access rights to that directory

Requirement for a password

Minimum password length

The remainder of this list can be found on page 162 of the text.

A user template is created through the ConsoleOne utility in NetWare 6.x. Hands-on Project 4-9 on page 187 of the text enables students to create a user template.

Using Global Access Privileges

Windows 2000 Server, Windows Server 2003/2008, and NetWare 6.x enable global security measures on servers, but using somewhat different approaches. In Windows Server 2000/2003/2008, there are user rights that govern user and administrative functions. NetWare 6.x uses a similar term, access rights, but applies it in a different way, for more fine-turned access functions, such as the right to read files or modify the contents of directories. However, NetWare 6.x does use the concept of role-based security, which is used to establish administrative roles for managing a server, such as creating user accounts and creating printer objects.

Windows Server 2000/2003/2008 User Rights

User rights enable an account or group to perform predefined tasks. The most basic right is the ability to access a server. More advanced rights include the privileges of creating accounts and managing server functions. Table 4-1 on pages 163 and 164 of the text shows privileges for Windows Server 2000/2003/2008, and Table 4-2 on page 165 shows logon rights. When user rights are assigned to a group, then all user accounts (or groups) that are members of that group inherit the user rights assigned to the group, making these inherited rights. Hands-on Project 4-10 on page 188 of the text enables students to configure user rights.

Role-Based Security in NetWare 6.x

In NetWare 6.x, global security functions, particularly for administrative use, are allocated according to administrative roles. Some roles are for managing tasks. Other roles relate to managing network services. The specific roles are:

□ DHCP Management ( DNS Management

□ EDirectory ( iPrint Management

License Management

Using Group Policies and Security Templates in Windows Server 2000/2003/2008

The security policies are a small subset of the group policy feature in Windows Server 2000/2003/2008. This feature enables you to standardize the working environment of clients and servers by setting policies in Active Directory or on a local computer. Account policies and user rights are two examples of policies that can be configured in a group policy.

Group policy has evolved from the Windows NT Server 4.0 concept of system policy. System policy is a set of basic user account and computer parameters that can be configured using the system policy editor, Poledit.exe. Parameters that are established in the system policy editor can apply domain-wide, or just to specific groups of users.

The defining characteristics of group policy are:

□ Group policy can be set for a site, domain, OU, or local computer.

□ Group policy settings are stored in group policy objects.

□ These are local and nonlocal GPOs.

Configuring Client Security Using Policies

There are several advantages to customizing settings used by clients, including improved security and a consistent working environment for the organization. The settings are customized by configuring policies on the Windows 2000/2003 servers that the clients access.

Manually Configuring Policies for Clients

You always have the option to manually configure policies that apply to clients, in order to accomplish specific purposes. You can manually configure one or more policies that apply to clients by using the Group Policy Snap-in for Windows 2000 Server or the Group Policy Object Editor Snap-in for Windows Server 2003/2008. In either tool, you customize the desktop settings for client computers by using the Administrative Templates object under User Configuration in a group policy object (see Figure 4-11 on page 169 of the text). Table 4-3 on page 169 of the text presents very general descriptions of the Administrative Templates options under User Configuration.

Using Automated Configuration of Administrative Templates

The settings in Table 4-3 can be configured through the use of administrative templates already provided in Windows Server 2000/2003/2008. Table 4-4 on page 170 of the text describes the templates that are preconfigured.

|Quick Reference |Discuss the general steps for configuring administrative templates as listed on page 170 and |

| |examine Figure 4-12 on page 171, which depicts the adding or removing of administrative templates |

| |in Windows Server 2003/2008. |

Configuring Additional Security Options

Windows Server 2000/2003/2008 offer a way to fine-tune the security on a server by configuring the security options within the local policies in a GPO. One of the most common reasons for using the security options is to enable you to configure group policy security for specialized needs. The group policy security options are available in Windows 2000 Server, but are greatly expanded and divided into functional areas in Windows Server 2003/2008. Table 4-5 on page 172 of the text shows the

functional areas used in Windows Server 2003/2008 and how they are used.

|Quick Reference |Discuss the general steps for configuring the security options for a domain from the Group Policy |

| |Snap-in (Windows 2000 Server) or the Group Policy Object Editor Snap-in (Windows Server 2003/2008)|

| |as listed on page 173 of the text. |

Discussion Questions

1) Discuss several strategies for establishing secure user account in any of the available operating systems.

2) Discuss the importance and ease of use of administrative templates.

Additional Activities

1) Utilizing the Internet, have students search for software that would aid them in securing a computer system.

2) Have students create a written security policy and compare it with security policies that were created by professionals.

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download