Windows Server 2003 Overview 1 Windows 2003 Server Overview Ayaz 23-01-12

Upload: tamsyn-turner

Post on 28-Dec-2015


Windows Server 2003 Overview 1

Windows 2003 Server Overview

Ayaz

23-01-12

Windows Server 2003 Overview 2

Account Management

- Process by which the administrator configures the network to allow users:
  - Access to what they need
  - No access to things they don’t need
- Each user account is represented on the network as an object (their username) that has membership in one or more groups

Windows Server 2003 Overview 3

Planning

- Plan, plan, plan
- Don’t just start adding users and other objects
- Set up organizational units and groups before adding other objects

Windows Server 2003 Overview 4

Objects

- Every element on the network, from people to machines, is represented in the AD by an object
- Each object represents one specific element with its own properties and configuration elements
- Active Directory Users and Computers: the Administrative Tools tool that allows the administrator to manage users, groups, and other elements of the AD

Windows Server 2003 Overview 5

Organizational Units

- A way to logically organize resources within the domain
- Identify any groups or resources in the organization that need to be kept separate from other areas
- “Container”: any object in the directory into which other objects can be placed
- Can delegate separate administrative control
- Example: departments

Windows Server 2003 Overview 6

Rights & Permissions

- Rights: allow you to do a task
- Permissions (perms): concern the type of access to a particular resource
- Example: a user has the right to log on to the network and must also have permission to use a particular resource

Windows Server 2003 Overview 7

Groups

- Plan your groups
- User accounts are created to identify individuals on the network
- Groups: objects that enable a number of users to be administered as a “single account”
- Groups are created for the purpose of assigning permissions
- Users can be assigned perms directly, but this is not recommended
- Create groups instead, even if the group only has 1 member!

Windows Server 2003 Overview 8

Types of Groups

- NT 4: Global groups, Local groups
- Windows Server 2003: Domain local groups, Global groups, Universal groups, Local groups
- Windows Server 2003 has a number of built-in groups of each type

Windows Server 2003 Overview 9

Group Types (cont.)

- Universal groups
  - Users from any domain can be members
  - Can be given permissions to resources in any domain
  - Generally used only in large multidomain networks
  - No built-in universal groups
- Local groups
  - Used to assign permissions only to resources that are on the machine the group was created on
  - Available when AD is not installed

Windows Server 2003 Overview 10

Domain Local Group Scope

- Members include:
  - User accounts from any domain
  - Global and universal groups from any domain
  - Domain local groups from the same domain
- Can only access resources within the domain they are created in
- Generally used to identify resources that have a similar function on the network
- Groups with domain local scope should be used to define and manage resources within a single domain

Windows Server 2003 Overview 11

Global and Universal Group Scope

- Global group
  - Members include: user accounts from the same domain; global groups from the same domain
  - One user may be a member of several global groups
  - Can access resources in any domain
  - Generally used to organize users with similar roles in the organization
- Universal group
  - Members include: users from any domain; global groups from any domain; universal groups from any domain

Windows Server 2003 Overview 12

Domain Local Group Scope Scenario

Example: To give 5 users access to a particular printer (resource), create a domain local group and assign it permission to access the printer (resource). Put the 5 user accounts in a global group and add this group to the domain local group. In the future, if you want to give these 5 users access to a new printer (resource), assign the domain local group permission to access the new printer (resource). All members of the global group will automatically receive access to the new printer (resource).

Windows Server 2003 Overview 13

Microsoft “Way” Group Membership

- Create the user and place it into one or more global groups
- Global groups are then placed into domain local groups
- Domain local groups are given permissions to the resources

Windows Server 2003 Overview 14

AGLP and UGLR

- AGLP: Accounts into Global groups, into domain Local groups, which are given Permissions to the resources
- UGLR: Users into Global groups, into domain Local groups, permissions assigned to Resources
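The AGLP chain from slides 12 to 14 (accounts into a global group, the global group into a domain local group, the domain local group given the permission) as an added example using the ActiveDirectory PowerShell module; it is not part of the original slides. Slide 12’s printer is replaced by a shared folder so the permission step can be shown with Get-Acl/Set-Acl; the domain name example.com, the OU, the group and user names and the share path are all assumed.

```powershell
# Added example (not from the original slides): the AGLP pattern with the
# ActiveDirectory module (Windows Server 2008 R2 or later; on Windows Server
# 2003 the same steps are done in ADUC or with the dsadd/dsmod tools).
# Assumed names: domain example.com, OU=Accounting, users jdoe and asmith,
# and the folder D:\Shares\Reports standing in for slide 12's printer.
Import-Module ActiveDirectory

$ou       = "OU=Accounting,DC=example,DC=com"
$resource = "D:\Shares\Reports"

# A -> G: accounts go into a Global group that names a role (slide 11).
New-ADGroup -Name "GG-Accounting-Staff" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "GG-Accounting-Staff" -Members "jdoe", "asmith"

# G -> L: the Global group is nested in a Domain Local group that names one
# kind of access to one resource (slide 10).
New-ADGroup -Name "DL-Reports-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "DL-Reports-Modify" -Members "GG-Accounting-Staff"

# L -> P: only the Domain Local group appears in the resource's ACL; no user
# account is ever granted a permission directly (slide 19).
$acl  = Get-Acl -Path $resource
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "EXAMPLE\DL-Reports-Modify",        # identity: the domain local group
    "Modify",                           # rights
    "ContainerInherit,ObjectInherit",   # apply to subfolders and files
    "None",                             # propagation flags
    "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $resource -AclObject $acl

# Check 1: the ACL should list only groups, never individual user accounts.
(Get-Acl -Path $resource).Access |
    Where-Object { $_.IdentityReference -like "EXAMPLE\*" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# Check 2: resolve who actually receives the permission through the nesting.
Get-ADGroupMember -Identity "DL-Reports-Modify" -Recursive | Select-Object SamAccountName
```

Adding a second resource later is the slide 12 scenario: create another DL-* group, grant it on the new resource, and nest the existing global group in it; the user accounts themselves are not touched.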

Windows Server 2003 Overview 15

Creating a Group

- Built-in groups, default groups, or create your own
- ADUC tool: select a container for the new group
- Create the group using the New Object - Group window
- Add users to the group now or later using right-click, Properties, Members tab, and selecting users
- Can also add groups to other groups

Windows Server 2003 Overview 16

Reasons for Using Groups

- Easier to organize permissions by groups than on an individual basis
- AGLP is the known “standard”
- MCSE tests want the “right” way (the Microsoft way)

Windows Server 2003 Overview 17

Five Default Groups

- Not based on who the user is, but rather on how they are connected to a resource
- Cannot be configured through AD, but can be used when setting permissions
- Everyone: all users are members!!!!!
- Authenticated Users
- Creator Owner: the user who created the resource
- Network: users accessing shares
- Interactive: users logged on locally

Windows Server 2003 Overview 18

Distribution and Security Groups

- Distribution groups: used only with e-mail applications such as Exchange to send email to collections of users
- Security groups: used to assign access to network resources
  - Rights: tasks users can perform in a domain; some are automatic, such as Backup Operators
  - Permissions: determine who can access a resource and the level of access
- Assign permission to the resource using security groups rather than individual users

Windows Server 2003 Overview 19

User Accounts

- Matching users with the resources they need
- Users represent a “role” in the company, not “individuals”
- Individual users “should not” have any permissions to resources
- Never give explicit user permissions to resources: difficult for the administrator to manage
- Groups have the permissions

Windows Server 2003 Overview 20

Default Account: Administrator

- Most powerful account on the domain: full control
- Cannot be deleted or removed; can be renamed; can be disabled
- Access to all resources and configuration information
- Needs a strong password
- Automatically a member of Administrators, Domain Admins, etc.

Windows Server 2003 Overview 21

Default Account: Guest

- For people who don’t have a user account in the domain
- No password required
- Disabled by default
- Provides anonymous access to certain resources on the network
- Low-security option
- Might be used for visitor access in a kiosk for read-only access

Windows Server 2003 Overview 22

Creating User Accounts

- Develop an acceptable naming convention (auditors prefer user account names!)
- Create a user account for every individual on the network
- Use ADUC: select the container you wish to create the user in; the default is the Users folder, or the user can be placed in an organizational unit
- Right-click, New, User, enter information

Windows Server 2003 Overview 23

User Configuration

Data                                     Description
First Name                               User’s first name
Last Name                                User’s last name
Name                                     Full name
User Logon Name                          Unique name within AD
Downlevel Logon Name                     Username to log on to non-Windows
Password                                 Authentication to log on
Confirm Password                         Retype to ensure it is correct
User Must Change Password at Next Logon  User creates own password
User Cannot Change Password              Prevents user from changing password
Password Never Expires                   Overrides password expiration options

Windows Server 2003 Overview 24

Configuring User Accounts

- Additional options to add or restrict the account on the network
- ADUC, right-click, Properties
  - Informational: address, telephone
  - Organizational: manager, department
  - Security
- Account tab: logon name, logon hours, workstation restrictions, account options, account expiration
- Profile tab: profile, logon script, home folder
- Member Of tab: group memberships
- Dial-in tab: remote access, callback, IP address information

Windows Server 2003 Overview 25

User Account Security

- Logon script: map drives for a user, attach printers, set system or user variables
- Profile: standardize the desktop, restrict the programs and options the user can use; local, roaming, mandatory
- Home folders: users have their own workspace on the server to store files
- Logon hours and workstation restrictions: specify times and machines
- Account options: set password options

Windows Server 2003 Overview 26

User Authentication and Authorization

- Create an individual user account for each user
- Strong passwords: reduce the risk of “intelligent” guessing and dictionary attacks
- Account lockout policy: how many failed logon attempts before the account is disabled; decreases the possibility of an attacker compromising the system through repeated logon attempts

Windows Server 2003 Overview 27

Windows 2003 Policies

- Account policy: password restrictions and unsuccessful login attempts
- User Rights policy: determines which users and groups can perform specific actions on the system
- Audit policy: determines the amount and type of security logging
- System policy: can be used to provide a uniform environment in a domain
- Group policy: applies to all members of the group it is set for unless the member has an individual policy; if a user is in multiple groups, the highest-priority group’s policy applies

Windows Server 2003 Overview 28

Windows 2003 Account Policy

- Account Policy
  - Determines how passwords are validated and enforced
  - Determines how unsuccessful login attempts are handled
  - Can be set for OUs, domains, domain controllers, and local computers
- Password policy
- Account lockout policy
- Kerberos policy

Windows Server 2003 Overview 29

Account Policy Options

- User must change password at next logon: ensures the user is the only person to know their password
- User cannot change password: use to maintain control over an account
- Password never expires: need a strong password!
- Store passwords using reversible encryption: allows the user to log onto a Windows network from Apple computers
- Account is disabled: prevents the user from logging on
- Smart Card is required for interactive logon: requires the user to possess a smart card to log on; requires a smart card reader attached to the computer and a valid PIN
- 4 others not discussed in this class

Windows Server 2003 Overview 30

Password Policy

- Enforce password history: number of passwords that must be used before an old password can be reused
- Maximum password age: if 0, passwords never need to be changed
- Minimum password age: if 0, passwords can be changed anytime; used to prevent “recycling” back to a previous password
- Minimum password length: 0-14 characters; if 0, passwords are not required
- Passwords must meet complexity requirements: uppercase, lowercase, numeric, and special characters
- Store passwords using reversible encryption for all users

Windows Server 2003 Overview 31

Account Lockout Policy

- Account lockout threshold: number of consecutive unsuccessful logon attempts before the account is locked; if 0, the account is not locked
- Account lockout duration: how long accounts remain locked; “Not defined”: the user is never locked out; 0 to 99,999 minutes; if 0, the account is locked out until an administrator re-enables it
- Reset account lockout counter after: how long between bad logon attempts before the account lockout threshold counter is reset; “Not defined”: the user is never locked out; 1-99,999 minutes
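The password policy (slide 30) and account lockout policy (slide 31) set from PowerShell, as an added example that is not part of the original slides; it uses the ActiveDirectory module’s Set-ADDefaultDomainPasswordPolicy, so the domain name example.com and the chosen values are assumptions, and the comments map each setting back to the slide item it implements.

```powershell
# Added example (not from the original slides): domain-wide password and
# lockout policy with the ActiveDirectory module (Windows Server 2008 R2 or
# later; on Windows Server 2003 the same settings are edited in Domain
# Security Policy, slide 33). Domain name and values are assumed.
Import-Module ActiveDirectory
$domain = "example.com"

$policy = @{
    Identity                    = $domain
    PasswordHistoryCount        = 24                           # Enforce password history
    MaxPasswordAge              = (New-TimeSpan -Days 90)      # 0 would mean never expires
    MinPasswordAge              = (New-TimeSpan -Days 1)       # 0 would allow instant "recycling"
    MinPasswordLength           = 12                           # 0 would allow empty passwords
    ComplexityEnabled           = $true                        # upper, lower, numeric, special
    ReversibleEncryptionEnabled = $false                       # slide 30's last item, kept off
    LockoutThreshold            = 5                            # 0 would mean never locked out
    LockoutDuration             = (New-TimeSpan -Minutes 30)   # 0 = locked until admin unlocks
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)   # "Reset account lockout counter after"
}
Set-ADDefaultDomainPasswordPolicy @policy

# Read the effective policy back and flag the weak settings the slides warn
# about (threshold 0, length 0, reversible encryption).
$p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$p | Select-Object PasswordHistoryCount, MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                   ComplexityEnabled, ReversibleEncryptionEnabled,
                   LockoutThreshold, LockoutDuration, LockoutObservationWindow

if ($p.LockoutThreshold -eq 0)      { Write-Warning "Accounts are never locked out (threshold 0)" }
if ($p.MinPasswordLength -eq 0)     { Write-Warning "Empty passwords are allowed (minimum length 0)" }
if ($p.ReversibleEncryptionEnabled) { Write-Warning "Passwords are stored with reversible encryption" }
```

The observation window must not exceed the lockout duration, which is why both are 30 minutes here; a lockout duration of 0 keeps the account locked until an administrator unlocks it, exactly as slide 31 states.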

Windows Server 2003 Overview 32

Kerberos Policy

- Used for authentication from domain controllers
- Enforce user logon restrictions
- Maximum lifetime for service ticket
- Maximum lifetime for user ticket
- Maximum lifetime for user ticket renewal
- Maximum tolerance for computer clock synchronization

Windows Server 2003 Overview 33

Setting Account Policies

- Effective when the user logs off and back on again
- In Administrative Tools:
  - If domain, select Domain Security Policy
  - If domain controller, select Domain Controller Security Policy
  - If OU, select Active Directory Users and Computers
  - If local computer, use the Control Panel Administrative Tools applet and select Local Security Policy

Windows Server 2003 Overview 34

User Rights Policies

- Shut down the computer from a remote location
- Access the computer via the network
- Use the computer locally
- Back up or restore directories and files
- Change the time
- Delete or add device drivers
- Change the security logging policy
- Shut down the system
- Take file ownership

Windows Server 2003 Overview 35

Audit Policies

- Event Viewer allows viewing of the events specified by the audit policy
- Auditing must be enabled in the Audit Policy window
- System: logs system errors, driver errors, etc.
- Security: bad logon attempts
- Application
- Each message has an event ID number
- Logs have a “maximum” size before overwrite
- Be selective in auditing; it creates “overhead”
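Reading the Security log’s bad logon attempts from PowerShell rather than Event Viewer, as an added example that is not part of the original slides: it counts failed logons per account over the last 24 hours and marks the accounts that reached the lockout threshold from slide 31. It assumes Windows Server 2008 or later, where a failed logon is Security event ID 4625, and an assumed threshold of 5; on Windows Server 2003 the corresponding bad-password event is ID 529, and in both cases the logon/logoff category must be audited for failures before anything is written.

```powershell
# Added example (not from the original slides): failed logons per account from
# the Security log (Windows PowerShell on Server 2008+; event ID 4625 = failed
# logon, the 2003-era equivalent is 529). The threshold value is assumed.
$since     = (Get-Date).AddHours(-24)
$threshold = 5   # assumed: the domain's account lockout threshold (slide 31)

$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$failed | ForEach-Object {
    # Each event carries its fields as <Data Name="..."> elements in the XML.
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        Source  = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    }
} | Group-Object Account | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Account       = $_.Name
        FailedLogons  = $_.Count
        Sources       = ($_.Group.Source | Sort-Object -Unique) -join ', '
        OverThreshold = ($_.Count -ge $threshold)   # would have tripped lockout
    }
} | Format-Table -AutoSize

# Slide 35: logs have a maximum size before they overwrite. Enlarge the
# Security log so a burst of failures does not push older events out.
Limit-EventLog -LogName Security -MaximumSize 256MB
```

Many failures against many different accounts from one source, each staying just under the threshold, is the pattern a lockout policy alone does not stop, which is why the per-account counts are shown next to their sources.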