CompTIA A+ Certification All-In-One Exam Guide, Seventh Edition - Michael Meyers [460]
Groups are a great way to build complex, fine-grained permission schemes without increasing the administrative burden on network administrators, because all network operating systems combine permissions. When a user is a member of more than one group, which permissions does that user have with respect to any particular resource? In all network operating systems, the permissions of the groups are combined, and the result is what you call the effective permissions the user has to access the resource. As an example, if Rita is a member of the Sales group, which has List Folder Contents permission to a folder, and she is also a member of the Managers group, which has Read & Execute permission to the same folder, Rita will have both List Folder Contents and Read & Execute permissions to that folder. One important exception: an explicit Deny entry is not added to the pile; it overrides any Allow that Rita picks up from any of her groups. If a third group she belongs to is denied Write on that same folder, she cannot write there no matter what the Sales or Managers entries allow.
Figure 26-5 Giving a group permissions for a folder in Windows Vista
Figure 26-6 Adding a user to a newly created group in Windows Vista
Watch out for default user accounts and groups; they can become secret backdoors to your network! All network operating systems have a default Everyone group that can be used to sneak into shared resources easily. This Everyone group, as its name implies, includes every account that authenticates to that resource, so a permission granted to Everyone is a permission granted to every user on the network. (Modern Windows keeps anonymous connections out of Everyone unless you enable the security option "Network access: Let Everyone permissions apply to anonymous users".) Windows 2000 and the original release of Windows XP gave the Everyone group Full Control on every new share by default; later versions default to Read, but either way a share created in a hurry can expose far more than you meant, so make sure you know to lock this down!
All of the default groups (Everyone, Guests, Users) define broad groups of users. Never use them unless you intend to permit all of those folks to access a resource. If you do use one of them, check what Windows has already granted it and configure it with the proper permissions to prevent users from doing things you don't want them to do with a shared resource!
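The two points above, combining group permissions into effective rights (with Deny winning) and hunting for the Everyone group holding Full Control, can be checked from PowerShell. The following is an added example, not code from the book: it assumes Windows PowerShell 5.1 or later, the built-in Get-Acl cmdlet, and (for the share check) the SmbShare module that ships with Windows 8 / Server 2012 and later. The folder paths and the CORP\rita, CORP\Sales and CORP\Managers names are placeholders.

```powershell
# Added example, not from the book. Accumulates the Allow bits a user gets from all of
# her groups, subtracts any Deny bits (Deny always wins), and audits a tree and the
# local shares for Everyone = Full Control. Paths and account names are placeholders.

function Get-EffectiveNtfsRights {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # The user plus every group she belongs to, written as they appear in the ACL,
        # e.g. 'CORP\rita','CORP\Sales','CORP\Managers'.
        [Parameter(Mandatory)] [string[]] $Principals
    )
    # Every authenticated user is also in these well-known groups, so their ACEs apply too.
    $token = $Principals + @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $allow = 0
    $deny  = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # An inherit-only ACE exists for children and does not apply to this folder itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($token -notcontains $ace.IdentityReference.Value) { continue }   # case-insensitive
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
        else                                    { $deny  = $deny  -bor $mask }
    }
    # Deny bits are removed from the accumulated Allow bits, never the other way round.
    [PSCustomObject]@{
        Path      = $Path
        Allowed   = [System.Security.AccessControl.FileSystemRights]$allow
        Denied    = [System.Security.AccessControl.FileSystemRights]$deny
        Effective = [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
    }
}

function Find-EveryoneFullControl {
    param([Parameter(Mandatory)] [string] $Root)
    $full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl   # 0x1F01FF
    $genericAll = 0x10000000   # GENERIC_ALL, as inherited ACEs sometimes express Full Control

    # NTFS side: the root and every folder beneath it.
    $dirs = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
            $mask = [int]$ace.FileSystemRights
            if ($ace.IdentityReference.Value -eq 'Everyone' -and
                $ace.AccessControlType -eq 'Allow' -and
                ((($mask -band $full) -eq $full) -or (($mask -band $genericAll) -ne 0))) {
                [PSCustomObject]@{ Kind = 'NTFS'; Object = $dir.FullName; Inherited = $ace.IsInherited }
            }
        }
    }

    # Share side: share permissions are evaluated on top of NTFS permissions for network users.
    if (Get-Command -Name Get-SmbShareAccess -ErrorAction SilentlyContinue) {
        Get-SmbShare | Get-SmbShareAccess |
            Where-Object { $_.AccountName -eq 'Everyone' -and
                           $_.AccessControlType -eq 'Allow' -and
                           $_.AccessRight -eq 'Full' } |
            ForEach-Object { [PSCustomObject]@{ Kind = 'Share'; Object = $_.Name; Inherited = $false } }
    }
}

# Rita's effective rights on the Sales folder (placeholder path and names):
# Get-EffectiveNtfsRights -Path 'D:\Shares\Sales' -Principals 'CORP\rita','CORP\Sales','CORP\Managers'
# Every folder and share where Everyone holds Full Control:
# Find-EveryoneFullControl -Root 'D:\Shares' | Format-Table
```

Get-EffectiveNtfsRights is a model of the rule in the text, not a replacement for the Effective Access tab: it does not account for ownership, for rights an administrator can take over, or for the share permission that is applied on top of NTFS when the folder is reached over the network, which is why Find-EveryoneFullControl looks at both layers.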
All of these groups and organizational units only do one thing for you: They let you keep track of your user accounts, so you know that accounts exist only for those who need them and that they can reach only the resources you want them to use.
Security Policies
Although permissions control how users access shared resources, there are other functions you should control that are outside the scope of resources. For example, do you want users to be able to access a command prompt on their Windows system? Do you want users to be able to install software? Would you like to control what systems a user can log into or at what time of day a user can log in? All network operating systems provide you with some capability to control these and literally hundreds of other security parameters, under what Windows calls policies. I like to think of policies as permissions for activities as opposed to true permissions, which control access to resources.
A policy is usually applied to a user account, a computer, or a group. Let's use the example of a network composed of Windows XP Professional systems with a Windows 2003 Server system. Every Windows XP system has its own local policy tool (secpol.msc), which enables policies to be placed on that system only. Figure 26-7 shows the tool you use to set local policies on an individual system, called Local Security Settings, being used to deny the user account Danar the capability to log on locally (the user right is named Deny log on locally).
Figure 26-7 Local Security Settings
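The setting in Figure 26-7 can also be read and changed from the command line, which is handy when you have more than one system to lock down. The following is an added example, not code from the book: it drives secedit.exe, the tool that Local Security Settings uses underneath, and assumes an elevated Windows PowerShell 5.1 or later prompt. The account name Danar and the temporary file names are placeholders; the right shown as Deny log on locally in the tool is stored as SeDenyInteractiveLogonRight.

```powershell
# Added example, not from the book. Exports the local user-rights assignments with
# secedit.exe, parses the [Privilege Rights] section, and adds an account to
# "Deny log on locally" (SeDenyInteractiveLogonRight). Run from an elevated prompt.

function Get-LocalUserRights {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    # secedit writes a UTF-16 .inf; /areas USER_RIGHTS limits it to the [Privilege Rights] section.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights    = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            # Values are comma separated; SIDs carry a leading '*', plain account names do not.
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-RightHolder {
    param([Parameter(Mandatory)] [string] $Entry)   # '*S-1-5-32-544' or a name as secedit wrote it
    if ($Entry -match '^\*(S-1-.+)$') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $Matches[1]
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Entry }   # orphaned SID (deleted account): show it raw
    }
    return $Entry
}

function Add-DenyLogonLocally {
    param([Parameter(Mandatory)] [string] $Account)   # e.g. 'Danar' or 'CORP\danar'
    $sid = (New-Object System.Security.Principal.NTAccount $Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $current = @((Get-LocalUserRights)['SeDenyInteractiveLogonRight'] | Where-Object { $_ })
    if ($current -contains "*$sid") { return }   # already denied

    # A minimal security template: only this one right is configured, so nothing else changes.
    $templateFormat = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = {0}
'@
    $template = $templateFormat -f (($current + "*$sid") -join ',')
    $inf = Join-Path $env:TEMP 'deny-logon.inf'
    $db  = Join-Path $env:TEMP 'deny-logon.sdb'
    Set-Content -Path $inf -Value $template -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
}

# Who may, and may not, log on at this system's console (placeholder account name):
# $r = Get-LocalUserRights
# $r['SeInteractiveLogonRight']     | ForEach-Object { Resolve-RightHolder $_ }
# $r['SeDenyInteractiveLogonRight'] | ForEach-Object { Resolve-RightHolder $_ }
# Add-DenyLogonLocally -Account 'Danar'
```

Two things to remember when you use this: the denial applies at Danar's next logon attempt, not to a session that is already open, and Deny log on locally only covers the console. Blocking him from reaching the system's shares over the network is a separate right, Deny access to this computer from the network (SeDenyNetworkLogonRight), and Remote Desktop has its own. If the computer is in a domain and a Group Policy configures the same right, the domain setting wins over anything set locally.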
Local policies work great for individual systems, but they can be a