Guide to Operating System Security Chapter 4 Account-based Security

Objectives
  Discuss how to develop account naming and security policies
  Explain and configure user accounts
  Discuss and configure account policies and logon security techniques
  Discuss and implement global access privileges
  Use group policies and security templates in Windows 2000 Server and Windows Server 2003

Account Naming
  Provides orderly access to server and network resources
  Enables administrators to monitor security:
    Which users are accessing the server
    What resources they are using
  Establish conventions for account names
    User’s actual name
    User’s function

Security Policies
  Apply to all accounts or to all accounts in a particular directory service container
  Affected elements:
    Password security
      Expiration period
      Minimum length
      Password recollection
    Account lockout
    Authentication method

Creating User Accounts in Windows 2000 Professional
  Typically installed with:
    Administrator account
    Guest account
  To create and manage user accounts:
    Start – Settings – Control Panel – Users and Passwords, or
    Right-click My Computer – Manage – Local Users and Groups – Users

Creating User Accounts in Windows XP Professional
  Installed with:
    Account that usually consists of user’s name
    Administrator account
    Guest account
    HelpAssistant account for remote desktop help
    Support accounts for Microsoft and computer manufacturer
  To create and manage user accounts:
    Start – Control Panel – User Accounts, or
    Right-click My Computer – Manage – Local Users and Groups – Users

Managing User Accounts in Windows XP Professional

Creating User Accounts in Windows 2000 Server/Server 2003
  Installed with:
    Administrator account
    Guest account
    Other accounts, depending on services installed on server
  Create new accounts by entering account information and password controls
    Local user account on a server that is not part of a domain
    Account in the Active Directory

Managing User Accounts in Windows 2000 Server

Creating a New User
  Complete name, user logon name, password, and password confirmation information
    User must change password at next logon
    User cannot change password
    Password never expires
    Account is disabled
  Further configure associated properties

Account Properties in Windows Server 2003
  General tab
  Address tab
  Account tab
  Profile tab
  Telephones tab
  Organization tab
  Member Of
  Dial-in
  Environment
  Sessions
  Remote Control
  Terminal Services Profile
  COM+ tab

Account Tab

Creating User Accounts in Red Hat Linux 9.x
  Each user account is associated with a user identification number (UID)
  Assign users with common access needs to a group via a group identification number (GID)

Contents of Linux Password File (/etc/passwd)
  Username
  Encrypted password or reference to shadow file
  UID and GID
  Information about the user
  Location of user’s home directory
  Command that is executed as user logs on

Linux Shadow File (/etc/shadow)
  Available only to system administrator
  Contains password restriction information
    Minimum/maximum number of days between password changes
    When password was last changed
    When password will expire
    Amount of time account can be inactive before access is prohibited

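The /etc/passwd and /etc/shadow fields listed on the two slides above, parsed and checked for ageing and lockout state. This is an added Python example, not part of the original slides; the sample records, the finding strings and the exact day comparisons are assumptions of the example.

```python
# Constructed sample records (not from a real system); hashes are placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice Example:/home/alice:/bin/bash
bob:x:501:500:Bob Example:/home/bob:/bin/bash
carol:x:502:500:Carol Example:/home/carol:/bin/bash
svc:x:503:503:Service account:/var/svc:/sbin/nologin"""
SHADOW = """root:$1$placeholder:12100:0:99999:7:::
alice:$1$placeholder:12100:1:90:7:14::
bob:$1$placeholder:12200:1:90:7:14::
carol:!$1$placeholder:12200:1:90:7:14:12250:
svc:*:12100:0:99999:7:::"""
PASSWD_FIELDS = ("name", "password", "uid", "gid", "info", "home", "shell")
SHADOW_FIELDS = ("name", "password", "last_change", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire_day", "reserved")

def parse(text, fields):  # colon-separated records -> {name: {field: value}}
    records = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        records[parts[0]] = dict(zip(fields, parts))
    return records

def days(value):  # ageing fields count days; an empty field means "not set"
    return int(value) if value else None

def audit(passwd_text, shadow_text, today):
    """Map each account to its findings; 'today' is days since 1970-01-01."""
    shadow, report = parse(shadow_text, SHADOW_FIELDS), {}
    for name, p in parse(passwd_text, PASSWD_FIELDS).items():
        findings, s = [], shadow.get(name)
        if p["password"] != "x" or s is None:
            report[name] = ["password not held in shadow file"]
            continue
        if s["password"][:1] in ("!", "*"):
            findings.append("password login locked")
        last, max_d = days(s["last_change"]), days(s["max_days"])
        inactive, expire = days(s["inactive_days"]), days(s["expire_day"])
        # Assumed rule: expired at last_change + max_days, disabled inactive_days later.
        if last is not None and max_d is not None and today >= last + max_d:
            if inactive is not None and today >= last + max_d + inactive:
                findings.append("disabled: inactivity period after expiry elapsed")
            else:
                findings.append("password expired: change required")
        if expire is not None and today >= expire:
            findings.append("account expired")
        report[name] = findings
    return report
```

Calling `audit(PASSWD, SHADOW, today=12300)` returns an empty finding list for root and separate findings for the locked, expired and disabled sample accounts.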
Creating User Accounts and Groups in Linux
  Use command-line commands
    Create new user with useradd
    Modify parameters with usermod
    Delete accounts with userdel
  Use Red Hat User Manager from GNOME desktop

Creating Accounts with the Command Line

Creating Accounts with Red Hat User Manager

Creating User Accounts in NetWare 6.x
  Use ConsoleOne tool

Creating User Accounts in Mac OS X (Continued)
  Choose Accounts icon in System Preferences window
    Name of account holder
    Short name for logging on
    Password
    Password hint

Creating User Accounts in Mac OS X (Continued)
  Tools that enable server management (Mac OS X Server)
    Server Admin
    Macintosh Manager

Accounts Option in Mac OS X

Mac OS X Logon Options
  Automatically log on to specific account when computer is booted
  Log on by viewing a name and password box, or by seeing a list of user accounts
  Hide Restart and Shut Down buttons
  Show password hint after three unsuccessful logon attempts

Mac OS X Server
  Tools
    Server Admin
    Macintosh Manager

Setting Account Policies and Configuring Logon Security
  Place restrictions on passwords
  Automatically lock out accounts after a specified number of unsuccessful logon attempts

Guidelines for Building Strong Passwords
  Do use
    7+ characters
    Combination of upper- and lowercase letters, numbers, and characters
    Symbol character(s)
    Coded phrase to help you remember
  Do not use
    Words in the dictionary or proper names
    Sports terms or names of sports teams
    Your account name
    Consecutive characters
    Common slang terms

Using Account Policies in Windows Server 2000/Server 2003
  Set up as part of group policy that applies to all accounts in an Active Directory container
  Can also be configured for a local computer
  Account policy options affect:
    Password security
    Account lockout

Password Security Options in Windows Server 2000/Server 2003
  Enforce password history
  Maximum password age
  Minimum password age
  Minimum password length
  Password(s) must meet complexity requirements
  Store password using reversible encryption

Account Lockout Options in Windows Server 2000/Server 2003
  Account lockout duration
  Account lockout threshold
  Reset account lockout container after

Account Security Options in Red Hat Linux 9.x
  No formal account security policies
  Enables configuration of security options associated with individual accounts (using Red Hat User Manager)
  Stores security information in shadow file (/etc/shadow) as properties associated with accounts

Account Password Configuration Options in Red Hat Linux
  Setting an account to expire on a particular date
  Locking a user account
  Expiration of account passwords so that users have to reset them

Red Hat Linux 9.x Account Password Configuration

Using Account Templates in NetWare 6.x
  Configure through user templates before accounts are created
  Use ConsoleOne utility to create user templates

Establishing Account Properties with User Template (NetWare 6.x) (Continued)
  Home directory location and access rights to that directory
  Requirement for a password
  Minimum password length
  Requirement that password be changed within specified interval of time
  Grace period that limits number of times user can log in after password has expired

Establishing Account Properties with User Template (NetWare 6.x)
  Requirement that a new password be used each time the old one is changed
  Time restrictions
  Intruder detection capabilities
  Limit on number of simultaneous connections
  Workstation logon restrictions

Intruder Detection in NetWare 6.x

Using Global Access Privileges
  Windows 2000 Server/Server 2003
    User rights govern user and administrative functions
  NetWare 6.x
    Uses access rights, applied in a different way, for more fine-tuned access functions
    Role-based security establishes administrative roles for managing a server

Windows Server 2000/Server 2003 User Rights (Continued)
  Enable account or group to perform predefined tasks
    Basic rights: access a server
    Advanced: create accounts and manage server functions
  Can be assigned to user accounts or to groups
    Groups are more efficient (inherited rights)

Windows Server 2000/Server 2003 User Rights (Continued)
  Give server administrative security controls over who can access server and Active Directory resources
  Two categories
    Privileges
      Manage server or Active Directory functions
    Logon rights
      Access accounts, computers, and services

Windows Server 2000/Server 2003 Privileges (Continued)

Windows Server 2000/Server 2003 Logon Rights

Role-based Security in NetWare 6.x
  Allocated according to administrative roles (managing tasks or network services)
    DHCP Management
    DNS Management
    eDirectory
    iPrint Management
    License Management

Using Group Policies in Windows Server 2000/Server 2003
  Enables standardization by setting policies in Active Directory or on local computer (e.g., account policies, user rights, IPSec policies)
  Evolved from Windows NT Server 4.0 concept of system policy
    Use Poledit.exe to configure basic user account and computer parameters (domain-wide or specific)

Differences Between System Policy and Group Policy
  System policy | Group policy
  Largest range is the domain | Can cover multiple domains in one site
  Fewer objects to configure | More objects to configure
  Focus on clients’ desktop environment as controlled by Registry settings | Set for more environments
  Less secure | More secure
  Can live on after no longer needed | Dynamically updated and configured to represent most current needs

Defining Characteristics of Group Policy
  Can be set for a site, domain, OU, or local computer
  Stored in group policy objects
  Local and nonlocal GPOs

Configuring Client Security Using Policies
  Advantages to customizing settings used by clients
    Improved security
    Consistent working environment
  Customize settings by configuring policies on Windows 2000/2003 servers that clients access
    When client logs on, policies are applied

Manually Configuring Policies for Clients
  Use either:
    Group Policy Snap-in (Windows 2000 Server)
    Group Policy Object Editor Snap-in (Windows Server 2003)
  Use Administrative Templates object under User Configuration in a group policy object to customize desktop settings for client computers

Configuring Administrative Templates

Automated Configuration of Administrative Templates

Configuring Administrative Templates

Configuring Additional Security Options
  Fine-tune security on a server by configuring security options within local policies in a GPO
  Enables you to configure group policy security for special needs

Group Policy Security Options

Configuring Additional Security Options

Summary
  Considerations when creating formal policies about account naming and security
  How to set up accounts in different operating systems
  How to configure those accounts to implement an organization’s policies
  User rights and role-based security
  How to work with group policies and security templates