Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 4
Account-Based Security
Operating Systems Security - Chapter 4
Account-Based Security
Chapter Overview
This chapter begins with the considerations that go into creating formal policies about
account naming and security. You will learn how to set up accounts in different operating
systems, and how to configure those accounts to implement an organization’s policies. You
will also learn about user rights and role-based security. Finally, you will learn how to work
with group policies and security templates.
Learning Objectives
After reading this chapter and completing the exercises, students will be able to:





Discuss how to develop account naming and security policies
Explain and configure user accounts
Discuss and configure account policies and logon security techniques
Discuss and implement global access privileges
Use group policies and security templates in Windows Server 2000/2003/2008
Lecture Notes
Account Naming and Security Policies
Before establishing accounts, organizations need to establish policies for naming accounts and
for protecting them. The first step in developing an account policy in a company is usually to
establish conventions for account names. Typical conventions include basing the user
account name on the account user’s actual name, Windows 2000 Server limits user account
names to 20 characters that include letters, numbers, and some symbols. Some conventions
for account names based on the user’s actual name are as follows:
 Last name followed by the first name initial (e.g., BrownJ)
 First name initial followed by the last name (e.g., Jbrown)
 First name initial, middle initial, and last name (e.g., JRBrown)
The advantage of having accounts based on the user’s name is that, for the sake of security,
it is easier to know who is logged on to a server. Account policies are security measures that
apply to all accounts, or to all accounts in a particular directory service container, such as a
domain in Active Directory or NDS. The account policy options affect elements such as
password security, account lockout, and the authentication method Kerberos.
Server operating systems, such as Windows Server 2000/2003/2008, NetWare 6.x, and Linux,
have built in capabilities to help users become more conscious of maintaining passwords.
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 1 of 8
ISBN: 0-619-16040-3
Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 4
Account-Based Security
One approach is to set a password expiration period, requiring users to change passwords at
regular intervals. Some operating systems, such as Windows Server 2003/2008 and NetWare
6.x, are capable of monitoring unsuccessful logon attempts, in case an attacker attempts to
break into an account by trying various password combinations or employing a brute force
attack. These operating systems use account lockout to lock anyone out of an account after
a number of unsuccessful logon tries.
Creating User Accounts
For any system, and particularly for a system connected to a network or to the Internet, you
should set up one or more user accounts to protect that system. Some operating systems,
such as Windows XP Professional and Mac OS X, may come already configured to
automatically boot into an account without an account or password screen enabled.
Windows 2000 Professional and Windows XP Professional
A computer running Windows 2000 Professional or Windows XP Professional may be shared by
several people, with people either logging on physically from the computers, logging on over
a network, or logging on from a remote connection. An account can be configured for each
employee to house private information, and a sixth account might be jointly held for general
inventory database access.
Windows 2000 Professional is typically installed with an Administrator account and a Guest
account. Windows XP Professional is installed with an account that usually consists of the
user’s name, an Administrator account, a Guest account, a Help Assistant account for
remote desktop help, and support accounts for Microsoft and the manufacturer of the
computer.
Windows Server 2000/2003/2008/2008
Two basic accounts, Administrator and Guest, are set up when you install Windows Server
2000/2003/2008. Other accounts are also set up automatically, depending on what services
are installed on the server, such as accounts for DNS or Internet Information Services (IIS)
management.
Quick Reference
Discuss the procedures for creating a local user account on a server that is not
part of a domain, and not an account in the Active Directory as listed on pages
146 and 147 of the text.
The account properties that you can set up are the following:
 General tab: Enables you to enter or modify personal information about the account
holder.
 Address tab: Used to provide information about the account holder’s street address,
Post Office box, city, state or province, postal code, and country or region.
 Account tab: Provides information about the logon name, domain name, account and
account expiration data.
 Profile tab: Enables you to associate a particular profile with a user or set of users,
such as a common desktop that has built-in security features. A home folder is a
default location, such as a specific folder on the server, in which users can store their
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 2 of 8
ISBN: 0-619-16040-3
Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 4
Account-Based Security
files. A logon script is a set of commands that automatically run each time the user
logs on to the server or domain.
The remainder of this list of properties can be found on pages 150 and 151 of the text.
Red Hat Linux 9.x
Each user account in UNIX and Linux systems, including Red Hat Linux 9.x, is associated with
a user identification number (UID). Also, users who have common access needs can be
assigned to a group via a group identification number (GID), which allows permissions to
access resources to be assigned to the group, instead of to each user. In UNIX/Linux systems,
the password file (/etc/passwd) contains the following kinds of information:







The username
An encrypted password or a reference to the shadow file
The UID, which can be a number as large as 60,000
A GID with which the username is associated
Information about the user, such as a description or the user’s job
The location of the user’s home directory
The command executed as the user logs on, such as which shell (user interface) to use
The shadow file (/etc/shadow) is normally available only to the system administrator. It
contains password restriction information that includes the following:




The minimum and the maximum number of days between password changes
Information on when the password was last changed
Warning information about when a password will expire
Amount of time that the account can be inactive before access is prohibited
Quick Reference
Discuss the different parameters that are available with the useradd
command as listed on page 152 of the text.
NetWare 6.x
Accounts in NetWare 6.x can be created using the ConsoleOne tool. ConsoleOne can be run
on the server console as a NetWare Loadable Module (NLM), from a workstation under the
Remote Console NLM, or from an administrator’s workstation as a desktop application.
Quick Reference
Discuss the general steps for creating an account through ConsoleOne as listed
on pages 155 and 156 of the text.
Mac OS X
In the workstation version of Mac OS X, you should create accounts for each user who logs on
to the console, and for users who access a Mac OS X system through Telnet, accounts are
created by choosing the Accounts icon in the System Preferences window, as shown in
Figure 4-8 on page 157 of the text. Mac OS X can be customized for different logon options:
 To automatically log on to a specific account when the computer is booted
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 3 of 8
ISBN: 0-619-16040-3
Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 4
Account-Based Security
 To log on by viewing a name and password box, or by seeing a list of user accounts
 To hide the Restart and Shut Down buttons
 To show the password hint after three unsuccessful logon attempts
Besides configuring accounts on a Mac OS X workstation, you can also configure accounts in
Mac OS X Server, which is built on the Mac OS X foundation, but is designed as a true server
for file sharing, printer sharing, managing network users and groups, and providing Web
services.
Two important tools that enable server management are included with Mac OS X Server:
Server Admin and Macintosh Manager. The Server Admin tool allows you to create and
manage accounts and groups. Macintosh Manager is a tool for managing users, groups, and
computers that access the server.
Setting Account Policies and Configuring Logon Security
Some operating systems enable you to set up account policies and default logon security.
These are policies that place restrictions on passwords or that automatically lock out
accounts after a specified number of unsuccessful attempts to log on.
Building Strong Passwords
An effective defense against attackers is the user of strong passwords. Strong passwords
are important for users, particularly if their accounts access sensitive data, and for server and
network administrators.
Quick Reference
Discuss some sample strong password guidelines as shown on page 158 of the
text.
Using Account Policies in Windows Server 2000/2003/2008
Account policies are set up as part of a group policy in Windows Server 2000/2003/2008 that
applies to all accounts in an Active Directory container, such as a domain or Organizational
Unit (OU). Account policies can also be configured for a local computer, whether or not
Active Directory is installed on that computer. The account policy options affect two main
areas, password security and account lockout.
Quick Reference
Discuss the specific password security options that you can configure in
Windows Server 2000/2003/2008 as illustrated on page 159 of the text.
The account lockout options available in Windows Server 2000/2003/2008 are:
 Account lockout duration
 Account lockout threshold
 Reset account lockout counter after
Hands-on Project 4-7 on page 186 of the text gives students the opportunity to configure
account lockout in Windows Server 2000/2003/2008.
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 4 of 8
ISBN: 0-619-16040-3
Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 4
Account-Based Security
Account Security Options in Red Hat Linux 9.x
Red Hat Linux 9.x does not provide formal account security policies, but it does enable the
configuration of password security and other security options associated with individual
accounts. After an account is created, employ the Red Hat User Manager to configure
specific security settings associated with an account. The security properties that you can
configure include:
 Setting an account to expire on a particular date
 Locking a user account
 Expiration of account passwords so that users have to reset them
Figure 4-9 on page 161 of the text illustrates the Password Info tab. Hands-on Project 4-8 on
page 186 of the text enables students to configure security for an account, using the Red Hat
User Manager.
Using Account Templates in NetWare 6.x
The account properties relating to security that can be established through a user template
include:
Home directory location and access rights to that directory
Requirement for a password
Minimum password length
The remainder of this list can be found on page 162 of the text.
A user template is created through the ConsoleOne utility in NetWare 6.x. Hands-on Project
4-9 on page 187 of the text enables students to create a user template.
Using Global Access Privileges
Windows 2000 Server, Windows Server 2003/2008, and NetWare 6.x enable global security
measures on servers, but using somewhat different approaches. In Windows Server
2000/2003/2008, there are user rights that govern user and administrative functions.
NetWare 6.x uses a similar term, access rights, but applies it in a different way, for more
fine-turned access functions, such as the right to read files or modify the contents of
directories. However, NetWare 6.x does use the concept of role-based security, which is
used to establish administrative roles for managing a server, such as creating user accounts
and creating printer objects.
Windows Server 2000/2003/2008 User Rights
User rights enable an account or group to perform predefined tasks. The most basic right is
the ability to access a server. More advanced rights include the privileges of creating
accounts and managing server functions. Table 4-1 on pages 163 and 164 of the text shows
privileges for Windows Server 2000/2003/2008, and Table 4-2 on page 165 shows logon rights.
When user rights are assigned to a group, then all user accounts (or groups) that are members
of that group inherit the user rights assigned to the group, making these inherited rights.
Hands-on Project 4-10 on page 188 of the text enables students to configure user rights.
Role-Based Security in NetWare 6.x
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 5 of 8
ISBN: 0-619-16040-3
Instructor: Prof. Michael P. Harris, CCNA CCAI
Chapter 4
Account-Based Security
ITSY 2400 – Operating Systems Security
In NetWare 6.x, global security functions, particularly for administrative use, are allocated
according to administrative roles. Some roles are for managing tasks. Other roles relate to
managing network services. The specific roles are:
 DHCP Management
 EDirectory


DNS Management
iPrint Management
License Management
Using Group Policies and Security Templates in Windows Server 2000/2003/2008
The security policies are a small subset of the group policy feature in Windows Server
2000/2003/2008. This feature enables you to standardize the working environment of clients
and servers by setting policies in Active Directory or on a local computer. Account policies
and user rights are two examples of policies that can be configured in a group policy.
Group policy has evolved from the Windows NT Server 4.0 concept of system policy. System
policy is a set of basic user account and computer parameters that can be configured using
the system policy editor, Poledit.exe. Parameters that are established in the system policy
editor can apply domain-wide, or just to specific groups of users.
The defining characteristics of group policy are:
 Group policy can be set for a site, domain, OU, or local computer.
 Group policy settings are stored in group policy objects.
 These are local and nonlocal GPOs.
Configuring Client Security Using Policies
There are several advantages to customizing settings used by clients, including improved
security and a consistent working environment for the organization. The settings are
customized by configuring policies on the Windows 2000/2003 servers that the clients access.
Manually Configuring Policies for Clients
You always have the option to manually configure policies that apply to clients, in order to
accomplish specific purposes. You can manually configure one or more policies that apply to
clients by using the Group Policy Snap-in for Windows 2000 Server or the Group Policy Object
Editor Snap-in for Windows Server 2003/2008. In either tool, you customize the desktop
settings for client computers by using the Administrative Templates object under User
Configuration in a group policy object (see Figure 4-11 on page 169 of the text). Table 4-3 on
page 169 of the text presents very general descriptions of the Administrative Templates
options under User Configuration.
Using Automated Configuration of Administrative Templates
The settings in Table 4-3 can be configured through the use of administrative templates
already provided in Windows Server 2000/2003/2008. Table 4-4 on page 170 of the text
describes the templates that are preconfigured.
Quick Reference
Discuss the general steps for configuring administrative templates as listed on
page 170 and examine Figure 4-12 on page 171, which depicts the adding or
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 6 of 8
ISBN: 0-619-16040-3
Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 4
Account-Based Security
removing of administrative templates in Windows Server 2003/2008.
Configuring Additional Security Options
Windows Server 2000/2003/2008 offer a way to fine-tune the security on a server by
configuring the security options within the local policies in a GPO. One of the most common
reasons for using the security options is to enable you to configure group policy security for
specialized needs. The group policy security options are available in Windows 2000 Server,
but are greatly expanded and divided into functional areas in Windows Server 2003/2008.
Table 4-5 on page 172 of the text shows the
functional areas used in Windows Server 2003/2008 and how they are used.
Quick Reference
Discuss the general steps for configuring the security options for a domain
from the Group Policy Snap-in (Windows 2000 Server) or the Group Policy
Object Editor Snap-in (Windows Server 2003/2008) as listed on page 173 of the
text.
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 7 of 8
ISBN: 0-619-16040-3
Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 4
Account-Based Security
Discussion Questions
1) Discuss several strategies for establishing secure user account in any of the available
operating systems.
2) Discuss the importance and ease of use of administrative templates.
Additional Activities
1) Utilizing the Internet, have students search for software that would aid them in
securing a computer system.
2) Have students create a written security policy and compare it with security policies
that were created by professionals.
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 8 of 8
ISBN: 0-619-16040-3