Windows Server 2003 Overview 1 Windows 2003 Server Overview Ayaz

Windows Server 2003 Overview 2 Account Management Process by which administrator configures the network to allow users Access to what they need No access to things they dont need Each user account is represented on the network as an object (their username) that has membership in one or more groups

Windows Server 2003 Overview 3 Planning Plan, plan, plan Dont just start adding users and other objects Set up organizational units and groups before adding other objects

Windows Server 2003 Overview 4 Objects Every element on the network from people to machines represented in the AD by an object Represent one specific element with its own properties and configuration elements Active Directory Users and Computers Administrative Tools tool that allows administrator to manage users, groups, and other elements of the AD

Windows Server 2003 Overview 5 Organizational Units Way to logically organize resources within the domain Identify any groups or resources in organization that need to be kept separate from other areas Container: Any object in the directory into which other objects can be placed. Can delegate separate administrative control Example Departments

Windows Server 2003 Overview 6 Rights & Permissions Rights Allow you to do a task Permissions (Perms) Concern type of access to a particular resource Example User has right to log on to the network and must also have perm to use a particular resource

Windows Server 2003 Overview 7 Groups Plan your groups User accounts are created to identify individuals on the network Groups Objects that enable a number of users to be administered as a single account Groups are created for the purpose of assigning permissions Users can be assigned perms directly buy not recommended Create groups instead, even if group only has 1 member!

Windows Server 2003 Overview 8 Types of Groups NT 4 Global groups Local groups Windows Server 2003 Domain local groups Global groups Universal groups Local groups Windows Server 2003 has a number of built-in groups of each type

Windows Server 2003 Overview 9 Group Types cont. Universal Groups Users from any domain can be members Can be given permissions to resources in any domain Generally used only in large multidomain networks No built-in universal groups Local Groups Used to assign permissions only to resources that are on the machine the groups was created on Available when AD not installed

Windows Server 2003 Overview 10 Domain Local Group Scope Members include: Allows user accounts from any domain to be members Global and universal groups from any domain Domain local groups from same domain Can only access resources within domain they are created in Generally used to identify resources that have a similar function on the network Groups with domain local scope should be used to define and manage resources within a single domain

Windows Server 2003 Overview 11 Global and Universal Group Scope Global Group Members include: User accounts from same domain Global groups from the same domain One user may be a member of several global groups Can access resources in any domain Generally used to organize users with similar roles in the organization Universal Group Members include: User from any domain can be members Global groups from any domain Universal groups from any domain

Windows Server 2003 Overview 12 Domain Local Group Scope Scenario Example: To give 5 users access to a particular printer (resource); create a domain local group and assign it permission to access the printer (resource). Put the 5 user accounts in a global group and add this group to the domain local group. In the future, if you want to give these 5 users access to a new printer (resource), assign the domain local group permission to access the new printer (resource). All members of the global group will automatically receive access to the new printer (resource).

Windows Server 2003 Overview 13 Microsoft Way Group Membership Create user and place into one or more global groups Global groups are then placed into domain local groups Domain local groups are given permissions to the resources

Windows Server 2003 Overview 14 AGLP and UGLR AGLP Accounts into Global groups, into Domain Local groups, which are given permissions to the resources UGLR Users into Global groups, into Domain Local groups, permissions assigned to Resources

Windows Server 2003 Overview 15 Creating a Group Built-in groups Default groups Create your own ADUC tool Select a container for the new group Create the group using the New Object-Group window Add users to the group now or later using right-click Properties, Members tab, and selecting users Can also add groups to other groups

Windows Server 2003 Overview 16 Reasons for Using Groups Easier to organize permissions by groups than on an individual basis AGLP standard known MCSE tests want the right way (the Microsoft way)

Windows Server 2003 Overview 17 Five Default Groups Not based on who the user is, but rather on how they are connected to a resource Cannot configure through AD but can be used when setting permissions Everyone: all users are members!!!!! Authenticated Users Creator Owner: user who created resource Network: users accessing shares Interactive: users logged on locally

Windows Server 2003 Overview 18 Distribution and Security Groups Distribution groups Used only with applications such as Exchange to send to collections of users Security groups Used to assign access to network resources Rights: Tasks users can perform in a domain; some automatic such as Backup Operators Permissions: Determine who can access a resource and the level of access Assign permission to the resource using security groups rather than individual users

Windows Server 2003 Overview 19 User Accounts Matching users with resources they need Users represent a role in the company, not individuals Individual users should not have any permissions to resources Never give explicit user permissions to resources Difficult to manage for administrator Groups have the permissions

Windows Server 2003 Overview 20 Default Account: Administrator Most powerful account on the domain Full control Cannot delete or removed Can be renamed Can be disabled Access to all resources and configuration information Need strong password Automatically a member of Administrators, Domain Admins, etc.

Windows Server 2003 Overview 21 Default Account: Guest Guest For people who dont have a user account in the domain No password required Default is disabled Provide anonymous access to certain resources on the network Low security option Might use for visitor access in a kiosk for read-only access

Windows Server 2003 Overview 22 Creating User Accounts Develop acceptable naming convention Auditors prefer user account names! Create a user account for every individual on the network Use ADUC Select container you wish to create the user in Default is the Users Folder or can place user in an organizational unit Right-click, New, User, enter information

Windows Server 2003 Overview 23 User Configuration DataDescription First NameUsers first name Last NameUsers last name NameFull name User Logon NameUnique name within AD Downlevel Logon NameUsername to log on to non-Windows PasswordAuthentication to log on Confirm PasswordRetype to ensure correct User Must Change Password at Next Logon User create own password User Cannot Change Password Prevent user from changing password Password Never ExpiresOverrides password expiration options

Windows Server 2003 Overview 24 Configuring User Accounts Additional options to add or restrict account on network ADUC, right-click, Properties Informational: address, telephone Organizational: manager, department Security Account tab: logon name, logon hours, workstation restrictions, account options, account expiration Profile tab: profile, logon script, home folder Member Of tab: group memberships Dial-in tab: remote access, callback, IP address information

Windows Server 2003 Overview 25 User Account Security Logon Script: Map drives for a user Attach printers Set system or user variables Profile: standardize desktop, restrict programs and options user can use Local Roaming Mandatory Home folders: users have own workspace on server to store files Logon Hours and Workstation Restrictions: specify times and machines Account options: set password options

Windows Server 2003 Overview 26 User Authentication and Authorization Create individual user account for each user Strong passwords Reduce risk of intelligent guessing and dictionary attacks Account lockout policy How many failed logon attempts before account disabled Decreases possibility of attacker compromising system through repeated logon attempts

Windows Server 2003 Overview 27 Windows 2003 Policies Account policy Password restrictions and unsuccessful login attempts User Rights policy Determines what users and groups can perform specific actions on the system Audit policy Determines the amount and type of security logging System policy Can be used to provide uniform environment in a domain Group policy Applies to all members of the group they are set for unless member has an individual policy If user in multiple groups, highest priority groups policy applies

Windows Server 2003 Overview 28 Windows 2003 Account Policy Account Policy Determines how passwords are validated and enforced Determines how unsuccessful login attempts are handled Can be set for OUs, domains, domain controllers, and local computers Password policy Account lockout policy Kerberos policy

Windows Server 2003 Overview 29 Account Policy Options User must change password at next logon Ensures user only person to know their password User cannot change password Use to maintain control over an account Password never expires Need a strong password! Store passwords using reversible encryption Allows user to log onto Windows network from Apple computers Account is disabled Prevents user from logging on Smart Card is required for interactive logon Requires user to possess a smart card to logon; requires smart card reader attached to computer and valid PIN 4 others not discussed in this class

Windows Server 2003 Overview 30 Password Policy Enforce password history Number of passwords that must be used before an old password can be reused Maximum password age If 0, passwords never need to be changed Minimum password age If 0, passwords can be changed anytime Used to prevent recycling back to previous Minimum password length 0-14 characters, if 0 passwords are not required Passwords must meet complexity requirements Uppercase, lowercase, numeric, and special characters Store passwords using reversible encryptions for all users

Windows Server 2003 Overview 31 Account Lockout Policy Account Lockout Threshold Number of consecutive unsuccessful logon attempts before account is locked If 0 account is not locked Account Lockout Duration How long accounts remain locked Not defined user is never locked out 0 to 99,999 minutes, if 0 account lockout until administrator re- enables the account Reset Account Lockout After How long between bad logon attempts before account lockout threshold counter is reset Not defined user is never locked out 1-99,999 minutes

Windows Server 2003 Overview 32 Kerberos Policy Used for authentication from domain controllers Enforce user logon restrictions Maximum lifetime for service ticket Maximum lifetime for user ticket Maximum lifetime for user ticket renewal Maximum tolerance for computer clock synchronization

Windows Server 2003 Overview 33 Setting Account Policies Effective when user logs off and back on again In Administrative Tools, If domain, select Domain Security Policy If domain controller, select Domain Controller Security Policy If OU, select Active Directory Users and Computers If local computer, use Control Panel Administrative Tools applet and select Local Security Policy

Windows Server 2003 Overview 34 User Rights Policies Shutdown computer from remote location Access the computer via the network User the computer locally Backup or restore directories and files Change time Delete or add device drivers Change the security logging policy Shut down the system Take file ownership

Windows Server 2003 Overview 35 Audit Policies Event Viewer allows viewing of events specified by audit policy Auditing must be enabled in the Audit Policy window System Logs system errors, driver errors, etc Security Bad logon attempts Application Each message has an event ID number Logs have maximum size before overwrite Be selective in auditing, creates overhead