7-2 Security Part 2
> Implement, configure, manage, and troubleshoot account policy.
These policies apply to user accounts.
This security area contains attributes for:
- Password policy: for domain or local user accounts, determines settings for passwords such as enforcement, and lifetimes.
- Account lockout policy: for domain or local user accounts, determines when and for whom an account will be locked out of the system.
- Kerberos policy: for domain user accounts, determines Kerberos-related settings, such as ticket lifetimes and enforcement.
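The first two of these policy areas can be read and set from the command line as well as from the Local Security Policy snap-in. The following is an added example, not part of the study guide: it uses NET ACCOUNTS, the classic tool present on Windows 2000 and later (PowerShell is only the shell it is typed into here). The numeric values are illustrative choices, and the three lockout switches are assumed to be accepted by the Windows version in use.

```powershell
# Added example: inspect and set local Password policy and Account lockout policy
# with NET ACCOUNTS. Values are illustrative, not recommendations from the text.

# Show the policy currently in effect on this computer.
net accounts

# Password policy: minimum length, maximum and minimum age (days), history depth
# (how many previous passwords are remembered and refused).
net accounts /minpwlen:8 /maxpwage:42 /minpwage:1 /uniquepw:5

# Account lockout policy: lock the account after 5 bad attempts, keep it locked
# for 30 minutes, and count attempts within a 30-minute observation window.
# (Switches assumed available on this version.)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# The same switches with /domain act on the domain accounts database instead of
# the local SAM (only meaningful on a domain member, and requires domain admin).
# net accounts /minpwlen:8 /domain

# Re-read the policy to confirm the change took effect.
net accounts
```

Kerberos policy has no NET ACCOUNTS equivalent: it applies to domain accounts only and is set in the domain's Group Policy.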
> Create and manage local users and groups.
A local user or group is an account that can be granted permissions and rights from your computer, whereas domain or global users and groups are managed by the network administrator. You can add local users, global users, and global groups to local groups, but you cannot add local users and groups to global groups.
By adding local users and groups, you can limit their ability to perform certain actions by assigning them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders. A permission is a rule associated with an object, usually a file or folder, that regulates which users can have access to the object.
Local Users and Groups is not available on domain controllers. Use Active Directory Users and Computers to manage global users and groups.
To create a new user account
- Open Computer Management.
- In the console tree, in Local Users and Groups, click Users.
- Click Action, and then click New User.
- Type the appropriate information in the dialog box.
- Select or clear the check boxes for:
  - User must change password at next logon
  - User cannot change password
  - Password never expires
  - Account is disabled
- To finish, click Create, and then click Close.
A user name cannot be identical to any other user or group name. It can contain up to 20 uppercase or lowercase characters, except for the following: " / \ [ ] : ; | = , + * ? < >
You can type a password containing up to 127 characters. However, if you're using Windows 2000 on a network that also has computers using Windows 95 or Windows 98, consider using passwords not longer than 14 characters. Windows 95 and Windows 98 support passwords of up to 14 characters.
To create a new local group
- Open Computer Management.
- In the console tree, in Local Users and Groups, click Groups.
- Click Action, and then click New Group.
- In Group name, type a name for the new group.
- In Description, type a description of the new group.
- To finish, click Create, and then click Close.
A local group name cannot be identical to any other group or user name on the computer being administered. It can contain up to 256 uppercase or lowercase characters except for the following: " / \ [ ] : ; | = , + * ? < >
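The two Computer Management procedures above have a command-line counterpart in NET USER and NET LOCALGROUP, which exist on Windows 2000 and later. The following is an added example, not code from the study guide: it first checks a proposed name against the length limits and forbidden characters quoted in the text and against names already on the computer, then creates the user and the group. The account names (AuditAlice, Auditors) and the comments are constructed; PowerShell is only the wrapper around the classic tools.

```powershell
# Added example: create a local user and a local group from the command line,
# after validating the names with the rules quoted in the text.

function Test-LocalAccountName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [ValidateSet('User', 'Group')] [string] $Kind = 'User'
    )
    # Users: up to 20 characters; groups: up to 256. Neither may contain
    # any of  " / \ [ ] : ; | = , + * ? < >
    $maxLength = if ($Kind -eq 'User') { 20 } else { 256 }
    if ($Name.Length -lt 1 -or $Name.Length -gt $maxLength) { return $false }
    if ($Name -match '["/\\\[\]:;|=,+*?<>]') { return $false }
    return $true
}

function Test-LocalAccountExists {
    param([Parameter(Mandatory)] [string] $Name)
    # A name must be unique across users AND groups, so query both. Each NET
    # command exits non-zero when the account does not exist.
    net user $Name 2>&1 | Out-Null
    $isUser = ($LASTEXITCODE -eq 0)
    net localgroup $Name 2>&1 | Out-Null
    $isGroup = ($LASTEXITCODE -eq 0)
    return ($isUser -or $isGroup)
}

$user  = 'AuditAlice'   # constructed name
$group = 'Auditors'     # constructed name

foreach ($pair in @(@($user, 'User'), @($group, 'Group'))) {
    if (-not (Test-LocalAccountName -Name $pair[0] -Kind $pair[1])) {
        throw "Invalid $($pair[1].ToLower()) name: $($pair[0])"
    }
    if (Test-LocalAccountExists -Name $pair[0]) {
        throw "Name already in use on this computer: $($pair[0])"
    }
}

# Create the user. The '*' makes NET USER prompt for the password instead of
# taking it from the command line, so it does not end up in the shell history
# or in the process list. /passwordchg:no is the "User cannot change password"
# check box; /active:no is "Account is disabled". The other two check boxes
# from the dialog are set in Computer Management.
net user $user * /add /comment:"Internal audit reviewer" /passwordchg:no /active:no

# Create the group, add the user to it, then list the members to confirm.
net localgroup $group /add /comment:"Staff who review audit logs"
net localgroup $group $user /add
net localgroup $group
```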
> Implement, configure, manage, and troubleshoot user rights.
Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights are different from permissions because user rights apply to user accounts, and permissions are attached to objects.
User rights define capabilities at the local level. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. This ensures that a user logging on as a member of a group automatically inherits the rights associated with that group. By assigning user rights to groups rather than individual users, you simplify the task of user account administration. When users in a group all require the same user rights, you can assign the set of user rights once to the group, rather than repeatedly assigning the same set of user rights to each individual user account.
User rights that are assigned to a group are applied to all members of the group while they remain members. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights. In general, however, user rights assigned to one group do not conflict with the rights assigned to another group. To remove rights from a user, the administrator simply removes the user from the group. In this case, the user no longer has the rights assigned to that group. There are two types of user rights: privileges and logon rights.
- Privilege. An example of a privilege is the right to back up files and directories. (Some privileges can override permissions set on an object.)
- Logon right. An example of a logon right is the right to log on to a system locally.
The special user account LocalSystem has almost all privileges and logon rights assigned to it, because all processes that are running as part of the operating system are associated with this account, and these processes require a complete set of user rights.
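The distinction between privileges and logon rights, and the fact that rights are granted to groups, can be seen directly in the local user rights assignment. The following is an added example, not from the study guide: it exports the assignment with SECEDIT (present since Windows 2000; PowerShell is only the wrapper) and lists which accounts hold three rights. SeBackupPrivilege is the privilege "Back up files and directories" named in the text, SeInteractiveLogonRight is the logon right "Log on locally", and SeDenyInteractiveLogonRight is the deny right that takes precedence over it, the conflicting case the text mentions. The file paths under $env:TEMP are constructed, and the script assumes the exported file has the usual [Privilege Rights] section with one "SeName = *SID,*SID" line per right.

```powershell
# Added example: export the local user rights assignment and show who holds
# a privilege, a logon right, and the matching deny logon right.

$inf = Join-Path $env:TEMP 'user-rights.inf'   # constructed path
$log = Join-Path $env:TEMP 'user-rights.log'   # constructed path

# /areas USER_RIGHTS limits the export to the user rights assignment.
secedit /export /cfg $inf /log $log /areas USER_RIGHTS /quiet

function Get-UserRightHolders {
    param([Parameter(Mandatory)] [string] $InfPath)
    $holders   = @{}
    $inSection = $false
    # The export is a Unicode INF file; Get-Content picks the encoding up from the BOM.
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\[(.+)\]\s*$') {
            # Track whether we are inside the [Privilege Rights] section.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $names = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry -eq '') { continue }
                if ($entry.StartsWith('*')) {
                    # Entries such as *S-1-5-32-551 are SIDs; resolve them to
                    # account names where the computer can, else keep the SID.
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $entry }
                } else { $entry }
            }
            $holders[$right] = @($names | Where-Object { $_ })
        }
    }
    return $holders
}

$rights = Get-UserRightHolders -InfPath $inf

foreach ($right in 'SeBackupPrivilege', 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    $who = if ($rights.ContainsKey($right)) { $rights[$right] -join ', ' } else { '(not assigned)' }
    '{0,-28} {1}' -f $right, $who
}
```

The holders listed are normally groups such as Administrators and Backup Operators rather than individual users, which is the administration pattern the text recommends: a user's effective rights are the union of the rights of every group that user belongs to, and removing the user from a group removes that group's rights.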
> Implement, configure, and manage local user authentication.
Authentication
Successful user authentication in a Windows 2000 computing environment consists of two separate processes: interactive logon, which confirms the user's identification to either a domain account or a local computer, and network authentication, which confirms the user's identification to any network service that the user attempts to access.
Some types of authentication that Windows 2000 supports are:
- Kerberos V5 is used with either a password or a smart card for interactive logon. It is also the default method of network authentication for services. The Kerberos V5 protocol verifies both the identity of the user and the identity of network services.
- Secure Socket Layer/Transport Layer Security (SSL/TLS) authentication is used when a user attempts to access a secure Web server.
> Implement, configure, and manage a security configuration.
Security settings include security policies (account and local policies), access control (services, files, registry), event log, group membership (restricted groups), Internet Protocol security policies, and public key policies.
Security templates are a physical representation of a security configuration: a file where a group of security settings may be stored. Windows 2000 includes a set of security templates, each based on the role of a computer: from security settings for low security domain clients to highly secure domain controllers. These templates can be used as provided, modified, or serve as a basis for creating custom security templates.
Security configuration tools: To define and use security templates, administrators use the Security Templates snap-in. To configure and analyze security locally, administrators use the Security Configuration and Analysis snap-in. To configure security centrally in Active Directory, administrators use the Group Policy snap-in.
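The analyze-then-configure workflow of the Security Configuration and Analysis snap-in is also available from the command line through SECEDIT, which is what the following added example (not from the study guide) runs. It compares the computer against securews.inf, the Windows 2000 "secure workstation" template, applies two areas of it, and exports the result as a custom template. The template directory, the paths under $env:TEMP, and the word "Mismatch" used to find differences in the analysis log are assumptions; PowerShell is only the wrapper.

```powershell
# Added example: analyze this computer against a supplied security template,
# apply part of it, and save the resulting settings as a custom template.

# Location of the built-in templates (assumed); securews.inf is the
# secure-workstation template shipped with Windows 2000.
$template = Join-Path $env:SystemRoot 'security\templates\securews.inf'
$db       = Join-Path $env:TEMP 'analysis.sdb'   # constructed path
$log      = Join-Path $env:TEMP 'analysis.log'   # constructed path
$custom   = Join-Path $env:TEMP 'mybaseline.inf' # constructed path

if (-not (Test-Path $template)) { throw "Template not found: $template" }

# Step 1, analyze: import the template into a database and compare the live
# settings against it. Nothing is changed on the computer at this point.
secedit /analyze /db $db /cfg $template /log $log

# Step 2, review: the log records each setting that differs from the template
# (assumed to be marked with the word "Mismatch"). Read these before applying.
Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line }

# Step 3, configure: apply only the account/local policy and user rights areas,
# leaving file, registry and service ACLs untouched.
secedit /configure /db $db /cfg $template /areas SECURITYPOLICY USER_RIGHTS /log $log

# Step 4, export: write the settings now in effect to a custom template that the
# Security Templates snap-in can open and that Group Policy can import.
secedit /export /cfg $custom /log $log
```

Running the analysis on its own, without the configure step, is the useful part for troubleshooting: the mismatch list shows exactly which settings on a computer have drifted from the baseline.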