Networking For Dummies

User accounts are the backbone of network security administration. Through the use of user accounts, you can determine who can access your network as well as what network resources each user can and can't access. You can restrict access to the network to just specific computers or to certain hours of the day. In addition, you can lock out users who no longer need to access your network. The following sections describe the basics of setting up user security for your network.

User accounts

Every user who accesses a network must have a user account. User accounts allow the network administrator to determine who can access the network and what network resources each user can access. In addition, the user account can be customized to provide many convenience features for users, such as a personalized Start menu or a display of recently used documents.

Every user account is associated with a username (sometimes called a user ID), which the user must enter when logging on to the network. Each account also has other information associated with it. In particular:

• The user's password: This also includes the password policy, such as how often the user has to change his or her password, how complicated the password must be, and so on.

• The user's contact information: This includes full name, phone number, e-mail address, mailing address, and other related information.

• Account restrictions: This includes restrictions that allow the user to log on only during certain times of the day. This feature can restrict your users to normal working hours so that they can't sneak in at 2 a.m. to do unauthorized work. This feature also discourages your users from working overtime because they can't access the network after hours, so use it judiciously. You can also specify that the user can log on only at certain computers.

• Account status: You can temporarily disable a user account so the user can't log on.

• Home directory: This specifies a shared network folder where the user can store documents.

• Dial-in permissions: These authorize the user to access the network remotely via a dialup connection.

• Group memberships: These grant the user certain rights based on groups to which they belong.

  Tip

  For more information, see the section, "Group therapy," later in this chapter.

Built-in accounts

Most network operating systems come preconfigured with two built-in accounts, named Administrator and Guest. In addition, some server services, such as Web or database servers, create their own user accounts under which to run. The following sections describe the characteristics of these accounts.

• The Administrator account: The Administrator account is the King of the Network. This user account isn't subject to any of the account restrictions to which mere mortal accounts must succumb. If you log on as the administrator, you can do anything. For this reason, avoid using the Administrator account for routine tasks. Log in as the Administrator only when you really need to.

  Tip

  Because the Administrator account has unlimited access to your network, it's imperative that you secure it immediately after you install the server. When the NOS Setup program asks for a password for the Administrator account, start with a good random mix of uppercase and lowercase letters, numbers, and symbols. Don't pick some easy-to-remember password to get started, thinking you'll change it to something more cryptic later. You'll forget, and in the meantime, someone will break in and reformat the server's C: drive or steal your customer's credit card numbers.

• The Guest account: Another commonly created default account is the Guest account. This account is set up with a blank password and-if any-access rights. The Guest account is designed to allow anyone to step up to a computer and log on, but after they do, it then prevents them from doing anything. Sounds like a waste of time to me. I suggest you disable the Guest account.

• Service accounts: Some network users aren't actual people. I don't mean that some of your users are subhuman. Rather, some users are actually software processes that require access to secure resources, and therefore, require user accounts. These user accounts are usually created automatically for you when you install or configure server software.

  For example, when you install Microsoft's Web server (IIS), an Internet user account called IUSR is created. The complete name for this account is IUSR_ <servername>. So if the server is named WEB1, the account is named IUSR_WEB1. IIS uses this account to allow anonymous Internet users to access the files of your Web site.

  Tip

  Don't mess with these accounts unless you know what you're doing. For example, if you delete or rename the IUSR account, you must reconfigure IIS to use the changed account. If you don't, IIS will deny access to anyone trying to reach your site. (Assuming that you do know what you're doing, renaming these accounts can increase your network's security. However, don't start playing with these accounts until you've researched the ramifications.)

User rights

User accounts and passwords are the front line of defense in the game of network security. After a user accesses the network by typing a valid user ID and password, the second line of security defense-rights-comes into play.

In the harsh realities of network life, all users are created equal, but some users are more equal than others. The Preamble to the Declaration of Network Independence contains the statement "We hold these truths to be self-evident, that some users are endowed by the network administrator with certain inalienable rights…."

The rights that you can assign to network users depend on which network operating system you use. These are some of the possible user rights for Windows servers:

• Log on locally: The user can log on to the server computer directly from the server's keyboard.

• Change system time: The user can change the time and date registered by the server.

• Shut down the system: The user can perform an orderly shutdown of the server.

• Back up files and directories: The user can perform a backup of files and directories on the server.

• Restore files and directories: The user can restore backed-up files.

• Take ownership of files and other objects: The user can take over files and other network resources that belong to other users.

NetWare has a similar set of user rights.

Permissions (who gets what)

User rights control what a user can do on a network-wide basis. Permissions enable you to fine-tune your network security by controlling access to specific network resources, such as files or printers, for individual users or groups. For example, you can set up permissions to allow users into the accounting department to access files in the server's \ACCTG directory. Permissions can also enable some users to read certain files but not modify or delete them.

Each network operating system manages permissions in a different way. Whatever the details, the effect is that you can give permission to each user to access certain files, folders, or drives in certain ways. For example, you might grant a user full access to some files but grant read-only access to other files.

The network rights allowed by most network operating systems are pretty boring. Here are a few rights I wish would be allowed:

• Cheat: Provides a special option that enables you to see what cards the other players are holding when you're playing Hearts.

• Spy: Eavesdrops on other users' Internet sessions so you can find out what Web sites they're viewing.

• Complain: Automatically sends e-mail messages to other users that explain how busy, tired, or upset you are.

• Set pay: Grants you special access to the payroll system so that you can give yourself a pay raise.

• Sue: In America, everyone has the right to sue. So this right should be granted automatically to all users.

• Fire: Wouldn't it be great if the network could grant you the right to play Donald Trump and fire your annoying co-workers?

Group therapy

A group account is an account that doesn't represent an individual user. Instead, it represents a group of users who use the network in a similar way. Instead of granting access rights to each of these users individually, you can grant the rights to the group and then assign individual users to the group. When you assign a user to a group, that user inherits the rights specified for the group.

For example, suppose that you create a group named Accounting for the accounting staff and then allow members of the Accounting group access to the network's accounting files and applications. Then, instead of granting each accounting user access to those files and applications, you simply make each accounting user a member of the Accounting group.

Here are a few additional details about groups:

• Groups are one of the keys to network management nirvana. As much as possible, avoid managing network users individually. Instead, clump them into groups and manage the groups. When all 50 users in the accounting department need access to a new file share, would you rather update 50 user accounts or just 1 group account?

• A user can belong to more than one group. Then, the user inherits the rights of each group. For example, you can have groups set up for Accounting, Sales, Marketing, and Finance. A user who needs to access both Accounting and Finance information can be made a member of both groups. Likewise, a user who needs access to both Sales and Marketing information can be made a member of both the Sales and Marketing groups.

• You can grant or revoke specific rights to individual users to override the group settings. For example, you may grant a few extra permissions for the manager of the accounting department. You may also impose a few extra restrictions on certain users.

User profiles

User profiles are a Windows feature that keeps track of an individual user's preferences for his or her Windows configuration. For a non-networked computer, profiles enable two or more users to use the same computer, each with his or her own desktop settings, such as wallpaper, colors, Start menu options, and so on.

The real benefit of user profiles becomes apparent when profiles are used on a network. A user's profile can be stored on a server computer and accessed whenever that user logs on to the network from any Windows computer on the network.

The following are some of the elements of Windows that are governed by settings in the user profile:

• Desktop settings from the Display Properties dialog box, including wallpaper, screen savers, and color schemes.

• Start menu programs and Windows toolbar options.

• Favorites, which provide easy access to the files and folders that the user accesses often.

• Network settings, including drive mappings, network printers, and recently visited network locations.

• Application settings, such as option settings for Microsoft Word.

• The My Documents folder.

Logon scripts

A logon script is a batch file that runs automatically whenever a user logs on. Logon scripts can perform several important logon tasks for you, such as mapping network drives, starting applications, synchronizing the client computer's time-of-day clock, and so on. Logon scripts reside on the server. Each user account can specify whether to use a logon script and which script to use.

This sample logon script maps a few network drives and synchronizes the time:

net use m: \\MYSERVER\Acct net use n: \\MYSERVER\Admin net use o: \\MYSERVER\Dev net time \\MYSERVER /set /yes

Logon scripts are a little out of vogue because most of what a logon script does can be done via user profiles. Still, many administrators prefer the simplicity of logon scripts, so they're still used even on Windows Server 2003 systems.