Windows 2003 Server Overview
Posted on 02-Jan-2016
Windows Server 2003 Overview 1
Windows 2003 Server Overview
Ayaz
23-01-12
Windows Server 2003 Overview 2
Account Management
The process by which an administrator configures the network so that users get:
- access to what they need
- no access to things they don't need
Each user account is represented in the directory as an object (identified by its username) that holds membership in one or more groups.
Windows Server 2003 Overview 3
Planning
Plan, plan, plan. Don't just start adding users and other objects: set up organizational units and groups before adding other objects.
Windows Server 2003 Overview 4
Objects
Every element on the network, from people to machines, is represented in the AD by an object.
Each object represents one specific element, with its own properties and configuration settings.
Active Directory Users and Computers (ADUC): the Administrative Tools snap-in that lets an administrator manage users, groups, and the other elements of the AD.
Windows Server 2003 Overview 5
Organizational Units
A way to logically organize resources within the domain: identify any groups or resources in the organization that need to be kept separate from other areas.
"Container": any object in the directory into which other objects can be placed.
Administrative control can be delegated separately for each OU.
Example: departments.
Windows Server 2003 Overview 6
Rights & Permissions
Rights: allow you to perform a task.
Permissions ("perms"): concern the type of access to a particular resource.
Example: a user has the right to log on to the network, and must also have permission to use a particular resource.
Windows Server 2003 Overview 7
Groups
Plan your groups. User accounts are created to identify individuals on the network.
Groups: objects that enable a number of users to be administered as a "single account".
Groups are created for the purpose of assigning permissions. Users can be assigned permissions directly, but this is not recommended: create groups instead, even if a group has only one member!
Windows Server 2003 Overview 8
Types of Groups
NT 4: global groups, local groups
Windows Server 2003: domain local groups, global groups, universal groups, local groups
Windows Server 2003 has a number of built-in groups.
Windows Server 2003 Overview 9
Group Types con’t.
Universal groups
- Users from any domain can be members
- Can be given permissions to resources in any domain
- Generally used only in large multi-domain networks
- No built-in universal groups, apart from Enterprise Admins and Schema Admins, which become universal once the domain is at Windows 2000 native functional level or higher
Local groups
- Used to assign permissions only to resources on the machine the group was created on
- The only kind of group available when AD is not installed
Windows Server 2003 Overview 10
Domain Local Group Scope
Members can include:
- user accounts from any domain
- global and universal groups from any domain
- domain local groups from the same domain
Can only be granted access to resources within the domain they are created in.
Generally used to identify resources that have a similar function on the network.
Groups with domain local scope should be used to define and manage resources within a single domain.
Windows Server 2003 Overview 11
Global and Universal Group Scope
Global group
- Members can include: user accounts from the same domain, global groups from the same domain
- One user may be a member of several global groups
- Can be granted access to resources in any domain
- Generally used to organize users with similar roles in the organization
Universal group
- Members can include: users from any domain, global groups from any domain, universal groups from any domain
Windows Server 2003 Overview 12
Domain Local Group Scope Scenario
Example: to give 5 users access to a particular printer (the resource), create a domain local group and assign it permission to access the printer. Put the 5 user accounts in a global group and add this global group to the domain local group. In the future, if you want to give these 5 users access to a new printer, assign the domain local group permission to access the new printer: all members of the global group automatically receive access to it.
Windows Server 2003 Overview 13
Microsoft “Way” Group Membership
Create user and place into one or more global groups
Global groups are then placed into domain local groups
Domain local groups are given permissions to the resources
Windows Server 2003 Overview 14
AGLP and UGLR
AGLP: Accounts go into Global groups, which go into domain Local groups, which are given Permissions to the resources.
UGLR: Users go into Global groups, which go into domain Local groups, which are assigned permissions on Resources.
Windows Server 2003 Overview 15
Creating a Group
Built-in groups, default groups, or create your own.
In the ADUC tool: select a container for the new group, then create the group using the New Object - Group window.
Add users to the group now or later: right-click, Properties, Members tab, and select the users. Groups can also be added to other groups.
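The same AGLP chain as the printer scenario and the creation steps above, done from the command line instead of the ADUC window. This is an added example, not part of the slides: it runs in PowerShell on a Windows Server 2003 domain controller and calls the dsadd, dsmod, dsget and cacls tools that ship with the OS. Assumed names (none of them from the slides): domain corp.example with NetBIOS name CORP, an existing OU "Sales", five existing user accounts whose CN equals their logon name, and a shared folder D:\Shares\SalesDocs standing in for the printer (the pattern is identical for any resource that carries an ACL).

```powershell
# Added example, not part of the slides. Builds Accounts -> Global -> domain Local
# -> Permissions with the Windows Server 2003 directory command-line tools.
# Assumed names: domain corp.example / CORP, OU "Sales", users alice..erin already
# exist (CN = logon name), resource is a folder rather than a printer.

$domainDN = 'DC=corp,DC=example'
$ou       = "OU=Sales,$domainDN"
$netbios  = 'CORP'

# G: a global security group names the role (who the people are).
$globalGroup = "CN=GG-Sales-Staff,$ou"
# L: a domain local security group names one level of access to one resource.
$localGroup  = "CN=DL-SalesDocs-Modify,$ou"
$resource    = 'D:\Shares\SalesDocs'

# A: the accounts. Assumption: each user's CN equals its logon name.
$users = 'alice', 'bob', 'carol', 'dave', 'erin' | ForEach-Object { "CN=$_,$ou" }

# A -> G
dsadd group $globalGroup -secgrp yes -scope g -desc 'Sales staff (role)'
dsmod group $globalGroup -addmbr $users          # the array expands to one DN per argument

# G -> L
dsadd group $localGroup -secgrp yes -scope l -desc "Modify access to $resource"
dsmod group $localGroup -addmbr $globalGroup

# L -> P: the permission goes on the domain local group, never on a user.
# cacls /E edits the existing ACL in place; :C grants Change (read, write, delete).
cacls $resource /E /G "$netbios\DL-SalesDocs-Modify:C"

# Checks: membership at each hop, then the resulting ACL on the resource.
dsget group $globalGroup -members
dsget group $localGroup  -members
cacls $resource
```

Granting the same five people access to a second resource later is one more dsadd/dsmod pair for a new DL group plus one cacls line; the global group, and the user accounts inside it, are not touched. Each dsadd/dsmod call prints "succeeded" or an error, so run the block interactively the first time.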
Windows Server 2003 Overview 16
Reasons for Using Groups
It is easier to organize permissions by groups than on an individual basis.
AGLP is the known "standard"; the MCSE tests want the "right" way (the Microsoft way).
Windows Server 2003 Overview 17
Five Default Groups
Membership is not based on who the user is, but on how they are connected to a resource.
Cannot be configured through AD, but can be used when setting permissions.
- Everyone: every user is a member, including Guest (on Windows Server 2003, Everyone no longer includes anonymous logons unless the security option "Let Everyone permissions apply to anonymous users" is enabled)
- Authenticated Users: users who logged on with a valid account
- Creator Owner: the user who created the resource
- Network: users accessing the resource over the network (shares)
- Interactive: users logged on locally
Windows Server 2003 Overview 18
Distribution and Security Groups
Distribution groups: used only with e-mail applications such as Exchange, to send e-mail to collections of users.
Security groups: used to assign access to network resources.
- Rights: tasks users can perform in a domain; some come automatically with built-in groups such as Backup Operators
- Permissions: determine who can access a resource and the level of access
Assign permissions on the resource using security groups rather than individual users.
Windows Server 2003 Overview 19
User Accounts
Matching users with the resources they need.
Users represent a "role" in the company, not "individuals".
Individual users should not have any permissions on resources: never give explicit user permissions on resources, because they are difficult for the administrator to manage. Groups hold the permissions.
Windows Server 2003 Overview 20
Default Account: Administrator
The most powerful account in the domain: full control, with access to all resources and configuration information.
Cannot be deleted or removed; can be renamed; can be disabled.
Needs a strong password.
Automatically a member of Administrators, Domain Admins, etc.
Windows Server 2003 Overview 21
Default Account: Guest
For people who don't have a user account in the domain. No password is required; disabled by default.
Provides anonymous access to certain resources on the network: a low-security option. Might be used for visitor access in a kiosk, for read-only access.
Windows Server 2003 Overview 22
Creating User Accounts
Develop an acceptable naming convention; auditors prefer consistent user account names, one account per individual.
Create a user account for every individual on the network.
Use ADUC: select the container you wish to create the user in (the default is the Users folder, or the user can be placed in an organizational unit), then right-click, New, User, and enter the information.
Windows Server 2003 Overview 23
User Configuration
Data                                       Description
First Name                                 User's first name
Last Name                                  User's last name
Name                                       Full name
User Logon Name                            Unique name within the AD (user principal name, user@domain)
Downlevel Logon Name                       Pre-Windows 2000 logon name (DOMAIN\username), used by down-level clients and NTLM
Password                                   Authentication to log on
Confirm Password                           Retyped to ensure it is correct
User Must Change Password at Next Logon    User creates their own password at first logon
User Cannot Change Password                Prevents the user from changing the password
Password Never Expires                     Overrides the password expiration options
Windows Server 2003 Overview 24
Configuring User Accounts
Additional options to add to or restrict an account on the network.
ADUC, right-click, Properties:
- Informational: address, telephone
- Organizational: manager, department
- Security
- Account tab: logon name, logon hours, workstation restrictions, account options, account expiration
- Profile tab: profile, logon script, home folder
- Member Of tab: group memberships
- Dial-in tab: remote access, callback, IP address information
Windows Server 2003 Overview 25
User Account Security
Logon script: map drives for a user, attach printers, set system or user variables.
Profile: standardize the desktop, restrict the programs and options a user can use. Local, roaming, or mandatory.
Home folders: users have their own workspace on the server to store files.
Logon hours and workstation restrictions: specify times and machines.
Account options: set password options.
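The account creation and configuration steps of the last four slides (naming, container, the New User fields, the Account and Profile tabs, logon hours and workstation restrictions) as one command-line sequence. This is an added example, not part of the slides: it runs in PowerShell on a Windows Server 2003 domain controller and uses dsadd, dsget and net user, all shipped with the OS. Assumed names (not from the slides): domain corp.example / CORP, OU "Sales", file server FS01, an existing global group GG-Sales-Staff, a logon script sales.bat in the NETLOGON share, and the initial password shown.

```powershell
# Added example, not part of the slides: create and configure one user account
# with the Windows Server 2003 tools dsadd, dsget and net user.
# Assumed names: domain corp.example / CORP, OU "Sales", file server FS01,
# global group GG-Sales-Staff, logon script sales.bat in NETLOGON.

$ou       = 'OU=Sales,DC=corp,DC=example'
$sam      = 'aexample'                      # naming convention: first initial + last name
$dn       = "CN=Alice Example,$ou"
$firstPwd = 'Chang3-Me-N0w!'                # throwaway: -mustchpwd forces a new one at first logon

# New User fields plus the Account and Profile tab settings, in one call.
# -mustchpwd yes  : "User must change password at next logon"
# -acctexpires 90 : account expiration, 90 days from today
# -memberof       : Member Of tab (group holds the permissions, not the user)
dsadd user $dn `
    -samid $sam -upn "$sam@corp.example" `
    -fn Alice -ln Example -display 'Alice Example' `
    -desc 'Sales representative, 90-day contract' `
    -pwd $firstPwd -mustchpwd yes -pwdneverexpires no -disabled no `
    -acctexpires 90 `
    -memberof "CN=GG-Sales-Staff,$ou" `
    -loscr sales.bat -profile "\\FS01\Profiles\$sam" `
    -hmdrv H: -hmdir "\\FS01\Home\$sam"

# Logon hours and workstation restrictions are not dsadd switches; net user sets them.
# Quoted so PowerShell passes each switch as a single argument despite the commas.
net user $sam /domain '/times:M-F,08:00-18:00' '/workstations:WS-SALES01,WS-SALES02'

# Checks: account options and membership as stored in the directory, then
# the logon hours and allowed workstations as reported by net user.
dsget user $dn -samid -upn -mustchpwd -pwdneverexpires -disabled -acctexpires -hmdir -loscr
dsget user $dn -memberof
net user $sam /domain
```

The throwaway password is only good for the first logon because -mustchpwd yes sets the account so the user has to choose a new one immediately; dsadd also refuses a password that does not meet the domain's password policy, so the check at the end confirms the account actually exists before the user is told about it.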
Windows Server 2003 Overview 26
User Authentication and Authorization
Create an individual user account for each user.
Strong passwords: reduce the risk of "intelligent" guessing and dictionary attacks.
Account lockout policy: how many failed logon attempts before the account is disabled; decreases the possibility of an attacker compromising the system through repeated logon attempts.
Windows Server 2003 Overview 27
Windows 2003 Policies
Account policy: password restrictions and handling of unsuccessful logon attempts.
User rights policy: determines which users and groups can perform specific actions on the system.
Audit policy: determines the amount and type of security logging.
System policy (NT 4 style): can be used to provide a uniform environment in a domain; applies to all members of the group it is set for unless a member has an individual policy, and if a user is in multiple groups, the highest-priority group's policy applies.
Group policy (Windows 2000/2003): Group Policy Objects are linked to sites, domains, and OUs and applied in the order local, site, domain, OU; security groups only filter which GPOs apply to a user or computer, they are not themselves a target a GPO is linked to.
Windows Server 2003 Overview 28
Windows 2003 Account Policy
Account policy
- Determines how passwords are validated and enforced
- Determines how unsuccessful logon attempts are handled
- Can be set for OUs, domains, domain controllers, and local computers; for domain accounts only the domain-level setting takes effect, a policy linked to an OU only affects the local accounts of computers in that OU
- Consists of: password policy, account lockout policy, Kerberos policy
Windows Server 2003 Overview 29
Account Policy Options
User must change password at next logon: ensures the user is the only person who knows their password.
User cannot change password: use to keep control over an account.
Password never expires: needs a strong password!
Store password using reversible encryption: allows the user to log on to the Windows network from Apple computers and with protocols such as CHAP that need the cleartext password; the password is stored in a recoverable form, so avoid it unless required.
Account is disabled: prevents the user from logging on.
Smart card is required for interactive logon: requires the user to possess a smart card to log on; needs a smart card reader attached to the computer and a valid PIN.
4 others not discussed in this class.
Windows Server 2003 Overview 30
Password Policy
Enforce password history: number of new passwords that must be used before an old password can be reused.
Maximum password age: if 0, passwords never need to be changed.
Minimum password age: if 0, passwords can be changed at any time; used to prevent "recycling" straight back to a previous password.
Minimum password length: 0-14 characters; if 0, passwords are not required.
Passwords must meet complexity requirements: at least six characters, drawn from at least three of the four character classes (uppercase, lowercase, numeric, special characters), and the password may not contain the user's account name.
Store passwords using reversible encryption for all users: weakens password storage for every account in the domain; leave it disabled unless a protocol requires it.
Windows Server 2003 Overview 31
Account Lockout Policy
Account lockout threshold: number of consecutive unsuccessful logon attempts before the account is locked; if 0, the account is never locked.
Account lockout duration: how long accounts remain locked, 0 to 99,999 minutes; if 0, the account stays locked until an administrator unlocks it. "Not defined": the user is never locked out.
Reset account lockout counter after: how long between bad logon attempts before the lockout threshold counter is reset, 1-99,999 minutes; must be less than or equal to the lockout duration. "Not defined": the user is never locked out.
Windows Server 2003 Overview 32
Kerberos Policy
Used for authentication by domain controllers:
- Enforce user logon restrictions
- Maximum lifetime for service ticket
- Maximum lifetime for user ticket
- Maximum lifetime for user ticket renewal
- Maximum tolerance for computer clock synchronization
Windows Server 2003 Overview 33
Setting Account Policies
Effective when the user logs off and back on again.
In Administrative Tools:
- Domain: select Domain Security Policy
- Domain controllers: select Domain Controller Security Policy
- OU: select Active Directory Users and Computers (Group Policy tab of the OU's properties)
- Local computer: use the Control Panel Administrative Tools applet and select Local Security Policy
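The password and lockout settings of the previous slides, applied from a script rather than from the Local Security Policy window. This is an added example, not part of the slides: it writes a security template and feeds it to secedit, the command-line engine behind the security policy snap-ins on Windows Server 2003, then exports the effective policy to check the result. The numeric values are illustrative choices for the example, not a baseline the slides recommend; the file names under %TEMP% are assumptions.

```powershell
# Added example, not part of the slides: apply password and lockout policy with
# secedit on a Windows Server 2003 machine. Run as an administrator on the
# machine whose local policy is being set. Values are illustrative.
# The template is a single-quoted here-string so "$CHICAGO$" is kept literally.

$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; --- Password policy ---
; old passwords remembered (Enforce password history)
PasswordHistorySize = 24
; days; 0 would mean passwords never expire
MaximumPasswordAge = 90
; days; 0 would let a user cycle straight back to an old password
MinimumPasswordAge = 1
; 0-14; 0 would allow blank passwords
MinimumPasswordLength = 8
; 1 = three of four character classes, no account name in the password
PasswordComplexity = 1
; 0 = do not store passwords with reversible encryption
ClearTextPassword = 0
; --- Account lockout policy ---
; consecutive bad attempts before lockout; 0 = never lock out
LockoutBadCount = 5
; minutes locked; 0 = locked until an administrator unlocks the account
LockoutDuration = 30
; minutes before the bad-attempt counter resets; must not exceed LockoutDuration
ResetLockoutCount = 30
'@

$infPath = Join-Path $env:TEMP 'account-policy.inf'
$dbPath  = Join-Path $env:TEMP 'account-policy.sdb'
$logPath = Join-Path $env:TEMP 'account-policy.log'
Set-Content -Path $infPath -Value $inf -Encoding Unicode

# Apply only the SECURITYPOLICY area (account policy, audit policy, security options).
secedit /configure /db $dbPath /cfg $infPath /areas SECURITYPOLICY /log $logPath /quiet

# Check: export the effective local policy and show the keys that were set.
$effective = Join-Path $env:TEMP 'effective-policy.inf'
secedit /export /cfg $effective /areas SECURITYPOLICY /quiet
Get-Content $effective | Select-String 'Password|Lockout|ClearText'
```

For domain accounts these values only take effect when they sit in the domain-level policy, which is why the slide points at Domain Security Policy for a domain: the same template can be imported there with the Import Policy action on the Security Settings node of the GPO, and secedit /export on a domain controller shows what that GPO has actually applied.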
Windows Server 2003 Overview 34
User Rights Policies
Examples of user rights (as named in the policy):
- Force shutdown from a remote system
- Access this computer from the network
- Log on locally
- Back up files and directories / Restore files and directories
- Change the system time
- Load and unload device drivers
- Manage auditing and security log
- Shut down the system
- Take ownership of files or other objects
Windows Server 2003 Overview 35
Audit Policies
Event Viewer allows viewing of the events specified by the audit policy.
Auditing must be enabled in the Audit Policy window.
- System log: system errors, driver errors, etc.
- Security log: bad logon attempts and other audited events
- Application log
Each message has an event ID number. Logs have a "maximum" size before they overwrite. Be selective in auditing, as it creates "overhead".
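The bad logon attempts the Security log records, read back and tallied per account, which is the kind of check the audit policy and the lockout policy exist to support. This is an added example, not part of the slides: PowerShell on a Windows Server 2003 machine, using Get-EventLog and the pre-Vista event IDs that Server 2003 writes (529 bad user name or password, 539 logon refused because the account is locked out, 644 account locked out by the lockout policy). It assumes that failure auditing of logon events and account management is enabled and that the script runs with the right to read the Security log; the 24-hour window and the threshold of 5 are choices for the example.

```powershell
# Added example, not part of the slides: tally failed logons and lockouts from
# the Security log of a Windows Server 2003 machine. Event IDs 529/539/644 are
# the Server 2003 (pre-Vista) IDs. Assumes logon-event failure auditing and
# account-management auditing are enabled and the caller can read the log.

$threshold = 5                          # same number as the lockout threshold example
$since     = (Get-Date).AddHours(-24)

# Event Viewer shows the same entries; here they are filtered in one pass.
$events = Get-EventLog -LogName Security |
    Where-Object { $_.TimeGenerated -gt $since -and (@(529, 539, 644) -contains $_.EventID) }

# The account is parsed from the message text: 529/539 carry "User Name:",
# 644 carries "Target Account Name:" (which precedes its "Caller User Name:").
function Get-AccountName($message) {
    $m = [regex]::Match($message, '(?:Target Account Name|User Name):\s*(\S+)')
    if ($m.Success) { return $m.Groups[1].Value }
    return '<unparsed>'
}

$failures = @{}     # account -> count of 529/539 entries
$lockouts = @()     # one line per 644 entry
foreach ($e in $events) {
    $account = Get-AccountName $e.Message
    if ($e.EventID -eq 644) {
        $lockouts += "{0:yyyy-MM-dd HH:mm} locked out: {1}" -f $e.TimeGenerated, $account
    } else {
        $failures[$account] += 1        # a missing key starts at $null, so this yields 1
    }
}

"Accounts with $threshold or more failed logons since $since"
$failures.GetEnumerator() |
    Where-Object { $_.Value -ge $threshold } |
    Sort-Object Value -Descending |
    ForEach-Object { "{0,-24} {1,5}" -f $_.Key, $_.Value }

"Lockouts"
$lockouts
```

Get-EventLog reads the whole log before the Where-Object filter runs, so on a busy domain controller add -Newest with a sensible count to keep the run short; an account that shows up under both headings (many 529 entries followed by a 644) is the pattern an attacker's repeated logon attempts leave behind, and an account that shows only 539 entries is one that was already locked when the attempts continued.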