User Accounts


The backbone of Windows 2000 security is the ability to uniquely identify each user. Windows 2000 assigns each user a user account. The user account is identified by a user name and password, which the user enters when logging on to the system. Windows then controls, monitors, and restricts access to system resources based on the permissions and rights associated with each user account by the resource owners and the system administrator. For information about managing user accounts, see "Working with Local User Accounts and Groups."

In addition to such "normal" user accounts, Windows 2000 provides two special accounts that have predefined sets of permissions and rights associated with them: the Administrator account and the Guest account.

Administrator Account

Every computer running Windows 2000 has a special account named Administrator. This account has full rights over the entire computer. It can create other user accounts and is generally responsible for managing the computer. Many system features and rights are off limits to accounts other than Administrator (or another account that belongs to the Administrators group). For example, most features in Computer Management, the tool used to manage user accounts and other items, are disabled when the user is not Administrator or a member of the Administrators group. For more information about groups, see "User Groups" and "Working with Local User Accounts and Groups."

TIP
To make it more difficult for intruders to use the Administrator account, you should rename it so they'll be forced to guess its user name as well as its password. For information about renaming user accounts, see "Renaming, Deleting, and Disabling Accounts."

Guest Account

Most Windows 2000 systems also include an account named Guest. This account resides at the other end of the privilege spectrum. It is designed to allow an infrequent or temporary user such as a visitor to log on to the system without providing a password and use the system in a restricted manner. Choices made by the system administrator determine the level of access afforded to the Guest account. (By default, the Guest account is disabled on a clean install of Windows 2000; no one can use an account that's disabled.)

WARNING
Enabling the Guest account not only allows anyone to log on to your computer using the user name Guest (with no password), but it also allows anyone on your network to see your shared folders if you share them using default settings. (The other users could even be running an unsecure system such as Windows 98, which doesn't require a logon name and password.) Shared folders on a FAT32 volume are then completely open to access, and anonymous users can view, modify, create, or delete files. If your shared folders are on an NTFS volume and you use the default NTFS access permissions, those users won't be able to access the share, but they will be able to see the shared folder name. If you must enable the Guest account, be sure you deny Guest access to shares, folders, and files that you don't want guests and other unauthenticated users to see. (A user on another computer or another domain might be authenticated on their system, but not on yours.)
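
The check described in this warning can be scripted at the command prompt. The batch file below is an added example, not part of the original book text. It assumes an English-language system, an account still named Guest, and a hypothetical shared folder D:\Shared on an NTFS volume.

```bat
@echo off
rem Added example: report whether the built-in Guest account is enabled
rem and, if it is, show what is shared and who can reach one shared folder.
rem Assumptions: English-language "net user" output, the account has not
rem been renamed, and D:\Shared is a hypothetical folder on an NTFS volume.
setlocal
set FOLDER=D:\Shared

rem "net user <name>" prints a line of the form "Account active   Yes" or "No".
rem The errorlevel of a pipeline is that of its last command, so it is 1
rem when no "Account active ... Yes" line was found.
net user Guest | findstr /I /C:"Account active" | findstr /I "Yes" >nul
if errorlevel 1 (
    echo Guest is disabled or was not found under that name.
    goto :eof
)

echo WARNING: the Guest account is enabled.
echo Shares currently defined on this computer:
net share

if exist "%FOLDER%" (
    echo Current NTFS permissions on %FOLDER%:
    cacls "%FOLDER%"
)

rem Remediation, left commented out so the script only reports:
rem   Deny Guest on the folder. /E edits the existing ACL instead of
rem   replacing it, and /D adds a deny entry for the named user.
rem     cacls "%FOLDER%" /E /D Guest
rem   Disable the Guest account again:
rem     net user Guest /active:no
```

cacls works only on NTFS volumes, so a share on a FAT32 volume cannot be protected this way.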



Running Microsoft Windows 2000 Professional
ISBN: 1572318384
EAN: 2147483647
Year: 2000
Pages: 317
