Working with User Accounts
A user can't log on to a network without a valid username and password. Therefore, user accounts are really the network administrator's first line of defense as far as network security is concerned . When a user logs on to the network from a client computer, her username and password are used to generate an access token. This access token validates the user to the network (allowing the logon) and also is used to determine the access level that the user will have to resources on the network.
The access token, which is a concept that you run into no matter what NOS you are using, is kind of an electronic identification card, not that different from an ATM card, really. An ATM card validates you to your bank's ATM network and allows you to access certain resources, such as your checking or savings account. The access token generated in relation to your username is also used to determine the resources that you can negotiate on the network and the degree of access you can have.
The network administrator is responsible for creating user accounts. Every network operating system provides a built-in administrator's account that is used to create and modify network user accounts and manage the resources on the network. This administrator's account is given different names in different operating systems, such as root, Admin, and Administrator (Linux, NetWare, and Windows, respectively).
Each network operating system also offers some sort of utility that is used to create new user accounts. Figure 20.1 shows the New Object - User dialog box used in the Windows Active Directory to add a new user account.
Figure 20.1. Network operating systems such as Microsoft Windows Server 2003 provide administrative utilities to add and edit user accounts.
Every network operating system shares some common rules for governing usernames. These rules are as follows :
Although each network operating system will supply you with conventions that control the creation of usernames, it also makes sense for you (as the administrator) to create a plan related to the creation of usernames. This plan should include the naming conventions you will use when you create the usernames for your various users. For example, if your basic naming convention for usernames is to use employees ' first initial and last name, you need to be consistent and use this convention for all usernames you create. Your plan should also include how you will differentiate two users when they have the same first initial and last name .
This user account plan should also include your strategy for how you will assign passwords to your users. Network operating systems allow you to stipulate a password that cannot be changed or assign an initial password that must be immediately changed by the user. Let's take a closer look at passwords and why they are important to network security.
Because user authentication requires a valid username and a valid password, your strategy for assigning passwords to your users will have a lot to do with how secure your network is. A lot of network administrators in the networking industry use first initial and then last name as their basic format for usernames. This means that if someone knows my name is Joe Habraken, it wouldn't be that hard for him to guess that my username on the network is probably jhabraken.
Therefore, it is really the password component of the user account that builds some security into the logon process. This means that you need to make an effort to keep user passwords secret (meaning users must be taught to keep their passwords to themselves ).
Most network operating systems now counsel you to use strong passwords for your network user accounts. Strong passwords are defined somewhat differently by each network operating system but the bottom line is that you want to have passwords that cannot be easily guessed by someone who has malicious intent toward your network.
Microsoft defines strong passwords as passwords that contain at least seven characters; do not contain user, real; or company names; do not contain complete dictionary words; and contain a combination of numeric, alphanumeric , and nonalphanumeric characters. In fact when you create the administrator account on a server that is running Windows Server 2003, a message box appears urging you to use a strong password, if you have chosen to leave the administrator password blank or have entered what is considered a "weak" password.
As with creating user accounts, each network operating system puts a slightly different spin on how you assign a password to a user account. It is typically configured in the same dialog box where you configure the user account. NetWare 6.5 allows you to view a user's properties in the ConsoleOne management tool. In the properties dialog box you can set the password for the user (see Figure 20.2).
Figure 20.2. Network operating systems such as Windows Server 2003 provide you with different options for assigning passwords to your users.
As you saw in Figure 20.1, Windows Server 2003 provides several options when you assign the initial password to the user, such as User Must Change Password at Next Logon and User Cannot Change Password. NetWare also gives you the option of allowing the user the ability to change their password if they wish. Using these various options as food for thought, let's discuss some different possibilities for ensuring that password protection remains a security asset on your network. Here are some general thoughts:
In essence, you need to come up with some sort of plan for password assignment that is easy for you (the administrator) and your users to deal with and also provides some security for the network. Certainly how you assign passwords to your network users will be colored by the number of users and the importance of the resources on the network.
Other options related to user accounts can also help you build some security into the overall login process. Let's take a look at some of these options, such as logon hours and the user's ability to create more than one concurrent connection to the network.
Other User Account Options
As far as security is concerned, there are some additional measures you can take to keep unauthorized folks from accessing your network using your users' accounts. Although each NOS will provide different tools for configuring these options, nearly all the network operating systems provide you with the following options:
Figure 20.3. You can limit the logon hours for users in a Windows 2000 network in the hopes of making the network more secure during non-working hours.
Figure 20.4. You can limit the number of concurrent connections to the NetWare network to minimize the possibility of unauthorized access.
Other options related to user accounts can be used to help secure your network. For example, you can specify the client computers that users can actually use to log on to the network. You might want to only allow users to log on to the network using their own PCs (which means local files stored on the computer are not at risk) or, if a user works throughout your corporate building, you might want to make it easy for him to check email by being able to log on to several different computers throughout the building.
You can also specify whether particular users can log on to the network through remote connections, such as a dial-up connection using a modem. We discussed remote access and dial-up connections in Chapter 17, "Networking on the Run."
How you use these various options to help secure your network should be part of the plan you create when you sit down to figure out how you will assign usernames and passwords. Having some sort of defined plan to work with allows you to be consistent as you build the accounts for your users.