Working with User Accounts

A user can't log on to a network without a valid username and password. Therefore, user accounts are really the network administrator's first line of defense as far as network security is concerned. When a user logs on to the network from a client computer, her username and password are checked, and if they are valid the NOS generates an access token for her. This access token validates the user to the network (allowing the logon) and is also used to determine the level of access the user will have to resources on the network.

The access token, a concept that you run into no matter what NOS you are using, is something like an electronic identification card, not that different from an ATM card, really. An ATM card validates you to your bank's ATM network and allows you to access certain resources, such as your checking or savings account. The access token generated for your username likewise determines which resources you can reach on the network and how much you are allowed to do with them.

The network administrator is responsible for creating user accounts. Every network operating system provides a built-in administrator's account that is used to create and modify network user accounts and manage the resources on the network. This administrator's account is given different names in different operating systems, such as root, Admin, and Administrator (Linux, NetWare, and Windows, respectively). Because these names are the same on every installation, they are the first accounts an intruder will try; the administrator's account should therefore carry the strongest password on the network and be used only for administration, not for day-to-day work.

Each network operating system also offers some sort of utility that is used to create new user accounts. Figure 20.1 shows the New Object - User dialog box used in the Windows Active Directory to add a new user account.

Figure 20.1. Network operating systems such as Microsoft Windows Server 2003 provide administrative utilities to add and edit user accounts.


Every network operating system shares some common rules for governing usernames. These rules are as follows:

  • Each and every username must be unique. Although this rule is a no-brainer, it is important to keep in mind.

  • Usernames are limited to a specific number of characters. Although the number of characters that can be used to create a username will vary from NOS to NOS, every operating system has naming conventions that you should be aware of before you create your user accounts. For example, Windows limits the logon name (the pre-Windows 2000 logon name, or sAMAccountName, in Active Directory) to 20 characters. NetWare NDS usernames can be up to 64 characters.

  • Certain characters cannot be used in usernames. Typically, punctuation such as the slash ( / ), backslash ( \ ), and other special characters cannot be used in usernames; Windows, for example, rejects the characters " / \ [ ] : ; | = , + * ? < > in a logon name. Some operating systems allow spaces to be used in usernames, and others do not. Again, you need to know your network operating system's naming conventions before you create usernames.

Although each network operating system will supply you with conventions that control the creation of usernames, it also makes sense for you (as the administrator) to create a plan related to the creation of usernames. This plan should include the naming conventions you will use when you create the usernames for your various users. For example, if your basic naming convention for usernames is to use employees' first initial and last name, you need to be consistent and use this convention for all usernames you create. Your plan should also include how you will differentiate two users when they have the same first initial and last name.

This user account plan should also include your strategy for how you will assign passwords to your users. Network operating systems allow you to stipulate a password that cannot be changed or assign an initial password that must be immediately changed by the user. Let's take a closer look at passwords and why they are important to network security.
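The naming-convention plan described above is easy to state and easy to get wrong by hand once a few hundred accounts exist. The following Python script is an added example, not code from the book or from any NOS vendor: it applies the first-initial-plus-last-name convention, resolves collisions with a numeric suffix, and checks each result against the Windows limits mentioned above (20 characters, the forbidden punctuation set). The directory contents and the names fed to it are constructed for the demonstration; pass max_len=64 to use the NDS limit instead.

```python
import re

# Constraints the page mentions, using Windows's limits for the worked example:
# the logon name is capped at 20 characters and a documented set of punctuation
# characters is not allowed in it. NDS allows 64; pass max_len=64 for that case.
WINDOWS_MAX_LEN = 20
WINDOWS_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def validate_username(name, max_len=WINDOWS_MAX_LEN, forbidden=WINDOWS_FORBIDDEN):
    """Return the list of rules a proposed name breaks; an empty list means it is acceptable."""
    problems = []
    if not name or name != name.strip():
        problems.append("empty, or leading/trailing whitespace")
    if len(name) > max_len:
        problems.append(f"longer than {max_len} characters")
    bad = sorted(set(name) & forbidden)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    if " " in name:
        problems.append("contains a space")  # legal on some NOSs; our plan forbids it
    return problems


def base_username(first, last, max_len=WINDOWS_MAX_LEN):
    """The page's convention: first initial + last name, lowercased, letters only,
    truncated so it fits the NOS limit."""
    fn = re.sub(r"[^a-z]", "", first.lower())
    ln = re.sub(r"[^a-z]", "", last.lower())
    if not fn or not ln:
        raise ValueError("each name part needs at least one ASCII letter")
    return (fn[0] + ln)[:max_len]


def allocate_username(first, last, taken, max_len=WINDOWS_MAX_LEN):
    """Apply the convention, then the plan's tie-break rule: append 2, 3, ... until
    the name is unique. `taken` is the set of names already in the directory,
    held in lowercase because Windows logon names are not case-sensitive; the
    chosen name is added to it."""
    base = base_username(first, last, max_len)
    candidate, n = base, 2
    while candidate.lower() in taken:
        suffix = str(n)
        candidate = base[: max_len - len(suffix)] + suffix   # stay within the limit
        n += 1
    problems = validate_username(candidate, max_len)
    if problems:
        raise ValueError(f"{candidate!r}: {problems}")
    taken.add(candidate.lower())
    return candidate


if __name__ == "__main__":
    directory = set()   # constructed: an empty directory for the demonstration
    for first, last in [("Joe", "Habraken"), ("Jane", "Habraken"), ("Jim", "Habraken"),
                        ("Mary", "O'Brien"), ("Ann", "Featherstonehaughwick")]:
        print(f"{first} {last:24} -> {allocate_username(first, last, directory)}")
    print(validate_username("bob smith/contractor"))
```

The truncation step matters more than it looks: a 22-character surname collides with its own first-initial variant after truncation, and the suffix must displace a letter rather than push the name past the limit, or the second account creation simply fails in the dialog box.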

User Passwords

Because user authentication requires a valid username and a valid password, your strategy for assigning passwords to your users will have a lot to do with how secure your network is. A lot of network administrators in the networking industry use first initial and then last name as their basic format for usernames. This means that if someone knows my name is Joe Habraken, it wouldn't be that hard for him to guess that my username on the network is probably jhabraken.

Therefore, it is really the password component of the user account that builds some security into the logon process. This means that you need to make an effort to keep user passwords secret (meaning users must be taught to keep their passwords to themselves).

Most network operating systems now counsel you to use strong passwords for your network user accounts. Strong passwords are defined somewhat differently by each network operating system but the bottom line is that you want to have passwords that cannot be easily guessed by someone who has malicious intent toward your network.

Microsoft defines strong passwords as passwords that contain at least seven characters; do not contain the user's logon name, real name, or company name; do not contain complete dictionary words; and contain a combination of uppercase letters, lowercase letters, numerals, and nonalphanumeric symbols. In fact, when you create the administrator account on a server that is running Windows Server 2003, a message box appears urging you to use a strong password if you have chosen to leave the administrator password blank or have entered what is considered a "weak" password. Note that the seven-character minimum dates from the period this guidance was written; current guidance (NIST SP 800-63B) puts more weight on length, and on screening candidates against lists of passwords already exposed in breaches, than on composition rules like these.
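The definition above is a checklist, and a checklist is something you can run. The following Python function is an added example, not Microsoft's or the book's code: it applies each of the quoted rules to a candidate password and reports every rule it fails, which is more useful to a user than a bare "weak password" message. The word list is a constructed stand-in for a real dictionary, and the substitution table (P@ssw0rd treated as "password") is an addition that the quoted definition does not spell out but that any dictionary check needs in practice.

```python
import re

# Constructed stand-in for a dictionary. A production check uses a complete word list
# and, today, a list of passwords already exposed in breaches.
DICTIONARY = {"password", "secret", "summer", "welcome", "letmein", "network",
              "dragon", "monkey", "football"}

# Letter-for-symbol substitutions people use to dodge dictionary checks; undone before
# the check so that "P@ssw0rd" is recognised as the word it is.
LEET = str.maketrans("@4301$57!", "aaeolssti")

CHARACTER_CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}


def check_password(password, username, real_name="", company="",
                   min_length=7, min_classes=3, dictionary=DICTIONARY):
    """Return the strong-password rules the candidate fails (empty list = passes).
    The rules are the Microsoft definition quoted above. min_classes=3 mirrors the
    three-out-of-four rule that Windows's built-in complexity policy enforces;
    pass min_classes=4 for Microsoft's stricter written advice."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")

    lowered = password.lower()
    for label, text in (("username", username), ("real name", real_name), ("company name", company)):
        # No word of three or more letters from any of the names may appear in the password.
        for part in re.findall(r"[a-z]{3,}", text.lower()):
            if part in lowered:
                failures.append(f"contains part of the {label} ({part!r})")
                break

    present = {label for label, test in CHARACTER_CLASSES.items() if any(test(c) for c in password)}
    if len(present) < min_classes:
        failures.append(f"only {len(present)} of {len(CHARACTER_CLASSES)} character classes used")

    # Substring match is deliberately conservative: "Summer2003!" still contains "summer".
    for variant in (lowered, lowered.translate(LEET)):
        hit = next((w for w in sorted(dictionary) if w in variant), None)
        if hit:
            failures.append(f"contains the dictionary word {hit!r}")
            break
    return failures


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "P@ssw0rd1", "Summer2003!", "habraken7", "Ab1!"):
        print(f"{candidate:14} {check_password(candidate, 'jhabraken', 'Joe Habraken', 'Acme') or 'OK'}")
```

Two of the constructed candidates are instructive: P@ssw0rd1 satisfies the length and character-class rules and still fails, because the dictionary check sees through the substitutions, and Summer2003! shows why a season-plus-year password is no better than a dictionary word.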

As with creating user accounts, each network operating system puts a slightly different spin on how you assign a password to a user account. It is typically configured in the same dialog box where you configure the user account. NetWare 6.5 allows you to view a user's properties in the ConsoleOne management tool. In the properties dialog box you can set the password for the user (see Figure 20.2).

Figure 20.2. Network operating systems such as Windows Server 2003 provide you with different options for assigning passwords to your users.


As you saw in Figure 20.1, Windows Server 2003 provides several options when you assign the initial password to the user, such as User Must Change Password at Next Logon and User Cannot Change Password. NetWare also gives you the option of allowing the user the ability to change their password if they wish. Using these various options as food for thought, let's discuss some different possibilities for ensuring that password protection remains a security asset on your network. Here are some general thoughts:

  • You can allow users to control their own passwords. Allowing users to create their own passwords can be particularly useful in situations where you have set an expiration time limit on passwords and require all users to change theirs. However, if you are going to put users in charge of their passwords, you need to educate them that using their first name or just the word password as their password isn't going to provide the level of security you are after.

  • You can completely take control of user passwords. You can assign passwords for your users that they can't change. If you have a lot of users, however, this is going to require a lot of work. This is especially true if you plan to have the passwords expire every so often. What's more, supplying a devilishly complex password that no one will ever guess never seems to work, because users will write down difficult-to-remember passwords on sticky notes and attach them to their computer monitors.

  • You can require that passwords be changed at a defined interval. It is definitely a good idea to have some sort of password-cycling strategy. Having passwords that never expire only gives people intent on breaking into your network plenty of time to guess the password that goes with a particular user account. Periodically changing passwords makes your network more of a moving target. One caution: forced rotation on a short schedule tends to produce predictable sequences (Summer2003! becomes Autumn2003!), which is why current guidance (NIST SP 800-63B) favors changing passwords when compromise is suspected rather than on a fixed calendar.

Caution


People who are intent on breaking into your network certainly aren't limited to imprecise techniques such as guessing usernames and passwords. In Chapter 19, "Network Troubleshooting," we discussed protocol sniffers, which hackers can use to view network traffic. When a protocol sends credentials in clear text, as Telnet, FTP, and HTTP basic authentication do, anyone who can capture the packets can read the username and password straight out of them. Encryption is used to make captured information useless for breaking into the network. We will discuss encryption later in the chapter.
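To make the caution concrete, here is an added example (not from the book) of what a sniffer hands an eavesdropper when credentials travel in the clear. The "capture" is a constructed text reconstruction of one FTP logon and one HTTP request, not a real packet trace; the script pulls the username and password out of both. The HTTP case is worth a look because the Authorization header looks scrambled but is only base64-encoded, which is a transport encoding, not encryption, and reverses with no key at all.

```python
import base64
import re

# Constructed reconstruction of the application data in two clear-text sessions,
# the way a sniffer that follows a TCP stream would display it. Not a real capture.
CAPTURE = """\
220 files.example.com FTP server ready
USER jhabraken
331 Password required for jhabraken
PASS Summer2003!
230 User jhabraken logged in
GET /intranet/ HTTP/1.1
Host: intranet.example.com
Authorization: Basic amhhYnJha2VuOlN1bW1lcjIwMDMh
"""

FTP_USER = re.compile(r"^USER (\S+)", re.M)
FTP_PASS = re.compile(r"^PASS (\S+)", re.M)
HTTP_BASIC = re.compile(r"^Authorization: Basic (\S+)", re.M | re.I)


def extract_credentials(stream):
    """Return (protocol, username, password) triples readable from a clear-text stream.
    FTP sends USER and PASS as literal text; HTTP basic authentication sends
    base64("user:password"), which decodes without any secret."""
    found = []
    for user, pw in zip(FTP_USER.findall(stream), FTP_PASS.findall(stream)):
        found.append(("ftp", user, pw))
    for token in HTTP_BASIC.findall(stream):
        decoded = base64.b64decode(token).decode("utf-8", "replace")
        user, _, pw = decoded.partition(":")   # RFC 2617 format is user:password
        found.append(("http-basic", user, pw))
    return found


if __name__ == "__main__":
    for protocol, user, pw in extract_credentials(CAPTURE):
        print(f"{protocol:11} user={user!r} password={pw!r}")
```

Both sessions give up the same credentials, which is the real lesson: a strong, well-guarded password does nothing if the protocol that carries it puts it on the wire for anyone on the segment to read.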


In essence, you need to come up with some sort of plan for password assignment that is easy for you (the administrator) and your users to deal with and also provides some security for the network. Certainly how you assign passwords to your network users will be colored by the number of users and the importance of the resources on the network.

Other options related to user accounts can also help you build some security into the overall login process. Let's take a look at some of these options, such as logon hours and the user's ability to create more than one concurrent connection to the network.

Other User Account Options

As far as security is concerned, there are some additional measures you can take to keep unauthorized folks from accessing your network using your users' accounts. Although each NOS will provide different tools for configuring these options, nearly all the network operating systems provide you with the following options:

  • Logon hours. You can control when a user can log on to the network. For example, you may choose to allow the user access to the network from 9 to 5 on workdays (meaning during those times when you know the person is at work and needs to access the network). Weekend access or late-night access both could be denied. This would keep someone nasty from using the account to break into the network during non-business hours. Note that this restriction governs new logons; whether a user who is already logged on is disconnected when the permitted hours end depends on a separate setting (in Windows, the security policy Network security: Force logoff when logon hours expire). Figure 20.3 shows the Windows 2000 Server Logon Hours dialog box, which is used to set the logon hours for a particular user.

Figure 20.3. You can limit the logon hours for users in a Windows 2000 network in the hopes of making the network more secure during non-working hours.


  • Concurrent connections. A single username and password can often be used to make concurrent (or simultaneous) connections to the network from different client computers. Limiting the number of concurrent connections can help negate the unauthorized use of a user account. If the user is already logged on and you allow only one connection for that account, an attacker cannot use the same account at the same time; and if the attacker got there first, the legitimate user's own logon fails, which is a visible sign that something is wrong. Figure 20.4 shows the Login Restrictions settings in the NetWare Administrator. Note that concurrent connections have been limited to one concurrent connection.

Figure 20.4. You can limit the number of concurrent connections to the NetWare network to minimize the possibility of unauthorized access.


  • Disabling user accounts. Another option available to the network administrator is the ability to disable a user account. Not only is this useful in cases where you think an account is being used to illegally access the network, but it is also useful in cases where a user has left the company and you know that the position will soon be filled by a new employee. Rather than creating an entirely new account, you can disable the account when the employee leaves and later rename it for the new employee, so that the new hire has the same access to network resources as the person who left. This works because permissions are attached to the account rather than to the person (permissions are discussed in the next section). Before you hand the account over, review those permissions and remove any the new employee's job doesn't require, and set a new password so the former employee's password no longer works. If you look back at Figure 20.1, you will see that Windows supplies you with a check box that can be used to quickly disable a user account.

Tip


Microsoft Windows uses the term permission to define the different access levels given to a user for a particular network resource. In the Novell NetWare environment, permissions are known as rights (just different terms for the same resource security strategy).


Other options related to user accounts can be used to help secure your network. For example, you can specify the client computers from which a user is allowed to log on to the network. You might want to allow users to log on only from their own PCs, so that a stolen password is of no use from any other machine, or, if a user works throughout your corporate building, you might want to let him log on from several different computers so he can check email wherever he happens to be.

You can also specify whether particular users can log on to the network through remote connections, such as a dial-up connection using a modem. We discussed remote access and dial-up connections in Chapter 17, "Networking on the Run."
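The account options in this section (disabled flag, logon hours, concurrent-connection limit, permitted workstations, dial-in permission) are evaluated together at every logon attempt. The following Python model is an added example, not the book's code and not how any NOS stores these settings internally: it puts the options on a simple account record and evaluates an attempt against all of them, returning every reason for a refusal rather than just the first. The logon-hours table is a simplified stand-in for the 168-bit weekly bitmap Active Directory actually uses, and the accounts, clients and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


@dataclass
class Account:
    """The per-account restrictions discussed in this section, in simplified form.
    None for a restriction means "no restriction", which is what the dialog boxes default to."""
    name: str
    disabled: bool = False
    # Permitted hours as {weekday: set of hours}. Simplified model: Active Directory
    # stores this as a 168-bit weekly bitmap, but the idea is the same.
    logon_hours: Optional[Dict[str, Set[int]]] = None
    max_sessions: Optional[int] = None          # cap on concurrent connections
    workstations: Optional[Set[str]] = None     # client computers the user may log on from
    dial_in_allowed: bool = False
    active_sessions: Set[str] = field(default_factory=set)  # clients currently logged on


def business_hours(days=("Mon", "Tue", "Wed", "Thu", "Fri"), start=9, end=17):
    """The page's example schedule: 9 to 5 on workdays (the hour `end` itself excluded)."""
    return {day: set(range(start, end)) for day in days}


def evaluate_logon(account: Account, when: datetime, client: str,
                   via_dialin: bool = False) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every restriction is checked, so a refused attempt
    can be logged with all of its reasons rather than only the first one found."""
    reasons = []
    if account.disabled:
        reasons.append("account is disabled")
    if account.logon_hours is not None:
        day = WEEKDAYS[when.weekday()]
        if when.hour not in account.logon_hours.get(day, set()):
            reasons.append(f"logon not permitted at {day} {when.hour:02d}:00")
    if account.workstations is not None and client not in account.workstations:
        reasons.append(f"logon from {client!r} not permitted")
    if via_dialin and not account.dial_in_allowed:
        reasons.append("remote (dial-in) access not permitted")
    if (account.max_sessions is not None
            and client not in account.active_sessions      # same client again is not a new session
            and len(account.active_sessions) >= account.max_sessions):
        reasons.append(f"{len(account.active_sessions)} session(s) already open, limit is {account.max_sessions}")
    return not reasons, reasons


def logon(account: Account, when: datetime, client: str, via_dialin: bool = False):
    """Evaluate an attempt and, if it is allowed, record the new session."""
    allowed, reasons = evaluate_logon(account, when, client, via_dialin)
    if allowed:
        account.active_sessions.add(client)
    return allowed, reasons


if __name__ == "__main__":
    joe = Account("jhabraken", logon_hours=business_hours(), max_sessions=1,
                  workstations={"WS-JOE", "WS-LOBBY"})
    # Constructed attempts: 2003-06-10 is a Tuesday, 2003-06-14 a Saturday.
    print(logon(joe, datetime(2003, 6, 10, 10, 30), "WS-JOE"))       # allowed
    print(logon(joe, datetime(2003, 6, 10, 10, 45), "WS-LOBBY"))     # refused: session limit
    print(logon(joe, datetime(2003, 6, 14, 23, 0), "UNKNOWN-PC"))    # refused: three reasons
```

The third constructed attempt is the one the section is about: a Saturday-night logon from an unknown machine while the user's own session is open trips three independent restrictions, and recording all three gives whoever reviews the logs a far clearer picture than a single "access denied" would.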

How you use these various options to help secure your network should be part of the plan you create when you sit down to figure out how you will assign usernames and passwords. Having some sort of defined plan to work with allows you to be consistent as you build the accounts for your users.



Absolute Beginner's Guide to Networking
ISBN: 0789729113
Year: 2002
Pages: 188
Authors: Joe Habraken
