IOS110
Introduction to Operating Systems using Windows
Session 7
Objectives:
•Microsoft Management Console (MMC)
•User Accounts
•Group Accounts
Microsoft Management Console
MMC
•Tool designed by Microsoft as a unified interface to manage administrative tools and
third-party applications
•Does not contain the tools themselves, just a framework for “snap-ins”
•The snap-ins provide the functionality
•The MMC is designed with the look and feel of Windows Explorer
•You can design your own console and save it as a .msc file – this file can then be
distributed
•Advantages:
 • A common interface saves time and avoids a separate learning curve for each new tool
• Can perform administrative tasks from a single computer
 • Most snap-ins allow for remote access/administration, which saves having to be
physically in front of the machine you are administering
• Can create custom consoles and distribute them to personnel delegated with a
subset of administrative tasks
Console Modes
•The console can run in two modes:
• Author Mode
– Provides total access to all MMC functionality
– This is the default mode for all newly created consoles
• User Mode
– Reduced functionality
– Cannot add or remove snap-in or save changes to the console
•The four console mode settings:
 • Author Mode – full access; permits creation and modification of the console
(including its User Mode settings)
 • User mode, full access – allows navigation between snap-ins, opening new windows,
and access to all parts of the console tree
 • User mode, limited access, multiple windows – allows users to view multiple windows
in the console; cannot open new windows or other portions of the console tree
 • User mode, limited access, single window – permits the user to view only one window
in the console; the user cannot open new windows or gain access to other portions of
the tree
Snap-ins
•Program controls that provide the actual management environment
•All have a similar look-and-feel
•Can be:
• Stand-alone snap-ins
• Extension snap-ins
Stand-alone Snap-ins
•Each manages a particular XP function
•Some written by Microsoft, others written by vendors to Microsoft specifications
Extension Snap-ins
•Provide additional functionality to stand-alone snap-ins
•When adding an extension to a stand-alone, only those extensions that are compatible
with the stand-alone are displayed
•Certain snap-ins can be configured to act as either a stand-alone snap-in or an
extension snap-in (e.g. Event Viewer)
User Accounts
•Three categories:
• Local User Accounts
• Domain User Accounts
• Built-in User Accounts
Local User Accounts
•Required to log on to a WinXP computer that is not part of a domain
•If used to log on to a WinXP computer that is part of a domain, you will have access only
to resources on that computer
•Each computer maintains its own security accounts database, and does not share it
•Computers participating in a Workgroup do not share their accounts databases
•Local accounts cannot be controlled through a domain or its administrators
•Three types:
• Restricted
• Standard
• Computer Administrator
Local User Accounts - Restricted
•Change the picture associated with the user's account
•Set, change or remove user's password
Local User Accounts - Standard
•Same as Restricted, with additional privileges:
•Make changes to basic computer settings such as display properties and power settings
Local User Accounts – Computer Administrator
•Has system-wide privileges:
• Create, modify or delete user accounts
• Perform computer-wide configuration changes
• Install hardware and software
• Gain access to all files on the computer
Domain User Accounts
•Domain user accounts allow access to resources anywhere on a Windows Domain
•The user provides a user ID and password to log on; however, the user ID and password are
stored on a Domain Controller (running Active Directory)
•When authenticated, an Access Token is generated for the user for the duration of their
session
•Access Control Lists (ACLs), made up of Access Control Entries (ACEs), determine the
rights the user has
•A change to the ACL can only be picked up by generating a new Access Token (logoff,
logon)
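To show how the token, ACL and ACE pieces above fit together, here is an added example that is not part of the course material: a small model of the Windows access check. The SIDs, the three-bit access mask and the sample DACL are constructed for the illustration, and the class names are assumptions.

```python
from dataclasses import dataclass

# Access-mask bits, constructed for the example (Windows uses 32-bit masks of the same shape).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class AccessToken:
    """Snapshot of who the user is, built at logon and kept for the session (hence frozen)."""
    user_sid: str
    group_sids: frozenset


@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # trustee (user or group SID) this entry applies to
    mask: int     # rights granted or denied


def access_check(token, dacl, desired):
    """Evaluate a DACL (ordered list of ACEs) against a token the way Windows does:
    ACEs are read in order, only those naming a SID present in the token count, a denied
    ACE overlapping the still-wanted rights ends the check, and allowed ACEs accumulate
    until every desired right is granted. A DACL of None means the object is unprotected;
    an empty DACL grants nothing."""
    if dacl is None:
        return True
    remaining = desired
    holders = token.group_sids | {token.user_sid}
    for ace in dacl:
        if ace.sid not in holders:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


# Constructed sample: jsmith's token carries Domain Users (-513) and an Interns group (-2001).
# The file's DACL denies Interns write (deny ACEs come first, as Windows orders them) and then
# allows Domain Users read and write.
JSMITH = AccessToken("S-1-5-21-EXAMPLE-1105",
                     frozenset({"S-1-5-21-EXAMPLE-513", "S-1-5-21-EXAMPLE-2001"}))
REPORT_DACL = [
    Ace(allow=False, sid="S-1-5-21-EXAMPLE-2001", mask=WRITE),
    Ace(allow=True, sid="S-1-5-21-EXAMPLE-513", mask=READ | WRITE),
]
```

Because the token is an immutable snapshot, a right that depends on something not in it only appears after a new token is generated at the next logon, which is the logoff/logon step the slide describes.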
Built-in User Accounts
•During installation Windows XP creates two accounts automatically:
• Administrator
• Guest
Built-in User Accounts - Administrator
•Scope of control is over the machine it is created on
•Used to:
• create and modify user accounts and user groups
• create printers
• configure hardware and disk volume options
• manage security policies
• assign permissions to users and groups
•Microsoft recommends that a separate account be set up for day-to-day use – similar in
concept to creating a separate Linux account and not using “root” for day-to-day work
•It is a good idea to change its name, since hackers will try “Administrator”
Built-in User Accounts - Guest
•Designed to allow occasional or temporary users to log on to a computer or network and
access a limited set of resources
•If not required – leave it disabled (default setting)
•If required, assign it a password
•Consider renaming it, or at least logging attempts to use the account (evidence of hackers
present)
Naming User Accounts
•A naming convention is a set of rules for creating user IDs, so that they are unique and easy
to remember
•The following are considerations:
• Unique names are required for local accounts or for the domain
• System stores first 20 characters of user name
 • Cannot use restricted characters – the same ones that are restricted in file names:
» “\/[]:;|=,+*?<>@
• Not case sensitive
 • Have a method to resolve duplicates (John Smith and James Smith might both
be JSMITH, so make one JSMITH and the other JSMITH1)
• Some organisations embed the department into the user ID
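The considerations above are easy to get wrong by hand once there are more than a few accounts, so here is an added example (not from the course) that applies them: it validates a proposed user ID against the restricted-character and 20-character rules, builds IDs from first initial plus surname with an optional department prefix, and resolves duplicates case-insensitively with a numeric suffix. The function names are assumptions.

```python
# Characters Windows refuses in a user name (the same set that is illegal in file names).
RESTRICTED_CHARS = set('"\\/[]:;|=,+*?<>@')
MAX_STORED_LEN = 20  # Windows stores only the first 20 characters of the user name


def validate_user_id(user_id):
    """Return the naming-rule violations for a proposed user ID (empty list = acceptable)."""
    problems = []
    if not user_id.strip():
        problems.append("empty name")
    bad = sorted(RESTRICTED_CHARS & set(user_id))
    if bad:
        problems.append("restricted characters: " + "".join(bad))
    if len(user_id) > MAX_STORED_LEN:
        problems.append("longer than %d characters (the rest is not stored)" % MAX_STORED_LEN)
    return problems


def make_user_id(first, last, existing, dept=""):
    """Build a user ID from the first initial and surname (optionally prefixed with a
    department code), drop restricted characters and spaces, truncate to the 20 characters
    Windows keeps, and resolve clashes with a numeric suffix (JSMITH, JSMITH1, JSMITH2...).
    Comparison is case-insensitive because Windows user names are not case sensitive."""
    base = (dept + first[:1] + last).upper()
    base = "".join(ch for ch in base if ch not in RESTRICTED_CHARS and not ch.isspace())
    taken = {name.upper() for name in existing}
    candidate = base[:MAX_STORED_LEN]
    n = 1
    while candidate in taken:
        suffix = str(n)
        # Keep the suffix inside the 20-character limit, otherwise two long IDs would
        # collide again after Windows truncates them.
        candidate = base[:MAX_STORED_LEN - len(suffix)] + suffix
        n += 1
    return candidate
```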
Creating Passwords
•Used in conjunction with a user ID
•Common guidelines:
• Assign a password to the Administrator account
 • Implement a consistent password-changing policy, either:
» assign the password to the user, and do not let them change it
» assign an initial password, and force the user to change it the first time
they log in. Allow them to change the password in the future as well.
This is the recommended policy. There are other controls that will
determine the change frequency and 'strength'
• Select passwords that are difficult to guess – avoid dictionary words, family
names, clichés, profanities, and obvious passwords
• Use a minimum length of eight characters for the password, more is better but
harder to realistically use (WinXP limits passwords to 128 characters)
• Use non-alphabetic characters, as well as mixed case characters
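As an added example (not part of the course material), the guidelines above written as a checker that an administrator could run on a proposed initial password: it enforces the 8-character minimum and the 128-character WinXP limit, mixed case, at least one non-alphabetic character, and rejects passwords containing the user ID or any word from a forbidden-word list. The word list is constructed for the example and the function name is an assumption.

```python
MIN_LEN = 8      # minimum length the guidelines recommend
MAX_LEN = 128    # Windows XP limit on password length


def check_password(password, user_id, forbidden_words):
    """Return the guideline violations for a proposed password (empty list = acceptable).
    forbidden_words is the site's list of dictionary words, family names, cliches and
    well-known obvious passwords; matching is case-insensitive and also catches a listed
    word embedded in a longer password (so 'Summer2004!' still fails on 'summer')."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(password) > MAX_LEN:
        problems.append("longer than the %d-character limit" % MAX_LEN)
    if not (any(ch.isupper() for ch in password) and any(ch.islower() for ch in password)):
        problems.append("no mixed case")
    if all(ch.isalpha() for ch in password):
        problems.append("no non-alphabetic character")
    lowered = password.lower()
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    hits = [w for w in forbidden_words if len(w) >= 4 and w.lower() in lowered]
    if hits:
        problems.append("contains forbidden word(s): " + ", ".join(hits))
    return problems


# Constructed sample word list; a real deployment would load a dictionary plus local names.
SAMPLE_FORBIDDEN = ["password", "summer", "smith", "letmein", "welcome"]
```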
User Profiles
•One of the tabs in User Account Properties
•Used to specify:
• Profile Path
• Logon script name
• Home folder path
•The user profile (stored at the profile path) contains registry entries that define a user's
working environment:
• Application settings
• Desktop settings
• Personal information
• Network settings including mapped drives and other network connections
• Start menu options
•Three types of User profiles:
• Local
• Roaming
• Mandatory
User Profiles – Local User Profile
•WinXP automatically creates a user profile for each user account when the user logs on to a
particular computer for the first time
•A “My Documents” folder is also created
•It is stored on the local computer
•By default a user can make changes to their profile by changing their environment
(creating shortcuts, mapping a network drive)
•When user logs off, Windows saves the changes to the profile
•Profiles can be changed, copied or deleted through Control Panel's Advanced tab
User Profiles – Roaming User Profile
•A user's desktop and other settings remain consistent regardless of which PC they log on
to
•Creating a roaming user profile:
• Create and share a folder on a server that is accessible during logon
• Specify the path to the share in the User's properties dialogue box
• Copy the user's profile to this share
User Profiles – Mandatory User Profile
•Copy the ntuser.dat (the user's profile file) to ntuser.man
•The user can still make changes to their environment, however the changes are not saved
when the user logs off
Home Folders
•A Home Folder or Directory is the default for 'Save As..' and 'Open File...' dialogue boxes
•Can be located on local computer or on a network share
•Use a server-based home folder if:
• Users need access to data from different client PCs
 • Users on the network are using older operating systems, such as Win95 or MS-DOS
• You have centralized administration and backup
• Users log on to the network using Remote Access Service
 • Users are working on computers with minimal local disk space
• Your network can handle the extra traffic that server-based home folders will
generate
Folder Redirection
•Redirect the path of a folder to a new location
•For example, take the “My Documents” folder and redirect it to a network drive
•Regardless of where the user is, the “My Documents” folder behaves as if it were a local
folder on the PC, and contains the files they stored there
•Similar in concept to a Home Folder, however this can be applied on a per-folder basis
•Commonly used in conjunction with Roaming profiles.
Resetting Passwords
•WinXP introduced the Password Reset Disk, which lets users reset their own passwords
•It contains a private/public key pair that the backup process creates
•A file on the PC contains the user's password encrypted under the public key; it is not
associated with the SAM (Security Accounts Manager) database
•Can only be used for local user accounts
•Users must create their own disks – the Administrator cannot create one for them
Deleting a User Account
•Beware of the implications of deleting an account
•When the user is created a unique Security Identifier (SID) is assigned to the account
•The SID is never reused – even if a new account contains the same account information
•There is no way to restore group membership or permission information once the account
has been deleted
Group Accounts
•A collection of user accounts
•Used to streamline the process of managing and administering accounts
•Permissions can be assigned to a group – all users that are members of that group inherit
the permissions, which saves having to assign the permission to each individual user
•A user also inherits a group's permissions when added to that group
•Various levels of group accounts:
• Local group – groups are available only on the local computer
• Universal group – users from all domains. Can be granted permissions to any
resource in the domain forest
• Global group – users from a single domain. Can be granted permissions to any
resources in the domain forest
• Domain local group – contain members from any domain, but can only be
assigned resources in the domain where the account was created.
Local Groups
•Stored on one computer, in its local security database
•Used to assign permissions on that particular computer, and only that computer
•Also true of stand-alone servers in a Workgroup
•Note that:
• you cannot create local groups on a domain controller
• local groups created on Workgroup computers or stand-alone servers can only
contain individual user accounts from the local security database
• Local groups have little to no value in a domain environment – defeats the
purpose of a domain
• Local groups cannot contain other local groups
• Local groups have access only to local resources on that computer
Built-in Local Groups
•Built-in groups are principally involved in administrative tasks
•You can:
• assign users to built-in groups that most closely match their duties
• assign users to a built-in group, and remove users from a built-in group
• add and remove permissions to built-in groups (Administrator group already
has full permissions)
•You cannot:
• delete or rename a built-in group
Administrators Built-in Group
•Has all the rights and permissions of the Administrator account
•Full rights and privileges over files and other resources on a WinXP computer that is not
a domain controller
•If a computer joins a domain, the members of the Domain Admins group are automatically
added to the Administrators group
•Default account type created when you add users through the Control Panel
Power Users Built-in Group
•Has less than complete access to the computer
•Tasks include:
• Installing most applications – cannot install applications that modify system files
or contain a service component
• Installing, managing, sharing and deleting printers
• Sharing directories
• Changing the system clock
• Creating users and local groups, and deleting users and local groups that they
created
•Can run legacy applications that are not certified for Win2K or WinXP (Users cannot run
applications that have not been certified)
•Recommended group membership if you are the only user on the computer – prevents
you from accidentally affecting system files. The Administrator account is still available if
you lock out your Power User account
Users Built-in Group
•All accounts, except Guest and Administrator, have membership in this group
automatically
•Tasks include:
• Run programs, manage files use local and network printers
• Create and manage self-created local groups
• Manage their local user profile
•If the computer joins a domain, the Domain Users global group is automatically added
as a member of the Users local group
Guest Built-in Group
•Limited access to a computer's resources
•Cannot make permanent changes to their desktop environment
•If the computer joins a domain, the Domain Guests global group is automatically added
as a member of the Guests local group
Backup Operators
•Permits users to back up and restore all files and folders on a workstation using Microsoft's
Backup program
Replicator
•Supports replication of data between computers in a domain – e.g. the directory or other
important files and folders
Network Configuration Operators
•Manage and configure networking features, such as IP address assignment
Remote Desktop Users
•Allowed to connect to your computer using the Remote Desktop feature
Help Services Group
•Use 'helper' applications to diagnose system problems
System Group Functions
•You cannot assign system group membership to a user
•You cannot remove permissions from, or assign permissions to a system group
•You cannot rename or delete a system group
•Common System Groups:
 • Everyone – anyone who accesses a WinXP computer
 • Network – users accessing resources over the network
 • Creator Owner – the user who created an object (file, folder)
 • Authenticated Users – has a valid account or has joined a domain
 • Interactive – logged on locally to a WinXP computer
 • Anonymous Logon – any user WinXP is aware of but who has not authenticated
 • Dialup – a user with a dial-up connection