Hack Attacks Testing: How to Conduct Your Own Security Audit

Managing User and Computer Accounts

Microsoft defines Active Directory user and computer accounts as representing physical
entities such as a computer or a person. Accounts provide security credentials for
users or computers, enabling those users and computers to log on to the network and
access domain resources. An account is used to:
■■ Authenticate the identity of the user or computer
■■ Authorize access to domain resources
■■ Audit actions performed using the user or computer account
An Active Directory user account enables a user to log on to computers and domains
with an identity that can be authenticated and authorized for access to domain
resources. Each user who logs on to the network should have his or her own unique
user account and password. User accounts can also be used as service accounts for
some applications.

By default, Windows 2000 provides predefined user accounts, known as Administrator
and Guest accounts, that you can use for logging on to a computer that is running
Windows 2000. Predefined accounts are designed to let users log on to a local computer
and access resources from that computer. As such, these accounts are designed
primarily for initial logon and configuration of a local computer. Each predefined
account has a different combination of rights and permissions. As you might assume,
the Administrator account has the most extensive rights and permissions; the Guest
account, the least.
Though convenient, predefined accounts pose a significant problem: If their rights
and permissions are not modified or disabled by a network administrator, they could
be used by any user or service to log on to a network by using the Administrator or
Guest identity. To enforce user authentication and authorization, you must create an
individual user account, with the Active Directory Users and Computers utility, for
each user who will participate on your network. Each user account (including the
Administrator and Guest accounts) can then be added to Windows 2000 groups to
control the rights and permissions assigned to the account.
Using accounts and groups that are appropriate for your network ensures that users
logging on to a network can be identified and can access only the permitted
resources.
Each Active Directory user account has a number of security-related options that
determine how someone logging on with that particular user account is authenticated
on the network. Several of these options are specific to passwords:
■■ User must change password at next logon.
■■ User cannot change password.
■■ Password never expires.
■■ Password is saved as encrypted clear text.
These options are self-explanatory except for the last one. If you have users logging on
to your Windows 2000 network from Apple computers, you should select this option
for those user accounts.
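The four password options above, and the enabled or disabled state of the predefined accounts discussed earlier, are what an auditor checks first on a domain. They are not stored as separate attributes: "Password never expires" and "Password is saved as encrypted clear text" are bits of the userAccountControl mask, and "User must change password at next logon" is a pwdLastSet of 0. The following is an added example, not code from the book: it decodes those attributes from an export and reports the enabled accounts whose settings deserve a second look. The export text is a constructed sample in the three-column layout that the csvde tool produces; the account names and values are made up, and "reversible encryption" is how the last option is labelled in the directory itself, which is why it is worth flagging (the clear-text password can be recovered by anyone who can read the directory database).

```python
"""Audit Active Directory user password options from a csvde-style export.

Added example for this section, not code from the book. The sample export
below is constructed; the flag values are the documented userAccountControl bits.
"""
import csv
import io

# userAccountControl bits, as documented by Microsoft.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
PASSWD_CANT_CHANGE = 0x0040          # the dialog shows this; it is enforced by an ACE, not by the bit
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080  # "Password is saved as encrypted clear text"
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000       # "Password never expires"

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    PASSWD_CANT_CHANGE: "PASSWD_CANT_CHANGE",
    ENCRYPTED_TEXT_PWD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample export (sAMAccountName,userAccountControl,pwdLastSet).
# 66048 = 0x10200 (normal, never expires); 66082 = 0x10222 (disabled, no password
# required, never expires: the Guest defaults); 640 = 0x280 (reversible encryption).
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl,pwdLastSet
Administrator,66048,126600000000000000
Guest,66082,0
macuser,640,126600000000000000
svc_backup,66048,126600000000000000
jdoe,512,0
"""


def decode_uac(uac):
    """Return the names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def password_options(uac, pwd_last_set):
    """Map the raw attributes back to the option labels shown in the account dialog."""
    opts = []
    if pwd_last_set == 0:
        opts.append("User must change password at next logon")
    if uac & PASSWD_CANT_CHANGE:
        opts.append("User cannot change password")
    if uac & DONT_EXPIRE_PASSWORD:
        opts.append("Password never expires")
    if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
        opts.append("Password is saved as encrypted clear text")
    return opts


def audit(export_text):
    """Return {account: [finding, ...]} for enabled accounts with risky password settings."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["sAMAccountName"]
        uac = int(row["userAccountControl"])
        if uac & ACCOUNTDISABLE:
            continue  # a disabled account cannot log on, so its options are moot
        issues = []
        if name.lower() in ("administrator", "guest"):
            issues.append("predefined account is still enabled; rename, disable or restrict it")
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            issues.append("reversible encryption: clear-text password recoverable from the directory")
        if uac & DONT_EXPIRE_PASSWORD:
            issues.append("password never expires")
        if uac & PASSWD_NOTREQD:
            issues.append("blank password permitted")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit(SAMPLE_EXPORT).items():
        print(account, "->", "; ".join(issues))
```

On a real domain the export would come from `csvde -f users.csv -r "(objectClass=user)" -l sAMAccountName,userAccountControl,pwdLastSet`; the audit logic is the same.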
User and computer accounts are added, disabled, reset, and deleted with the Active
Directory Users and Computers utility. Note the following in regard to these actions:
■■ If you create a new user account with the same name as that of a previously
deleted user account, the new account will not automatically assume the permissions
and memberships of the deleted account, because the security
descriptor for each account is unique.
■■ To duplicate a deleted user account, all permissions and memberships must be
manually re-created.
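The reason a re-created account does not inherit anything is that permissions are granted to the account's security identifier (its objectSid), and every new account receives a fresh relative identifier (RID) within the domain, however familiar its name. The same property is what lets an audit recognise the predefined Administrator (RID 500) and Guest (RID 501) accounts after they have been renamed. The following is an added example, not code from the book: it encodes and decodes objectSid in the binary layout the directory uses, and runs a small simulated domain (the `Domain` class is a model written for this illustration, not a Windows API) to show an access-control entry being orphaned by a delete-and-re-create with the same name. The domain sub-authority values are made up.

```python
"""Key audits on objectSid, not on account name.

Added example for this section, not code from the book. The Domain class is a
simulation of account creation; the SID encoding itself is the real on-disk format.
"""
import struct

# Constructed domain identifier; a real domain has three random sub-authorities after 21.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}


def build_sid(domain_subs, rid):
    """Encode a SID as the directory stores objectSid: revision byte, sub-authority
    count, 6-byte big-endian identifier authority (5 = NT), little-endian sub-authorities."""
    subs = (*domain_subs, rid)
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def parse_sid(blob):
    """Decode a binary objectSid into the familiar S-1-5-21-... string."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def rid_of(blob):
    """The last sub-authority is the RID, which is never reused within a domain."""
    return struct.unpack_from("<I", blob, 8 + 4 * (blob[1] - 1))[0]


class Domain:
    """Minimal model of a domain: names may repeat over time, RIDs never do."""

    def __init__(self):
        self.next_rid = 1100
        self.accounts = {}  # sAMAccountName -> objectSid bytes
        self.acl = set()    # (objectSid, resource) pairs granting access

    def create_user(self, name):
        sid = build_sid(DOMAIN, self.next_rid)
        self.next_rid += 1
        self.accounts[name] = sid
        return sid

    def delete_user(self, name):
        del self.accounts[name]  # ACL entries stay behind, pointing at a SID nobody holds

    def grant(self, name, resource):
        self.acl.add((self.accounts[name], resource))

    def has_access(self, name, resource):
        return (self.accounts[name], resource) in self.acl

    def orphaned_aces(self):
        """Entries whose SID no longer resolves; a same-name re-creation leaves these."""
        live = set(self.accounts.values())
        return sorted(parse_sid(s) + " on " + r for s, r in self.acl if s not in live)


def predefined_accounts(accounts):
    """Identify the predefined accounts by RID, whatever they have been renamed to."""
    return {name: WELL_KNOWN_RIDS[rid_of(sid)]
            for name, sid in accounts.items() if rid_of(sid) in WELL_KNOWN_RIDS}


def demo():
    d = Domain()
    d.accounts["sysop"] = build_sid(DOMAIN, 500)   # the built-in Administrator, renamed
    d.create_user("Administrator")                 # an ordinary account wearing the name
    old = d.create_user("jdoe")
    d.grant("jdoe", r"\\files\payroll")
    d.delete_user("jdoe")
    new = d.create_user("jdoe")                    # same name, fresh RID
    return {
        "old_sid": parse_sid(old),
        "new_sid": parse_sid(new),
        "same_permissions": d.has_access("jdoe", r"\\files\payroll"),
        "orphaned": d.orphaned_aces(),
        "predefined": predefined_accounts(d.accounts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Orphaned entries of this kind show up in a Windows ACL editor as an unresolved SID rather than a name; an audit that matches on account name alone would miss both them and the renamed built-in account.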
To add a user account by using the Active Directory admin utility, follow these steps:
Step 1. In the Console Tree, double-click the domain node. In the details panel,
right-click the organizational unit where you want to add the user, point to
New, and click User (see Figure 1.15).
■■ In First name, type the user’s first name.
■■ In Initials, type the user’s initials.
■■ In Last name, type the user’s last name.
■■ Modify Full name as desired.
■■ In User logon name, type the name with which the user will log on, and
from the drop-down list, click the user principal name (UPN) suffix that
must be appended to the user logon name (following the @ symbol). If the
user will use a different name with which to log on from computers running
Windows NT, Windows XP (which adds fast user switching), Windows Millennium,
Windows 98, or Windows 95, change the user logon name as it
appears in User logon name (pre-Windows 2000) to the different name.
■■ In Password and Confirm password, type the user’s password.
■■ Select the appropriate password options.

Figure 1.15 Adding a user account.

Figure 1.16 Editing a user account.
Step 2. After creating the user account, right-click the new user and click Properties
to edit the user account and/or enter additional user account information,
as shown in Figure 1.16. You can edit general user information, group memberships,
dial-in access, terminal server access, and session settings.
Rather than deleting an unused user account, you can disable it as a security measure
to prevent a particular user from logging on. Disabled accounts can also serve a
useful purpose. Disabled user accounts with common group memberships can be used
as account templates to simplify user account creation. Therefore, instead of manually
creating the exact same type of account for, say, 20 new users, an account template can
be copied, renamed, and activated for each. Doing so could save a great deal of administrative
time.
To disable/enable a user account by using the Active Directory admin utility, follow
these steps:
Step 1. In the Console Tree, double-click the domain node to expand the domain
tree.
Step 2. In the Console Tree, click Users or click the folder that contains the
desired user account.
Step 3. In the details panel, right-click on the user and click Disable or Enable
Account (see Figure 1.17).

Figure 1.17 Enabling/disabling a user account.
