Chapter 17
Administering Windows Server 2008: The Basics
Networking: A Beginner’s Guide
Installing and setting up Windows Server 2008 is only the tip of the iceberg. Far more important and time-consuming is the process of administering the server. This process includes regular and common duties such as adding new users, deleting old users, assigning permissions to users, performing backups, and so forth. These topics are covered in this chapter. Good administration habits will ensure that the network and the server remain productive and secure.
Thinking About Network Security
Before delving into the administrative activities discussed in this chapter, you should spend some time thinking about network security and how it relates to your specific company. Administering a server must be predicated on maintaining appropriate security for your network.
The key here is to remember that every network has an appropriate level of security. The security requirements for a Department of Defense (DoD) contractor that designs military equipment will be different from the security requirements for a company that operates restaurants.
Many beginning network administrators think they need to set up their networks to follow the strongest security measures available. The problem with this approach is that these measures almost always reduce the productivity of people using the network. You need to strike a balance between productivity and security in accordance with the needs of your company.
For example, Windows Server 2008 enables you to set various security policies that apply to users. These include forcing password changes at specified intervals, requiring that passwords be a certain minimum length, disallowing reuse of old passwords, and so on. For example, you could set up policies to require passwords that are at least 20 characters long and that must be changed weekly. In theory, these settings should be more secure than shorter, less-frequently changed passwords. A 20-character password is virtually impossible to crack using standard methods, and weekly password changes reduce the chance that someone else will discover a user’s password and be free to use it for an extended period of time.
One problem with such strict policies is that users may resort to writing down their passwords so they can remember them from week to week. A written password is far less secure than one that is remembered, because someone else can find the written password and bypass security easily after doing so. Another problem is that users might frequently forget their passwords, which will lead to them being locked out of the system for periods of time. This means they will require a lot of help from the network administrator (you!) to clear up these problems each time they occur. For a DoD contractor, these trade-offs might be worthwhile. For the restaurant operator, however, they would be inappropriate and would end up hurting the company more than they help.
The primary reason you should pay attention to this subject before learning about administration is that you should determine the appropriate network security early, so that you can allow for it as you administer the network on a daily basis. Network security doesn’t need to take up much of your time, provided you set up your administrative procedures so they presuppose the level of security you require. For example, if you know what your password policies will be on the network, it takes only a few seconds to ensure that new users have those policies set for their account. If you know that you maintain a paper-based log of changes to security groups in the network, then it takes only a second to follow this procedure as you change group membership occasionally. Failing to determine these security practices and policies early on will result in needing to undertake much larger projects as part of a security review or audit. Security is an area where you’re much better off doing things right the first time!
Working with User Accounts
For anyone—including the administrator—to gain access to a server running Windows Server 2008, the user must have an account established on the server or in the domain. (A domain is essentially a collection of security information shared among Windows servers.) The account defines the user name (the name by which the user is known to the system) and the user’s password, along with a host of other information specific to each user. Creating, maintaining, and deleting user accounts is easy with Windows Server 2008.
NOTE Every account created for a Windows Server 2008 domain is assigned a special number, called a security ID (SID). The server actually recognizes the user by this number. SIDs are said to be “unique across space and time.” This means that no two users will ever have the same SID, even if they have the same user name and even the same password. This is because the SID is made up of a unique number assigned to the domain and then a sequential number assigned to each created account (with billions of unique user-specific numbers available). If you have a user called Frank, delete that account, and then create another account called Frank, the accounts will have different SIDs. This ensures that no user account will accidentally receive permissions originally assigned to another user of the same name.
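The behaviour in the NOTE can be modelled in a few lines. The following Python sketch is an added example, not part of the original chapter: the Domain class, the starting number 1000, the SID values, and the names split_sid and can_access are all assumptions made for illustration.

```python
# Added illustration of the NOTE above. All SID values are constructed samples.

class Domain:
    """Toy account database: one domain number, sequential never-reused account numbers."""

    def __init__(self, domain_sid, first_rid=1000):   # first_rid is an assumption
        self.domain_sid = domain_sid      # unique number assigned to the domain
        self._next_rid = first_rid        # sequential number for the next account
        self.accounts = {}                # user name -> SID

    def create_user(self, name):
        if name in self.accounts:
            raise ValueError("user name already in use: " + name)
        sid = "%s-%d" % (self.domain_sid, self._next_rid)
        self._next_rid += 1               # a number is never handed out twice
        self.accounts[name] = sid
        return sid

    def delete_user(self, name):
        del self.accounts[name]           # the counter does not go back


def split_sid(sid):
    """Split an account SID string into (domain part, per-account number)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def can_access(acl, domain, name):
    """Permissions are looked up by the account's SID, not by its name."""
    return domain.accounts.get(name) in acl


def demo():
    dom = Domain("S-1-5-21-1111111111-2222222222-3333333333")  # constructed
    old_frank = dom.create_user("Frank")
    acl = {old_frank}                     # a resource that grants the first Frank
    before = can_access(acl, dom, "Frank")
    dom.delete_user("Frank")
    new_frank = dom.create_user("Frank")  # same name, new account
    after = can_access(acl, dom, "Frank")
    return old_frank, new_frank, before, after


if __name__ == "__main__":
    print(demo())
```

The second Frank gets a new SID, so the permission entry that still names the first Frank's SID no longer matches anyone.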
To maintain user accounts, you use the Active Directory Users and Computers console. You can open this console by clicking the Start menu, choosing Programs, and then selecting Administrative Tools. To accomplish activities in the console, you first select either a container in the left pane or an object in the right pane, and then either right-click the container or object or open the Action pull-down menu and choose from the available options. Because the available options change based on the selected container or object, first selecting an object with which to work is important.
Adding a User
To add a user with the Active Directory Users and Computers console, start by selecting the Users container in the left pane (with the tree open to the domain you are administering), as shown in Figure 17-1. Then right-click the Users container, choose New from the pop-up menu, and choose User from the submenu. You see the New Object – User dialog box, as shown in Figure 17-2. Fill in the First Name, Last Name, and User Logon Name fields. Then click the Next button to move to the next dialog box.
TIP You should establish standards by which you assign logon names on your network. Small networks (those with fewer than 50 users) often just use people’s first names, followed by the first initial of their last names when conflicts arise. A more commonly used convention is to use the user’s last name followed by the first initial of their first name. This latter standard allows far more combinations before conflicts arise, and you can then resolve any conflicts that arise by adding the person’s middle initial, a number, or some other change so that all user names at any given time on the system are unique.
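The last-name-plus-first-initial convention from the TIP, with its conflict rules applied in a fixed order, can be written down as follows. This Python sketch is an added example, not part of the original chapter: the function names, the restriction to ASCII letters, the choice to start numbering at 2, and the roster are assumptions.

```python
import re

# Added illustration of the naming standard in the TIP above.

def _letters(text):
    """Lower-case and keep ASCII letters only (an assumption of this sketch)."""
    return re.sub(r"[^a-z]", "", text.lower())


def logon_name(first, last, taken, middle=""):
    """Last name + first initial; on conflict add middle initial, then a number."""
    taken = {name.lower() for name in taken}   # Windows logon names ignore case
    base = _letters(last) + _letters(first)[:1]
    if not base:
        raise ValueError("need at least a first or last name")
    if base not in taken:
        return base
    mid = _letters(middle)[:1]
    if mid and base + mid not in taken:
        return base + mid
    n = 2                                      # numbering from 2 is an assumption
    while base + str(n) in taken:
        n += 1
    return base + str(n)


def assign_all(people, existing=()):
    """Assign names to (first, middle, last) tuples in order; returns a list."""
    taken = set(existing)
    result = []
    for first, middle, last in people:
        name = logon_name(first, last, taken, middle)
        taken.add(name)                        # keep every assigned name unique
        result.append(name)
    return result


ROSTER = [  # constructed sample staff list
    ("Frank", "", "Miller"),
    ("Fiona", "Jane", "Miller"),
    ("Felix", "", "Miller"),
    ("Faye", "Jo", "Miller"),
    ("Ann", "", "O'Brien"),
]

if __name__ == "__main__":
    for person, name in zip(ROSTER, assign_all(ROSTER)):
        print(person, "->", name)
```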
Figure 17-1. The Active Directory Users and Computers console allows you to manage user accounts