Windows 2000 Server PART 4 pps

63 pages, 8.8 MB

Adding Active Directory Organization Information

The Organization tab, shown in Figure 4.20, allows you to provide information about the user’s role in your organization. You can enter the user’s title, department, company, and manager. You can also specify to whom the user directly reports.

Figure 4.20 The Organization tab of the Active Directory user Properties dialog box

Managing Active Directory User Group Membership

The Member Of tab displays the groups that the user belongs to, as shown in Figure 4.21. You can add the user to an existing group by clicking the Add button. To remove the user from a group listed on this tab, highlight the group and click the Remove button.

Figure 4.21 The Member Of tab of the Active Directory user Properties dialog box

Configuring Dial-in Properties

Through the Dial-in tab, shown in Figure 4.22, you configure the user’s remote-access permissions for dial-in or VPN connections. Remote-access permissions are covered in Chapter 13.

Figure 4.22 The Dial-in tab of the Active Directory user Properties dialog box

Configuring Terminal Services Properties

Four of the tabs in the Active Directory user Properties dialog box contain properties that relate to Terminal Services: Environment, Sessions, Remote Control, and Terminal Services Profile. Terminal Services is covered in Chapter 12, “Administering Terminal Services.”

Working with Local and Active Directory Group Accounts

Groups are an important part of network management. Efficient administrators are able to accomplish the majority of their management tasks through the use of groups; they rarely assign permissions to individual users.

As explained earlier in the chapter, a Windows 2000 member server can have local groups. A Windows 2000 domain controller in the Active Directory can have security groups and distribution groups, and the groups can be assigned a scope of domain local, global, or universal.

Managing Local Groups

To set up and manage local groups, you use the Local Users and Groups utility. With Local Users and Groups, you can create, assign members to, rename, and delete groups.

Creating New Local Groups

If possible, you should add users to the built-in local groups rather than creating new groups from scratch. This makes your job easier, because the built-in groups already have the appropriate permissions. All you need to do is add the users you want to be members of the group.

When you create a local group, you should use the following guidelines:

• The group name should be descriptive (for example, Accounting Data Users).

• The group name must be unique to the computer, different from all of the other group names and usernames that exist on that computer.

• Group names can be up to 256 characters. It is best to use alphanumeric characters for ease of administration. The backslash (\) character is not allowed.

As when you choose usernames, you should consider your naming conventions when assigning names to groups.

Creating groups is similar to creating users, and it is a fairly easy process. After you’ve added the Local Users and Groups snap-in to the MMC, you expand it to see the Users and Groups folders. Right-click the Groups folder and select New Group from the pop-up menu. This brings up the New Group dialog box, as shown in Figure 4.23.

Figure 4.23 The New Group dialog box

The only required entry in the New Group dialog box is the group name. Optionally, you can enter a description for the group and add (or remove) group members. When you’re ready to create the new group, click the Create button.

In Exercise 4.11, you will create two new local groups. This exercise assumes that you have completed all of the exercises in the chapter. This exercise should be completed from your member server.

Exercise 4.11

Creating Local Groups

1. Open the MMC and expand the Local Users and Groups snap-in.

2. Right-click the Groups folder and select New Group.

3. In the New Group dialog box, type Data Users in the Group Name text box. Click the Create button.

4. In the New Group dialog box, type Application Users in the Group Name text box. Click the Create button. Click the Close button.

Managing Local Group Properties

After you’ve created a group, you can add members to it. A user can belong to multiple groups.

You can easily add and remove users through the group Properties dialog box, shown in Figure 4.24. To access this dialog box, from the Groups folder in the Local Users and Groups utility, double-click the group you want to manage.

Figure 4.24 The local group Properties dialog box

From the group Properties dialog box, you can change the group’s description and add or remove group members. When you click the Add button to add members, the Select Users or Groups dialog box appears, as shown in Figure 4.25. In this dialog box, you select the user accounts you wish to add and click the Add button. Click the OK button to add the users to the group.

Figure 4.25 The Select Users or Groups dialog box

To remove a member from the group, select the member in the group Properties dialog box Members list and click the Remove button.

You can select multiple contiguous users to add to or remove from a group by Shift+clicking the first and last ones. To select multiple noncontiguous users, Ctrl+click each one.

In Exercise 4.12, you will create new user accounts and then add these users to one of the groups you created in Exercise 4.11. This exercise should be completed from your member server.

Exercise 4.12

Adding Users to Local Groups

1. Open the MMC and expand the Local Users and Groups snap-in.

2. Create four new users: Bent, Claire, Patrick, and Trina. Deselect the User Must Change Password at Next Logon option for each user.

3. Expand the Groups folder.

4. Double-click the Data Users group (created in Exercise 4.11).

5. In the group Properties dialog box, click the Add button.

6. In the Select Users or Groups dialog box, select Bent, Claire, Patrick, and Trina (hold down the Ctrl key as you click each member).

7. Click the Add button. Then click the OK button.

8. In the group Properties dialog box, you will see that the users have all been added to the group. Click OK to close the group Properties dialog box.

Renaming Groups

Windows 2000 provides an easy-to-use mechanism for changing a group’s name (a capability that was never offered in any version of Windows NT). For example, you might want to rename a group because its current name does not conform to existing naming conventions.

As when you rename a user account, a renamed group keeps all of its properties, including its members and permissions.

To rename a group, right-click the group and choose the Rename option.

In Exercise 4.13, you will rename one of the groups you created in Exercise 4.11. This exercise should be completed from your member server.

Exercise 4.13

Renaming a Local Group

1. Open the MMC and expand the Local Users and Groups snap-in.

2. Expand the Groups folder.

3. Right-click the Application Users group (created in Exercise 4.11) and select Rename.

4. Rename the group to App Users and press Enter.

Deleting Groups

If you are sure that you will never want to use a group again, you can delete it. Once a group is deleted, you lose all permissions assignments that have been specified for the group.

To delete a group, right-click the group and choose Delete from the pop-up menu. You will see the dialog box shown in Figure 4.26, which warns you that once a group is deleted, it cannot be restored. Click the Yes button to delete the group.

If you delete a group and give another group the same name, it won’t be created with the same properties as the deleted group.

Figure 4.26 Confirming group deletion
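The rules stated in the naming guidelines and in the Renaming Groups and Deleting Groups sections (a group name must be unique among the computer’s users and groups, may be up to 256 characters and may not contain a backslash; a renamed group keeps its members and permissions; a deleted group takes its permission assignments with it, and a new group given the same name does not get them back) can be seen in a small model. The following Python is an added example written for this page, not code from the book, from Windows or from the Local Users and Groups utility. The LocalAccounts class, its rid numbers and the resource paths are constructed stand-ins; the rid plays the part of the security identifier that Windows itself attaches permissions to, which is why recreating a group under the old name restores nothing.

```python
"""Toy model of a member server's local group database (constructed example)."""
import itertools
from dataclasses import dataclass, field

MAX_GROUP_NAME_LEN = 256   # limit given in the chapter's naming guidelines


class LocalAccountsError(ValueError):
    """Raised when an operation violates one of the chapter's rules."""


@dataclass
class Group:
    rid: int                 # stand-in for the group's SID; every new group gets a fresh one
    name: str
    description: str = ""
    members: set = field(default_factory=set)


class LocalAccounts:
    """Constructed stand-in for the Local Users and Groups database of one computer."""

    def __init__(self, users):
        self.users = set(users)
        self.groups = {}          # rid -> Group
        self.permissions = {}     # (resource, rid) -> access; keyed by rid, never by name
        self._rids = itertools.count(1000)

    # Naming rules from "Creating New Local Groups".
    def _check_syntax(self, name):
        if not name or len(name) > MAX_GROUP_NAME_LEN:
            raise LocalAccountsError("group name must be 1 to 256 characters")
        if "\\" in name:
            raise LocalAccountsError("the backslash character is not allowed")

    def _check_unique(self, name):
        taken = {u.lower() for u in self.users} | {g.name.lower() for g in self.groups.values()}
        if name.lower() in taken:
            raise LocalAccountsError(f"{name!r} is already a user or group name on this computer")

    def find(self, name):
        for g in self.groups.values():
            if g.name.lower() == name.lower():
                return g
        raise LocalAccountsError(f"no group named {name!r}")

    def create_group(self, name, description="", members=()):
        self._check_syntax(name)
        self._check_unique(name)
        unknown = set(members) - self.users
        if unknown:
            raise LocalAccountsError(f"unknown users: {sorted(unknown)}")
        g = Group(next(self._rids), name, description, set(members))
        self.groups[g.rid] = g
        return g.rid

    def add_members(self, name, users):
        unknown = set(users) - self.users
        if unknown:
            raise LocalAccountsError(f"unknown users: {sorted(unknown)}")
        self.find(name).members.update(users)

    def remove_member(self, name, user):
        self.find(name).members.discard(user)

    def grant(self, resource, group_name, access):
        """Assign a permission to a group; the entry references the rid, not the name."""
        self.permissions[(resource, self.find(group_name).rid)] = access

    def rename_group(self, old, new):
        g = self.find(old)
        self._check_syntax(new)
        if new.lower() != g.name.lower():   # a case-only change is not a collision with itself
            self._check_unique(new)
        g.name = new                        # rid, members and permissions are untouched
        return g.rid

    def delete_group(self, name):
        g = self.find(name)
        del self.groups[g.rid]
        # Every permission assignment that pointed at the deleted rid is lost with it.
        self.permissions = {k: v for k, v in self.permissions.items() if k[1] != g.rid}

    def effective_access(self, resource, user):
        """Access a user gets on a resource through current group membership."""
        return {access for (res, rid), access in self.permissions.items()
                if res == resource and user in self.groups[rid].members}
```

Because rename_group returns the same rid, every permission granted before the rename still applies afterwards; delete_group followed by create_group with the identical name yields a different rid, so effective_access for the old resource comes back empty until permissions are assigned again.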

In Exercise 4.14, you will delete one of the groups that you created in Exercise 4.11 and renamed in Exercise 4.13. This exercise should be completed from your member server.

Exercise 4.14

Deleting a Local Group

1. Open the MMC and expand the Local Users and Groups snap-in.

2. Expand the Groups folder.

3. Right-click the App Users group and choose Delete.

4. In the dialog box that appears, click Yes to confirm that you want to delete the group.

Managing Active Directory Groups

You create and manage Active Directory groups through the Active Directory Users and Computers utility. When you create a new Active Directory group, you specify its scope and type, which were discussed in the “An Overview of Groups” section earlier in this chapter.

Creating New Active Directory Groups

To create a group on a domain controller, take the following steps:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers to open the Active Directory Users and Computers utility.

2. Right-click the Users folder, select New from the pop-up menu, and then select Group.

3. The New Object - Group dialog box appears, as shown in Figure 4.27. Type in the group name for Windows 2000. The pre-Windows 2000 group name will be filled in automatically, but you can change it if desired.

Figure 4.27 The New Object - Group dialog box

4. In the Group Scope section, select the scope for the group:

• Choose the Domain Local option if you want to use the group to assign permissions to resources.

• Choose the Global option if you want to use this group for users who require similar network access.

• Choose the Universal option if you want to assign permissions related to resources in multiple domains.

5. In the Group Type section, select the type of group that you want to create:

• Choose the Security option if this group is for users who need access to specific resources.

• Choose the Distribution option if this group is for users who have common characteristics (for example, users who you may need to receive the same e-mail messages).

6. Click OK to close the dialog box and create the new group.

Managing Active Directory Group Properties

You can manage an Active Directory group through the group Properties dialog box, shown in Figure 4.28. To access this dialog box, right-click the group in the Active Directory Users and Computers utility and select Properties from the pop-up menu.

Figure 4.28 The Active Directory group Properties dialog box

This dialog box has four tabs with options for managing the group:

• The General tab (see Figure 4.28) allows you to view and change the pre–Windows 2000 group name, description, and e-mail address. You can view the group scope and type, but you can’t change these entries. You can also add notes for the group.

• The Members tab, shown in Figure 4.29, allows you to view and change group membership.

Figure 4.29 The Members tab of the Active Directory group Properties dialog box

• The Member Of tab, shown in Figure 4.30, allows you to view, add groups to, or remove groups from other groups, if the group type allows group nesting (one group contained within another group).

Figure 4.30 The Member Of tab of the Active Directory group Properties dialog box

• The Managed By tab, shown in Figure 4.31, allows you to view and change the user who manages the group.

Figure 4.31 The Managed By tab of the Active Directory group Properties dialog box

In Exercise 4.15, you will create and manage an Active Directory group. This exercise assumes that you have completed the other exercises in this chapter. This exercise should be completed from your domain controller.

Exercise 4.15

Creating and Managing an Active Directory Group

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

2. In the Active Directory Users and Computers utility, right-click the Users folder, select New, and then select Group.

5. In the Test Group Properties dialog box, click the Members tab and then click the Add button. Select user Ginnie B Donald and click the Add button. Click the OK button. In the Test Group Properties dialog box, click the OK button.

6. Close the Active Directory Users and Computers utility.

In this chapter, you learned about user and group management features in Windows 2000 Server. We covered the following topics:

• An overview of local and Active Directory user and group accounts, including the built-in user and group accounts

• How to use the Local Users and Groups utility to create and manage local user accounts

• How to use the Active Directory Users and Computers utility to create and manage Active Directory user accounts

• How to create and manage local group accounts with the Local Users and Groups utility and Active Directory group accounts with the Active Directory Users and Computers utility

IUSR_computername

IWAM_computername

Krbtgt

local group

local user

Local Users and Groups

logon script

security group

TSInternetUser

universal group

user profile

C. Windows 2000 member servers

D. Windows 2000 domain controllers

2. Which utility is used to create user accounts that are stored on Windows 2000 domain controllers?

A. Domain Users and Groups

B. Active Directory Users and Groups

C. Domain Users and Computers

D. Active Directory Users and Computers

3. Which of the following statements regarding local user accounts is not true?

A. User account names are case-sensitive

B. User passwords are case-sensitive

C. A user account name can be up to 20 characters in length

D. A username cannot contain a = or : character

4. You have just created a local user on a Windows 2000 member server. You want to specify that the user account can only log on during specified hours. Which user Properties dialog box tab should you use to configure logon hours?

A. The General tab

B. The Account tab

C. The Profile tab

D. You cannot restrict logon hours for a local user account


5. You have just created an Active Directory user on a Windows 2000 domain controller. You want to specify that the user account can only log on during specified hours. Which user Properties dialog box tab should you use to configure logon hours?

A. The General tab

B. The Account tab

C. The Profile tab

D. You cannot restrict logon hours for an Active Directory user account

6. Which folder is used to store user profiles by default?

A. Boot partition:\WINNT\User Profiles

B. Boot partition:\User Profiles

C. Boot partition:\WINNT\Documents and Settings

D. Boot partition:\Documents and Settings

7. Which one of the following options is not a valid group scope for Windows 2000 domain controllers?


9. Which Windows 2000 built-in account is used by Terminal Services?

D. Whom the group is managed by

11. Which default user account is used by the ILS service?


13. Which of the following options would be stored within a user profile? Choose all that apply.

A. The mouse driver that the user will use

B. The mouse pointer that the user will use

C. The keyboard layout that the user will use

D. The screen saver that the user will use

14. You want to allow Scott to back up and restore the file system, but you do not want him to be able to access the file system. To which of the following groups should you assign Scott?

A. Server Operators

B. Backup Operators

C. Administrators

D. Replicator

15. Which of the following rights are not granted to members of the Power Users group on Windows 2000 member servers?

A. Create any users and groups

B. Delete any users and groups

C. Create network shares

D. Create network printers

16. Which of the following groups has the highest level of permissions within the Active Directory?


17. Which of the following utilities can an administrator use on a Windows 2000 member server to change a user’s password?

A. Password Manager

B. Password Administrator

C. The Setpass utility

D. Local Users and Groups

18. When you initially create a user with Local Users and Groups on a Windows 2000 member server, what is the maximum password length that can be assigned?

A. General

B. Account

C. Logon Hours

D. Profile

20. Which default group is created on Windows 2000 domain controllers to allow members to administer domain controllers, but does not allow members to administer user and group accounts?

A. Domain Operators

B. Server Operators

C. Account Operators

D. Administrators


Answers to Review Questions

1. B, C. Windows 2000 Professional computers and Windows 2000 member servers are able to store local user accounts.

2. D. On Windows 2000 domain controllers, you use the Active Directory Users and Computers utility to create Active Directory users and groups.

3. A. User account names are not case-sensitive. Passwords are case-sensitive.

4. D. There is no option to restrict logon hours for local user accounts.

5. B. If you create an Active Directory account, you can limit logon hours by clicking the Logon Hours button in the Account tab of the user Properties dialog box.

6. D. When a user logs on for the first time, a user profile folder is automatically created in the boot partition:\Documents and Settings folder.

7. C. Group scope can be domain local, global, or universal. Group types can be security or distribution.

8. D. The Krbtgt user is created by default on Windows 2000 domain controllers to be used by the Key Distribution Center service.

9. A. The TSInternetUser user is created by default on Windows 2000 domain controllers to be used by Terminal Services.

10. D. Logon hours, logon computers, and logon scripts can be managed only on a per-user basis. You can configure who a group is managed by for an Active Directory group.

11. A. The ILS_Anonymous_User account is used to support the ILS service. ILS supports telephony applications that use features such as caller ID, video conferencing, conference calling, and faxing. In order to use ILS, Internet Information Services (IIS) and Site Server must be installed.

13. B, C, D. User profiles generally contain user preference items, which include mouse pointers, keyboard layout, and screen saver settings. User profiles do not contain computer configuration settings such as mouse drivers.

14. B. The members of the Backup Operators group have rights to back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to the file system. However, the members of Backup Operators can only access the file system through the Backup utility. To be able to directly access the file system, they must have explicit permissions assigned. By default, there are no members of the Backup Operators local group.

15. B. Members of the Power Users group can create users and groups; however, they can only manage or delete the users and groups that they have created.

16. C. The Enterprise Admins group has complete administrative rights over the enterprise. This group has the highest level of permissions of all groups.

17. D. To set up and manage local users, you use the Local Users and Groups utility. With Local Users and Groups, you can create, delete, and rename user accounts, as well as change passwords.

18. B. Windows 2000 passwords can be a maximum of 14 characters and are case-sensitive.

19. B. The Account tab of the user Properties dialog box in Active Directory Users and Computers allows you to configure options such as logon hours, logon computers, and other account options.

20. B. Members of the Server Operators group have special permissions to administer domain controllers.


• Implement, configure, manage, and troubleshoot auditing

• Implement, configure, manage, and troubleshoot Account Policy

• Implement, configure, manage, and troubleshoot security by using the Security Configuration Tool Set


With Windows 2000 Server, you can manage security at the local level or at the domain level. At the domain level, you manage domain security policies. At the local level, you manage local security policies. Security settings are configured through Group Policy. Account policies are used to control the logon process, such as password and account lockout configurations. Local policies are used to define security policies for the computer, such as auditing, user rights, and security options.

In Windows NT 4, you were able to control users’ Desktops through system policies. This functionality is included in Windows 2000 for backward compatibility, but it is recommended that you use group policies instead of system policies to manage these options.

The Security and Analysis Configuration tool is a new Windows 2000 Server utility that you can use to analyze your security configuration. Using a security template, this utility compares your actual security configuration to your desired configuration.

In this chapter, you will learn how to manage security in a Windows 2000 Server environment. You will first install an MMC console to manage security settings, and then learn how to configure account policies, local policies, and security policies. The final section of this chapter describes how to use the Security Analysis and Configuration utility to analyze your security configuration.

Managing Security Settings

Windows 2000 Server allows you to manage security settings at the local level, for a particular computer, or on a domain-wide level. Any domain security policies you define override the local policies of a computer. You manage policies with Group Policy and the appropriate object:


• To manage domain policies, you use Group Policy with the Domain Controllers Group Policy object.

To facilitate your policy management tasks, you can add the Local Computer Policy and Domain Controller Security Policy snap-ins to the Microsoft Management Console (MMC). You can also access the account policies and local policies by selecting Start > Programs > Administrative Tools > Domain Security Policy or Local Security Policy.

In Exercise 5.1, you will add the Group Policy and Event Viewer snap-ins on your member server.

All of the exercises in this chapter, except Exercise 5.7, should be completed from the member server.

Exercise 5.1

Creating a Management Console for Security Settings

1. Select Start > Run, type MMC in the Run dialog box, and click the OK button to open the MMC.

2. From the main menu, select Console > Add/Remove Snap-in.

3. In the Add/Remove Snap-in dialog box, click the Add button.

4. Highlight the Group Policy option and click the Add button.

5. The Group Policy object specifies Local Computer by default. Click the Finish button.

6. In the Add/Remove Snap-in dialog box, click the OK button.

7. From the main menu, select Console > Add/Remove Snap-in.

8. In the Add/Remove Snap-in dialog box, click the Add button.

9. Highlight the Event Viewer option and click the Add button.

10. The Select Computer dialog box appears with Local Computer selected by default. Click the Finish button. Then click the Close button.

12. Select Console > Save As. Save the console as Security in the Administrative Tools folder (which is the default location) and click the Save button.

You can now access this console by selecting Start > Programs > Administrative Tools > Security.

224 Chapter 5  Managing Security

Using Account Policies

Account policies are used to specify the user account properties that relate to the logon process. They allow you to configure computer security settings for passwords, account lockout specifications, and Kerberos authentication within a domain.

After you have loaded the MMC snap-in for Group Policy, you will see an option for Local Computer Policy. To access the Account Policies folders, expand Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and Account Policies. Figure 5.1 shows the Account Policies folders.

Figure 5.1 Accessing the Account Policies folders

If you are on a Windows 2000 member server, you will see two folders: Password Policy and Account Lockout Policy. If you are on a Windows 2000 Server computer that is configured as a domain controller, you will see three folders: Password Policy, Account Lockout Policy, and Kerberos Policy. The account policies available for member servers and domain controllers are described in the following sections.

Setting Password Policies

Password policies ensure that security requirements are enforced on the computer.

It is important to note that the password policy is set on a per-computer basis; it cannot be configured for specific users.

Figure 5.2 shows the password policies that are defined on Windows 2000 member servers, which are described in Table 5.1. On Windows 2000 domain controllers, all of these policies are configured as “not defined.”

Figure 5.2 The password policies

Table 5.1 Password Policy Options

Policy | Description | Default | Minimum | Maximum

Enforce Password History | Keeps track of user’s password history | Remember 0 passwords | Same as default | Remember 24 passwords

Maximum Password Age | Determines maximum number of days user can keep valid password | Keep password for 42 days | Keep password for 1 day | Keep password for up to 999 days

Minimum Password Age | Specifies how long password must be kept before it can be changed | 0 days (password can be changed immediately) | Same as default | 999 days

Minimum Password Length | Specifies minimum number of characters password must contain | 0 characters (no password required) | Same as default | 14 characters

Passwords Must Meet Complexity Requirements | Allows you to install password filter | Disabled | Same as default | Enabled

Store Password Using Reversible Encryption for All Users in the Domain | Specifies higher level of encryption for stored user passwords | Disabled | Same as default | Enabled

The password policies are used as follows:

• The Enforce Password History option is used so that users cannot use

• The Minimum Password Age option is used to prevent users from changing their password several times in rapid succession in order to defeat the purpose of the Enforce Password History policy.

• The Minimum Password Length option is used to ensure that users create a password, as well as to specify that it meets the length requirement. If this option isn’t set, users are not required to create a password.

• The Passwords Must Meet Complexity option is used to prevent users from using as passwords items found in a dictionary of common names.

• The Store Password Using Reversible Encryption for All Users in the Domain option is used to provide a higher level of security for user passwords.
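Table 5.1 and the bullets above describe the policy settings but not what enforcing them looks like at the moment a user changes a password. The following Python is an added example for this page, not code from the book or from Windows. It models the member-server defaults and value ranges of Table 5.1, merges local and domain-level settings the way the Local Policy Setting and Effective Policy Setting fields of the exercise do (a setting defined at the domain level overrides the local one), and checks a proposed password change against history, minimum and maximum age, length and complexity. The PasswordPolicy and AccountPasswordState classes and the SHA-256 digests are constructed stand-ins for the real account store. The complexity rule coded here (account name not contained in the password, at least six characters, three of four character classes) is the rule of the default Windows password filter and is an assumption of this example, since the chapter only says the option blocks common dictionary words; the 14-character ceiling is the one given in review answer 18; the reversible-encryption setting is carried but has no effect on the checks.

```python
"""Password policy model for the options in Table 5.1 (constructed example)."""
import hashlib
from dataclasses import dataclass, fields
from datetime import datetime, timedelta

# Allowed ranges (minimum, maximum) taken from Table 5.1.
RANGES = {
    "history_count": (0, 24),
    "max_age_days": (1, 999),
    "min_age_days": (0, 999),
    "min_length": (0, 14),
}
MAX_PASSWORD_LEN = 14   # review answer 18 gives 14 as the maximum password length


@dataclass(frozen=True)
class PasswordPolicy:
    """Defaults are the member-server defaults of Table 5.1."""
    history_count: int = 0               # Enforce Password History
    max_age_days: int = 42               # Maximum Password Age
    min_age_days: int = 0                # Minimum Password Age
    min_length: int = 0                  # Minimum Password Length
    complexity: bool = False             # Passwords Must Meet Complexity Requirements
    reversible_encryption: bool = False  # Store Password Using Reversible Encryption

    def __post_init__(self):
        for name, (lo, hi) in RANGES.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}..{hi}")


def effective_policy(local, domain):
    """A domain-level setting overrides the local one; None means 'not defined'
    and falls through to the local value, then to the default."""
    merged = {}
    for f in fields(PasswordPolicy):
        value = domain.get(f.name)
        if value is None:
            value = local.get(f.name)
        merged[f.name] = f.default if value is None else value
    return PasswordPolicy(**merged)


def meets_complexity(password, username):
    """Assumed rule of the default Windows password filter (simplified): the account
    name must not appear in the password, at least six characters, and characters
    from at least three of the four classes upper, lower, digit, other."""
    if username.lower() in password.lower() or len(password) < 6:
        return False
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return sum(classes) >= 3


def digest(password):
    # The real store keeps hashes, never plaintext; SHA-256 stands in for them here.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AccountPasswordState:
    username: str
    history: list        # digests of previous passwords, most recent first
    last_set: datetime   # when the current password was set


def password_expired(policy, state, now):
    """Maximum Password Age: the password must be changed once this many days pass."""
    return now - state.last_set >= timedelta(days=policy.max_age_days)


def check_new_password(policy, state, new_password, now):
    """Return the list of policy violations a change to new_password would cause."""
    problems = []
    if now - state.last_set < timedelta(days=policy.min_age_days):
        problems.append("minimum password age not reached")
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(new_password) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    if digest(new_password) in state.history[:policy.history_count]:
        problems.append(f"one of the last {policy.history_count} passwords")
    if policy.complexity and not meets_complexity(new_password, state.username):
        problems.append("does not meet complexity requirements")
    return problems


def change_password(policy, state, new_password, now):
    problems = check_new_password(policy, state, new_password, now)
    if problems:
        raise ValueError("; ".join(problems))
    state.history.insert(0, digest(new_password))
    del state.history[RANGES["history_count"][1]:]   # never keep more than the table's 24
    state.last_set = now
    return state
```

With the default PasswordPolicy() every check passes for an empty password, which is exactly the "0 characters (no password required)" row of the table; the values used in Exercise 5.2 (5 passwords remembered, expiry after 60 days) turn the history and age checks on.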

In Exercise 5.2, you will configure password policies for your computer. This and the remaining exercises in this chapter assume that you have completed Exercise 5.1 to create the Security management console. All of the exercises should be performed on the member server.

Exercise 5.2

Setting Password Policies

1. Select Start > Programs > Administrative Tools > Security and expand the Local Computer Policy snap-in.

2. Expand the folders as follows: Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy.

3. Open the Enforce Password History policy. In the Effective Policy Setting field, specify 5 passwords remembered. Click the OK button.

4. Open the Maximum Password Age policy. In the Local Policy Setting field, specify that the password expires in 60 days. Click the OK button.

Setting Account Lockout Policies

The account lockout policies are used to specify how many invalid logon attempts should be tolerated. You configure the account lockout policies so that after x number of unsuccessful logon attempts within y number of minutes, the account will be locked for a specified amount of time or until the Administrator unlocks the account.

The account lockout policies are similar to how banks handle ATM access code security. You have a certain number of chances to enter the correct access code. That way, if someone stole your card, they would not be able to keep guessing your access code until they got it right. Typically, after three unsuccessful attempts at your access code, the ATM takes the card. Then you need to request a new card from the bank.

Figure 5.3 shows the account lockout policies, which are described in Table 5.2.
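The rule above (x unsuccessful attempts within y minutes, then a lock that lasts a fixed time or until an administrator intervenes) as an added example for this page, not code from the book or from Windows: a LogonTracker that counts failures per user inside the observation window, locks the account when the threshold is reached, refuses even a correct password while the lock holds, unlocks itself when the duration expires, and otherwise waits for admin_unlock. The class, the field names and the treatment of a threshold of 0 as "never lock out" are assumptions of this example.

```python
"""Account lockout model: x bad attempts within y minutes lock the account (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int                   # x: unsuccessful attempts before lockout; 0 = never lock out (assumption)
    observation_minutes: int         # y: window within which the attempts are counted
    duration_minutes: Optional[int]  # lock time; None = locked until an administrator unlocks


class LogonTracker:
    """Keeps per-user failure timestamps and lockout state for one computer."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = {}       # user -> timestamps of recent unsuccessful attempts
        self.locked_until = {}   # user -> datetime, or None for "until unlocked by an administrator"

    def is_locked(self, user, now):
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is None or now < until:
            return True
        # The lockout duration has elapsed: the account unlocks itself and the counter resets.
        del self.locked_until[user]
        self.failures[user] = []
        return False

    def admin_unlock(self, user):
        """The Administrator clears the lock (and the failure counter) by hand."""
        self.locked_until.pop(user, None)
        self.failures[user] = []

    def locked_accounts(self, now):
        """Accounts currently locked, for an administrator's review."""
        return sorted(u for u in list(self.locked_until) if self.is_locked(u, now))

    def attempt(self, user, password_ok, now):
        """Process one logon attempt and return 'success', 'failure' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"            # even a correct password is refused while locked
        if password_ok:
            self.failures[user] = []   # a successful logon resets the bad-attempt counter
            return "success"
        window = timedelta(minutes=self.policy.observation_minutes)
        recent = [t for t in self.failures.get(user, []) if now - t < window]
        recent.append(now)             # only failures inside the window count toward x
        self.failures[user] = recent
        if self.policy.threshold and len(recent) >= self.policy.threshold:
            dur = self.policy.duration_minutes
            self.locked_until[user] = None if dur is None else now + timedelta(minutes=dur)
            return "locked"
        return "failure"
```

Two failures followed by a third one after the observation window has passed do not lock the account, because the first two have aged out of the window; three failures inside the window do, and with duration_minutes set to None only admin_unlock clears the lock.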

Figure 5.3 The account lockout policies

Posted: 07/08/2014, 02:21