Securing The Network47240c03.fm Page 137 Tuesday, July 11, 2006 6:48 AM
Task 3.1: Creating Local User Accounts
To be able to manage access to resources, you must create user accounts. A user account is a security object in an operating system that uses authentication to verify the identity of the user attempting to gain access to resources. If the user does not authenticate properly, whether by password, smart card, biometrics, or other means, the user account cannot be used to gain access to network resources.
Granting or denying access to resources sometimes involves great strategy. Perhaps you wish to list all the groups and individuals you want to have access to all of your network’s resources. Perhaps, instead, you would rather do so for some resources, but because the list of those you want to deny access to some resources is shorter than the list of those you want to grant access, the best strategy might be to deny the short list instead of allowing the longer one.
Another strategy worth mentioning is how to come up with the user account names. One of the best-known and simplest methods is to use a person’s first initial and last name concatenated to make a single string of letters, such as jjones for Jonathan Jones. The method you use is entirely up to you, but the best methods create a meaningful username that is not easy to guess, such as a user’s three initials and the last four digits of their Social Security number. For example, jdj6789 might be the username for Jonathan D. Jones, whose Social Security number is 123-45-6789. This method is at once elegant in its security, with a middle initial no one really knows and the last four digits of the Social Security number, which even fewer know, and sensible in its use of personal information, not spelling out the name or using the entire Social Security number.
This task walks you through the steps necessary to create a local user account—one that exists only for the resources local to a particular computer, not across a domain—without delving any deeper than the foregoing discussion into the process of developing a naming convention. Later tasks test the access rights of such an account. If your network is made up of one or more domains, you may or may not have the necessary rights to manage users and groups. It is much more likely, however, that you have access to these objects on your own computer. Furthermore, local user accounts are all you need to master this concept on a small cadre of machines, porting what you learn to a larger, domain-based environment later in your studies or practice.
Scenario
You have a computer on the network that you want to use to house collaborative folders for three company associates. At this point, you need to create user accounts for these individuals so that later you can exercise granular control over their access to the various resources you intend to create.
Scope of Task
Duration
This task should take about 20 minutes.
Setup
For this task, you need to have room to set up two computers with a network connection to one another.
Caveat
Local user accounts do not follow the user to other computers. For that type of central account repository, you must have a user domain as opposed to the simpler workgroup model, as well as some type of directory service, such as Microsoft’s Active Directory. Additionally, you need some form of domain controller system to hold the user account objects and handle requests for authentication from domain member devices as users attempt to access their resources. Such a model is much more complex and beyond the scope of this book. This task and the related tasks in this phase seek only to convey the concept of secure accounts and resources, not to turn you into a domain administrator.
Procedure
Equipment Used
For this task, you’ll use only one of the two computers to create three local user accounts. In a later task, to test these accounts, you will use the other one. These computers require network access to each other.
Details
You will need only one of the networked computers, the one that is to house the shared folders and the user accounts. The following steps guide you through the process of creating three user accounts, one for Ann Kaminski, one for Bob Underhill, and one for Cathy Sullivan.
1. On the computer’s Desktop, right-click My Computer and choose Manage.
2. In the left pane of Computer Management, click the plus sign beside Local Users And
3. Under Local Users And Groups, click the Users folder to produce the current list of user accounts that have been created on this computer.
4. Right-click in an unaffiliated (blank) portion of the right pane of the Computer Management window and then click New User on the shortcut menu.
5. In the New User dialog, the two most important and functional pieces of information are the User Name and Password fields (and, of course, the Confirm Password field, which must be the same as the Password field). Enter the username for Ann Kaminski in accordance with your company’s naming convention, as well as her initial password, which should be difficult to guess.
Optionally, include the full name of the user and a meaningful description of the account or the user.
6. Because local accounts will not be used to log on to this computer’s graphical interface but instead to simply control access to its resources, it is not advisable to make the user change their password at next logon. Conceivably, the user might never log on to the computer locally, but any access to the computer’s resources will be restricted until the password is changed. Instead, remove the check mark from the top check box, which makes the second and third check boxes selectable. Place a check mark in the Password Never Expires box.
7. Click the Create button to finalize the establishment of the account. The New User dialog clears and is ready for the second account. Enter similar information for Bob and Cathy, clicking the Create button after each one, and then click the Close button when you are finished.
8. Note that in the following screen, all three new accounts are listed, along with their full
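
The same three accounts can be created from a script on current Windows versions. This is an added example, not part of the original text: it assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets, an elevated session, and the first-initial-plus-last-name convention; the helper function names and the account descriptions are hypothetical.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the New User dialog steps above.

# The three associates named in the task. Descriptions are constructed sample text.
$people = @(
    @{ First = 'Ann';   Last = 'Kaminski';  Description = 'Collaborative folders user' },
    @{ First = 'Bob';   Last = 'Underhill'; Description = 'Collaborative folders user' },
    @{ First = 'Cathy'; Last = 'Sullivan';  Description = 'Collaborative folders user' }
)

function Get-UserNameFromConvention {    # hypothetical helper
    param([string]$First, [string]$Last)
    # Assumed convention: first initial + last name, lower case (jjones style).
    ($First.Substring(0, 1) + $Last).ToLowerInvariant()
}

function New-InitialPassword {           # hypothetical helper
    # 18 bytes from the OS CSPRNG, Base64-encoded to a 24-character password.
    $bytes = New-Object byte[] 18
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes)
}

$created = foreach ($p in $people) {
    $name = Get-UserNameFromConvention -First $p.First -Last $p.Last
    if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) {
        Write-Warning "Account '$name' already exists; skipping."
        continue
    }
    $plain  = New-InitialPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # -PasswordNeverExpires corresponds to the Password Never Expires box in step 6.
    New-LocalUser -Name $name -Password $secure -FullName "$($p.First) $($p.Last)" `
        -Description $p.Description -PasswordNeverExpires -ErrorAction Stop | Out-Null
    [pscustomobject]@{ UserName = $name; InitialPassword = $plain }
}

if ($created) {
    # Initial passwords are shown once so they can be passed to each user out of band.
    $created | Format-Table -AutoSize
    # Equivalent of step 8: list the new accounts with their full names.
    Get-LocalUser -Name $created.UserName |
        Select-Object Name, FullName, Enabled, PasswordExpires, Description
}
```

Unlike the New User dialog, `New-LocalUser` does not place the account in any local group, so add group membership with `Add-LocalGroupMember` where a later task depends on it.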