
Securing The Network

Task 3.4: Disabling Local User Accounts

Inevitably, all companies experience churn; employees come, employees go. Overall, however, barring a major reorganization, the corporate structure tends to remain constant. In other words, in larger organizations, there is always a CEO, always a head of HR, always one or more IT folks running around like the proverbial headless chicken. If any of these employees move on to other pursuits, it is highly likely that someone will come along to take their place.

A user account is named for the individual that uses its credentials, but the value is not in the name. The true identity associated with a user account is in the rarely seen, fairly unattractive alphanumeric code associated with it. Microsoft, for example, calls this code a security identifier (SID). Every object in the directory has one. By virtue of the SID, you can change the account’s name and password, and hence the logon characteristics of the account, without altering the SID. Because the access privileges are associated with the SID and not with the name of the account, when a secretary leaves the company and you know a replacement will be hired, you can simply deactivate the account and wait for the replacement to start work. At that time, changing the name and password for the account personalizes it for the new employee but keeps the job-related access the way it was so you don’t have to figure it out again.

This very simple task walks you through disabling an existing user account, testing the result, and then re-enabling the account with new user information and testing the result again.

Scenario

Ann Kaminski, VP of sales, has left the company. You need to rescind her access to network resources immediately but realize her position will be filled in the coming weeks. You want Ann’s replacement to have access to the Sales and Marketing and the Sales and Finance shares. You decide to deactivate Ann’s user account, leaving it in the Sales Planning and Receivables groups, so that the new VP of sales can be given immediate access when the time comes.

Scope of Task

Duration

This task should take about 20 minutes.

Setup

For this task, you need to have room to set up two computers with a network connection to one another.

Caveat

Disabling an account is only one step toward preventing access by a former associate. You also, to the extent of your abilities and influence, must make sure no administrative console remains open (that is, someone has logged onto it) at the same time it is left unattended. In such a case, the console becomes a potential security risk. Anyone wishing to re-enable the account or to create a new account with even greater privileges needs only to know how to do so—no hacking required.

Deactivation of accounts for departing personnel and then reactivating them when replacements are hired is a shortcut not all organizations condone. While the majority of enterprises might well allow such a practice, you might be in violation of a strict policy that states that all new personnel must begin with a security template that is to be added to for additional access rights, regardless of the position they hold.

Procedure

In this task, you first disable the user account of Ann Kaminski. After testing the effects of disabling her account, you change the name on the account to David Elliot and subsequently prove that David is capable of accessing the same resources that Ann once could.

Equipment Used

For this task, you need the computer with the user accounts and groups and the Sales and Marketing share. To test remote access, you will need at least one more computer. These computers require network access to each other.

Details

The following steps guide you through the process of disabling the user account of Ann Kaminski and converting it to that of David Elliot.

1. On the computer’s Desktop, right-click My Computer and choose Manage. This produces the Computer Management plug-in for the Microsoft Management Console (MMC).

2. In the left pane of the Computer Management window, click the plus sign beside Local Users And Groups under System Tools to expand this category.

3. Under Local Users And Groups, click the Users folder to produce the current list of user accounts that have been created on this computer.

4. In the right pane, double-click the akaminski account name to bring up the akaminski

5. It might be necessary to manually sever all of Ann Kaminski’s ties to the server. To do so, in Computer Management, expand the Shared Folders entry in the left pane. Then click the Sessions entry and right-click in the right pane on the entry AKAMINSKI, if it exists. Select Close Session from the shortcut menu, as displayed in the next image.

Also, you might need to sever the network connection on the computer you have been using to test Ann Kaminski’s access to her resources. This can be done by simply logging off of the computer and then back on.

6. Using Ann’s credentials, attempt to map a network drive to the Sales and Marketing share, as before. You are met with the following denial of access message.

7. In Computer Management, under Local Users And Groups, click the Users folder to bring back up the current list of user accounts that have been created on this computer. In the right pane, right-click the akaminski user account name and select Rename from the shortcut menu, making the user name editable. Change the name to delliot, for David Elliot, and press Enter.

8. (Optional) Right-click on the new name and click Set Password in the shortcut menu if you would like to change Ann’s old password to something new for David.

9. Double-click the delliot account name to open the delliot Properties dialog. Remove

information followed David. Note also, by clicking the Member Of tab, that David retained Ann’s membership in the Sales Planning group, as shown in the next screen shot.

10. Map a network drive to the Sales and Marketing share, using David Elliot’s new credentials.

11. Note that in the following screen shot, DELLIOT shows up in the Sessions display of

Criteria for Completion

You have completed this task when you have disabled Ann Kaminski’s account, confirmed lack of authorization, and then re-enabled the account for use by David Elliot, confirming authorization under his credentials.
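The same disable, rename, and verify sequence scripted in PowerShell, with an explicit check that the SID and group memberships survive the rename. This is an added example, not part of the book's procedure, which uses the Computer Management console; it assumes the LocalAccounts and SmbShare modules (Windows 10 / Server 2016 or later), and the two function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Account names come from the scenario; function names are hypothetical.

function Disable-DepartedUser {
    param([Parameter(Mandatory)][string]$Name)
    $user = Get-LocalUser -Name $Name -ErrorAction Stop
    Disable-LocalUser -SID $user.SID
    # Step 5: a session opened before the disable may still be connected; close it.
    Get-SmbSession | Where-Object { $_.ClientUserName -like "*\$Name" } |
        Close-SmbSession -Force
    # Baseline to compare against after the rename: the SID and local group memberships.
    $sid = $user.SID.Value
    [pscustomobject]@{
        Sid    = $sid
        Groups = @(Get-LocalGroup | Where-Object {
            (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).SID.Value -contains $sid
        } | ForEach-Object { $_.Name })
    }
}

function Convert-ToReplacement {
    param(
        [Parameter(Mandatory)][string]$OldName,
        [Parameter(Mandatory)][string]$NewName,
        [Parameter(Mandatory)][string]$FullName,
        [Parameter(Mandatory)]$Baseline   # output of Disable-DepartedUser
    )
    Rename-LocalUser -Name $OldName -NewName $NewName
    # Step 8 is optional on the page; this example always sets a new password.
    $pw = Read-Host -Prompt "New password for $NewName" -AsSecureString
    Set-LocalUser -Name $NewName -FullName $FullName -Password $pw
    Enable-LocalUser -Name $NewName

    # The rename must not have changed the SID or dropped any group membership.
    $after = Get-LocalUser -Name $NewName
    if ($after.SID.Value -ne $Baseline.Sid) { throw 'SID changed: this is not the same account' }
    $missing = @($Baseline.Groups | Where-Object {
        (Get-LocalGroupMember -Name $_).SID.Value -notcontains $Baseline.Sid
    })
    if ($missing.Count) { throw "Membership lost in: $($missing -join ', ')" }
    $after | Select-Object Name, FullName, Enabled, SID
}

# Day of departure (keep $baseline, e.g. with Export-Clixml, if the rename happens in a later session):
$baseline = Disable-DepartedUser -Name 'akaminski'
# When the replacement starts:
Convert-ToReplacement -OldName 'akaminski' -NewName 'delliot' -FullName 'David Elliot' -Baseline $baseline
```

Running `Get-SmbSession` again after the replacement maps the share should list the session under the new name, which corresponds to the Sessions check in the final step.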