10-1 © 2001 by Prentice Hall
Local Area Networks, 3rd Edition, David A. Stamper
Part 4: Installation and Management
Chapter 10
LAN Administration: Users, Groups, and Security
Chapter Preview
In this chapter you will study:
• Users and groups
• System programming
• Security
• Virus protection
Users and Groups
• Users
– From the LAN administrator’s perspective, the term users applies only to employees who use the LAN in doing their jobs. Because LAN users usually do not all have the same access privileges, it is important to be able to distinguish one user from another.
– The user ID is a user’s form of identification to the system. The ID is used to log in to the LAN. Exactly what access is allowed depends on the user’s access rights.
– Many LAN systems automatically establish two types of users at installation time. One type of user has a common user ID with few or no network privileges. The other type of user is all-powerful, with all rights and privileges on the system.
– The LAN administrator should devise a plan for creating consistent user names, matching those user names with the users or functions that use them, and setting up user-access rights.
Users and Groups (cont.)
• Groups
– A group is a collection of users. In some systems, each user must belong to exactly one group. In other systems, a user can belong to none, one, or several groups. The function of a group is to combine many users into a single entity and to use the group to implement security or grant capabilities common to groups of users.
– Users and groups can do certain things on a LAN because they have been given access rights, or permissions.
– The LAN administrator must devise a way to give proper access rights to all users.
User-Access Rights
Column headings (to whom the rights are extended):
• Everyone
• All members of a personnel group
• Only a few members of a personnel group
• A specific member of a software development group
Rights listed in the table:
• Logon and logoff
• Send and receive electronic mail
• Change employee addresses, telephone numbers, and names
• Retrieve employee data
• Change employee ratings
• Promote employees
• Create files
• Update source program
• Run word processing and spreadsheet programs
• Add new employees
• Use department printers
• Delete employees
• Delete files
• Delete source files
System Programming
• The meaning of system programming depends on whether the system is a mainframe or a LAN.
– On a LAN, system programming consists primarily of running the network, solving network problems, installing new software, writing network utilities, and personalizing users’ environments.
• In NetWare, part of a user’s environment is created with a logon script. Through the logon script, the LAN administrator can usually carry out the following:
– map server directories to the client's OS drive designators, such as F:
– print messages to the user
– run one or more programs
– set the user’s default drive and directory
– synchronize the client’s time to the server’s time
– set up printing
Security
• Setting up effective network security is a critical task of the LAN administrator. Although security does guard against different types of outside intrusions, most commonly security protects an organization from accidental or intentional disruption from its own employees.
• Too much security makes a system hard to use. Too little security can result in the loss of data, money, or opportunity because everyone has access to everything. A good security system provides the necessary safeguards without unduly inhibiting the use of the system.
• A comprehensive security program provides both physical security and data access security.
Password Administration
• A properly secured LAN requires all users to identify and authenticate themselves. Authentication is most commonly done via passwords.
• The security of your LAN system depends to a great extent on your policy for creating and changing passwords.
• One way to handle unsuccessful logons is to use a timeout value, which causes the system to refuse to accept another logon attempt from a user ID, station, or both until after a designated interval.
• Some installations like to maintain centralized control of the security system. One way of doing this is to prevent users from changing their own passwords. The LAN administrator is responsible for assigning all passwords.
Suggested Password Policy
Change passwords regularly—at least once per month.
Passwords should be at least six characters long.
Use at least one nonalphabetic character in passwords.
Do not write passwords down.
Do not use initials, month abbreviations, birthdates, and so on when making up a password.
Change a password if you suspect someone else knows it.
Make successive passwords unique; that is, do not use sequence numbers or letters.
Report any instances of suspected unauthorized logons.
Do not leave your workstation unattended while you are logged on.
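The rules in the suggested policy above can be enforced mechanically when a user picks a new password. The following is an added example written for this page, not code from the textbook or from any LAN product. It assumes that "at least once per month" means a 30-day maximum age, that the caller supplies the personal strings the policy forbids (initials, month abbreviations, birthdates), and that "sequence numbers or letters" means the new password is the old one with its trailing number or letter advanced by one; the sample values are constructed.

```python
import re
from datetime import date, timedelta

# Values from the slide's policy: six-character minimum and at least one
# nonalphabetic character. MAX_AGE_DAYS = 30 is an assumed reading of
# "change passwords at least once per month".
MIN_LENGTH = 6
MAX_AGE_DAYS = 30

# A password ending in a run of digits or a single letter, so that
# "secret1" -> "secret2" and "secretA" -> "secretB" can be recognised as sequences.
_TRAILING = re.compile(r"^(.*?)([0-9]+|[A-Za-z])$")


def is_sequence_of(previous, candidate):
    """True when candidate is previous with its trailing number or letter advanced by one."""
    mp, mc = _TRAILING.match(previous), _TRAILING.match(candidate)
    if not mp or not mc or mp.group(1) != mc.group(1):
        return False
    tail_prev, tail_new = mp.group(2), mc.group(2)
    if tail_prev.isdigit() and tail_new.isdigit():
        return int(tail_new) == int(tail_prev) + 1
    if tail_prev.isalpha() and tail_new.isalpha():
        return ord(tail_new.lower()) == ord(tail_prev.lower()) + 1
    return False


def check_password(candidate, previous=None, personal_tokens=()):
    """Return the policy rules the candidate breaks; an empty list means it is acceptable.

    previous        - the password being replaced (uniqueness and no-sequence rules)
    personal_tokens - strings the policy forbids inside a password: the user's initials,
                      month abbreviations, birthdates and so on, supplied by the caller
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.isalpha():
        problems.append("contains no nonalphabetic character")
    lowered = candidate.lower()
    for token in personal_tokens:
        if token and token.lower() in lowered:
            problems.append("contains personal token %r" % token)
    if previous is not None:
        if candidate == previous:
            problems.append("same as the previous password")
        elif is_sequence_of(previous, candidate):
            problems.append("is only a sequence step from the previous password")
    return problems


def password_expired(last_changed, today=None):
    """True when the current password is older than the monthly rotation interval.
    Dates may be date objects or ISO strings such as "2001-01-31"."""
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: the new password carries the user's initials and birth year
    # and is a sequence step from the old one, so it breaks three rules.
    for rule in check_password("jds1976", previous="jds1975", personal_tokens=("JDS", "1976")):
        print("rejected:", rule)
    print("expired:", password_expired("2001-01-01", today="2001-02-15"))
```

The checker returns every broken rule rather than stopping at the first, so the user can be told exactly why a choice was refused; the expiry check is separate because it applies to the password already in use, not to the candidate.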
Logon Restrictions
• Security can be further enhanced by controlling an authenticated user’s access to the system. This requires the LAN administrator to restrict how and where users log on.
• An organization may restrict users to specific workstations. A good security policy might be to limit logons for payroll user IDs to workstations in the payroll department area and for personnel user IDs to be limited to logging on from workstations in the personnel department.
• A major breach of security occurs when a user leaves his or her workstation without logging off. It is a good idea to have workstations set to automatically log off in the absence of input.
Password/User Controls in NetWare and Windows NT
Control                                                 NetWare   Windows NT
Password expiration                                        X          X
Minimum password age                                       -          X
Minimum password length                                    X          X
Password uniqueness                                        X          X
Lockout after specified number of unsuccessful logins      X          X
Station restrictions for login                             X          X
Time restrictions for login                                X          X
Allow user to change password                              X          X
Require passwords for users                                X          X
Limit concurrent logins                                    X          -
Allow grace logins (number of, after password expires)     X          -
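The logon-time controls just listed (lockout with a timeout value, station and time-of-day restrictions, a concurrent-login limit, grace logins after expiry) and the automatic logoff of an unattended workstation from the Logon Restrictions slide all act on one user ID at logon time, so they are easy to show together. The following is an added example written for this page; it is not NetWare or Windows NT code and does not reproduce their real settings. Assumed values: three failures lock the user ID for fifteen minutes, and a station is logged off after ten minutes without input; the payroll account, station names and times are constructed.

```python
from datetime import datetime, timedelta

# Assumed control values: lock the user ID after three unsuccessful logins, refuse
# further attempts for fifteen minutes (the slide's "timeout value"), and log an
# unattended station off after ten minutes without input.
MAX_FAILURES = 3
LOCKOUT_INTERVAL = timedelta(minutes=15)
IDLE_LIMIT = timedelta(minutes=10)


def _as_datetime(value):
    """Accept datetime objects or ISO strings such as "2001-06-04 09:00"."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


class Account:
    def __init__(self, user_id, password, allowed_stations=None, allowed_hours=None,
                 max_concurrent=1, grace_logins=3):
        self.user_id = user_id
        self.password = password                  # kept in clear only to keep this toy short
        self.allowed_stations = allowed_stations  # set of station names, or None for any station
        self.allowed_hours = allowed_hours        # (first_hour, last_hour_exclusive), or None
        self.max_concurrent = max_concurrent
        self.grace_logins = grace_logins          # logons still allowed after the password expires
        self.password_expired = False
        self.failures = 0
        self.locked_until = None
        self.sessions = set()                     # stations with an active logon


def attempt_logon(acct, password, station, now):
    """Apply the controls in order and return (accepted, reason)."""
    now = _as_datetime(now)
    if acct.locked_until is not None and now < acct.locked_until:
        return False, "user ID locked until %s" % acct.locked_until.strftime("%H:%M")
    if acct.allowed_stations is not None and station not in acct.allowed_stations:
        return False, "station %s not permitted for this user ID" % station
    if acct.allowed_hours is not None:
        first, last = acct.allowed_hours
        if not first <= now.hour < last:
            return False, "outside permitted logon hours"
    if password != acct.password:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_INTERVAL
            acct.failures = 0
            return False, "too many unsuccessful logins; user ID locked"
        return False, "bad password (%d of %d failures)" % (acct.failures, MAX_FAILURES)
    if len(acct.sessions) >= acct.max_concurrent:
        return False, "concurrent login limit reached"
    if acct.password_expired:
        if acct.grace_logins <= 0:
            return False, "password expired and no grace logins remain"
        acct.grace_logins -= 1
    acct.failures = 0
    acct.locked_until = None
    acct.sessions.add(station)
    return True, "logged on at %s" % station


def logoff(acct, station):
    acct.sessions.discard(station)


def enforce_idle_logoff(acct, station, last_input, now):
    """Log the station off when no input has arrived within IDLE_LIMIT; True if it did."""
    idle = _as_datetime(now) - _as_datetime(last_input)
    if station in acct.sessions and idle >= IDLE_LIMIT:
        acct.sessions.discard(station)
        return True
    return False


if __name__ == "__main__":
    # Constructed payroll account: two payroll-area stations, office hours only.
    acct = Account("payroll1", "Pay#2001", allowed_stations={"PAY-01", "PAY-02"},
                   allowed_hours=(8, 18))
    print(attempt_logon(acct, "Pay#2001", "HR-03", "2001-06-04 09:00"))
    for minute in range(3):
        print(attempt_logon(acct, "wrong", "PAY-01", "2001-06-04 09:0%d" % minute))
    print(attempt_logon(acct, "Pay#2001", "PAY-01", "2001-06-04 09:05"))
```

The lockout is keyed to the user ID, which is the variant the slide describes; keying it to the station as well would need a second counter per station. Station and hour checks run before the password is compared, so a request from the wrong place never gets as far as a password guess.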
Encryption
• If you cannot prevent users from gaining unauthorized access to data, you can take another measure, encryption, to prevent those users from using that data. Encryption is the process of taking data in its raw form, called plain text, and transforming it into a scrambled form, called cipher text.
• The most common encryption techniques are the data encryption standard (DES), originally established by the U.S. Bureau of Standards, and public key encryption.
• You almost always find encryption being used on LAN files that contain user passwords. Because passwords are stored in a file, access to the passwords in that file seriously jeopardizes system security if the passwords are stored in clear text. To overcome this problem, almost all systems encrypt the passwords before storing them on disk.
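The last point above, that the password file must not hold passwords in clear text, is worth seeing in code. What systems actually store is a one-way transform of the password plus a per-user random salt, so that the file can be read without giving up the passwords themselves; this added example shows that approach and is not code from the textbook or from any LAN product. Assumed for the example: PBKDF2-HMAC-SHA256 with 100,000 iterations, a 16-byte salt, a record layout of "user:iterations:salt_hex:digest_hex", and a constructed two-user clear-text file to convert.

```python
import hashlib
import hmac
import os

# Assumed storage format for this example: "user:iterations:salt_hex:digest_hex",
# with PBKDF2-HMAC-SHA256, a 16-byte random salt and 100,000 iterations.
ITERATIONS = 100_000

# Constructed sample of the risky form the slide warns about: user IDs and passwords
# in clear text, one per line.
CLEAR_TEXT_FILE = "alice:Xk7#pq2z\nbob:Tr0ub4dor&3\n"


def make_record(user_id, password, salt=None):
    """Build one line of the password file; the password itself is never written."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%s:%d:%s:%s" % (user_id, ITERATIONS, salt.hex(), digest.hex())


def verify(record, user_id, password):
    """Recompute the digest from the stored salt and compare it in constant time."""
    stored_user, iterations, salt_hex, digest_hex = record.split(":")
    if stored_user != user_id:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def convert_clear_text_file(text):
    """Rewrite a clear-text 'user:password' file as hashed records."""
    records = [make_record(*line.split(":", 1)) for line in text.splitlines() if line.strip()]
    return "\n".join(records) + "\n"


def load_password_file(text):
    """Index hashed records by user ID."""
    return {line.split(":", 1)[0]: line for line in text.splitlines() if line.strip()}


def authenticate(password_file, user_id, password):
    record = password_file.get(user_id)
    return record is not None and verify(record, user_id, password)


if __name__ == "__main__":
    hashed = convert_clear_text_file(CLEAR_TEXT_FILE)
    print(hashed)                       # no password appears in the stored form
    users = load_password_file(hashed)
    print(authenticate(users, "alice", "Xk7#pq2z"), authenticate(users, "alice", "guess"))
```

Because each record carries its own random salt, two users with the same password get different digests, and the same user re-registering the same password gets a new digest each time; the iteration count is stored with the record so it can be raised later without invalidating old entries.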
Access Matrix
• An access matrix is a grid where users are listed over columns, and files are listed at the beginning of a row, similar to a spreadsheet format. At the intersection of a row and column is a cell defining that user’s rights to that file. The rights represented are read (r), write (w), execute (e), and delete (d); a dash means no capability.
Sample Matrix
Rows (files): File-1, File-2
Columns (users): User-1, User-2, User-3
Cells: rwed, r---, rw--, ----, r---, ----
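An access matrix is small enough to implement directly, and doing so shows the two questions an administrator asks of it: "may this user do this to this file?" and "who can do this to this file?". The following is an added example for this page, not code from the textbook; it uses the slide's rwed notation but fills in its own constructed three-user, two-file matrix rather than reproducing the slide's sample.

```python
RIGHTS = "rwed"   # read, write, execute, delete, in the order the slide uses


class AccessMatrix:
    """Files are rows, users are columns; each cell holds the subset of RIGHTS granted."""

    def __init__(self, users, files):
        self.users = list(users)
        self.files = list(files)
        self._cells = {(f, u): set() for f in self.files for u in self.users}

    def _key(self, user, file):
        key = (file, user)
        if key not in self._cells:
            raise KeyError("no cell for user %r and file %r" % (user, file))
        return key

    @staticmethod
    def _parse(rights):
        """Turn "rw--" or "rw" into the set of rights it names; dashes mean nothing."""
        wanted = set(rights) - {"-"}
        unknown = wanted - set(RIGHTS)
        if unknown:
            raise ValueError("unknown right(s): %s" % "".join(sorted(unknown)))
        return wanted

    def set_rights(self, user, file, rights):
        self._cells[self._key(user, file)] = self._parse(rights)

    def grant(self, user, file, rights):
        self._cells[self._key(user, file)] |= self._parse(rights)

    def revoke(self, user, file, rights):
        self._cells[self._key(user, file)] -= self._parse(rights)

    def allowed(self, user, file, right):
        """The access check: does this user hold this single right on this file?"""
        if right not in RIGHTS:
            raise ValueError("unknown right %r" % right)
        return right in self._cells[self._key(user, file)]

    def cell(self, user, file):
        """Render one cell the way the slide does, e.g. "rw--"."""
        held = self._cells[self._key(user, file)]
        return "".join(r if r in held else "-" for r in RIGHTS)

    def users_with(self, file, right):
        """Audit helper: which users hold a given right on a file (e.g. who can delete it)."""
        return [u for u in self.users if self.allowed(u, file, right)]

    def render(self):
        """Print the whole grid: users across the top, one row per file."""
        width = max(len(f) for f in self.files)
        head = " " * width + "  " + "  ".join(self.users)
        rows = [f.ljust(width) + "  " + "  ".join(self.cell(u, f).ljust(len(u)) for u in self.users)
                for f in self.files]
        return "\n".join([head] + rows)


def sample_matrix():
    """Constructed example (not the slide's own sample): three users, two files."""
    m = AccessMatrix(["User-1", "User-2", "User-3"], ["File-1", "File-2"])
    m.set_rights("User-1", "File-1", "rwed")
    m.set_rights("User-2", "File-1", "r---")
    m.set_rights("User-3", "File-1", "rw--")
    m.set_rights("User-2", "File-2", "r---")
    return m


if __name__ == "__main__":
    m = sample_matrix()
    print(m.render())
    print("User-3 may delete File-1:", m.allowed("User-3", "File-1", "d"))
    print("Users who can write File-1:", m.users_with("File-1", "w"))
```

Cells default to no capability, so a user or file added later starts with nothing until rights are granted explicitly, which is the least-privilege default an administrator wants from such a grid.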
Novell NetWare File and Directory Rights
Right            Abbreviation   Meaning
Supervisory      [S]            Supervisory rights to the directory file and all subdirectories
Read             [R]            Read an open file
Write            [W]            Write to an open file
Create           [C]            Create a new file
Erase            [E]            Delete an existing file
File scan        [F]            List names of files or subdirectories in directory
Modify           [M]            Change file attributes, rename files, and rename directories
Access control   [A]            Pass rights to directory or file to another user
File/Directory Tree Structure
(Figure: a directory tree. Directories shown: Root, Database, SUB 1, Customer, Notes.)
Some Windows NT Rights
Access this computer from the network
Add workstations to a domain
Back up files and directories
Change the system time
Force shutdown from a remote system
Load and unload device drivers
Log on locally
Manage auditing and security log
Restore files and directories
Shut down the system
Take ownership of files
Windows NT Share Permissions
No Access—no permissions granted for share
Read—read directories, files, run programs
Change—read access, plus can modify files, delete and create directory entries
Full Control—read and change, plus change permissions and take ownership
Security Policy Topics
Password administration
Auditing policy
Consequences of employees intentionally trying to subvert security
Encryption implementation
Virus detection procedures
Data backup/restore policy
Introduction of software/data by employees, i.e., using media from outside the organization
Access to outside networks/nodes
Control of external access, e.g., switched and Internet connections
Disaster recovery
Designation of personnel for monitoring and implementing security
Managing security threats
Security training
Documentation
Security review procedures
Viruses
• A LAN administrator must protect the system from viruses. This is no easy task. In 1991, approximately 500 different viruses had been detected. By 1999, one antivirus software company had over 45,000 viruses registered.
• Viruses disrupt systems in a variety of ways, and some are more destructive than others. All viruses hinder normal system operations.
Virus Detection
• Viruses are detected in two ways. The most obvious but least desirable way is to experience the consequences of having a virus. The best way to detect a virus is to find it before it activates itself. A variety of antivirus programs are available for this purpose.
• Some antivirus programs are run on demand, whereas others are constantly running. Programs that are constantly running use memory (and contribute to system overhead), but generally provide better protection than on-demand antivirus programs.
• It is best to have a stand-alone computer conveniently available for virus detection. After data has been received, it and the stand-alone computer can be checked for viruses. After checking for viruses and removing any that are found, the administrator can move the data to the LAN.
How an Antivirus Program Works
1. Workstation application issues request to access a file.
2. Antivirus software examines file being accessed.
3. Antivirus software writes message to log file and system console.
4. Antivirus software does one of the following:
(a) removes virus from file
(b) erases file
(c) moves file to disk area for infected files
(d) renames file
(e) does nothing and allows file to be accessed
Figure labels: Server, Workstation.
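The four steps above form an on-access scanner: intercept the file request, examine the file, log, then apply one of the five configured outcomes. The following is an added example for this page that models that flow in memory; it is not code from the textbook or from any antivirus product. The signatures are made-up byte strings standing in for what a real scanner matches, and the two files on the "server" are constructed.

```python
# Constructed signatures for this example: made-up byte patterns standing in for the
# patterns a scanner looks for. They are not real malware signatures.
SIGNATURES = {
    "SAMPLE-A": b"<<SAMPLE-SIG-A>>",
    "SAMPLE-B": b"<<SAMPLE-SIG-B>>",
}

# The five outcomes the slide lists for step 4.
ACTIONS = ("remove", "erase", "quarantine", "rename", "allow")

# Constructed file contents standing in for the server's disk.
SAMPLE_FILES = {
    "reports/q1.doc": b"Quarterly report text",
    "tools/setup.exe": b"MZ-header" + b"<<SAMPLE-SIG-A>>" + b"-rest-of-program",
}


class FileServer:
    def __init__(self, files, action="quarantine"):
        if action not in ACTIONS:
            raise ValueError("unknown action %r" % action)
        self.files = dict(files)     # path -> bytes
        self.quarantine = {}         # the "disk area for infected files"
        self.log = []                # messages written to the log file and console
        self.action = action

    def scan(self, data):
        """Step 2: return the name of the first signature found in the data, or None."""
        for name, pattern in SIGNATURES.items():
            if pattern in data:
                return name
        return None

    def open_file(self, station, path):
        """Steps 1-4: a workstation asks for a file; return (allowed, data or None)."""
        data = self.files.get(path)
        if data is None:
            return False, None
        found = self.scan(data)
        if found is None:
            return True, data
        # Step 3: log before acting, so the event is recorded whatever happens next.
        self.log.append("%s requested %s: %s detected, action=%s"
                        % (station, path, found, self.action))
        if self.action == "remove":
            cleaned = data.replace(SIGNATURES[found], b"")
            self.files[path] = cleaned
            return True, cleaned
        if self.action == "erase":
            del self.files[path]
        elif self.action == "quarantine":
            self.quarantine[path] = self.files.pop(path)
        elif self.action == "rename":
            self.files[path + ".infected"] = self.files.pop(path)
        else:                        # "allow": record the detection and let the access proceed
            return True, data
        return False, None


if __name__ == "__main__":
    srv = FileServer(SAMPLE_FILES, action="quarantine")
    print(srv.open_file("WS-01", "reports/q1.doc"))
    print(srv.open_file("WS-01", "tools/setup.exe"))
    print(srv.log, list(srv.quarantine))
```

Only "remove" and "allow" let the workstation's request succeed; the other three outcomes deny the access and leave the infected content out of the normal file area, and in every case the log entry is written first, which is what makes the event visible to the administrator even when the action is "allow".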