Chapter 13: MANAGING USERS AND GROUPS
In this chapter, students learn how to put together users and groups. They are introduced to user accounts, groups, user rights assignment, account policy, and cached credentials. These slides illustrate some of the topics in more detail than in the text, showing students the dialog boxes and answering any questions they might have.
User accounts are the basic unit of identity for a user. All processes in Windows XP run under the guise of a user account. System processes and service processes even run as users. You can grant users access to resources by associating their security identifier (SID), a part of their identity, with discretionary access control lists (DACLs) belonging to objects. This association, embodied in an access control entry (ACE), forms the foundation for security in Windows XP. In Active Directory, user accounts are even more important—they are the repository for data about the user. They can contain a user’s address, phone/fax numbers, and even personnel data.
Users can be collected into groups to simplify assignment of permissions. By collecting users into a group, you can make a single assignment to grant permissions to all those users at once. In Active Directory, groups can be designated for security or distribution. Distribution groups are used to simplify messaging.
Built-in accounts are created during setup of the operating system. The Administrator account is intended for system administration tasks and has the appropriate rights and permissions to perform any maintenance and configuration task on the system. The Guest account is for granting temporary access to guests. It is disabled by default. This account does not have any administrative function or permissions. Discuss the security implications of these two accounts. The Administrator account can be renamed, but it retains its distinctive SID and is a favorite target for hackers because it cannot be locked out. The Guest account is usually left disabled, and guests are instead added to the Guests local group. Mention the System account as well. It does not have interactive logon ability, but it is the account most system processes are executed under. It is equal in power and permissions to the Administrator account.
Built-in groups are designed to allow users to be given specific rights and permissions based on their role. Placing users in certain built-in groups gives them specific administrative abilities on the system. Discuss the built-in groups listed in the textbook. Describe how some of these groups are used to define administrative roles in Windows XP. Give an example of when each group might be used.
Implicit groups are an important tool that administrators can use to control access to resources based on how those resources are accessed. The list in the textbook describes how some of these groups are used. Be prepared to offer an anecdote about how you have used an implicit group to simplify a security issue.
Service accounts allow system services, and services required by installed applications, to access resources. Permissions can be granted to these accounts as if they were real users. Discuss the built-in service accounts: Service, Local Service, and Network Service. Also discuss the user rights (such as Log On As A Service) that a service needs in order to use a service account properly, and mention that service accounts should be configured so that their passwords do not expire. Mention some of the application service accounts (such as IUSR_<system name>, used by Windows XP to support IIS and other applications). Open the Services console and show students how service accounts are assigned to services.
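As an added classroom example (not part of the course material), the following batch file does from the command line what the Services console shows in the demonstration: it lists every installed service together with the account it logs on as, using the Sc.exe query and qc commands that ship with Windows XP. Services running as LocalSystem, or as a named user rather than Local Service or Network Service, stand out for review.

```batch
@echo off
rem Added example for the service-accounts slide; not part of the course material.
rem Lists each installed service with the account it runs under.
rem Sc.exe and Findstr.exe are standard Windows XP tools; no other assumptions.
setlocal enabledelayedexpansion
rem "sc query" prints one "SERVICE_NAME: <name>" line per service; the rest of each
rem block is filtered out by findstr.
for /f "tokens=1,* delims=: " %%a in ('sc query type^= service state^= all ^| findstr /b "SERVICE_NAME"') do (
    set "svc=%%b"
    rem "sc qc" prints the logon account on the SERVICE_START_NAME line of the service configuration.
    for /f "tokens=1,* delims=: " %%c in ('sc qc "!svc!" ^| findstr /c:"SERVICE_START_NAME"') do (
        echo !svc!    %%d
    )
)
endlocal
```

Run it from a command prompt and compare the output with the Log On tab of a service in the Services console; the second column is the same account name shown there.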
When you discuss domain user accounts and groups, point out how users and groups from the domain can be placed into local groups to give them rights and permissions on the local system.
This slide shows the Local Users and Groups snap-in, both in the Computer Management console and in a standalone console. If time permits, demonstrate how to create a custom user management console by adding the standalone Local Users and Groups snap-in to an empty Microsoft Management Console.
This slide depicts the User Accounts tool in Control Panel. Point out that this tool creates only basic user accounts, placing them in the Users or Administrators built-in group. Managing user profile settings or assigning membership in other groups requires use of the Local Users and Groups snap-in or the Net User tool. However, the User Accounts tool is the only tool that allows you to designate the user’s logon icon.
This slide depicts the Active Directory Users and Computers console, the principal user management tool for Active Directory domains. Mention other tasks you can perform with it, such as Group Policy management and management of domain computer accounts.
The NET USER command can be called from batch files to automate repetitive management tasks. It is useful for scripted user account additions and changes. You can also create a batch file that uses command-line parameters to quickly add or remove specific user accounts. Point out the available command options in the textbook and, if time permits, demonstrate adding and removing a user using Net.exe.
This slide shows the planning stages for users and groups. It begins with users and files. Users are collected into groups, and the files are collected into folders. Permissions are given to the group, and in the last frame, a new user gains access to the folder simply by being placed into the group. As you explain this approach, try to offer real-world examples.
Use this slide to discuss how to provide the listed users with unique usernames. Discuss ways to ensure uniqueness, such as adding numbers to the end of the name or including the middle initial. Present a few real-world scenarios as well.
Passwords are a weakness in many organizations. Discuss ways to create strong but memorable passwords. Discuss the use of nonalphanumeric characters in passwords. Describe the two main hacker attacks against passwords and how a long, complex password makes those attacks less likely to succeed:
Dictionary attack, where the attacker uses word combinations to guess the password.
Brute force attack, where the attacker tries every combination of letters, numbers, and special characters until the password is found.
This slide depicts the selection of the Welcome screen and Classic logon dialog box in the User Accounts tool in Control Panel. Discuss when each logon method might be useful. Demonstrate the configuration of this option if time permits.
This slide shows the Local Users and Groups snap-in being used to manage a user account from creation to deletion. As you step through the frames, discuss each dialog box and its options.
This slide shows the Local Security Settings console displaying the User Rights Assignment section of Local Security Policy. Discuss the user rights listed in the textbook and describe how or where each might be used. Describe a real-world scenario such as a system that requires shutdown restrictions or a user who is responsible for backing up and restoring files.
This slide depicts the management of a group using Local Users and Groups. If possible, walk through this process in class. Point out the warning at the end, and be sure to note its content—that a group created later with the same name will have a new SID and will not gain access to resources granted to this group.
This slide depicts the management of the local group Finance using the Net command with the Localgroup option. If possible, discuss the management of users and groups using the Net command, and demonstrate the creation of a group. Also, mention the Group option of the Net command for domain global group management.
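The following batch file is an added example for this slide and for the earlier Net.exe user-management slide; it is not part of the course material or the textbook. It takes command-line parameters, as the user slide suggests, and uses Net User and Net Localgroup to add or remove accounts and to create and list a local group such as Finance. The group and account names are placeholders from the slides; run it from an administrative command prompt.

```batch
@echo off
rem Added example for the "users with Net.exe" and "groups with Net.exe" slides;
rem not part of the course material. Usage:
rem   manage.cmd adduser <name> <password> [group]   create a local account, optionally add it to a local group
rem   manage.cmd deluser <name>                       delete a local account
rem   manage.cmd mkgroup <group> [comment]            create a local group (e.g. Finance) if it does not exist
rem   manage.cmd members <group>                      list the members of a local group
rem For domain global groups, "net group <name> /domain" takes the place of "net localgroup".
setlocal
if /i "%~1"=="adduser" goto adduser
if /i "%~1"=="deluser" goto deluser
if /i "%~1"=="mkgroup" goto mkgroup
if /i "%~1"=="members" goto members
goto usage

:adduser
if "%~3"=="" goto usage
rem "net user <name>" succeeds only when the account exists, so it doubles as an existence check.
net user "%~2" >nul 2>&1 && (echo Account %~2 already exists.& exit /b 1)
rem /passwordchg:yes lets the user change the initial password; /expires:never keeps the account from lapsing.
net user "%~2" "%~3" /add /passwordchg:yes /expires:never || exit /b 1
rem A new account lands in the Users group only; any further membership is a separate, explicit step.
if not "%~4"=="" net localgroup "%~4" "%~2" /add || exit /b 1
exit /b 0

:deluser
if "%~2"=="" goto usage
rem Deleting the account discards its SID: a later account with the same name gets a new SID and
rem inherits none of the old permissions, the same warning the group-management slide gives.
net user "%~2" /delete
exit /b %errorlevel%

:mkgroup
if "%~2"=="" goto usage
net localgroup "%~2" >nul 2>&1 && (echo Group %~2 already exists.& exit /b 0)
if "%~3"=="" (net localgroup "%~2" /add) else (net localgroup "%~2" /add /comment:"%~3")
exit /b %errorlevel%

:members
if "%~2"=="" goto usage
rem "net localgroup <name>" without switches prints the comment and the member list.
net localgroup "%~2"
exit /b %errorlevel%

:usage
echo Usage: %~nx0 adduser ^<name^> ^<password^> [group] ^| deluser ^<name^> ^| mkgroup ^<group^> [comment] ^| members ^<group^>
exit /b 2
```

In class, "manage.cmd mkgroup Finance" followed by "manage.cmd adduser jsmith P@ssw0rd Finance" and "manage.cmd members Finance" walks through the same steps the slide shows in the dialog boxes; every step returns a non-zero exit code on failure so the file can be called from other batch files.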
This slide shows a user being created, managed, and deleted with the User Accounts tool in Control Panel. Discuss the limitations of this method—namely, the inability to work with any groups other than the built-in Users and Administrators groups.
This list mirrors the best practices list in the textbook. Discuss the reasoning behind each point, and ask students for examples of when each item would apply.
This slide depicts the addition of the user John to the list of users allowed to shut down the system. If possible, demonstrate this using a system in the classroom.
Discuss the settings available in Local Security Policy to manage password strength. Demonstrate the configuration of these settings, if possible.
Discuss the settings available in Local Security Policy to manage account lockouts. Demonstrate the configuration of these settings, if possible. Describe real-world scenarios where use of account lockouts can thwart an attacker.
Cached credentials are used for mobile systems that are not always connected to a domain and to speed startup and logon by letting users log on before network services are fully started. Discuss the use of cached credentials and the following guidelines:
Users must log on to the domain once to cache credentials for future logons.
Users whose passwords were changed might be able to log on with their previous password.
Disabled or deleted users can log on if their credentials have not been deleted.
This slide depicts the Group Policy setting used to manage cached credentials in Windows XP. Describe the effects on a system if this value is set to 0 (cached credentials disabled).
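As an added example covering the shutdown-right, password-policy, account-lockout and cached-credentials slides (it is not part of the course material), the batch file below writes a standard Secedit.exe security template and applies it, doing from the command line what the Local Security Policy and Group Policy demonstrations do in the console. The numeric values are sample classroom settings, "John" is the placeholder account from the shutdown slide, and the template file path under %TEMP% is the script's own choice.

```batch
@echo off
rem Added example; not part of the course material. Writes a security template (.inf) and applies
rem it with Secedit.exe. Run from an administrative command prompt. Values are sample settings.
setlocal
set "INF=%TEMP%\classroom.inf"
set "SDB=%TEMP%\classroom.sdb"

> "%INF%"  echo [Version]
>> "%INF%" echo signature="$CHICAGO$"
>> "%INF%" echo Revision=1
rem Password policy (Local Security Policy, Account Policies, Password Policy).
>> "%INF%" echo [System Access]
>> "%INF%" echo MinimumPasswordLength = 8
>> "%INF%" echo PasswordComplexity = 1
>> "%INF%" echo PasswordHistorySize = 24
>> "%INF%" echo MaximumPasswordAge = 42
>> "%INF%" echo MinimumPasswordAge = 1
rem Account lockout: 5 bad attempts within 30 minutes lock the account for 30 minutes.
rem The built-in Administrator account is exempt, which is why it attracts password guessing.
>> "%INF%" echo LockoutBadCount = 5
>> "%INF%" echo ResetLockoutCount = 30
>> "%INF%" echo LockoutDuration = 30
rem User rights: a template REPLACES the holders of a right, so the default Windows XP holders of
rem "Shut down the system" (Administrators, Backup Operators, Power Users, Users) are listed alongside John.
>> "%INF%" echo [Privilege Rights]
>> "%INF%" echo SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,John
rem Cached credentials: keep two cached domain logons instead of the default ten. A value of 0 disables
rem caching, so a laptop that cannot reach a domain controller could not log on at all.
>> "%INF%" echo [Registry Values]
>> "%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"2"

secedit /configure /db "%SDB%" /cfg "%INF%" /areas SECURITYPOLICY USER_RIGHTS /log "%TEMP%\classroom.log" /quiet
if errorlevel 1 (
    echo Secedit reported a problem; see %TEMP%\classroom.log
    exit /b 1
)
rem Verify: "net accounts" prints the password and lockout policy now in force,
rem and "reg query" shows the cached-logon count the slide discusses.
net accounts
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount
endlocal
```

After running it, open Local Security Settings and show students that the User Rights Assignment entry for "Shut down the system" now includes John, and that the Password Policy and Account Lockout Policy nodes reflect the template values; the secedit log records any line the template could not apply.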
This slide lists three potential issues with cached credentials. Discuss the symptoms of each and see if students can offer the correct solution to each scenario. Be sure to discuss the necessity of logging on to a domain at least once to cache credentials for offline use.
This slide follows the summary in the textbook. Discuss each item, emphasizing important points. Answer any final questions.