NET 121b: Essentials of Networking

Chapter 14: User Management

Objectives:

This chapter discusses issues related to user accounts on a network. The objectives important to this chapter are:

  1. Authentication
  2. Share-level and user-level access
  3. Login accounts, groups, and passwords
  4. Password policies
  5. Permissions and user profiles
  6. Permissions needed for specific tasks
Concepts:

Authentication is any process used to prove identity to network security programs. Your text says it is a method of proving a user's true identity, but we all know of instances of users who share IDs and passwords. Authentication systems only work as intended when users keep their authentication information private.

Two kinds of security models are discussed in the chapter. The first is peer-to-peer, or peer-level security. The text goes on to say that this is also called share-level security. In a peer-to-peer network, each device may have resources that can be shared with some or all other devices. Allowing other devices (users) to access your files or resources is sometimes called creating a network share. In Microsoft terms, it is just called a share.

This type of sharing does not require a client-server environment. It is normally simple to establish, although Windows XP makes it a pain. (Microsoft's own instructions for the XP procedure move around often enough that I will not rely on a link to them here.)

In most versions of Windows, you share a resource by changing its properties. You give it a name to be known as on the network, set rights, and establish whether it is password protected. When you set rights to a folder, for example, you can set it to be shared as read-only, set it to full rights, or make the rights dependent on the password used, setting one password for read-only and another for full rights. This is much more limited than the rights that can be assigned in a client-server environment. (Share passwords of this kind belong to the Windows 9x share-level model; Windows NT and later assign share permissions to accounts and groups instead.)

In the peer environment, computers are typically put into groups called workgroups. A workgroup is only a naming and browsing convenience: membership in a workgroup grants no rights by itself. Each computer keeps its own list of shares and share passwords, so access is decided machine by machine.

User-level access is more common on client-server networks. The author tells us that there may be a user accounts database on the network, which stores information such as what rights each user has to each object in the network. He refers to this as the access control list. It is more accurate to say that each object (file, folder, printer, directory entry) has its own access control list: a list of accounts and groups and the rights each of them is granted. In a Microsoft network, the accounts database is probably Active Directory. In a Novell network it is eDirectory, or Novell Directory Services (NDS) on older Novell networks. In a user-level access environment, accounts and groups are stored in the directory, so a user is required to log in to the network, at which point the directory authenticates the user and the rights attached to that account and its groups apply for the current session.

In a Microsoft network, this gets more complicated. A user may have rights that are granted based on their login that apply only to the computer where they are working, such as rights to folders and files on that computer. A user may also log in with an account that exists only in the local accounts database of one server; rights granted to that account apply only on that server. This local database is not the same as the Active Directory database that covers all servers and computers in a Windows domain, although domain accounts can be granted rights on a local machine as well.

This subject requires much more discussion than the author gives it, so we will let it go for now. (You may wish to pursue more information in Microsoft certification classes.)

The text lists several vendors that sell network software that supports user-level accounts. Microsoft, Novell, and all forms of UNIX are listed.

When creating a user account on a network, the user needs to be told their user name and their first password. I called the password their first password, since it is common to force the user to change the password on the first login.

The user name may be called a user ID, a logon name, or other similar phrase. In well run networks, administrators follow some rule for creating user names that makes them understandable and predictable. One common standard is to use the user's surname and first initial, adding consecutive integers in the case of duplicates. The obvious changes are made for names in which the surname (family name) comes first. In older systems that had limits on the length of object names, the first part of the ID was commonly truncated to seven characters. We are mostly past that problem now.
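As an added example (my own code for these notes, not from the textbook), here is a shell function that applies the naming rule above: surname plus first initial, lower-cased, with the surname cut to seven characters for old systems and an integer appended when the result already exists. The list of existing IDs is constructed for the demo, and the choice to give the first duplicate the suffix 2 (so the original holder keeps the plain ID) is an assumption, since the text does not say which integer to start with.

```shell
#!/bin/sh
# Added example, not part of the course notes: generate a predictable user ID
# from a person's name and avoid collisions with IDs that already exist.

# Constructed sample of IDs already in the accounts database, one per line.
EXISTING=$(mktemp)
trap 'rm -f "$EXISTING"' EXIT
printf '%s\n' smithj smithj2 garciam washingg > "$EXISTING"

# clean_name <string>: lower-case and keep only letters and digits, so that
# names with spaces, apostrophes or capitals still yield a valid login name.
clean_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cd '[:lower:][:digit:]'
}

# make_login <first-name> <surname> <existing-ids-file>
# Surname truncated to 7 characters + first initial; if that ID is taken,
# append 2, 3, ... until a free one is found (assumption: the first holder
# keeps the unsuffixed ID).
make_login() {
    first=$1; surname=$2; existing=$3
    base="$(clean_name "$surname" | cut -c1-7)$(clean_name "$first" | cut -c1)"
    if [ -z "$base" ]; then
        echo "cannot derive a login name from: $first $surname" >&2
        return 1
    fi
    candidate=$base
    n=1
    while grep -qx -- "$candidate" "$existing" 2>/dev/null; do
        n=$((n+1))
        candidate="$base$n"
    done
    printf '%s\n' "$candidate"
}

make_login John Smith "$EXISTING"            # smithj3 (smithj, smithj2 taken)
make_login Maria Garcia "$EXISTING"          # garciam2
make_login George Washington "$EXISTING"     # washingg2: surname cut to "washing"
make_login "Mary Ann" "O'Neill" "$EXISTING"  # oneillm
```

The function reads the existing IDs from a file so the demo runs offline; in practice you would query the directory instead, but the collision loop is the same.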

A user account is also associated with a unique identifier that is generated when the account is created. In a UNIX network the number is called a User ID (UID). In a Microsoft network it is called a Security Identifier (SID); Novell eDirectory gives each object a comparable internal object ID. Users rarely see this number, and administrators seldom need to, but it exists, and the author discusses it to make a point: rights are granted to the identifier, not to the name. If a user's account is deleted and recreated, the rights no longer apply, because the recreated account gets a new identifier and is therefore a different account, even though the account name is the same. Two practical consequences follow. On Windows, the old SID lingers in the permission lists of objects the account could reach, showing up as an unresolvable SID until someone cleans it up. On UNIX, UIDs are small numbers that get reused, so files left behind by a deleted account become the property of whoever is later assigned the same UID; reassign or remove them when the account goes.

In most networks, the person creating the account also has to place the user in at least one group. The text cryptically explains that Microsoft networks have local groups and global groups. The intended pattern is this: put user accounts into global groups (which represent roles across the domain), put those global groups into local groups on the machine or domain that holds the resources, and grant permissions to the local groups, never directly to users. Microsoft often summarizes this as A-G-L-P: Accounts go in Global groups, which go in Local groups, which get Permissions.

User accounts are typically created and managed with tools that are specific to the kind of network you have. A Microsoft network will use the Microsoft Management Console (MMC), a Novell network will use NetWare Administrator or ConsoleOne, and a UNIX network will vary greatly depending on what kind of UNIX it is.

The text continues with a discussion of permissions in a Microsoft network. The point seems to be that a user is not given a permission until the user logs in to the layer of the network that grants the permission. This is, of course, after the administrator has performed the necessary tasks to assign permissions to the user.

All three major network vendors support the concepts of read, write, and execute permissions. In Microsoft and Novell networks, permissions are additive: your effective permissions are the union of those granted to your account and those granted to each group you belong to, with one important exception in Windows, where an explicit No Access (Deny) entry overrides any grant. UNIX does not add permissions together at all: the system picks exactly one of the three sets (owner, group, or other) and uses only that one, as explained below.

  • In a UNIX network, read, write, and execute are the only permissions in the traditional mode bits. See below.
  • In a Microsoft network (share permissions), Read permission includes Execute. Change allows a user to modify, add, and delete files. Full Control allows a user to do about anything with a file, including changing its permissions. No Access denies the user regardless of anything else that has been granted.
  • Windows NT introduced the NT File System (NTFS), which Windows 2000 and later also use, and NTFS carries a richer set of permissions than a share does. There is still Read, Write, and Execute. It also has Delete, Change Permissions, and Take Ownership permissions. When a file is reached over the network, both the share permissions and the NTFS permissions are checked, and the more restrictive result wins.
  • Novell systems have eight file system permissions, six permissions that relate to objects in eDirectory, and six more permissions that relate to properties of objects in eDirectory. Details on this material are in my other notes, and this is not a Novell class. Enough on it for now.

In Windows and Novell environments, you can set and change permissions on files and folders with graphical utilities. In UNIX environments, you need to know some command-line tools. Files (and directories) have permissions assigned to them. There are three basic permissions:

  • read - you can see what is in a file
  • write - you can change what is in a file
  • execute - you can run a file, if it is a program or script; on a directory, execute means you can enter it and reach the files inside

UNIX also divides the world into three categories with regard to each file. First, you should know that users on a UNIX system are classified as belonging to groups. These groups are artificial, set up by the system administrator (in /etc/group). A user on the system falls into exactly one of three categories with respect to any particular file, and the system checks them in this order, using only the first set that matches:

  • user - the account that owns the file, and probably created it
  • group - any account in the file's group, other than the owner
  • other - everybody else in the universe

Think of permissions as three groups of three when seen in a list of files. Use the ls command with the option -al (DOS introduces command options with a forward slash; UNIX uses a hyphen). The command might look like:

	ls -al

It asks for the long-form listing of all files in the current directory, including the hidden ones whose names begin with a dot.

On the left side of the listing are the permissions. The first character is the file type: d for a directory, a hyphen for an ordinary file. (They love that hyphen in UNIX.) The nine characters after it are the permissions, which for a file might look like this:

	-rwxr-xr--

This is three sets of three letters (or hyphens). The first set is for the User, and rwx means he/she can read, write and execute that file. The second set of three is for the Group the file belongs to. The combination r-x means they can read it and execute it, but not write to it (the w is missing). The third set is for anybody else wandering across this file in the system. They got r-- in this example. That means they can read the file but not write to it or execute it. Bear in mind that if the file is a script, anyone who can read it can copy it and run the copy, so withholding execute does not keep the contents private; only withholding read does that.

There are several ways to set or change the permissions assigned to a file. Only the file's owner or the superuser (root) can do so. I usually use the chmod command with three octal digits (0 to 7) that summarize the permissions, one digit per category above. Each digit is the sum of read (4), write (2), and execute (1). Use this chart to decide what number to give each kind of person:

  • 0 - no rights (000 in binary)
  • 1 - execute only (001 in binary)
  • 2 - write only (010 in binary)
  • 3 - write and execute (011 in binary)
  • 4 - read only (100 in binary)
  • 5 - read and execute (101 in binary)
  • 6 - read and write (110 in binary)
  • 7 - all three: read, write and execute (111 in binary)

Issue the command like this

	chmod 751 filename

This sets the owner's permissions to full (7), the group's permissions to read and execute (5), and everyone else's (other) rights to execute only (1).
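To tie the ls output to the chmod digits, here is an added example in shell (my own code for these notes, not from the textbook). It converts a mode string such as -rwxr-xr-- into its octal digits and back, then applies a mode to a scratch file and reads it back with ls -l so you can confirm the two notations agree. It also handles the s and t characters you will sometimes see in the execute position (the setuid, setgid and sticky bits), which chmod expresses as an extra leading digit.

```shell
#!/bin/sh
# Added example for these notes (not from the textbook): convert between the
# symbolic mode shown by `ls -l` and the octal digits given to chmod.

# sym_to_octal <mode-string>
# Accepts the 10-character field from ls -l (type + 9 permission characters)
# or just the 9 permission characters. Prints e.g. 754 for -rwxr-xr--.
sym_to_octal() {
    s=$1
    case ${#s} in
        10) s=${s#?} ;;   # drop the leading type character (- d l ...)
        9)  ;;
        *)  echo "bad mode string: $1" >&2; return 1 ;;
    esac
    special=0; digits=""; k=0
    while [ $k -lt 3 ]; do            # k=0 owner, k=1 group, k=2 other
        t=$(printf '%s' "$s" | cut -c$((k*3+1))-$((k*3+3)))
        n=0
        case $t in r??) n=$((n+4)) ;; esac
        case $t in ?w?) n=$((n+2)) ;; esac
        case $t in ??[xst]) n=$((n+1)) ;; esac   # lower-case s/t imply x too
        # s/S = setuid (owner) or setgid (group), t/T = sticky (other);
        # chmod writes these as a fourth digit in front of the usual three.
        case $k$t in
            0??[sS]) special=$((special+4)) ;;
            1??[sS]) special=$((special+2)) ;;
            2??[tT]) special=$((special+1)) ;;
        esac
        digits="$digits$n"
        k=$((k+1))
    done
    if [ $special -eq 0 ]; then printf '%s\n' "$digits"
    else printf '%s%s\n' "$special" "$digits"; fi
}

# octal_to_sym <three-octal-digits>: prints e.g. rwxr-x--x for 751.
octal_to_sym() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got: $1" >&2; return 1 ;;
    esac
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        case $d in [4567]) out="${out}r" ;; *) out="${out}-" ;; esac
        case $d in [2367]) out="${out}w" ;; *) out="${out}-" ;; esac
        case $d in [1357]) out="${out}x" ;; *) out="${out}-" ;; esac
    done
    printf '%s\n' "$out"
}

# apply_and_show <mode>: chmod a scratch file and print what ls -l reports,
# so the reader can verify that chmod and ls agree.
apply_and_show() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" || { rm -f "$f"; return 1; }
    ls -l "$f" | cut -c1-10
    rm -f "$f"
}

sym_to_octal -rwxr-xr--   # 754
sym_to_octal -rwsr-xr-x   # 4755 (a setuid program)
octal_to_sym 751          # rwxr-x--x
apply_and_show 751        # -rwxr-x--x
```

The chart above covers the three permission digits; the extra leading digit the function prints for s and t is the one you will see in a setuid program's mode, and it is worth recognizing because such files run with the owner's identity rather than the caller's.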

When setting up a user account, the administrator often creates and assigns a "home directory" to the user. This is typically a folder on a network server that is named for the user, which may be in a folder that holds many folders named for users. The user will be assigned a drive mapping to this folder: a letter/colon combination, such as H:, that allows the user to access this folder like a drive. The drive mapping is typically done in the user's logon script (also called a login script). The text says that a logon script is an application. It is not, quite: it is typically a short text file of commands, like a DOS batch file, that the system runs each time the user logs in to the network. Because it runs with the user's rights on every login, the script should be writable only by administrators; anyone who can edit it can make every one of that user's sessions do something extra.

To perform tasks like creating and managing user accounts, an administrator needs rights to the network directory and the file system that are more extensive than those needed by other users. On a UNIX system, this may be referred to as having root-level access. On a Microsoft or Novell network, the terms administrator and supervisor are typically used, sometimes interchangeably.

Several pages are devoted to passwords. A password may have several restrictions, depending on your network system, and the policies you choose to enforce.

  • passwords may be required to be a minimum length
  • passwords may be required to use upper and lower case
  • passwords may be required to use letters and numerals
  • passwords may be required to be new: the network may remember a user's last 10 passwords, and a new password must not appear on that list
  • passwords may be set to expire at regular intervals. On a Microsoft network, the user is warned that a password will expire soon, and is invited to change it. This does not work well when a user logs in infrequently. On a Novell network, the user is told on the first login after a password has expired that they must change it within so many more logins. This is called having grace logins.
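As an added example (my own code, not from the text), here is a shell function that enforces the rules listed above on a candidate password: minimum length, both cases of letters, at least one numeral, and no reuse of the last ten. The history file is constructed for the demo and holds the old passwords in the clear so the check is easy to follow; a real system keeps only hashes of the old passwords and compares the hash of the candidate, never the plain text.

```shell
#!/bin/sh
# Added example, not from the course text: check a candidate password against
# the policy rules described above.

MIN_LENGTH=8        # rule: minimum length
HISTORY_DEPTH=10    # rule: remember the last N passwords

# Constructed sample history for one user, oldest first, newest last.
# (A real system stores hashes here, not plain text.)
HISTORY_FILE=$(mktemp)
trap 'rm -f "$HISTORY_FILE"' EXIT
printf '%s\n' Winter2019x Spring2020y Summer2020z > "$HISTORY_FILE"

# check_password <candidate>
# Prints "ok" and returns 0, or prints the first violated rule and returns 1.
check_password() {
    p=$1
    if [ ${#p} -lt "$MIN_LENGTH" ]; then
        echo "too short: need at least $MIN_LENGTH characters"; return 1
    fi
    case $p in *[[:upper:]]*) ;; *) echo "no upper-case letter"; return 1 ;; esac
    case $p in *[[:lower:]]*) ;; *) echo "no lower-case letter"; return 1 ;; esac
    case $p in *[[:digit:]]*) ;; *) echo "no numeral"; return 1 ;; esac
    # Only the most recent HISTORY_DEPTH entries count.  -F: no regex
    # interpretation, -x: whole line must match, --: candidate may start with -
    if tail -n "$HISTORY_DEPTH" "$HISTORY_FILE" | grep -qxF -- "$p"; then
        echo "reused: matches one of the last $HISTORY_DEPTH passwords"; return 1
    fi
    echo ok
}

# set_password <candidate>: accept it only if the policy passes, then record
# it so that it cannot be chosen again for HISTORY_DEPTH changes.
set_password() {
    check_password "$1" >/dev/null || return 1
    printf '%s\n' "$1" >> "$HISTORY_FILE"
}

check_password Abc1          # too short: need at least 8 characters
check_password abcdefg1      # no upper-case letter
check_password Spring2020y   # reused: matches one of the last 10 passwords
check_password Autumn2021q   # ok
```

The rules are checked in the order listed so the user gets one clear reason for a rejection; note that the history check uses -F and -x so that a password containing regular-expression characters, or one that is merely a prefix of an old password, is handled correctly.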

Users should be told about passwords, told how to change them, told the requirements for them, and assisted in using them. The rules for your network should not be made so strict that users cannot remember their passwords. That will cause them to write the password on a sticky note attached to the monitor, defeating the security of the user's account.