Local Area Networks, 3rd Edition, David A. Stamper, © 2001 by Prentice Hall

Part 4: Installation and Management

Chapter 10

LAN Administration: Users, Groups, and Security


Chapter Preview

In this chapter you will study:

• Users and groups

• System programming

• Security

• Virus protection


Users and Groups

• Users

– From the LAN administrator’s perspective, the term users applies only to employees who use the LAN in doing their jobs. Because LAN users usually do not all have the same access privileges, it is important to be able to distinguish one user from another.

– The user ID is a user’s form of identification to the system. The ID is used to log in to the LAN. Exactly what access is allowed depends on the user’s access rights.

– Many LAN systems automatically establish two types of users at installation time. One type of user has a common user ID with few or no network privileges. The other type of user is all-powerful, with all rights and privileges on the system.

– The LAN administrator should devise a plan for creating consistent user names, matching those user names with the users or functions that use them, and setting up user-access rights.


Users and Groups (cont.)

• Groups

– A group is a collection of users. In some systems, each user must belong to exactly one group. In other systems, a user can belong to none, one, or several groups. The function of a group is to combine many users into a single entity and to use the group to implement security or grant capabilities common to groups of users.

– Users and groups can do certain things on a LAN because they have been given access rights, or permissions.

– The LAN administrator must devise a way to give proper access rights to all users.


User-Access Rights

Rights Extended to Everyone:
  Logon and logoff
  Send and receive electronic mail
  Run word processing and spreadsheet programs
  Use department printers

Rights Extended to All Members of a Personnel Group:
  Change employee addresses, telephone numbers, and names
  Retrieve employee data

Rights Extended to Only a Few Members of a Personnel Group:
  Change employee ratings
  Promote employees
  Add new employees
  Delete employees

Rights Extended to Specific Member of a Software Development Group:
  Create files
  Update source program
  Delete files
  Delete source files


System Programming

• The meaning of system programming depends on whether the system is a mainframe or a LAN.

– On a LAN, system programming consists primarily of running the network, solving network problems, installing new software, writing network utilities, and personalizing users’ environments.

• In NetWare, part of a user’s environment is created with a logon script. Through the logon script, the LAN administrator can usually carry out the following:

– map server directories to the client's OS drive designators, such as F:

– print messages to the user

– run one or more programs

– set the user’s default drive and directory

– synchronize the client’s time to the server’s time

– set up printing


Security

• Setting up effective network security is a critical task of the LAN administrator. Although security does guard against different types of outside intrusions, most commonly security protects an organization from accidental or intentional disruption from its own employees.

• Too much security makes a system hard to use. Too little security can result in the loss of data, money, or opportunity because everyone has access to everything. A good security system provides the necessary safeguards without unduly inhibiting the use of the system.

• A comprehensive security program provides both physical security and data access security.


Password Administration

• A properly secured LAN requires all users to identify and authenticate themselves. Authentication is most commonly done via passwords.

• The security of your LAN system depends to a great extent on your policy for creating and changing passwords.

• One way to handle unsuccessful logons is to use a timeout value, which causes the system to refuse to accept another logon attempt from a user ID, station, or both until after a designated interval.

• Some installations like to maintain centralized control of the security system. One way of doing this is to prevent users from changing their own passwords. The LAN administrator is responsible for assigning all passwords.


Suggested Password Policy

Change passwords regularly—at least once per month.

Passwords should be at least six characters long.

Use at least one nonalphabetic character in passwords.

Do not write passwords down.

Do not use initials, month abbreviations, birthdates, and so on when making up a password.

Change a password if you suspect someone else knows it.

Make successive passwords unique; that is, do not use sequence numbers or letters.

Report any instances of suspected unauthorized logons.

Do not leave your workstation unattended while you are logged on.
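The policy above can be checked mechanically when a user picks a new password. This is an added example, not code from the book or from NetWare or Windows NT; the rule texts, the minimum length of six and the personal_tokens list (initials, birth year and similar strings supplied per user) are assumptions made here.

```python
MONTH_ABBREVS = ("jan", "feb", "mar", "apr", "may", "jun",
                 "jul", "aug", "sep", "oct", "nov", "dec")
MIN_LENGTH = 6   # the slide's "at least six characters"

def is_sequence_variant(new, old):
    """True when new differs from old only by a trailing counter (pay01 -> pay02, abcA -> abcB)."""
    if new.rstrip("0123456789") == old.rstrip("0123456789"):
        return True
    return len(new) == len(old) and new[:-1] == old[:-1]

def check_password(candidate, previous, personal_tokens):
    """Return the list of policy rules the candidate breaks (empty means acceptable).

    personal_tokens holds strings the user must not build a password from:
    initials, surname, birth year or month/day digits (constructed per user).
    previous is the user's current password, or None for a first password.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than six characters")
    if candidate.isalpha():
        problems.append("no nonalphabetic character")
    low = candidate.lower()
    if any(month in low for month in MONTH_ABBREVS):
        problems.append("contains a month abbreviation")
    # single letters are skipped to avoid flagging every password with that letter
    if any(tok.lower() in low for tok in personal_tokens if len(tok) >= 2):
        problems.append("contains initials, a birthdate or other personal data")
    if previous is not None:
        if candidate == previous:
            problems.append("same as the previous password")
        elif is_sequence_variant(candidate, previous):
            problems.append("differs from the previous password only by a sequence number or letter")
    return problems
```

The month check is a substring test, so words that happen to contain an abbreviation (such as "decoder") are rejected too; that is the conservative side to err on.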


Logon Restrictions

• Security can be further enhanced by controlling an authenticated user’s access to the system. This requires the LAN administrator to restrict how and where users log on.

• An organization may restrict users to specific workstations. A good security policy might be to limit logons for payroll user IDs to workstations in the payroll department area and for personnel user IDs to be limited to logging on from workstations in the personnel department.

• A major breach of security occurs when a user leaves his or her workstation without logging off. It is a good idea to have workstations set to automatically log off in the absence of input.
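The timeout value described under Password Administration and the station restrictions described on this slide can be enforced by one gate in front of the password check. This is an added example, not code from the book or from any network operating system; the class name LogonGate, the threshold of three failures, the 600-second interval and the station names in the comments are assumptions made here.

```python
import time
from collections import defaultdict

# Constructed policy values for this example (not taken from the slides).
MAX_FAILURES = 3           # unsuccessful logons before the timeout applies
TIMEOUT_SECONDS = 600      # refuse further attempts for this interval

class LogonGate:
    """Enforces station restrictions and a failed-logon timeout.

    allowed_stations maps a user ID to the workstations it may log on from
    (e.g. payroll IDs to the payroll department's stations); a user ID absent
    from the map may log on from anywhere. Failures are counted per user ID
    and per station, so either key can enter the timeout on its own.
    """

    def __init__(self, allowed_stations, clock=time.time):
        self.allowed_stations = allowed_stations
        self.clock = clock                 # injectable for testing
        self.failures = defaultdict(int)   # key -> consecutive failures
        self.locked_until = {}             # key -> time the timeout ends

    def in_timeout(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[key]         # interval elapsed: reset the key
        self.failures[key] = 0
        return False

    def attempt(self, user_id, station, password_ok):
        """Return 'wrong station', 'timeout', 'failed' or 'ok' for one attempt."""
        now = self.clock()
        permitted = self.allowed_stations.get(user_id)
        if permitted is not None and station not in permitted:
            return "wrong station"         # refused before the password is checked
        if self.in_timeout(user_id, now) or self.in_timeout(station, now):
            return "timeout"               # refused until the interval has passed
        if password_ok:
            self.failures[user_id] = self.failures[station] = 0
            return "ok"
        for key in (user_id, station):     # count the failure against both keys
            self.failures[key] += 1
            if self.failures[key] >= MAX_FAILURES:
                self.locked_until[key] = now + TIMEOUT_SECONDS
        return "failed"
```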


Password/User Controls in NetWare and Windows NT

Control                                                  NetWare   Windows NT
Password expiration                                         X          X
Minimum password age                                        -          X
Minimum password length                                     X          X
Password uniqueness                                         X          X
Lockout after specified number of unsuccessful logins       X          X
Station restrictions for login                              X          X
Time restrictions for login                                 X          X
Allow user to change password                               X          X
Require passwords for users                                 X          X
Limit concurrent logins                                     X          -
Allow grace logins (number of, after password expires)      X          -

(X = control available; - = not available)


Encryption

• If you cannot prevent users from gaining unauthorized access to data, you can take another measure, encryption, to prevent those users from using that data. Encryption is the process of taking data in its raw form, called plain text, and transforming it into a scrambled form, called cipher text.

• The most common encryption techniques are the data encryption standard (DES), originally established by the U.S. Bureau of Standards, and public key encryption.

• You almost always find encryption being used on LAN files that contain user passwords. Because passwords are stored in a file, access to the passwords in that file seriously jeopardizes system security if the passwords are stored in clear text. To overcome this problem, almost all systems encrypt the passwords before storing them on disk.


Access Matrix

• An access matrix is a grid where users are listed over columns, and files are listed at the beginning of a row, similar to a spreadsheet format. At the intersection of a row and column is a cell defining that user’s rights to that file. The rights represented are read (r), write (w), execute (e), and delete (d); a dash means no capability.


Sample Matrix

          User-1   User-2   User-3
File-1    rwed     rw--     r---
File-2    r---     ----     ----
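A server that consults an access matrix should parse each cell strictly and deny by default. This is an added example, not code from the book; the function names, the dictionary layout and the matrix values (filled in with the slide's user and file names as read from the transcript) are assumptions made here.

```python
# Position of each code in a cell: read, write, execute, delete.
RIGHT_ORDER = "rwed"
RIGHT_NAMES = {"r": "read", "w": "write", "e": "execute", "d": "delete"}

# Constructed matrix in the slide's format: each file is a row, each user a
# column, and a cell such as "rw--" grants read and write only.
SAMPLE_MATRIX = {
    "File-1": {"User-1": "rwed", "User-2": "rw--", "User-3": "r---"},
    "File-2": {"User-1": "r---", "User-2": "----", "User-3": "----"},
}
NO_RIGHTS = "-" * len(RIGHT_ORDER)

def parse_cell(cell):
    """Return the set of right names a cell grants; reject malformed cells."""
    if len(cell) != len(RIGHT_ORDER):
        raise ValueError(f"cell {cell!r} must have {len(RIGHT_ORDER)} positions")
    granted = set()
    for ch, code in zip(cell, RIGHT_ORDER):
        if ch == code:
            granted.add(RIGHT_NAMES[code])
        elif ch != "-":                      # a dash means no capability
            raise ValueError(f"unexpected {ch!r} in the {RIGHT_NAMES[code]} position")
    return granted

def authorize(matrix, user, filename, right):
    """Default deny: unknown files, unknown users and unlisted rights all fail."""
    row = matrix.get(filename, {})
    return right in parse_cell(row.get(user, NO_RIGHTS))

def rights_of(matrix, user):
    """Everything one user may do, file by file, as an access-review listing."""
    return {f: sorted(parse_cell(cols.get(user, NO_RIGHTS))) for f, cols in matrix.items()}

def validate_matrix(matrix):
    """Return the (file, user) cells that do not parse, so a bad edit is caught early."""
    bad = []
    for f, cols in matrix.items():
        for u, cell in cols.items():
            try:
                parse_cell(cell)
            except ValueError:
                bad.append((f, u))
    return bad
```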


Novell NetWare File and Directory Rights

Right           Code  Meaning
Supervisory     [S]   Supervisory rights to the directory, its files, and all subdirectories
Read            [R]   Read an open file
Write           [W]   Write to an open file
Create          [C]   Create a new file
Erase           [E]   Delete an existing file
File scan       [F]   List names of files or subdirectories in directory
Modify          [M]   Change file attributes, rename files, and rename directories
Access control  [A]   Pass rights to directory or file to another user


File/Directory Tree Structure

(Figure: a directory tree whose boxes denote directories; the directories shown are Root, Database, SUB 1, Customer, and Notes.)


Some Windows NT Rights

Access this computer from the network

Add workstations to a domain

Back up files and directories

Change the system time

Force shutdown from a remote system

Load and unload device drivers

Log on locally

Manage auditing and security log

Restore files and directories

Shut down the system

Take ownership of files


Windows NT Share Permissions

No Access—no permissions granted for share

Read—read directories, files, run programs

Change—read access, plus can modify files, delete and create directory entries

Full Control—read and change, plus change permissions and take ownership


Security Policy Topics

Password administration

Auditing policy

Consequences of employees intentionally trying to subvert security

Encryption implementation

Virus detection procedures

Data backup/restore policy

Introduction of software/data by employees, i.e., using media from outside the organization

Access to outside networks/nodes

Control of external access, e.g., switched and Internet connections

Disaster recovery

Designation of personnel for monitoring and implementing security

Managing security threats

Security training

Documentation

Security review procedures


Viruses

• A LAN administrator must protect the system from viruses. This is no easy task. In 1991, approximately 500 different viruses had been detected. By 1999, one antivirus software company had over 45,000 viruses registered.

• Viruses disrupt systems in a variety of ways, and some are more destructive than others. All viruses hinder normal system operations.


Virus Detection

• Viruses are detected in two ways. The most obvious but least desirable way is to experience the consequences of having a virus. The best way to detect a virus is to find it before it activates itself. A variety of antivirus programs are available for this purpose.

• Some antivirus programs are run on demand, whereas others are constantly running. Programs that are constantly running use memory (and contribute to system overhead), but generally provide better protection than on-demand antivirus programs.

• It is best to have a stand-alone computer conveniently available for virus detection. After data has been received, it and the stand-alone computer can be checked for viruses. After checking for viruses and removing any that are found, the administrator can move the data to the LAN.


How an Antivirus Program Works

1. Workstation application issues request to access a file.

2. Antivirus software examines file being accessed.

3. Antivirus software writes message to log file and system console.

4. Antivirus software does one of the following: (a) removes virus from file, (b) erases file, (c) moves file to disk area for infected files, (d) renames file, (e) does nothing and allows file to be accessed.

(Figure: the request and the response pass between the Workstation and the Server.)
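The four steps above, written as the decision an on-access scanner makes for one file request. This is an added example, not code from the book or from any antivirus product; the signature table, the in-memory dict standing in for the server volume, the INFECTED directory name and the ".vir" suffix are assumptions made here.

```python
# Constructed signature: a byte pattern standing in for a real virus
# signature so the example runs offline on in-memory sample files.
SIGNATURES = {"EXAMPLE-MARKER": b"CONSTRUCTED-VIRUS-MARKER"}
INFECTED_DIR = "INFECTED"        # disk area for infected files (option c)

def scan(data):
    """Step 2: return the name of the first signature found in the file, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def on_access(volume, name, action, audit):
    """Steps 1 to 4 for one access request.

    volume is a dict standing in for the server volume (file name -> bytes),
    action is one of 'clean', 'erase', 'quarantine', 'rename', 'allow', and
    audit is the list that receives the log line of step 3.
    Returns (allowed, disposition) so the server can honour or refuse the request.
    """
    data = volume[name]                   # step 1: the file the workstation asked for
    hit = scan(data)
    if hit is None:
        return True, "clean"
    audit.append(f"virus {hit} detected in {name}; action={action}")   # step 3
    if action == "clean":                 # (a) remove the virus from the file
        volume[name] = data.replace(SIGNATURES[hit], b"")
        return True, "cleaned"
    if action == "erase":                 # (b) erase the file
        del volume[name]
        return False, "erased"
    if action == "quarantine":            # (c) move it to the infected-files area
        volume[f"{INFECTED_DIR}/{name}"] = volume.pop(name)
        return False, "quarantined"
    if action == "rename":                # (d) rename it so it is not opened by accident
        volume[name + ".vir"] = volume.pop(name)
        return False, "renamed"
    if action == "allow":                 # (e) log only; the access proceeds
        return True, "allowed"
    raise ValueError(f"unknown action {action!r}")
```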