Local Area Network Management,Design and Security
Transcript of Local Area Network Management,Design and Security
![Page 1: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/1.jpg)
Local Area Network Management, Design and Security
• Windows
– Chapter 8 of the course book
![Page 2: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/2.jpg)
History etc.
• DOS 1.0 (81) up to 64 Kbyte RAM
• Windows 1.0 (85)
• W 2.0 (87)
• W 3.0 (90)
• W 3.11 WfW (93) Windows for Workgroups
• W95 (95)
• W98 (98) Active Desktop, IE integrated into the OS
• Me (00) W95 core
[Figure: two PCs running DOS + MS-Windows with network support, joined by a LAN cable]
![Page 3: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/3.jpg)
History etc.
• NT 3.1 (93) New Technology core
• NT 3.5/3.51 (94/95) Server/Workstation
• NT 4.0 (96) Server/Workstation
• W2k (00) Server/Pro
• XP (autumn 01) Pro/Home
• [.NET Server (the "XP server")] never shipped under that name; it became W2003
• W2003 (W2k3) 24 April 2003
• Service Packs (cumulative updates) and "patches" (individual fixes)
[Figure: Windows NT machines joined by a LAN cable]
![Page 4: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/4.jpg)
W2k (Windows 2000)
• Professional (Pro) workstation
• (2003 Server Web Edition)
• Standard Server
• Advanced Server (2003 Enterprise Edition)
• Datacenter Server (the NOS cannot be bought separately, only preinstalled on OEM hardware)
![Page 5: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/5.jpg)
W2k Pro
• FAT16/32 & NTFS 5.0 (NT File System 5)
• "Genuine" logon (a real, authenticated logon, unlike W9x where the logon can be cancelled)
• Requirements:
              Min               Rec         Max
  CPU         P133              PIII        Dual CPU
  RAM         64 MByte          128 MByte   4 GB
  Disk        685 MByte + RAM   2 GB ->
• Volumes:
              Min          Max             Max file size
  NTFS5       10 MByte     2 TB            2 TB or the volume
  FAT32       512 MByte    2 TB (32 GB)    4 GB
  FAT16       Floppy       4 GB            2 GB
  NB: W2k can format FAT32 volumes to at most 32 GByte (larger FAT32 volumes can still be mounted).
![Page 6: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/6.jpg)
W2k Pro
• Users
  – Administrator
  – Personal user
  – Guest user
• Groups
• Passwords
  – Max/min age
  – Min number of characters
  – Unique (password history)
  – "Login restriction" (logon hours, permitted workstations)
"Foolproof"
![Page 7: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/7.jpg)
W2k Server / Advanced Server / Datacenter Server
• FAT16/32 & NTFS 5.0 (NT File System 5)
• "Very genuine" logon
• Requirements:
              Min               Rec            Max (S / AS / DS)
  CPU         P133              PIII           4 / 8 / 32 CPUs
  RAM         128 MByte         256 MByte ->   4 / 8 / 32 GB
  Disk        685 MByte + RAM   2 GB ->
• Volumes: see W2k Pro
![Page 8: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/8.jpg)
W2k network protocols
• TCP/IP
• NetBEUI
• NWLink (IPX/SPX-compatible)
• DLC – Data Link Control
• EAP
• RADIUS
• IPSec
• L2TP
• BAP
• + many more!
![Page 9: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/9.jpg)
W2k Pro in a network
• W2k Pro must be joined to the domain (via a domain controller) to get access to the domain. (Joining requires domain credentials allowed to create the computer account; in the course, an administrator account.)
• Workgroup
  – Peer-to-peer
  – Shares
![Page 10: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/10.jpg)
Joining a W2k computer to the domain (via the domain controller)
![Page 11: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/11.jpg)
Server types
• Domain controller: holds user accounts etc. (the AD database)
• Member server: joined to the domain but not a DC [DCPROMO.EXE promotes it to a DC, or demotes a DC]
• Standalone server [like "W2k Pro" but a server, with its own local security database (SAM)]
![Page 12: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/12.jpg)
Domain
• W2k Pro/Server and newer can be members of a domain
• W9x etc. can use domain resources (pre-Windows 2000 clients)
[Figure: Domain 1, Domain 2 and Domain 3, each with W2K Servers and several W2K Professional clients]
![Page 13: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/13.jpg)
[Figure: Transitive trust. Domain 1, Domain 2 and Domain 3, each with a W2K Server and W2K Professional clients, are linked by two transitive trusts, so every domain trusts the other two.]
![Page 14: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/14.jpg)
Domain tree (fig. 8.10 p. 325)
root
├── child1.root
│   └── grandchild.child1.root
└── child2.root
![Page 15: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/15.jpg)
Forest
Tree 1:
root
├── child1.root
│   └── grandchild.child1.root
└── child2.root
Tree 2:
ibm
├── child1.ibm
│   └── grandchild.child1.ibm
└── child2.ibm
Two-way transitive trust between the tree roots (root <-> ibm) joins the two trees into one forest.
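How a trust path is found across this forest, as an added example that is not part of the course slides: the two trees above are entered as two-way transitive trusts, and an extra non-transitive external trust to a hypothetical NT4 domain LEGACYNT4 (an assumption, not on the slide) shows why transitivity matters. Python is used as a model here; in a real forest the domain controllers do this through Kerberos referrals.

```python
"""Trust paths in a Windows 2000 forest (model).

Parent-child trusts inside a tree and the tree-root trust between trees are
two-way and transitive, so authentication can be referred along a chain of
them. An external trust to an NT4-style domain is non-transitive: it only
helps the two domains that signed it.
"""
from collections import deque


class TrustMap:
    def __init__(self):
        # domain -> {neighbouring domain: True if the trust is transitive}
        self.edges = {}

    def add_trust(self, a, b, transitive=True):
        """Record a two-way trust between domains a and b."""
        self.edges.setdefault(a, {})[b] = transitive
        self.edges.setdefault(b, {})[a] = transitive

    def trust_path(self, user_domain, resource_domain):
        """Chain of domains a logon in user_domain can be referred through to
        reach resource_domain, or None if no trust path exists."""
        if user_domain == resource_domain:
            return [user_domain]
        # A direct trust of either kind is always enough on its own.
        if resource_domain in self.edges.get(user_domain, {}):
            return [user_domain, resource_domain]
        # Anything longer may only chain transitive trusts (breadth-first search).
        previous = {user_domain: None}
        queue = deque([user_domain])
        while queue:
            domain = queue.popleft()
            for neighbour, transitive in self.edges.get(domain, {}).items():
                if not transitive or neighbour in previous:
                    continue
                previous[neighbour] = domain
                if neighbour == resource_domain:
                    path = [neighbour]
                    while previous[path[-1]] is not None:
                        path.append(previous[path[-1]])
                    return path[::-1]
                queue.append(neighbour)
        return None


def build_forest():
    """The forest from the slides, plus one assumed external trust."""
    trusts = TrustMap()
    # Tree 1 (fig. 8.10): parent-child trusts are created automatically
    trusts.add_trust("root", "child1.root")
    trusts.add_trust("root", "child2.root")
    trusts.add_trust("child1.root", "grandchild.child1.root")
    # Tree 2
    trusts.add_trust("ibm", "child1.ibm")
    trusts.add_trust("ibm", "child2.ibm")
    trusts.add_trust("child1.ibm", "grandchild.child1.ibm")
    # Tree-root trust: two-way, transitive, joins the trees into one forest
    trusts.add_trust("root", "ibm")
    # Assumption for illustration: a non-transitive external trust to an
    # NT4 domain named LEGACYNT4 (not on the slide)
    trusts.add_trust("child2.root", "LEGACYNT4", transitive=False)
    return trusts


if __name__ == "__main__":
    forest = build_forest()
    print(forest.trust_path("grandchild.child1.root", "grandchild.child1.ibm"))
    print(forest.trust_path("child2.root", "LEGACYNT4"))   # direct trust: works
    print(forest.trust_path("root", "LEGACYNT4"))          # not transitive: None
```

A user in grandchild.child1.root reaches a resource in grandchild.child1.ibm by being referred up to root, across the tree-root trust to ibm and down again; nobody outside child2.root can use the external trust, which is exactly the property that makes NT4-style trusts safer to hand out than forest membership.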
![Page 16: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/16.jpg)
Active Directory
• Directory service, MS's answer to Novell's NDS
  – Object – a resource in AD
  – Object classes – types of objects
  – Properties – the object's attributes
• AD depends on DNS: domain controllers register their service (SRV) records in DNS, so the zone must accept dynamic updates. (The directory database itself is stored on each domain controller in NTDS.DIT, not in DNS.)
![Page 17: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/17.jpg)
"Containers" in AD
• Containers are used to create structure and to group resources in AD
• Special containers are used to build forests, trees etc.
• For everyday administration the Organizational Unit (OU) is used almost exclusively
![Page 18: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/18.jpg)
Organizational Unit (OU)
Objects that can be placed in an OU:
• User
• Group
• Computer
• Printer
• Contact
• Shared Folder *
• Other OUs
• (Security policy)
• (Application)
* Pointer to a share in the file system
![Page 19: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/19.jpg)
AD design
1. Geographical
2. Object-based
3. By cost centre
4. By project
5. By department
6. By organisation
7. Hybrid – a mix of the above
![Page 20: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/20.jpg)
Geographical model (fig. 8.13 p. 328)
Domain Multicorp
├── OU USA
│   ├── OU Washington
│   └── OU California
└── OU Europe
    ├── OU Norway
    └── OU Germany
![Page 21: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/21.jpg)
Departmental model (fig. 8.14 p. 329)
Domain Multicorp
├── OU Adm
├── OU Sale
└── OU Accounting
![Page 22: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/22.jpg)
Network settings, Windows 2003
Ways to open "Network Connections", i.e. your network connections, in order to configure them:
Alt 1: /Start/All Programs/Accessories/Communications/Network Connections
Alt 2: /Start/Control Panel/Network Connections
Alt 3: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Network Connections
Alt 4 & 5: in Windows Explorer (run explorer.exe):
• <right mouse button> on My Network Places, <choose> Properties -> Network Connections, or
• Control Panel/Network Connections
![Page 23: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/23.jpg)
Objects in AD
Tools:
• MMC – Microsoft Management Console
  A powerful tool with snap-ins ("plug-ins"), i.e. more programs and tools can be added, which makes it very dynamic and adaptable. ["Too much at once" for beginners?]
• Active Directory Users and Computers
![Page 24: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/24.jpg)
![Page 25: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/25.jpg)
![Page 26: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/26.jpg)
RIGHT-CLICK
![Page 27: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/27.jpg)
![Page 28: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/28.jpg)
User administration
• First name
• Initials
• Last name
• Full name
• User logon name
• User logon name (pre-Windows 2000)
![Page 29: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/29.jpg)
Password
• Password
• Confirm password
• User must change password at next logon
• User cannot change password
• Password never expires
• Account is disabled
![Page 30: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/30.jpg)
![Page 31: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/31.jpg)
Profiles (the Profile tab)
Only works in NT and from W2k onwards.
Tip: use %USERNAME% in the profile path and home folder path; it expands to the account's logon name, so the same template works for every user.
![Page 32: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/32.jpg)
Profiles
• User profile: personal settings such as desktop background, icons, Start menu, etc.
• Managed by the administrator or by each user themselves.
• Local profile: stored on the client, or
• Roaming profile: stored on a server and "follows" the user around the network.
  – Personal user profile (NTUSER.DAT, changes are saved at logoff)
  – Mandatory user profile (rename to NTUSER.MAN) [locked profile: the user's changes are discarded at logoff]
![Page 33: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/33.jpg)
Groups
Two types:
• Security (can be granted permissions)
• Distribution (e-mail lists only, cannot be granted permissions)
Three scopes:
• Domain local
• Global
• Universal
![Page 34: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/34.jpg)
Global-Local-Universal
• Global group (GG)
  – Members: users (and, in native mode, global groups) from its own domain only
  – Can be granted permissions anywhere in the forest
• Domain local group (DLG)
  – Members: users, global and universal groups from the whole forest (and domain local groups from its own domain)
  – Can be granted permissions only within its own domain
• Universal group (UG), native mode only (no NT4 domain controllers)
  – Members: users, global and universal groups from the whole forest
  – Can be granted permissions anywhere in the forest
![Page 35: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/35.jpg)
[Figure: Domain Magazine holds the domain local group LG Common, which is granted access to the shared resources. Domain Cars has the global group GG Car with users Ola, Jan P, Hilde and Ted; Domain Boats has the global group GG Boat with users John, Mary, Mark and Louise. GG Car and GG Boat are members of LG Common.]
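The diagram as running code, an added example that is not part of the slides: a Python model of the scope rules from the previous slide (native mode) and of the AGDLP pattern the diagram illustrates (Accounts into Global groups, global groups into a Domain Local group, the domain local group onto the resource's ACL). The user names are read off the slide as "Ola", "Jan P", "Hilde", "Ted" and "John", "Mary", "Mark", "Louise", which is an assumption about how the slide text was laid out.

```python
"""Active Directory group scopes (native mode) and the AGDLP pattern shown in
the Magazine/Cars/Boats diagram: Accounts go into Global groups, global
groups into a Domain Local group, and the domain local group gets the
Permissions on the resource.
"""
from dataclasses import dataclass, field

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"


@dataclass(frozen=True)
class User:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)


def membership_error(group, member):
    """Reason why 'member' may not be placed in 'group', or None if allowed."""
    same_domain = member.domain == group.domain
    is_group = isinstance(member, Group)
    if group.scope == GLOBAL:
        # Global groups take accounts (and nested global groups) from their own domain only.
        if not same_domain:
            return f"{group.name}: global groups only take members from {group.domain}"
        if is_group and member.scope != GLOBAL:
            return f"{group.name}: a global group may only nest global groups"
    elif group.scope == UNIVERSAL:
        # Universal groups take accounts, global and universal groups from the whole forest.
        if is_group and member.scope == DOMAIN_LOCAL:
            return f"{group.name}: universal groups cannot contain domain local groups"
    elif group.scope == DOMAIN_LOCAL:
        # Domain local groups take accounts, global and universal groups from the
        # whole forest, but other domain local groups only from their own domain.
        if is_group and member.scope == DOMAIN_LOCAL and not same_domain:
            return f"{group.name}: may only nest domain local groups from {group.domain}"
    else:
        return f"unknown scope {group.scope!r}"
    return None


def add_member(group, member):
    """Add a member, enforcing the scope rules."""
    error = membership_error(group, member)
    if error:
        raise ValueError(error)
    group.members.append(member)


def can_be_granted_in(group, resource_domain):
    """A domain local group only works on ACLs in its own domain; global and
    universal groups can be granted permissions anywhere in the forest."""
    return group.scope != DOMAIN_LOCAL or group.domain == resource_domain


def expand(group, seen=None):
    """All users reachable through the group, nested groups included."""
    seen = set() if seen is None else seen
    key = (group.domain, group.name)
    if key in seen:            # guard against membership cycles
        return set()
    seen.add(key)
    users = set()
    for member in group.members:
        users |= expand(member, seen) if isinstance(member, Group) else {member}
    return users


def build_example():
    """The slide's diagram as constructed data (names as read from the slide)."""
    car = Group("Car", "Cars", GLOBAL)
    for name in ("Ola", "Jan P", "Hilde", "Ted"):
        add_member(car, User(name, "Cars"))
    boat = Group("Boat", "Boats", GLOBAL)
    for name in ("John", "Mary", "Mark", "Louise"):
        add_member(boat, User(name, "Boats"))
    common = Group("Common", "Magazine", DOMAIN_LOCAL)
    add_member(common, car)     # global groups from other domains: allowed
    add_member(common, boat)
    return car, boat, common


if __name__ == "__main__":
    car, boat, common = build_example()
    print(sorted(u.name for u in expand(common)))          # all eight users
    print(can_be_granted_in(common, "Magazine"))           # True: the shared resources
    print(can_be_granted_in(common, "Cars"))               # False: wrong domain
    print(membership_error(car, User("John", "Boats")))    # cross-domain: refused
```

The point of the pattern is that the ACL on the Magazine resources never has to change when Cars or Boats hires someone: the account is added to its own domain's global group, and the domain local group Common already carries the permission.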
![Page 36: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/36.jpg)
Built-in groups
Some built-in groups:
• Guests, Users, Domain Users, Administrators
![Page 37: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/37.jpg)
![Page 38: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/38.jpg)
![Page 39: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/39.jpg)
Built-in users
![Page 40: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/40.jpg)
File Security
Two parts:
• Share / share permissions [ACL]
• NTFS permissions [ACL]
FAT16/32 has no file permissions at all, so only NTFS volumes can protect files locally.
For network access a share must first be created that the user can reach; then NTFS permissions are set on the files and folders for the user, and both sets of permissions apply.
![Page 41: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/41.jpg)
Sharing: share it!
[Figure: folder tree on (C:) – Work, WINNT, Home, Data, W1, W2 – with three shares created: Share "Arbete", Share "Data" and Share "Jobb"]
Right-click the folder, choose Sharing
![Page 42: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/42.jpg)
Share permissions
• Full Control
• Change
• Read
• Allow & Deny. NB: a Deny applies even if Allow has been granted from another "source" (e.g. another group the user belongs to).
Default shares on a domain controller:
• NETLOGON – C:\WINNT\sysvol\sysvol\dev.local\SCRIPTS
• SYSVOL – C:\WINNT\sysvol\sysvol
![Page 43: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/43.jpg)
Hidden share$
• A share whose name ends in $ is not listed when browsing, so you must know its name to use it. Hiding is not access control: the share's permissions still decide who gets in.
Default hidden (administrative) shares, usable by Administrators only:
• C$ - C:
• ADMIN$ - the W2k system files [C:\WINNT]
![Page 44: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/44.jpg)
Folder/file rights: Basic rights [ACL]
• Table 8.2 and the list on p. 351 describe all the rights that can be set on folders and files.
• The standard rights are groupings of these, to simplify the work.
![Page 45: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/45.jpg)
Folder/file rights: Standard rights
• Full control
• Modify
• Read & Execute
• List Folder Contents
• Read
• Write
• Advanced…
• Inherited rights
![Page 46: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/46.jpg)
Folder/file rights: Standard rights
• The effective rights are the union of the rights granted from the different sources (the user account and all of its groups).
But:
• Deny wins when it is set here, on the object itself (an explicit Deny beats an Allow from any source; an inherited Deny is beaten by an explicit Allow)
• No Access (the NT4 term) wins
• Inherited rights can be blocked on the folder
• The share you come in through can also limit you (you never get more than the share allows: effective = NTFS rights AND share rights)
Fine tuning of basic rights [ACL]
Inherited rights are shown shaded/grey in the ACL editor
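The rules above as running code, an added example that is not from the course book or the slides: a simplified Python model with a handful of named rights instead of the real NTFS access mask, evaluating ACEs in Windows' canonical order and then intersecting the result with the share permissions. The ACLs, the users (alice, bob) and the group Interns are constructed for the demonstration.

```python
"""How Windows arrives at effective permissions (simplified model).

Rights are a handful of named flags instead of the real NTFS access mask;
the rules are the ones on the slide: rights from all sources add up,
Deny wins over Allow, an explicit ACE on the object beats an inherited one,
and over a share you get the intersection of NTFS and share permissions.
"""
from dataclasses import dataclass

# Basic rights (simplified); the standard rights are groupings of these.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "read", "write", "execute", "delete", "change_perms", "take_ownership")
ALL = frozenset({READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER})

# NTFS standard rights
FULL_CONTROL = ALL
MODIFY = frozenset({READ, WRITE, EXECUTE, DELETE})
READ_EXECUTE = frozenset({READ, EXECUTE})
READ_ONLY = frozenset({READ})
WRITE_ONLY = frozenset({WRITE})

# Share permissions are coarser: Full Control / Change / Read
SHARE_FULL, SHARE_CHANGE, SHARE_READ = ALL, MODIFY, READ_EXECUTE


@dataclass(frozen=True)
class Ace:
    principal: str           # user or group the entry applies to
    allow: bool              # True = Allow, False = Deny
    rights: frozenset
    inherited: bool = False  # True if the entry came from a parent folder


def canonical_order(acl):
    """Windows evaluates ACEs in canonical order:
    explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(acl, principals):
    """Effective rights for someone who is all of 'principals' (account + groups).

    Each right is settled by the first ACE in canonical order that mentions it
    for one of the principals. That is why an explicit Deny beats an Allow from
    any other group, while an explicit Allow beats a Deny that is only inherited.
    """
    granted, decided = set(), set()
    for ace in canonical_order(acl):
        if ace.principal not in principals:
            continue
        undecided = ace.rights - decided
        if ace.allow:
            granted |= undecided
        decided |= undecided
    return frozenset(granted)


def effective_over_network(ntfs_acl, share_acl, principals):
    """Coming in through a share you never get more than the share allows."""
    return effective_rights(ntfs_acl, principals) & effective_rights(share_acl, principals)


# Constructed ACLs for the demonstration (not taken from the course material).
NTFS_ACL = [
    Ace("Users", allow=False, rights=WRITE_ONLY, inherited=True),  # inherited Deny Write
    Ace("Users", allow=True, rights=READ_EXECUTE, inherited=True),
    Ace("alice", allow=True, rights=MODIFY),                       # explicit Allow Modify
    Ace("Interns", allow=False, rights=WRITE_ONLY),                # explicit Deny Write
    Ace("bob", allow=True, rights=FULL_CONTROL),                   # explicit Allow Full Control
]
SHARE_ACL = [
    Ace("Everyone", allow=True, rights=SHARE_READ),
    Ace("bob", allow=True, rights=SHARE_FULL),
]
ALICE = {"alice", "Users", "Everyone"}
BOB = {"bob", "Users", "Interns", "Everyone"}


def demo():
    """Effective rights for the two constructed users, locally and via the share."""
    return {
        # Modify: alice's explicit Allow beats the inherited Deny Write on Users
        "alice_local": effective_rights(NTFS_ACL, ALICE),
        # cut down to Read & Execute by the share, which only grants Read
        "alice_share": effective_over_network(NTFS_ACL, SHARE_ACL, ALICE),
        # everything except Write: the explicit Deny on Interns wins over Full Control
        "bob_local": effective_rights(NTFS_ACL, BOB),
        "bob_share": effective_over_network(NTFS_ACL, SHARE_ACL, BOB),
    }


if __name__ == "__main__":
    for who, rights in demo().items():
        print(who, sorted(rights))
```

Two practical consequences follow from the model: a Deny placed on a parent folder is not a reliable fence, because an explicit Allow further down overrides it; and a Read-only share is a cheap way to make a writable folder read-only for network users while leaving local access untouched.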
![Page 47: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/47.jpg)
AD access: who may do what in the AD?
• Full control
• Read
• Write
• Create all child objects
• Delete all child objects
• Apply Group Policy – with Group Policy we can control the security configuration of all or large parts of our network. (Beyond the scope of this course.)
![Page 48: Local Area Network Management,Design and Security](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e89550346895dcd1849/html5/thumbnails/48.jpg)
Group policy
• Password policy ("password template")
• Account lockout
• Kerberos
• User rights assignment: what a user may do in the system, e.g. "Log on locally" (fig. 8.37 p. 357)
Heavy: nothing of this in the lab