
Telecom OnLine: Lecture Mail
Welcome to Lesson 11, Day 1 - Chapter 10 - Network Administration and Support
Course Notes
Lesson 11 Notes
Managing Networked Accounts
This chapter deals with the generalities
of network administration and support, but focuses on the Windows Server and
Linux operating systems. Windows networking user management principles generally
apply to Linux, but the management utilities are vastly different.
Creating User Accounts
- Two accounts are created by default
when NT Server is installed: Administrator and Guest. It is a very good idea
to create another administrator account with a different name or rename or
disable the Administrator account after the network is running because hackers
use this account to gain access.
- Before creating any accounts,
a network administration plan should be in place which includes the naming
convention for users and groups, the password policy for user accounts, a
policy regarding logon hours and event auditing, and group account guidelines.
- Strictly speaking, all a user
needs to log on to the network is a valid username. Of course, this is not
very secure. By requiring a password, security is increased. Security is also
increased by requiring passwords to be a certain length (at least six, preferably
eight, characters), requiring users to change their password regularly (every
30 to 60 days), and requiring users to use unique passwords. In addition, the
password policy should state that passwords include mixed case characters
and numbers. Discourage the use of family members' names, the user's birthday,
etc., since this information is readily available by doing a little "social
engineering". This virtually eliminates the possibility of a dictionary
attack. Many experts recommend that you combine two dictionary terms with
a punctuation mark to further limit the chances of attack.
- To further prevent attack, the
user’s account should automatically be disabled if they fail to log on
three times in a row.
- Set logon hours: By only allowing
users access to the network during certain hours of the day, the network is
more secure and regular processes, such as backups, can be run without concern
for user intervention.
- Event auditing is a tool that
assists network administrators in determining potential problems from unauthorized
users. This process keeps track of both successful and unsuccessful logon
attempts, object accesses, logoffs, and changes to security information. The
log that tracks these events can grow rather quickly. In a very secure network
environment, this information is often sent directly to a Microsoft SQL Server
system for storage in a database.
- Creating users and setting user
rights: A user’s rights define which network resources they have access
to and what they can do with those resources. It is often easier to create
a group, assign specific rights to that group, and include users in the group
than to assign rights to each user individually.
- Windows NT and Windows 2000 create
certain automatic groups upon install. These groups are listed in your text
on p. 359, Table 10-2. It is important to remember that these groups exist
and, although users cannot be added manually, they have certain rights which
you may or may not want all users to have.
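The lockout, logon-hours and event-auditing items above can be checked together by replaying an audit log. The following is an added example, not part of the course notes: the log format, the user names and the 07:00-19:00 logon window are assumptions, and the records are constructed for illustration.

```python
from datetime import datetime, time

LOCKOUT_THRESHOLD = 3                     # from the notes: three failures in a row
LOGON_HOURS = (time(7, 0), time(19, 0))   # assumed permitted window

# Constructed audit records: timestamp, user, event, result
SAMPLE_LOG = """\
2024-03-04T08:01:12 jsmith logon success
2024-03-04T08:05:40 mbrown logon failure
2024-03-04T08:05:52 mbrown logon failure
2024-03-04T08:06:03 mbrown logon success
2024-03-04T09:14:00 tlee logon failure
2024-03-04T09:14:09 tlee logon failure
2024-03-04T09:14:15 tlee logon failure
2024-03-04T09:20:31 tlee logon success
2024-03-04T23:47:05 jsmith logon success
"""

def review(log_text):
    """Replay audit records and return (findings, disabled accounts)."""
    streak, disabled, findings = {}, set(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "logon":
            continue                      # skip malformed or non-logon records
        stamp, user, _, result = parts
        if user in disabled:
            findings.append((stamp, user, "attempt on disabled account"))
        elif result == "failure":
            streak[user] = streak.get(user, 0) + 1
            if streak[user] >= LOCKOUT_THRESHOLD:
                disabled.add(user)
                findings.append((stamp, user, "account disabled"))
        else:
            streak[user] = 0              # a success breaks the run of failures
            at = datetime.fromisoformat(stamp).time()
            if not LOGON_HOURS[0] <= at < LOGON_HOURS[1]:
                findings.append((stamp, user, "logon outside permitted hours"))
    return findings, disabled

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG)[0]:
        print(*finding)
```

Two failures followed by a success (mbrown) do not trigger the lockout, because the policy counts failures in a row.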
Managing Group Accounts
- In Windows NT and 2000, managing
group accounts is as important as managing single user accounts, and by adding
users to groups based on such things as access to data requirements, location,
department organization, etc., the network manager's job can be simplified.
Rights can be applied to a group and those group rights are inherited by the
members of that group. Groups can even be added to other groups, within certain
guidelines:
- Global groups can include
individual users
- Local groups can include individual
users and global groups
- Linux supports arbitrary nesting
of groups within groups and doesn't recognize the "local-global"
distinction.
- Trust relationships provide cross-domain
access to resources. This is often a very confusing process. First, a domain
must allow itself to be trusted, then a trust is established (either one-way
or two-way). Note that this process must take place on both sides of the trust,
even if the trust will ultimately be one-way.
- In Windows 2000, all trust relationships
are two-way (i.e., if Domain A trusts Domain B, then Domain B must trust Domain
A). After the trust is established, users or groups must be added to provide
access for the users of the other domain. The three methods for doing this
are:
- Add each user individually.
- Add each user's Domain A account
to a global group and then give that group rights on Domain B.
- Add the Domain A user accounts
to a global group and then add that group to a local group on Domain B.
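The nesting guidelines and the third cross-domain method above (Domain A users in a global group, that group in a local group on Domain B) can be modelled directly. This is an added example, not part of the course notes; the domain, user, group and right names are hypothetical.

```python
# Constructed directory data; every name below is hypothetical.
USERS = {r"DOMA\alice", r"DOMA\bob", r"DOMB\carol"}
GLOBAL_GROUPS = {r"DOMA\Accounting": {r"DOMA\alice", r"DOMA\bob"}}
LOCAL_GROUPS = {r"DOMB\LedgerReaders": {r"DOMA\Accounting", r"DOMB\carol"}}
RIGHTS = {r"DOMB\LedgerReaders": {"read:ledger"}}   # rights assigned to groups

def validate(users, global_groups, local_groups):
    """Return violations of the nesting guidelines given in the notes."""
    errors = []
    for name, members in global_groups.items():
        for m in sorted(members - users):
            errors.append(f"{name}: global group may hold only users, not {m}")
    allowed_in_local = users | set(global_groups)
    for name, members in local_groups.items():
        for m in sorted(members - allowed_in_local):
            errors.append(
                f"{name}: local group may hold only users and global groups, not {m}")
    return errors

def effective_rights(user, global_groups, local_groups, rights):
    """Rights a user inherits directly and through global-in-local nesting."""
    globals_held = {g for g, m in global_groups.items() if user in m}
    locals_held = {g for g, m in local_groups.items()
                   if user in m or globals_held & m}
    granted = set()
    for group in globals_held | locals_held:
        granted |= rights.get(group, set())
    return granted

if __name__ == "__main__":
    print(validate(USERS, GLOBAL_GROUPS, LOCAL_GROUPS))
    for u in sorted(USERS):
        print(u, sorted(effective_rights(u, GLOBAL_GROUPS, LOCAL_GROUPS, RIGHTS)))
```

Running `validate` before granting rights catches a group that has been nested where the guidelines do not allow it, so inherited access stays predictable.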
Disabling and Deleting User Accounts
The policies for disabling and deleting
user accounts on a network should be established when the network is set up and
may be something like the following: “In the event that a user leaves
the company, their account will be disabled for 30 days to provide the administrator
time to ensure all data and security settings are available for their replacement.
After 30 days, the account will be deleted.”
Renaming and Copying User Accounts
It is often easier to rename or
copy an existing account than to create a new one. This ensures that all settings
are the same for the new user account.
Managing Network Performance
When monitoring network performance,
there are several areas that should be observed on a regular basis. Anomalies
in any of these areas can indicate a potential problem:
- Disk reads and writes
- If the server refuses
to accept large streams of raw data, it is an indication of memory problems
in the server.
- Queued commands
- If the number of
queued commands is more than the number of NICs in the server, there is
a bottleneck.
- Collisions per second (on an Ethernet
network)
- The number of collisions
per second may indicate a bigger problem in the network, such as cable
segment lengths that are too long.
- Errors accessing data (Security
errors)
- A large number of security
errors may indicate attempts to illegally access your network - a hacking
attempt.
- Server sessions
- Connection details
between network devices and the server should be monitored, such as the
rate at which they are made and the disconnect method - normal logoff or error
or server timeout. The latter may indicate server overload. A solution
might be to add more RAM to the server or update other hardware.
Network performance may also be monitored
and managed by using the Event Viewer, the Performance Monitor and the Network
Monitor on Windows 2000 networks.
- The Event Viewer can be used to
track events such as unsuccessful logon attempts. For the Security log to
track logon/logoff events, the filters must be enabled in User Manager for
Domains. Also discuss the Windows 2000 Event Viewer and the differences between
the versions.
- Performance Monitor uses large
amounts of resources and therefore, it is a very good idea to run Performance
Monitor remotely. The Chart view monitors events in real-time and displays
the information in a graphical format.
- The Network Monitor is not installed
automatically when the operating system is installed. It is added through
the Network Neighborhood Services tab. Like the Performance Monitor, the Network
Monitor utilizes a large number of resources and should be run remotely. The
Network Monitor is able to capture data packets and track a conversation between
computers. This information can be very helpful when diagnosing a network
problem. For example, with Network Monitor capturing data going between two
computers, the administrator might find that a response to a query is being
sent, but after the allotted timeout period.
Total System Management
In addition to using the tools mentioned
above, the network administrator must be concerned with what is happening on
the server side in terms of hardware performance. The following key areas deserve
regular attention and review to determine if optimal performance is being achieved:
- Hard Drive Performance
- Memory Usage
- CPU Utilization
- Network statistics (Performance
or Network Monitor)
Network Performance History and Troubleshooting
By maintaining a network history
of what normal operations look like, the network administrator is better able
to isolate and troubleshoot problems as they arise.
____________________________________________________________________________
Lesson 11, Day 1 - Case Assignment
The administration manager
has taken a leave of absence and will not return for nearly a year. Her temporary
replacement needs to have all access to the network that she had. What is the
best way to ensure her replacement has the correct level of access? How will
you ensure that no one uses the manager’s account while she is gone?
Remember to keep up with your on-line
lessons and quizzes!
mdm and drw