Reading: Provide and monitor access to secure resources

Inside this reading:

Set security, access and sharing to user requirements

Creating a share in Windows 2003

Test to ensure appropriate access for user groups

Document the file system

Testing successful access for users

Auditing user access

User applications and clearance for access

User account and security access details

The security access register

Operating-system security controls

User groups and control mechanisms

Access control on files and directories

Setting permissions for folders in Windows 2003

Monitor user access

Setting logon notification using Windows Messenger

Summary

Set security, access and sharing to user requirements

When a computer file system is established, decisions are made about the different types of access allowed to the users, including:

·  when they can access the system

·  what areas they can access (file areas and resources such as printers)

·  what rights they will have

·  which groups they may belong to

·  how often they may be forced to change passwords (and what password restrictions exist)

·  which computers they can use to log on.

All such items will usually be defined in an organisation’s policies and procedures manual to which support personnel will refer when configuring the system.

For users to have access to the file system they must have a valid user account on the file server, be allowed to log in to the system and also be given rights on the file and hardware ‘shares’ that allow them to perform their tasks.

Creating a share in Windows 2003

Normally when a user is added to a system, a share is created called their ‘home directory’. The user will normally have unrestricted access to this share. The home directories would be created in one area of the hard drive to allow for easier backup. On some systems, users are granted access to other shares to allow them to perform their duties. A folder on the server may hold employees’ pay details, for instance. The payroll group would probably have full access to this, to be able to read, save and change data, whereas the company accountant may have limited or read-only access.

To create a share you identify the folder that you want to share on the file system. In the following example a folder called ‘Accounting’ has been created and then shared. The users from the Accounting group are given full access and the users from the Accounts group are given limited access.

If you wish to follow this activity, create a folder on your computer called Accounting and create two groups called Accounts and Accounting.

1 The screen shot below shows the tool for creating a share (in this case the Accounting share) on a Windows 2003 computer. The same screen would be shown on most versions of Windows Server.
2 The easiest way to access the tool is by right-clicking on the folder in Windows Explorer.
3 The name of the share does not have to be the same as the folder, and there can be multiple shares on the one folder.
4 When you click on the Permissions tab, you will see that the default right given to a share on Windows 2003 servers is the Read only right for the Everyone group (see Figure 2).
Figure 1: Accounting share
5 Normally, the ‘Everyone’ group would be removed from the share. As every user on the server is a member of the Everyone group, leaving this entry would allow everybody to access the share and at least read the documents in it.
Figure 2: Permission tab
6 Clicking ‘Add’ allows you to give the various users and groups access to the share. You can simply type the name of the user or group in the ‘Enter the Object Names’ box or, alternatively, enter the first character in the box and click ‘Check Names’.
7 Once you have entered the group (or user) in the box, click the ‘OK’ button (as in Figure 4). By default the system will only allow ‘Read’ access to the group.
Figure 3: Adding groups
Figure 4: Adding Accounting
8 To give the Accounting group Full Control, ensure the Accounting group is selected in the Group or User names list and simply click the ‘Allow’ box beside the Full Control option. This will also fill in the Change option.
Figure 5: All rights Accounting
9 Repeat the above process for the ‘Accounts’ group. Again, by default, Accounts will be given only the ability to read any documents in the share. They will not be able to edit or delete any documents in the share.

The utility of groups

It is often better to add users to groups and then give the rights to the groups rather than individual employees. In very large network systems, it can be a large task to assign individual users to shares, as well as being an administrative nightmare in controlling what rights a user has.
Figure 6: Limited rights for Accounts

An administrator would add users to groups to ease the burden of assigning individual users to resources such as printers or file shares and giving individuals rights to those shares.

It could be possible that if a user were a member of a group that had limited rights to a resource, and the administrator also added the user to the share with limited rights, the user would have all rights because of the group rights. It is also possible to have a group as a member of another group. In these situations, an administrator would need to be very aware of where groups are placed, as rights may be granted that shouldn’t be. This is where the organisation’s guidelines on security would be very important.

Test to ensure appropriate access for user groups

Testing user or group access or both is done to ensure that:

·  users or groups have access to the resources they should be able to access

·  users are being denied access according to organisational guidelines.

There is nothing worse for network staff than to have users complaining about being unable to access resources that they know they should be able to access. Testing user access by testing for user connection locally is only half the story. On a domain, many users may need to have access via remote desktop, a virtual private network (VPN) or remote access via a modem. Telecommuting and roaming are growing means of network access.

The IT support staff would add the users to the system and then add them to the groups that they should belong to. Hopefully, previous tests of user access to the various resources would have been done. Therefore, when a user is added, the administrators or support staff should feel confident that the user cannot access those areas to which they do not have rights.

User classes

If you have to test the access of different classes of users, then setting users into appropriate groups and giving access privileges to the groups will help streamline tests. As mentioned, this is the manner in which the users should be configured at all times for efficiency. Once a class of user has been tested for correct access then all other users in that group will have similar access privileges—as long as any particular user has not been given any other privileges elsewhere. Therefore, it is important to document any privileges given to individual users as well as the access rights for each group.
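
The group-nesting caution under ‘The utility of groups’ and the class-based testing described above can be checked together. The following Python sketch is an added example, not part of the original reading; it uses a simplified allow-only model in which the most permissive grant wins, and the user names, the nested Payroll group and the EXPECTED policy table are constructed for illustration.

```python
# Added illustration: a simplified model of share rights, not Windows code.
LEVELS = {"None": 0, "Read": 1, "Change": 2, "Full Control": 3}

# Constructed sample data mirroring the Accounting share in this reading.
SHARE_ACL = {"Accounting": "Full Control", "Accounts": "Read"}  # 'Everyone' removed
MEMBERS = {                    # group -> direct members (users or other groups)
    "Accounting": {"pat", "Payroll"},   # Payroll is a nested group (hypothetical)
    "Accounts": {"sam", "lee"},
    "Payroll": {"lee"},
}
# Rights each test user should have according to policy (hypothetical register).
EXPECTED = {"pat": "Full Control", "sam": "Read", "lee": "Read", "kim": "None"}


def groups_of(principal, members=MEMBERS):
    """Return every group the principal belongs to, directly or through nesting."""
    found, stack = set(), [principal]
    while stack:
        current = stack.pop()
        for group, direct in members.items():
            if current in direct and group not in found:
                found.add(group)        # the 'found' check also stops cycles
                stack.append(group)
    return found


def effective_right(user, acl=SHARE_ACL, members=MEMBERS):
    """Most permissive right granted to the user or to any group they are in."""
    holders = {user} | groups_of(user, members)
    granted = [acl[h] for h in holders if h in acl]
    return max(granted, key=LEVELS.get, default="None")


def access_test_report(expected=EXPECTED):
    """List (user, expected, actual) for every user whose access differs from policy."""
    return [(user, want, effective_right(user))
            for user, want in sorted(expected.items())
            if effective_right(user) != want]


if __name__ == "__main__":
    for user, want, got in access_test_report():
        print(f"{user}: policy says {want!r}, share grants {got!r}")
```

Here ‘lee’ is meant to have Read access through Accounts, but membership of Payroll, which is itself a member of Accounting, raises the effective right to Full Control.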

Document the file system

A network file system (NFS) allows administrators to manage files on several computers inside a network—as if they were on the local hard disk. So, there’s no need to know where the files are physically located in order to access them.

It’s always important to have documentation for all IT systems, but very much so for the file system. Don’t rely on the characteristics of the operating system structure residing on the computer. If a computer fails, it is important to be able to confirm that the restoration process has worked correctly. Additionally, when a decision is made to update a server system, it is important to recognise the structure of the existing system. All of this requires accurate documentation.

Set network file system controls

How might an administrator set the network file system controls? Which operating systems support network file systems?

As you have seen, an administrator gives users and groups access rights to files and folders. These access rights can be as restrictive as ‘read only’ through to ‘changing and deleting files and folders’. The level of access control depends very much upon the operating system controlling the objects. For example, Novell and Linux allow total control of these objects down to the file level, whereas Windows allows total control of file access only on NTFS-formatted partitions.

The higher the degree of detail, the simpler it is to completely replicate the file system. Therefore, if each access process is documented at the time it is performed, then the overall file system documentation is relatively simple to manage.

Testing successful access for users

Testing successful access for users to authorised resources and data is very much the same as testing the file system to allow access. Once a user has been added to the system, the person responsible for adding the user may force the user to change their password during the first logon. If the help desk does not get a complaint from a user that they cannot access the system, staff can assume that the user has successfully logged on, been forced to change their password and now has access to the resources.

The screen in Figure 7 is part of the process of adding a user to a Windows system. Notice the check box that states the user must change their password at the next logon. When the user logs in the first time, they must change their password.
Figure 7: Forcing password change

Auditing user access

It would be near impossible to ask every user on a system to verify they have accessed the system and resources they need. Instead, reports such as help desk calls would identify that a user has not been successful.

A system administrator may also ask the support staff to check system logs for messages that show a user is having problems getting onto the system or getting access to resources. This is done through system auditing, which needs to be configured through system control tools.

Auditing user access in Windows 2003

The following sequence shows you how to set auditing of user access to the system.

1 Figure 8 shows the Default Domain Controller Security Settings for a Windows 2003 server. This allows the network administrators to audit access to various objects on the system, including shares and printers.
Figure 8: Audit object access
2 Right-click on the Audit Object Access policy and select the Properties option. This will allow you to define auditing of both successes and failures of access to the objects.
Figure 9: Audit success or failure
3 Once the policy has been defined, you need to apply settings to the object that you want to audit. In the example in Figure 4 we are setting it on the Accounting folder created in a previous exercise.
Figure 10: Auditing Accounting folder
4 Click the Advanced button on the previous screen. Ensure the Auditing tab is selected and then click Add.
Figure 11: Advanced security settings for Accounting
5 Select the Accounting group for auditing purposes.
Figure 12: Auditing select accounting
6 When you click OK, you can then expand on the items that you want to audit (see Figure 13). Simply click on the ‘Full Control’ – ‘Successful or Failed’ check boxes. Click OK.
Figure 13: Auditing entry for accounting
7 Once you have clicked the OK button, you will notice that the Accounting group has been added for auditing purposes (Figure 14).
Figure 14: Advanced Auditing entry

8 Once the auditing has been set up, network administrators can check the Event Viewer Security log for entries made when an audited event has occurred. These are accessed from the Administrative Tools group from the start-up menu. The log shows the events set up in auditing each time a member of the Accounting group accesses the Accounting share (see Figure 15).

Figure 15: Auditing security log

Reasons for auditing

An administrator may audit an object for many reasons, including:

·  concern about security issues

·  ensuring that the users who have access to the system are the correct users to access the resources

·  wanting to know when a user or groups of users are accessing the system at particular times

·  concern that unauthorised people are managing user accounts

·  the need to highlight policy changes, due to security issues

·  wanting to know when, why and how certain system events that cause system failure or slowness are occurring.
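
A review of audit entries along the lines of the reasons listed above, as an added Python example that is not part of the original reading. The log extract is a constructed, simplified stand-in for an exported Security log; its column layout, the user names, the AUTHORISED set, the business-hours window and the failure threshold are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample: simplified stand-in for an exported Security log covering
# the audited Accounting folder. Columns and values are assumptions.
SAMPLE_LOG = r"""type,date,time,user,object
Success Audit,2024-03-04,09:15:02,pat,C:\Accounting\ledger.xls
Failure Audit,2024-03-04,09:20:41,sam,C:\Accounting\ledger.xls
Failure Audit,2024-03-04,09:21:03,sam,C:\Accounting\ledger.xls
Failure Audit,2024-03-04,09:21:30,sam,C:\Accounting\payroll.xls
Success Audit,2024-03-04,23:47:10,lee,C:\Accounting\payroll.xls
Success Audit,2024-03-05,10:02:55,kim,C:\Accounting\ledger.xls
Failure Audit,2024-03-05,10:05:12,lee,C:\Accounting\ledger.xls
"""

AUTHORISED = {"pat", "lee"}      # hypothetical members of the Accounting group
BUSINESS_HOURS = range(8, 18)    # assumed policy: 08:00 to 17:59


def review(log_text, authorised=AUTHORISED, failure_threshold=3):
    """Return (finding, user, detail) tuples worth following up."""
    failures = Counter()
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, stamp = row["user"], f"{row['date']} {row['time']}"
        if row["type"] == "Failure Audit":
            failures[user] += 1          # denied access: possible rights problem
        elif user not in authorised:
            # Successful access by someone outside the group: rights were
            # granted somewhere other than the documented group.
            findings.append(("unexpected user", user, stamp))
        elif int(row["time"][:2]) not in BUSINESS_HOURS:
            findings.append(("out of hours", user, stamp))
    for user, count in sorted(failures.items()):
        if count >= failure_threshold:
            findings.append(("repeated failures", user, f"{count} failures"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep=" | ")
```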

User applications and clearance for access

Before any user is allowed access to the system, they must apply for access. The access (and the level of access) must be approved by their department manager before being sent to the IT department. A manager or equivalent in the IT Department should also approve the form before the user is added to the system.