Every user who accesses a network must have a user account. User accounts allow the network administrator to determine who can access the network and what network resources each user can access. In addition, the user account can be customized to provide many convenience features for users, such as a personalized Start menu or a display of recently used documents. Every user account is associated with a username (sometimes called a user ID), which the user must enter when logging in to the network. Each account also has other information associated with it. In particular:
The user’s password:
This also includes the password policy, such as how often the user has to change his or her password, how complicated the password must be, and so on.
The user’s contact information:
This includes full name, phone number, e-mail address, mailing address, and other related information.
Account restrictions:
This includes restrictions that allow the user to log on only during certain times of the day. This feature enables you to restrict your users to normal working hours so that they can’t sneak in at 3 a.m. to do unauthorized work. This feature also discourages your users from working overtime because they can’t access the network after hours, so use it judiciously. You can also specify that the user can log on only at certain computers.
Account status:
You can temporarily disable a user account so that the user can’t log on.
Home directory:
This specifies a shared network folder where the user can store documents.
Dial-in permissions:
These authorize the user to access the network remotely via a dialup connection.
Group memberships:
These grant the user certain rights based on groups to which they belong.
Most network operating systems come preconfigured with two built-in accounts, named “Administrator” and “Guest.” In addition, some server services, such as Web or database servers, create their own user accounts under which to run. The following sections describe the characteristics of these accounts.
The Administrator account
The Administrator account is the King of the Network. This user account is not subject to any of the account restrictions to which other, mere mortal accounts must succumb. If you log in as the administrator, you can do anything.
Because the Administrator account has unlimited access to your network, it is imperative that you secure it immediately after you install the server. When the NOS Setup program asks for a password for the Administrator account, start off with a good random mix of uppercase and lowercase letters, numbers, and symbols. Don’t pick some easy-to-remember password to get started, thinking you will change it to something more cryptic later. You will forget, and in the meantime, someone will break in and reformat the server’s C: drive or steal your customer’s credit card numbers. Here are a few additional things worth knowing about the Administrator account:
- You can’t delete it. The system must always have an administrator.
- You can grant administrator status to other user accounts. However, you should do so only for users who really need to be administrators.
- You should use it only when you really need to do tasks that require administrative authority. Many network administrators grant administrative authority to their own user accounts. That is not a very good idea. If you are killing some time surfing the Web or reading your e-mail while logged in as an administrator, you are just inviting viruses or malicious scripts to take advantage of your administrator access. Instead, you should set yourself up with two accounts: a normal account that you use for day-to-day work, and an Administrator account that you use only when you need it.
- The default name for the Administrator account is usually simply “Administrator.” You may want to consider changing this name. Better yet, change the name of the Administrator account to something more obscure and then create an ordinary user account that has few - if any - rights and give that account the name “Administrator.” That way, hackers who spend weeks trying to crack your Administrator account password will discover that they have been duped once they finally break the password. In the meantime, you will have a chance to discover their attempts to breach your security and take appropriate action.
- Above all, do not forget the Administrator account password. Write it down in permanent ink and store it in Fort Knox, a safe deposit box, or some other secure location.
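The decoy “Administrator” account described above is only useful if someone watches it. The following is an added example, not part of the original article: it scans logon records for any activity against the decoy name. The log format, account names, and addresses are constructed for illustration and do not match any particular operating system's log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, result, account, source host.
SAMPLE_LOG = """\
2004-03-01T02:58:10 FAIL Administrator 10.0.0.57
2004-03-01T02:58:12 FAIL Administrator 10.0.0.57
2004-03-01T02:58:15 FAIL Administrator 10.0.0.57
2004-03-01T09:01:44 OK jsmith 10.0.0.21
2004-03-01T09:02:03 FAIL jsmith 10.0.0.21
2004-03-01T09:02:09 OK jsmith 10.0.0.21
2004-03-01T11:30:00 OK Administrator 10.0.0.99
"""

# Assumption: the real administrator account was renamed, and this name
# now belongs to a low-rights decoy that nobody legitimately uses.
DECOY = "administrator"


def decoy_alerts(log_text, decoy=DECOY, window=timedelta(minutes=5), threshold=3):
    """Return (severity, source, detail) tuples for activity on the decoy account."""
    alerts = []
    fails = defaultdict(list)  # source host -> recent failure timestamps
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, result, account, source = parts
        if account.lower() != decoy:  # account names compared case-insensitively
            continue
        when = datetime.fromisoformat(ts)
        if result == "OK":
            # A successful logon means the decoy password has been broken.
            alerts.append(("critical", source, "decoy password was guessed"))
            continue
        # Keep only failures from this source inside the sliding window.
        recent = [t for t in fails[source] if when - t <= window] + [when]
        fails[source] = recent
        if len(recent) == threshold:
            alerts.append(("warning", source,
                           f"{threshold} failed decoy logons within {window}"))
    return alerts


if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_LOG):
        print(alert)
```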
The Guest account
Another commonly created default account is called the Guest account. This account is set up with a blank password and few - if any - access rights. The Guest account is designed to allow anyone to step up to a computer and log on, but after they do, it then prevents them from doing anything.
Service accounts
Some users are actually software processes that require access to secure resources and therefore require user accounts. These user accounts are usually created automatically for you when you install or configure server software.
For example, when you install Microsoft’s Web server (IIS), an Internet user account called IUSR is created. The complete name for this account is IUSR_. So if the server is named WEB1, the account is named IUSR_WEB1. IIS uses this account to allow anonymous Internet users to access the files of your Web site.
As a general rule, you should not mess with these accounts unless you know what you are doing. For example, if you delete or rename the IUSR account, you must reconfigure IIS to use the changed account. If you don’t, IIS will deny access to anyone trying to reach your site. (Assuming that you do know what you are doing, renaming these accounts can increase your network’s security. However, don’t start playing with these accounts until you have researched the ramifications.)
User accounts and passwords are only the front line of defense in the game of network security. After a user gains access to the network by typing a valid user ID and password, the second line of security defense - rights - comes into play.
In the harsh realities of network life, all users are created equal, but some users are more equal than others. The Preamble to the Declaration of Network Independence contains the statement, “We hold these truths to be self-evident, that some users are endowed by the network administrator with certain inalienable rights....”
The specific rights that you can assign to network users depend on which network operating system you use. Here is a partial list of the user rights that are possible with Windows servers:
Log on locally:
The user can log on to the server computer directly from the server’s keyboard.
Change system time:
The user can change the time and date registered by the server.
Shut down the system:
The user can perform an orderly shutdown of the server.
Back up files and directories:
The user can perform a backup of files and directories on the server.
Restore files and directories:
The user can restore backed-up files.
Take ownership of files and other objects:
The user can take over files and other network resources that belong to other users.
NetWare has a similar set of user rights.
User rights control what a user can do on a network-wide basis. Permissions enable you to fine-tune your network security by controlling access to specific network resources, such as files or printers, for individual users or groups. For example, you can set up permissions to allow users in the accounting department to access files in the server’s \ACCTG directory. Permissions can also enable some users to read certain files but not modify or delete them.
Each network operating system manages permissions in a different way. Whatever the details, the effect is that you can give permission to each user to access certain files, folders, or drives in certain ways.
Any permissions that you specify for a folder apply automatically to any of that folder’s subfolders, unless you explicitly specify a different set of permissions for the subfolder.
In NetWare, file system rights are referred to as trustee rights. NetWare has eight different trustee rights, listed in the table below. For every file or directory on a server, you can assign any combination of these eight rights to any individual user or group.
NetWare Trustee Rights
| Trustee Right | Abbreviation | What the User Can Do |
| --- | --- | --- |
| Read | R | The user can open and read the file. |
| Write | W | The user can open and write to the file. |
| Create | C | The user can create new files or directories. |
| Modify | M | The user can change the name or other properties of the file or directory. |
| File Scan | F | The user can list the contents of the directory. |
| Erase | E | The user can delete the file or directory. |
| Access Control | A | The user can set the permissions for the file or directory. |
| Supervisor | S | The user has all rights to the file. |

Windows refers to file system rights as permissions. Windows servers have six basic permissions, listed below. As with NetWare trustee rights, you can assign any combination of Windows permissions to a user or group for a given file or folder.
Windows Basic Permissions
| Permission | Abbreviation | What the User Can Do |
| --- | --- | --- |
| Read | R | The user can open and read the file. |
| Write | W | The user can open and write to the file. |
| Execute | X | The user can run the file. |
| Delete | D | The user can delete the file. |
| Change | P | The user can change the permissions for the file. |
| Take Ownership | O | The user can take ownership of the file. |

Note the last permission. In Windows, the concept of file or folder ownership is important. Every file or folder on a Windows server system has an owner. The owner is usually the user who creates the file or folder. However, ownership can be transferred from one user to another. So why the Take Ownership permission? This permission prevents someone from creating a bogus file and giving ownership of it to you without your permission. Windows does not allow you to give ownership of a file to another user. Instead, you can give another user the right to take ownership of the file. That user must then explicitly take ownership of the file.
You can use Windows permissions only for files or folders that are created on drives formatted as NTFS volumes. If you insist on using FAT or FAT32 for your Windows shared drives, you can’t protect individual files or folders on the drives. This is one of the main reasons for using NTFS for your Windows servers.
User profiles are a Windows feature that keeps track of an individual user’s preferences for his or her Windows configuration. For a non-networked computer, profiles enable two or more users to use the same computer, each with his or her own desktop settings, such as wallpaper, colors, Start menu options, and so on.
The real benefit of user profiles becomes apparent when profiles are used on a network. A user’s profile can be stored on a server computer and accessed whenever that user logs on to the network from any Windows computer on the network. The following are some of the elements of Windows that are governed by settings in the user profile:
- Desktop settings from the Display Properties dialog box, including wallpaper, screen savers, and color schemes.
- Start menu programs and Windows toolbar options.
- Favorites, which provide easy access to the files and folders that the user accesses frequently.
- Network settings, including drive mappings, network printers, and recently visited network locations.
- Application settings, such as option settings for Microsoft Word.
- The My Documents folder
A group account is an account that does not represent an individual user. Instead, it represents a group of users who use the network in a similar way. Instead of granting access rights to each of these users individually, you can grant the rights to the group and then assign individual users to the group. When you assign a user to a group, that user inherits the rights specified for the group.
For example, suppose that you create a group named “Accounting” for the accounting staff and then allow members of the Accounting group access to the network’s accounting files and applications. Then, instead of granting each accounting user access to those files and applications, you simply make each accounting user a member of the Accounting group. Here are a few additional details about groups:
- Groups are one of the keys to network management nirvana. As much as possible, you should avoid managing network users individually. Instead, clump them into groups and manage the groups. When all 50 users in the accounting department need access to a new file share, would you rather update 50 user accounts or just one group account?
- A user can belong to more than one group. Then, the user inherits the rights of each group. For example, suppose that you have groups set up for Accounting, Sales, Marketing, and Finance. A user who needs to access both Accounting and Finance information can be made a member of both the Accounting and Finance groups. Likewise, a user who needs access to both Sales and Marketing information can be made a member of both the Sales and Marketing groups.
- You can grant or revoke specific rights to individual users to override the group settings. For example, you may grant a few extra permissions for the manager of the accounting department. You may also impose a few extra restrictions on certain users.
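The group rules above combine with the folder rule stated earlier (permissions set on a folder apply to its subfolders unless the subfolder has its own). The following added example, not part of the original article, works through that combination as the article states it; it is a simplified model, not the access check any real network operating system performs. All users, groups, and folders other than \ACCTG are constructed.

```python
# Constructed group membership data.
GROUPS = {
    "Accounting": {"alice", "bob"},
    "Finance": {"alice", "carol"},
}

# Explicit permissions per folder, using the article's Windows abbreviations
# (R W X D P O). A folder without an entry uses its nearest ancestor's entry.
ACLS = {
    r"\ACCTG": {"Accounting": "RW"},
    r"\ACCTG\PAYROLL": {"Finance": "R"},  # replaces what \ACCTG would pass down
    r"\SHARED": {"Accounting": "R", "Finance": "W"},
}

# Per-user overrides applied on top of the group result (hypothetical data).
USER_GRANTS = {("bob", r"\ACCTG"): "D"}
USER_REVOKES = {("alice", r"\ACCTG"): "W"}


def governing_folder(path, acls=ACLS):
    """Walk up from path to the nearest folder that has explicit permissions."""
    folder = path.rstrip("\\")
    while folder:
        if folder in acls:
            return folder
        folder = folder.rpartition("\\")[0]  # drop the last path component
    return None


def effective_rights(user, path):
    """Return the set of permission letters the user ends up with on path."""
    folder = governing_folder(path)
    if folder is None:
        return set()  # nothing specified anywhere up the tree
    rights = set()
    for principal, granted in ACLS[folder].items():
        # A user inherits the rights of every group they belong to.
        if principal == user or user in GROUPS.get(principal, ()):
            rights |= set(granted)
    rights |= set(USER_GRANTS.get((user, folder), ""))
    rights -= set(USER_REVOKES.get((user, folder), ""))
    return rights


if __name__ == "__main__":
    for who, where in [("alice", r"\SHARED"), ("alice", r"\ACCTG\REPORTS"),
                       ("bob", r"\ACCTG"), ("bob", r"\ACCTG\PAYROLL\2004")]:
        print(who, where, sorted(effective_rights(who, where)))
```

Note that bob, who can read, write, and delete in \ACCTG, has no access under \ACCTG\PAYROLL because that subfolder's explicit entry names only Finance; this is the kind of result worth checking before relying on inherited permissions.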
A logon script is a batch file that runs automatically whenever a user logs on. Logon scripts can perform several important logon tasks for you, such as mapping network drives, starting applications, synchronizing the client computer’s time-of-day clock, and so on. Logon scripts reside on the server. Each user account can specify whether to use a logon script and which script to use. Here is a sample logon script that maps a few network drives and synchronizes the time:
net use m: \\MYSERVER\Acct
net use n: \\MYSERVER\Admin
net use o: \\MYSERVER\Dev
net time \\MYSERVER /set /yes
Logon scripts are a little out of vogue because most of what a logon script does can be done via user profiles. Still, many administrators prefer the simplicity of logon scripts, so they are still used even on Windows Server 2003 systems.
