
Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12  705

default account, which has a common name like “Administrator,” but allows IT staff to still perform administration functions. Exercise 12.02 demonstrates how new accounts can be added to an Administrator group in Windows XP, so that the account has the same rights as the default Administrator account.
The account with administrator access can be used to create new accounts, change the access associated with other accounts, access all data, and exercise many other user right assignments. By controlling the permissions associated with each account, administrators control what objects each person can or cannot access on a system. Because a company may have hundreds or thousands of users on a network or system, it would be an administrative nightmare to maintain access control over every single account. To make management easier, groups can be used to assemble user accounts together and define access control as a batch. For example, let’s say a network administrator wanted branch office managers to have the ability to back up data on servers and workstations in their individual locations. The administrator could modify the account of every manager, or add each of these accounts to a Backup Operators group, which has the necessary permissions to back up data. By modifying the access control of one group, the access of each account that is a member of that group would also be affected.
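
One way to apply the Backup Operators approach above on a current Windows machine, as an added example that is not from the book: the script adds approved manager accounts to the group and flags any member that is not on the approved list. The account names are hypothetical, the accounts are assumed to be local users, and the cmdlets come from the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 or later), not the Windows XP tools used in the chapter's exercise.

```powershell
# Added example: reconcile a local group against an approved member list.
# Run from an elevated session. All account names are hypothetical.
param(
    [string]   $GroupName = 'Backup Operators',
    [string[]] $Approved  = @('mgr-branch01', 'mgr-branch02', 'mgr-branch03'),
    [switch]   $RemoveUnapproved   # off by default: report only
)

# Current members as principal objects (Name is "COMPUTER\account").
$members = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop)

# Bare account names, used for case-insensitive comparison.
$memberNames = @($members | ForEach-Object { ($_.Name -split '\\')[-1] })

# Step 1: add approved accounts that are not members yet.
foreach ($name in $Approved) {
    if ($memberNames -contains $name) { continue }

    # Assumption: approved accounts are local users on this machine.
    if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) {
        Add-LocalGroupMember -Group $GroupName -Member $name
        Write-Output "added to '$GroupName': $name"
    } else {
        Write-Warning "approved account '$name' does not exist on this machine"
    }
}

# Step 2: flag members that nobody approved. Because rights follow the
# group, every extra member silently holds the group's backup rights.
foreach ($m in $members) {
    $short = ($m.Name -split '\\')[-1]
    if ($Approved -notcontains $short) {
        Write-Warning "unapproved member of '$GroupName': $($m.Name)"
        if ($RemoveUnapproved) {
            # Pass the principal object so the exact member is removed.
            Remove-LocalGroupMember -Group $GroupName -Member $m
        }
    }
}
```

Running it without `-RemoveUnapproved` only reports drift, which makes it suitable for a scheduled membership review.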
User accounts and groups may be local to a computer or server, or have the ability to connect to servers on a network. This allows administrators to control what a user or group can do on a specific machine, or on the network as a whole. This is particularly useful when they want users to have different levels of access on individual machines and the network.
Network OSes like Novell NetWare also have the ability to control access through roles. Roles are similar to groups, as they can be used to control the access of numerous users as a batch. If a number of users have a similar role in an organization, the administrator can associate them with a role created on the network OS. The role would have specific access to resources such as drive mappings or other privileges unique to this role. For example, department managers might have similar duties in an organization and wish to access a shared directory for storing data that all of the managers would need. You could create a role and associate each of the managers’ accounts with this role. When the managers log in, they would have the same access to the shared directory and any other privileges provided through the role.










                                                                              www.syngress.com