Recommended practices – Part-6: Manage end-users via Active Directory

This is a multi-part series on recommended IT practices for organizations and their end-users. Additional parts will be included in upcoming newsletters.

End-users and their equipment (PCs, tablets, mobile devices) need access to network resources (servers, printers, scanners, etc.); basically, a network administrator connects the end-users with the appropriate resources while matching that access to the needs of the organization.

For example, Human Resources would typically be granted access to sensitive, employee information stored on a server, while the shipping department would be denied this privilege. And, since Human Resources has this access, they would be held to higher security standards designed to protect this information.

One could create an account within each resource mapped to the end-user device, but a more practical solution would be to use a network-wide tool to manage these accounts and their relationships: Active Directory, included within Windows Server, is a robust, rules-driven set of services and processes to facilitate one-site login and to enforce desired behavior. (Visit Wikipedia’s write-up on Active Directory.)

Methods within Active Directory to manage end-usera

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End-users and their equipment (PCs, tablets, mobile devices) need access to network resources (servers, printers, scanners, etc.); basically, a network administrator connects the end-users with the appropriate resources while matching that access to the needs of the organization.

For example, Human Resources would typically be granted access to sensitive, employee information stored on a server, while the shipping department would be denied this privilege.  And, since Human Resources has this access, they would be held to higher security standards designed to protect this information.

One could create an account within each resource mapped to the end-user device, but a more practical solution would be to use a network-wide tool to manage these accounts and their relationships:  Active Directory, included within Windows Server, is a robust, rules-driven set of services and processes to facilitate one-site login and to enforce desired behavior.  (Visit Wikipedia’s write-up on Active Directory.)

Methods within Active Directory to manage end-users include:

  • Enforce password use and complexity
  • Require periodic password changes
  • Lock screen after time-out
  • Restrict access
  • Grouping

Enforce password use and complexity

Passwords should be required for all end-users, regardless of their function.

A password’s complexity is also important:  A password should have a minimum length of at least nine characters and should have a mix of characters (numeric, upper and lower-case alphabetic, and at least one special character like $, #, @, etc.) that are not easily guessed.  (Please see “Simple Passwords = Disaster” in the January 2013 edition of Bryley Tips and Information.)

Require periodic password changes

Passwords become stale and should be changed periodically to discourage theft.  (We require password changes every 90 days.)  When changed, the end-user should be forced to enter a new, unique password rather than recycle an old one.

Lock screen after time-out

Computer screens are easily viewed by passing employees; highly sensitive employee data might be in open view when a payroll administrator leaves their desk.  To alleviate, many organizations define a time-out period, after which a computer screen is forced to lock and requires a password to refresh.

Restrict access

Network resources are available to all, 24 hours a day, seven days a week.  However, you might not want to enable 24-hour access to all employees and you might want to limit access to specific folders by granting one of these access rights:

  • Read – Allow access to a file
  • Change – Permit adding, modifying, and removing a file
  • Full Control – Change permissions settings in a file
  • Deny – Override all other access settings to prevent access

Read, Change, and Full Control work on a “most permissive” basis.  For example, all users may have Read access to a policy document, and the Human Resources group is granted Change access.  Since one of the groups they are a part of is granted Change access, Human Resources personnel can modify the policy document or replace it with a new one.

Deny work differently than the others, since a Deny overrides all other permissions to prevent access. Inexperienced administrators often use Deny improperly – setting Deny on payroll data for users, for example, and preventing everyone from accessing the payroll data – including the Payroll group, whose Change permission is ignored because they are a member of a group that has Deny set.  (We use Deny sparingly, since there must be a separate group for users who should not have access.)

Preventing access in Windows is achieved by removing the default Read right granted to users.

Grouping

Grouping also simplifies management; rather than manage end-users separately, group them by function, department, division, or organization to enable specific privileges across a group.

s include:

Enforce password use and complexity
Require periodic password changes
Lock screen after time-out
Restrict access
Grouping
Enforce password use and complexity

Passwords should be required for all end-users, regardless of their function.

A password’s complexity is also important: A password should have a minimum length of at least nine characters and should have a mix of characters (numeric, upper and lower-case alphabetic, and at least one special character like $, #, @, etc.) that are not easily guessed. (Please see “Simple Passwords = Disaster” in the January 2013 edition of Bryley Tips and Information.)

Require periodic password changes

Passwords become stale and should be changed periodically to discourage theft. (We require password changes every 90 days.) When changed, the end-user should be forced to enter a new, unique password rather than recycle an old one.

Lock screen after time-out

Computer screens are easily viewed by passing employees; highly sensitive employee data might be in open view when a payroll administrator leaves their desk. To alleviate, many organizations define a time-out period, after which a computer screen is forced to lock and requires a password to refresh.

Restrict access

Network resources are available to all, 24 hours a day, seven days a week. However, you might not want to enable 24-hour access to all employees and you might want to limit access to specific folders by granting one of these access rights:

Read – Allow access to a file
Change – Permit adding, modifying, and removing a file
Full Control – Change permissions settings in a file
Deny – Override all other access settings to prevent access
Read, Change, and Full Control work on a “most permissive” basis. For example, all users may have Read access to a policy document, and the Human Resources group is granted Change access. Since one of the groups they are a part of is granted Change access, Human Resources personnel can modify the policy document or replace it with a new one.

Deny work differently than the others, since a Deny overrides all other permissions to prevent access. Inexperienced administrators often use Deny improperly – setting Deny on payroll data for users, for example, and preventing everyone from accessing the payroll data – including the Payroll group, whose Change permission is ignored because they are a member of a group that has Deny set. (We use Deny sparingly, since there must be a separate group for users who should not have access.)

Preventing access in Windows is achieved by removing the default Read right granted to users.

Grouping

Grouping also simplifies management; rather than manage end-users separately, group them by function, department, division, or organization to enable specific privileges across a group.