CH 2 Windows Network Concepts


Chapter 2

Windows Network Concepts

1
Workgroup

• A workgroup is usually associated with a peer-to-peer
network where user accounts are decentralized and
stored on each individual computer.
– Since each computer has its own security
database, when you have several users that
need access to the computer (while requiring
unique username and passwords), you will need
to create a user account for each user on the
computer.
2
Authentication
• Authentication is the process of identifying
an individual, usually based on a username
and password. After a user is authenticated,
users can access network resources based
on the user’s authorization.

3
Authorization and Auditing
• Authorization is the process of giving
individuals access to system objects based on
their identity.
• Auditing is the process of keeping track of a
user’s activity while accessing the network
resources, including the amount of time spent
in the network, the services accessed while
there and the amount of data transferred
during the session.
4
Authentication Methods
• A user can authenticate using one or more of
the following methods:
– What they know: Such as using a password or
Personal Identity Number (PIN).
– What they own or possess: Such as a passport,
smart card, or ID card.
– What a user is: Usually using biometric factors
based on fingerprints, retinal scans, voice input,
or other forms.
5
Password
• The most common method of authentication with
computers and networks is the password.
• A password is a secret series of characters that
enables a user to access a file, computer, or
program.
• To make a password more secure, you need to
choose a password that nobody can guess.
• Therefore, it should be long enough and
considered a complex or strong password.
6
Complex Password
• Cannot contain the user’s account name or parts of
the user’s full name that exceed two consecutive
characters.
• Must be at least six characters in length or the
number of characters specified in the Minimum
password length policy setting.
– Must contain characters from at least three of the
following four categories: English uppercase alphabet
characters (A–Z), English lowercase alphabet
characters (a–z), base-10 digits (0–9), and non-
alphanumeric characters (for example, !$#,%).
7
User Account
• A user account enables a user to log on to a
computer and domain. As a result, it can be
used to prove the identity of a user, which
can then be used to determine what a user
can access and what kind of access a user
will have (authorization).
• It can be used for auditing so that if there is
a security problem where something was
accessed or deleted, it can be determined
who accessed or deleted the object.
8
User Account
• On today’s Windows networks, there are two
types of user accounts:
– The local user account
– The domain user account

9
Local User Account
• A local user account allows a user to log on
and gain access to the computer where the
account was created.
• The security table located on the local
computer that stores the local user account
is known as the Security Account Manager
(SAM) database.

10
User Accounts
• There are three types of user accounts and
each provides the user with different levels
of control over the computer.
– Administrator
– Standard
– Guest

11
User Accounts
• Windows 7 provides two separate interfaces
for creating and managing local user
accounts:
– User Accounts in the Control Panel
– Local Users and Groups MMC snap-in
• Both of these interfaces provide access to
the same user and group accounts stored in
the SAM, so any changes you make using
one interface will appear in the other.
12
User Accounts Control Panel

13
Local Users and Groups Snap-in

14
Local Users and Groups Snap-in

15
User Profile
• A user profile, which is a collection of folders and data
that store the user’s current desktop environment and
application settings, is associated with each user
account.
• A user profile also records all network connections that
are established so when a user logs on to a computer,
it will remember the mapped drives to shared folders.
• When a user logs on to a computer, they will get the
same desktop environment that they previously had on
the computer.
• For Windows 7, the profiles are stored in the C:\Users
folder.
16
Credential Manager
• Credential Manager allows you to store credentials,
such as usernames and passwords that you use to
log on to websites or other computers, on a network.
• By storing your credentials, Windows can
automatically log you on to websites or other
computers.
• Credentials are saved in special folders on your
computer called vaults. Windows and programs
(such as web browsers) can securely give the
credentials in the vaults to other computers and
websites.
17
Active Directory
• A directory service stores, organizes, and provides
access to information in a directory.
• It is used for locating, managing, administering,
and organizing common items and network
resources, such as volumes, folders, files, printers,
users, groups, devices, telephone numbers, and
other objects.
• A popular directory service used by many
organizations is Microsoft’s Active Directory.

18
Active Directory
• Active Directory is a technology created by Microsoft
that provides a variety of network services, including:
– Lightweight Directory Access Protocol (LDAP)
– Kerberos-based and single sign-on (SSO)
authentication
– DNS-based naming and other network information
– Central location for network administration and
delegation of authority
• Active Directory is often a key component in
authentication, authorization, and auditing.
19
Active Directory
• Active Directory is a directory service which
contains information about all user accounts and
shared resources on a network.
• A directory service (DS) is a software application, or
a set of applications, that stores and organizes
information about a computer network's users and
network resources.
• Active Directory is a centralized hierarchical
directory database.
• Allows network administrators to manage users'
access to the resources.
• Acts as an abstraction layer between users and
shared resources.
20
What Is Active Directory?
(Slide diagram: Active Directory provides directory service
functionality, that is, organize, manage resources and control,
together with centralized management, a single point of
administration.)
21
PURPOSE OF ACTIVE DIRECTORY
1. Provide user logon and authentication services
2. To organize and manage:
– User accounts
– Computers
– Groups and
– Network resources
3. Enables authorized users to easily locate:
– Network resources
22
FEATURES OF ACTIVE DIRECTORY
1. Fully integrated security
2. Easy administration using Group Policy
3. Scalable to any size network
4. Flexible

NEW FEATURES IN ACTIVE DIRECTORY
❑ Provide file shares.
❑ Authenticate users
❑ Control access to services and shares
❑ Provide services, such as email, access to the internet,
print services etc.
23
How Directory Service Evolved
• Earlier there was no database standard, so the ITU and
ISO introduced X.500.
(Slide diagram of the X.500 model: a Server, the Directory
System Agent, holding the Directory Info Base organized as a
Directory Info Tree, with a Backup Server; a Client, the
Directory User Agent, reaching the server over DAP, the
Directory Access Protocol; DOP labelled on the slide as the
Directory Organization Management Protocol.)
24
The Role of a Directory Service
• A network directory service stores
information about a computer network and
offers features for retrieving and managing
that information.
• Generally considered to be an
administrative tool, but users make use of
directory services to find resources
• Directory services provide a centralized
management tool, but due to complexity,
require careful planning prior to setup
25
Windows Active Directory
• X.500 is the basis for its hierarchical structure
• Lightweight Directory Access Protocol (LDAP) is
based on the X.500 Directory Access Protocol
– Uses the more efficient TCP/IP protocol
• Integrating other OSs, such as Linux and UNIX
into an Active Directory network requires using
LDAP
• Windows Active Directory was first used in
Windows 2000 Server
26
Windows Active Directory
• Active Directory offers the following features:
– Hierarchical organization
– Centralized but distributed database
– Scalability
– Security
– Flexibility
– Policy-based administration

27
Overview of the Active Directory Structure
• Physical structure
– Consists of sites and servers configured as
domain controllers
• Logical structure
– Makes it possible to pattern the directory
service’s look and feel after the organization
in which it runs

28
Active Directory’s Physical Structure
• An Active Directory site is simply a physical location
in which domain controllers communicate and
replicate information regularly
• Each domain controller contains a full replica of the
objects that make up the domain and is responsible
for:
– Storing a copy of the domain data and replicating changes
to that data to all other domain controllers in the domain
– Providing data search and retrieval functions for users
attempting to locate objects in the directory
– Providing authentication and authorization services for
users who log on to the domain and attempt to access
network resources
29
Active Directory’s Logical Structure
• Four organizing components of Active Directory:
– Organizational Units (OUs)
– Domains
– Trees
– Forests
• The organizational unit (OU) is an Active Directory
container used to organize a network’s users and
resources into logical administrative units

30
Active Directory’s Logical Structure
• An OU contains Active Directory objects,
such as:
– User accounts
– Groups
– Computer accounts
– Printers
– Shared folders
– Applications
– Servers
– Domain controllers
31
Active Directory’s Logical Structure
• Domain - The core structural unit of an
Active Directory
– Contains OUs and represents administrative,
security, and policy boundaries
• Small to medium companies usually have
one domain; larger companies may have
several domains to separate geographical
regions or administrative responsibilities

32
Active Directory’s Logical Structure
• A tree is a grouping of domains that share a
common naming structure
– Can consist of a parent domain and possibly one or more
child domains
• Forest - A collection of one or more Active
Directory trees that provide a common
Active Directory environment
– All domains in all trees can communicate and share
information
– Can consist of a single tree with a single domain, or it can
contain several trees, each with a hierarchy of parent and
child domains
33
Domain
• A Windows domain is a logical unit of
computers and network resources that
defines a security boundary.
• Different from the local security database
that was previously discussed, a domain uses
a single Active Directory database to share its
common security and user account
information for all computers within the
domain.
34
Domain Controller
• While domains, trees, and forests are logical
representation of your organization, sites and
domain controllers represent the physical
structure of your network.
• A domain controller is a Windows server that
stores a replica of the account and security
information of the domain and defines the
domain boundaries.
• A server that is not running as a domain
controller is known as a member server.
35
Active Directory Consoles
• Several MMC snap-in consoles to manage
Active Directory:
– Active Directory Users and Computers
– Active Directory Domains and Trusts
– Active Directory Sites and Services
– Active Directory Administrative Center
– Group Policy Management Console (GPMC)

36
Finding a Domain Controller
• When a user logs on, Active Directory clients locate
an Active Directory server (using the DNS SRV
resource records) known as a domain controller in
the same site as the computer.
• If you receive an error message saying that it
cannot locate a domain controller or you get a
“RPC Server Unavailable” message, you should
make sure you are pointing to the correct DNS
server and that the DNS server has the correct SRV
resource records for the domain controllers.
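The lookup the slide describes, as an added Python example that is not part of the slides: an Active Directory client asks DNS for the SRV records of its own site first (the real record name is `_ldap._tcp.<site>._sites.dc._msdcs.<domain>`), then for any domain controller in the domain (`_ldap._tcp.dc._msdcs.<domain>`), and orders the answers by SRV priority and weight in the RFC 2782 way. The zone data below is constructed, and `SAMPLE_ZONE` stands in for the DNS server; when no SRV records exist the function raises the "cannot locate a domain controller" condition the troubleshooting bullet talks about.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV answer: priority, weight, port and target host."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample zone standing in for the DNS server's answers.
SAMPLE_ZONE = {
    "_ldap._tcp.dc._msdcs.example.com": [
        SrvRecord(priority=0, weight=100, port=389, target="dc1.example.com"),
        SrvRecord(priority=0, weight=100, port=389, target="dc2.example.com"),
        # Lower preference (higher priority number): only tried if the others fail.
        SrvRecord(priority=10, weight=0, port=389, target="dc3.example.com"),
    ],
    "_ldap._tcp.HQ._sites.dc._msdcs.example.com": [
        SrvRecord(priority=0, weight=100, port=389, target="dc1.example.com"),
    ],
}


def dc_locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names to try, in order: the client's own site first, then the whole domain."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_by_rfc2782(records: List[SrvRecord], rng=random) -> List[SrvRecord]:
    """Lowest priority number first; within a priority, weighted random selection."""
    ordered = []
    for priority in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == priority]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)          # 0..total inclusive, as RFC 2782 says
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:                # first record whose running sum reaches the pick
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def locate_domain_controller(zone: dict, domain: str, site: Optional[str] = None,
                             rng=random) -> Tuple[str, List[str]]:
    """Return (SRV name that answered, domain controllers in the order to try them)."""
    for name in dc_locator_names(domain, site):
        records = zone.get(name)
        if records:
            return name, [f"{r.target}:{r.port}" for r in order_by_rfc2782(records, rng)]
    raise LookupError(f"no domain controller SRV records for {domain}: check that the client "
                      f"points at the right DNS server and that the zone holds the SRV records")
```

Because the site-specific name is tried first, a client in site HQ gets only dc1 back, while a client in a site with no record of its own falls through to the domain-wide list, which is what keeps logon traffic local when replication topology is set up correctly.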
37
Organizational Units
• To help organize objects within a domain and
minimize the number of domains, you can use
organizational units, commonly seen as OU.
• OUs can be used to hold users, groups,
computers, and other organizational units.
• An organizational unit can only contain objects
that are located in a domain.

38
Delegating Administration
• By delegating administration, you can assign a range of
administrative tasks to the appropriate users and
groups.
• You can assign basic administrative tasks to regular
users or groups, and leave domain-wide and forest-
wide administration to members of the Domain Admins
and Enterprise Admins groups.
• You also help secure your network from accidental or
malicious damage by limiting the membership of
administrator groups.

39
Active Directory Objects
• An object is a distinct, named set of
attributes or characteristics that represents
a network resource.
• Common objects used within Active Directory
are computers, users, groups, and printers.

40
Active Directory Objects
• Active Directory objects are assigned a 128-
bit unique number called a globally unique
identifier (GUID), sometimes referred to as
security identifier (SID) to uniquely identify
an object.
• If a user changes his or her name, you can
change the name and he or she will still be
able to access all objects and have all of the
rights as before since those rights are
assigned to the GUID.
41
Domain User
• A domain user account is stored on the domain
controller and allows you to gain access to
resources within the domain, assuming you have
been granted the permissions needed to access
those objects.
• The administrator domain user account is the only
account that is created and enabled by default in
Windows when you first create a domain.
• While the administrator domain user account
cannot be deleted, it can be renamed.
42
Domain User

43
Domain User

44
Domain User

45
Computer Account
• Like user accounts, Windows computer accounts
provide a means for authenticating and auditing
the computer’s access to a Windows network and
its access to domain resources.
• Each Windows computer to which you want to
grant access to resources must have a unique
computer account.
• It can also be used for auditing purposes specifying
what system was used when something was
accessed.
46
Computer Account
• Like user accounts, computer accounts are assigned
passwords when the computer is added to the
domain, and those passwords are automatically
maintained between the computer and the domain
controllers.
• Unfortunately, from time to time, a computer account
can become untrusted where the security identifier
(SID) or password is different from those stored in
Active Directory.
– Unfortunately, you cannot reset the password.
Instead, the best thing to do is to rejoin the
computer to the domain.
47
Groups
• A group is a collection or list of user accounts
or computer accounts.
• Different from a container, the group does not
store the user or computer, it just lists them.
• The advantage of using groups is to simplify
administration, especially when assigning
rights and permissions.

48
Groups
• Any group, whether it is a security group or a
distribution group, is characterized by a
scope that identifies the extent to which the
group is applied in the domain tree or forest.
The three group scopes are:
– Domain Local group
– Global group
– Universal group

49
Group Policies
• Group Policy is one of the most powerful
features of Active Directory that controls the
working environment for user accounts and
computer accounts.
• Group Policy provides the centralized
management and configuration of operating
systems, applications, and users’ settings in
an Active Directory environment.

50
Group Policies
• Group policies can be set locally on the workstation
or can be set at different levels (site, domain, or
organizational unit) within Active Directory.
• Group policies are applied in the following order:
1. Local
2. Site
3. Domain
4. OU
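The Local, Site, Domain, OU order above can be made concrete with a small resolver. This is an added example, not material from the slides: the layers, policy names and setting names are constructed labels, not real policy registry values, and the only rule implemented is the one the slide states, that a setting configured at a later level overrides the same setting from an earlier one (with a parent OU applied before its child OU).

```python
from typing import Dict, List, Tuple

# Processing order from the slide. Sorting by this key is stable, so the
# listing order within one level (parent OU before child OU) is preserved.
LEVEL_ORDER = {"Local": 0, "Site": 1, "Domain": 2, "OU": 3}

# Constructed sample: (level, policy name, settings). The levels are listed
# out of order on purpose; only the OU parent-before-child order matters here.
SAMPLE_LAYERS = [
    ("OU", "Servers", {"AuditObjectAccess": "Success,Failure", "LockoutThreshold": 5}),
    ("OU", "Servers/Web", {"AuditObjectAccess": "Failure"}),
    ("Local", "Local Computer Policy",
     {"MinimumPasswordLength": 6, "ScreenSaverTimeout": 600, "AuditObjectAccess": "NoAuditing"}),
    ("Domain", "Default Domain Policy", {"MinimumPasswordLength": 8, "LockoutThreshold": 10}),
    ("Site", "HQ Site Policy", {"ScreenSaverTimeout": 900}),
]


def in_application_order(layers: List[Tuple[str, str, dict]]):
    """Layers sorted Local -> Site -> Domain -> OU, keeping listing order within a level."""
    return sorted(layers, key=lambda layer: LEVEL_ORDER[layer[0]])


def resolve_policy(layers) -> Dict[str, Tuple[object, str]]:
    """Return {setting: (winning value, 'Level:policy name')}; the last layer to write wins."""
    effective = {}
    for level, name, settings in in_application_order(layers):
        for setting, value in settings.items():
            effective[setting] = (value, f"{level}:{name}")
    return effective


def explain(layers, setting: str) -> List[str]:
    """Trace each layer that configures one setting, in the order the layers applied."""
    trail = []
    for level, name, settings in in_application_order(layers):
        if setting in settings:
            trail.append(f"{level}:{name} -> {settings[setting]!r}")
    return trail
```

One caveat worth knowing when reading the result: for domain accounts, account policies such as the lockout threshold take effect only from the policy linked at the domain level; an OU-linked account policy like the one in the sample affects only the local accounts of computers in that OU.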

51
Group Policies

52
Rights
• What a user can do on a system or to a
resource is determined by two things:
rights and permissions.
• A user right authorizes a user to perform
certain actions on a computer such as
logging on to a system interactively or
backing up files and directories on a system.
– User rights are assigned through local
policies or Active Directory group policies.
53
Group Policies

54
Permission
• A permission defines the type of access that is
granted to an object (an object can be identified
with a security identifier) or object attribute.
• The most common objects assigned permissions
are NTFS files and folders, printers and Active
Directory objects.
• Which users can access an object, and what
they can do with it, is recorded in the access
control list (ACL), which lists all users and groups
that have access to the object.
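The following Python example is added here and is not from the slides. It ties together the two preceding ideas, that permissions are recorded in an ACL of users and groups (this slide) and that groups exist so rights can be assigned once to many accounts (the Groups slide): each access control entry names a user or group, the user's effective rights are the union of every entry that matches the user or one of the user's groups, and an explicit deny entry wins over an allow, which is how Windows evaluates explicit entries. The group memberships, the ACL and the access bits are constructed stand-ins for the real SIDs and NTFS access masks.

```python
from dataclasses import dataclass
from enum import IntFlag


class Access(IntFlag):
    """Constructed stand-in for a few NTFS access mask bits."""
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8
    FULL = 15


@dataclass(frozen=True)
class Ace:
    """One access control entry: who (user or group), which rights, allow or deny."""
    trustee: str
    rights: Access
    allow: bool = True


# Constructed group membership; a real system resolves this from the SAM or
# Active Directory and places the group SIDs in the user's token at logon.
SAMPLE_GROUPS = {
    "Everyone": {"alice", "bob", "carol"},
    "Sales": {"alice", "bob"},
    "Managers": {"alice"},
}

# Constructed ACL for one shared folder. Rights are granted to groups; the two
# per-user entries show how an explicit deny overrides a group allow.
SAMPLE_ACL = [
    Ace("Everyone", Access.READ),
    Ace("Sales", Access.READ | Access.WRITE),
    Ace("Managers", Access.FULL),
    Ace("bob", Access.WRITE, allow=False),
    Ace("carol", Access.READ, allow=False),
]


def principal_tokens(user: str, groups: dict) -> set:
    """Identities an ACE can match for this user: the user plus every group they belong to."""
    return {user} | {name for name, members in groups.items() if user in members}


def effective_rights(acl, user: str, groups: dict) -> Access:
    """Union of all matching allow entries, minus any bit an explicit deny entry names."""
    tokens = principal_tokens(user, groups)
    allowed = denied = 0
    for ace in acl:
        if ace.trustee not in tokens:
            continue
        if ace.allow:
            allowed |= int(ace.rights)
        else:
            denied |= int(ace.rights)
    return Access(allowed & ~denied & int(Access.FULL))


def has_access(acl, user: str, groups: dict, requested: Access) -> bool:
    """True only if every requested bit is present in the user's effective rights."""
    return (int(requested) & ~int(effective_rights(acl, user, groups))) == 0
```

Adding a new salesperson to the Sales group grants them read and write on the folder without touching the ACL at all, which is the administrative simplification the Groups slide describes; removing them from the group revokes it just as cleanly.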
55
Account Lockout Policy
• An Account Lockout Policy specifies the number
of unsuccessful logon attempts that, if made
within a pre-defined amount of time, may hint of
an unauthorized person trying to access a
computer or the network.
• An Account Lockout Policy can be set to lock the
account in question after a specified number of
invalid attempts.
• Additionally, the policy specifies the duration that
the account remains locked.
56
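An added Python model of the policy just described (not code from the slides): it keeps the three knobs Windows exposes as the account lockout threshold, the window after which the bad-attempt counter resets, and the lockout duration. The policy values and the sequence of logon attempts are constructed; the model shows that a burst of wrong passwords locks the account on the threshold attempt, that a correct password is still rejected while the lockout lasts, and that attempts spaced wider than the observation window never accumulate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int                          # invalid attempts that trigger a lockout (0 = never lock)
    observation_window: timedelta           # bad-attempt counter resets after this much quiet time
    lockout_duration: Optional[timedelta]   # None: stays locked until an administrator unlocks it


class Account:
    """Tracks one account's failed-logon counter and lockout state."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad: Optional[datetime] = None
        self.locked_at: Optional[datetime] = None

    def unlock(self) -> None:
        self.locked_at = None
        self.bad_count = 0
        self.last_bad = None

    def is_locked(self, now: datetime) -> bool:
        if self.locked_at is None:
            return False
        if self.policy.lockout_duration is None:
            return True
        if now - self.locked_at < self.policy.lockout_duration:
            return True
        self.unlock()                       # duration elapsed: automatic unlock
        return False

    def record_failed_logon(self, now: datetime) -> bool:
        """Register a wrong password; return True if the account is locked afterwards."""
        if self.is_locked(now):
            return True
        if self.last_bad is not None and now - self.last_bad >= self.policy.observation_window:
            self.bad_count = 0              # quiet for a whole window: start counting again
        self.bad_count += 1
        self.last_bad = now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_at = now
            return True
        return False

    def record_successful_logon(self, now: datetime) -> bool:
        """A correct password is rejected while locked; otherwise it clears the counter."""
        if self.is_locked(now):
            return False
        self.bad_count = 0
        self.last_bad = None
        return True


# Constructed policy: five bad attempts within 30 minutes lock the account for 30 minutes.
SAMPLE_POLICY = LockoutPolicy(threshold=5,
                              observation_window=timedelta(minutes=30),
                              lockout_duration=timedelta(minutes=30))


def replay(policy: LockoutPolicy, attempts: List[Tuple[datetime, bool]]) -> Optional[datetime]:
    """Replay (timestamp, password_was_correct) events; return when the lockout began, if ever."""
    account = Account(policy)
    for when, ok in attempts:
        if ok:
            account.record_successful_logon(when)
        elif account.record_failed_logon(when) and account.locked_at == when:
            return when
    return None


# Constructed burst of five wrong passwords one second apart.
SAMPLE_BURST = [(datetime(2024, 1, 8, 9, 0, s), False) for s in range(5)]
# Constructed slow trickle: eight wrong passwords 31 minutes apart, never five in one window.
SAMPLE_TRICKLE = [(datetime(2024, 1, 8, 9, 0) + timedelta(minutes=31 * i), False) for i in range(8)]
```

The trickle case is the reason the window matters for detection as well as for lockout: an attacker who stays below the threshold per window never trips the policy, so the failed-logon audit events themselves still need to be watched.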
Account Lockout Policy

57
Password Control
• Group policies can be used to control
passwords including how often a user
changes a password, how long the password
is, and if the password is a complex
password.
• To help manage passwords, you can
configure settings in the Computer
Configuration\Windows Settings\Security
Settings\Account Policies\Password Policy
node of a group policy.
58
Password Control

59
Auditing
• It is important that you protect your
information and service resources from
people who should not have access to them,
and at the same time make those resources
available to authorized users.
• Auditing is not enabled by default. To enable
auditing, you specify what types of system
events to audit using group policies or the
local security policy (Security Settings\Local
Policies\Audit Policy).
60
Auditing

61
Auditing
• Auditing NTFS files, NTFS folders, and
printers is a two-step process. You must first
enable Object Access auditing using group
policies. Then you must specify which objects
you want to audit.

62
Troubleshooting Authentication Issues
• Authentication issues are a common
problem that everyone has to deal with.
• The simplest and easiest mistake for users
is forgetting their password, which then
needs to be reset.
• A common but easy mistake to make when
typing a username or password is to have
the caps lock or num lock key on.

63
Troubleshooting Authentication Issues
• Other items that you should check include:
– When typing in your username and password,
always check the caps lock and num lock keys
first.
– Make sure you have the correct language
defined and that the keyboard is operating fine
where all of the buttons click properly.
– If the time is off, authentication can fail.
– If your computer is no longer part of the domain
or is no longer trusted, you will not be able to log
in to the domain.
64
Skill Summary
• A workgroup is usually associated with a peer-to-peer
network in which user accounts are decentralized and
stored on each individual computer.
• When you create a local user account on a computer
running Windows 7, it is stored in the Security
Accounts Manager (SAM). SAM is a database stored as
a registry file.
• A user account enables a user to log on to a computer
and domain. As a result, it can be used to prove the
identity of a user, which can then be used to determine
what a user can access and what kind of access a user
will have (authorization).
65
Skill Summary
• Associated with a user account is the user
profile, which is a collection of folders and
data that store the user’s current desktop
environment and application settings.
• Credential Manager allows you to store
credentials, such as usernames and
passwords that you use to log on to websites
or other computers on a network.

66
Skill Summary
• Authentication is the process of identifying an
individual, usually based on a username and
password. After a user is authenticated, users can
access network resources based on the user’s
authorization.
• Authorization is the process of giving individuals
access to system objects based on their identity.
• Auditing is the process of keeping track of a user’s
activity while accessing the network resources,
including the amount of time spent in the network, the
services accessed while there, and the amount of data
transferred during the session.
67
Skill Summary
• Active Directory is a directory service and
technology created by Microsoft that
provides a variety of network services,
including LDAP, Kerberos-based and single
sign-on authentication, DNS-based naming,
and other network information, as well as a
central location for network administration
and delegation of authority.

68
Skill Summary
• A Windows domain is a logical unit of
computers and network resources that
define a security boundary. A domain uses a
single Active Directory database to share its
common security and user account
information for all computers within the
domain, allowing centralized administration
of all users, groups, and resources on the
network.
69
Skill Summary
• A server that is not running as a domain
controller is known as a member server.
• A domain controller is a Windows server that
stores a replica of the account and security
information of the domain and defines the
domain boundaries.
• To help organize objects within a domain
and minimize the number of domains, you
can use organizational units (OUs).
70
Skill Summary
• Like user accounts, Windows computer accounts
provide a means for authenticating and auditing
the computer’s access to a Windows network and
its access to domain resources.
• A group is a collection or list of user accounts or
computer accounts.
• Group Policy provides the centralized management
and configuration of operating systems,
applications and users’ settings in an Active
Directory environment.
72
Skill Summary
• A user right authorizes a user to perform
certain actions on a computer such as
logging on to a system interactively or
backing up files and directories on a system.
• A permission defines the type of access that
is granted to an object (an object can be
identified with a security identifier) or object
attribute.

73
Skill Summary
• An Account Lockout Policy specifies the
number of unsuccessful logon attempts that,
if made within a pre-defined amount of time,
may hint of an unauthorized person trying to
access a computer or the network.
• To help protect against someone guessing a
user’s login password, users should change
their passwords regularly.

74
