Once you have configured user objects, and users are authenticating against those accounts, you expose yourself to two additional challenges: security vulnerabilities, which if unaddressed could compromise the integrity of your enterprise network; and social engineering challenges, as you work to make the network, and authentication in general, friendly and reliable for users. Unfortunately, these two dynamics are at odds with each other—the more secure a network, the less usable it becomes. In this lesson, we will address issues related to user authentication. You will learn the impact of domain account policies, including password policies and account lockout policies. You will also learn how to configure auditing for logon-related events, and to perform various authentication-related tasks on user objects. After this lesson, you will be able to ■ Identify domain account policies and their impact on password requirements and authentication ■ Configure auditing for logon events ■ Modify authentication-related attributes of user objects Estimated lesson time: 15 minutes
Securing Authentication with Policy
Active Directory on Windows Server 2003 supports security policies to strengthen pass-words and their use within an enterprise. Of course, you must design a password pol-icy that is sufficiently daunting to attackers while being sufficiently convenient for users, so that they do not forget passwords (resulting in increased calls to the help desk) or, worse, write down their passwords.
A system running Windows Server 2003 as a member server maintains a policy related to its local user accounts. The local security policy can be managed using the appropriately named snap-in: Local Security Policy.
You will more often be concerned with the policy that affects domain user objects. Domain account policy is managed by the Default Domain Policy. To examine and modify this policy, open Active Directory Users and Computers. Select the domain node and choose Properties from the Action menu. Click the Group Policy tab. The GPO listed as the first, or top object link is the policy object that will drive the domain account policies. It is typically, and in best practice, the Default Domain Policy. Select that policy and click Edit. The Group Policy Object Editor console opens, focused on the Default Domain policy. Navigate to Computer Configuration, Windows Settings, Security Settings, Account Policies.
Lesson 4 Securing and Troubleshooting Authentication 3-39 Password Policy
The domain password policies enable you to protect your network against password compromise by enforcing best-practice password management techniques. The policies are described in Table 3-5.
Table 3-5 Password Policies
Enforce Pass-word History
Maximum Password Age
Minimum Password Age
Minimum Password Length
Passwords Must Meet Complexity Requirements
When this policy is enabled, Active Directory maintains a list of recently used passwords, and will not allow a user to create a password that matches a pass- word in that history. The result is that a user, when prompted to change his or her password, cannot use the same password again, and therefore cannot cir cumvent the password lifetime. The policy is enabled by default, with the maximum value of 24. Many IT organizations use a value of 6 to 12.
This policy determines when users will be forced to change their passwords. Passwords that are unchanged or infrequently changed are more vulnerable to being cracked and utilized by attackers to impersonate a valid account. The default value is 42 days. IT organizations typically enforce password changes every 30 to 90 days.
When users are required to change their passwords—even when a password history is enforced—they can simply change their passwords several times in a row to circumvent password requirements and return to their original pass- words. The Minimum Password Age policy prevents this possibility by requir ing that a specified number of days must pass between password changes. Of course, a password can be reset at any time in Active Directory by an adminis trator or support person with sufficient permissions. But the user cannot change their password more than once during the time period specified by this setting.
This policy specifies the minimum number of characters required in a pass- word. The default in Windows Server 2003 is seven.
This policy enforces rules, or filters, on new passwords. The default password filter in Windows Server 2003 (passfilt.dll) requires that a password: ■ Is not based on the user’s account name.
■ Is at least six characters long.
■ Contains characters from three of the following four character types:
❑ Uppercase alphabet characters (A…Z)
❑ Lowercase alphabet characters (a…z)
❑ Arabic numerals (0…9)
❑ Nonalphanumeric characters (for example, !$#,%) Windows Server 2003 enables this policy, by default.
3-40 Chapter 3 User Accounts Note Configuring password length and complexity requirements does not affect existing passwords. These changes will affect new accounts and changed passwords after the policy is applied. Account Lockout Policy
Account lockout refers, in its broadest sense, to the concept that after several failed logon attempts by a single user, the system should assume that an attacker is attempting to compromise the account by discovering its password and, in defense, should lock the account so no further logons may be attempted. Domain account lockout policies determine the limitations for invalid logons, expressed in a number of invalid logons in a period of time, and the requirements for an account to become unlocked, whether by simply waiting or contacting an administrator. Table 3-6 summarizes Account Lockout policies.
Table 3-6 Account Lockout Policies
Account Lockout Threshold
Account Lockout Duration
Reset Account Lockout Counter After
This policy configures the number of invalid logon attempts that will trig ger account lockout. The value can be in the range of 0 to 999. A value that is too low (as few as three, for example) may cause lockouts due to normal, human error at logon. A value of 0 will result in accounts never being locked out. The lockout counter is not affected by logons to locked workstations.
This policy determines the period of time that must pass after a lockout before Active Directory will automatically unlock a user’s account. The policy is not set by default, as it is useful only in conjunction with the Account Lockout Threshold policy. Although the policy accepts values ranging from 0 to 99999 minutes, or about 10 weeks, a low setting (5 to 15 minutes) is sufficient to reduce attacks significantly without unreason- ably affecting legitimate users who are mistakenly locked out. A value of 0 will require the user to contact appropriate administrators to unlock the account manually.
This setting specifies the time that must pass after an invalid logon attempt before the counter resets to zero. The range is 1 to 99999 min utes, and must be less than or equal to the account lockout duration.
Lesson 4 Securing and Troubleshooting Authentication 3-41 Cross-Platform Issues Organizations commonly implement a mix of directory service, server, and client platforms. In environments in which Windows 95, Windows 98, Windows Me, or Windows NT 4 participate in an Active Directory domain, administrators need to be aware of several issues. ■ Passwords: While Windows 2000, Windows XP Professional, and Windows Server 2003 support 127-character passwords, Windows 95, Windows 98, and Windows ME support only 14-character passwords. ■ Active Directory Client: The Active Directory Client can be downloaded from Microsoft’s web site and installed on Windows 95, Windows 98, Windows Me, and Windows NT 4 systems. It enables those platforms running previous editions of Windows to participate in many Active Directory features avail-able to Windows 2000 Professional or Windows XP Professional, including the following: ❑ Site-awareness: a system with the Active Directory Client will attempt to log on to a domain controller in its site, rather than to any domain con-troller in the enterprise. ❑ Active Directory Service Interfaces (ADSI): use scripting to manage Active Directory. ❑ Distributed File System (Dfs): access Dfs shared resources on servers running Windows 2000 and Windows Server 2003. ❑ NT LAN Manager (NTLM) version 2 authentication: use the improved authentication features in NTLM version 2. ❑ Active Directory Windows Address Book (WAB): property pages ❑ Active Directory search capability integrated into the Start–Find or Start– Search commands. The following functionalites, supported on Windows 2000 Professional and Windows XP Professional, are not provided by the Active Directory client on Windows 95, Windows 98, and Windows NT 4: ■ Kerberos V5 authentication ■ Group Policy or Change and Configuration Management support ■ Service principal name (SPN), or mutual authentication.
3-42 Chapter 3 User Accounts In addition, you should be aware of the following issues in mixed environments: ■ Windows 98 supports passwords of up to 14 characters long. Windows 2000, Windows XP, and Windows Server 2003 can support 127-character pass-words. Be aware of this difference when configuring passwords for users who log on using Windows 98. ■ Without the Active Directory client, users on systems using versions of Windows earlier than Windows 2000 can change their password only if the system has access to the domain controller performing the single master operation called primary domain controller (PDC) emulator. To determine which system is the PDC emulator in a domain, open Active Directory Users And Computers, select the domain node, choose the Operations Masters command from the Action menu, and then click the PDC tab. If the PDC emulator is unavailable (that is, if it is offline or on the distant side of a downed network connection), the user cannot change his or her password. ■ As you have learned in this chapter, user objects maintain two user logon name properties. The Pre-Windows 2000 logon name, or SAM name, is equivalent to the user name in Windows 95, Windows 98, or Windows NT 4. When users log on, they enter their user name and must select the domain from the Log On To box. In other situations, the user name may be entered in the format <DomainName>\<UserLogonName>. ■ Users logging on using Windows 2000 or later platforms may log on the same way, or they may log on using the more efficient UPN. The UPN takes the format <UserLogonName>@<UPN Suffix>, where the UPN suffix is, by default, the DNS domain name in which the user object resides. It is not necessary to select the domain from the Log On To box when using UPN logon. In fact, the box becomes disabled as soon as you type the “@” symbol.
If you are concerned that attacks may be taking place to discover user passwords, or to troubleshoot authentication problems, you can configure an auditing policy that will create entries in the Security log that may prove illuminating.
The following policies are located in the Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy node of Group Policy Object Editor (or the Local Security Policy snap-in). You can configure auditing for successful or failed events.
■ Audit Account Logon Events This policy audits each instance of user logon that involves domain controller authentication. For domain controllers, this policy is defined in the Default Domain Controllers GPO. Note, first, that this policy will
! Lesson 4 Securing and Troubleshooting Authentication 3-43 create a Security log entry on a domain controller each time a user logs on inter-actively or over the network using a domain account. Second, remember that to evaluate fully the results of the auditing, you must examine the Security logs on all domain controllers, because user authentication is distributed among each domain controller in a site or domain.
■ Audit Account Management Configures auditing of activities including the creation, deletion, or modification of user, group, or computer accounts. Password resets are also logged when account management auditing is enabled.
■ Audit Logon Events Logon events include logon and logoff, interactively or through network connection. If you have enabled Audit Account Logon Events policy for successes on a domain controller, workstation logons will not generate logon audits. Only interactive and network logons to the domain controller itself generate logon events. Account logon events are generated on the local computer for local accounts and on the domain controller for network accounts. Logon events are generated wherever the logon occurs. Tip Keep track of the distinction between Account Logon and Logon events. When a user logs on to their workstation using a domain account, the workstation registers a Logon event and the domain controller registers an Account Logon event. When the user connects to a network server’s shared folder, the server registers a Logon event and the domain controller registers an Account Logon event. Security Event Log
Once you have configured auditing, the security logs will begin to fill with event messages. You can view these messages by selecting Security from the Event Viewer snap-in, and then double-clicking the event. Exam Tip Remember that Account Logon events will need to be monitored on each domain controller. Logon events must be monitored on all systems.
Administering User Authentication
When users forget their passwords, are transferred or terminated, you will have to manage their user objects appropriately. The most common administrative tasks related to user account security are unlocking an account, resetting a password, disabling, enabling, renaming, and deleting user objects.
3-44 Chapter 3 User Accounts Unlocking a User Account
The account lockout policy requires that when a user has exceeded the limit for invalid logon attempts, the account is locked and no further logons can be attempted for a specified period of time, or until an administrator has unlocked the account.
To unlock a user, select the user object and, from the Action menu, choose Properties. Click the Account tab and clear the check box: Account Is Locked Out.
Resetting User Passwords
If a user forgets his or her password, you must reset the password. You do not need to know the user’s old password to do so. Simply select the user object and, from the Action menu, choose the Reset Password command. Enter the new password twice to confirm the change, and as a security best practice, select the User Must Change Pass-word At Next Logon option.
Disabling, Enabling, Renaming, and Deleting User Objects
Personnel changes may require you to disable, enable, or rename a user object. The process for doing so is similar for each action. Select the user and, from the Action menu, choose the appropriate command, as follows:
■ Disabling And Enabling A User When a user does not require access to the network for an extended period of time, you should disable the account. Re-enable the account when the user needs to log on once again. Note that the only one of the commands to Disable or Enable will appear on the Action menu depending on the current status of the object.
■ Deleting A User When a user is no longer part of your organization, and there will not soon be a replacement, delete the user object. Remember that by deleting a user, you lose its group memberships and, by deleting the SID, its rights and per-missions. If you recreate a user object with the same name, it will have a different SID, and you will have to reassign rights, permissions, and group memberships.
■ Renaming A User You will rename a user if a user changes their name, for example through marriage, or in the event that a user is no longer part of your organization, but you are replacing that user and you want to maintain the rights, permissions, group memberships, and most of the user properties of the previous user. Tip Be certain to understand the difference between disabling and deleting an object; and between enabling and unlocking a user.
注册－收款工具那么多，为何选择Payoneer？ ｜ 为何申请Payoneer万事达预付卡+欧美日收款银行账号？
Payoneer有卡账户和无卡账户的区别 ｜ Payoneer个人账户注册申请教程 ｜ P卡公司帐户注册教程
Payoneer欧元帐户（虚拟卡） ｜ Payoneer英镑帐户 ｜ Payoneer日元帐户 ｜ 订购实体卡（P卡）
Payoneer卡年费啥时候扣？ ｜ Payoneer卡休眠和激活 ｜ P卡到期后如何更换？ ｜ 如何注销P卡？
官方－Payoneer秉承公正、公开、透明服务 ｜ Payoneer官方最新政策汇总 ｜ 官方客服联系方式
Payoneer官方费用表 ｜ 如何减少Payoneer的手续费？ ｜ 点此免除入账费 ｜ 点此降低提现费
跨境收款服务商拷问篇——Payoneer ｜ Payoneer客户答疑手册（FAQ） ｜ Payoneer手机App
收款－跨境电商/外贸收款方式对比 ｜ Payoneer可以错名收款吗？
Amazon亚马逊卖家设置Payoneer卡收款教程 ｜ Payoneer支持从美国电商平台Newegg收款
CJ联盟设置Payoneer卡收款 ｜ ClickBank联盟设置Payoneer收款 ｜ Amazon联盟设置P卡收款
Payoneer如何从东南亚电商平台Lazada收款 ｜ 如何在Lazada开店？
Payoneer如何从拉美电商平台Linio收款？ ｜ Payoneer绑定非洲电商平台Jumia收款
Payoneer如何从跨境移动电商Wish收款？ ｜ Wish模式正在改变电商格局
Payoneer支持从法国乐天Priceminister收款 ｜ 法国电商平台CDiscount对接Payoneer收款
Payoneer可接受个人与公司信用卡付款（请求付款） ｜ 关于Payoneer卡充值
从PayPal提现到Payoneer卡教程及手续费用 ｜ PayPal无法绑定并转账到Payoneer卡？
提现－从Payoneer卡提现到国内银行账户 ｜ Payoneer无法从Dating联盟收款并限制提现方式
用P卡在中国银行ATM机取款4000元 ｜ 用Payoneer卡在中国建设银行ATM机取款500元