Harambee University

Web Development and Database

Administration
Level - I
LEARNING GUIDE 1
Protect Application or
Unit of Competence:
System Software
Protecting Application or
Module Title:
System Software
LG Code: EIS WDDBA1 04 1221 LO1 – LG1
TTLM Code: EIS WDDBA1 TTLM 1221v4

LO 1: Ensure User Accounts are

Controlled
 Instruction Sheet Learning Guide 1
This learning guide is developed to provide you the necessary information regarding
the following content coverage and topics –
 User Account Control
 User Account Configuration
 Notifications Displayed at Logon
 Utilities Used to Check Strength of Passwords
 Accessing Information Services

This guide will also assist you to attain the learning outcome stated in the cover
page. Specifically, upon completion of this Learning Guide, you will be able to –
 Modify default user settings to ensure that they conform to security policy
 Previously created user settings are modified to ensure they conform to
updated security policy
 Ensure legal notices displayed at logon are appropriate
 Appropriate utilities are used to check strength of passwords and consider
tightening rules for password complexity
 Emails are monitored to uncover breaches in compliance with legislation
 information services are accessed to identify security gaps and take
appropriate action using hardware and software or patches

T. Sendera .J Page 2
Information Sheet - 1 User Account Control
1.1. User Access
We do want our users to access the system; it’s just that we want them to have the
appropriate access. The control of user access can take many forms and apply at
several levels. Once a computer is physically accessed, the user usually logs on to
gain access to applications. These applications will access data in files and folders.
We can simplify the process down to 3 things.
 Physical access
 Authentication
 Authorisation

1.1.1. Physical Access

The first layer of management and security is the physical access to the
computer. To prevent unauthorised access, a company may make use of:
 locks on the front doors
 locks on each floor
 locks on offices, etc
 security guards
 cameras
 keys on computer systems.
Only those who have permission and keys will be able to access a computer in
the company’s premises. The Internet, however, presents issues concerning
access to corporate information or systems because physical restrictions cannot
be imposed.

1.1.2. Authentication
Authentication is the process of verifying the identity of people who are
attempting to access the network or system. Typically, a user identifies himself to
the system, then is required to provide a second piece of information to prove
their identity. This information is only known by the user or can only be produced
by the user.
The most common method used to authenticate users is the Username and
Password method. Using this method a user identifies itself with a username.
They are then prompted for a password. The combination of name and password
are then compared by the system to its data on configured users and if the
combination matches the system’s data the user is granted access.
Other authentication methods include:
 Username with static passwords - the password stays the same until
changed by the user at some time
 Usernames with dynamic passwords - the password is constantly
changed by a password generator synchronized with the user and system.

T. Sendera .J Page 3
  Other challenge response systems- this may involve PINs, questions to
the user requiring various answers or actions
 Certificate Based - this requires the user to have an electronic certificate
or token. This may also need to be digitally signed by a trusted authority.
 Physical devices - these include the use of smartcards and biometrics.
Generally, the entire authentication process occurs on the local
workstation, thus eliminating the need for a special server.
Whatever method is used is determined by the organisational policy and security
requirements.

1.1.3. Authorisation
Once a user has been authenticated (that is their identity validated) they are
granted access to the network or system. For the user to then access data or an
application or execute some task or command they need be authorised to do so.
The authorisation process determines what the user can do on the network. In
other words it enforces the organisation policy as applicable to the user.
The Network and System administrators are responsible for the technical
configuration of network operating systems, directory services and applications.
Part of the configuration includes security settings that authorise user access.
The administrators use an organisational policy to determine these settings.
1.2. User Account
A user account is a collection of information that tells Windows which files and
folders you can access, what changes you can make to the computer, and your
personal preferences, such as your desktop background or screen saver. User
accounts let you share a computer with several people, while having your own files
and settings. Each person accesses his or her user account with a username and
password.
There are three types of accounts. Each type gives users a different level of control
over the computer:
 Standard Accounts are for everyday computing.
 Administrator Accounts provide the most control over a computer, and
should only be used when necessary.
 Guest Accounts are intended primarily for people who need temporary use
of a computer.

T. Sendera .J Page 4
 1.2.1. Standard User Account
A standard user account lets you use most of the capabilities of the computer.
You can use most programs that are installed on the computer and change
settings that affect your user account. However, you can't install or uninstall some
software and hardware, you can't delete files that are required for the computer to
work, and you can't change settings that affect other users or the security of the
computer. If you're using a standard account, you might be prompted for an
administrator password before you can perform certain tasks.
Why use a Standard User Account instead of an Administrator Account?
The standard account can help protect your computer by preventing users from
making changes that affect everyone who uses the computer, such as deleting
files that are required for the computer to work. We recommend creating a
standard account for each user.
When you are logged on to Windows with a standard account, you can do almost
anything that you can do with an administrator account, but if you want to do
something that affects other users of the computer, such as installing software or
changing security settings, Windows might ask you to provide a password for an
administrator account.

1.2.2. Administrator Account

An administrator account is a user account that lets you make changes that will
affect other users. Administrators can change security settings, install software
and hardware, and access all files on the computer. Administrators can also
make changes to other user accounts.
When you set up Windows, you'll be required to create a user account. This
account is an administrator account that allows you to set up your computer and
install any programs that you would like to use. Once you have finished setting up
your computer, we recommend that you use a standard user account for your
day-to-day computing. It's more secure to use a standard user account instead of
an administrator account because it can prevent a person from making changes
that affect everyone who uses the computer.

1.2.3. Guest Account

A guest account allows people to have temporary access to your computer.
People using the guest account can't install software or hardware, change
settings, or create a password. You have to turn on the guest account before it
can be used.

T. Sendera .J Page 5
1.3. User Profiles
User profile is a collection of settings that make the computer look and work the way
you want it to. It contains your settings for desktop backgrounds, screen savers,
pointer preferences, sound settings, and other features. Your user profile ensures
that your personal preferences are used whenever you log on to Windows.
A user profile is different from a user account, which you use to log on to Windows.
Each user account has at least one user profile associated with it.

1.4. User Account Control

User Account Control (UAC) is a feature in Windows that can help you stay in control
of your computer by informing you when a program makes a change that requires
administrator-level permission. UAC works by adjusting the permission level of your
user account. If you’re doing tasks that can be done as a standard user, such as
reading e-mail, listening to music, or creating documents, you have the permissions
of a standard user—even if you’re logged on as an administrator.
When changes are going to be made to your computer that requires administrator-
level permission, UAC notifies you. If you are an administrator, you can click Yes to
continue. If you are not an administrator, someone with an administrator account on
the computer will have to enter their password for you to continue. If you give
permission, you are temporarily given the rights of an administrator to complete the
task and then your permissions are returned back to that of a standard user. This
makes it so that even if you're using an administrator account, changes cannot be
made to your computer without you knowing about it, which can help prevent
malicious software (malware) and spyware from being installed on or making
changes to your computer.
1.4.1. User Account Control settings
User Account Control (UAC) notifies you before changes are made to your
computer that requires administrator-level permission. The default UAC setting
notifies you when programs try to make changes to your computer, but you can
control how often you are notified by UAC by adjusting the settings.

T. Sendera .J Page 6
 1.4.2. Why is User Account Control necessary?
The most important rule for controlling access to resources is to provide the least
amount of access privileges required for users to perform their daily tasks. Many
tasks do not require administrator privileges. However, because previous
versions of Windows created all user accounts as administrators by default, users
logged on to their computers with an administrator account. Without User
Account Control (UAC), when a user is logged on as an administrator, that user is
automatically granted full access to all system resources.
However, most users do not require such a high level of access to the computer.
Often users are unaware that they are logged on as an administrator when they
browse the Web, check e-mail, and run software. While logging on with an
administrator account enables a user to install legitimate software, the user can
also unintentionally or intentionally install a malicious program. A malicious
program installed by an administrator can fully compromise the computer and
affect all users.
With the introduction of UAC, the access control model changed to help mitigate
the impact of a malicious program. When a user attempts to start an
administrator application, the User Account Control dialog box asks the user to
click Yes or No before the user's full administrator access token can be used. If
the user is not an administrator, the user must provide an administrator's
credentials to run the program.
Because UAC requires an administrator to approve application installations,
unauthorized applications cannot be installed automatically or without the explicit
consent of an administrator.

T. Sendera .J Page 7
 1.4.3. How UAC Work
There are two levels of users: standard users and administrators. Standard users
are members of the Users group and administrators are members of the
Administrators group on the computer.
Both standard users and administrators access resources and run applications in
the security context of standard users by default. When a user logs on to a
computer, the system creates an access token for the user. This access token
contains information about the level of access that the user is granted, including
specific Security Identifiers (SIDs) and Windows privileges. When an
administrator logs on, two separate access tokens are created for the user: a
standard user access token and an administrator access token. The standard
user access token contains the same user-specific information as the
administrator access token, but the administrative Windows privileges and SIDs
are removed. The standard user access token can start standard user
applications but cannot start applications that perform administrative tasks.
When the user needs to run applications that perform administrative tasks
(administrator applications), the user is prompted to change or elevate the
security context from a standard user to an administrator. This default user
experience is called Admin Approval Mode. In this mode, applications require
specific permission to run as an administrator application.

T. Sendera .J Page 8
 Self-Check –1 Written Test

1. Why use a Standard User Account instead of an Administrator Account?(2 pts)

________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
2. List and describe authentication methods used to authenticate users. (4 pts)

________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________

Note: Satisfactory rating - 10 points Unsatisfactory - below 10 points

You can ask your teacher for the copy of the correct answers.

T. Sendera .J Page 9
 Information Sheet – 2 User Account Configuration
2.1. User Account Configuration
Network and System Administrators are responsible for configuring user accounts.
Network operating systems and applications have many security options and setting
relating to user access. How does an administrator determine the configuration and
setting for user accounts?
Organisation policies and procedures provide the guidelines for administrators.

2.1.1. User Account Settings

The organisation’s policies should make statements as to the degree of user
control that is required. Network procedures should contain details as to how
these policies may be implemented. For example, the policy may state that user
passwords should not be less than six characters. The procedures will then
describe how the administrator should configure the operating system to ensure
that all passwords are at least six characters.
The administrator should review the policies to ensure that the procedures
produce the desired outcomes. The procedures should describe in detail how to
make use of the operating system facilities to configure user accounts in
accordance with the security requirements.
The actual way you set these parameters will vary with each operating
environment, however, here are some basic parameters covered by most
operating systems to consider when setting up user account options:
 Password requirements-whether a password is required, minimum
length, complexity, needs to be changed at intervals, etc
 Account lock out settings - disabling accounts that have made a number
of bad logon attempts
 Access hours - the standard days and time that users will be permitted to
access the network
 Account expiry dates - date when account will be disabled
 Logon restrictions-accounts can only be used at specified locations or
workstations.
 Home directory information - a home directory is a folder that usually
has the name of the user and the user has full permissions over.
 Logon scripts - these perform specific tasks or run specific programs
when the user logs on
2.1.2. Configuring User Access
Once user account settings have been determined how do we know who should
have accounts and what access should be set?

T. Sendera .J Page 10
 2.1.2.1. User Authorisations
Once again, organisational policy and procedures provide the necessary
information for the administrators. There should be procedures in place
that inform the appropriate people that a person requires a new user
account or changes to an existing account or a deletion of accounts. The
notification procedure should cover circumstances such as new
employees joining the organisation, employees changing positions in the
organisation and employees leaving the organisation. These notifications
must come from authorised people in the organisation (managers, etc) as
stated in the policy and procedures.
Notifications also need to specify what information, data, resources etc the
account is permitted to access. The request for access must be authorised by
an appropriate person in the organisation (usually department managers). The
access permissions for users should be carefully planned and determined in
writing by appropriate people who have the authority to allocate the access.
Procedures should address:
 Which managers can authorise a new user
 Standards for user id and passwords
 Groups that users can belong to and authority required for each
group
 Basic accesses that all users are allowed
 Authorisation requirements to access sensitive data
 Application accesses
 Ability to install additional software
 Email and internet accesses
 Special accesses that may be required.

2.1.2.2. Use of Groups

The most common way of administering access permissions is to create
groups and put user accounts into appropriate groups. The group is then
permitted or denied access as required. Using groups is an efficient way of
managing authorisation because you only need to set access permission
to a group and not individual accounts.
For example, a company may have thousands of users, but analysis of
what those users want to do may show that there are twenty or more
different combinations of access permissions required. By assigning users
to groups and then allocating permissions to the group, the security
administration is greatly simplified.
Once we have users allocated to groups we can explore other levels of
controlling access. Allocating permissions to folders and files is a major
security provision of network operating systems and one that is important

T. Sendera .J Page 11
 to set up correctly. Can we go lower and look at the content of a specific
file and restrict access there?
The restriction of file access is most applicable in controlling access to
database files.
For example, imagine a Payroll system using a database in which the data
is stored in tables. These tables have columns and rows of data. Let us
think about two groups of user, the payroll department staff and the
manager of a department. The payroll group are likely to be allowed full
access to all the data although in a very large organisation there may be
segregation of access.
But what about a department manager? This person may be allowed to
see salary details for the staff that work in the department only.
In the table containing salary details there may be a row for every
employee in the organisation. This means that we only want to show this
manager the rows that relate to the one department. This would be
secured with a filter that only displays staff in the department being
examined.
Furthermore there may be information about an employee that even their
manager may not be able to see, such as medical or financial information.
This information may be restricted by controlling the columns returned in a
report or query.
This type of security is really part of the application control rather than the
network but it is still an important part of the overall security of the system
and needs to be addressed by the organisational procedures.

2.1.2.3. Permissions and Rights

Permissions generally refer to file and directory access. The user account
or group can be set with the following type of permissions:
 No access at all to files and directories
 Read only.
 Modify where the contents of files and directories may be
accesses but changed or added to but not deleted
 Full Control or Supervisory where files and directories can be
view modified and deleted.
Rights (or privileges) generally refer to the restriction on user accounts or
group in performing some task or activity. For example a user account or
group may be assigned administrator or supervisor rights meaning that the
user can perform administration tasks like create, modify or delete user
accounts. Care must be taken with rights to ensure security is not
compromised.

T. Sendera .J Page 12
2.2. Managing User Accounts
Once user accounts are configured we still need to manage the accounts as required
by organisational policy. For example user accounts for contractors are active only
for as long as the contractor are physically on site. This means that accounts need to
be enabled and disabled. This activity should be addressed by procedures.
Note also that many networks on different OS’s allow’ ’guest’ and’ ’temporary’
accounts. These are usually set up for either read-only or short-term access to
people who would not normally have access to the system. Great care must be
taken in configuring or using these accounts firstly because they can allow
anonymous and uncontrolled use of a system and secondly guest passwords can
sometimes be guessed easily and provide a doorway for hackers/crackers.
Administrators need to review procedures to ensure that they remain current and
address any changes to the organisation and the network.
Administrators need to be aware of user activities and practices when accessing the
network. Organisational policy and procedures should address how users should
access the network. In time users may develop shortcuts and practices that
knowingly or unknowingly are in breech of policy and may compromise network
security. For example a user may log on to the network on one workstation. Then to
allow access for a colleague who has forgotten their password the users logs in on
another workstation for the colleague. The result is two concurrently network
connections for one user account but for two different people who have different user
access requirements.
To manage user accounts appropriately administrators should
 Regularly review organisational policies and procedures to be aware of
requirements and address any organisational or network changes
 Conduct regular checks to ensure the change management procedures are
working for new, changed and deleted users
 Review and investigate current work practices regarding user network
access
 Conduct information and training sessions for network users to reinforce
appropriate practices and organisational policy
 Conduct regular audits of network access—verifying current users and
deleting expired accounts
Managing user accounts can be a complex and tedious task but we can make things
easier by ensuring appropriate policy and procedures are in place.

T. Sendera .J Page 13
 Self-Check –2 Written Test

Directions: Answer all the questions listed below. Use the Answer sheet provided
in the next page:
1. _____________________ generally refer to the restriction on user accounts or
group in performing some task or activity.(1 pts)
2. List what administrators should do to manage user accounts appropriately. (4
pts)
3. Managing user accounts can be a complex and tedious task but we can make
things easier by ensuring appropriate __________________ are in place.(1 pts)

Note: Satisfactory rating - 11 points Unsatisfactory - below 11 points

You can ask your teacher for the copy of the correct answers.

T. Sendera .J Page 14
 Information Sheet - 3 Notifications Displayed at Logon

3.1. Identifying Logon Restrictions

Often, authentication problems occur because administrators have configured logon
restrictions to enforce the organization’s security requirements. Logon restrictions
include locking accounts after several incorrect attempts at typing a password,
allowing users to log on only during specific hours, requiring users to change their
passwords regularly, disabling accounts, and accounts that expire on a specific date.
The sections that follow describe each of these types of logon restrictions.

3.1.1. Account Lockout

If a user provides incorrect credentials several times in a row (for example, if an
attacker is attempting to guess a user’s password, or if a user repeatedly
mistypes a password), Windows can block all authentication attempts for a
specific amount of time.
Account lockout settings are defined by Group Policy settings in the Computer
Configuration\Windows Settings\Security Settings\Account Policies\Account
Lockout Policies\ node as follows:
 The number of incorrect attempts is defined by the Account Lockout
Threshold setting.
 The time that the number of attempts must occur within is defined by the
Reset Account Lockout Counter After policy.
 The time that the account is locked out is defined by the Account Lockout
Duration policy.
If a user receives an error message indicating that her account is locked out or
she cannot log in even if she thinks she has typed her password correctly, you
should validate the user’s identity and then unlock the user’s account. To unlock
a user’s account, view the user’s Properties dialog box, and clear the Account Is
Locked Out check box (for local Windows 7 user accounts) Then, click Apply.

3.1.2. Logon Hour Restrictions

Administrators can also use the Account tab of an AD DS user’s properties to
restrict logon hours. This is useful when administrators do not want a user to log
on outside his normal working hours.
If a user attempts to log on outside his allowed hours, Windows 7 displays the
error message “Your account has time restrictions that prevent you from logging
on at this time. Please try again later.” The only way to resolve this problem is to
adjust the user’s logon hours by clicking the Logon Hours button on the Account
tab of the user’s Properties dialog box.

T. Sendera .J Page 15
 3.1.3. Password Expiration
Most security experts agree that users should be required to change their
passwords regularly. Changing user passwords accomplishes two things:
 If attackers are attempting to guess a password, it forces them to restart
their efforts. If users never change their passwords, attackers would be
able to guess them eventually.
 If an attacker has guessed a user’s password, changing the password
prevents the attacker from using these credentials in the future.
Password expiration settings are defined by Group Policy settings in the
Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy node as follows:
 The time before a password expires is defined by the Maximum Password
Age policy.
 The number of different passwords that users must have before they can
reuse a password is defined by the Enforce Password History policy.
 The time before users can change their password again is defined by the
Minimum Password Age policy. When combined with the Enforce
Password History policy, this can prevent users from changing their
password back to a previous password.
If users attempt to log on interactively to a computer and their password has
expired, Windows prompts them to change their password automatically. If users
attempt to access a shared folder, printer, Web site, or other resource using an
expired password, they will simply be denied access. Therefore, if a user calls
and complains that she cannot connectto a resource, you should verify that the
user’s password has not expired. You can prevent specific accounts from
expiring by selecting the Password Never Expires check box on the Account tab
of the user’s Properties dialog box.

3.1.4. Disabled Account

Administrators can disable user accounts to prevent a user from logging on. This
is useful ifa user is going on vacation and you know she won’t be logging on for a
period of time, or if a user’s account is compromised and IT needs the user to
contact them before logging on.
To enable a user’s disabled account, clear the Account Is Disabled check box in
the user’sProperties dialog box.

T. Sendera .J Page 16
 3.1.5. Account Expiration
In AD DS domains, accounts can be configured to expire. This is useful for users
who will be working with an organization for only a limited amount of time. For
example, if a contract employee has a two-week contract, domain administrators
might set an account expiration date of two weeks in the future.
To resolve an expired account, edit the account’s properties, select the Account
tab, and set the Account Expires value to a date in the future. If the account
should never expire, you can set the value to Never.

3.2. Determining Logon Context

Users can authenticate to the local user database or an AD DS domain. Logon
restrictions defined for the domain only apply to domain accounts, and vice versa.
Therefore, when examining logon restrictions for users, you must determine their
logon context.
The quickest way to do this is to open a command prompt and run the command set
to display all environment variables. Then, look for the USERDOMAIN line. If the
user logged on with a local user account, this will be the computer name (shown on
the COMPUTERNAME line). If the user logged on with an AD DS user account, this
will be the name of the domain. You can also check the LOGONSERVER line to
determine whethera domain controller or the local computer authenticated the user.

T. Sendera .J Page 17
 Self-Check –3 Written Test

1. Write the two things that changing user passwords accomplishes:(2 pts)

________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________

2. If users attempt to log on interactively to a computer and their password has

expired Windows prompts them to ______________________________. (1 pts)
3. Administrators can ______________________ to prevent a user from logging
on.(1 pts)

Note: Satisfactory rating - 5 points Unsatisfactory - below 5 points

You can ask your teacher for the copy of the correct answers.

T. Sendera .J Page 18
Information Sheet - 4 Protect Your Computer with a Password

4.1. Definitions of a Password

A password is a string of characters that people can use to log on to a computer and
access files, programs, and other resources. Passwords help ensure that people do
not access the computer unless they have been authorized to do so. In Windows, a
password can include letters, numbers, symbols, and spaces. Windows passwords
are also case-sensitive. To help keep your computer secure, you should always
create a strong password.
To help keep the information on your computer secure, you should not give out your
password or write it in a placewhere others can see it.
4.1.1. STRONG PASSWORDS AND PASSPHRASES
A password is a string of characters used to access information or a computer.
Passphrases are typically longer than passwords, for added security, and contain
multiple words that create a phrase. Passwords and passphrases help prevent
unauthorized people from accessing files, programs, and other resources. When
you create a password or passphrase, you should make it strong, which means
it's difficult to guess or crack. It's a good idea to use strong passwords on all user
accounts on your computer. If you're using a workplace network, your network
administrator might require you to use a strong password.

Tables 4-1 makea password or passphrase strong

A strong password:
 Is at least eight characters long.  Is 20 to 30 characters long.
 Does not contain your user name,
real name, or company name.
 Does not contain a complete
word.
 Is significantly different from
previous passwords.
A strong passphrase:
 Is a series of words that create a phrase.
 Does not contain common phrases found
in literature or music.
 Does not contain words found in the
dictionary.
 Does not contain your user name, real
name, or company name.
 Is different from previous passphrases.

T. Sendera .J Page 19