This page intentionally left blank 253 Chapter 17 Administering Windows Server 2008: The Basics 254 Networking: A Beginner’s Guide I nstalling and setting up Windows Server 2008 is only the tip of the iceberg. Far more important and time-consuming is the process of administering the server. This process includes regular and common duties such as adding new users, deleting old users, assigning permissions to users, performing backups, and so forth. These topics are covered in this chapter. Good administration habits will ensure that the network and the server remain productive and secure. Thinking About Network Security Before delving into the administrative activities discussed in this chapter, you should spend some time thinking about network security and how it relates to your specific company. Administering a server must be predicated on maintaining appropriate security for your network. The key here is to remember that every network has an appropriate level of security. The security requirements for a Department of Defense (DoD) contractor that designs military equipment will be different from the security requirements for a company that operates restaurants. Many beginning network administrators think they need to set up their networks to follow the strongest security measures available. The problem with this approach is that these measures almost always reduce the productivity of people using the network. You need to strike a balance between productivity and security in accordance with the needs of your company. For example, Windows Server 2008 enables you to set various security policies that apply to users. These include forcing password changes at specified intervals, requiring that passwords be a certain minimum length, disallowing reuse of old passwords, and so on. For example, you could set up policies to require passwords that are at least 20 characters long and that must be changed weekly. In theory, these settings should be more secure than shorter, less-frequently changed passwords. A 20-character password is virtually impossible to crack using standard methods, and weekly password changes reduce the chance that someone else will discover a user’s password and be free to use it for an extended period of time. One problem with such strict policies is that users may resort to writing down their passwords so they can remember them from week to week. A written password is far less secure than one that is remembered, because someone else can find the written password and bypass security easily after doing so. Another problem is that users might frequently forget their passwords, which will lead to them being locked out of the system for periods of time. This means they will require a lot of help from the network administrator (you!) to clear up these problems each time they occur. For a DoD contractor, these trade-offs might be worthwhile. For the restaurant operator, however, they would be inappropriate and would end up hurting the company more than they help. 255 Chapter 17: Administering Windows Server 2008: The Basics The primary reason you should pay attention to this subject before learning about administration is that you should determine the appropriate network security early, so that you can allow for it as you administer the network on a daily basis. Network security doesn’t need to take up much of your time, provided you set up your administrative procedures so they presuppose the level of security you require. For example, if you know what your password policies will be on the network, it takes only a few seconds to ensure that new users have those policies set for their account. If you know that you maintain a paper-based log of changes to security groups in the network, then it takes only a second to follow this procedure as you change group membership occasionally. Failing to determine these security practices and policies early on will result in needing to undertake much larger projects as part of a security review or audit. Security is an area where you’re much better off doing things right the first time! Working with User Accounts For anyone—including the administrator—to gain access to a server running Windows Server 2008, the user must have an account established on the server or in the domain. (A domain is essentially a collection of security information shared among Windows servers.) The account defines the user name (the name by which the user is known to the system) and the user’s password, along with a host of other information specific to each user. Creating, maintaining, and deleting user accounts is easy with Windows Server 2008. NOTE Every account created for a Windows Server 2008 domain is assigned a special number, called a security ID (SID). The server actually recognizes the user by this number. SIDs are said to be “unique across space and time.” This means that no two users will ever have the same SID, even if they have the same user name and even the same password. This is because the SID is made up of a unique number assigned to the domain and then a sequential number assigned to each created account (with billions of unique user-specific numbers available). If you have a user called Frank, delete that account, and then create another account called Frank, the accounts will have different SIDs. This ensures that no user account will accidentally receive permissions originally assigned to another user of the same name. To maintain user accounts, you use the Active Directory Users and Computers console. You can open this console by clicking the Start menu, choosing Programs, and then selecting Administrative Tools. To accomplish activities in the console, you first select either a container in the left pane or an object in the right pane, and then either right-click the container or object or open the Action pull-down menu and choose from the available options. Because the available options change based on the selected container or object, first selecting an object with which to work is important. 256 Networking: A Beginner’s Guide Adding a User To add a user with the Active Directory Users and Computers console, start by selecting the Users container in the left pane (with the tree open to the domain you are administering), as shown in Figure 17-1. Then right-click the Users container, choose New from the pop-up menu, and choose User from the submenu. You see the New Object – User dialog box, as shown in Figure 17-2. Fill in the First Name, Last Name, and User Logon Name fields. Then click the Next button to move to the next dialog box. TIP You should establish standards by which you assign logon names on your network. Small networks (those with fewer than 50 users) often just use people’s first names, followed by the first initial of their last names when conflicts arise. A more commonly used convention is to use the user’s last name followed by the first initial of their first name. This latter standard allows far more combinations before conflicts arise, and you can then resolve any conflicts that arise by adding the person’s middle initial, a number, or some other change so that all user names at any given time on the system are unique. Figure 17-1. The Active Directory Users and Computers console allows you to manage user accounts. . number assigned to each created account (with billions of unique user-specific numbers available). If you have a user called Frank, delete that account, and then create another account called Frank,. initial of their first name. This latter standard allows far more combinations before conflicts arise, and you can then resolve any conflicts that arise by adding the person’s middle initial, a. ever have the same SID, even if they have the same user name and even the same password. This is because the SID is made up of a unique number assigned to the domain and then a sequential number