Chapter two
Accounts and Security
Administration, and Access
Control (DAC, RBAC)
Network and System Administration 1
Contents
• Host Management
• User Management
• Accounts
• Security Administration
• Access Control Lists
• Managing files and folder permission
Host Management (Server)
Physical considerations of server room
• Critical hardware needs to be protected from accidental and malicious damage.
• Any server room should have, at the very least,
A lockable door,
Cooling or ventilation equipment to prevent the temperature from rising
above about 20 degrees Celsius
Some kind of anti-theft protection.
Backup tapes should never be stored in the same room as the hosts whose data
they contain.
Duplicate servers are best placed in different physical locations.
Computer startup and shutdown
• The two most fundamental operations which one can perform on a host are to
start it up and to shut it down.
• With a multitasking operating system, the problem is that it is never possible to
predict when the system will be performing a crucial operation in the
background.
• For this simple reason, every multitasking operating system provides a
procedure for shutting down safely.
• A safe shutdown avoids damage to disks by mechanical interruption, but it also
synchronizes hardware and memory caches, making sure that no operation is
left incomplete.
Cont.
• Startup is plug and play on a server host,
or done by pressing the power button.
• Best techniques to safely shut down the
machine:
1. Press “Alt + F4”, select
“Shut down” and then press “Enter” (for
Windows).
2. Click the Start menu, click the power icon and
then click Shut down.
3. Simply press the power button on the
system unit.
Partitioning
• Disks can be divided up into partitions.
• The main difference between two partitions on one disk and two
separate disks is:
partitions can only be accessed one at a time, whereas multiple
disks can be accessed in parallel.
• Partitioning a disk allows us to reserve a fixed amount of space for a
particular purpose.
• For example, it makes sense to place the operating system on a
separate partition, and user data on another partition.
Formatting and building file systems
• Disk formatting is a way of organizing and finding a way around the surface of
a disk.
• It is the process of preparing storage devices. It involves
• Creating file system (NTFS, FAT32)
• Erasing existing data
• Checking for bad sectors
• On a disk surface, it makes sense to divide up the available space into sectors or
blocks.
• The way in which different operating systems choose to do this differs, and thus
one kind of formatting is incompatible with another.
Installation of the operating system
• The installation process is one of the most destructive things we can
do to a computer.
• Everything on the disk will disappear during the installation process.
• One should therefore have a plan for restoring the information if it
should turn out that reinstallation was in error.
• Today, installing a new machine is a simple affair.
• The operating system comes on some removable medium (like a CD
or DVD or USB Drive) that is inserted into the player and booted.
One then answers a few questions and the installation is done.
Dual boot
• Dual booting means installing two or more operating systems
on a single computer and choosing one to run at startup.
• There are many advantages to having both Windows and
Linux (plus any other operating systems you might like) on
the same PC.
• This is now easily achieved with the installation procedures
provided by these two operating systems.
• The only thing we need is two or more partitions of the disk.
Software installation in Linux
• Most standard operating system installations will not leave us in
possession of an immediately usable system. We also need to install
third party software in order to get useful work out of the host.
• Two methods of installing package software in Linux:
Method 1: Get the application over the internet
host# sudo apt-get install <software-package-name>
Method 2: Download the package (.deb) and install it manually
host# sudo dpkg -i <software-package-name.deb>
User Management
• User management describes the ability for administrators to manage user access to
various IT resources like systems, devices, applications, storage systems, networks, and
more.
• User management is about interfacing humans to computers. System administrators are
allowed to perform all administrative activities, like creating new monitor groups, creating
new actions, adding new users and resetting user passwords.
• The primary difference between a standard user and an administrator is the level of
access that the user has over core, protected areas of the computer.
• Administrators can change the system state, turn off the firewall, configure security
policies, install a service or a driver that affects every user on the computer, and install
software for the entire computer.
• Standard users cannot perform these tasks, and they can only install per-user software.
• One of the first issues on a new host is to issue accounts for users.
• Local system managers need to be able to register new users in a global user database.
• Users can be registered at a centralized location by the system manager, and made
available to all of the hosts in the network by some sharing mechanism, such as a
login server, distributed authentication service or by direct copying of the data.
Types of user account
Most organizations need a system for centralizing passwords, so that each user will
have the same password on each host on the network.
Local Accounts
Domain Accounts
• A local account is an account set up on the machine. Local
accounts are stored on computers and only apply to the
security of those machines.
- It is maintained on the local system, not distributed to other
systems.
- In Windows, a local user is one whose username and
encrypted password are stored on the computer itself.
• Domain accounts are stored in Active Directory, and security
settings for the account can apply to accessing resources and
services across the network domain.
- They are used when you log in with a domain account on a network.
- You need a domain controller to be able to set up accounts
to log in.
- Domain users evolved in response to the
challenges administrators face when managing large numbers of
computers, peripherals (e.g., printers, network storage), services,
and users.
What is security (account policy)?
Security is an important aspect of operating system design because it safeguards
against access to resources by unauthorized users.
The security mechanism can be broken into two steps:
Authentication and
Authorization
• Authentication involves identifying a user.
• Authorization ensures that an identified user has access only to the resources that
they have been permitted to use.
Important Steps to Security
• Password Protection
• Protecting the network by filtering Network Access and
Traffic (i.e. Firewall)
• Running Security Assessments.
• Examine and monitor log files
• Make use of Intrusion Detection tools
• Teach users
Access Control
• Access control is a security technique that regulates who or what can
view or use resources in a computing environment.
• Access controls are used to restrict or prevent access to certain material for certain users.
• There are two types of access control: physical and logical.
• Physical access control limits access to campuses, buildings,
rooms and physical IT assets.
• Logical access control limits connections to computer networks,
system files and data.
• Access control systems perform identification, authentication and
authorization of users and entities by evaluating required login
credentials, which can include
• passwords, personal identification numbers (PINs), biometric
scans, etc.
• This information could be stored in an access matrix.
• ACLs are used in two steps:
• First, ACL elements are defined based on IP address, URL
hostname, port numbers, …
• Second, apply them into access rules
Access Matrix
• Access matrix is used to define the rights of each process executing in the
domain with respect to each object. The rows of matrix represent domains
and columns represent objects. Each cell of matrix represents set of access
rights which are given to the processes of domain.
• It is used to describe which users have access to what objects
• The matrix can be modified only by the owner or the administrator.
• The access matrix model has 2 dimensions:
A list of objects. Objects could be files, processes, or disk drivers
A list of subjects (domains)
• According to the above matrix: there are four domains and four
objects- three files(F1, F2, F3) and one printer. A process
executing in D1 can read files F1 and F3.
• A process executing in domain D4 has same rights as D1 but it can
also write on files.
• Printer can be accessed by only one process executing in domain
D2.
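The matrix described above, written out as an added example (not part of the original slides), together with the two views derived from it: the column for an object is its ACL, and the row for a domain is that domain's list of rights. The D3 row and the owner assigned to each object are constructed for illustration; the D1, D2 and D4 entries follow the text.

```python
from collections import defaultdict


class AccessMatrix:
    def __init__(self, owner_of):
        self.cells = defaultdict(set)    # (domain, object) -> set of rights
        self.owner_of = dict(owner_of)   # object -> owning domain (constructed)

    def grant(self, actor, domain, obj, right):
        """Only the object's owner or the administrator may change a cell."""
        if actor != "admin" and self.owner_of.get(obj) != actor:
            raise PermissionError(f"{actor} may not modify rights on {obj}")
        self.cells[(domain, obj)].add(right)

    def allowed(self, domain, obj, right):
        # A missing or empty cell means no access (default deny).
        return right in self.cells.get((domain, obj), set())

    def acl(self, obj):
        """Column view: what an ACL attached to `obj` would list."""
        return {d: sorted(r) for (d, o), r in self.cells.items() if o == obj and r}

    def capabilities(self, domain):
        """Row view: everything a process executing in `domain` may do."""
        return {o: sorted(r) for (d, o), r in self.cells.items() if d == domain and r}


def build_example():
    owners = {"F1": "D4", "F2": "D3", "F3": "D4", "printer": "D2"}  # constructed
    m = AccessMatrix(owners)
    rows = {
        "D1": {"F1": {"read"}, "F3": {"read"}},
        "D2": {"printer": {"print"}},
        "D3": {"F2": {"read"}, "F3": {"execute"}},  # constructed, not from the text
        "D4": {"F1": {"read", "write"}, "F3": {"read", "write"}},
    }
    for domain, objs in rows.items():
        for obj, rights in objs.items():
            for right in rights:
                m.grant("admin", domain, obj, right)
    return m


if __name__ == "__main__":
    m = build_example()
    print("ACL of F1:", m.acl("F1"))
    print("ACL of printer:", m.acl("printer"))
    print("Rights of D1:", m.capabilities("D1"))
    print("D1 write F1?", m.allowed("D1", "F1", "write"))
```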
Advantage and disadvantage of ACLs
• Traffic flow control
• Restricted network traffic for better network performance
• A level of security for network access specifying which
areas of the server/network/service can be accessed by a
user and which cannot
• Granular monitoring of the traffic exiting and entering the
system
Access Control Models
Three most common access control models:
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Role-Based Access Control (RBAC)
Mandatory access control (MAC)
• Mandatory access control uses a centrally managed model to provide the highest level of
security, where access to system resources is controlled by the operating system (under the
control of a system administrator).
• MAC works by applying security labels to resources and individuals. These security labels
consist of two elements:
1. Classification and clearance — MAC relies on a classification system (restricted,
secret, top-secret, etc.) that describes a resource’s sensitivity.
Users’ security clearances determine what kinds of resources they may access.
2. Compartment — A resource’s compartment describes the group of people (department,
project team, etc.) allowed access.
A user’s compartment defines the group or groups they participate in.
• A user may only access a resource if their security label matches the resource’s security
label.
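A label check built from the two elements above, as an added example that is not part of the original slides. It assumes one common reading of "matches": the user's clearance must be at least the resource's classification, and the user must belong to every compartment of the resource. The users, resources and compartment names are constructed.

```python
from dataclasses import dataclass

# Classification levels named in the text, ordered from least to most sensitive.
LEVELS = ["restricted", "secret", "top-secret"]


@dataclass(frozen=True)  # frozen: a label cannot be edited once it is assigned
class Label:
    level: str
    compartments: frozenset


def label(level, *compartments):
    if level not in LEVELS:
        raise ValueError(f"unknown classification: {level}")
    return Label(level, frozenset(compartments))


def decision(user, resource):
    """Return 'allow' or a deny reason suitable for an audit log."""
    if LEVELS.index(user.level) < LEVELS.index(resource.level):
        return "deny: clearance below classification"
    missing = resource.compartments - user.compartments
    if missing:
        return "deny: not in compartment(s) " + ", ".join(sorted(missing))
    return "allow"


def may_access(user, resource):
    return decision(user, resource) == "allow"


if __name__ == "__main__":
    # Constructed subjects and objects.
    analyst = label("top-secret", "finance")
    engineer = label("secret", "project-x", "finance")
    intern = label("restricted", "project-x")
    design_doc = label("secret", "project-x")

    for name, who in (("analyst", analyst), ("engineer", engineer), ("intern", intern)):
        print(f"{name:9s} -> design_doc: {decision(who, design_doc)}")
```

The analyst holds the highest clearance yet is denied, because clearance alone is not enough without membership of the resource's compartment.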
Discretionary access control (DAC)
• DAC systems use access control lists (ACLs) to determine who can access a
resource.
• These tables pair individual and group identifiers with their access privileges.
• DAC decentralizes security decisions to resource owners and allows each user to
control access to their own data.
• For each document you own, you can set read/write privileges and
password requirements within a table of individuals and user groups.
• System administrators can use similar techniques to secure access to
network resources.
• Each resource object on a DAC based system has an Access Control List (ACL)
associated with it.
Access Control List
• An access control list (ACL) is a list that tells the operating system which access rights
each user has to a particular system object, as well as what operations are allowed on given
objects.
• An access control list (ACL) contains rules that grant or deny access to certain
digital environments. There are two types of ACLs:
I. Filesystem ACL- filter access to files and/or directories. Filesystem ACLs tell
operating systems which users can access the system, and what privileges the
users are allowed.
II. Networking ACLs- filter access to the network. Networking ACLs tell
routers and switches which type of traffic can access the network, and which
activity is allowed.
Role-based access control (RBAC)
• Role-based access control gives access permissions to users based on
their roles within the organization by administrators who manage and
administer them.
• For example, an accountant in a company will be assigned to the Accountant
role, gaining access to all the resources permitted for all accountants on the
system.
• Examples of Rules Based Access Control include situations such as
permitting access for an account or group to a network connection at
certain hours of the day or days of the week.
• As with MAC, access control cannot be changed by users. All access
permissions are controlled solely by the system administrator.
User Profile
A user profile is a collection of a user’s personal files and settings that define his or
her working environment.
• Some key folders in a user’s profile:
- AppData
- Desktop
- Documents (My Documents)
- Downloads
- Favorites
- Music (My Music)
- Pictures (My Pictures)
Types of User profile
1. Local profile
• A local profile is a user profile stored on the same system where the user logs on
• Local profiles are created from a default profile when the user first logs on to a specific
machine
• Changes on one local profile will not migrate to another local profile on another machine
• For consistent profiles that reflect changes made on multiple machines, use roaming
profiles
• Any changes made to your local user profile are specific to the computer on which you
made the changes.
2. Roaming profile
• Roaming profiles are what allow a user to log on to any
computer in an organization and have all their personal files and
settings apply to that computer.
• Roaming profiles have the advantage that users have their personal
settings and files available on all computers they log in to.
• The administrator creates this profile and stores it on a network
server. This profile is available when a user logs on to any
computer on the network.
• Any changes made to roaming user profiles are automatically
updated on the server when the user logs off.
3. Mandatory User Profile
• Mandatory user profiles are stored on a network server and are
downloaded each time the user logs on. This profile does not
update when the user logs off.
• It is useful for situations where consistent or job-specific settings
are needed. Only administrators can make changes to mandatory
user profiles.
• If the mandatory user profile is unavailable, the user cannot log
on.
Password Aging and Default User Files
• Password aging is a mechanism you can use to force users to periodically change their passwords.
• Password aging allows you to:
• Force a user to choose a new password the next time the user logs in.
• Specify a maximum number of days that a password can be used before it has to be
changed.
• Specify a minimum number of days that a password has to be in existence before it can be
changed.
• Specify that a warning message be displayed whenever a user logs in a specified number of
days before the user's password time limit is reached.
• Specify a maximum number of days that an account can be inactive. If that number of days
pass without the user logging in to the account, the user's password will be locked.
• Specify an absolute date after which a user's password cannot be used, thus denying the user
the ability to log on to the system.
• To list the password aging settings for a specific user, the chage -l command is used.
• You can also view some of this information using the passwd -S command.
• The chage command doesn’t show you if an account is locked; it only shows the password
aging settings.
• The passwd -S command, on the other hand, will tell you when a password is locked.
• For example, you might configure a password so that it cannot be used for more
than 90 days (maximum) and then add that it cannot be changed before it has been
in effect for a week or 10 days (minimum days).
Use this command:
$ sudo chage -M 90 -m 10 username
• You can also set a specific expiration date for an account using the -E option.
$ sudo chage -E 2020-11-11 username
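An audit of the aging fields that chage writes, as an added example that is not part of the original slides. It reads shadow(5)-format lines, reports the lock status in the same letters passwd -S uses, and flags accounts that do not meet the 90-day maximum and 10-day minimum from the text; the sample entries and hash placeholders are constructed.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
POLICY_MAX_DAYS = 90  # matches "chage -M 90" in the text
POLICY_MIN_DAYS = 10  # matches "chage -m 10" in the text


def to_days(d):
    """Calendar date -> days since the epoch, the unit shadow(5) stores."""
    return (d - EPOCH).days


def parse_shadow(line):
    """Split one shadow-format line into named fields (empty field -> None)."""
    f = line.rstrip("\n").split(":")
    f += [""] * (9 - len(f))
    pw = f[1]
    # Status letters as printed by passwd -S: L locked, NP no password, P usable.
    # A hash field starting with "!" or "*" is treated here as locked.
    status = "L" if pw[:1] in ("!", "*") else ("NP" if pw == "" else "P")
    nums = [int(x) if x else None for x in f[2:8]]
    keys = ("lastchg", "min", "max", "warn", "inactive", "expire")
    return {"name": f[0], "status": status, **dict(zip(keys, nums))}


def audit(line, today):
    """Return (user, findings) for one entry, evaluated as of `today`."""
    e = parse_shadow(line)
    out = []
    if e["status"] == "L":
        out.append("password locked")
    elif e["status"] == "NP":
        out.append("empty password")
    if e["max"] is None or e["max"] > POLICY_MAX_DAYS:
        out.append(f"maximum age exceeds {POLICY_MAX_DAYS} days")
    if e["min"] is None or e["min"] < POLICY_MIN_DAYS:
        out.append(f"minimum age below {POLICY_MIN_DAYS} days")
    if e["lastchg"] == 0:
        out.append("must change password at next login")
    elif e["lastchg"] is not None and e["max"] is not None:
        if today > EPOCH + timedelta(days=e["lastchg"] + e["max"]):
            out.append("password expired")
    if e["expire"] and today >= EPOCH + timedelta(days=e["expire"]):
        out.append("account expired")
    return e["name"], out


# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE = [
    f"alice:$6$CONSTRUCTED$placeholder:{to_days(date(2020, 9, 1))}"
    f":10:90:7:30:{to_days(date(2020, 11, 11))}:",
    "bob:!$6$CONSTRUCTED$placeholder:18000:0:99999:7:::",
    "carol:$6$CONSTRUCTED$placeholder:0:10:90:7:::",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit(entry, date(2020, 10, 1)))
```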
User Private Groups
• Linux uses a user private group (UPG) scheme, which makes
UNIX groups easier to manage.
• A UPG is created whenever a new user is added to the system.
• A UPG has the same name as the user for which it was created
and that user is the only member of the UPG.
• UPGs make it safe to set default permissions for a newly created
file or directory which allow both the user and that user's group to
make modifications to the file or directory.
• Because Linux is a multiuser operating system, security is often based on
accounts.
• Each person is provided a user account and each user account is a
member of one or more group accounts.
• By using group accounts, you can easily apply a security policy
to multiple user accounts.
• Being a member of a group allows a user special access to, or
prevents access to, system resources, such as files, directories, or
processes (programs) that are running on the system.
Primary versus Secondary Groups
• The first group is called the user’s primary group.
• Any additional groups a user is a member of are called the user’s secondary
groups.
• Group membership can be displayed by executing either the id or the groups
command.
• The primary group is always listed first.
• Each file is owned by a user ID and a group ID. When a user creates a file, the
user’s primary group membership is used for the group ownership of the file.
• After a file has been created, a user can change the group ownership of the file
to another group by using the chgrp command.
Process Management and Monitoring
• A process is a running instance of a launched, executable program. It
consists of:
• An address space of allocated memory
• Security properties, including ownership credentials and privileges
• One or more execution threads of program code
• The process state
• Processes need to be managed and monitored because they consume system
resources like CPU time, memory and disk space. There are also security
and safety implications.
• Monitoring and managing processes is, therefore, an important function of
systems administrators.
Process states
• In a multi-tasking operating system, each CPU (or CPU core) can work
on one process at a single point in time.
• As a process runs, its immediate requirements for CPU time and resource
allocation change. The process state also changes.
• A program is identified by its process ID (PID) as well as its parent
process ID (PPID); therefore, processes can further be categorized into:
• Parent processes – these are processes that create other processes
during run-time.
• Child processes – these processes are created by other processes
during run-time.
Linux process states
Managing files and folder permission
• “In UNIX everything is a file.”
• The following file-system objects can be found
• ‘normal’ (text-) files
• executable files (binary files or shell scripts)
• directories
• device files
• pipes
• symbolic or hard links (references to files)
• All files and file system objects are ordered within a hierarchical file
tree with exactly one root directory ‘/’.
File systems
Administering a file system includes tasks such as:
• Making local and remote files available to users
• Monitoring and managing the system’s disk
resources
• Protecting against file corruption, hardware
failures, and user errors via a well planned backup
schedule
• Ensuring data confidentiality by limiting file and
system access.
Path Names
Listing Files and Directories
Creating Directories
Creating Files
Changing to a Different Directory
Working with Files
• All files are case sensitive
• Linux is case sensitive; this means that
FILE1 is different from file1, and /etc/hosts
is different from /etc/Hosts (the latter one
does not exist on a typical Linux computer).
Copying Files
Moving/renaming Files
Removing Files and Directories
Displaying Content of Files
on Screen
File permissions/Access rights
• The UNIX file system distinguishes between three different
access rights or file mode bits.
• r (read): permits the reading of file contents, or, for
directories, the listing of their content.
• w (write): permits the modification of files (incl. delete). To
create or delete files, the parent directory(ies) need write
access as well!
• x (execute): permits the execution of binary
files(commands, programs) and of shell scripts from the
command line.
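How the r/w/x bits are evaluated for a given user, and why the user private group scheme described earlier makes group-writable defaults safe, as an added example that is not part of the original slides. The numeric IDs and the shared group are constructed; root and the sticky bit are left out.

```python
import stat


def default_mode(umask, is_dir=False):
    """Mode a new file (base 0666) or directory (base 0777) gets under `umask`."""
    return (0o777 if is_dir else 0o666) & ~umask


def access_class(uid, gids, st_uid, st_gid):
    """Exactly one class applies: owner first, then group, then other."""
    if uid == st_uid:
        return "owner"
    if st_gid in gids:
        return "group"
    return "other"


def rights(mode, uid, gids, st_uid, st_gid):
    """Rights (subset of 'rwx') the mode bits give this user on the object."""
    shift = {"owner": 6, "group": 3, "other": 0}[access_class(uid, gids, st_uid, st_gid)]
    bits = (mode >> shift) & 0o7
    return "".join(c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b)


def can_delete(dir_mode, uid, gids, dir_uid, dir_gid):
    """Removing a file needs w and x on the parent directory, not on the file."""
    r = rights(dir_mode, uid, gids, dir_uid, dir_gid)
    return "w" in r and "x" in r


# Constructed IDs: alice and bob each have a private group; "staff" is shared.
ALICE, BOB, STAFF = 1000, 1001, 50

if __name__ == "__main__":
    mode = default_mode(0o002)  # group-writable default
    print("umask 002 file mode:", stat.filemode(stat.S_IFREG | mode))
    # File group is alice's private group: bob falls into "other".
    print("UPG, bob gets:", rights(mode, BOB, {BOB}, ALICE, ALICE))
    # Same mode, but the file's group is a shared group bob belongs to.
    print("shared group, bob gets:", rights(mode, BOB, {BOB, STAFF}, ALICE, STAFF))
    # Owner class is never skipped, even when "other" is more permissive.
    print("mode 047, owner gets:", repr(rights(0o047, ALICE, {ALICE}, ALICE, ALICE)))
    print("bob can delete in alice's 755 dir:",
          can_delete(0o755, BOB, {BOB}, ALICE, ALICE))
```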
Managing Disk Quotas
💾 What is a Disk Quota?
• A disk quota is a limit set by the system administrator on the amount of disk
space (or number of files) that a user or group can use on a file system.
• Purpose of Disk Quotas:
• Prevent any single user from using all the disk space.
• Encourage users to manage their files responsibly.
• Maintain system stability and performance in multi-user environments (like
schools or servers).
How System Administrators Manage Disk
Quotas
1. Enable Quota Support on the Filesystem
2. Create Quota Database Files
3. Enable Quotas
4. Assign Disk Quotas
5. View and Monitor Usage
Reading Assignment:
1. Specify the Linux commands used to
manage Disk Quotas in each step (1 up to 5)?
Thank You!