- A person responsible for the operation of all (or part of) an organization's computer network resources
- In smaller organizations, the network administrator may manage all of the organization"s network resources
- In larger organizations, there may be multiple network administrators, with each network administrator typically managing specific network subsystems (database administrator(s), e-mail administrator(s), website administrator(s), etc.)
- Network administrators are also responsible for maintaining the overall network infrastructure (wired cabling, wireless access points, switches, routers, IP, DNS services, DHCP services, user workstations, data centralization, maintaining databases, disaster recovery (backups + restores), security, user training, application roll-out, supporting in-house application developers, etc.)
- Network administrators have quite a bit of responsibility in the workplace
- Computer networks can be divided into (2) distinct models
- Peer-to-Peer Network Models
- Client/Server Network Models
- Peer-to-Peer network models (typically): are not found in the workplace environment, contain no dedicated servers, are managed by the end-users without the need for a formal network administrator, and are relatively small in size (quantity of nodes). Network resources (data files, printers, etc.) are local to each end-user node, and are shared out to the other nodes
- The nodes in your home might be a good example of a Peer-to-Peer network model, if you are sharing network resources between the nodes
- Client/Server network models (typically): are found in the workplace environment, contain (1) or more dedicated servers, have (1) or more network administrators employed to manage the network resources, and are larger in size (quantity of nodes). Sharing of network resources between end-user nodes is usually not permitted, due to security concerns
- Regardless of the network model type, user accounts are required for users to gain access to network resources
- From the end-user"s perspective, their user account contains (3) distinct components
- All of which are required to access network resources successfully
- A username
- A password
- Network administrators are responsible for creating user accounts, and then configuring network resources such that the user accounts can gain access to them
- End-users are responsible for keeping their user account password a secret
- They are not to be sharing them with anyone else
- Network administrators are responsible for creating a password policy:
- User passwords are not to be known by network administrators
- Passwords are a minimum length (e.g. 8 keystrokes minimum)
- Passwords are relatively strong and complex (e.g. contains at least (1) upper case character, number, and symbol)
- User are required to change their password periodically (e.g. every 30 days)
- Passwords are never repeated
- Passwords are never built on previously used passwords (e.g. P&ssw0rd1 -> P&ssw0rd2 -> P&ssw0rd3 -> P&ssw0rd4 -> etc.)
- Security groups are logical "containers" of which users are members
- For example, a (Sales) security group, would contain all of the user accounts that work in the sales department of a company
- Security groups help alleviate the burden of providing network resource access
- Example: Assume there were (100) users in the sales department that need access to print to the (Sales Printer) in the sales office
- A network administrator would need to configure the network printer (100) different times (one time for each user account), before everyone could print successfully
- If all (100) users were members of a single (Sales) security group, then the network administrator would only need to configure the network printer once
- A much faster process
- Either way, all (100) users would be permitted to print to the (Sales Printer) network resource
- One method is just much more efficient than the other
- Permissions are the specific level of access a user has to a network resource
- There are (4) types of permissions:
- Explicit
- Permissions which are definitively given to a user (e.g. Mary can create new files below the Sales Department data folder, because the network administrator purposely gave her that permission)
- Inherited
- Permissions which a user has because they are a member of a security group (e.g. Mary can print to the printer because she is a member of the Sales Department security group
- The Sales Department security group has been given explicit permissions to print to the printer by the network administrator)
- Implicit
- Permissions which a user has because of the state of their user account (e.g. Mary can access Internet resources, because she authenticated successfully
- If Mary did not authenticate successfully, she would not be able to access Internet resources)
- Effective
- The combination of explicit, inherited, and implicit permissions
- Explicit
- Users can be "granted" permissions (a.k.a. "allowed" permissions) to network resources, or denied permissions to network resources
- The "deny" permission trumps all other permissions
- Example: Mary was explicitly granted "full control" permissions to a folder
- Mary is also a member of a security group which was explicitly "denied" permissions to the same folder
- Effectively, Mary has no permissions to the folder, as the "deny" permission she inherited trumps all other permissions she may otherwise have
- The network administrator is responsible for applying the right level of permissions for users to network resources
- Too many permissions, and network resources are not protected properly
- Too little permissions, and network resources cannot be properly accessed
- Authentication occurs when a user proves to the network environment who they actually are
- This is typically done with a user typing in their username and password
- More secure environments might have the user authenticate using some form of biometrics (e.g. fingerprint, retinal scan, voice recognition, gait analysis, etc.)
- Authorization occurs when a user utilizes a network resource (e.g. accesses a file). Permissions are checked to see if the user is permitted to access the resource, and what level of access they have to the resource (e.g. read, write, modify, delete, etc.)
- Every Microsoft Windows and Microsoft Windows Server node, comes with its own SAM (Security Account Manager) database
- The SAM database contains user accounts and security groups local to the node
- SAM database information is not synchronized between nodes
- A person who has (5) users accounts in the network environment (1 per node), would need to change their password (5) different times (1 for each node user account)
- In most business network environments, user accounts and security groups, are centralized in a common database, referred to as a Directory Service
- Microsoft's implementation of their directory service is called Microsoft
- Active Directory Domain Services (or simply: Active Directory)
- On very small networks, Active Directory is typically hosted by a single node
- This single node:
- Has an installation of the Microsoft Windows Server operating system
- Has additional software installed on it to provide Active Directory services
- Has been promoted from a "normal" Microsoft Windows Server node, to a "special" node known as an Active Directory Domain Controller
- Active Directory Domain Controllers do not include a local SAM database, as it is deleted during the promotion process
- On medium to large networks, Active Directory is hosted by a group of nodes
- Each node within the collection:
- Is physically located on the network near nodes that will use them for authentication (e.g. located in close proximity to the user nodes)
- Contains all, or portions of, the single Active Directory database
- This distributed database design improves efficiency, and provides a level of redundancy