Hi everyone! Thanks for your support on the IT security series; this is now the 7th post. Last time we discussed the shared folder problem in the network and introduced NetScan, a tool that performs a network scan to identify all the resources shared on the local network, so that you can adjust the access control according to the scan result.
In this post I would like to continue the topic of access control. As we all know, Windows access control has a certain complexity: it uses different user groups to classify user authority. So if we accidentally assign a user to an over-privileged group, it could become a serious problem. In this post I will show you how to check user access rights on your computer.
First, open the Control Panel and choose Administrative Tools:
After that, choose Computer Management:
Then click Local Users and Groups:
In the Users section you can see the local accounts on your computer, including the system default accounts such as Administrator and Guest, plus your own user account:
You can double-click an account name to check its properties. And remember, it is usually recommended that the Guest account be disabled:
You can also go to the “Member Of” tab to check which user groups this account belongs to. For example, the Administrator account belongs to the Administrators group:
Next, go to the “Groups” section. There are many different groups, each with different privileges and restrictions; you can find the details of each group on the Microsoft website. However, I would remind you to pay particular attention to the following 3 groups, which I think are the most critical:
You can double-click a group to see which users are in it and therefore hold the related authority:
The “Administrators” group has essentially full control of the computer, so it should not be granted to anyone other than the real system administrator. The “Power Users” group has somewhat less authority than Administrators, but it is still very powerful and can change many system settings and operations, so it should not be granted to normal users either. The “Network Configuration Operators” group can change the computer's network configuration; normal users should not need that right, and granting it carelessly can bring you trouble.
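The same check can be scripted so you do not have to click through every group by hand. The following PowerShell is an added example written for this post, not part of the original; it assumes Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser, Get-LocalGroupMember, Disable-LocalUser), an elevated session, and that the `$expectedAdmins` list is adjusted to your own environment.

```powershell
# Added example (not from the original post): list the members of the three sensitive
# local groups discussed above and confirm the Guest account is disabled.
# Assumes the Microsoft.PowerShell.LocalAccounts module and an elevated PowerShell session.

$sensitiveGroups = @('Administrators', 'Power Users', 'Network Configuration Operators')

# Accounts that are allowed in the Administrators group on this machine.
# Placeholder list: adjust it to your environment; anything else is flagged for review.
$expectedAdmins = @('Administrator')

foreach ($group in $sensitiveGroups) {
    Write-Host "=== $group ==="
    try {
        $members = Get-LocalGroupMember -Name $group -ErrorAction Stop
    } catch {
        # "Power Users" does not exist on every Windows edition; report it and move on.
        Write-Host "  (group not present on this computer)"
        continue
    }
    if (-not $members) { Write-Host "  (no members)"; continue }

    foreach ($m in $members) {
        # ObjectClass distinguishes a user from a nested group; PrincipalSource shows
        # whether the member is Local, ActiveDirectory or a MicrosoftAccount.
        $shortName = ($m.Name -split '\\')[-1]
        $flag = ''
        if ($group -eq 'Administrators' -and $shortName -notin $expectedAdmins) {
            $flag = '  <-- review: unexpected Administrators member'
        }
        Write-Host ("  {0,-40} {1,-6} {2}{3}" -f $m.Name, $m.ObjectClass, $m.PrincipalSource, $flag)
    }
}

# The post recommends keeping Guest disabled; check its Enabled property.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    Write-Warning "Guest account is ENABLED. Disable it with: Disable-LocalUser -Name Guest"
} else {
    Write-Host "Guest account is disabled (or absent)."
}
```

Run it periodically (or from a scheduled task) and compare the output against the previous run; a new name in Administrators or a re-enabled Guest is exactly the kind of change you want to notice early.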
I hope this post gives you some idea of how to check user authority and how to decide what authority should be granted to each user. And remember, user authority should always follow the Principle of Least Privilege!
Thanks for reading, I hope you enjoyed it!
If you liked it, please follow me and see my other posts: @victorier