Hi everyone! Thanks for your support on the IT security series; this is now the 7th post. Last time we discussed the problem of shared folders in the network and introduced the tool NetScan, which can scan the local network to identify all the resources shared on it, so that you can configure access control according to the scan result.

I would like to continue the topic of access control in this post. As we all know, Windows access control is somewhat complex: it uses different user groups to classify user authority. If we wrongly assign an over-privileged user group to the wrong user, it can become a serious problem. So in this post I would like to show you how to check the user access rights on your computer.


First, open the Control Panel and then choose Administrative Tools:



After that, choose Computer Management:



Then click Local Users and Groups:



In the Users section, you can see the local accounts on your computer, including the system default accounts such as Administrator and Guest:


You can double-click an account name to check its properties. Remember, it is usually suggested that the Guest account should be disabled:



You can also go to the “Member Of” tab to check which user groups this account belongs to. For example, the Administrator account belongs to the Administrators group:


Next, go to the “Groups” section. There are many different groups, each with its own features or restrictions; you can check the details on the Microsoft website. However, I would remind you to check the following three groups, which I think are the most critical:



You can double-click a group to see which users are in it and therefore have the related authority.



The “Administrators” group has full control of the computer, and membership should not be granted to anyone other than the real system administrator. The “Power Users” group has a bit less authority than the Administrators group, but it is still very powerful and can perform many system operations, so it should not be granted to normal users either. The “Network Configuration Operators” group can change the computer's network configuration; normal users should not need that right, and it can cause you trouble if you grant it to the wrong person.
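The same checks can be scripted so you do not have to click through Computer Management on every machine. The script below is an added example, not part of the original post: it uses the built-in LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroup, Get-LocalGroupMember, available on Windows 10 / Server 2016 and later) to list local accounts, confirm that Guest is disabled, show the “Member Of” view for every account, and flag anyone in the three groups above who is not on an allowed list. The allowed list in $expectedMembers is an assumption for a stand-alone workstation; adjust it to what your organisation actually permits. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): audit local accounts and the three
# critical groups discussed above. Requires the LocalAccounts module
# (Windows 10 / Server 2016 and later) and an elevated prompt.

$criticalGroups = @('Administrators', 'Power Users', 'Network Configuration Operators')

# ASSUMPTION: on a stand-alone workstation only the built-in Administrator account
# should sit in Administrators, and nobody should be in the other two groups.
# Get-LocalGroupMember reports names as COMPUTERNAME\account, so match that format.
$expectedMembers = @{
    'Administrators'                  = @("$env:COMPUTERNAME\Administrator")
    'Power Users'                     = @()
    'Network Configuration Operators' = @()
}

# 1. The Guest account should be disabled (the "Account is disabled" checkbox in the GUI).
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    Write-Warning "Guest account is ENABLED. Disable it with: Disable-LocalUser -Name Guest"
} else {
    Write-Host "OK: Guest account is disabled or absent"
}

# 2. Equivalent of the Users folder: every local account and whether it is enabled.
Write-Host "`nLocal accounts:"
Get-LocalUser | Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize

# 3. Equivalent of the "Member Of" tab, built for all accounts at once:
#    walk every local group and record which principals are in it.
$membership = @{}
foreach ($g in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $membership[$m.Name] += @($g.Name)
    }
}
Write-Host "Group membership per account:"
foreach ($principal in ($membership.Keys | Sort-Object)) {
    Write-Host ("  {0,-40} {1}" -f $principal, ($membership[$principal] -join ', '))
}

# 4. Equivalent of double-clicking each critical group: list members and flag
#    anyone who is not on the allowed list.
foreach ($group in $criticalGroups) {
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        Write-Host "`nGroup '$group' does not exist on this system, skipping"
        continue
    }
    $names = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name)
    Write-Host "`n[$group] members:"
    if ($names.Count -eq 0) { Write-Host "  (none)" }
    $names | ForEach-Object { Write-Host "  $_" }

    $unexpected = $names | Where-Object { $expectedMembers[$group] -notcontains $_ }
    foreach ($u in $unexpected) {
        Write-Warning ("'{0}' is in '{1}' but is not on the allowed list; review it and, " +
                       "if the right is not needed, remove it with: " +
                       "Remove-LocalGroupMember -Group '{1}' -Member '{0}'") -f $u, $group
    }
}
```

The script only reports; the Disable-LocalUser and Remove-LocalGroupMember commands are printed as suggestions so you can review each finding before changing anything. On a domain-joined machine, domain groups such as Domain Admins will appear as members too, which is why matching is done on the full COMPUTERNAME\account or DOMAIN\account name rather than the bare account name. One caveat for the middle group: on Windows Vista and later, “Power Users” is kept only for backward compatibility and has no special privileges by default, so a member there is a sign of a legacy configuration rather than an immediate privilege problem, but it is still worth cleaning up.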


I hope this post gives you some idea of how to check user authority and how to decide what authority should be granted to each user. And remember, user authority should always be granted according to the Principle of Least Privilege!


Thanks for reading, I hope you enjoyed it!
