Managing users is one of the more challenging aspects of IT administration. You need to make sure that users can always access their stuff and that they can perform the required tasks to do their jobs. You also need to ensure that users' stuff is always secure from unauthorized users and that users can't perform any tasks that don't fit their job description. It's a tall order, but we aim to show that it's doable. In this chapter, we'll look at how to lock down user accounts and user credentials to protect them from attackers and snoopers. We'll also look at how to prevent users from having any more privileges than they have to have in order to perform their jobs.

The specific topics covered in this chapter are as follows:

• The dangers of logging in as the root user
• The advantages of using sudo
• Setting up sudo privileges for full administrative users and for users with only certain delegated privileges
• Advanced tips and tricks to use sudo
• Locking down users' home directories
• Enforcing strong password criteria
• Setting and enforcing password and account expiration
• Preventing brute-force password attacks
• Locking user accounts
• Setting up security banners
• Detecting compromised passwords
• Understanding central user management systems