september 18, 2002 introduction to windows 2000 server components ryan larson david greer
TRANSCRIPT
September 18, 2002
Win2K ComponentsWin2K Components Overview Overview
• Monitoring Components• User and Group Management• Group Security Policies• Windows 2000 Security Services
September 18, 2002
Monitoring ComponentsMonitoring Components
• Computer Management– Click Start, Settings, Control Panel,
Administrative Tools, Computer Management
• Event Viewer• Performance Log • Shared Folders• Services
September 18, 2002
Event ViewerEvent Viewer
• The Event Viewer gathers information about hardware, software, and system problems and monitor Windows 2000 security events
• Application Log– Events logged by applications or programs.
• Security Log– Records security events such as valid and invalid logon
attempts, as well as events related to resource use, such as creating, opening, or deleting files.
• System Log– Events logged by the Windows 2000 system components.
September 18, 2002
Performance LogPerformance Log
• Performance Logs and Alerts contains features for logging counter and event trace data and for generating performance alerts.
• Can record data about hardware usage and the activity of system services from local or remote computers.
• Logging can occur manually on demand, or automatically based on a user-defined schedule
September 18, 2002
Shared FoldersShared Folders
• Create, view, and set permissions for shares, including shares on computers running Windows NT 4.0.
• View a list of all users who are connected to the computer over a network and disconnect one or all of them.
• View a list of files opened by remote users and close one or all of the open files.
• Configure Services for Macintosh. This enables personal computer users and Macintosh users to share files and other resources, such as printing devices, through a computer running Windows 2000 Server.
September 18, 2002
ServicesServices
• Using Services, you can start, stop, pause, or resume services on remote and local computers, and configure startup and recovery options. You can also enable or disable services for a particular hardware profile.
• With Services, you can:– Manage services on local and remote computers, including
remote computers running Windows NT 4.0. – Set up recovery actions to take place if a service fails, such
as restarting the service automatically or restarting the computer (on computers running Windows 2000 only).
– Create custom names and descriptions for services so that you can easily identify them (on computers running Windows 2000 only).
September 18, 2002
Users and GroupsUsers and Groups
Overview
•Administrator Account•Guest Account•Managing User Accounts•Group Types•Managing Groups
September 18, 2002
Administrator AccountAdministrator Account
Admins can do the following:• Access any file or directory• Create and delete users and groups• Establish trust relationships• Manage printers and print sharing• Assign operators• Create and modify logon scripts• Set default account policies• Set and change passwords• Manage auditing and security logs• Not be deleted
September 18, 2002
Administrator Account Administrator Account (cont.)(cont.)
Admins are by default in the following groups:
• Administrators• Domain Admins• Domain Users• Enterprise Admins• Group Policy Admins• Schema Admins
September 18, 2002
Guest AccountGuest Account
• Guest account is disabled by default• Enable the Guest account only in low-
security networks• Always assign a password• Can rename Guest account, but cannot
delete it• Should only have low privileges
September 18, 2002
Managing User Managing User PropertiesProperties
The New User Dialog Box Buttons Tab Description General This tab captures tombstone data for the user, for example, name,
description, office, telephone numbers, email address, home page URL, and other Web pages.
Address Use this tab to document street address, P.O. Box, city, state or province, zip or postal code, and country or region.
Account This tab documents the user’s account options. Profile Use this tab to set a profile path, login script, home directory, and
shared document folder. Telephones/Notes Use this tab to document home, pager, mobile, fax, and IP phone
numbers and any comments you might have regarding these numbers.
Organization This tab documents the user’s title, department, company, manager, and any direct reports.
Member Of Use this tab to document the groups where the user belongs. Dial-in Use this tab to document the dial-in properties for the user.
September 18, 2002
Manage User OptionsManage User Options
Account Options Options Default Description User Must Change Password at Next Logon
OFF Selected when you created the account, but you can change it here.
User Cannot Change Password
OFF Selected when you created the account, but you can change it here.
Password Never Expires OFF Selected when you created the account, but you can change it here.
Save Password as Encrypted Clear Text
OFF Selecting this option allows your Macintosh clients to log on, which is the only password the Macintosh computers can send.
Account Disabled OFF Selected when you created the account, but you can change it here.
User Must Log On Using a Smart Card
OFF Selecting this option forces your users to use smart cards, which require additional hardware.
Account Is Trusted for Delegation
OFF Selecting this option allows administration of this account to be delegated to , for instance, a departmental manager.
Account Is Sensitive and Can Not Be Delegated
OFF See above.
Uses DES Encryption Types For This Account
OFF Sets the encryption algorithm for use with, say, Kerberos.
Don’t Require Kerberos Authentication
OFF Selecting this means the user doesn’t use Kerberos for authentication.
September 18, 2002
Managing User AccountsManaging User Accounts
Managing User Accounts• Click Start, Settings, Control Panel, Administrative Tools,
Computer Management• Expand System, Local Users and Groups
Creating User Accounts• Right-Click Users, and then click New User• Fill in the appropriate fields
Managing User Properties• Right-Click on a User, and then click Properties• Modify the appropriate fields
September 18, 2002
Group TypesGroup Types
• Domain Local Group– Open membership: members can come from any
domain– Members can access resources only in the local domain
• Global Group– Limited membership: members only come from local
domain– Members can access resources in any domain
• Universal Group– Open membership: members can come from ay
domain– Members can access resources in any domain
September 18, 2002
Groups Types (cont.)Groups Types (cont.)
Points to keep in mind…• Local groups on domain controllers have rights only on
the domain where they were created.• Local groups on Windows 2000 Workstation computers
and member servers (non-Domain Controllers) have rights on the computer where they were created.
• Local groups cannot contain other local groups; they can contain only user accounts or global groups from the same domain or other domains.
• Global groups contain user accounts from only one domain. They cannot contain local groups or other global groups.
• Universal groups contain user accounts from any domain. They can contain universal accounts, global groups, local groups, and user accounts.
September 18, 2002
Predefined GroupsPredefined Groups
Predefined Local Groups Administrators Members can fully administer the local computer and any domain
resources. This group is the most powerful. Within the Administrators group is a built-in account that you cannot delete.
Account Operators Members can use User Manager for Domains to manage domain user and group accounts. An Account Operator cannot change or delete the Domain Admins, Account Operators, Backup Operators, Print Operators, or Server Operators groups. Also, an Account Operator cannot change or delete administrator users accounts or administer security policies.
Backup Operators Members can perform backups and restores, and can bypass the security restrictions on directories and files to back them up.
Guests Members can access the server from the network but cannot log on locally. In other words, Guests have limited access to the domain. In effect, these users can log on if they know the Guest account and password, but they cannot change any settings on the local computer. This group is for the occasional or one-time user to log on. The built-in Guest account is automatically a member of the Guest group.
September 18, 2002
Predefined Group (cont.)Predefined Group (cont.)
Power Users Member can do everything that members of the User group can do. In addition, these members can create user accounts, modify the user accounts that they created, put any user accounts on the computer into the Power Users, Users, and Guest built-in groups, share and stop sharing files and directories and printers located at the computer, and set the computer’s internal clock.
Print Operators Members can administer the domain printers. They can create, manage, and delete printer shares for an NTS server.
Replicators Members can manage replication services. They are granted the appropriate privileges to replicate files in the domain. Use this group only to support the Directory Replication service.
Server Operators Members can manage the servers in the domain. Tasks include logging on locally, restarting the server, and shutting down the server.
Users Members can access the server from the network but cannot log on locally. They are normal users of the domain and have limited access to the domain and their computers. They can make some configuration changes to their environment but have limited functionality. They cannot create new shared directories, for example, or stop and start services.
September 18, 2002
Special GroupsSpecial Groups
Special Groups Group Description Anonymous Users Any unauthenticated user on the computer. Authenticated Users This group consists of users who provided a valid username and
password at some point. Batch Any batch process accessing a resource on the computer. Creator Owner A user who creates or takes ownership of a resource, such as
subdirectories, files, and print jobs. Dialup Any user who has access to resources on the computer using dial-
up networking. Everyone All users who access a computer, whether locally or remotely.
This group includes both interactive and network users. Interactive Users who log on to the local computer. Interactive users access
resources on the machine at which they are sitting. Network Users who log on to a network or remote computer using their
account or an enabled Guest account. Service Any service. System The operating system.
September 18, 2002
Managing GroupsManaging Groups
Managing Groups• Click Start, Settings, Control Panel, Administrative Tools,
Computer Management• Expand System, Local Users and Groups
Creating Groups• Right-Click Groups, and then click New Group• Fill in the appropriate fields
Add Members to Group• Right-Click on a Group, and then click Add to Group• Click Add, Select User(s), Click Add, Click OK
September 18, 2002
Security PolicySecurity Policy
• Password Policy• Account Lockout Policy• Audit Policy• User Rights Assignment• Security Options• Encrypting File System Properties• Kerberos Properties• IPSec Properties• Configuring and Analyzing by Templates
September 18, 2002
Opening MMC Snap-InsOpening MMC Snap-Ins
To open Microsoft Management Console Snap-ins
• Click start, run• Type “mmc” and hit enter• Under the “Console” menu, click
“Add/Remove Snap-in”• Click “Add”, select Snap-in, click “Add”• Opt: Fill any options, click “ok”• Click “close”, click “ok”
September 18, 2002
Security PolicySecurity Policy
• It is important to notice:• Almost all of these settings can be
enforced at the local level, or at the domain level, if the computer is on a domain (in which case the domain settings would be taken from Active Directory)
• Settings at higher levels of the Active Directory Tree override those at lower levels
September 18, 2002
Password PolicyPassword Policy
• Open “Group Policy” snap-in• Under Computer Configuration/Windows
Settings/Security Settings/Account Policies• Controls the formation and changing of
user passwords• Age, Length, History, Complexity
September 18, 2002
Account Lockout PolicyAccount Lockout Policy
• Open “Group Policy” snap-in• Under Computer Configuration/Windows
Settings/Security Settings/Account Policies• Controls the lockout settings for incorrect
passwords
September 18, 2002
Audit PolicyAudit Policy
• Open “Group Policy” snap-in• Under Computer Configuration/Windows
Settings/Security Settings/Local Policies• Controls which system events are
recorded in the Event Log, to be viewed in the Eventviewer later
• For all events, successes and/or failures may be logged
• Must be careful not to audit too much
September 18, 2002
Audit Policy (Example)Audit Policy (Example)
• By double clicking on Audit Account Logon Events and checking “success” and “failure”, you can log to the Event Log every attempt at access to the computer
September 18, 2002
User Rights AssignmentUser Rights Assignment
• Open “Group Policy” snap-in• Under Computer Configuration/Windows
Settings/Security Settings/Local Policies• Controls which users and groups have
access to special system-level commands, such as shutting down the computer
September 18, 2002
Security OptionsSecurity Options
• Open “Group Policy” snap-in• Under Computer Configuration/Windows
Settings/Security Settings/Local Policies• Controls miscellaneous other security
options, especially the permissions of remotely connected users.
September 18, 2002
Security Options Security Options (Examples)(Examples)
• Using “Rename Administrator Account”, you can change the admin name and create a dummy “Administrator” account with no privileges, that is heavily logged
• Set “Clear memory pagefile when system shuts down” to prevent the swap file from being recovered (easily)
September 18, 2002
Encrypting File System Encrypting File System PropertiesProperties
• Open “Group Policy” snap-in• Under Computer Configuration/Windows
Settings/Security Settings/Public Key Policies
• Or open “Certificates” Snap-in• Controls the certificates (public keys) of
Encrypted Data Recovery Agents• Whenever a file is encrypted by a user,
there must be a recovery agent
September 18, 2002
Encrypting File System Encrypting File System (Examples)(Examples)
• Under certificates for a File Recovery Agent (default Admin), Personal/Certificates, Right click on the file recovery certificate and click All Tasks, export.
• You can export and delete the recovery agent private key, and store it in a secure location for later recovery
• Thus, one cannot get the recovery agent key, even by breaking the account password
September 18, 2002
Kerberos in W2KKerberos in W2K
• Windows 2000 uses Kerberos V for authenticating computers and users between domains
• The domain controller acts as the KDC (a trusted third party) in mutually authenticating clients to servers in inter- and intra domain communication
• Secret-key tickets are given to communicating parties
September 18, 2002
Kerberos SettingsKerberos Settings
• Open “Group Policy” snap-in• Under Computer Configuration/Windows
Settings/Security Settings/Account Policies/Kerberos Policy
• Only for computers on Domains• Controls the details of Kerberos tickets and
authentication• Microsoft says, and NSA agrees, the
default settings are OK
September 18, 2002
IPSec SettingsIPSec Settings
• Open “Group Policy” snap-in• Computer Configuration/Windows Settings/
Security Settings/IP Security Policy• Controls the policies for secure
communication via IPSec and its cryptographic settings
• Allows filtering of packets of various protocols without authentication and IPSec
• Can require that all communication be Secured (Secure Server)
September 18, 2002
Configuring and Analyzing Configuring and Analyzing Security Properties by Security Properties by
TemplatesTemplates
• Open “Security Configuration and Analysis” snap-in
• Right click “Security Configuration and Analysis” and click “open database”, make a new database file, click “open”, and select a template, such as “hisecws.inf” (high secure workstation/server) and click open
• Right click “Security Configuration and Analysis” again and choose to configure (set your settings to template) or to analyze (compare your settings to template