Administration and Security

Windows 2000 includes several security features. This section explains the basics of Windows 2000 authentication and then examines users, groups, and security policies. This section also describes Windows 2000’s printing and auditing features.

The Windows 2000 Logon Process

The first element of Windows 2000 security that a user encounters is the logon dialog. To provide security, Windows 2000 does not send passwords across the network during the logon process. The authentication process works as follows:

  1. The user enters a username and password. The password is used to encrypt a string of numbers (the current time), and the resulting encrypted data is sent with the username to the domain controller or to the local computer’s security subsystem when a domain is not in use.

  2. The domain controller or security subsystem looks up the username and reads the encrypted token stored in the security database; if this matches the result sent with the logon request, access is granted.

  3. An access token is sent to the client and used in subsequent network requests to continually verify the user’s identity. The server uses this token to determine whether access is granted for files, folders, or other resources.
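The three steps above, modelled end to end in Python as an added example (this is not code from the book and not the real Windows 2000 authentication protocol; it only follows the description given here). Assumptions made for the illustration: the security database holds a SHA-256 hash of the password rather than the password, "encrypting the current time with the password" is stood in for by an HMAC over the timestamp keyed with that hash, the access token is a random value the server remembers per session, and the sample account `alice` is constructed. A timestamp-freshness check is included as the caveat a defender would want: without it, an intercepted logon request could be replayed.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

def derive_secret(password: str) -> bytes:
    """Password-derived key. Only this value is stored server-side (assumption of the model)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

# Constructed security database: username -> password-derived secret.
SECURITY_DB = {"alice": derive_secret("correct horse battery")}

def client_logon_request(username: str, password: str, now: Optional[int] = None) -> dict:
    """Step 1: the client keys a MAC over the current time with the password-derived
    secret and sends username, time and MAC. The password itself never leaves the client."""
    challenge = str(int(time.time()) if now is None else now)
    tag = hmac.new(derive_secret(password), challenge.encode(), hashlib.sha256).hexdigest()
    return {"user": username, "challenge": challenge, "response": tag}

class SecuritySubsystem:
    """Domain controller or local security subsystem: verifies logons and issues access tokens."""

    def __init__(self, db: dict, max_skew_seconds: int = 300):
        self.db = db
        self.max_skew = max_skew_seconds
        self.sessions = {}          # access token -> username

    def logon(self, request: dict, now: Optional[int] = None) -> Optional[str]:
        """Step 2: look up the stored secret, recompute the expected MAC over the
        client's timestamp and compare. Returns an access token on success, else None."""
        secret = self.db.get(request["user"])
        if secret is None:
            return None
        now = int(time.time()) if now is None else now
        # Added caveat: a timestamp far from the server clock is treated as a replay.
        if abs(int(request["challenge"]) - now) > self.max_skew:
            return None
        expected = hmac.new(secret, request["challenge"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["response"]):
            return None
        # Step 3: issue an access token that later requests carry instead of credentials.
        token = os.urandom(16).hex()
        self.sessions[token] = request["user"]
        return token

    def authorize(self, token: str, resource: str, acl: dict) -> bool:
        """A later request: the token identifies the user; the ACL decides access.
        acl maps resource name -> set of usernames allowed (constructed format)."""
        user = self.sessions.get(token)
        return user is not None and user in acl.get(resource, set())

if __name__ == "__main__":
    subsystem = SecuritySubsystem(SECURITY_DB)
    token = subsystem.logon(client_logon_request("alice", "correct horse battery"))
    print("logon ok:", token is not None)
    print("payroll access:", subsystem.authorize(token, "payroll.xls", {"payroll.xls": {"alice"}}))
```

The point to take from the model is that the server never needs the password on the wire: it verifies a value that both sides can compute from the stored secret, and everything after the logon rides on the short-lived token.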

Users and Groups

Each person who accesses a Windows 2000 computer or network requires a user account that uniquely identifies the user. The user account and password are used at the logon dialog, and the user account’s properties control the user’s abilities on the network. Windows 2000 uses two kinds of user accounts:

Local users

These are users of a particular computer that does not participate in a domain. These are the only type of users you can create in Windows 2000 Professional.

Domain users

These are users of a domain; they can only be created on a Windows 2000 Server domain controller. Windows 2000 Professional users can log in to a domain using a domain user account.

Adding and modifying users

You can add or manage local users on a Windows 2000 Professional computer with the Computer Management MMC snap-in. To access this utility, select Programs → Administrative Tools → Computer Management from the Start menu. Open the Local Users and Groups object on the left side of the screen.

Highlight the Users option to display a list of users for the computer. After an installation, only Administrator and Guest (disabled) are included in this list. To add a user, right-click and select New User. To modify an existing user, double-click to display the Properties dialog.

The Properties dialog for a user is divided into three tabs:

General

Displays basic options. These include the user’s full name and description, as well as options relating to passwords.

Member of

Lists the groups the user belongs to. Click Add to add a group to the list.

Profile

Specifies a user profile, which stores settings for the user, and an optional logon script.

Configuring groups

Groups allow you to combine similar users and assign them permissions or other functions. Windows 2000 uses two types of groups: local groups, used on standalone computers, and global groups, used in a domain. Windows 2000 Professional supports only local groups.

To manage local groups on a Windows 2000 Professional computer, select Groups under Local Users and Groups. The available groups are displayed. Right-click and select New Group to create a new group. Double-click on an existing group to modify its membership list.

Default users and groups

The following user accounts are created by default when Windows 2000 Professional is installed:

Administrator

This is the default administration account. You are asked to specify a password for this account at installation. This account cannot be disabled or deleted and should be kept secure.

Guest

This user cannot be renamed or deleted, but can be disabled. It has no password by default. Because this account is present on all systems and is a member of the Everyone group (explained later), it presents a significant security risk.

The following local groups are available by default:

Administrators

The Administrator user is a member of this group. Members of this group are given full control to all resources of the computer.

Backup Operators

Members of this group can access all files on the computer, regardless of filesystem security. No users are members by default.

Guests

The Guest user is a member of this group. This group has a simple set of rights by default.

Power Users

Users in this group can perform some system tasks: for example, manage printers, install devices, shut down or restart the computer, or change the computer’s date and time.

Replicator

This is a special group used by the file replication system to duplicate files between computers.

Users

This group includes a basic set of rights, such as the right to log on locally or over the network. All users are members of this group by default.

In addition to these, there are a number of system groups. These are groups that implicitly represent categories of users, but cannot be modified. The system groups include the following:

Everyone

Includes all users of the computer or network

Authenticated Users

Includes any user that has been authenticated with a valid user account

Creator Owner

For a file or other resource, includes the user who created or owns the resource

Network

Includes any users accessing the computer across the network (rather than locally)

Interactive

Includes users accessing the computer via its own console

Anonymous logon

Includes any user who has not been authenticated with a valid user account

Dialup

Includes any user accessing the computer via a dial-up connection

Security Policies

Windows 2000 includes a number of security options you can set to customize local and network security. These are called security policies. To modify security policies, use the Security Settings MMC console. You can access this console by selecting Local Security Policy from the Administrative Tools Control Panel applet.

Account policies

Account policies include options that control the security of user accounts. The first category, Password Policy, includes the following options:

Enforce password history

If this option is enabled, a specified number of the user’s previous passwords are remembered. When the password is changed, none of the passwords in that list can be reused.

Minimum and maximum password age

Specifies a minimum and maximum age before a password may be changed. The defaults are days minimum and 42 days maximum.

Minimum password length

Specifies a minimum length for passwords. There is no minimum by default.

Passwords must meet complexity requirements

If this option is enabled, passwords must contain one or more capital letters, numerals, or punctuation marks and cannot contain the username or full name.

Store password using reversible encryption

Stores a reversibly encrypted copy of each user’s password. This setting applies only in a domain and exists for certain authentication protocols that require it.
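The Password Policy options above, applied by a small checker written for this section as an added example (not code from the book). Where the page states a default it is used (42-day maximum age, no minimum length, history and complexity off); every other value is constructed. The page's wording for complexity is read here as requiring at least one capital letter, one numeral and one punctuation mark, with the username and each word of the full name (three or more characters) forbidden as substrings; that reading, the SHA-256 hashing of the password history, and the sample account `jsmith` are this example's assumptions.

```python
import hashlib
import string
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:
    history_length: int = 0     # Enforce password history (0 = not enforced)
    min_age_days: int = 0       # Minimum password age
    max_age_days: int = 42      # Maximum password age (page: 42 days by default)
    min_length: int = 0         # Minimum password length (page: no minimum by default)
    complexity: bool = False    # Passwords must meet complexity requirements

@dataclass
class Account:
    username: str
    full_name: str
    history: list = field(default_factory=list)  # hashes of past passwords, most recent last
    last_change_day: int = 0                     # day number of the last password change

def password_hash(password: str) -> str:
    # The history keeps only a hash, so old passwords are never stored in the clear.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def meets_complexity(password: str, account: Account) -> bool:
    """Reading of the page's complexity rule used in this example (see lead-in)."""
    lowered = password.lower()
    banned = [account.username.lower()]
    banned += [w.lower() for w in account.full_name.split() if len(w) >= 3]  # assumption
    if any(word and word in lowered for word in banned):
        return False
    return (any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def check_password_change(policy: PasswordPolicy, account: Account,
                          new_password: str, today: int) -> list:
    """Return the list of policy violations; an empty list means the change is allowed."""
    problems = []
    # Minimum age only applies once the account has a password to age.
    if account.history and today - account.last_change_day < policy.min_age_days:
        problems.append("minimum password age not reached")
    if len(new_password) < policy.min_length:
        problems.append("shorter than minimum length")
    if policy.complexity and not meets_complexity(new_password, account):
        problems.append("does not meet complexity requirements")
    recent = account.history[-policy.history_length:] if policy.history_length else []
    if password_hash(new_password) in recent:
        problems.append("password was used recently")
    return problems

def password_expired(policy: PasswordPolicy, account: Account, today: int) -> bool:
    """Maximum password age: once reached, the user must choose a new password."""
    return policy.max_age_days > 0 and today - account.last_change_day >= policy.max_age_days

def apply_change(policy: PasswordPolicy, account: Account, new_password: str, today: int) -> list:
    """Change the password if the policy allows it; returns the violations found (if any)."""
    problems = check_password_change(policy, account, new_password, today)
    if not problems:
        account.history.append(password_hash(new_password))
        account.last_change_day = today
    return problems

if __name__ == "__main__":
    policy = PasswordPolicy(history_length=3, min_age_days=1, min_length=8, complexity=True)
    acct = Account("jsmith", "John Smith")            # constructed sample account
    print(apply_change(policy, acct, "Winter!2000", today=10))   # []
    print(check_password_change(policy, acct, "Winter!2000", today=12))  # reuse rejected
```

Note that the minimum-age and history checks only bite together: without a minimum age a user can cycle through `history_length + 1` changes in a minute and land back on the old password, which is why the page lists both options.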

The Account Policy section also includes an option for Account Lockout Policy. If this feature is enabled, accounts are locked out (disabled) after a specified number of invalid logon attempts. The following options are available:

Account lockout duration

The duration of the lockout in minutes.

Account lockout threshold

The number of invalid logon attempts before lockout. The default is 0, meaning the account lockout feature is disabled.

Reset account lockout counter after

The number of minutes without an invalid logon attempt before the count of invalid attempts is reset to 0.
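The interaction of the three lockout options, as an added example in Python (not code from the book). The tracker does not verify passwords itself; the caller reports whether each attempt carried valid credentials, and the tracker decides whether the logon is accepted given the lockout state. Time is counted in minutes from an arbitrary starting point, the threshold default of 0 (lockout disabled) is the page's, and the 30-minute duration and reset values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class LockoutPolicy:
    threshold: int = 0            # Account lockout threshold; 0 disables lockout (page default)
    duration_min: int = 30        # Account lockout duration, in minutes (constructed)
    reset_after_min: int = 30     # Reset account lockout counter after, in minutes (constructed)

@dataclass
class LockoutState:
    bad_attempts: int = 0
    last_bad_at: Optional[int] = None     # minute of the most recent invalid attempt
    locked_until: Optional[int] = None    # minute at which a lockout ends, if locked

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.state: Dict[str, LockoutState] = {}

    def is_locked(self, user: str, now: int) -> bool:
        st = self.state.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_attempt(self, user: str, credentials_valid: bool, now: int) -> bool:
        """Process one logon attempt at minute `now`; returns True if the logon is accepted."""
        st = self.state.setdefault(user, LockoutState())
        if self.is_locked(user, now):
            return False        # locked out: refused even with the right password
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until = None      # lockout duration has elapsed
            st.bad_attempts = 0
        if credentials_valid:
            st.bad_attempts = 0         # a good logon clears the counter
            return True
        # Reset the counter if the quiet period since the last bad attempt has passed.
        if st.last_bad_at is not None and now - st.last_bad_at >= self.policy.reset_after_min:
            st.bad_attempts = 0
        st.bad_attempts += 1
        st.last_bad_at = now
        if self.policy.threshold and st.bad_attempts >= self.policy.threshold:
            st.locked_until = now + self.policy.duration_min
        return False

if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(threshold=3, duration_min=30, reset_after_min=15))
    for minute in (0, 1, 2):
        tracker.record_attempt("bob", False, now=minute)   # constructed sample attempts
    print("locked after 3 failures:", tracker.is_locked("bob", 2))
    print("correct password while locked:", tracker.record_attempt("bob", True, now=10))
    print("after lockout expires:", tracker.record_attempt("bob", True, now=32))
```

Two things the simulation makes visible: a reset window shorter than the interval between failures means a slow stream of bad logons never reaches the threshold, and a non-zero threshold means a legitimate user can be locked out by someone who only knows the username, which is why the duration and reset values matter as much as the threshold.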

Security Options

The Security Options settings are listed under Local Policies. These include a large number of options to control various local security settings. The following are some important options:

Allow system to be shut down without having to log on

If this option is enabled, a Shut Down button is displayed in the logon dialog and the computer can be shut down without a valid logon. This option is enabled by default.

Clear virtual memory pagefile when system shuts down

If this option is enabled, the virtual memory (paging) file is cleared at shutdown. This option is disabled by default.

Disable Ctrl-Alt-Del requirement for logon

If enabled, the Ctrl-Alt-Del keystroke is not required to display the logon dialog. This option is enabled by default in Windows 2000 Professional.

Do not display last username in logon screen

If this option is enabled, the most recent username is not displayed in the logon screen. This option is disabled by default.

Audit Policy

Windows 2000 includes an auditing feature, which allows you to specify various events that will be logged for later examination. You can configure auditing from the Audit Policy item under Local Policies.

No auditing is enabled by default. To enable auditing for an event, double-click it. You can then choose whether the event’s success or failure will be audited.

The results of auditing are displayed in the Event Viewer console, described in Section 3.7 of this chapter.

NTFS Security

Windows 2000 supports a full range of security for NTFS partitions. FAT partitions do not support security. NTFS security treats files and directories as objects. Each file or directory has an ACL, and users or groups can be given permission to access it. The available NTFS permissions are described in Table 3-5.

Table 3-5. NTFS Permissions

Permission          Description
Read                View a directory’s contents or open a file
Write               Write data to a file or create new files in a directory
Delete              Delete a file or directory
Change Permissions  Modify the permissions assigned to a file or directory
Execute             Execute a program file
Take Ownership      Modify the ownership of a file or directory

To modify permissions for a file or directory, right-click on it in Explorer. Select the Security tab, then click the Permissions button to display the Permissions dialog.

These permissions can be assigned individually or in preset combinations, such as Full Control, which includes all of the permissions. Another available permission, No Access, explicitly denies the user or group access to the resource, regardless of other permissions.

A user may have one set of permissions granted explicitly for a resource and one or more other permissions based on group membership. When this happens, the least restrictive permission becomes the effective permission, unless one of the permissions is No Access.

Inheritance is not automatic in NTFS security: permissions or restrictions given to a user for a directory are not applied to its subdirectories unless specified by selecting the Replace Permissions on Subdirectories option in the Permissions dialog. Permissions on files within a directory are not changed unless the Replace Permissions on Existing Files option is selected, but new files created in the directory inherit the directory’s permissions.

The Everyone group is given Full Control access to NTFS volumes by default, effectively disabling NTFS security. This permission should be removed or restricted to secure the volume.

Copying and moving files

Files on NTFS partitions can be moved or copied in the same manner as local files, using Explorer (accessible from the My Computer icon on each computer) or over the network. Permissions are not always moved with the file, however:

  • If the file is moved, the permissions of the original file are copied to the new location. Files can only be moved within a single NTFS volume. If you drag a file to a location on the same volume, a move operation is performed by default; for a copy, hold down the Ctrl key.

  • If the file is copied, the copied file inherits the permissions of the new directory. Dragging a file to a location on a different volume always results in a copy operation.

Of course, if the destination folder is on a FAT or FAT32 partition, NTFS permissions are lost. If a file from a FAT or FAT32 partition is copied to an NTFS location, it inherits the permissions of the new parent directory.

File Sharing

As with other Windows versions, Windows 2000 supports file sharing. A folder can be shared using the Sharing tab of the folder properties dialog. Shared folders are listed by their share names when a user browses the My Network Places window, as described earlier in this chapter.

File sharing supports its own type of security, called shared folder security. Click the Permissions button in the Sharing tab to display the Share Permissions dialog. Shares have a simple set of permissions that provide a lesser degree of security than that provided by NTFS, but can be used even with shared FAT or FAT32 volumes. The share permissions are described in Table 3-6.

Table 3-6. Share Permissions

Permission     Description
Full Control   Provides full access to files in the folder
Change         Allows the user to create, write, or delete files in the folder
Read           Allows Read access to files and directory listings

As with NTFS security, the Everyone group is given Full Control rights to shares by default. To provide security, this permission should be removed or restricted. For each user with permissions for a folder, you can specify Allow or Deny for each of the permissions listed in Table 3-6. Typically Allow is used to grant access. The Deny setting can be used to explicitly deny access when a user may have access via a group or via a permission setting for a higher directory.

As with NTFS security, a user may have permissions for a share assigned to the user as well as one or more groups. In this case, the least restrictive permission is used, unless one of the permissions is explicitly denied. If a user has both NTFS permissions and share permissions for a directory, the most restrictive permission is used.
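The combination rules stated for NTFS (least restrictive of the user's own and group entries, unless one is No Access), for shares (least restrictive, unless a permission is explicitly denied) and for a share on an NTFS volume (most restrictive of the two), worked in Python as an added example that serves both this paragraph and the NTFS paragraph above. It is not code from the book. Assumptions: the share levels are expressed in terms of the NTFS rights they correspond to (Read = Read and Execute; Change adds Write and Delete; Full Control = everything), every user in the sample is treated as a member of Everyone and Authenticated Users, and the group memberships and ACLs are constructed.

```python
NTFS_RIGHTS = frozenset({"Read", "Write", "Delete", "Change Permissions", "Execute", "Take Ownership"})
NO_ACCESS = "No Access"

# Share permission levels mapped onto NTFS rights (assumption for this model).
SHARE_LEVELS = {
    "Read": frozenset({"Read", "Execute"}),
    "Change": frozenset({"Read", "Execute", "Write", "Delete"}),
    "Full Control": NTFS_RIGHTS,
}

def principals_for(user, groups):
    """Identities whose entries apply to `user`: the user, its groups and the
    system groups every authenticated user belongs to (assumption)."""
    return {user, "Everyone", "Authenticated Users", *groups.get(user, set())}

def ntfs_effective(acl, user, groups):
    """acl: list of (principal, rights); rights is a set of NTFS rights, 'Full Control' or
    'No Access'. Matching entries are unioned (least restrictive) unless one is No Access."""
    allowed = set()
    applicable = principals_for(user, groups)
    for principal, rights in acl:
        if principal not in applicable:
            continue
        if rights == NO_ACCESS:
            return frozenset()          # No Access overrides everything else
        allowed |= NTFS_RIGHTS if rights == "Full Control" else set(rights)
    return frozenset(allowed)

def share_effective(share_acl, user, groups):
    """share_acl: list of (principal, level, 'Allow' | 'Deny'). Allows are unioned;
    an explicit Deny removes the rights of that level regardless of any Allow."""
    allowed, denied = set(), set()
    applicable = principals_for(user, groups)
    for principal, level, kind in share_acl:
        if principal not in applicable:
            continue
        (allowed if kind == "Allow" else denied).update(SHARE_LEVELS[level])
    return frozenset(allowed - denied)

def effective_over_network(ntfs_acl, share_acl, user, groups):
    """Access through a share to an NTFS folder: the most restrictive of the two applies."""
    return ntfs_effective(ntfs_acl, user, groups) & share_effective(share_acl, user, groups)

if __name__ == "__main__":
    groups = {"alice": {"Users", "Accounting"}, "guest": {"Guests"}}     # constructed
    default_ntfs = [("Everyone", "Full Control")]                         # page: the default
    default_share = [("Everyone", "Full Control", "Allow")]               # page: the default
    print("guest, defaults:", sorted(effective_over_network(default_ntfs, default_share, "guest", groups)))
    hardened_ntfs = [("Accounting", {"Read", "Execute"}), ("alice", {"Write"}), ("Guests", NO_ACCESS)]
    hardened_share = [("Users", "Change", "Allow"), ("Administrators", "Full Control", "Allow")]
    print("alice, hardened:", sorted(effective_over_network(hardened_ntfs, hardened_share, "alice", groups)))
    print("guest, hardened:", sorted(effective_over_network(hardened_ntfs, hardened_share, "guest", groups)))
```

The default entries reproduce the page's warning: with Everyone holding Full Control on both the volume and the share, every account, Guest included, ends up with every right. Removing those entries and granting rights to specific groups is what makes the intersection rule useful.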

Monitoring Users and Shares

Windows 2000 includes the Shared Folders snap-in, which enables you to monitor share use and the files currently opened by users. To access this utility, either add the Shared Folders snap-in to an MMC console or use the Computer Management snap-in. Shared Folders is located under System Tools.

Under Shared Folders, there are three options that allow monitoring and administration of shares:

Shares

Lists the currently defined shares. For each share, the path the share represents and the number of users currently connected to the share are displayed.

Sessions

Lists the users who are currently accessing one or more shares on the computer. Highlight a session and select Disconnect Session from the Action menu to disconnect it.

Open Files

Lists all shared files currently open. For each file, the current user, the open mode (Read or Write), and the number of locks on the file are displayed.

Managing Printers

Windows 2000 includes comprehensive support for printers. Printers installed on a computer are defined in the Printers folder, available from the Control Panel. Several components are involved in the printing process:

Printer

The Windows 2000 object that corresponds with a hardware printer (print device) and stores jobs to be printed in a queue. Also called a logical printer.

Print device

A physical printer. Remember that in Windows 2000 terms, printers are software and print devices are hardware.

Print job

A document sent to the printer. Print jobs are stored in a queue until they are sent to the printer.

Print server

The server that controls a printer. This is usually the machine the printer is attached to. Both Windows 2000 Professional and Windows 2000 Server can act as print servers; the Professional version is limited to 10 concurrent user connections to the printer.

Installing and configuring printers

Select Add Printer from the Printers folder to install a printer. A wizard prompts you for information about the printer. You can configure a local printer or configure local access to a shared printer on another machine or on the Internet. You are asked to specify the port the printer is attached to, the printer manufacturer and type, and whether the printer will be shared.

After a printer is installed, you can access its Properties dialog to configure it. This dialog includes the following tabs:

General

Includes options for the printer’s location and description and allows you to choose the printer driver.

Sharing

Specifies whether the printer is shared and under what name. You can also install drivers for the printer for different operating systems from this dialog. Users running other systems (such as Windows 98) can then download a driver when they install a local icon for the shared printer.

Ports

Specifies the ports the printer is connected to. You can also create a printer pool, described later, by selecting multiple ports. LPT (parallel), COM (serial), and UNC paths to shared printers can be used.

Advanced

Specifies a time period when the printer is available. The priority for printer access is also set in this tab. When multiple logical printers are defined for one physical printer, documents are printed based on the priority. This allows you to give certain groups of users priority access to a printer.

Color Management

Includes options for color management, which is used to ensure that colors remain accurate on different display and output devices.

Security

Allows you to set permissions for access to the printer, similar to those used with NTFS directories. Permissions affect both local and remote users.

Device Settings

Includes settings specific to the printer, defined by the printer driver software. Depending on the driver, one or more additional tabs may also be available.

Print pools

A logical printer can be assigned to two or more physical printers on different ports. This configuration is called a print pool. To create a pool, select the Enable printer pooling option in the Ports tab of the Printer Properties dialog and select two or more ports.

Print pools should be used with identical printers, or at least compatible printers. A document is sent to the first available printer in the pool.

Scheduling and priorities

In addition to configuring one printer to access multiple print devices (print pool), you can configure one print device with several printers. This technique is useful to assign several different users or groups permissions for a printer with different priorities or schedules.

To assign schedules and priorities, use the Advanced tab of the Printer Properties dialog. Configure a time period for the printer to be available if needed. Priority can be set between 1 and 99; 99 is the highest priority. Jobs from a higher priority printer are always sent to the print device first.
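How a print device chooses between several logical printers with different priorities and availability windows, as an added example in Python (not code from the book). The model keeps one FIFO queue per logical printer, treats a printer as available only inside its configured window, and always hands the device the job from the highest-priority available printer first, as the text states. The printer names, windows and jobs are constructed; the 1 to 99 priority range is the page's.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class LogicalPrinter:
    name: str
    priority: int = 1                         # 1 (lowest) to 99 (highest), as on the Advanced tab
    available: Tuple[int, int] = (0, 24 * 60)  # window in minutes since midnight; default: always
    queue: deque = field(default_factory=deque)  # jobs waiting on this logical printer, FIFO

    def __post_init__(self):
        if not 1 <= self.priority <= 99:
            raise ValueError("priority must be between 1 and 99")

    def is_available(self, minute_of_day: int) -> bool:
        start, end = self.available
        if start <= end:
            return start <= minute_of_day < end
        return minute_of_day >= start or minute_of_day < end   # window wraps past midnight

def next_job(printers: List[LogicalPrinter], minute_of_day: int) -> Optional[Tuple[str, str]]:
    """The job the print device takes next: from the highest-priority logical printer that is
    available now and has work queued. Ties go to the printer listed first (assumption)."""
    candidates = [p for p in printers if p.queue and p.is_available(minute_of_day)]
    if not candidates:
        return None
    chosen = max(candidates, key=lambda p: p.priority)   # max keeps the first of equal keys
    return chosen.name, chosen.queue.popleft()

def drain(printers: List[LogicalPrinter], minute_of_day: int) -> List[Tuple[str, str]]:
    """Print everything currently eligible, returning the order in which jobs were taken."""
    order = []
    while True:
        job = next_job(printers, minute_of_day)
        if job is None:
            return order
        order.append(job)

if __name__ == "__main__":
    # Constructed setup: three logical printers sharing one print device.
    managers = LogicalPrinter("HP4-Managers", priority=99)
    staff = LogicalPrinter("HP4-Staff", priority=1)
    overnight = LogicalPrinter("HP4-Overnight", priority=50, available=(18 * 60, 6 * 60))
    staff.queue.extend(["memo1", "memo2"])
    managers.queue.append("board-pack")
    overnight.queue.append("monthly-report")
    print("at 10:00:", drain([staff, managers, overnight], minute_of_day=10 * 60))
    print("at 23:00:", next_job([staff, managers, overnight], minute_of_day=23 * 60))
```

Because the device always prefers the higher-priority printer, a steady stream of high-priority jobs can starve the low-priority queue; pairing a priority with a time window, as the overnight printer does, is the way the page's two Advanced-tab settings work together.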

Managing print jobs

Open a printer within the Printers folder to display jobs currently printing or waiting to print. The options in the Document menu allow you to pause, resume, restart, or cancel the current document. Members of the Administrators or Print Operators groups can pause all printing or purge all print jobs from the Printer menu.

The print jobs list is managed by the print spooler service. Spool files are stored on the boot partition by default. If this partition has insufficient space, you can change the spool location by selecting Server Properties from the File menu of the Printers folder. Select the Advanced tab and specify a path to the new folder.
