CHAPTER 4
PLANNING A MICROSOFT WINDOWS 2000
ADMINISTRATIVE STRUCTURE
Scenario:
Hanson Brothers
Hockey equipment manufacturer, head-office
in
They use centralized administration and the Windows 2000 operating system.
You must help them decentralize administration to the new areas.
You must not sacrifice security in the process.
Existing Network
Both the
The connections are currently experiencing 5% utilization of available network bandwidth.
Account information will be moved to
Hanson Brothers’ Active Directory Design
The hansonbrothers.ltd domain in Warroad was implemented as a single domain. The IT department
wants to maintain a single domain for the entire organization in order to reduce the management
overhead that multiple domains would involve.
All user accounts, computer accounts, and DCs are currently stored in the default locations in
Active Directory. To keep their single domain, they plan to create OUs to delegate control.
Hanson Brothers’ Administrative Needs
In the meetings with them you determine the following needs:
Membership in administrative groups that can affect the domain and forest must be monitored
regularly to ensure that no unauthorized membership exists.
======================================================================
winsec4.html PAGE 2 2002/04/14
The help desk must be able to reset passwords and unlock any locked-out user accounts.
Create their own GPO?
Hanson Brothers uses a Human Resources program that stores its data in Active Directory.
They must be able to modify specific attributes of all users in the organization. Create their own
GPO, and specify the unique attributes or objects that they must be able to alter.
Local administrators in
at their location. Keep the alterations locally, and not remotely for security purposes.
At the
Architecture (SPARC) workstation as that person’s primary desktop.
Lesson 1:
Planning Administrative Group membership
When designing security for your network, you must consider the membership requirements
for each Windows 2000 administrative group.
Designing Default Administrative Group Membership
Windows 2000 contains several predefined administrative groups. When designing security for
your Windows 2000 network, you must determine appropriate membership in each group. By
understanding the capabilities of each group and assigning the correct memberships, you can
ensure that users aren’t assigned excess privileges on the Windows 2000 network.
The Default Windows 2000 Administrative Groups
Several default groups exist within Active Directory and are assigned rights on the network.
Assessing Administrative Group Membership Design
You should ensure a well designed network by doing the following:
Periodically audit administrative group membership.
Implement restricted groups in Group Policy to control membership in administrative groups.
Auditing Group Membership
You can use Windows 2000 auditing and periodic manual audits to ensure that group
membership is as it should be in your Windows 2000 network.
The audit must ensure that both users directly configured as members of the administrative
group and the membership of any composite groups are verified against documented membership.
Use Third-party tools to Determine Group Membership
There are some common third-party tools in the industry such as:
SomarSoft’s Dumpevt. This Dumpevt utility is commonly used to report on the configured
discretionary access control lists (DACLs) that are defined for file and share resources.
Windows Scripting Host. You can use the Windows Scripting Host (WSH) to generate
scripts that report on group membership.
Be careful not to assign too many rights; only assign the bare minimum when handing out
permissions.
Using Restricted Groups to Maintain Group Memberships
If you want to limit membership within a specific group, you can use the Restricted Groups
option within Group Policy to predefine membership within the groups.
You can apply Restricted Groups policy at the site, domain, or OU Level. When applied, the
Restricted Groups policy settings provide two forms of protection for a defined group.
It protects membership in the group. Within restricted groups you can define which accounts
can be members of the group. If the membership is changed, the next time that Group Policy
is applied it will modify the membership to match the membership defined in the policy.
NOTE: Group Policy will be automatically applied to DCs every 5 minutes. Windows 2000
Pro workstations and Windows 2000 member servers that are members of the domain will
apply the computer policies every 90 minutes by default. You can force the application of the
security policy by running the following command from the command prompt at the target
workstation: SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
It limits which groups the restricted group can be a member of.
Making the Decision
When making your decision on administrative group design, you must do the following:
administrative group and paper trail to enforce your reasons.
what rights the member will require. Don’t grant membership to a group that provides excess
privileges.
administrative group membership, either manually or with automated reporting utilities.
Applying the Decision
The decisions that Hanson Brothers faces include determining membership in the administrative
groups for the Central IT team and ensuring that membership is guarded and audited for
enterprise-level administrative groups.
Based on the role definitions provided in this chapter’s scenario, you must define the administrative
group membership for Hanson Brothers.
Administrative Group Memberships for Hanson Brothers
=====================================================================
Group                         Membership
=====================================================================
account must be restricted further to be used at only specific
locations on the network.
DNS Admins                    Derek Graham
DHCP Administrators           Derek Graham
Account Operators             Steve Masters
Schema Admins                 Yvonne Schleger
Server Operators              Eric Miller
Group Policy Creator Owner    Stephanie Conroy
=====================================================================
There is no Backup Operator Group. This is because Hanson Brothers requires that the
Backup and Restore privileges be divided between Stephanie Conroy and Kim Hightower.
Membership in the Backup Operators group would be an excess assignment of user rights.
The other requirement you must manage is the membership of the Domain Admins, Enterprise
Admins, Schema Admins, and Administrators groups. You can manage these groups by:
To ensure that the group memberships are maintained on the domain, the Restricted Groups
policy must be deployed at the Domain Controllers OU for Hanson Brothers.
=====================================================================
Group            Members                          Member of
=====================================================================
Domain Admins    Administrator                    Administrators
Schema Admins    Administrator, Yvonne Schleger   None
Administrators   Domain Admins, Administrator     None
=====================================================================
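The audit described under “Auditing Group Membership” and the Restricted Groups table above can be driven from one script. The following is an added example, not code from the chapter or from Microsoft: it checks the direct membership of the enterprise-level groups against the documented baseline, lists the effective (nested) membership for the paper trail, and emits the [Group Membership] section of a security template that implements the table. It assumes a management workstation with the ActiveDirectory PowerShell module (RSAT), which is newer than the Windows 2000 tooling the chapter discusses; the baseline values come from the table, and the output file name is an assumption.

```powershell
# Added example, not part of the chapter: audit the enterprise-level
# administrative groups against the documented membership and emit the
# [Group Membership] section of a security template that implements the
# Restricted Groups table. Needs the ActiveDirectory module (RSAT). The
# baseline is taken from the chapter's table; the output path is an assumption.
Import-Module ActiveDirectory

# Documented membership (Group -> direct Members, Member of).
$Baseline = @{
    'Domain Admins'  = @{ Members = @('Administrator');                    MemberOf = @('Administrators') }
    'Schema Admins'  = @{ Members = @('Administrator', 'Yvonne Schleger'); MemberOf = @() }
    'Administrators' = @{ Members = @('Administrator', 'Domain Admins');   MemberOf = @() }
}

# Audit: compare direct membership with the baseline, and list the effective
# (nested) membership, because composite groups must be verified as well.
function Test-AdminGroupMembership {
    param([hashtable]$Expected)
    foreach ($group in $Expected.Keys) {
        $direct     = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name
        $effective  = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty Name
        $unexpected = $direct | Where-Object { $Expected[$group].Members -notcontains $_ }
        $missing    = $Expected[$group].Members | Where-Object { $direct -notcontains $_ }
        [pscustomobject]@{
            Group      = $group
            Unexpected = ($unexpected -join ', ')   # anything here needs immediate review
            Missing    = ($missing    -join ', ')
            Effective  = ($effective  -join ', ')   # nested members, for the documented record
        }
    }
}

# Resolve a name to "*SID" where possible. Templates accept names or SIDs;
# SIDs survive the account rename the chapter recommends later.
function ConvertTo-TemplateEntry {
    param([string]$Name)
    $obj = Get-ADObject -Filter { Name -eq $Name } -Properties objectSid | Select-Object -First 1
    if ($obj) { '*' + $obj.objectSid.Value } else { $Name }
}

# Emit the Restricted Groups section. Applied through Group Policy at the
# Domain Controllers OU, it re-asserts this membership on every refresh.
function New-RestrictedGroupsSection {
    param([hashtable]$Expected)
    $lines = @('[Group Membership]')
    foreach ($group in $Expected.Keys) {
        $key      = ConvertTo-TemplateEntry $group
        $members  = ($Expected[$group].Members  | ForEach-Object { ConvertTo-TemplateEntry $_ }) -join ','
        $memberOf = ($Expected[$group].MemberOf | ForEach-Object { ConvertTo-TemplateEntry $_ }) -join ','
        $lines += "${key}__Memberof = $memberOf"
        $lines += "${key}__Members = $members"
    }
    $lines
}

Test-AdminGroupMembership -Expected $Baseline | Format-Table -AutoSize
New-RestrictedGroupsSection -Expected $Baseline |
    Set-Content -Path .\RestrictedGroups.inf -Encoding Unicode
```

The generated section is pasted into a template that carries the usual [Unicode] and [Version] headers and is then imported into the Group Policy object linked to the Domain Controllers OU; the audit function is what you run between policy refreshes to catch changes made directly on a DC.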
Designing Custom Administrative Groups
Sometimes you will require a group to have only a subset of the rights that an administrative
group is assigned. You may need to separate the Backup and Restore privileges; this is a
good idea.
By creating two custom groups and assigning one group the right to back up files and the
other group the right to restore files, you can reduce the risk associated with a single user account
having the rights to both back up and restore files from the network.
Determining when to Create Custom Groups
One group that has a large number of rights on a network is the Enterprise Admins
group in the forest root domain. An organization will often create custom groups to delegate
only specific rights to an account, rather than make the account a member of the Enterprise
Admins group and provide the account with excess privileges.
Enterprise Admins group membership must normally be provided to execute the Dcpromo process. By using
Ntdsutil to create the necessary cross-reference and server objects in Active Directory in
advance, a member of the Enterprise Admins group can allow users who aren’t members to
perform the actual Dcpromo process.
NOTE: Use the ntdsutil command: PRECREATE %1 %2, where %1 is the name of the
domain to create and %2 is the name of the DC that will be added to the domain.
Authorize Remote Installation Services (RIS) and DHCP servers in Active Directory. By
default, members of the Enterprise Admins group are the only users who can authorize
DHCP/RIS servers. This right can be delegated in Active Directory.
Install Enterprise Certification Authorities. By default, only members of the Enterprise
Administrators group are allowed to create Enterprise Certification Authorities.
Manage sites and subnets. By default, only Enterprise Administrators are allowed to
create new site or subnet objects to design replication for your Windows 2000 network.
Making the Decision
You should base your decision on whether to create custom security groups for the purpose
of administration in your Active Directory on the following guidelines:
requirements.
Applying the Decision
Hanson Brothers must create custom administration groups to meet the following requirements
outlined in this chapter’s case scenario:
Help Desk personnel. You must create a domain local group that contains all the help desk
personnel. They can then be given the ability to change passwords, and clear the account
lockout attribute for all user accounts.
Human Resources. Do the same for the Human Resources department. They need to change
HR-related attributes, such as address and phone number.
administrators at each office, and then give these custom groups the ability to manage both
user and computer objects.
Backup Admins. This domain local group would be assigned the user right to Backup Files
and Directories. If the requirement is to back up all Windows 2000-based computers, then
this user right must be assigned at both the Domain Controllers OU in the Default Domain
Controller Group Policy object and at the Domain in the Default Domain Group Policy object.
Restore Admins. Assuming that Kim Hightower would have to restore backup data to any
Windows 2000 based computer in the network, this user right must be assigned at both the
Domain and the Domain Controller OU.
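The custom groups in the list above can be created and delegated without handing anyone membership in a built-in administrative group. The following is an added example, not code from the chapter: it creates the four domain local groups, uses dsacls to grant the help desk only the Reset Password right and write access to lockoutTime, grants HR write access to a handful of attributes, and writes the [Privilege Rights] section of a security template that keeps the Back Up and Restore user rights in two separate groups. It assumes the ActiveDirectory module and dsacls.exe; the NetBIOS domain name HANSONBROS, the OU paths, the group names and the HR attribute list are assumptions.

```powershell
# Added example, not part of the chapter: create the custom groups, delegate
# the help desk and HR rights with dsacls, and write the [Privilege Rights]
# section that separates Back Up from Restore. Requires the ActiveDirectory
# module (RSAT) and dsacls.exe. Domain name, OU paths, group names and the
# HR attribute list are assumptions for this example.
Import-Module ActiveDirectory

$Domain  = 'HANSONBROS'                            # assumed NetBIOS domain name
$UsersOU = 'OU=Users,DC=hansonbrothers,DC=ltd'     # assumed OU holding all user accounts
$GroupOU = 'OU=Groups,DC=hansonbrothers,DC=ltd'    # assumed OU for the custom groups

# Domain local groups, one per delegated role, as the chapter specifies.
foreach ($name in 'HelpDesk', 'HRAdmins', 'BackupAdmins', 'RestoreAdmins') {
    if (-not (Get-ADGroup -Filter { Name -eq $name })) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
}

# Help desk: the "Reset Password" control-access right plus write access to
# lockoutTime (writing 0 clears the lockout) on user objects under the OU,
# and nothing else. /I:S inherits to sub-objects only; CA = control access
# right; RPWP = read and write property.
dsacls $UsersOU /I:S /G "${Domain}\HelpDesk:CA;Reset Password;user"
dsacls $UsersOU /I:S /G "${Domain}\HelpDesk:RPWP;lockoutTime;user"

# HR: write only the attributes the HR application maintains.
foreach ($attr in 'streetAddress', 'telephoneNumber', 'title', 'department') {
    dsacls $UsersOU /I:S /G "${Domain}\HRAdmins:RPWP;${attr};user"
}

# Separate Back Up from Restore. A template's [Privilege Rights] entry replaces
# the current holders of a right, so Administrators (S-1-5-32-544) is listed
# explicitly to keep it; Backup Operators is deliberately absent.
function New-BackupRestoreSection {
    param([string]$BackupGroup, [string]$RestoreGroup)
    $backupSid  = (Get-ADGroup -Identity $BackupGroup).SID.Value
    $restoreSid = (Get-ADGroup -Identity $RestoreGroup).SID.Value
    @(
        '[Privilege Rights]'
        "SeBackupPrivilege = *S-1-5-32-544,*$backupSid"
        "SeRestorePrivilege = *S-1-5-32-544,*$restoreSid"
    )
}

New-BackupRestoreSection -BackupGroup 'BackupAdmins' -RestoreGroup 'RestoreAdmins' |
    Set-Content -Path .\BackupRestore.inf -Encoding Unicode
```

As the chapter requires, the same [Privilege Rights] section goes into both the Default Domain Controllers GPO and the Default Domain GPO (inside a template with the [Unicode] and [Version] headers) so that the split applies to every Windows 2000 computer, and `secedit /analyze` against that template confirms that no other principal still holds either right.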
Lesson Summary:
that membership is designed not to grant excess rights on the network.
groups, you can verify that only authorized users are members of administrative groups.
Lesson 2:
Securing Administrative Access to the Network
Once you’ve designed the groups that will be allowed to perform administrative tasks on your
network, the next phase of your security plan is to design how these administrative accounts
may be used on the network.
Designing Secure Administrative Access
You can use several methods to secure how administrators can access the network. These
include:
Requiring smart card logon. You can lock the cards into a safe that requires two people to
open it or to access the PIN for the smart card for unlocking the private key on the card.
Restricting which workstations administrators can log on to. This option requires that NetBIOS
is supported on the network, but it can restrict logon to specific management stations using
their NetBIOS names. If logon is attempted from a different location, the logon attempt will fail.
Configuring logon hours. You can restrict an administrative account to usage only at specific
hours.
Renaming the default administrator account. While not the utmost in security, this prevents an
attacker from guessing that the administrator account is named Administrator.
Enforcing strong passwords. Make sure that the administrator accounts use complex
passwords. You could enforce this through domain account policy, but that would affect all
users of the network.
Making the Decision
In a high-security network, you can use the decision matrix shown below to restrict
administrative access to the network.
Restricting Administrative Access
==============================================================================
To                               Do the Following
==============================================================================
Restrict administrative access   1. Implement workstation restrictions so that
to specific workstations            only specific workstations can be used by
                                    administrative accounts.
                                 2. Implement smart card authentication for
                                    administrative accounts and install smart
                                    card readers only at desired workstations.
Protect administrative           1. Manually implement complex passwords for the
passwords                           Administrator account that exceed the domain
                                    account policy.
                                 2. Implement smart card logon that doesn’t
                                    expose the password of the administrator
                                    account.
Protect the administrator        1. Rename the administrator account. Don’t use
account from being                  easily guessed account names.
compromised                      2. Don’t leave the administrator account logged
                                    on at a workstation.
                                 3. Require smart card logon for the
                                    administrator account and store the smart
                                    card in a restricted location, such as a safe.
                                 4. Don’t make day-to-day accounts administrators
                                    of the network. Require that each
                                    administrator have a day-to-day account for
                                    normal network access.
==============================================================================
Applying the Decision
Hanson Brothers can take several actions to secure administrative access to their network.
These include:
Renaming the Administrator account. A common attack that’s performed against networks
is to use default accounts that ship with the operating system. By renaming the Administrator
account, you can reduce the chance that the Administrator account will be used to attack
the network.
Maintaining an Alternative Administrative Account
In some networks, after the Administrator account is renamed, a network
administrator will create a new account named Administrator. But instead of having
administrative rights on the network, this account is only a member of the Domain Guests
group. By combining the creation of a nonadministrative Administrator account with a strategy
of auditing account logon failures and successes, you can determine if someone is attempting
to use the Administrator account.
Creating dedicated administrative accounts. Rather than assigning the day-to-day user
account for the six administrators into the administrative groups on the network, you can
create dedicated administrative accounts that are used to perform administrative tasks.
Protecting administrative accounts. Restrictions can include restricting the account to
specific administrative workstations or requiring a smart card for logon.
NOTE: The default Administrator account can’t be restricted to specific workstations or
required to use a smart card for logon. To protect this account, a complex password must
be implemented along with additional security processes, such as storage of the password
in a location like a central safe in the IT department.
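The measures listed above for Hanson Brothers (dedicated administrative accounts restricted to specific workstations and hours, a renamed built-in account, a decoy Administrator in Domain Guests, and auditing of logon attempts against it) can be scripted. The following is an added example, not code from the chapter or from Microsoft. It assumes the ActiveDirectory module (RSAT); the account names, workstation names, OU, hours and the sample logon events are constructed for the example. The event IDs are real (529 is the Windows 2000 logon-failure event, 4625 its successor), but the records below are constructed, not captured.

```powershell
# Added example, not part of the chapter: harden a dedicated administrative
# account, set up the decoy "Administrator" account, and scan logon-failure
# events for the decoy name. Requires the ActiveDirectory module (RSAT).
# Account names, workstation names, OU, hours and sample events are constructed.
Import-Module ActiveDirectory

# logonHours is a 21-byte bitmask: 168 bits, one per hour of the week, starting
# Sunday 00:00 UTC; bit 0 of each byte is the earliest hour in that byte.
function New-LogonHoursMask {
    param([int]$StartHour, [int]$EndHour, [int[]]$Days = @(1, 2, 3, 4, 5))   # 0 = Sunday; Mon-Fri default
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit   = $day * 24 + $hour
            $index = $bit -shr 3
            $mask[$index] = $mask[$index] -bor (1 -shl ($bit % 8))
        }
    }
    return ,$mask
}

# Dedicated administrative account with the a_ prefix, created disabled; the
# password is set out of band before it is enabled. Logon is allowed only from
# the two named management stations and only 07:00-19:00 UTC on weekdays.
$adminOU = 'OU=Admin Accounts,DC=hansonbrothers,DC=ltd'      # assumed OU
$a = New-ADUser -Name 'a_emiller' -SamAccountName 'a_emiller' -Path $adminOU -Enabled $false -PassThru
Set-ADUser -Identity $a -LogonWorkstations 'ADMIN-WS1,ADMIN-WS2' `
           -Replace @{ logonHours = (New-LogonHoursMask -StartHour 7 -EndHour 19) }

# Rename the real built-in Administrator (its SID does not change), then create
# a decoy with the old name whose only group is Domain Guests. The decoy stays
# disabled: any attempt to use it still produces a logon-failure event.
$builtin = Get-ADUser -Identity 'Administrator'
Set-ADUser -Identity $builtin.ObjectGUID -SamAccountName 'a_builtin'
Rename-ADObject -Identity $builtin.ObjectGUID -NewName 'a_builtin'
$decoy = New-ADUser -Name 'Administrator' -SamAccountName 'Administrator' -Path $adminOU -Enabled $false -PassThru
Add-ADGroupMember -Identity 'Domain Guests' -Members $decoy
Set-ADUser -Identity $decoy -Replace @{ primaryGroupID = 514 }    # Domain Guests RID, so Domain Users can be dropped
Remove-ADGroupMember -Identity 'Domain Users' -Members $decoy -Confirm:$false

# Logon-failure records, constructed here. Field names follow the modern 4625
# event; on Windows 2000 the equivalent is event 529 with "User Name" and
# "Workstation Name" fields.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4625; TargetUserName = 'a_emiller';     WorkstationName = 'ADMIN-WS1'; IpAddress = '10.1.0.15' }
    [pscustomobject]@{ Id = 4625; TargetUserName = 'Administrator'; WorkstationName = 'LAB-PC7';   IpAddress = '10.1.4.44' }
    [pscustomobject]@{ Id = 4625; TargetUserName = 'Administrator'; WorkstationName = 'LAB-PC7';   IpAddress = '10.1.4.44' }
    [pscustomobject]@{ Id = 4624; TargetUserName = 'jsmith';        WorkstationName = 'SALES-03';  IpAddress = '10.1.2.9'  }
)

# Nobody has a legitimate reason to log on as the decoy, so every failure
# naming it is a guessing attempt; grouping by source shows repeat offenders.
function Find-DecoyLogonAttempt {
    param([object[]]$Events, [string]$DecoyName = 'Administrator')
    $Events | Where-Object { $_.Id -eq 4625 -and $_.TargetUserName -eq $DecoyName } |
        Group-Object WorkstationName, IpAddress |
        ForEach-Object { [pscustomobject]@{ Source = $_.Name; Attempts = $_.Count } }
}

Find-DecoyLogonAttempt -Events $SampleEvents | Format-Table -AutoSize
```

For the sample records the report shows one source, LAB-PC7 / 10.1.4.44, with two attempts. Against a live Security log the same function takes the output of Get-WinEvent filtered on the logon-failure ID, with the fields pulled from the event XML; the logon-hours mask is built in UTC because that is how the directory stores logonHours, so adjust the hour range for the office’s time zone.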
Designing Secondary Access
Windows 2000 allows administrative tasks to be launched at a higher security level than the
current user’s account. This is done by providing alternate credentials to the RunAs service
when launching the administrative tasks.
Understanding the RunAs Service
The RunAs service allows you to launch processes under a different security context.
You can use several methods to launch a process by using the RunAs service. These
include:
Holding the Shift key while right-clicking a shortcut. This enables the Run As option on the
pop-up menu.
Using the RUNAS command at a command prompt:
RUNAS /user:UserName program
Creating administrative scripts. You can create administrative scripts that launch
administrative processes at a higher security context.
Changing a shortcut’s properties. Within the property pages of a shortcut you can
configure the shortcut to Run As A Different User.
To distinguish administrator accounts from everyday accounts, you can require all
administrator accounts to use a prefix such as a_.
Making the Decision
If you plan to implement the RunAs service to allow processes to be run under alternative
security credentials, you must include the following considerations in your security design:
The RunAs service doesn’t provide facilities for smart card logon.
There is more than one way to launch the RunAs service: the command prompt, a shortcut’s
properties, or right-clicking a shortcut and selecting Run As from the pop-up menu.
Use a standard prefix for administrative accounts.
Create a policy for the usage of administrative accounts on the network, and keep
separate accounts for day-to-day work.
Applying the Decision
Because the process then runs in the security context of the administrative task, the task
can be performed without having to log off the network and then log on using the
administrative account.
Designing Telnet Administration
Some tasks can be performed from a command prompt. To allow remote administration using
these command line tools, you can use the Telnet Service that ships with Windows 2000.
You can use the Telnet Service only to run text-based utilities such as scripts and batch files.
If the utility requires a graphical interface, you must deploy alternative methods, such as
RunAs or Terminal Services.
Your security plan must take into account that Telnet uses clear text for the transmission of
authentication and screen data by default.
To protect all data in the Telnet sessions, you must configure IPSec to encrypt all data
transmitted between the client workstation running the Telnet client and the Telnet Service.
Making the Decision
You can’t use Telnet administration in all circumstances. Remember that Telnet assumes
that text-based administration is taking place. When you design administrative access by using
telnet, use the following considerations when you make your security plan:
You can use NTLM authentication to protect the authentication credentials when transmitted
to the Telnet Services. NTLM can only be used by clients that support the NTLM protocol
for authentication.
of the data as it’s transmitted. Remember that the use of NTLM only protects the credentials
provided during authentication.
Applying the Decision
For Hanson Brothers, the Telnet service must not be configured to use NTLM for
authentication. This is because there’s an administrator who uses a UNIX SPARC workstation,
which won’t support NTLM authentication.
Designing Terminal Service Administration
You can install Terminal Services on a Windows 2000 Server to allow administration of a
computer from a remote location.
The advantage of Terminal Services over other methods of remote administration is that the
client computer doesn’t have to be running the Windows 2000 operating system. Windows
95, 98 and Windows NT clients can all be used to run the Terminal Services Client.
Assessing Terminal Services Administration
You can install Terminal Services in one of two modes: Application and Remote Administration.
Application mode. Allows multiple connections by regular user accounts (as long as they’ve been
granted Terminal Services access in Active Directory Users and Computers). If the terminal server
must run in Application mode, you can configure additional security by applying the Notssid.inf
security template, which removes the Terminal Services ID (TSInternetUser) from all DACLs.
Remote Administration. It’s preferable to configure Terminal Services to run in Remote
Administration. Remote Administration has two key benefits when you’re designing secure
administration of the network. First, it’s limited to only two concurrent connections. Second,
only members of the Administrators group are allowed to connect to the terminal server. This
ensures that only administrators of the network can utilize the terminal server.
Applying the Decision
For Hanson Brothers, Terminal Services could be restricted to administrators of the network by
configuring Terminal Services to use Remote Administration mode.
The other advantage of Terminal Services is that the new Terminal Services Advanced Client could
be deployed. This would allow clients running other operating systems (but using Internet Explorer)
to perform administrative tasks on the Windows 2000 domain from the alternative client operating
system computer.
NOTE: The only accounts that couldn’t be used in the Terminal Services client would be
administrative accounts that are required to use smart cards for authentication. Smart card
authentication isn’t supported for Terminal Services.
Lesson Summary:
administrator of the network, but also restricting where administration can take place on the
network.
tasks to specific utilities, such as Terminal Services or Telnet Services.