CHAPTER 5
DESIGNING GROUP SECURITY
Chapter Scenario:
Hanson Brothers want to deploy Exchange Server to provide e-mail services between Warroad,
Last month Hanson Brothers bought out a former competitor in
single domain to two domains.
Not all users will be included during the initial rollout of Exchange Server, and Hanson Brothers
wants to use Windows 2000 security groups to ensure that only authorized users can install or
configure the Outlook 2000 client software.
You must design custom groups to ensure that only approved employees will be able to install the
Outlook 2000 software.
Exchange server requires the creation of a service account. This service account must have the
following user rights assigned in any domain where Exchange Server is deployed:
Lesson 1:
Designing Microsoft Windows 2000 Security Groups
Your choice of security group type and scope will determine your network’s security and
manageability levels.
Windows 2000 Groups
In a Windows 2000 network, access to network resources is authorized through the inspection
of the user Security Identifier (SID) and any group SIDs for the user account.
Windows 2000 Group Types
You can define two different types of Windows 2000 groups: security groups and distribution
groups.
Security groups. Used for entries in discretionary access control lists (DACLs) and system
access control lists (SACLs) that define security and auditing settings for an object.
Distribution groups. Used for such applications as e-mail distribution lists. When an access
token is built for a user, security group SIDs are included in the access token but
distribution group memberships are ignored.
======================================================================
winsec5.html PAGE 2 2002/04/14
Do Distribution Groups Have SIDs?
Yes. Even though you can’t assign a distribution group permissions to an object, you can still
convert the distribution group into a security group in Active Directory Users and Computers.
You can identify the SID of a distribution group by using the Active Directory Administration
Tool (Ldp.exe) that’s included with the Windows 2000 Support Tools. This tool allows you to
bind to Active Directory and query objects in Active Directory by issuing LDAP commands.
Windows 2000 Group Scopes
Once you’ve selected the group type, you must set the scope for the group. The scope defines
where the group can be used, where the membership of the group is maintained, and how the
group can be used.
NOTE: By implementing native mode in a Windows 2000 domain, you increase your options for
setting security group scopes. Mixed-mode domains may contain Windows NT BDCs that limit
the types of groups you can create because they don’t recognize the newer Windows 2000
scopes (domain local and universal groups) and don’t recognize new functionality, such as
nesting global groups within other global groups.
When Windows 2000 Active Directory is configured to run in native mode, you can select four
group scopes for a Windows 2000 group. They are:
Domain Local Groups. Use domain local groups to grant permissions to resources. You can
use a domain local group on any computer that’s a member of a native-mode domain.
Membership of domain local groups is maintained in the domain where the domain local group
exists. In a mixed-mode domain, domain local groups can only be used on DCs.
Global Groups. Use global groups to combine users who have similar business requirements.
Global groups may only contain user accounts and global groups from the same domain as
members. Membership of global groups is maintained in the domain where the global group
exists.
Universal Groups. Use universal groups to collect similar groups that exist in multiple domains.
The key difference between universal groups and other security groups is that memberships are
stored both in the domain where the universal group exists and in the global catalog.
Computer local groups. Windows 2000-based computers that aren’t DCs maintain their
own user accounts database.
Assessing Group Usage
When designing your network’s security, consider how you will assign permissions to resources.
The next step is to think about methodology.
A-G-DL-P:
One of the more common methodologies is A-G-DL-P: Accounts are placed in Global groups, global
groups are placed in Domain Local groups, and Permissions are assigned to the domain local groups.
In this strategy you place accounts only into global groups to simplify administration. In native
mode, global groups may also have other global groups as members.
TIP You most often use A-G-DL-P in a forest that has a single domain. You don’t need to
use universal groups if the forest has only a single domain.
The A-G-DL-P strategy simplifies the troubleshooting of permissions because you only have
to inspect domain local groups. Within any listing of Access Control Entries (ACEs), there
should only be domain local groups.
A-G-DL-U-P:
As in the previous strategy, you assign users only to global groups, which can be made members
of other global groups. The difference with this methodology is that you can collect global groups
from multiple domains into a single universal group. You then add the universal group as a
member of a domain local group. Finally, you assign the domain local group permissions to
the object to which it requires access.
By not placing user accounts directly into the universal group, you can minimize changes to
group membership of the universal group and subsequent changes to the global catalog. By
reducing the changes in membership of the universal group, you then reduce replication traffic
related to global catalog replication.
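The scope rules and the A-G-DL-P / A-G-DL-U-P strategies above can be checked mechanically. The following is an added example, not code from the chapter: it models a constructed two-domain directory (the domain names, group names and accounts are assumed) and reports nestings that break the rules, plus ACEs that reference anything other than a domain local group.

```python
# Added example, not from the chapter: a checker for the group-nesting rules
# described above (global/universal/domain local scopes and A-G-DL-P / A-G-DL-U-P).
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    kind: str            # "user", "global", "domainlocal" or "universal"
    domain: str
    members: list = field(default_factory=list)   # names of member principals

def check_nesting(directory, aces):
    """Return violations in `directory` (name -> Principal) and in `aces` (group names found in DACLs)."""
    problems = []
    for g in directory.values():
        for m in (directory[n] for n in g.members):
            if g.kind == "global" and (m.kind not in ("user", "global") or m.domain != g.domain):
                problems.append(f"{g.name}: global group may only hold users/global groups of {g.domain}, not {m.name}")
            elif g.kind == "universal" and m.kind == "user":
                problems.append(f"{g.name}: user {m.name} placed directly in a universal group (GC replication)")
            elif g.kind == "domainlocal" and m.kind == "user":
                problems.append(f"{g.name}: user {m.name} placed directly in a domain local group")
    for ace in aces:
        p = directory.get(ace)
        if p is None or p.kind != "domainlocal":
            problems.append(f"ACE for {ace}: only domain local groups should appear in an ACL")
    return problems

def sample_directory():
    """Constructed two-domain model (corp and region); not Hanson Brothers' real data."""
    d = {}
    for p in [
        Principal("alice", "user", "corp"),
        Principal("bob", "user", "corp"),
        Principal("carol", "user", "region"),
        Principal("G-MailAdmins-corp", "global", "corp", ["alice", "bob"]),
        Principal("G-MailAdmins-region", "global", "region", ["carol"]),
        Principal("U-MailAdmins", "universal", "corp", ["G-MailAdmins-corp", "G-MailAdmins-region"]),
        Principal("DL-OutlookInstall", "domainlocal", "corp", ["U-MailAdmins"]),
        # Two deliberate mistakes: a cross-domain global member and a user in a DL group.
        Principal("G-Mistake", "global", "corp", ["carol"]),
        Principal("DL-Mistake", "domainlocal", "corp", ["alice"]),
    ]:
        d[p.name] = p
    return d

if __name__ == "__main__":
    for line in check_nesting(sample_directory(), ["DL-OutlookInstall", "G-MailAdmins-corp"]):
        print(line)
```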
Making the Decision
When you design custom groups to provide access to Windows 2000 resources, consider
the following criteria:
you probably have to create more than one group.
intentionally or accidentally perform an undesirable task.
memberships of the new group in other groups, and what purpose the group serves.
Applying the Decision
Hanson Brothers needs to make the following decisions for the deployment of Exchange
Server and the creation of custom security groups:
for the distribution share.
create security groups, you must create the groups shown, page 153.
153 also.
growth. If they don’t expect much more growth, A-G-DL-P will meet their security needs
and won’t require additional security groups to be created. Document the newly created
groups. In the documentation give the who’s and the why’s.
Lesson Summary:
will use for assigning permissions to resources.
domains are in native mode, and the amount of replication traffic related to universal group
membership changes.
**** Do the activity on page 157 ****
Lesson 2:
Designing User Rights
Windows 2000 allows administrators to define precisely what users can and can’t do. By
defining user rights, administrators authorize users to perform specific actions.
Defining User Rights with Group Policy
User rights define who can log on to a computer, the methods that can be used to log on to a
computer, and the privileges that have been assigned to a user or group on that computer.
User Rights Within Windows 2000
You can define several user rights. You have to base your choices on knowing which
privileges a user right provides to any security principals (users or security groups)
assigned the user right.
Access This Computer From Network. This user right allows a security principal to
access the computer from the network. By default it is assigned to Administrators,
Everyone, and Power Users.
Act as Part of The Operating System. You commonly assign this user right to service
accounts that must authenticate as a user in order to access resources.
Add Workstations To A Domain. This user right allows a security principal to add
a computer to a specific domain. A security principal assigned this permission may
add only up to 10 computers within the domain.
NOTE: Alternatively, you can delegate a security principal the Create computer Objects
permission in Active Directory. This permission allows a security principal to create an unlimited
number of computers within the domain or OU where the permission is delegated.
Backup Files and Directories. Allows a security principal to access files using the NTFS backup
application programming interface (API) even if NTFS permissions don’t normally allow the
security principal access.
Bypass Traverse Checking. Allows a security principal to navigate through folders where they
don’t have explicit or implicit permissions.
Change the System Time. Allows a security principal to change the time of the computer’s
internal clock.
Create Pagefile. The security principal can create a new pagefile on any computer volume.
Create a Token Object. Allows a process to create an access token through an API call.
Create Permanent Shared Objects. This task is commonly performed by components that run in
kernel mode. This right is necessary only if the object doesn’t run in kernel mode.
Debug Programs. The security principal can debug any process using a kernel or application
debugger.
Deny Access To This Computer From the Network. Deny access to troublemaking students in
class. Not mentioning any names!!!!
Deny Logon As a Batch Job.
Deny Logon as a Service.
Deny Logon Locally. This user right prevents a security principal from logging on at the console
of the computer with this user right applied.
Enable Computer And User Accounts To Be Trusted For Delegation. This user right allows a
security principal to change the Trusted For Delegation setting on a user or computer object
within Active Directory. In addition to the user right, the security principal must also have write
access to the object’s account control flags.
Force Shutdown From a Remote System. Allows a security principal to shut down the computer
from a remote system, for example by using the shutdown.exe utility from the Windows 2000
Server Resource Kit.
Generate Security Audits. Allows a process to generate entries in the security log.
Increase Quotas. Allows a process to increase the processor quota assigned to another process;
to do this the initial process must have write access to the second process.
Increase Scheduling Priority. Allows a security principal to increase the execution priority of a
process, for example by using Task Manager.
Load and Unload Device Drivers. Only administrators can install or uninstall non-Plug and Play
device drivers.
Lock Pages In Memory. In Windows 2000 this privilege is obsolete and isn’t set by default.
Log On As A Batch Job. Allows a security principal to log on by means of a batch-queue facility.
Log On As A Service. This user right allows a security principal’s credentials to be used by a
service for authentication.
Log On Locally. This user right allows a security principal to log on at the local console (the
keyboard) of the computer where this user right is applied.
Manage Auditing And Security Log. This user right allows a security principal to modify the
SACL for individual objects. The SACL specifies auditing options for the object; you specify
whether to audit success, failure, or both for access to the object.
Modify Firmware Environment Values. Allows a security principal to modify system environment
variables, either by using the System program in Control Panel or through an API call.
Profile Single Process. Allows a security principal to use the Performance Logs and Alerts MMC
console to monitor nonsystem processes.
Profile System Performance. Allows a security principal to use the Performance Logs and Alerts
MMC console to monitor system processes.
Remove Computer From a Docking Station. Allows a security principal to undock a portable
computer from a docking station.
Replace a Process Level Token. This user right allows a security principal associated with a
process to replace the access token for a child process that’s spawned by the initial process.
Restore Files and Directories. This user right also allows the security principal to change the
owner of the object.
Shut Down The System. This user right allows a security principal to shut down the local
computer.
Synchronize Directory Service Data. This user right is only applied at DCs where the Active
Directory is maintained.
Take Ownership Of Files Or Other Objects. Objects that this affects include Active Directory
objects, files, folders, printers, registry keys, processes and threads.
Assessing Where to Apply User Rights
You can define user rights in local computer policy or at Group Policy defined at the site, domain,
or OU. Group Policy settings always take precedence over local computer policy.
When you decide where to apply user rights, it’s important for you to group computers that
require like assignments into the same container.
Maintain the default of storing DCs within the Domain Controllers OU and apply user rights for
DCs in the Default Domain Controllers Policy.
Collect all Windows 2000 member servers into a common OU structure. If specific user rights
assignments are required, based on the type of information stored at the member server, apply
the user right Group Policy settings at the individual OU, see page 163.
Assuming the same user rights must be assigned to all computers uniformly, apply the user rights
settings at the domain to affect all computers running Windows 2000 Professional in the domain.
Making the Decision
group rather than to an individual user account.
site, domain, or OU level. For DCs, you should always apply user rights at the Domain Controllers
OU. This ensures consistent application of user rights at all DCs within a domain.
that user rights always take precedence over permissions on objects.
Applying the Decision
For the deployment of Exchange Server, the Exchange Service account must be assigned the
required user rights in each domain where an Exchange Server will be installed.
Normally, the assignment of user rights should be applied to a domain local group rather than to
an individual user account.
Determine a name for the service account. You must name the Exchange service account so that the
name doesn’t reveal the service account’s purpose.
Warning: You should name all service accounts and administrative accounts so that the name
doesn’t reveal the user account’s security level. Revealing the purpose through the name can
introduce security weaknesses to the network.
Determine which user rights to assign to the service account.
Determine where to assign the user rights. If the Exchange servers are installed as member
servers in the domain, you should create a separate organizational unit (OU) in both the
Corporate and
define a Group Policy that assigns the three user rights to the Exchange Service account.
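User rights assigned through Group Policy or a local policy can be exported as a security template (secedit .inf format), whose [Privilege Rights] section lists each privilege with the accounts or SIDs that hold it. The block below is an added example, not code from the chapter or from Microsoft: it parses a constructed template and flags two practices the lesson warns against, a user right assigned directly to an account instead of a domain local group, and a sensitive right granted to Everyone. The account and group names and the privilege-to-display-name mapping are assumptions.

```python
# Added example, not from the chapter: audits the [Privilege Rights] section of a
# Windows 2000 security template (secedit .inf format) for the user-rights practices
# discussed above. The template text and account names are constructed.
import configparser

# Privilege constants -> display names used in the chapter (assumed subset).
RIGHT_NAMES = {
    "SeNetworkLogonRight": "Access This Computer From Network",
    "SeTcbPrivilege": "Act as Part of The Operating System",
    "SeBackupPrivilege": "Backup Files and Directories",
    "SeDebugPrivilege": "Debug Programs",
    "SeServiceLogonRight": "Log On As A Service",
    "SeRestorePrivilege": "Restore Files and Directories",
}
# Rights that bypass normal permissions; nobody beyond Administrators should hold them.
SENSITIVE = {"SeTcbPrivilege", "SeBackupPrivilege", "SeDebugPrivilege", "SeRestorePrivilege"}
EVERYONE = "*S-1-1-0"   # '*' marks a literal SID in a template; bare names are accounts

TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeTcbPrivilege = acct-4471
SeServiceLogonRight = DL-MsgService
SeDebugPrivilege = *S-1-1-0
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {privilege: [principal, ...]} from a template's [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str   # keep Se* names case-sensitive
    cp.read_string(text)
    return {k: [p.strip() for p in v.split(",") if p.strip()]
            for k, v in cp["Privilege Rights"].items()}

def audit(rights, user_accounts):
    """Flag rights assigned directly to a user account and sensitive rights granted to Everyone."""
    findings = []
    for priv, principals in rights.items():
        label = RIGHT_NAMES.get(priv, priv)
        for p in principals:
            if p in user_accounts:
                findings.append(f"{label}: assigned directly to account {p}")
            if priv in SENSITIVE and p == EVERYONE:
                findings.append(f"{label}: granted to Everyone")
    return findings
```

Running `audit(parse_privilege_rights(TEMPLATE), {"acct-4471"})` reports the direct assignment of Act as Part of The Operating System and the Debug Programs grant to Everyone; the Everyone entry under Access This Computer From Network is the default the lesson describes and is not flagged.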
Lesson Summary:
2000 domain.
to accomplish specific tasks.
domain.