
Securing Windows 2000 Network Resources

Operating System

Scenario Guide

Abstract

This scenario describes administration of a Microsoft® Windows® 2000 operating system-based network, the basic resources that it provides (file, print, Web), and the directory service infrastructure (user accounts and authentication) that provides and controls access to these resources. Specifically, it focuses on setting up user accounts and using groups to control access to resources such as file shares, printers and Web servers. This scenario requires the use of the Active Directory™ service.

On This Page

Introduction
Active Directory and Security Overview
Managing the Active Directory
Managing File Resources
Managing Print Resources
Monitoring Security with the Event Log
For More Information

Introduction

In today's world of connected networks, the need for security, both on internal networks and at the interface to the outside world (the Internet), is more crucial than ever.

The Microsoft® Windows® 2000 platform gives you great flexibility and standards-based methods to achieve the highest level of security for user authentication as well as file, print and Web services.

Windows 2000 introduces new authentication mechanisms like smart card and certificate-based logon. IP Security allows you to encrypt network communications between client and server or between your businesses over the Internet.

Scenario Requirements

This guide builds on the configuration achieved in "Upgrading NT to Windows 2000 Active Directory".

The administration tools are installed by default on all Windows 2000-based domain controllers. On Windows 2000-based stand-alone servers or workstations, the Active Directory™ service administration tools are optional and can be installed from the Optional Windows 2000 components package.

Scenario Tasks

You perform the following tasks in this walkthrough.

Setup and Management Tasks

· Administering Active Directory, including organizational units, delegation of administration, user accounts (create, delete, rename, find), password policy, and account lockout
· Administering groups, including creating groups and adding users
· Administering file resources, including creating shared folders and assigning permissions.
· Administering print resources, including creating shared printers and assigning permissions.
· Administering Web resources, including configuring authentication, permissions and default documents, and creating a virtual directory.
· Monitoring event logs, including how to set audit triggers and monitor audit logs to maintain a record of security and user-related network events.
· End user tasks: requesting a certificate, creating a Web folder, and presenting a certificate for authentication.

Active Directory and Security Overview

In Windows 2000, Active Directory replaces the Windows NT® account database as the repository for user and machine account information.

Active Directory holds not only user and machine account information, but also policy information, certificates, and an array of additional objects. Active Directory is extensible and can be used by third-party applications.

For more information about Active Directory, see Exploring Directory Services on the Windows 2000 Web site at http://www.microsoft.com/windows2000/technologies/directory/default.asp

Managing the Active Directory

Organizational Unit (OU)

Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains.


An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority. Using organizational units, you can create containers within a domain that represent the hierarchical, logical structures within your organization as shown below. This enables you to manage the configuration and use of accounts and resources based on your organizational model.

Organizational units can contain other organizational units. A hierarchy of containers can be extended as necessary to model your organization's hierarchy within a domain. Using organizational units will help you minimize the number of domains required for your network.

You can use organizational units to create an administrative model that can be scaled to any size. A user can be granted administrative authority for all organizational units in a domain or for a single organizational unit. An administrator of an organizational unit does not need to have administrative authority for any other organizational units in the domain.

To add an organizational unit

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, double-click the domain node.

  3. Right-click the domain node or the folder in which you want to add the organizational unit.

  4. Point to New, and then click Organizational Unit.

  5. Type the name of the organizational unit.

Delegating administration

You can delegate administrative control to any level of a domain tree by creating organizational units within a domain and delegating administrative control for specific organizational units to particular users or groups.

To decide what organizational units you want to create, and which organizational units should contain accounts or shared resources, consider the structure of your organization. For example, you may want to create an organizational unit that enables you to grant to a user the administrative control for all user and computer accounts in all branches of a single organizational department, such as a Human Relations department. You may instead want to grant to a user administrative control only to some resources within a department, for example, computer accounts. Another possible delegation of administrative control would be to grant to a user the administrative control for the Human Relations organizational unit, but not to any organizational units contained within the Human Relations organizational unit.

By delegating administrative responsibilities, you can eliminate the need for multiple administrative accounts that have broad authority (such as, over an entire domain). Although you likely will still use the predefined Domain Admins group for administration of the entire domain, you can limit the accounts that are members of the Domain Admins group to highly trusted administrative users.

Windows 2000 defines many very specific permissions and user rights that can be used for the purposes of delegating or restricting administrative control. Using a combination of organizational units, groups and permissions, you can define the most appropriate administrative scope for a particular person: an entire domain, all organizational units within a domain, or even a single organizational unit.

Administrative control can be granted to a user or group by using the Delegation of Control wizard. The Delegation of Control wizard allows you to select the user or group to which you want to delegate control, the organizational units and objects you want to grant those users the right to control, and the permissions to access and modify objects. For example, a user can be given the right to modify the Owner Of Accounts property, without being granted the right to delete accounts in that organizational unit.

To delegate control of an organizational unit

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, double-click the domain node.

  3. In the details pane, right-click the organizational unit, and then click Delegate control to start the Delegation of Control wizard as shown below.


To add a user account

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, double-click the domain node.

  3. In the details pane, right-click the organizational unit where you want to add the user, point to New, and then click User.

  4. Type first name, initials, and last name.

  5. In User logon name, type the name that the user will log on with and, from the drop-down list, click the UPN suffix that must be appended to the user logon name (following the @ symbol).

  6. In Password and Confirm password, type the user's password and select the appropriate password options.

To disable a user account

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click Users or the folder that contains the desired user account.

  3. In the details pane, right-click the user.

  4. Click Disable Account as shown below.


To rename a user account

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click Users or the container that contains the desired user account.

  3. In the details pane, right-click the user account, and then click Rename.

  4. Type the new name.

    Or, press DELETE, and then press ENTER to display the Rename User dialog box.

  5. In Rename User, in Name, type the user name.

  6. Type the user's first name, last name, and the display name used to identify the user.

  7. In User logon name, type the name that the user will log on with and, from the drop-down list, click the UPN suffix that must be appended to this name (following the @ symbol).

To find a user account

  1. Open Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

    (Use the Advanced tab for more powerful search options.)

  2. If you want to search the entire domain, in the console tree, right-click the domain node, and then click Find. Or, if you know which organizational unit the user is in, in the console tree, right-click the organizational unit, and then click Find.

  3. Type the name of the user you want to find and click Find Now as shown below.


To add a group

  1. Open Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, double-click the domain node.

  3. Right-click the folder in which you want to add the group, point to New, and then click Group.


  4. Type the name of the new group.

    By default, the name you type is also entered as the pre-Windows 2000 name of the new group.

  5. Click the Group scope you want.

  6. Click the Group type you want.

Tips for managing your directory

  • Use OUs rather than domains, if possible.

  • Be aware of your policies. Different OUs may have different policies that may lead to unexpected results. Note that multiple policies may apply to any given user.

  • Use scripts to add large numbers of users.

  • Disable user accounts rather than deleting them. Disabling is a security measure that prevents a particular user from logging on without deleting the user account.

  • Group scopes, as in the table below:

    Universal scope

    • Native-mode domains: members can be accounts, global groups, and universal groups from any domain.

    • Mixed-mode domains: security groups with universal scope cannot be created.

    • Nesting and permissions: can be put into other groups (when the domain is in native mode) and assigned permissions in any domain.

    • Conversion: cannot be converted to any other group scope.

    Global scope

    • Native-mode domains: members can be accounts from the same domain and global groups from the same domain.

    • Mixed-mode domains: members can be accounts from the same domain.

    • Nesting and permissions: can be put into other groups and assigned permissions in any domain.

    • Conversion: can be converted to universal scope, as long as it is not a member of any other group having global scope.

    Domain local scope

    • Native-mode domains: members can be accounts, global groups, and universal groups from any domain, plus domain local groups from the same domain.

    • Mixed-mode domains: members can be accounts and global groups from any domain.

    • Nesting and permissions: can be put into other domain local groups and assigned permissions only in the same domain.

    • Conversion: can be converted to universal scope, as long as it does not have as its member another group having domain local scope.

  • Group types:

    There are two types of groups in Windows 2000:

    • Security groups

    • Distribution groups

Security groups are listed in discretionary access control lists (DACLs) that define permissions on resources and objects. Security groups can also be used as an e-mail entity. Sending an e-mail message to the group sends the message to all the members of the group.

Distribution groups are not security-enabled. They cannot be listed in DACLs. Distribution groups can be used only with e-mail applications (such as Exchange), to send e-mail to collections of users. If you do not need a group for security purposes, create a distribution group instead of a security group.
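The group-scope rules from the table above (which members each scope may hold in native and mixed mode, and when a group may be converted to universal scope), as an added example that is not part of the original guide; the group and domain names are constructed.

```python
from dataclasses import dataclass, field

# Allowed member kinds per group scope, and whether the member must come from the
# same domain ("same") or may come from any domain in the forest ("any").
NATIVE_MODE_RULES = {
    "universal":    {"account": "any",  "global": "any",  "universal": "any"},
    "global":       {"account": "same", "global": "same"},
    "domain local": {"account": "any",  "global": "any",  "universal": "any",
                     "domain local": "same"},
}
# Mixed-mode domains: no universal security groups and no group nesting.
MIXED_MODE_RULES = {
    "global":       {"account": "same"},
    "domain local": {"account": "any", "global": "any"},
}


@dataclass
class Principal:
    name: str
    domain: str
    scope: str                  # "account", "global", "universal" or "domain local"
    members: list = field(default_factory=list)


def can_add_member(group, member, native_mode):
    """Return (allowed, reason) for adding member to group under the scope rules."""
    rules = NATIVE_MODE_RULES if native_mode else MIXED_MODE_RULES
    if group.scope not in rules:
        return False, f"{group.scope} security groups cannot exist in a mixed-mode domain"
    allowed = rules[group.scope]
    if member.scope not in allowed:
        return False, f"a {group.scope} group cannot contain {member.scope} members"
    if allowed[member.scope] == "same" and member.domain != group.domain:
        return False, f"{member.scope} members of a {group.scope} group must be from the same domain"
    return True, "ok"


def can_convert_to_universal(group, all_groups, native_mode):
    """Return (allowed, reason) for converting group to universal scope."""
    if not native_mode:
        return False, "universal security groups require a native-mode domain"
    if group.scope == "universal":
        return False, "universal groups cannot be converted to another scope"
    if group.scope == "global":
        # Blocked while the group is still nested inside another global group.
        parents = [g.name for g in all_groups
                   if g.scope == "global" and any(m is group for m in g.members)]
        if parents:
            return False, f"still a member of global group(s): {', '.join(parents)}"
        return True, "ok"
    # Domain local: blocked while it still contains another domain local group.
    nested = [m.name for m in group.members if m.scope == "domain local"]
    if nested:
        return False, f"still contains domain local group(s): {', '.join(nested)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed directory: a global group in corp.example and an account from emea.example.
    sales = Principal("Sales", "corp.example", "global")
    emea_user = Principal("bjones", "emea.example", "account")
    print(can_add_member(sales, emea_user, native_mode=True))      # (False, ...same domain)
    print(can_convert_to_universal(sales, [sales], native_mode=True))  # (True, 'ok')
```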

Managing File Resources

To share a folder or drive with other people

  1. Open Windows Explorer (click Start, point to Programs, point to Accessories, and then click Windows Explorer), and locate the folder or drive you want to share.

  2. Right-click the folder or drive, and then click Sharing.

  3. On the Sharing tab, click Share this folder.

Note:

  • To change the name of the shared folder or drive, type a new name in Share name. The new name is what users will see when they connect to this shared folder or drive. The actual name of the folder or drive does not change.

  • To add a comment about the shared folder or drive, type the text in Comment.

  • To limit the number of users who can connect to the shared folder or drive at one time, under User limit, click Allow, then enter a number of users.

  • To set shared folder permissions on the shared folder or drive, click Permissions as shown below.


  • To set up this shared folder to be used offline, click Caching.

To set, view, or remove permissions for a shared folder or drive

  1. Open Windows Explorer, and then locate the shared folder or drive on which you want to set permissions.

  2. Right-click the shared folder or drive, and then click Sharing.

  3. On the Sharing tab, click Permissions.

  4. To set shared folder permissions, click Add. Type the name of the group or user you want to set permissions for, and then click OK to close the dialog box.

  5. To remove permissions, select the group or user in Name, and then click Remove.

  6. In Permissions, click Allow or Deny for each permission, if necessary.

Tips and tricks

  • You can hide the shared folder from browsing by typing $ as the last character of the share name. Users will not be able to see this shared folder when they browse using My Computer or Windows Explorer, but they can map to it.

  • In Windows 2000 Professional, the maximum user limit is 10 regardless of the number you type in Allow.

  • You can use the Shared Folders snap-in to create and manage shared folders, view a list of all users who are connected to the shared folder over a network and disconnect one or all of them, and view a list of files opened by remote users and close one or all open files. You can also change permissions for shared folders on remote computers.

  • Shared folder permissions apply to all files and subfolders in the shared folder and are effective only when the folders or files are reached over a network. Shared folder permissions do not protect folders or files when opened locally. To protect files and folders on your local computer, use NTFS permissions, which operate in addition to shared folder permissions. For more information, see Related Topics.
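How share permissions and NTFS permissions combine, as an added example that is not part of the original guide: over the network the effective rights are the intersection of the two sets, any Deny overrides Allow, and local access ignores the share ACL entirely. The ACLs, users and groups below are constructed.

```python
# Rights granted by each named permission level. Share levels are Windows 2000's
# Read / Change / Full Control; the NTFS list is reduced to the levels used here.
SHARE_LEVELS = {
    "Read":         {"read"},
    "Change":       {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change permissions"},
}
NTFS_LEVELS = {
    "Read":         {"read"},
    "Write":        {"write"},
    "Modify":       {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change permissions"},
}


def effective_rights(acl, principals, levels):
    """Evaluate an ACL (list of (trustee, 'Allow'|'Deny', level)) for a set of
    principals: allows accumulate across the user and every group, any Deny wins."""
    allowed, denied = set(), set()
    for trustee, kind, level in acl:
        if trustee in principals:
            (allowed if kind == "Allow" else denied).update(levels[level])
    return allowed - denied


def effective_access(user, groups, share_acl, ntfs_acl, over_network):
    """Rights the user ends up with on the folder; Everyone is always a principal."""
    principals = {user, "Everyone", *groups}
    ntfs = effective_rights(ntfs_acl, principals, NTFS_LEVELS)
    if not over_network:
        return ntfs                       # share permissions never apply locally
    return ntfs & effective_rights(share_acl, principals, SHARE_LEVELS)


# Constructed example: a wide-open share ACL in front of a restrictive NTFS ACL,
# and a read-only share ACL in front of the same NTFS ACL.
SHARE_OPEN = [("Everyone", "Allow", "Full Control")]
SHARE_READ_ONLY = [("Everyone", "Allow", "Read")]
NTFS_ACL = [
    ("Finance", "Allow", "Modify"),
    ("Temps", "Deny", "Write"),
    ("Everyone", "Allow", "Read"),
]

if __name__ == "__main__":
    print(effective_access("jsmith", {"Finance"}, SHARE_OPEN, NTFS_ACL, True))
    print(effective_access("kim", {"Finance", "Temps"}, SHARE_OPEN, NTFS_ACL, True))
    print(effective_access("jsmith", {"Finance"}, SHARE_READ_ONLY, NTFS_ACL, True))
    print(effective_access("jsmith", {"Finance"}, SHARE_READ_ONLY, NTFS_ACL, False))
```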

Managing Print Resources

To add a printer attached to your computer

  1. Connect the printer to the appropriate port on your computer according to the printer manufacturer's documentation, and verify that it is ready to print.

  2. Although Windows automatically detects and installs most printers, you might need to provide additional information to complete the installation.

  3. The printer icon will be added to your Printers folder.

  4. If you could not install your printer using Plug and Play, or if the printer is attached to your computer with a serial (COM) port, click Start, point to Settings, and then click Printers.

  5. Double-click Add Printer to start the Add Printer wizard, and then click Next.

  6. Click Local printer, and then click Next.

  7. Follow the instructions on the screen to finish setting up the printer by selecting a printer port, selecting the manufacturer and model of your printer, and typing a name for your printer.

To add a printer attached directly to the network

  1. Click Start, point to Settings, and then click Printers.

  2. Double-click Add Printer to start the Add Printer wizard, and then click Next.

  3. Click Local printer, clear the Automatically detect my printer check box, and then click Next.

  4. Follow the instructions on the screen to finish setting up the printer by selecting a printer port, selecting the manufacturer and model of your printer, and typing a name for your printer.

  5. When the Add Printer wizard prompts you to select the printer port, click Create a new port.

  6. From the list, click the appropriate port type and follow the instructions. (By default, only Local Port and Standard TCP/IP Port appear in the list.)


To set or remove permissions for a printer

  1. Click Start, point to Settings, and then click Printers.

  2. Right-click the printer for which you want to set permissions, click Properties, and then click the Security tab.

    Do one of the following:

    • To change or remove permissions from an existing user or group, click the name of the user or group.

    • To set up permissions for a new user or group, click Add. In Name, type the name of the user or group you want to set permissions for, click Add, and then click OK to close the dialog box.

  3. In Permissions, click Allow or Deny for each permission you want to allow or deny, if necessary. Or, to remove the user or group from the permissions list, click Remove.

To share your printer

  1. Click Start, point to Settings, and then click Printers.

  2. Right-click the printer you want to share, and then click Sharing.

  3. On the Sharing tab, click Shared as and then type a name for the shared printer.

    If you share the printer with users on different hardware or different operating systems, click Additional Drivers. Click the environment and operating system for the other computers, and then click OK to install the additional drivers.

    If you are logged on to a Windows 2000 domain, you can make the printer available to other users on the domain by clicking List in the Directory to publish the printer in the Directory.


  4. Click OK, or if you have installed additional drivers, click Close.

Tips for printer sharing

  • Printers are not shared by default when you install them on Windows 2000 Professional. On Windows 2000 Server, the printer is shared by default when you add the printer.

  • To view or change the underlying permissions that make up Print, Manage Printers, and Manage Documents, click the Advanced button.

  • If you intend to share the printer with clients other than Windows 2000, you need to install the appropriate printer drivers for these clients on the print server. When clients on Windows NT 4.0, Windows 95, and Windows 98 connect to the printer, the system automatically downloads the correct driver to the client.

Monitoring Security with the Event Log

Establish an audit policy

Before you implement auditing, you must decide on an auditing policy. An auditing policy specifies categories of security-related events that you wish to audit. When Windows 2000 is first installed, all auditing categories are turned off. By turning on various auditing event categories, you can implement an auditing policy, one that suits the security needs of your organization.

Auditing categories are turned on and off with Computer Management.

If you choose to audit access to objects as part of your audit policy, you must turn on either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server). Once you have turned on the correct object access category, you can use each individual object's Properties to specify whether to audit successes or failures for the permissions granted to each group or user.

To set up auditing of files and folders

  1. Click Start, click Run, type mmc /a, and then click OK.

  2. On the Console menu, click Add/Remove Snap-in, and then click Add.

  3. Under Snap-in, click Group Policy, and then click Add.

  4. In Select Group Policy Object, click Local Computer, click Finish, click Close, and then click OK.

  5. In Local Computer Policy, click Audit Policy.

  6. In the details pane, right-click Audit Object Access, and then click Security.

  7. In Local Security Policy Setting, click the options you want, and then click OK.

To set, view, change, or remove auditing for a file or folder

  1. Open Windows Explorer, and then locate the file or folder you want to audit.

  2. Right-click the file or folder, click Properties, and then click the Security tab.

  3. Click Advanced, and then click the Auditing tab.

    Do one of the following:

    • To set up auditing for a new group or user, click Add. In Name, type the name of the user you want, and then click OK to automatically open the Auditing Entry dialog box.

    • To view or change auditing for an existing group or user, click the name, and then click View/Edit.

    • To remove auditing for an existing group or user, click the name, and then click Remove. Skip steps 5, 6, and 7.

Note:

  • If necessary, in the Auditing Entry dialog box, select where you want auditing to take place in the Apply onto list. The Apply onto list is available only for folders.

  • Under Access, click Successful, Failed, or both for each access you want to audit.

    If you want to prevent files and subfolders within the tree from inheriting these audit entries, select Apply these auditing entries.

  • Before Windows 2000 will audit access to files and folders, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit Policy. If you do not, you receive an error message when you set up auditing for files and folders, and no files or folders will be audited. Once auditing is enabled in Group Policy, view the security log in Event Viewer to review successful or failed attempts to access the audited files and folders.

Tips and Tricks

Because the security log is limited in size, you should select the files and folders to be audited carefully. You should also consider the amount of disk space you are willing to devote to the security log. The maximum size is defined in Event Viewer.

To view the security log

  1. Open Computer Management: click Start, point to Settings, and then click Control Panel. Double-click Administrative Tools, and then double-click Computer Management.

  2. In the console tree, click Event Viewer. Double-click Security Log and in the details pane, examine the list of audit events.

Best practices for auditing

To minimize the risk of security threats, you can take various auditing steps. The following list shows the events that you should audit, together with the specific security threat that each audit event monitors.

  • Audit event: Failure audit for logon/logoff.
    Potential threat: Random password hack.

  • Audit event: Success audit for logon/logoff.
    Potential threat: Stolen password break-in.

  • Audit event: Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events.
    Potential threat: Misuse of privileges.

  • Audit event: Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files.
    Potential threat: Improper access to sensitive files.

  • Audit event: Success and failure audit for file-access printers and object-access events. Print Manager success and failure audit of print access by suspect users or groups for the printers.
    Potential threat: Improper access to printers.

  • Audit event: Success and failure write access auditing for program files (.EXE and .DLL extensions). Success and failure auditing for process tracking. Run suspect programs; examine the security log for unexpected attempts to modify program files or create unexpected processes. Run only when actively monitoring the system log.
    Potential threat: Virus outbreak.
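A triage pass over an exported security log that maps audit events to four of the threats in the list above, as an added example that is not part of the original guide. The CSV column layout (and placing the target account in the User column) is an assumption about the export, the log lines are constructed, and the event numbers are the Windows 2000 security event IDs (529/539 logon failure, 528 logon success, 560 object access, 624/630/632/636 account management).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 security event IDs (the pre-Vista numbering).
LOGON_FAILURE = {529, 539}             # bad password; account locked out
LOGON_SUCCESS = {528}                  # successful logon
OBJECT_ACCESS = {560}                  # object open (file, folder, printer)
ACCOUNT_MGMT = {624, 630, 632, 636}    # user created/deleted; member added to a group

FAILURE_THRESHOLD = 5                  # failed logons for one account ...
WINDOW = timedelta(minutes=10)         # ... inside this window raise a finding

# Constructed sample export. The column layout, and the target account appearing
# in the User column, are assumptions about the export, not a documented format.
SAMPLE_LOG = r"""Date,Time,Type,Category,Event,User,Computer
2000-02-14,08:40:12,Success Audit,Logon/Logoff,528,CONTOSO\pwilson,FILESRV1
2000-02-14,08:55:01,Failure Audit,Logon/Logoff,529,CONTOSO\jsmith,FILESRV1
2000-02-14,08:55:09,Failure Audit,Logon/Logoff,529,CONTOSO\jsmith,FILESRV1
2000-02-14,08:55:20,Failure Audit,Logon/Logoff,529,CONTOSO\jsmith,FILESRV1
2000-02-14,08:55:31,Failure Audit,Logon/Logoff,529,CONTOSO\jsmith,FILESRV1
2000-02-14,08:55:44,Failure Audit,Logon/Logoff,529,CONTOSO\jsmith,FILESRV1
2000-02-14,08:56:02,Success Audit,Logon/Logoff,528,CONTOSO\jsmith,FILESRV1
2000-02-14,09:10:33,Failure Audit,Object Access,560,CONTOSO\bjones,FILESRV1
2000-02-14,09:30:05,Success Audit,Account Management,632,CONTOSO\pwilson,DC1
"""


def parse_log(text):
    """Parse the export into dicts with a real timestamp, oldest event first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "when": datetime.strptime(row["Date"] + " " + row["Time"], "%Y-%m-%d %H:%M:%S"),
            "type": row["Type"],
            "event": int(row["Event"]),
            "user": row["User"],
            "computer": row["Computer"],
        })
    return sorted(events, key=lambda e: e["when"])


def triage(events):
    """Map audit events to the threats in the best-practices list.
    Returns (threat, account, detail) tuples in the order they are detected."""
    findings = []
    failures = defaultdict(list)   # account -> timestamps of failed logons
    guessed = set()                # accounts that crossed the failure threshold
    for e in events:
        if e["event"] in LOGON_FAILURE:
            failures[e["user"]].append(e["when"])
            recent = [t for t in failures[e["user"]] if e["when"] - t <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD and e["user"] not in guessed:
                guessed.add(e["user"])
                findings.append(("Random password hack", e["user"],
                                 f"{len(recent)} failed logons within {WINDOW} on {e['computer']}"))
        elif e["event"] in LOGON_SUCCESS and e["user"] in guessed:
            # A success right after a guessing burst is the "stolen password" case.
            findings.append(("Stolen password break-in", e["user"],
                             f"successful logon on {e['computer']} after repeated failures"))
        elif e["event"] in OBJECT_ACCESS and e["type"] == "Failure Audit":
            findings.append(("Improper access to sensitive files", e["user"],
                             f"denied object access on {e['computer']}"))
        elif e["event"] in ACCOUNT_MGMT:
            findings.append(("Misuse of privileges", e["user"],
                             f"account management event {e['event']} on {e['computer']}"))
    return findings


if __name__ == "__main__":
    for threat, account, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{threat:35} {account:18} {detail}")
```

The program-file write and process-tracking rule ("Virus outbreak") needs the object name from the event description, which this export layout does not carry, so it is not modelled here.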

For More Information

For the latest information on Windows 2000 Server, check out our Web site at http://www.microsoft.com/windows2000 and the Windows 2000/NT Forum at http://computingcentral.msn.com/topics/windowsnt.

Windows 2000 Web Site Resources

Exploring Active Directory http://www.microsoft.com/windows2000/technologies/directory/default.asp

Windows 2000 Planning and Deployment Guide http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2rkbook/dpg.asp

0200

© 2014 Microsoft