Chapter 3. Administering Windows 2000 Security
This section describes how to operate Windows 2000 according to the TOE security policy in an IT environment that is consistent with the one described in the Security Target. It describes effective security practices for administering Windows 2000 in a secure manner. This includes properly setting up user accounts, reviewing audit records, security awareness training, enforcing periodic password changes, etc.
Operating Environment
The security environment of the Evaluated Configuration of Windows 2000 is described in the Windows 2000 ST and identifies the threats to be countered by Windows 2000, the organizational security policies, and the usage assumptions as they relate to Windows 2000. The assumptions and policies are primarily derived from the Controlled Access Protection Profile (CAPP), while the threats were introduced in the Windows 2000 ST to better represent specific threats addressed by Windows 2000. The administrator should ensure that the environment meets the organizational policies and assumptions. They are repeated below from the Security Target.
Organizational Security Policies
Table 3-1 describes organizational security policies that are addressed by Windows 2000.
Table 3-1 Organizational Security Policies
Policy | Description | PP Source
---|---|---
P.ACCOUNTABILITY | The users of the system shall be held accountable for their actions within the system. | CAPP
P.AUTHORIZED_USERS | Only those users who have been authorized access to information within the system may access the system. | CAPP
P.NEED_TO_KNOW | The system must limit the access to, modification of, and destruction of the information in protected resources to those authorized users which have a "need to know" for that information. | CAPP
P.AUTHORIZATION | The system must have the ability to limit the extent of each user's authorizations. | 
P-ADD-IPSEC | The system must have the ability to protect system data in transmission between distributed parts of the protected system. | 
P.WARN | The system must have the ability to warn users regarding the unauthorized use of the system. | 
Secure Usage Assumptions
This subsection describes the security aspects of the environment in which the Windows 2000 operating system is to be used. This includes assumptions about the connectivity, personnel, and physical aspects of the environment.
Windows 2000 is assured to provide effective security measures in the defined environment only if it is installed, managed, and used correctly. The operational environment must be managed in accordance with the user and administrator guidance.
Connectivity Assumptions
Windows 2000 is a distributed system connected via network media. It is assumed that the following connectivity conditions will exist.
Table 3-3 Connectivity Assumptions
Assumption | Description | PP Source
---|---|---
A.CONNECT | All connections to peripheral devices reside within the controlled access facilities. The TOE only addresses security concerns related to the manipulation of the TOE through its authorized access points. Internal communication paths to access points such as terminals are assumed to be adequately protected. | CAPP
A.PEER | Any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. The TOE is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain. There are no security requirements that address the need to trust external systems or the communications links to such systems. | CAPP
Personnel Assumptions
It is assumed that the following personnel conditions will exist.
Table 3-4 Personnel Assumptions
Assumption | Description | PP Source
---|---|---
A.COOP | Authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment. | CAPP
A.MANAGE | There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. | CAPP
A.NO_EVIL_ADM | The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the administrator documentation. | CAPP
Physical Assumptions
Windows 2000 is intended for application in user areas that have physical control and monitoring. It is assumed that the following physical conditions will exist.
Table 3-5 Physical Assumptions
Assumption | Description | PP Source
---|---|---
A.LOCATE | The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. | CAPP
A.PROTECT | The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification. | CAPP
A.CONFIG | The hardware protects the TSF in ensuring that only the TSF can be started. | 
Windows 2000 Security Management Interfaces
This subsection provides a brief description of the security management interfaces used to modify and apply security configuration settings, manage user and computer accounts, manage domain resources, and monitor events on Windows 2000 operating environments.
Security Policy Tools
This document discusses several tools that are used to apply and manage security policy settings locally on a computer or across the Domain.
Local Security Policy
A Local Security Policy is used to set the security requirements on the local computer. These settings include the Password policy, Account Lockout policy, Audit policy, IP Security policy, user rights assignments, recovery agents for encrypted data, and other security options. Within an Active Directory managed network the Local Security Policy settings have the least precedence. Therefore, if the computer is a member of a domain, a setting in the Local Security Policy may be overridden by policy received from the domain; the Local Security Policy tool displays both the local setting and the effective setting, and it is the effective setting that is enforced.
Domain Security Policy
A Domain Security Policy is used to set and propagate security requirements for all computers in the Domain. The Domain Security Policy overrides Local Security Policy settings for all computers within the Domain.
Domain Controller Security Policy
A Domain Controller Security Policy is used to set and propagate security requirements for Domain Controllers. The Domain Controller Security Policy applies strictly to all Domain Controllers within the applicable Domain and takes precedence over the Domain Security Policy.
Group Policy
The group policy management functions allow an authorized administrator to define accounts, user right assignments, and machine/computer security settings, etc. for a group of Windows 2000 systems or accounts within a domain. The group policies effectively modify the policies (e.g., machine security settings, and user rights policy) defined for the corresponding systems or users.
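The password, lockout, audit and user rights settings that the Local, Domain and Domain Controller security policies carry can also be expressed as a security template and checked or applied from the command line with secedit.exe, which ships with Windows 2000 (PowerShell is not available on Windows 2000). The script below is an added example and is not part of the original guide or of Microsoft's own documentation: the template path under %TEMP%, the file names, and the numeric values are illustrative assumptions, not the settings the Evaluated Configuration mandates.

```batch
@echo off
rem Added example, not from the original guide. Builds a security template covering
rem the Local Security Policy areas discussed above and compares the running system
rem against it with secedit.exe. Run from an Administrator command prompt.
rem Assumptions: the paths below and every numeric value are illustrative only.
setlocal
set TPL=%TEMP%\capp-baseline.inf
set DB=%TEMP%\capp-baseline.sdb
set LOG=%TEMP%\capp-baseline.log

rem --- Write the template. Section and value names are the ones secedit.exe reads.
> "%TPL%" echo [Version]
>>"%TPL%" echo signature="$CHICAGO$"
>>"%TPL%" echo Revision=1
>>"%TPL%" echo [System Access]
>>"%TPL%" echo MinimumPasswordLength = 8
>>"%TPL%" echo MaximumPasswordAge = 42
>>"%TPL%" echo PasswordHistorySize = 24
>>"%TPL%" echo PasswordComplexity = 1
>>"%TPL%" echo LockoutBadCount = 5
>>"%TPL%" echo ResetLockoutCount = 30
>>"%TPL%" echo LockoutDuration = 30
>>"%TPL%" echo [Event Audit]
rem Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
>>"%TPL%" echo AuditLogonEvents = 3
>>"%TPL%" echo AuditAccountLogon = 3
>>"%TPL%" echo AuditAccountManage = 3
>>"%TPL%" echo AuditPolicyChange = 3
>>"%TPL%" echo AuditPrivilegeUse = 2
>>"%TPL%" echo AuditObjectAccess = 2
>>"%TPL%" echo [Privilege Rights]
rem Restrict remote shutdown to the built-in Administrators group by SID.
>>"%TPL%" echo SeRemoteShutdownPrivilege = *S-1-5-32-544

rem --- Analyze only: nothing on the machine changes. Settings that differ from the
rem template are flagged in the log; show just those lines.
secedit /analyze /db "%DB%" /cfg "%TPL%" /log "%LOG%" /verbose
if errorlevel 1 echo secedit /analyze reported a problem, see "%LOG%"
findstr /I "mismatch" "%LOG%"

rem --- Apply only when asked to, and only the policy and user-rights areas.
if /I "%1"=="apply" (
    secedit /configure /db "%DB%" /cfg "%TPL%" /areas SECURITYPOLICY USER_RIGHTS /log "%LOG%" /verbose
    rem Windows 2000 has no gpupdate. Refreshing machine policy makes domain policy
    rem re-apply, so on a domain member any value the domain defines wins again.
    secedit /refreshpolicy machine_policy /enforce
)
endlocal
```

Run the script with no argument to see which local settings differ from the template; run it with `apply` to configure them. On a domain member the configure step changes only the local setting: after the policy refresh, any value defined by the Domain or Domain Controller Security Policy takes precedence again, which is exactly what the Local Security Policy tool shows as the effective setting.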
Account Management Tools
Windows 2000 provides specific tools for managing user, group, and computer accounts depending whether accounts are local to a computer or are defined at the Domain level.
Active Directory Users and Computers
The Active Directory Users and Computers interface is used to create and manage users, groups, computers, and other Active Directory objects for a domain and is only available on Domain Controllers.
Computer Management
The Computer Management interface is available on all Windows 2000 operating systems. It supports management of audit logs, share assignments and permissions, system services, as well as user and groups accounts. On Domain Controllers the user and group accounts are managed from Active Directory Users and Computers interface instead of the Computer Management interface.
Active Directory Management
Active Directory management functions addressed in this document include data replication and administration of trust relationships.
Active Directory Sites and Services
The Active Directory Sites and Services tool is used to administer the replication of directory data. Active Directory Sites and Services can only be used from a computer that has access to a Windows 2000 domain. Active Directory Sites and Services is installed on all Windows 2000 Domain Controllers.
Active Directory Domains and Trust
The Active Directory Domains and Trusts tool is used to administer domain trusts, add user principal name suffixes, and change the domain mode.
System Security Configuration, Maintenance, and Monitoring
A variety of tools are available for configuring and enforcing security on Windows 2000 operating systems. The specific tools addressed within this document are identified below.
Windows Explorer
The Windows Explorer interface is used to navigate the folders and directories on the local hard drives, share connections, and network resources. Security management features associated with Windows Explorer include:
Setting NTFS permissions;
Setting audit requirements on objects; and
Setting Encrypting File System (EFS) properties on objects.
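NTFS permissions and EFS can be set from the command line as well as from Windows Explorer, using cacls.exe and cipher.exe, both of which ship with Windows 2000. The script below is an added example, not part of the original guide: the folder path and the group names are illustrative assumptions. Note the caveat it carries: audit entries (the SACL) cannot be set with cacls.exe and still require the Auditing tab reached through Security > Advanced in Windows Explorer.

```batch
@echo off
rem Added example, not from the original guide. Sets an explicit NTFS ACL on a
rem folder with cacls.exe, then enables EFS on it with cipher.exe, and reads both back.
rem Assumptions: the path and the group names are illustrative; the volume is NTFS;
rem the script runs from an Administrator command prompt.
setlocal
set TARGET=D:\Projects\Payroll
set OWNERS=PayrollAdmins
set AUDITORS=PayrollAuditors

if not exist "%TARGET%" mkdir "%TARGET%"

rem --- Without /E, cacls replaces the whole ACL, so the Everyone entry inherited
rem from the volume root disappears. /T walks the subtree, /C continues past errors.
rem Permissions: F = Full control, C = Change, R = Read, N = None.
rem cacls asks "Are you sure" when replacing; the piped Y answers it.
echo Y| cacls "%TARGET%" /T /C /P Administrators:F SYSTEM:F %OWNERS%:C
if errorlevel 1 goto :fail

rem --- With /E the existing ACL is edited in place: add read-only access for the
rem auditors without disturbing the entries just set.
cacls "%TARGET%" /T /C /E /G %AUDITORS%:R
if errorlevel 1 goto :fail

rem --- EFS: /E encrypts, /S: recurses into subfolders, /A also encrypts the files
rem already present, not just the folder attribute that covers new files.
cipher /E /S:"%TARGET%" /A
if errorlevel 1 goto :fail

rem --- Verify: the DACL as cacls sees it, and E (encrypted) or U for each file.
cacls "%TARGET%"
cipher "%TARGET%"
goto :eof

:fail
echo Operation failed on "%TARGET%": check that you are an Administrator and the volume is NTFS.
exit /b 1
```

Before encrypting, confirm that a recovery agent is defined in the applicable security policy (Local Security Policy on a stand-alone computer, Domain Security Policy on a member): files encrypted while no recovery agent exists cannot be recovered if the user's EFS certificate is lost.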
Registry Editor
Two Registry editors are available with Windows 2000; Regedit.exe and Regedt32.exe. Of the two, Regedt32.exe is the only one that supports editing of permission and audit settings for Registry key objects. In the Evaluated Configuration, only Regedt32.exe should be used.
Security management features associated with the Registry Editor include:
Setting permissions on Registry keys;
Setting audit requirements on Registry keys; and
Applying and modifying security configuration settings for system behavior.
System Services
The Services tool is used to manage the services on a Windows 2000 computer, set recovery actions to take place if a service fails, and create custom names and descriptions for services. Services can be accessed from the Computer Management interface, or can be accessed as an individual tool object from the Administrative Tools menu.
Event Viewer
Event Viewer is used to view and manage logs of system, program, and security events on a Windows 2000 computer. Event Viewer gathers and logs information about hardware and software problems, and monitors Windows 2000 security events.
Local Area Connection
The Local Area Connection Properties interface is used in configuring the computer for network communications. It is used to set network addressing information on the computer and specify the protocols and network services that it will support.
Disk Quota
The disk quota management interface allows an authorized administrator to manage disk quotas for NTFS volumes. More specifically, the functions allow an authorized administrator to enable or disable disk quotas, define default disk quotas, and define actions to take when disk quotas are exceeded.
Backup
The Backup utility is used to back up important user data and system configuration files so that they can be restored after loss or damage. Backup can create a duplicate copy of all of the data on a hard disk and archive it on another storage device, such as a second hard disk or a tape.
Error Checking Tool
The error-checking tool is used to ensure the integrity of the file system by checking for file system errors and bad sectors on the hard disk.
Date/Time Properties
Computer time settings are set during the setup process, but can be changed by the administrator at any time through the Date/Time Properties GUI.
Display Properties
The Display Properties interface is used to protect a computer from unauthorized access by setting a password-protected screensaver that will automatically initiate after a set period of inactivity.
Configuration Wizards
A number of configuration wizards are available in Windows 2000. The configuration wizards provide a simplified step-by-step method for using or setting security features in Windows 2000.
Active Directory Installation Wizard
The Active Directory Installation Wizard is used in converting a Windows 2000 server into a Domain Controller by installing Active Directory services.
Delegation of Control Wizard
The Delegation of Control Wizard allows an authorized administrator to delegate administration of a domain or organizational unit.
IP Security Policy Wizard
The IP Security Policy Wizard can be used to tailor an IPSec policy to suit the particular security needs and requirements of an organization.
Security Rule Wizard
The Security Rule Wizard guides an administrator in defining the security actions that must be activated when network communications meet a specified set of criteria.
Certificate Export and Import Wizards
The Certificate Export and Import Wizards assist the administrator in backing up and restoring user certificates.
Network Identification Wizard
The Network Identification Wizard may be used by an administrator to change the name of a computer and/or to join it to a specific Workgroup or Domain.