Chapter 3. Administering Windows 2000 Security

This section describes how to operate Windows 2000 according to the TOE security policy in an IT environment that is consistent with the one described in the Security Target. It describes effective security practices for administering Windows 2000 in a secure manner. This includes properly setting up user accounts, reviewing audit records, security awareness training, enforcing periodic password changes, etc.

Operating Environment

The security environment of the Evaluated Configuration of Windows 2000 is described in the Windows 2000 ST and identifies the threats to be countered by Windows 2000, the organizational security policies, and the usage assumptions as they relate to Windows 2000. The assumptions and policies are primarily derived from the Controlled Access Protection Profile (CAPP), while the threats were introduced in the Windows 2000 ST to better represent specific threats addressed by Windows 2000. The administrator should ensure that the environment meets the organizational policies and assumptions. They are repeated below from the Security Target.

Organizational Security Policies

Table 3-1 describes organizational security policies that are addressed by Windows 2000.

Table 3-1 Organizational Security Policies

Policy | Description | PP Source
P.ACCOUNTABILITY | The users of the system shall be held accountable for their actions within the system. | CAPP
P.AUTHORIZED_USERS | Only those users who have been authorized access to information within the system may access the system. | CAPP
P.NEED_TO_KNOW | The system must limit the access to, modification of, and destruction of the information in protected resources to those authorized users which have a "need to know" for that information. | CAPP
P.AUTHORIZATION | The system must have the ability to limit the extent of each user's authorizations. | not listed
P-ADD-IPSEC | The system must have the ability to protect system data in transmission between distributed parts of the protected system. | not listed
P.WARN | The system must have the ability to warn users regarding the unauthorized use of the system. | not listed

Secure Usage Assumptions

This subsection describes the security aspects of the environment in which the Windows 2000 operating system is to be used. This includes assumptions about the connectivity, personnel, and physical aspects of the environment.

Windows 2000 is assured to provide effective security measures in the defined environment only if it is installed, managed, and used correctly. The operational environment must be managed in accordance with the user and administrator guidance.

Connectivity Assumptions

Windows 2000 is a distributed system connected via network media. It is assumed that the following connectivity conditions will exist.

Table 3-3 Connectivity Assumptions

Assumption | Description | PP Source
A.CONNECT | All connections to peripheral devices reside within the controlled access facilities. The TOE only addresses security concerns related to the manipulation of the TOE through its authorized access points. Internal communication paths to access points such as terminals are assumed to be adequately protected. | CAPP
A.PEER | Any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. The TOE is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain. There are no security requirements that address the need to trust external systems or the communications links to such systems. | CAPP

Personnel Assumptions

It is assumed that the following personnel conditions will exist.

Table 3-4 Personnel Assumptions

Assumption | Description | PP Source
A.COOP | Authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment. | CAPP
A.MANAGE | There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. | CAPP
A.NO_EVIL_ADM | The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the administrator documentation. | CAPP

Physical Assumptions

Windows 2000 is intended for application in user areas that have physical control and monitoring. It is assumed that the following physical conditions will exist.

Table 3-5 Physical Assumptions

Assumption | Description | PP Source
A.LOCATE | The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. | CAPP
A.PROTECT | The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification. | CAPP
A.CONFIG | The hardware protects the TSF in ensuring that only the TSF can be started. | not listed

Windows 2000 Security Management Interfaces

This subsection provides a brief description of the security management interfaces used to modify and apply security configuration settings, manage user and computer accounts, manage domain resources, and monitor events on Windows 2000 operating environments.

Security Policy Tools

This document discusses several tools that are used to apply and manage security policy settings locally on a computer or across the Domain.

Local Security Policy

A Local Security Policy is used to set the security requirements on the local computer. These settings include the Password policy, Account Lockout policy, Audit policy, IP Security policy, user rights assignments, recovery agents for encrypted data, and other security options. Within an Active Directory managed network the Local Security Policy settings have the least precedence. Therefore, if the computer is a member of a domain, the settings within the Local Security Policy may be overridden by policies received from the domain; the Local Security Policy tool shows the result in its Effective Setting column alongside the Local Setting column.

Domain Security Policy

A Domain Security Policy is used to set and propagate security requirements for all computers in the Domain. The Domain Security Policy overrides Local Security Policy settings for all computers within the Domain.

Domain Controller Security Policy

A Domain Controller Security Policy is used to set and propagate security requirements for Domain Controllers. The Domain Controller Security Policy applies strictly to all Domain Controllers within the applicable Domain and takes precedence over the Domain Security Policy.

Group Policy

The group policy management functions allow an authorized administrator to define accounts, user right assignments, machine/computer security settings, and similar settings for a group of Windows 2000 systems or accounts within a domain. The group policies effectively modify the policies (e.g., machine security settings and user rights policy) defined for the corresponding systems or users.
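The precedence described in the four preceding subsections (Local Security Policy has the least precedence, Domain Security Policy overrides it for every domain member, and Domain Controller Security Policy overrides the Domain Security Policy on Domain Controllers) can be worked through on the template files that carry these settings. The following Python script is an added example; it is not part of this guide or of Windows 2000. The three templates are constructed samples in the secedit .inf format in which Group Policy security settings are stored (GptTmpl.inf), and the values in BASELINE are assumed for illustration rather than requirements of this guide. The script resolves the effective setting for a member computer and for a Domain Controller, treating a setting that a higher-precedence policy leaves undefined ("Not Defined" in the policy editor) as keeping the lower layer's value, and then reports settings that fail the assumed baseline.

```python
"""Resolve effective security settings across Local, Domain and Domain Controller
policy layers and check the result against a baseline (added example)."""
import configparser

# Constructed sample templates in the secedit .inf format (the same format in which
# Group Policy security settings are stored). Only the [System Access] and
# [Event Audit] sections are modelled; audit values use secedit's encoding
# (0 = none, 1 = success, 2 = failure, 3 = success and failure).
LOCAL_INF = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
MaximumPasswordAge = 90
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
"""

DOMAIN_INF = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

DC_INF = """
[Unicode]
Unicode=yes
[Event Audit]
AuditAccountLogon = 3
"""

# Policy layers from lowest to highest precedence.
LAYERS = [("Local", LOCAL_INF), ("Domain", DOMAIN_INF), ("Domain Controller", DC_INF)]

# Assumed baseline predicates (illustrative values, not this guide's requirements).
BASELINE = {
    ("System Access", "MinimumPasswordLength"): lambda v: int(v) >= 8,
    ("System Access", "MaximumPasswordAge"): lambda v: 1 <= int(v) <= 90,
    ("System Access", "LockoutBadCount"): lambda v: int(v) >= 1,
    ("Event Audit", "AuditLogonEvents"): lambda v: int(v) == 3,
    ("Event Audit", "AuditAccountLogon"): lambda v: int(v) == 3,
}


def parse_template(text):
    """Return {(section, key): value} for the settings a template defines."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(text)
    settings = {}
    for section in ("System Access", "Event Audit"):
        if cp.has_section(section):
            for key, value in cp.items(section):
                settings[(section, key)] = value.strip()
    return settings


def effective_settings(layers, is_domain_controller):
    """Apply layers in precedence order; a key a higher layer does not define
    keeps the lower layer's value."""
    effective = {}
    for name, text in layers:
        if name == "Domain Controller" and not is_domain_controller:
            continue  # the Domain Controller policy applies only to Domain Controllers
        for key, value in parse_template(text).items():
            effective[key] = (value, name)
    return effective


def check_baseline(effective, baseline=BASELINE):
    """Return one finding per baseline entry that is undefined or out of range."""
    findings = []
    for (section, key), ok in baseline.items():
        if (section, key) not in effective:
            findings.append(f"{section}/{key}: not defined at any layer")
        else:
            value, layer = effective[(section, key)]
            if not ok(value):
                findings.append(f"{section}/{key} = {value} (from {layer} policy) fails baseline")
    return findings


if __name__ == "__main__":
    for role, is_dc in (("member computer", False), ("Domain Controller", True)):
        eff = effective_settings(LAYERS, is_dc)
        print(f"== {role} ==")
        for (section, key), (value, layer) in sorted(eff.items()):
            print(f"{section}/{key} = {value}  [{layer}]")
        for finding in check_baseline(eff) or ["no findings"]:
            print("  " + finding)
```

For the member computer the Domain template supplies every setting it defines and the Local template fills the gap it leaves (AuditAccountLogon stays 0 and is reported); on the Domain Controller the Domain Controller template closes that gap. Pointing parse_template at an exported template instead of the inline samples is the only change needed to review real settings.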

Account Management Tools

Windows 2000 provides specific tools for managing user, group, and computer accounts depending on whether the accounts are local to a computer or are defined at the Domain level.

Active Directory Users and Computers

The Active Directory Users and Computers interface is used to create and manage users, groups, computers, and other Active Directory objects for a domain and is only available on Domain Controllers.

Computer Management

The Computer Management interface is available on all Windows 2000 operating systems. It supports management of audit logs, share assignments and permissions, system services, as well as user and group accounts. On Domain Controllers the user and group accounts are managed from the Active Directory Users and Computers interface instead of the Computer Management interface.

Active Directory Management

Active Directory management functions addressed in this document include data replication and administration of trust relationships.

Active Directory Sites and Services

The Active Directory Sites and Services tool is used to administer the replication of directory data. Active Directory Sites and Services can only be used from a computer that has access to a Windows 2000 domain. Active Directory Sites and Services is installed on all Windows 2000 Domain Controllers.

Active Directory Domains and Trusts

The Active Directory Domains and Trusts tool is used to administer domain trusts, add user principal name suffixes, and change the domain mode.

System Security Configuration, Maintenance, and Monitoring

A variety of tools are available for configuring and enforcing security on Windows 2000 operating systems. The specific tools addressed within this document are identified below.

Windows Explorer

The Windows Explorer interface is used to navigate the folders and directories on the local hard drives, share connections, and network resources. Security management features associated with Windows Explorer include:

Setting NTFS permissions;

Setting audit requirements on objects; and

Setting Encrypting File System (EFS) properties on objects.

Registry Editor

Two Registry editors are available with Windows 2000: Regedit.exe and Regedt32.exe. Of the two, Regedt32.exe is the only one that supports editing of permission and audit settings for Registry key objects. In the Evaluated Configuration, only Regedt32.exe should be used.

Security management features associated with the Registry Editor include:

Setting NTFS permissions on Registry keys;

Setting audit requirements on Registry keys; and

Applying and modifying security configuration settings for system behavior.

System Services

The Services tool is used to manage the services on a Windows 2000 computer, set recovery actions to take place if a service fails, and create custom names and descriptions for services. Services can be accessed from the Computer Management interface, or can be accessed as an individual tool object from the Administrative Tools menu.

Event Viewer

Event Viewer is used to view and manage logs of system, program, and security events on a Windows 2000 computer. Event Viewer gathers and logs information about hardware and software problems, and monitors Windows 2000 security events.
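Reviewing the Security log, one of the routine duties named in this chapter's introduction, is the activity here that a small script helps most. The following Python example is added to this section and is not part of this guide or of Windows 2000. The log lines are constructed and laid out tab-delimited in the column order assumed here for a Security log saved as text from Event Viewer (Date, Time, Source, Type, Category, Event, User, Computer), and the review thresholds (five failed logons on one computer within five minutes) are assumptions. It flags the events an administrator would follow up on: the audit log being cleared (event 517), an audit policy change (612), an account lockout (539), and a burst of failed logons (529) on one computer.

```python
"""Review a Windows 2000 Security log export for events that warrant follow-up
(added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, tab-delimited in the column order assumed for a Security log
# saved as text from Event Viewer: Date, Time, Source, Type, Category, Event, User, Computer.
SAMPLE_LOG = """\
03/14/2001\t08:01:10\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tCORP\\alice\tWS01
03/14/2001\t08:02:41\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tWS02
03/14/2001\t08:03:02\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tWS02
03/14/2001\t08:03:30\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tWS02
03/14/2001\t08:04:15\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tWS02
03/14/2001\t08:05:30\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tWS02
03/14/2001\t08:10:00\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tWS03
03/14/2001\t08:12:45\tSecurity\tSuccess Audit\tSystem Event\t517\tCORP\\bob\tDC01
03/14/2001\t08:13:05\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tCORP\\carol\tWS03
"""

# Windows 2000 Security log event IDs that always merit review, with a short reason.
ALWAYS_REVIEW = {
    517: "audit log cleared",
    612: "audit policy changed",
    539: "account locked out",
}


def parse_export(text):
    """Turn the tab-delimited export into a list of event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, source, etype, category, event_id, user, computer = line.split("\t")
        events.append({
            "when": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"),
            "source": source, "type": etype, "category": category,
            "id": int(event_id), "user": user, "computer": computer,
        })
    return events


def review(text, threshold=5, window=timedelta(minutes=5)):
    """Return human-readable findings: single events that always need review,
    then any computer whose failed logons reach `threshold` within `window`."""
    findings = []
    failures = defaultdict(list)  # computer -> timestamps of event 529
    for ev in parse_export(text):
        if ev["id"] in ALWAYS_REVIEW:
            findings.append(f"{ev['when']:%Y-%m-%d %H:%M:%S} {ev['computer']}: "
                            f"event {ev['id']} ({ALWAYS_REVIEW[ev['id']]}) by {ev['user']}")
        elif ev["id"] == 529:
            failures[ev["computer"]].append(ev["when"])
    # Sliding window over each computer's failed logons; report the first burst once.
    for computer, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(f"{t:%Y-%m-%d %H:%M:%S} {computer}: "
                                f"{end - start + 1} failed logons (event 529) within {window}")
                break
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG) or ["no findings"]:
        print(finding)
```

Failed logons are grouped by computer rather than by the User column because, for event 529, that column carries the account the Logon process ran as rather than the account name that was tried; the tried name appears only in the event description, which the text export does not include as a separate column. A single failed logon on WS03 stays below the threshold and is not reported.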

Local Area Connection

The Local Area Connection Properties interface is used in configuring the computer for network communications. It is used to set network addressing information on the computer and specify the protocols and network services that it will support.

Disk Quota

The disk quota management interface allows an authorized administrator to manage disk quotas for NTFS volumes. More specifically, the functions allow an authorized administrator to enable or disable disk quotas, define default disk quotas, and define actions to take when disk quotas are exceeded.

Backup

The Backup utility is used to back up important user information and system configuration files. Backup can create a duplicate copy of all of the data on a hard disk and then archive it on another storage device, such as a hard disk or a tape.

Error Checking Tool

The error-checking tool is used to ensure the integrity of the file system by checking for file system errors and bad sectors on the hard disk.

Date/Time Properties

Computer time settings are set during the setup process, but can be changed by the administrator at any time through the Date/Time Properties GUI.

Display Properties

The Display Properties interface is used to protect a computer from unauthorized access by setting a password-protected screensaver that will automatically initiate after a set period of inactivity.

Configuration Wizards

A number of configuration wizards are available in Windows 2000. The configuration wizards provide a simplified step-by-step method for using or setting security features in Windows 2000.

Active Directory Installation Wizard

The Active Directory Installation Wizard is used in converting a Windows 2000 server into a Domain Controller by installing Active Directory services.

Delegation of Control Wizard

The Delegation of Control Wizard allows an authorized administrator to delegate administration of a domain or organizational unit.

IP Security Policy Wizard

The IP Security Policy Wizard can be used to tailor an IPSec policy to suit the particular security needs and requirements of an organization.

Security Rule Wizard

The Security Rule Wizard guides an administrator in defining the security actions that must be activated when network communications meet a specified set of criteria.

Certificate Export and Import Wizards

The Certificate Export and Import Wizards assist the administrator in backing up and restoring user certificates.

Network Identification Wizard

The Network Identification Wizard may be used by an administrator to change the name of a computer and/or to connect it to a specific Workgroup or Domain network environment.
