Chapter 2. Security Administration

This section provides an overview of administering Windows 2000 securely by summarizing the following areas:

  • Windows 2000 Security Functionality

  • Roles and Privileges

  • Windows 2000 Evaluated Configuration

This section lays the foundation for understanding the guidance provided in Chapter 3.

Overview of Security Functionality

This subsection provides an overview of the evaluated functions of the Windows 2000 operating system. Additionally, this subsection summarizes the Windows 2000 administrative interfaces available to the administrator to securely manage the system.

The security functions provided by Windows 2000 are summarized below:

  • Security Audit. Windows 2000 provides the ability to collect audit data, review audit logs, protect audit logs from overflow, and restrict access to audit logs. Audit records generated by the system include the date and time of the event, the user who caused the event to be generated, the computer where the event occurred, and other event-specific data. Authorized administrators can review the audit logs.

  • Identification and Authentication. Windows 2000 requires each user to be identified and authenticated before performing any function. An interactive user invokes a trusted path (the Ctrl+Alt+Del secure attention sequence) so that the identification and authentication information entered is protected. Windows 2000 maintains a database of accounts, including their identities, authentication information, group associations, and privilege and logon right associations. Windows 2000 also includes a set of account policy functions that define minimum password length, the number of failed logon attempts permitted, the duration of lockout, and password age.

  • Security Management. Windows 2000 includes a number of functions to manage policy implementation. Policy management is controlled through a combination of access control, membership in administrative groups, and privileges.

  • User Data Protection. Windows 2000 enforces a discretionary access control policy and its supporting functions, an encrypting file system policy, and object and subject residual information protection. Access control methods allow or deny access to objects such as files, directory entries, and printers. Access to these resource objects is authorized through security descriptors, which are sets of information identifying users and groups and the specific access each is granted to the object. Windows 2000 provides additional protection for user data through data encryption mechanisms, which allow only authorized users access to encrypted data. Windows 2000 also protects user data by ensuring that resources exported to user-mode processes do not carry any residual information from previous use.

  • Protection of Target of Evaluation (TOE) Security Functions. Windows 2000 provides a number of features to ensure the protection of the TOE security functions. Hardware platforms supported by Windows 2000 include a set of diagnostic tools that allow an authorized administrator to test and analyze the hardware platform for correct operation; the tests are designed to ensure that the features most directly relied upon to support security are operating correctly. Windows 2000 protects against unauthorized disclosure and modification of data in transit by using a suite of Internet standard protocols, including Internet Protocol Security (IPsec) and the Internet Security Association and Key Management Protocol (ISAKMP). Windows 2000 ensures process isolation for all processes through private virtual address spaces, execution context, and security context. The data structures defining process address space, execution context, and security context are stored in protected kernel-mode memory.

  • Resource Utilization. Windows 2000 can limit the amount of disk space that an identified user or group may use on a specific disk volume. Each volume has a set of quota properties that can be changed only by a member of the Administrators group. These properties allow an authorized administrator to enable quota management, specify quota thresholds, and select the action taken when a quota is exceeded.

  • Session Locking. Windows 2000 allows a user to lock the session immediately or after a defined interval. The system monitors the mouse and keyboard for activity and locks the workstation after the configured period of inactivity. Windows 2000 also allows an authorized administrator to configure the system to display a logon banner before the initial logon dialog.
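The account policy, audit policy and logon banner settings described above are all carried in the security policy template that the secedit tool exports from a Windows 2000 system. The following is an added example, not code from the Windows 2000 Security Configuration Guide or from Microsoft: a Python check that parses such an export and reports settings that fall short of a required baseline. The sample export is constructed for this example, and the thresholds it checks against are illustrative assumptions, not the values the guide mandates (the guide's appendices are authoritative for those).

```python
"""Check an exported Windows 2000 security policy template against a set of
required account-policy, audit and logon-banner settings.

Added example, not code from the Windows 2000 Security Configuration Guide.
It reads the INF-style text that `secedit /export /cfg <file>` produces
(the real file is UTF-16; SAMPLE below is a constructed fragment using the
genuine section and key names). The REQUIRED_* thresholds are illustrative
assumptions for this example, not the values the guide mandates.
"""
import configparser

# Constructed sample export. Audit values: 0 = none, 1 = success,
# 2 = failure, 3 = success and failure. Registry entries are <type>,<data>
# with type 1 = REG_SZ and 4 = REG_DWORD.
SAMPLE = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Notice"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,""
[Version]
signature="$CHICAGO$"
Revision=1
"""

AUDIT_FAILURE = 2

# Illustrative thresholds (assumptions; see module docstring).
REQUIRED_SYSTEM_ACCESS = {
    "MinimumPasswordLength": lambda v: v >= 8,
    "MaximumPasswordAge":    lambda v: 1 <= v <= 42,
    "PasswordHistorySize":   lambda v: v >= 8,
    "LockoutBadCount":       lambda v: 1 <= v <= 5,        # 0 means never lock out
    "LockoutDuration":       lambda v: v >= 30 or v == -1,  # -1: until an administrator unlocks
}
# Audit categories that must at least record failures.
REQUIRED_FAILURE_AUDIT = (
    "AuditLogonEvents", "AuditAccountLogon", "AuditObjectAccess",
    "AuditPrivilegeUse", "AuditPolicyChange", "AuditAccountManage",
)
LEGAL_NOTICE_TEXT = (r"MACHINE\Software\Microsoft\Windows\CurrentVersion"
                     r"\Policies\System\LegalNoticeText")


def parse_template(text):
    """Parse secedit's INF text. Keys stay case-sensitive and only '=' is a
    delimiter, because registry paths and banner text may contain ':'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def registry_data(cp, key):
    """Return the data part of a [Registry Values] entry (None if absent)."""
    raw = cp["Registry Values"].get(key)
    if raw is None:
        return None
    _reg_type, _, data = raw.partition(",")
    return data.strip().strip('"')


def check_template(text):
    """Return a list of findings; an empty list means the template passes."""
    cp = parse_template(text)
    findings = []
    access = cp["System Access"]
    for key, ok in REQUIRED_SYSTEM_ACCESS.items():
        if key not in access:
            findings.append(f"[System Access] {key} is not set")
        elif not ok(int(access[key])):
            findings.append(f"[System Access] {key} = {access[key]}")
    audit = cp["Event Audit"]
    for key in REQUIRED_FAILURE_AUDIT:
        if (int(audit.get(key, "0")) & AUDIT_FAILURE) == 0:
            findings.append(f"[Event Audit] {key} does not record failures")
    if not registry_data(cp, LEGAL_NOTICE_TEXT):
        findings.append("[Registry Values] logon banner (LegalNoticeText) is empty")
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE) or ["template passes"]:
        print(finding)
```

Against the constructed sample the check reports four findings: the minimum password length of 6, the lockout threshold of 0 (lockout disabled), object access auditing switched off, and an empty logon banner. The same routine run over a real export taken after day-to-day maintenance is one way to confirm that the settings in the note at the start of this subsection have not drifted.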

Roles and Privileges

The notion of roles within the TOE is realized by assigning group memberships and privileges to a given user account. Whenever that account is used to log on, the user assumes the role that corresponds to the combination of groups and privileges the account holds. While additional roles could be defined, the Windows 2000 Security Target (ST) defines two logical roles: the authorized administrator role and the authorized user role.

Role-Based Security

Roles are categories of users defined for the purpose of determining access permissions and privileges to system and account resources. Roles are defined by assigning privileges to a group, or by using one of the predefined groups in Windows 2000. Users are then assigned to the appropriate groups in order to grant them the access defined by those roles. Users must be assigned to the roles that correctly represent their relationship to the data and resources they are authorized to access throughout the network. When a user is no longer authorized the privileges defined by a role, the administrator removes the user from the group account(s) that grant those privileges.

A user is in the authorized administrator role if the user account is assigned one of the security-relevant privileges (e.g., the Take Ownership privilege) or is a member of one of the several pre-defined administrative groups (e.g., the Administrators or Backup Operators local group). The security-relevant functions of the authorized administrator role include those that:

  • Define and change the user security characteristics and those of the system security data (e.g., user identifier, user's group identifiers, user/group security restrictions).

  • Define and change the system's security characteristics.

  • Ensure the enforcement of the system security policy.

  • Perform audit functions (e.g., determine what events should be audited, manage the audit trail, analyze the audit trail, and produce audit reports).

  • Satisfy the life-cycle assurance requirements of correct implementation and operation.

Any user that can successfully log on and is not in an authorized administrator role (as defined above) is considered to be in the authorized user role. Authorized users log on to the network through an account that provides sufficient access to use the resources of the network for business purposes. An authorized user cannot, for example, manage network resources; create, modify, or delete accounts; or manage security policies for domain groups. If authorized, a user can assume the administrator role by logging on through a user account that has either been explicitly assigned administrative privileges or belongs to a group that provides the required administrative privileges.

Appendices C and D of the Windows 2000 Security Configuration Guide fully identify all security-related privileges and administrative groups respectively, and provide advice on how and when to assign them to user accounts.
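Because the administrator role is defined by effective privileges as well as by group membership, an account that belongs to no administrative group can still be in that role if a custom group it belongs to has been granted a security-relevant privilege. The following is an added example, not code from the Windows 2000 Security Configuration Guide or from Microsoft: it takes the [Privilege Rights] section of a secedit export together with each account's group memberships and reports which of the two logical roles each account would assume at logon. The export fragment, the accounts and the domain SID S-1-5-21-1000-2000-3000 are constructed; the built-in group SIDs and privilege names are genuine, but the set of privileges treated as security-relevant is an illustrative assumption (Appendix C is authoritative).

```python
"""Determine which of the two logical roles an account would assume at
logon: the authorized administrator role (membership in a pre-defined
administrative group, or an effective security-relevant privilege) or the
authorized user role (any other account that can log on).

Added example, not code from the Windows 2000 Security Configuration Guide.
The [Privilege Rights] fragment is constructed in the format that
`secedit /export /cfg <file>` writes; the accounts and the domain SID
S-1-5-21-1000-2000-3000 are constructed too. The built-in group SIDs and
privilege names are genuine; the set of privileges treated here as
security-relevant is an illustrative assumption.
"""
import configparser

# Well-known SIDs of the built-in local groups treated as administrative.
ADMINISTRATIVE_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
EVERYONE = "S-1-1-0"  # carried in every logon token

# Assumption: privileges counted as security-relevant for this example.
SECURITY_RELEVANT_PRIVILEGES = {
    "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeSecurityPrivilege", "SeDebugPrivilege", "SeTcbPrivilege",
    "SeLoadDriverPrivilege",
}

# Constructed export fragment: each privilege lists its holders as *SID.
# RID 1105 is a custom domain group (say, a help-desk group) to which an
# administrator granted Take Ownership.
PRIVILEGE_RIGHTS = """\
[Privilege Rights]
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeChangeNotifyPrivilege = *S-1-1-0
"""

# Constructed accounts: name -> (user SID, group SIDs carried in the token).
ACCOUNTS = {
    "alice": ("S-1-5-21-1000-2000-3000-1101", {"S-1-5-32-545"}),
    "bob":   ("S-1-5-21-1000-2000-3000-1102", {"S-1-5-32-545", "S-1-5-32-551"}),
    "carol": ("S-1-5-21-1000-2000-3000-1103",
              {"S-1-5-32-545", "S-1-5-21-1000-2000-3000-1105"}),
    "dave":  ("S-1-5-21-1000-2000-3000-1104", {"S-1-5-32-544"}),
}


def parse_privilege_rights(text):
    """Map each privilege name to the set of SIDs that hold it."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {priv: {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
            for priv, holders in cp["Privilege Rights"].items()}


def effective_privileges(user_sid, group_sids, grants):
    """Privileges the token holds: the union over every SID in the token,
    which is how the system itself builds the token at logon."""
    token = {user_sid, EVERYONE, *group_sids}
    return {priv for priv, holders in grants.items() if token & holders}


def classify(user_sid, group_sids, grants):
    """Return (role, administrative groups, security-relevant privileges)."""
    admin_groups = sorted(ADMINISTRATIVE_GROUPS[g] for g in group_sids
                          if g in ADMINISTRATIVE_GROUPS)
    relevant = sorted(effective_privileges(user_sid, group_sids, grants)
                      & SECURITY_RELEVANT_PRIVILEGES)
    role = "authorized administrator" if admin_groups or relevant else "authorized user"
    return role, admin_groups, relevant


def classify_all(accounts, grants):
    """Classify every account in the constructed account table."""
    return {name: classify(sid, groups, grants)
            for name, (sid, groups) in accounts.items()}


if __name__ == "__main__":
    grants = parse_privilege_rights(PRIVILEGE_RIGHTS)
    for name, (role, groups, privs) in classify_all(ACCOUNTS, grants).items():
        print(f"{name:6} {role:25} groups={groups} privileges={privs}")
```

In the constructed data, carol is a member of the Users group and a custom help-desk group only, yet she lands in the authorized administrator role because the help-desk group holds the Take Ownership privilege. Reviewing effective privileges in this way, rather than administrative group membership alone, is what the definition of the role above calls for.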

Windows 2000 Security Configuration

The primary focus of this subsection is to describe the concept of an "Evaluated Configuration." This subsection does NOT give instructions on how to install and configure the Windows 2000 operating system to conform to the Evaluated Configuration; those instructions are provided in the Windows 2000 Security Configuration Guide. This subsection introduces the notion of an "Evaluated Configuration" so that the administrator is aware of the potential consequences if the system is not in the Evaluated Configuration, and specifies the hardware and software requirements.

Note: In using this document, administrators must ensure that the required Evaluated Configuration security settings defined in the Windows 2000 Security Configuration Guide are not altered as a result of day-to-day maintenance operations.

The TOE includes a homogeneous set of Windows 2000 systems that can be connected via their network interfaces and may be organized into domains. A domain is a logical collection of Windows 2000 systems that allows the administration and application of a common security policy and the use of a common accounts database. Windows 2000 supports single and multiple domain configurations. In a multi-domain configuration, the TOE supports implicit and explicit trust relationships between domains. Domains use established trust relationships to share account information and validate the rights and permissions of users. A user with a single account in one domain can be granted access to resources on any server or workstation on the network. Trust relationships between domains can be one-way or two-way. Each domain must include at least one designated server, known as a Domain Controller (DC), to manage the domain.

Each Windows 2000 system, whether it is a DC server, non-DC server, or workstation, is part of the TOE and provides a subset of the TOE Security Functions (TSFs). The TSF for Windows 2000 can consist of the security functions from a single system (in the case of a stand-alone system) or the collection of security functions from an entire network of systems (in the case of domain configurations).

System Requirements

This subsection describes the minimum system requirements for the Evaluated Configuration.

Hardware

Physically, each workstation or server in the Evaluated Configuration consists of an Intel x86 machine or equivalent processor (including the Pentium family) with up to 4 Central Processing Units (CPUs) for the Server product and up to 8 CPUs for the Advanced Server product. The following devices may be attached:

  • Display Monitor;

  • Keyboard;

  • Mouse;

  • Floppy Disk Drive;

  • CD-ROM Drive;

  • Fixed Disk Drives;

  • Printer;

  • Audio Adapter and

  • Network Adapter

The TOE does not include any physical network components between network adapters of a connection. The ST assumes that any network connections, equipment, and cables are appropriately protected in the TOE security environment.

Software

Windows 2000 is an operating system that supports both workstation and server installations. The TOE includes three product variants of Windows 2000: Professional, Server, and Advanced Server. The server products additionally provide domain controller features, including Active Directory and the Kerberos Key Distribution Center (KDC). Otherwise, all three variants include the same security features. The primary difference between the variants is the number of users and the types of services they are intended to support.

Windows 2000 Professional is suited for business desktops and notebook computers; it is the workstation product. Windows 2000 Server is designed for workgroups and small business environments. Windows 2000 Advanced Server includes availability and scalability features that support higher volumes of users and more complex applications.

The security features addressed by the Security Target are those provided by Windows 2000 as an operating system. Microsoft provides several Windows 2000 software applications that are considered outside the scope of the defined TOE and thus not part of the Evaluated Configuration. Services outside this evaluation include e-mail services, certificate authority services, web-based applications, and firewall functionality.

Evaluated Software Configuration

The Evaluated Configuration of Windows 2000 includes the Windows 2000 Professional, Server, and Advanced Server products configured in any one of the roles shown in the table below and in accordance with the installation and configuration instructions provided in this document. For further information regarding the specific security requirements met by Windows 2000, see the Windows 2000 Security Target.

Product                                  Role
---------------------------------------  ------------------------
Microsoft Windows 2000 Advanced Server   Domain Controller
                                         Domain Member Server
                                         Workgroup Member Server
                                         Stand-Alone
Microsoft Windows 2000 Server            Domain Controller
                                         Domain Member Server
                                         Workgroup Member Server
                                         Stand-Alone
Microsoft Windows 2000 Professional      Domain Member
                                         Workgroup Member
                                         Stand-Alone

It is important to understand the difference between a domain and a workgroup environment. The main difference between a domain and a workgroup is that workgroup environments use decentralized administration: every computer must be administered independently of the others. Domains use centralized administration, in which an administrator can create one domain account and assign permissions to all resources within the domain to that one central user or group of users. Centralized administration requires less administration time and provides a more secure environment. In general, workgroup configurations are used only in very small environments with minimal security concerns. Larger environments, and environments that must maintain tight security on data, should use a domain configuration. Basic definitions are provided below.

  • Domain. A collection of computers defined by the administrator of a Windows 2000 Server network that share a common directory database. A domain has a unique name and provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain has its own security policies and security relationships with other domains and represents a single security boundary of a Windows 2000 computer network.

  • Workgroup. A logical grouping of networked computers that share resources, such as files and printers. A workgroup is sometimes referred to as a peer-to-peer network because all computers in the workgroup can share resources as equals, without a dedicated server. Each Windows 2000 Server and Professional computer in a workgroup maintains a local security database, which contains a list of user accounts and resource security information specific to that computer.

  • Domain Controller. For a Windows 2000 Server domain, the server that authenticates domain logons and maintains the security policy and the security accounts master database for a domain. Domain controllers manage user access to a network, which includes logging on, authentication, and access to the directory and shared resources.

  • Workgroup Member. A Windows 2000 Server or Professional computer that is a member of a Windows 2000 workgroup, formed as a logical grouping of networked computers for the purpose of sharing resources.

  • Domain Member. A Windows 2000 Server or Professional computer that is a member of a Windows 2000 domain environment.

  • Stand-Alone. Standard desktop, such as a Windows 2000 Professional computer, or Server computer that is not connected to any network as either a domain or workgroup member.