Chapter 9: Managing Groups, Folders, Files, and Object Security - PowerPoint PPT Presentation

Slides: 77
Provided by: michae1311
1
Chapter 9: Managing Groups, Folders, Files, and Object Security
2
User Accounts
  • Domain user accounts
  • Local user accounts
  • Built-in user accounts

3
Security Identifier
  • S-1-5-21-D1-D2-D3-RID
  • S-1-5-21-1659-0045-0319-356569785424453981002

4
Domain User Accounts
  • Allow users to log on to the domain and gain
    access to resources anywhere on the network
  • Created in an OU in the Active Directory store
  • Replicated to all domain controllers

5
Local User Accounts
  • Allow users to log on to and gain access to
    resources on the computer where they log in
  • Created in the computer's security database
  • Not replicated to domain controllers

6
Built-In User Accounts
  • Administrator
  • Guest

7
Naming Conventions
  • The naming convention establishes how users are
    identified in the domain.
  • Several considerations should be taken into
    account when determining naming conventions.

8
Names
  • Full Name: Kenneth Grenier
  • LDAP Name: cn=Kenneth Grenier,cn=Users,dc=contoso,dc=cna
  • UPN: kgrenier@contoso.cna
  • NT4 logon name: contoso\kgrenier

9
Password Requirements
  • Always assign a password for the Administrator
    account.
  • Determine whether the administrator or the users
    will control passwords.
  • Use passwords that are hard to guess.
  • Passwords can be up to 128 characters; a minimum
    length of eight characters is recommended.
  • Use both uppercase and lowercase letters,
    numerals, and valid nonalphanumeric characters.

10
Account Options
  • Logon hours
  • Computer from which users can log on
  • Account expiration
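
As an added example (not part of the slides), the PowerShell script below provisions a domain user that follows the naming convention on slide 8 (first initial plus surname as the NT4 logon name, the UPN in the domain), applies the password and account-option guidance of slides 9 and 10 (forced change at first logon, account expiration, permitted workstation, logon hours), and then splits the new account's SID into the domain identifier and the RID described on slide 3. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, not the Windows 2000 tools the slides show); the OU path, workstation name and user details are constructed for the example.

```powershell
# Added example, not a script from the slides. Assumes the ActiveDirectory module;
# the OU, workstation and user below are constructed values.
Import-Module ActiveDirectory

$domainDns = 'contoso.cna'                     # constructed, matches slide 8
$ouPath    = 'OU=Staff,DC=contoso,DC=cna'      # assumed OU for new accounts
$given     = 'Kenneth'
$surname   = 'Grenier'
# Naming convention from slide 8: first initial + surname, lower case.
$sam = ('{0}{1}' -f $given.Substring(0, 1), $surname).ToLower()   # kgrenier
$upn = "$sam@$domainDns"                                           # kgrenier@contoso.cna

# Slide 9: an initial password of at least 8 characters, mixed classes; the
# user must change it at first logon. Read it rather than hard-code it.
$initialPassword = Read-Host -AsSecureString 'Initial password (>= 8 chars, mixed classes)'

$userParams = @{
    Name                  = "$given $surname"
    GivenName             = $given
    Surname               = $surname
    SamAccountName        = $sam
    UserPrincipalName     = $upn
    Path                  = $ouPath
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true
    Enabled               = $true
    AccountExpirationDate = (Get-Date).AddMonths(6)   # slide 10: account expiration
    LogonWorkstations     = 'WS-KGRENIER'             # slide 10: computer the user may log on from
}
New-ADUser @userParams

# Slide 10: logon hours. The logonHours attribute is a 21-byte bitmap, one bit
# per hour of the week, bit 0 = Sunday 00:00, expressed in UTC (assumption:
# no local time-zone shift is applied here).
function New-LogonHoursMask {
    param([int[]]$Days = 1..5, [int]$StartHour = 8, [int]$EndHour = 18)  # Mon-Fri 08:00-18:00
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $day * 24 + $h
            $idx = [int][math]::Floor($bit / 8)
            $bytes[$idx] = $bytes[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return $bytes
}
Set-ADUser -Identity $sam -Replace @{ logonHours = (New-LogonHoursMask) }

# Slide 3: S-1-5-21-D1-D2-D3-RID. The domain part is shared by every account
# in the domain; the RID is unique within it.
$user = Get-ADUser -Identity $sam -Properties SID
$sid  = [System.Security.Principal.SecurityIdentifier]$user.SID
[pscustomobject]@{
    SID       = $sid.Value
    DomainSID = $sid.AccountDomainSid.Value        # S-1-5-21-D1-D2-D3
    RID       = [int]($sid.Value.Split('-')[-1])   # RIDs you create start at 1000
}
```

The logon-hours helper is the part most worth checking before use: the Active Directory Users and Computers dialog shifts the bitmap by the computer's time zone, so a mask built in UTC shows up offset in the GUI for any zone other than UTC.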

11
Creating Domain User Accounts
12
Creating Local User Accounts
13
Overview of Modifying Properties
  • A set of default properties is associated with
    each user account.
  • Properties defined for a domain user account can
    be used to search for users in the Active
    Directory store.
  • Several properties should be configured for each
    domain user account.
  • You can use the Active Directory Users And
    Computers snap-in to modify a domain user
    account.
  • You can use the Local Users And Groups snap-in to
    modify a local user account.

14
The Properties Dialog Box
  • Personal properties tabs: contact information
  • General
  • Account tab
  • Profile tab
  • Member Of
  • Remote Control
  • Dial-In
  • Terminal Services profile
  • COM

15
Administering User Accounts
  • Managing user profiles
  • Modifying user accounts
  • Creating home folders
  • Logon hours
  • Logon workstation

16
Managing User Profiles
  • A user profile is a collection of folders and
    data that stores your current desktop environment
    and application settings as well as personal
    data.
  • Microsoft Windows 2000 creates a local user
    profile the first time you log on at a computer.
  • User profiles operate in a specific manner.

17
Assigning a Customized Roaming User Profile
18
Creating Home Folders
19
Introduction to Groups
  • A group is a collection of user accounts.
  • Groups simplify administration of user
    permissions.
  • Users can be members of more than one group.
  • When you assign permissions, you give users the
    capability to gain access to specific resources.
  • You can add user accounts, contacts, computers,
    and other groups to groups.

20
Types of Groups
  • Security groups
  • Distribution groups

21
Group Scopes
22
Introduction to Group Membership
  • The group scope determines the membership of the
    group.
  • Membership rules define which members a group can
    contain.
  • Domain local groups and global groups can be
    converted to universal groups.

23
Group Nesting
  • You can add groups to other groups to reduce the
    number of times permissions need to be assigned.
  • You should create a hierarchy of groups based on
    business needs.
  • Try to minimize the levels of nesting.
  • Nesting reduces the number of times you assign
    permissions; however, tracking permissions
    becomes more complex.
  • Document group membership to keep track of
    permission assignments.
  • Effective nesting in a multiple domain
    environment will reduce network traffic between
    domains and simplify administration.
  • Consider the domain operation mode when nesting
    groups.

24
Group Strategies
25
Introduction to Groups
  • Determine the required group scope based on how
    you want to use the group.
  • Avoid adding users to universal groups.
  • Determine whether you have the necessary
    permissions to create a group in the appropriate
    domain.
  • Determine the name of the group.

26
Administering Groups
27
Overview of Group Implementation
  • A local group can contain user accounts on a
    computer and can be assigned to resources on that
    computer.
  • There are two types of local groups: domain and
    non-domain.
  • Try to follow specific guidelines when using
    local groups.
  • Non-domain local groups can contain local user
    accounts from the computer on which you create
    the local groups.

28
Creating Local Groups
29
Built-In Global Groups
  • Windows 2000 creates built-in global groups to
    group common types of user accounts.
  • The groups are created in the Active Directory
    store.
  • The Users OU contains the built-in global groups.
  • Windows 2000 includes a number of commonly used
    built-in global groups.

30
Built-In Domain Local Groups
  • Built-in domain local groups provide users with
    user rights and permissions to perform tasks on
    domain controllers and in the Active Directory
    store.
  • Built-in domain local groups give predefined
    rights to user accounts when you add user
    accounts or global groups as members.
  • Windows 2000 includes a number of commonly used
    built-in domain local groups.

31
Built-In Local Groups
  • Built-in local groups give rights to perform
    system tasks on a single computer.
  • Built-in local groups are located in the Groups
    folder of the Computer Management snap-in.
  • Windows 2000 includes a number of commonly used
    built-in local groups.

32
Built-In System Groups
  • Built-in system groups exist on all computers
    running Windows 2000.
  • You do not see system groups when you administer
    groups, but they are available for use when you
    assign rights to resources.
  • Windows 2000 includes a number of commonly used
    built-in system groups.

33
Types/Scope of Security Groups
  • Local: Used on standalone servers that are not
    part of a domain
  • Domain local: Used in a single domain or to
    manage resources in a domain so that global and
    universal groups can access those resources

34
Types of Security Groups (continued)
  • Global: Used to manage accounts from the same
    domain and to access resources in the same and
    other domains
  • Universal: Used to provide access to resources in
    any domain within a forest

35
Local Security Group
  • Use local groups on a standalone server (Active
    Directory not implemented), such as to manage
    multiple accounts in a small office

36
Domain Local Security Group
  • Typically a domain local security group is on the
    ACLs of resources such as folders, shared
    folders, printers, and other resources. Global
    security groups in the same or in a different
    domain gain access to those resources by becoming
    members of the domain local group.
  • Domain local groups can contain accounts, but
    usually that is not the best approach.

37
Implementing Global Groups
  • Use global groups to contain accounts for
    accessing resources in the same and in other
    domains via domain local groups

38
Global Group Example
Figure 9-2 Managing security through domain local
and global groups
39
Implementing Universal Groups
  • Use universal groups to provide access to
    forest-wide resources (to be included on the ACLs
    of resources such as servers, shared folders, and
    printers)
  • Universal groups enable the scope of influence to
    span domains and trees

40
Guidelines for Using Groups
  • Use global groups to hold accounts as members.
    Give accounts access by joining them to a global
    group and then placing that global group into a
    domain local or universal group or both.
  • Use domain local groups to provide access to
    resources in a specific domain by adding them to
    the ACLs of those resources.

41
Guidelines for Using Groups (continued)
  • Use universal groups to provide extensive access
    to resources, such as when the Active Directory
    contains trees and forests. Make universal groups
    members of ACLs for objects in any domain, tree,
    or forest. Manage user account access by placing
    accounts in global groups and joining those
    global groups to domain local or universal groups.
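
The pattern described on slides 37 through 41 (accounts in a global group, the global group nested in a domain local group, and only the domain local group on the resource's ACL) as an added PowerShell example that is not part of the slides. It assumes the ActiveDirectory module on a management host and a file server in the domain; the OU, folder path, group names and the member account are constructed.

```powershell
# Added example, not from the slides: accounts -> Global -> Domain Local -> ACL.
# Assumes the ActiveDirectory module; every name and path here is constructed.
Import-Module ActiveDirectory

$groupOu    = 'OU=Groups,DC=contoso,DC=cna'   # assumed OU for groups
$folder     = 'D:\Shares\Finance'              # assumed folder on the file server
$globalName = 'G_Finance_Users'                # holds the accounts (global scope)
$localName  = 'DL_Finance_Modify'              # named for the resource and the access level

# 1. Global group that holds the accounts (slide 40: accounts join a global group).
New-ADGroup -Name $globalName -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity $globalName -Members 'kgrenier'

# 2. Domain local group for the resource; the global group is nested into it (slide 23).
New-ADGroup -Name $localName -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity $localName -Members $globalName

# 3. Only the domain local group goes on the folder's ACL (slide 36).
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "CONTOSO\$localName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Verify the chain from the ACL back to the accounts that actually get access.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -like '*\DL_*' } |
    ForEach-Object {
        $g = $_.IdentityReference.Value.Split('\')[1]
        [pscustomobject]@{
            Resource    = $folder
            Rights      = $_.FileSystemRights
            DomainLocal = $g
            Accounts    = (Get-ADGroupMember -Identity $g -Recursive |
                           Select-Object -ExpandProperty SamAccountName) -join ', '
        }
    }
```

Step 4 is the check worth keeping as a routine: `Get-ADGroupMember -Recursive` expands the nesting so the report lists the accounts that end up with Modify on the folder, which is what slide 23 means by documenting group membership to track permission assignments.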

42
Domain Functional Levels
Domain Functionality          | Enabled Features                                              | Supported DCs in Domain
------------------------------|---------------------------------------------------------------|------------------------------------------
Windows 2000 Mixed            | Universal groups (non-security only)                          | Windows NT 4.0, Windows 2000, Windows 2003
Windows 2000 Native           | All mixed mode features, plus: group nesting, universal       | Windows 2000, Windows 2003
                              | groups, SIDHistory, group conversions                         |
Windows 2003 Server Interim   | Mixed / Native: same as Windows 2000 Mixed / Native mode;     | Windows NT 4.0, Windows 2003
                              | depends on whether the domain is in Mixed or Native mode      |
43
Group Scope
  • Mixed Mode
    • Local: Users, computers, Domain Local, Global, and
      Universal groups from the same domain
    • Domain Local: Users, computers, Global groups from
      the same domain
    • Global: User and computer accounts from the same
      domain
    • Universal: Only available as a Distribution Group
  • Native Mode
    • Local: No change
    • Domain Local: Users, computers, Global groups,
      Universal groups from any domain, and Domain
      Local groups from the same domain
    • Global: Same, plus other Global groups from the
      same domain
    • Universal: Completely open membership except
      Domain Local groups

44
Group Scope Change
  • Global Group to Universal Group
    • Only if the Global group is not a member of
      another Global Group
  • Domain Local to Universal Group
    • Only if the group being converted does not
      contain other Domain Local groups
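
The two conversion rules above checked before the change is attempted, as an added PowerShell example that is not part of the slides. It assumes the ActiveDirectory module (`Set-ADGroup -GroupScope` is the cmdlet that performs the conversion); the group name in the usage line is constructed.

```powershell
# Added example, not from the slides: pre-flight check for the scope changes on
# slide 44 before calling Set-ADGroup -GroupScope Universal. Assumes the
# ActiveDirectory module; 'G_Finance_Users' is a constructed group name.
Import-Module ActiveDirectory

function Test-GroupScopeChange {
    param([Parameter(Mandatory)][string]$Identity)
    $group   = Get-ADGroup -Identity $Identity -Properties MemberOf, Members
    $reasons = @()

    switch ($group.GroupScope) {
        'Global' {
            # Allowed only if the group is not a member of another Global group.
            $globalParents = foreach ($dn in $group.MemberOf) {
                $p = Get-ADGroup -Identity $dn
                if ($p.GroupScope -eq 'Global') { $p.Name }
            }
            if ($globalParents) {
                $reasons += "is a member of Global group(s): $($globalParents -join ', ')"
            }
        }
        'DomainLocal' {
            # Allowed only if the group contains no other Domain Local groups.
            $localChildren = foreach ($dn in $group.Members) {
                if ((Get-ADObject -Identity $dn).ObjectClass -eq 'group') {
                    $c = Get-ADGroup -Identity $dn
                    if ($c.GroupScope -eq 'DomainLocal') { $c.Name }
                }
            }
            if ($localChildren) {
                $reasons += "contains Domain Local group(s): $($localChildren -join ', ')"
            }
        }
        'Universal' { $reasons += 'is already Universal' }
    }

    [pscustomobject]@{
        Group    = $group.Name
        From     = $group.GroupScope
        To       = 'Universal'
        Allowed  = ($reasons.Count -eq 0)
        Blockers = $reasons
    }
}

# Usage: convert only when the check passes; otherwise report what blocks it.
$check = Test-GroupScopeChange -Identity 'G_Finance_Users'
if ($check.Allowed) {
    Set-ADGroup -Identity $check.Group -GroupScope Universal
} else {
    Write-Warning "Not converting $($check.Group): $($check.Blockers -join '; ')"
}
```

The directory service enforces the same rules and rejects an invalid conversion, so the value of the function is the list of blockers: it names the parent or child groups that have to be unnested first instead of leaving an unexplained error.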

45
Predefined Domain Local Security Groups - 15
¹ The group scope cannot be changed
Predefined Security Groups
46
Built-In System Groups
  • Everyone
  • Authenticated Users
  • Interactive
  • Network
  • System
  • Creator Owner
  • Authenticated Users
  • Anonymous Logon
  • Batch
  • Service
  • Dialup

47
Configuring Rights
  • To configure rights in a domain:
    • Open the Active Directory Users and Computers
      tool
    • Right-click a domain or OU, for example
    • Click Properties, click the Group Policy tab,
      click the group policy, and click Edit
    • Double-click (if necessary) Computer
      Configuration, Windows Settings, Security
      Settings, and Local Policies
    • Double-click User Rights Assignment
    • Double-click any policies to configure them

48
Configuring Rights (continued)
Figure 9-6 Configuring user rights as part of
group policy
49
Inherited Rights
  • Inherited rights: User rights that are assigned
    to a group and that automatically apply to all
    members of that group

50
FAT Attributes
Figure 9-7 Attributes of a folder on a
FAT-formatted disk
51
NTFS Attributes
Figure 9-8 Attributes of a folder on an
NTFS-formatted disk
52
Encrypting File System
  • The encrypt attribute uses Microsoft Encrypting
    File System (EFS) that sets a unique private
    encryption key that is associated with the user
    account that encrypted the file or folder. Only
    that account has access to the encrypted file or
    folder contents.

53
Permissions and Active Directory Objects
  • Permissions can be assigned to perform tasks at
    the object level (access control)
  • When assigning permissions, consider who should
    have access to files, and what they should be
    able to do
  • Each object has a security descriptor, which
    allows users or groups to be assigned specific
    permissions

54
Ask ?
  • Who should have permission?
  • What should they be able to do?

55
Permissions and Active Directory Objects
  • Standard permissions
    • Full Control
    • Read
    • Write
    • Create All Child Objects
    • Delete All Child Objects
  • Using special permissions increases
    administrative overhead
  • Different objects have different permissions

56
Configuring Permissions
  • Assigning permissions can be done in several
    places, depending on the type of objects each
    tool lists

Configuring permissions by groups and users
57
Inherited Permissions
  • Inherited permissions: Permissions of a parent
    object that also apply to child objects of the
    parent, such as to subfolders within a folder
  • This option can be overridden
  • Doing so will present administrative headaches
    and security issues

58
Configuring Inherited Permissions
Figure 9-11 Configuring inherited permissions
59
Special Permissions
  • You can customize permissions to meet particular
    security needs by using special permissions

60
Configuring Special Permissions
Figure 9-12 Configuring special permissions
61
Example Guidelines for Setting Permissions
  • Protect the Winnt folder by allowing limited
    access, such as Read & Execute
  • Protect server utility folders, such as folders
    containing backup software, with access for
    Administrators only
  • Protect software application folders with access
    such as Read & Execute (and Write if necessary
    for temporary or configuration files)

62
Example Guidelines for Setting Permissions
(continued)
  • Set up publicly used folders with Modify for
    broad user access
  • Give users Full Control of their own home folders
  • Remove groups such as Everyone and Users from
    confidential folders
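
The guidelines on slides 57, 61 and 62 turned into a check-then-fix script, as an added PowerShell example that is not part of the slides: it reports folders under a share root where inheritance has been overridden and folders where Everyone, Users or Authenticated Users still hold access, then removes those broad groups from folders designated confidential. The share root, the confidential folder list and the group set are assumptions; run it on the file server with an administrative account.

```powershell
# Added example, not from the slides. The paths and the confidential list are
# constructed; $broadGroups are the well-known identities slide 62 says to remove.
$root         = 'D:\Shares'                                  # assumed share root
$confidential = @('D:\Shares\Finance', 'D:\Shares\HR')       # assumed confidential folders
$broadGroups  = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Report: one row per folder, flagging overridden inheritance (slide 57) and broad access.
function Get-FolderAclReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl   = Get-Acl -Path $_.FullName
            $broad = $acl.Access |
                Where-Object { $broadGroups -contains $_.IdentityReference.Value } |
                ForEach-Object { "$($_.IdentityReference.Value): $($_.FileSystemRights)" }
            [pscustomobject]@{
                Folder             = $_.FullName
                InheritanceBlocked = $acl.AreAccessRulesProtected
                BroadAccess        = ($broad -join '; ')
            }
        }
}

# Fix: remove the broad groups from one folder. Inherited ACEs cannot be removed
# directly, so inheritance is first blocked while keeping a copy of the inherited
# rules as explicit ones; only then are the broad entries deleted.
function Remove-BroadAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)   # block inheritance, preserve copies
    Set-Acl -Path $Path -AclObject $acl

    $acl      = Get-Acl -Path $Path              # re-read: former inherited ACEs are explicit now
    $toRemove = @($acl.Access | Where-Object { $broadGroups -contains $_.IdentityReference.Value })
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Report everything that deviates from the guidelines.
Get-FolderAclReport -Path $root |
    Where-Object { $_.InheritanceBlocked -or $_.BroadAccess } |
    Format-Table -AutoSize

# 2. Harden the confidential folders (slide 62), then re-report them.
foreach ($f in $confidential) { Remove-BroadAccess -Path $f }
foreach ($f in $confidential) { Get-FolderAclReport -Path (Split-Path $f) | Where-Object Folder -eq $f }
```

Blocking inheritance on the confidential folders is exactly the override slide 57 warns about, which is why the report lists `InheritanceBlocked` folders: after the fix those folders should be the only entries in that column, and any other one is a break somebody else introduced.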

63
Making Resources Available
  • Making data available for viewing
  • Some resources are published automatically, while
    others must be published manually
  • Until a resource is published, it will remain
    invisible on the network
  • Network services can be published

64
Making Resources Available
  • Not all network services should be published
  • Publish the following kinds of data:
    • Data that is stable
    • Properties with a small amount of data
    • Useful information, that is, data with
      widespread significance

65
Security Options
Figure 9-9 Configuring security options
66
Auditing
  • Auditing: Tracking the success or failure of
    events associated with an object, such as writing
    to a file, and recording the audited events in an
    event log of a server or workstation

67
Configuring Auditing
  • Start by configuring a group policy for auditing
  • Configure auditing on an as-needed basis for
    particular objects, such as a folder or file

68
Folder Auditing
Figure 9-13 Configuring folder auditing
69
Setting an Audit Policy
Figure 9-14 Configuring audit policy as part of
the default domain policy
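
The two-step approach of slide 67 (an audit policy first, then object-level auditing on a particular folder) followed by reading back what was recorded, as an added PowerShell example that is not part of the slides. In a domain the policy half is set in a GPO as Figure 9-14 shows; this example uses `auditpol` to apply the equivalent setting locally on the server being tested. It assumes a current Windows Server (the event ID 4663 used below belongs to Windows Vista/2008 and later, not the Windows 2000 event numbering) and an elevated session, since writing a SACL requires the Manage auditing and security log right; the folder path is constructed.

```powershell
# Added example, not from the slides. Assumes an elevated PowerShell session on
# a current Windows Server; D:\Shares\Finance is a constructed path.

# Step 1 (slide 67, first bullet): audit policy. Object-access auditing for the
# file system, success and failure. In a domain this lives in a GPO (Figure 9-14).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2 (slide 67, second bullet): object-level auditing on one folder.
# The SACL entry audits writes, deletes and permission/ownership changes by anyone.
$folder = 'D:\Shares\Finance'
$acl    = Get-Acl -Path $folder -Audit
$auditRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($auditRule)
Set-Acl -Path $folder -AclObject $acl

# Confirm the SACL took effect.
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# Step 3: review the audited events. 4663 = "An attempt was made to access an object";
# the message text carries the object name, so filter it on the folder.
function Get-FolderAccessEvents {
    param([string]$Path, [int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) } |
        Where-Object { $_.Message -like "*$Path*" } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}
Get-FolderAccessEvents -Path $folder | Format-Table -AutoSize
```

The SACL is deliberately narrow (writes, deletes, permission and ownership changes rather than reads): auditing read access on a busy share floods the Security log, and slide 67 frames object auditing as something configured only where needed.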
70
Ownership
  • Guidelines for ownership:
    • The account that creates an object is the initial
      owner
    • Ownership is changed by first having permission
      to take ownership and then by taking ownership
    • Full Control permissions are required to take
      ownership (or the special permission, Take
      Ownership)

71
Share Permissions
  • Share permissions: Limited permissions that apply
    to a particular shared object, such as a shared
    folder or printer

72
Configuring Share Permissions
Figure 9-15 Configuring a shared folder
73
Share Permissions for a Folder
  • Read: Permits groups or users to read and execute
    files
  • Change: Enables users to read, add, modify,
    execute, and delete files
  • Full Control: Permits full access to the folder,
    including the ability to take ownership control
    or change permissions
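
The three share permission levels above assigned to domain local groups on a new shared folder, as an added PowerShell example that is not part of the slides. It assumes the SmbShare module (Windows Server 2012 or later, so a later interface than the Windows 2000 dialog in Figure 9-15); the share name, path and group names are constructed.

```powershell
# Added example, not from the slides. Assumes the SmbShare module; all names
# and paths are constructed.
$sharePath = 'D:\Shares\Finance'
$shareName = 'Finance'

# When no access lists are given, New-SmbShare adds "Everyone: Read". Passing
# explicit lists keeps the share permissions to the groups that need them,
# using the AGDLP domain local groups rather than individual accounts.
New-SmbShare -Name $shareName -Path $sharePath `
    -ReadAccess   'CONTOSO\DL_Finance_Read' `
    -ChangeAccess 'CONTOSO\DL_Finance_Modify' `
    -FullAccess   'CONTOSO\Domain Admins'

# On a share that already exists, remove the default Everyone entry if present.
Revoke-SmbShareAccess -Name $shareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue

# Later change: add one more group at Read level without touching the others.
Grant-SmbShareAccess -Name $shareName -AccountName 'CONTOSO\DL_Finance_Auditors' -AccessRight Read -Force

# Review the share-level ACL: one row per account with its AccessRight (Read, Change or Full).
Get-SmbShareAccess -Name $shareName |
    Select-Object AccountName, AccessControlType, AccessRight |
    Format-Table -AutoSize
```

Share permissions apply only to access over the network and sit in front of the NTFS permissions of the folder, so the groups granted here should be the same domain local groups that already appear on the folder's NTFS ACL; a group with Change on the share but no NTFS entry still gets nothing.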

74
Moving and Copying Files and Folders
  • A newly created file inherits the permissions
    already set up in a folder
  • A file copied from one folder to another on the
    same volume inherits the permissions of the
    folder to which it is copied
  • A folder that is moved from one folder to another
    on the same volume takes with it the permissions
    it had in the original folder

75
Moving and Copying Files and Folders (continued)
  • A file or folder that is moved or copied to a
    folder on a different volume inherits the
    permissions of the folder to which it is moved or
    copied
  • A file or folder that is moved or copied from an
    NTFS volume to a shared FAT folder inherits the
    share permissions of the FAT folder
  • A file or folder moved from a FAT to an NTFS
    folder inherits the NTFS permissions of that
    folder
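
A small lab script that makes the copy-versus-move rules of slides 74 and 75 observable on one NTFS volume, as an added PowerShell example that is not part of the slides: it creates a source folder and two destination folders with distinguishable explicit permissions, copies one file and moves another, and then lists the access entries each file ends up with and whether they are marked inherited. Paths are constructed and assumed to lie on the same NTFS volume; the exact outcome of a same-volume move depends on the Windows version and on the tool doing the move (Explorer re-applies inheritance from the new parent on current versions), so the report is there to be compared against the slide rather than to replace it.

```powershell
# Added example, not from the slides. D:\AclLab is a constructed path on an
# NTFS volume; BUILTIN\Users and BUILTIN\Guests are used only as two
# distinguishable identities for the explicit ACEs.
$base    = 'D:\AclLab'
$src     = Join-Path $base 'Source'
$dstCopy = Join-Path $base 'DestCopy'
$dstMove = Join-Path $base 'DestMove'
New-Item -ItemType Directory -Path $src, $dstCopy, $dstMove -Force | Out-Null

# Give a folder one explicit, inheritable Read & Execute entry.
function Grant-ExplicitRead {
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-ExplicitRead -Path $src     -Account 'BUILTIN\Users'
Grant-ExplicitRead -Path $dstCopy -Account 'BUILTIN\Guests'
Grant-ExplicitRead -Path $dstMove -Account 'BUILTIN\Guests'

# Two files created in Source: each inherits Source's permissions (slide 74, first bullet).
'sample' | Set-Content -Path (Join-Path $src 'copied.txt')
'sample' | Set-Content -Path (Join-Path $src 'moved.txt')

Copy-Item -Path (Join-Path $src 'copied.txt') -Destination $dstCopy   # same volume: inherits DestCopy
Move-Item -Path (Join-Path $src 'moved.txt')  -Destination $dstMove   # same volume: slide says it keeps Source's

# One row per ACE on a file: which identity, which rights, and whether NTFS
# flags the entry as inherited from the file's current parent.
function Get-AceSummary {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            File      = Split-Path -Path $Path -Leaf
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
}
Get-AceSummary -Path (Join-Path $dstCopy 'copied.txt')
Get-AceSummary -Path (Join-Path $dstMove 'moved.txt')
```

Read the two reports side by side: the copied file should list BUILTIN\Guests (DestCopy's entry) and no BUILTIN\Users, while the moved file is the one whose entries tell you which of the slide's rules your platform and tool actually followed.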

76
Scripting
  • Script types
    • Logon
    • Logoff
    • Startup
    • Shutdown
  • Languages
    • Command Shell
    • WSH
    • Perl
    • KiXtart
    • Etc.
  • Logon scripts
    • Assigned through user properties: run
      synchronously
    • Assigned through Group Policy (Windows 2000):
      run asynchronously

http://www.microsoft.com/scripting