Hack Proofing Windows 2000 Server (w2kserver book), part 2
Default Access Control Settings • Chapter 2 (www.syngress.com)

Table 2.4 Default User Rights for Windows 2000
"(empty list)" means the right is defined with an empty membership list; "—" reproduces the entries the book leaves as a dash in the Professional column.

| User Right | Default for Professional | Default for Member Server/Standalone Server | Default for Domain Controller |
|---|---|---|---|
| Access this computer from network | Administrators, Backup Operators, Power Users, Users, Everyone | Administrators, Backup Operators, Power Users, Users, Everyone | Administrators, Authenticated Users, Everyone |
| Act as part of the operating system | — | (empty list) | (empty list) |
| Add workstations to domain | — | (empty list) | Authenticated Users |
| Back up files and directories | Administrators, Backup Operators | Administrators, Backup Operators | Administrators, Backup Operators, Server Operators |
| Bypass traverse checking | Administrators, Backup Operators, Power Users, Users, Everyone | Administrators, Backup Operators, Power Users, Users, Everyone | Administrators, Authenticated Users, Everyone |
| Change system time | Administrators, Power Users | Administrators, Power Users | Administrators, Server Operators |
| Create a pagefile | Administrators | Administrators | Administrators |
| Create a token object | (empty list) | (empty list) | (empty list) |
| Create permanent shared objects | (empty list) | (empty list) | (empty list) |
| Debug programs | Administrators | Administrators | Administrators |
| Deny access to this computer from network | (empty list) | (empty list) | (empty list) |
| Deny log on as a batch job | (empty list) | (empty list) | (empty list) |
| Deny log on as a service | (empty list) | (empty list) | (empty list) |
| Deny log on locally | (empty list) | (empty list) | (empty list) |
| Enable computer and user accounts to be trusted for delegation | (empty list) | (empty list) | Administrators |
| Force shutdown from a remote system | Administrators | Administrators | Administrators, Server Operators |
| Generate security audits | (empty list) | (empty list) | (empty list) |
| Increase quotas | Administrators | Administrators | Administrators |
| Increase scheduling priority | Administrators | Administrators | Administrators |
| Load and unload device drivers | Administrators | Administrators | Administrators |
| Lock pages in memory | (empty list) | (empty list) | (empty list) |
| Log on as a batch job | (empty list) | System, IUSR_Computername, IWAM_Computername | IUSR_Computername, IWAM_Computername, DomainName\IUSR_Computername |
| Log on as a service | (empty list) | (empty list) | (empty list) |
| Log on locally | Administrators, Backup Operators, Power Users, Users, Guest (if Guest is enabled) | Administrators, Backup Operators, Power Users, Users, Guest (if Guest is enabled) | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators |
| Manage auditing and security log | Administrators | Administrators | Administrators |
| Modify firmware environment values | Administrators | Administrators | Administrators |
| Profile single process | Administrators, Power Users | Administrators, Power Users | Administrators |
| Profile system performance | Administrators | Administrators | Administrators |
| Remove computer from docking station | Administrators, Power Users, Users | Administrators, Power Users, Users | Administrators |
| Replace a process level token | (empty list) | (empty list) | (empty list) |
| Restore files and directories | Administrators, Backup Operators | Administrators, Backup Operators | Administrators, Backup Operators, Server Operators |
| Shut down the system | Administrators, Backup Operators, Power Users, Users | Administrators, Backup Operators, Power Users | Administrators, Backup Operators, Account Operators, Server Operators, Print Operators |
| Synchronize directory service data | (empty list) | (empty list) | (empty list) |
| Take ownership of files or other objects | Administrators | Administrators | Administrators |

181_SerSec2e_02 9/5/01 1:45 PM Page 47

Checking or changing the default user rights in Windows 2000 is not a straightforward process, because user rights do not appear as their own entry on the Administrative Tools menu. Exercise 2.1 shows you how to check the user rights on your Windows 2000 Server.

Exercise 2.1 Checking User Rights through the Microsoft Management Console

1. Click Start and choose Run.
2. Type MMC in the dialog box and click OK. This will give you the Console Root window shown in Figure 2.8.
3. Select Add/Remove Snap-in from the Console menu. You will see the Add/Remove Snap-in window shown in Figure 2.9.
4. Click Add.
5. In the Add Standalone Snap-in window, move the scrollbar down and highlight Group Policy, as shown in Figure 2.10.
6. Click Add. This choice will display the Select Group Policy Object window shown in Figure 2.11.
7. Click Finish to select the local computer as the Group Policy object. This is the default choice; other choices are available by clicking the Browse button (if the Windows 2000 Server is a domain controller), as shown in Figure 2.12.
8. Click Close to close the Add Standalone Snap-in window (refer back to Figure 2.10).
9. Click OK to close the Add/Remove Snap-in window (refer back to Figure 2.9).
10. Double-click Local Computer Policy.
11. Double-click Computer Configuration.
12. Double-click Windows Settings.
13. Double-click Security Settings.
14. Double-click Local Policies.
15. Click User Rights Assignment. The default user rights are located in the right pane, as shown in Figure 2.13.

Figure 2.8 The Console Root Window
Figure 2.9 The Add/Remove Snap-In Window
Figure 2.10 Select Group Policy from the Add Standalone Snap-In Window
Figure 2.11 The Select Group Policy Object Window
Figure 2.12 Group Policy Objects Available to Windows 2000 Server Domain Controllers
Figure 2.13 Default User Rights for the Local Computer Policy

NOTE
The Account Policies, Local Policies, IP Security Policies, and Public Key Policies can also be configured from the Local Security Settings console. To open the Local Security Settings console, click Start and go to Programs | Administrative Tools | Local Security Settings. Sometimes this method is quicker than creating a custom MMC, as described above.

Additional users have rights on various items shown in Figure 2.13 because additional components are installed on the Windows 2000 Server system shown in the figure.
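Table 2.4 and Exercise 2.1 let you eyeball the rights on one machine in the MMC; on more than a couple of servers you want the comparison done by a script, and the interesting output is the drift: who has been added to "Debug programs" or "Act as part of the operating system", and who has been dropped from a right that a service depends on. The Python example below is added here and is not code from the book. It assumes the local policy has been exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` (the `[Privilege Rights]` section of that file lists each privilege constant with the SIDs that hold it, SIDs prefixed with `*`), and it compares that section against the Member Server/Standalone Server column of Table 2.4 for nine of the rights. The export text in `SAMPLE_EXPORT` is constructed for the example, not the output of a real machine; the SID-to-name map covers only the well-known SIDs of the groups in the table, and any SID it does not know is reported raw. For a domain controller or a Professional workstation, pass a baseline dict built from the matching column instead.

```python
"""Compare the [Privilege Rights] section of a secedit export against the
Windows 2000 Member Server/Standalone Server defaults from Table 2.4.
Added example, not from the book."""

# Well-known SIDs for the principals that appear in Table 2.4.
SID_NAMES = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "System",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

# Privilege constant (as secedit writes it) -> (user right name as in Table 2.4,
# expected members from the Member Server/Standalone Server column).
SERVER_DEFAULTS = {
    "SeNetworkLogonRight": ("Access this computer from network",
        {"Administrators", "Backup Operators", "Power Users", "Users", "Everyone"}),
    "SeTcbPrivilege": ("Act as part of the operating system", set()),
    "SeBackupPrivilege": ("Back up files and directories",
        {"Administrators", "Backup Operators"}),
    "SeChangeNotifyPrivilege": ("Bypass traverse checking",
        {"Administrators", "Backup Operators", "Power Users", "Users", "Everyone"}),
    "SeSystemtimePrivilege": ("Change system time", {"Administrators", "Power Users"}),
    "SeDebugPrivilege": ("Debug programs", {"Administrators"}),
    "SeRestorePrivilege": ("Restore files and directories",
        {"Administrators", "Backup Operators"}),
    "SeShutdownPrivilege": ("Shut down the system",
        {"Administrators", "Backup Operators", "Power Users"}),
    "SeTakeOwnershipPrivilege": ("Take ownership of files or other objects",
        {"Administrators"}),
}

# Constructed sample in the shape `secedit /export /cfg` writes; NOT a real export.
# Four rights have drifted from the server defaults on purpose.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0
SeTcbPrivilege = svc_legacy
SeBackupPrivilege = *S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-547
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545
SeTakeOwnershipPrivilege = *S-1-5-32-544
"""


def parse_privilege_rights(text):
    """Return {privilege: set(principal names)} from the [Privilege Rights] section.
    Tokens starting with '*' are SIDs (mapped to names where known); anything else
    is taken as an account name and kept as written."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        members = set()
        for token in value.split(","):
            token = token.strip()
            if not token:
                continue
            if token.startswith("*"):
                sid = token[1:]
                members.add(SID_NAMES.get(sid, sid))  # unknown SID: report it raw
            else:
                members.add(token)
        rights[name.strip()] = members
    return rights


def audit_export(text, baseline=SERVER_DEFAULTS):
    """Return (right name, 'added'|'removed', principal) for every deviation from
    the baseline. A privilege that is absent from the export is treated as an
    empty membership list, which is how secedit represents a right nobody holds."""
    actual = parse_privilege_rights(text)
    findings = []
    for privilege, (right_name, expected) in baseline.items():
        holders = actual.get(privilege, set())
        for principal in sorted(holders - expected):
            findings.append((right_name, "added", principal))
        for principal in sorted(expected - holders):
            findings.append((right_name, "removed", principal))
    return findings


if __name__ == "__main__":
    for right_name, change, who in audit_export(SAMPLE_EXPORT):
        print(f"{change:8s} {who:20s} {right_name}")
```

Run against the constructed export, the audit reports a local account holding "Act as part of the operating system", Power Users added to "Debug programs", Users added to "Shut down the system", and Backup Operators removed from "Back up files and directories"; the first two are the ones to chase first, since either right lets its holder reach SYSTEM.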
Double-clicking any of the user rights brings up a window that displays the users who have that right, as well as an Add button to add more users to it. Figure 2.14 shows the Back Up Files and Directories user right, accessed by double-clicking it. After you click Add, you can add users and/or groups to the user right by clicking the Browse button to open the Select Users and Groups window shown in Figure 2.15.

Figure 2.14 The Back Up Files and Directories User Rights
Figure 2.15 Adding Users or Groups to the Back Up Files and Directories User Rights

Default Group Membership

The default security settings in Windows 2000 and Windows NT 4.0 differ in the assignment of access control settings. Windows NT 4.0 depends on the Everyone group as the default group for file system access control lists, user rights, and Registry access control lists. All users are automatically members of the Everyone group, and the system's Administrator cannot remove them from it. This restriction causes problems when more granular control is desired: the Everyone group might need to be removed from an ACL and other groups added for better, more strict control.

Windows 2000 operates differently from Windows NT 4.0. The Everyone group is no longer used to assign permissions, except for maintaining backward compatibility with applications that require anonymous read access. In this case, the Everyone group is used to grant read access to some file system and Registry objects. Assignment of permissions is accomplished using groups whose membership the administrator can control. Table 2.5 lists the default members of the three user groups.
Table 2.5 Default Members for Local Groups

| Local Group | Default Professional Members | Default Standalone Server Members | Default Domain Controller Members |
|---|---|---|---|
| Administrators | Administrator | Administrator | Administrator, Domain Admins, Enterprise Admins |
| Power Users | Interactive Users | N/A | N/A |
| Users | Authenticated Users | Authenticated Users | Authenticated Users, Domain Users |

Table 2.5 lists the Authenticated Users group. Windows 2000 automatically creates this group during clean installations. The Authenticated Users group is similar to the Everyone group in that the operating system, not the administrator, controls the group's members. The difference between the two groups is that the Authenticated Users group does not contain anonymous users, as the Everyone group does.

Members are added to or deleted from these three local groups (Administrators, Power Users, and Users) in two ways, depending on whether the Windows 2000 Server is standalone or a domain controller. For standalone servers, use the Computer Management selection from the Administrative Tools menu. For domain controllers, use the Active Directory Users and Computers selection from Administrative Tools. The windows in the two systems look different from each other after you have drilled down to a particular group. Figure 2.16 shows the General tab for the Administrators group from a Windows 2000 standalone server. It is the only tab available. Figure 2.17 shows the Members tab for the Administrators group from a Windows 2000 domain controller. It is one of four available tabs.

Figure 2.16 The General Tab for the Administrators Group Properties on a Standalone Server
Figure 2.17 The Members Tab for the Administrators Group Properties on a Domain Controller
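The section above makes a concrete promise: on Windows 2000, Everyone should only appear on file system and Registry objects to preserve anonymous read access for old applications, with everything else granted through groups the administrator controls. The check a practitioner wants is therefore "which objects grant Everyone or Anonymous Logon anything beyond read?". The Python example below is added here and is not from the book. It works on DACLs written in SDDL (the string form later Windows exposes as the `Sddl` property of `Get-Acl`; how you collect the strings on a given box is up to you) and assumes an ACE's rights field is either a run of two-letter SDDL tokens or a hex access mask. The object names and ACL strings in `SAMPLE_ACLS` are constructed for the example and describe no real system; the read-only mask is the union of GENERIC_READ, GENERIC_EXECUTE, FILE_GENERIC_READ, FILE_GENERIC_EXECUTE and KEY_READ, so a hex mask counts as read-only only if every set bit is inside that union.

```python
"""Find DACL entries that grant Everyone or Anonymous Logon more than read access.
Added example (not from the book); ACLs are handled in SDDL string form."""
import re

# SDDL aliases and well-known SIDs for the two principals this check is about.
ANON_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AN": "Anonymous Logon", "S-1-5-7": "Anonymous Logon",
}

# Two-letter SDDL rights tokens that grant only read/execute/list access.
READ_ONLY_TOKENS = {"GR", "GX", "FR", "FX", "KR", "KX", "RC", "LC", "RP", "LO"}

# GENERIC_READ | GENERIC_EXECUTE | FILE_GENERIC_READ | FILE_GENERIC_EXECUTE | KEY_READ:
# a hex mask is read-only if it sets no bit outside this union.
READ_MASK = 0x80000000 | 0x20000000 | 0x120089 | 0x1200A0 | 0x20019

# Constructed sample: hypothetical object names with SDDL DACLs, not a real system.
SAMPLE_ACLS = {
    r"C:\inetpub\wwwroot": "O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;WD)(A;OICI;0x1301bf;;;AU)",
    r"HKLM\SOFTWARE\LegacyApp": "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;WD)(A;CI;KR;;;AU)",
    r"C:\data\share": "O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;FRFW;;;AN)",
    r"C:\data\locked": "O:BAG:SYD:(D;OICI;FA;;;WD)(A;OICI;FA;;;BA)",
}


def parse_aces(sddl):
    """Yield (ace_type, flags, rights, sid) for every ACE in the string.
    ACE syntax: (type;flags;rights;object_guid;inherit_object_guid;sid)."""
    for body in re.findall(r"\(([^)]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:  # conditional ACEs carry extra fields; not handled here
            continue
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
        yield ace_type, flags, rights, sid


def grants_beyond_read(rights):
    """True if a rights field grants anything other than read/execute/list."""
    if rights.lower().startswith("0x"):
        return (int(rights, 16) & ~READ_MASK) != 0
    tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return any(token not in READ_ONLY_TOKENS for token in tokens)


def excess_grants(sddl):
    """Return [(principal, rights)] for allow ACEs that give Everyone or
    Anonymous Logon write-class access. Deny ACEs (type D) are ignored."""
    findings = []
    for ace_type, _flags, rights, sid in parse_aces(sddl):
        principal = ANON_PRINCIPALS.get(sid)
        if ace_type == "A" and principal and grants_beyond_read(rights):
            findings.append((principal, rights))
    return findings


def audit_objects(acls):
    """Map object name -> findings, listing only objects that have any."""
    report = {}
    for name, sddl in acls.items():
        found = excess_grants(sddl)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for name, found in audit_objects(SAMPLE_ACLS).items():
        for principal, rights in found:
            print(f"{name}: {principal} holds {rights}")
```

On the constructed sample the web root passes (Everyone has `0x1200a9`, read and execute only), the deny ACE on `C:\data\locked` is correctly ignored, and the two findings are the Registry key that gives Everyone full control (`KA`) and the share that gives Anonymous Logon write access (`FW`); both are exactly the NT 4.0-style grants the text says Windows 2000 no longer makes by default.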
Preview fragments shown on this page from elsewhere in this part of the book (each excerpt is cut where "..." appears):

Chapter 3, Kerberos Server Authentication, on proxy and forwarded tickets:
"... for Server 2. 5. Client sends the proxy ticket to Server 1. 6. Server 1 uses the proxy ticket to access Server 2 on behalf of the Client. If the client does not know the name of Server 2, it cannot request a proxy ticket. This is where forwarded tickets are used. Forwarded tickets operate on the principle that the client gives Server 1 a TGT that it can use to request tickets for other servers ..."
"... ticket to Server 1, which uses the ticket to access Server 2 on behalf of the client. Figure 3.5 shows the process for proxy tickets."
Figure 3.5 The Steps Used for Proxy Tickets (figure residue; only the step labels are recoverable): 1. User logs in. 2. KDC sends TGT with proxiable flag set to the Client. 3. Client requests proxy ticket for Server 2 via Server ... 5. Client sends the proxy ticket to Server 1. 6. Server 1 uses the proxy ticket to access Server 2 on behalf of the Client.
"... KDC. The KDC detects that the TGT is forwardable, so it creates a forwarded ticket for Server 2 and sends the ticket to Server 1. Server 1 can then use that ticket to access Server 2 on the client's behalf. Figure 3.6 shows the steps for forwarded tickets."

Chapter 3, Kerberos and Windows 2000:
"The Kerberos implementation in Windows 2000 is called Microsoft Kerberos because Microsoft added its own extensions. Microsoft ..."

Chapter 3, figures on the basic exchange (figure residue; captions and step labels only):
The Client Requesting a Ticket to Communicate with the Server: 1. Client wants to communicate with the Server. 2. KDC sends the Client copy of the session key and the Server copy of the session key to the Client.
Figure 3.2 The Client Sending Credentials to the Server: 3. Client sends session ticket and authenticator to the Server.
"... This is one of the differences between Kerberos ..."

Chapter 3 opening (Kerberos Server Authentication). Solutions in this chapter: Overview of the Kerberos Protocol; Kerberos and Windows 2000; Authorization Data; Kerberos Tools; Summary; Solutions Fast Track; Frequently Asked Questions.
"... logons to Windows 2000 standalone computers."
"Kerberos is the default network authentication for Windows 2000. Kerberos is a widely used authentication protocol based on an open standard. All Windows 2000 computers use Kerberos v5 in the network environment, except in these situations: Windows 2000 computers ..."

Chapter 2, Pre-Windows 2000 Security:
"As mentioned earlier, user security in Windows NT 4.0 was much more relaxed than user security in Windows 2000. This is a good thing, since security is one of the main reasons companies are adopting Windows 2000. Unfortunately, if you are running applications ..."
"... 2000 mode. By doing so, we allow anonymous read access for all group attributes and anonymous read access for all the user attributes that existed in NT 4.0. A special group is used to run our domain in Pre-Windows 2000 mode. It is a built-in local group called Pre-Windows 2000 Compatible Access. It is located in the Builtin container within Active Directory Users and Computers (refer back to Figure 2.2). This ..."

Chapter 2, Frequently Asked Questions:
"... Windows 2000, how will my existing server-based applications function? A: It might be necessary to change the environment in which the server-based application runs if it operated as a User in Windows NT 4.0. In Windows 2000, you will need to run the server-based application as a Power User. You might ..."

Chapter 2, Solutions Fast Track, Configuring Security during Windows 2000 Setup:
"Default templates are applied to fresh installs of Windows 2000 and upgrade installs from Windows 9x machines. The default templates include defltdc.inf (domain controller), defltsv.inf (member or standalone server), and defltwk.inf (Professional machine)."

Posted: 14/08/2014, 04:21