Security

advertisement
Security
Security overview
It is important to keep your computer secure, not only to protect data on the computer
itself, but on the network as well. A good security system has the following features:
a) confirms the identity of the people who are attempting to access the resources
on your computer,
b) protects specific resources from inappropriate access by users,
c) provides a simple, efficient way to set up and maintain security on your
computer.
To help you accomplish these goals, Windows 2000 Professional offers these security
features:
User Accounts
To use a computer that is running Windows 2000, you must have a user account,
which consists of a unique user name and a password. Windows 2000 verifies your
user name and password when you press CTRL+ALT+DEL and then type your user
name and your password. If your user account has been disabled or deleted,
Windows 2000 prevents you from accessing the computer, ensuring that only valid
users have access to the computer. Double-click Users and Passwords in Control
Panel to create or delete users and change user passwords.
Group Accounts
Users must have certain user rights and permissions to perform tasks on a computer
running Windows 2000. Group accounts help you efficiently assign those user rights
and permissions to users. Windows 2000 Professional comes with many built-in
groups based on the tasks users commonly perform, such as the Administrators,
Backup Operators, or Users groups. Assigning users to one or more of the built-in
groups gives most users all of the user rights and permissions they need to perform
their jobs. Double-click Users and Passwords in Control Panel to add or remove
users from existing groups.
Permissions
Windows 2000 only provides NTFS permissions on NTFS formatted partitions. To
secure files and folders on NTFS partitions, you grant NTFS permissions for each
user account or group that needs to access the resources.
NTFS stores an access control list (ACL) for every file and folder on an NTFS
partition. The ACL contains a list of all user accounts, groups and computers that
have been granted access to the files or folder, and the type of access that they have
been given.
File and Folder Permissions (NTFS drives only)
When you set permissions on a file or folder, you specify the groups and users whose
access you want to restrict or allow, and then select the type of access. It is more
efficient to specify group accounts when you assign permissions to objects, so that
you can simply add users to the appropriate group when you need to allow or restrict
access for those users. For example, you can give managers Full Control of a folder
that contains electronic timesheets, and then give employees Write access so that they
can copy timesheets to that folder, but not read the contents of the folder. File and
folder permissions can be set only on NTFS drives.
Shared Folder Permissions
If you are a member of the Administrators or Power Users group, you can share
folders on your local computer so that users on other computers can access those
folders. By assigning shared folder permissions to any NTFS, FAT, or FAT32 shared
folder, you can restrict or allow access to those folders over the network. Use NTFS
folder permissions if the shared folder is located on an NTFS drive. NTFS
permissions are effective on the local computer and over the network.
Printer Permissions
Because shared printers are available to all users on the network, you might want to
limit access for some users by assigning printer permissions. For example, you could
give all nonadministrative users in a department the Print permission and all managers
the Print and Manage Documents permissions. By doing this, all users and managers
can print documents, but managers can change the status of any print job submitted by
any user.
Auditing
You can use auditing to track which user account was used to access files or other
objects, as well as logon attempts, system shutdowns or restarts, and similar events.
Before any auditing takes place, you must use Group Policy to specify the types of
events you want to audit. For example, to audit a folder, you first enable Audit
Object Access in the Auditing policy in Group Policy. Next, you set up auditing like
you do permissions: You choose the object, such as a file or folder, then select the
users and groups whose actions you want to audit. Finally, you choose the actions
you want to audit, such as attempts to open or delete the restricted folder. You can
audit both successful and failed attempts. You track auditing activity by using Event
Viewer to view the Security log.
User Rights
User rights are rules that determine the actions a user can perform on a computer. In
addition, user rights control whether a user can log on to a computer directly (locally)
or over the network, add users to local groups, delete users, and so on. Built-in
groups have sets of user rights already assigned. Administrators usually assign user
rights by adding a user account to one of the built-in groups or by creating a new
group and assigning specific user rights to that group. Users who are subsequently
added to a group are automatically granted all user rights assigned to the group
account. User rights are managed using Group Policy.
Group Policy
Use Group Policy to set a variety of software, computer, and user policies. For
example, you can define the various components of the user's desktop environment,
such as the programs that are available to users, the icons that appear on the user's
desktop, the Start menu options, which users can modify their desktops and which
cannot, and so on. You also use Group Policy set user rights.
Encryption (NTFS drives only)
Encrypting files and folders makes them unreadable to unauthorized users. If a user
attempting to access an encrypted file has the private key to that file (that is, if the
user either encrypted the file personally or is a registered recovery agent), the user
will be able to open the file and work with it transparently as a normal document. A
user without the private key to the file is denied access. Encryption is available only
on NTFS drives.
File Permissions Exercise
Windows 2000 only provides NTFS permissions on NTFS formatted partitions. To
secure files and folders on NTFS partitions, you grant NTFS permissions for each
user account or group that needs access to the resources.
NTFS stores an access control list (ACL) with every file and folder on an NTFS
partition. The ACL contains a list of all user accounts, groups and computers that
have been granted access to the file or folder, and the type of access that they have
been granted.
Create a small text file and save on the C: drive
In Windows Explorer right-click on the file, click Properties, and then click the
Security tab.
In Name add Everyone group if it is not present.
In Permissions tick the Read permission box in the Deny list and click OK.
Click Yes in the security window that appears.
Now try to open the text file.
Click OK to clear the dialog box.
In Windows Explorer right-click on the file, click Properties, and then click the
Security tab.
In Permissions clear the Read permission box in the Deny list and click OK.
In Permissions tick the Write permission box in the Deny list and click OK.
Now try to open the text file.
Make some changes to the text.
Now try to save the changes.
Click OK to clear the dialog box.
In Windows Explorer right-click on the file, click Properties, and then click the
Security tab.
In Permissions clear the Read permission box in the Deny list and click OK.
Auditing Exercise
An important aspect of securing resources is monitoring their use. Monitoring
resource use helps you determine whether unauthorised users are attempting to access
the resources and can also identify other potential security problems. The mechanism
that Windows 2000 provides for monitoring resources is called auditing. Auditing
causes the success or failure of events that you specify to be logged to the security log
on your workstation. You can view the security log through the Event Viewer.
From Administrative Tools open the Local Security Policy console.
In the console tree expand Local Policies and then click on Audit Policy.
The console displays the current Audit policy settings in the details pane.
Select Audit Object Access, and the select Security on the Action menu.
Select both the Success and Failure check boxes and then click OK.
Open the Computer Management console and expand the Event Viewer.
Right-click the Security icon and select Refresh.
After turning on auditing of object access through local policy, you can configure
auditing of specific objects. It’s important to understand that turning on auditing in
the local policy for object access doesn’t actually cause any auditing to take place; it
simply makes it possible. You have to also turn on auditing at the individual objects
you want to monitor. So, it’s a two-step process: Enable auditing globally for specific
types of objects, and then turn on auditing at individual objects.
In Windows Explorer navigate to the text file that you saved on the C: drive.
In the Properties dialog box, on the Security tab, click Advanced.
In the Access Control Settings dialogue box, on the Auditing tab, click Add.
In the Select User or Group dialog box click Everyone, and then click OK.
In the Auditing Entry dialog box, select the Successful and Failed check boxes for
the following event:
-CreateFiles / WriteData
Click OK to close the Audit Entry dialog box and then click OK to close the Access
Control dialog box.
Click OK to close the Properties dialog box.
Open the text file, change the contents and then attempt to save the file.
Open the Event Viewer from the Administative Tools menu.
Review the log. Right-click the Security Log icon and click on View and All Records
From Administrative Tools open the Local Security Policy console.
In the console tree expand Local Policies and then click on Audit Policy.
The console displays the current Audit policy settings in the details pane.
Select Audit Object Access, and the select Security on the Action menu.
Clear both the Success and Failure check boxes and then click OK.
Download