Security Security overview It is important to keep your computer secure, not only to protect data on the computer itself, but on the network as well. A good security system has the following features: a) confirms the identity of the people who are attempting to access the resources on your computer, b) protects specific resources from inappropriate access by users, c) provides a simple, efficient way to set up and maintain security on your computer. To help you accomplish these goals, Windows 2000 Professional offers these security features: User Accounts To use a computer that is running Windows 2000, you must have a user account, which consists of a unique user name and a password. Windows 2000 verifies your user name and password when you press CTRL+ALT+DEL and then type your user name and your password. If your user account has been disabled or deleted, Windows 2000 prevents you from accessing the computer, ensuring that only valid users have access to the computer. Double-click Users and Passwords in Control Panel to create or delete users and change user passwords. Group Accounts Users must have certain user rights and permissions to perform tasks on a computer running Windows 2000. Group accounts help you efficiently assign those user rights and permissions to users. Windows 2000 Professional comes with many built-in groups based on the tasks users commonly perform, such as the Administrators, Backup Operators, or Users groups. Assigning users to one or more of the built-in groups gives most users all of the user rights and permissions they need to perform their jobs. Double-click Users and Passwords in Control Panel to add or remove users from existing groups. Permissions Windows 2000 only provides NTFS permissions on NTFS formatted partitions. To secure files and folders on NTFS partitions, you grant NTFS permissions for each user account or group that needs to access the resources. NTFS stores an access control list (ACL) for every file and folder on an NTFS partition. The ACL contains a list of all user accounts, groups and computers that have been granted access to the files or folder, and the type of access that they have been given. File and Folder Permissions (NTFS drives only) When you set permissions on a file or folder, you specify the groups and users whose access you want to restrict or allow, and then select the type of access. It is more efficient to specify group accounts when you assign permissions to objects, so that you can simply add users to the appropriate group when you need to allow or restrict access for those users. For example, you can give managers Full Control of a folder that contains electronic timesheets, and then give employees Write access so that they can copy timesheets to that folder, but not read the contents of the folder. File and folder permissions can be set only on NTFS drives. Shared Folder Permissions If you are a member of the Administrators or Power Users group, you can share folders on your local computer so that users on other computers can access those folders. By assigning shared folder permissions to any NTFS, FAT, or FAT32 shared folder, you can restrict or allow access to those folders over the network. Use NTFS folder permissions if the shared folder is located on an NTFS drive. NTFS permissions are effective on the local computer and over the network. Printer Permissions Because shared printers are available to all users on the network, you might want to limit access for some users by assigning printer permissions. For example, you could give all nonadministrative users in a department the Print permission and all managers the Print and Manage Documents permissions. By doing this, all users and managers can print documents, but managers can change the status of any print job submitted by any user. Auditing You can use auditing to track which user account was used to access files or other objects, as well as logon attempts, system shutdowns or restarts, and similar events. Before any auditing takes place, you must use Group Policy to specify the types of events you want to audit. For example, to audit a folder, you first enable Audit Object Access in the Auditing policy in Group Policy. Next, you set up auditing like you do permissions: You choose the object, such as a file or folder, then select the users and groups whose actions you want to audit. Finally, you choose the actions you want to audit, such as attempts to open or delete the restricted folder. You can audit both successful and failed attempts. You track auditing activity by using Event Viewer to view the Security log. User Rights User rights are rules that determine the actions a user can perform on a computer. In addition, user rights control whether a user can log on to a computer directly (locally) or over the network, add users to local groups, delete users, and so on. Built-in groups have sets of user rights already assigned. Administrators usually assign user rights by adding a user account to one of the built-in groups or by creating a new group and assigning specific user rights to that group. Users who are subsequently added to a group are automatically granted all user rights assigned to the group account. User rights are managed using Group Policy. Group Policy Use Group Policy to set a variety of software, computer, and user policies. For example, you can define the various components of the user's desktop environment, such as the programs that are available to users, the icons that appear on the user's desktop, the Start menu options, which users can modify their desktops and which cannot, and so on. You also use Group Policy set user rights. Encryption (NTFS drives only) Encrypting files and folders makes them unreadable to unauthorized users. If a user attempting to access an encrypted file has the private key to that file (that is, if the user either encrypted the file personally or is a registered recovery agent), the user will be able to open the file and work with it transparently as a normal document. A user without the private key to the file is denied access. Encryption is available only on NTFS drives. File Permissions Exercise Windows 2000 only provides NTFS permissions on NTFS formatted partitions. To secure files and folders on NTFS partitions, you grant NTFS permissions for each user account or group that needs access to the resources. NTFS stores an access control list (ACL) with every file and folder on an NTFS partition. The ACL contains a list of all user accounts, groups and computers that have been granted access to the file or folder, and the type of access that they have been granted. Create a small text file and save on the C: drive In Windows Explorer right-click on the file, click Properties, and then click the Security tab. In Name add Everyone group if it is not present. In Permissions tick the Read permission box in the Deny list and click OK. Click Yes in the security window that appears. Now try to open the text file. Click OK to clear the dialog box. In Windows Explorer right-click on the file, click Properties, and then click the Security tab. In Permissions clear the Read permission box in the Deny list and click OK. In Permissions tick the Write permission box in the Deny list and click OK. Now try to open the text file. Make some changes to the text. Now try to save the changes. Click OK to clear the dialog box. In Windows Explorer right-click on the file, click Properties, and then click the Security tab. In Permissions clear the Read permission box in the Deny list and click OK. Auditing Exercise An important aspect of securing resources is monitoring their use. Monitoring resource use helps you determine whether unauthorised users are attempting to access the resources and can also identify other potential security problems. The mechanism that Windows 2000 provides for monitoring resources is called auditing. Auditing causes the success or failure of events that you specify to be logged to the security log on your workstation. You can view the security log through the Event Viewer. From Administrative Tools open the Local Security Policy console. In the console tree expand Local Policies and then click on Audit Policy. The console displays the current Audit policy settings in the details pane. Select Audit Object Access, and the select Security on the Action menu. Select both the Success and Failure check boxes and then click OK. Open the Computer Management console and expand the Event Viewer. Right-click the Security icon and select Refresh. After turning on auditing of object access through local policy, you can configure auditing of specific objects. It’s important to understand that turning on auditing in the local policy for object access doesn’t actually cause any auditing to take place; it simply makes it possible. You have to also turn on auditing at the individual objects you want to monitor. So, it’s a two-step process: Enable auditing globally for specific types of objects, and then turn on auditing at individual objects. In Windows Explorer navigate to the text file that you saved on the C: drive. In the Properties dialog box, on the Security tab, click Advanced. In the Access Control Settings dialogue box, on the Auditing tab, click Add. In the Select User or Group dialog box click Everyone, and then click OK. In the Auditing Entry dialog box, select the Successful and Failed check boxes for the following event: -CreateFiles / WriteData Click OK to close the Audit Entry dialog box and then click OK to close the Access Control dialog box. Click OK to close the Properties dialog box. Open the text file, change the contents and then attempt to save the file. Open the Event Viewer from the Administative Tools menu. Review the log. Right-click the Security Log icon and click on View and All Records From Administrative Tools open the Local Security Policy console. In the console tree expand Local Policies and then click on Audit Policy. The console displays the current Audit policy settings in the details pane. Select Audit Object Access, and the select Security on the Action menu. Clear both the Success and Failure check boxes and then click OK.