W2KPresentationFINAL

Introduction to
Windows 2000 Server Components
Ryan Larson
David Greer
September 18, 2002
Win2K Components
Overview
• Monitoring Components
• User and Group Management
• Group Security Policies
• Windows 2000 Security Services
Monitoring Components
• Computer Management
– Click Start, Settings, Control Panel, Administrative Tools, Computer Management
• Event Viewer
• Performance Log
• Shared Folders
• Services
Computer Management
Event Viewer
• The Event Viewer gathers information about hardware, software, and system problems and monitors Windows 2000 security events
• Application Log
– Events logged by applications or programs.
• Security Log
– Records security events such as valid and invalid logon
attempts, as well as events related to resource use, such
as creating, opening, or deleting files.
• System Log
– Events logged by the Windows 2000 system components.
Performance Log
• Performance Logs and Alerts contains
features for logging counter and event trace
data and for generating performance alerts.
• Can record data about hardware usage and
the activity of system services from local or
remote computers.
• Logging can occur manually on demand, or
automatically based on a user-defined
schedule
Shared Folders
• Create, view, and set permissions for shares,
including shares on computers running
Windows NT 4.0.
• View a list of all users who are connected to the
computer over a network and disconnect one or all
of them.
• View a list of files opened by remote users and
close one or all of the open files.
• Configure Services for Macintosh. This enables personal computer users and Macintosh users to share files and other resources, such as printing devices, through a computer running Windows 2000 Server.
Services
• Using Services, you can start, stop, pause, or
resume services on remote and local computers,
and configure startup and recovery options. You
can also enable or disable services for a particular
hardware profile.
• With Services, you can:
– Manage services on local and remote computers, including
remote computers running Windows NT 4.0.
– Set up recovery actions to take place if a service fails,
such as restarting the service automatically or restarting
the computer (on computers running Windows 2000 only).
– Create custom names and descriptions for services so that
you can easily identify them (on computers running
Windows 2000 only).
Users and Groups
Overview
• Administrator Account
• Guest Account
• Managing User Accounts
• Group Types
• Managing Groups
Administrator Account
Admins can do the following:
• Access any file or directory
• Create and delete users and groups
• Establish trust relationships
• Manage printers and print sharing
• Assign operators
• Create and modify logon scripts
• Set default account policies
• Set and change passwords
• Manage auditing and security logs
• Not be deleted
Administrator Account (cont.)
Admins are by default in the following
groups:
• Administrators
• Domain Admins
• Domain Users
• Enterprise Admins
• Group Policy Admins
• Schema Admins
Guest Account
• Guest account is disabled by default
• Enable the Guest account only in low-security
networks
• Always assign a password
• Can rename Guest account, but cannot delete it
• Should only have low privileges
Managing User Properties
The New User Dialog Box Buttons (Tab – Description)
• General – This tab captures tombstone data for the user, for example, name, description, office, telephone numbers, email address, home page URL, and other Web pages.
• Address – Use this tab to document street address, P.O. Box, city, state or province, zip or postal code, and country or region.
• Account – This tab documents the user’s account options.
• Profile – Use this tab to set a profile path, login script, home directory, and shared document folder.
• Telephones/Notes – Use this tab to document home, pager, mobile, fax, and IP phone numbers and any comments you might have regarding these numbers.
• Organization – This tab documents the user’s title, department, company, manager, and any direct reports.
• Member Of – Use this tab to document the groups where the user belongs.
• Dial-in – Use this tab to document the dial-in properties for the user.
Manage User Options
Account Options (Option – Description; the default for every option is OFF)
• User Must Change Password at Next Logon – Selected when you created the account, but you can change it here.
• User Cannot Change Password – Selected when you created the account, but you can change it here.
• Password Never Expires – Selected when you created the account, but you can change it here.
• Save Password as Encrypted Clear Text – Selecting this option allows your Macintosh clients to log on, which is the only password the Macintosh computers can send.
• Account Disabled – Selected when you created the account, but you can change it here.
• User Must Log On Using a Smart Card – Selecting this option forces your users to use smart cards, which require additional hardware.
• Account Is Trusted for Delegation – Selecting this option allows administration of this account to be delegated to, for instance, a departmental manager.
• Account Is Sensitive and Can Not Be Delegated – See above.
• Uses DES Encryption Types For This Account – Sets the encryption algorithm for use with, say, Kerberos.
• Don’t Require Kerberos Authentication – Selecting this means the user doesn’t use Kerberos for authentication.
Managing User Accounts
• Click Start, Settings, Control Panel, Administrative Tools,
Computer Management
• Expand System, Local Users and Groups
Creating User Accounts
• Right-Click Users, and then click New User
• Fill in the appropriate fields
Managing User Properties
• Right-Click on a User, and then click Properties
• Modify the appropriate fields
Group Types
• Domain Local Group
– Open membership: members can come from any domain
– Members can access resources only in the local domain
• Global Group
– Limited membership: members only come from local
domain
– Members can access resources in any domain
• Universal Group
– Open membership: members can come from any domain
– Members can access resources in any domain
Group Types (cont.)
Points to keep in mind…
• Local groups on domain controllers have rights only on the
domain where they were created.
• Local groups on Windows 2000 Workstation computers and
member servers (non-Domain Controllers) have rights on the
computer where they were created.
• Local groups cannot contain other local groups; they can
contain only user accounts or global groups from the same
domain or other domains.
• Global groups contain user accounts from only one domain.
They cannot contain local groups or other global groups.
• Universal groups contain user accounts from any domain.
They can contain universal accounts, global groups, local
groups, and user accounts.
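The membership rules above, modeled as an added example in Python (not from the original slides): the domain names and accounts are constructed, add_member rejects memberships that break the scope rules, and effective_users shows which accounts a permission granted to a group actually reaches once nesting is resolved.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    """A user (scope None) or a group ("domain_local", "global" or "universal")."""
    name: str
    domain: str
    scope: str = None
    members: list = field(default_factory=list)

def add_member(group, member):
    """Add a user or group to `group`, enforcing the scope rules listed above."""
    nested = member.scope                # None when the member is a user account
    if group.scope == "global":
        # Limited membership: users from the group's own domain, no nested groups.
        if nested or member.domain != group.domain:
            raise ValueError(f"{group.name}: only users from {group.domain} allowed")
    elif group.scope == "domain_local":
        # Open membership across domains, but never another local group.
        if nested and nested != "global":
            raise ValueError(f"{group.name}: local groups may nest only global groups")
    elif nested == "domain_local":
        # Universal: users from any domain plus global and universal groups.
        raise ValueError(f"{group.name}: universal groups cannot nest local groups")
    group.members.append(member)

def effective_users(group, seen=None):
    """Flatten nesting to the DOMAIN\\user names a permission on `group` reaches."""
    seen = set() if seen is None else seen
    users = set()
    for m in group.members:
        if m.scope is None:
            users.add(f"{m.domain}\\{m.name}")
        elif id(m) not in seen:
            seen.add(id(m))
            users |= effective_users(m, seen)
    return users

def demo():
    alice, bob = Principal("alice", "SALES"), Principal("bob", "ENG")  # constructed
    sales_staff = Principal("Sales Staff", "SALES", "global")
    add_member(sales_staff, alice)
    readers = Principal("Share Readers", "ENG", "domain_local")
    add_member(readers, sales_staff)     # global group from another domain: allowed
    add_member(readers, bob)
    try:
        add_member(sales_staff, bob)     # ENG user into a SALES global group: rejected
    except ValueError as err:
        rejected = str(err)
    return sorted(effective_users(readers)), rejected
```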
Predefined Groups
Predefined Local Groups
Administrators
Members can fully administer the local computer and any domain
resources. This group is the most powerful. Within the
Administrators group is a built-in account that you cannot delete.
Account Operators
Members can use User Manager for Domains to manage domain
user and group accounts. An Account Operator cannot change or
delete the Domain Admins, Account Operators, Backup
Operators, Print Operators, or Server Operators groups. Also, an
Account Operator cannot change or delete administrator
user accounts or administer security policies.
Backup Operators
Members can perform backups and restores, and can bypass the
security restrictions on directories and files to back them up.
Guests
Members can access the server from the network but cannot log
on locally. In other words, Guests have limited access to the
domain. In effect, these users can log on if they know the Guest
account and password, but they cannot change any settings on the
local computer. This group is for the occasional or one-time user
to log on. The built-in Guest account is automatically a member
of the Guests group.
Predefined Groups (cont.)
Power Users
Members can do everything that members of the Users group can
do. In addition, these members can create user accounts, modify
the user accounts that they created, put any user accounts on the
computer into the Power Users, Users, and Guest built-in groups,
share and stop sharing files and directories and printers located at
the computer, and set the computer’s internal clock.
Print Operators
Members can administer the domain printers. They can create,
manage, and delete printer shares for an NTS server.
Replicators
Members can manage replication services. They are granted the
appropriate privileges to replicate files in the domain. Use this
group only to support the Directory Replication service.
Server Operators
Members can manage the servers in the domain. Tasks include
logging on locally, restarting the server, and shutting down the
server.
Users
Members can access the server from the network but cannot log
on locally. They are normal users of the domain and have limited
access to the domain and their computers. They can make some
configuration changes to their environment but have limited
functionality. They cannot create new shared directories, for
example, or stop and start services.
Special Groups (Group – Description)
• Anonymous Users – Any unauthenticated user on the computer.
• Authenticated Users – This group consists of users who provided a valid username and password at some point.
• Batch – Any batch process accessing a resource on the computer.
• Creator Owner – A user who creates or takes ownership of a resource, such as subdirectories, files, and print jobs.
• Dialup – Any user who has access to resources on the computer using dialup networking.
• Everyone – All users who access a computer, whether locally or remotely. This group includes both interactive and network users.
• Interactive – Users who log on to the local computer. Interactive users access resources on the machine at which they are sitting.
• Network – Users who log on to a network or remote computer using their account or an enabled Guest account.
• Service – Any service.
• System – The operating system.
Managing Groups
• Click Start, Settings, Control Panel, Administrative Tools,
Computer Management
• Expand System, Local Users and Groups
Creating Groups
• Right-Click Groups, and then click New Group
• Fill in the appropriate fields
Add Members to Group
• Right-Click on a Group, and then click Add to Group
• Click Add, Select User(s), Click Add, Click OK
Security Policy
• Password Policy
• Account Lockout Policy
• Audit Policy
• User Rights Assignment
• Security Options
• Encrypting File System Properties
• Kerberos Properties
• IPSec Properties
• Configuring and Analyzing by Templates
Opening MMC Snap-Ins
To open Microsoft Management Console Snap-ins
• Click Start, Run
• Type “mmc” and hit Enter
• Under the “Console” menu, click “Add/Remove Snap-in”
• Click “Add”, select a Snap-in, click “Add”
• Optional: fill in any options, click “OK”
• Click “Close”, click “OK”
Security Policy
• It is important to notice:
– Almost all of these settings can be enforced at the local level, or at the domain level, if the computer is on a domain (in which case the domain settings would be taken from Active Directory)
– Settings at higher levels of the Active Directory Tree override those at lower levels
Password Policy
• Open “Group Policy” snap-in
• Under Computer Configuration/Windows
Settings/Security Settings/Account Policies
• Controls the formation and changing of user
passwords
• Age, Length, History, Complexity
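As an added illustration (not part of the original slides), the four password-policy controls modeled in Python: the Windows 2000 complexity rule (at least six characters, not containing the account name, characters from three of four classes; the full-name check is omitted) is implemented as stated, while the threshold values, account name and sample passwords are constructed.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass
class PasswordPolicy:
    """The four knobs from the Password Policy node (values are constructed)."""
    min_length: int = 8          # Minimum password length
    max_age_days: int = 42       # Maximum password age
    history_size: int = 24       # Enforce password history
    complexity: bool = True      # Passwords must meet complexity requirements

def meets_complexity(password, account_name):
    """Windows 2000 complexity rule: at least 6 characters, must not contain the
    account name, and must use at least 3 of the 4 character classes."""
    if len(password) < 6 or account_name.lower() in password.lower():
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3

def check_new_password(policy, account_name, new_password, history):
    """Return the list of policy violations for a password change (empty means
    accepted). `history` holds the user's previous passwords, most recent first;
    constructed here in plaintext for illustration, Windows keeps only hashes."""
    problems = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.complexity and not meets_complexity(new_password, account_name):
        problems.append("does not meet complexity requirements")
    if new_password in history[:policy.history_size]:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    return problems

def password_expired(policy, last_set_iso, today_iso):
    """Maximum age: a change is forced once the password is older than
    max_age_days (a maximum age of 0 means passwords never expire)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_set_iso)
    return policy.max_age_days > 0 and age.days > policy.max_age_days
```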
Account Lockout Policy
• Open “Group Policy” snap-in
• Under Computer Configuration/Windows
Settings/Security Settings/Account Policies
• Controls the lockout settings for incorrect
passwords
Audit Policy
• Open “Group Policy” snap-in
• Under Computer Configuration/Windows
Settings/Security Settings/Local Policies
• Controls which system events are recorded in the Event Log, to be viewed in the Event Viewer later
• For all events, successes and/or failures may
be logged
• Must be careful not to audit too much
Audit Policy (Example)
• By double clicking on Audit Account Logon
Events and checking “success” and “failure”,
you can log to the Event Log every attempt at
access to the computer
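How audited logon events and the Account Lockout Policy fit together, as an added example not taken from the slides: constructed Security-log entries using the Windows 2000 logon event IDs 528 (successful logon) and 529 (unknown user name or bad password) are replayed against the three lockout settings to show which accounts would be locked out and when, and which workstations the bad attempts came from.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows 2000 Security log logon events (not real data):
# (time, event id, account, workstation). Event 529 is "Logon Failure: Unknown
# user name or bad password"; event 528 is a successful logon.
EVENTS = [
    ("2002-09-18 08:00:05", 529, "jsmith", "WS12"),
    ("2002-09-18 08:00:09", 529, "jsmith", "WS12"),
    ("2002-09-18 08:00:14", 529, "jsmith", "WS12"),
    ("2002-09-18 08:00:20", 529, "jsmith", "WS12"),
    ("2002-09-18 08:00:25", 529, "jsmith", "WS12"),
    ("2002-09-18 08:00:31", 529, "jsmith", "WS12"),
    ("2002-09-18 08:05:00", 529, "dgreer", "WS07"),
    ("2002-09-18 08:06:00", 528, "dgreer", "WS07"),
    ("2002-09-18 09:10:00", 529, "dgreer", "WS07"),
]

def replay_lockout_policy(events, threshold=5, reset_after=timedelta(minutes=30),
                          duration=timedelta(minutes=30)):
    """Replay audited logon events against an Account Lockout Policy and return
    {account: time of lockout}. The parameters are the policy's 'Account lockout
    threshold' (0 means never lock out), 'Reset account lockout counter after'
    and 'Account lockout duration'."""
    failures = defaultdict(list)       # account -> times of recent bad passwords
    locked = {}
    for stamp, event_id, account, _workstation in events:
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if account in locked and t < locked[account] + duration:
            continue                   # attempts during the lockout change nothing
        if event_id == 528:
            failures[account].clear()  # a good logon resets the bad-password count
        elif event_id == 529:
            recent = [f for f in failures[account] if t - f < reset_after] + [t]
            failures[account] = recent
            if threshold and len(recent) >= threshold:
                locked[account] = t
                failures[account].clear()
    return locked

def failures_per_workstation(events):
    """Count 529 events by workstation: a quick view of where bad-password
    attempts originate when reviewing the Security log."""
    counts = defaultdict(int)
    for _stamp, event_id, _account, workstation in events:
        if event_id == 529:
            counts[workstation] += 1
    return dict(counts)
```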
User Rights Assignment
• Open “Group Policy” snap-in
• Under Computer Configuration/Windows
Settings/Security Settings/Local Policies
• Controls which users and groups have access
to special system-level commands, such as
shutting down the computer
Security Options
• Open “Group Policy” snap-in
• Under Computer Configuration/Windows
Settings/Security Settings/Local Policies
• Controls miscellaneous other security options,
especially the permissions of remotely
connected users.
Security Options
Security Options (Examples)
• Using “Rename Administrator Account”, you
can change the admin name and create a
dummy “Administrator” account with no
privileges, that is heavily logged
• Set “Clear memory pagefile when system
shuts down” to prevent the swap file from
being recovered (easily)
Encrypting File System
Properties
• Open “Group Policy” snap-in
• Under Computer Configuration/Windows
Settings/Security Settings/Public Key Policies
• Or open “Certificates” Snap-in
• Controls the certificates (public keys) of
Encrypted Data Recovery Agents
• Whenever a file is encrypted by a user, there
must be a recovery agent
Encrypting File System
(Examples)
• Under certificates for a File Recovery Agent
(default Admin), Personal/Certificates, Right
click on the file recovery certificate and click
All Tasks, export.
• You can export and delete the recovery agent
private key, and store it in a secure location
for later recovery
• Thus, one cannot get the recovery agent key,
even by breaking the account password
Kerberos in W2K
• Windows 2000 uses Kerberos V for
authenticating computers and users between
domains
• The domain controller acts as the KDC (a trusted third party) in mutually authenticating clients to servers in inter- and intra-domain communication
• Secret-key tickets are given to communicating
parties
Kerberos Settings
• Open “Group Policy” snap-in
• Under Computer Configuration/Windows
Settings/Security Settings/Account
Policies/Kerberos Policy
• Only for computers on Domains
• Controls the details of Kerberos tickets and
authentication
• Microsoft says, and NSA agrees, the default
settings are OK
IPSec Settings
• Open “Group Policy” snap-in
• Computer Configuration/Windows Settings/
Security Settings/IP Security Policy
• Controls the policies for secure communication
via IPSec and its cryptographic settings
• Allows filtering of packets of various protocols
without authentication and IPSec
• Can require that all communication be Secured
(Secure Server)
Configuring and Analyzing Security
Properties by Templates
• Open “Security Configuration and Analysis”
snap-in
• Right click “Security Configuration and
Analysis” and click “open database”, make a
new database file, click “open”, and select a
template, such as “hisecws.inf” (high secure
workstation/server) and click open
• Right click “Security Configuration and Analysis” again and choose to configure (set your settings to the template) or to analyze (compare your settings to the template)
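An added example (not the snap-in's own code) of what the analyze step does: a constructed fragment in the .inf security-template format is parsed and compared to a constructed snapshot of a machine's current settings. The section and key names follow the template format; the values are illustrative and are not those of hisecws.inf.

```python
import configparser

# Constructed fragment in the .inf security-template format; the values are
# illustrative and not a copy of hisecws.inf or any other shipped template.
TEMPLATE = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
"""

# Constructed snapshot of a machine's current settings, in the same shape the
# template parses to (section -> key -> value); audit values: 0 none, 3 both.
CURRENT = {
    "System Access": {"MinimumPasswordAge": "0", "MaximumPasswordAge": "42",
                      "MinimumPasswordLength": "0", "PasswordComplexity": "0",
                      "PasswordHistorySize": "0", "LockoutBadCount": "0",
                      "ResetLockoutCount": "30", "LockoutDuration": "30"},
    "Event Audit": {"AuditLogonEvents": "0", "AuditAccountLogon": "0"},
}

def parse_template(text):
    """Parse template text into {section: {key: value}}, skipping [Unicode]."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str               # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s != "Unicode"}

def analyze(template, current):
    """The snap-in's 'analyze' step: list every template setting whose current
    value differs, as (section, key, template value, current value)."""
    findings = []
    for section, settings in template.items():
        for key, wanted in settings.items():
            actual = current.get(section, {}).get(key, "not configured")
            if actual != wanted:
                findings.append((section, key, wanted, actual))
    return findings
```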
Any Questions?