WL040/Bidgoli-Vol III-Ch-64 June 23, 2003
HOW W2K WORKS 797

the default domain and local groups in DCs and also in workstations and servers in W2K.

The Everyone group consists of all users on a given system, regardless of whether they have been authenticated. Fortunately, the potentially dangerous Everyone group is at least not afforded elevated privileges. Groups such as Interactive Users, Network Users, Dial-up, Batch, and Terminal Server Users are volatile groups. When users are engaged in certain tasks, they are included in these groups. When they are done with the tasks, they are removed. For example, someone who performs a local logon into a system is included in the Interactive Users group as long as that user stays logged on locally. Additionally, some groups even apply to an entire tree or forest. For example, Enterprise Controllers consist of every DC in an Active Directory implementation.

Privileges
The previously mentioned default local Administrator account and default Domain Administrator account have superuser privileges—full privileges, meaning that while logged into this account someone can create or delete accounts and groups (unprivileged and privileged); disable accounts; add new users to groups; set the system time; make backups; take ownership of every file, folder, and printer; create or delete shares to folders or devices such as printers; set up and run a scheduled job; unlock a locked computer; read and purge the Security Log; and many other things. Any account that is a member of the Administrators group on a local system has the same privileges as the default local Administrator account. The default domain Administrator account also has Administrator privileges, but they apply to every server and workstation within the domain in which this account exists. Anyone who is a member of Domain Administrators (of which the default Domain Administrator account is initially the only member, but others can be added) can use Administrator privileges on every machine within a domain.
W2K, like NT, has default groups that have some but not all Administrator privileges. Account Operators, for example, can create, disable, and delete any account that does not have elevated privileges, as well as perform other tasks. Server Operators can perform many server administration tasks, including setting system time, logging on locally, and others. Backup Operators can back up systems, as well as perform other tasks. Print Operators can create and delete print shares, assign permissions for shares, install or delete print drivers, and also engage in a few other system administration tasks.

Organizational Units (OUs)
OUs are an important new feature of W2K Active Directory. OUs are in the most basic sense groups that are part of a hierarchical structure, with some groups at a higher level than others in the structure. The root OU is the uppermost one in this structure; OUs can exist at other levels of this structure as well. Any second-tier OUs, OUs immediately below the root OU, will all have the root OU as their parent OU. OUs are not unique to W2K, however; other network operating systems that adhere to X.500 or LDAP standards, such as Novell Netware 4.X and up, have OUs, for instance.
OUs can be used very advantageously. In W2K, any OU can be assigned conventional privileges or “rights” (also see the previous section, which covers privileges) and/or “delegated rights,” the capability to administer that OU by engaging in tasks such as adding users to the OU. By default, child OUs inherit the policy settings of their parent. However, policy settings can be blocked for any OU, allowing different policies to be assigned to children than to their parent OU. Additionally, when it comes to delegated rights, a child OU can never have more delegated rights than its parent. These properties and features can help guard against rights proliferation, in which too many users have too many privileges, which translates to a security catastrophe waiting to happen.
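The two OU rules just described (policy settings flow down from the parent unless an OU blocks inheritance, and a child OU may never hold more delegated rights than its parent) can be modelled in a few lines. The following is an added example written for this chapter, not Active Directory code or any Microsoft API; the OU class, the policy keys, the right names and the OU names are all constructed for illustration. It also adds an audit pass that walks the tree and reports children whose delegated rights have come to exceed their parent's, which is the "rights proliferation" the text warns about.

```python
from dataclasses import dataclass, field

# Constructed model of OU policy inheritance and delegated-rights bounding.
# Nothing here talks to a directory; it only mirrors the rules in the text.


@dataclass
class OU:
    name: str
    parent: "OU | None" = None
    policy: dict = field(default_factory=dict)   # settings set directly on this OU
    block_inheritance: bool = False              # drop everything set above this OU
    delegated: frozenset = frozenset()           # delegated rights held on this OU
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)


def effective_policy(ou):
    """Merge settings from the root down; a blocked OU discards all settings above it."""
    chain, node = [], ou
    while node is not None:
        chain.append(node)
        if node.block_inheritance:
            break
        node = node.parent
    merged = {}
    for node in reversed(chain):   # root-most first, so the nearest setting wins
        merged.update(node.policy)
    return merged


def delegate(ou, rights):
    """Grant delegated rights on an OU, refusing any right its parent does not hold."""
    rights = frozenset(rights)
    if ou.parent is not None and not rights <= ou.parent.delegated:
        extra = sorted(rights - ou.parent.delegated)
        raise ValueError(f"{ou.name}: cannot delegate beyond parent: {extra}")
    ou.delegated = ou.delegated | rights
    return ou.delegated


def audit(ou):
    """Return names of OUs whose delegated rights exceed their parent's (rights proliferation)."""
    violations = []
    for child in ou.children:
        if not child.delegated <= ou.delegated:
            violations.append(child.name)
        violations.extend(audit(child))
    return violations


def demo():
    # Constructed tree: a root OU with two children, one of which blocks policy inheritance.
    root = OU("corp.example")   # hypothetical root OU name
    root.policy = {"min_password_length": 8, "lockout_threshold": 5}
    root.delegated = frozenset({"create_user", "reset_password", "modify_group"})
    sales = OU("Sales", root, policy={"lockout_threshold": 3})
    lab = OU("Lab", root, policy={"min_password_length": 4}, block_inheritance=True)

    sales_rights = delegate(sales, {"reset_password"})     # subset of root's rights: allowed
    try:
        delegate(lab, {"create_user", "take_ownership"})   # "take_ownership" exceeds root: refused
        lab_rejected = False
    except ValueError:
        lab_rejected = True

    # Later the root's delegation is narrowed; Sales now holds more than its parent.
    root.delegated = frozenset({"create_user"})
    return {
        "sales_policy": effective_policy(sales),   # lockout_threshold overridden, length inherited
        "lab_policy": effective_policy(lab),       # blocked: only the Lab's own setting
        "sales_delegated": sorted(sales_rights),
        "lab_rejected": lab_rejected,
        "violations": audit(root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit pass matters in practice because the subset check at delegation time only protects the moment of delegation; if a parent's rights are later reduced, the children silently exceed it until someone looks.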
Access Permissions

NT featured version 4 of the NT File System (NTFS). W2K features version 5, or NTFS-5, which offers many more permissions than does NTFS-4, allowing precise control over levels of access to resources. There are 14 “base” or individual permissions and 5 combined permissions, each of which includes a number of base permissions. Each permission includes both an Allow and Deny setting. So, for example, one user could be allowed to Read Folder/Read Data in a certain folder, and another user could be assigned the Deny setting for the identical permission for the same folder, preventing the second user from being able to read the folder and the data therein.

The FAT32 file system is also available, but this alternative file system has nothing to offer as far as security goes. There are, for example, no access permissions in FAT32. FAT32 features attributes such as read-only, but these attributes are easy for an everyday user to change. NTFS-5 also has some nice built-in reliability- and performance-related features.
Inheritance also applies to NTFS permissions and ownerships in W2K. Suppose that a subfolder or file is created below a parent folder. By default, a newly created child folder or file will inherit the permissions of the parent folder. It is also possible to block inheritance for any child folder or file. When an access request occurs, the Security Reference Monitor (SRM), an important subsystem within W2K, obtains information about the requesting user’s security identifier (SID), groups to which the user belongs, and ownership of resources. The SRM next obtains the access control entries (ACEs) for the resource in question and evaluates them in a defined order. The SRM evaluates any Deny Non-inherited ACEs first, and then, if there are no such ACEs, evaluates any Allow Non-inherited ACEs. If there are no Allow Non-inherited ACEs for that resource, the SRM next evaluates any Deny Inherited ACEs, and if there are none, finally any Allow Inherited ACEs. If there is more than one ACE of one type, e.g., Deny Non-inherited, the most recently created one is applied.
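The inheritance and evaluation rules in the paragraph above can be exercised with a small simulation. The code below is an added example for this chapter, not the SRM's implementation or any Windows API: the Ace and Folder classes, the right names, the folder names and the user SIDs (S-1-5-21-100 and S-1-5-21-101) are constructed; the Users (S-1-5-32-545) and Guests (S-1-5-32-546) SIDs are the well-known built-in group SIDs. It follows the text's ordering exactly: non-inherited Deny, then non-inherited Allow, then inherited Deny, then inherited Allow, with the newest ACE winning within a tier, and a request that no ACE grants is refused. A Deny ACE is taken to apply if it covers any requested right, an Allow ACE only if it covers all of them; the SRM's handling of ownership is not modelled.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed model of NTFS ACE inheritance and the SRM evaluation order.
_creation_stamp = count()   # monotonically increasing "created" counter for ACEs


@dataclass
class Ace:
    trustee: str          # SID of a user or group
    kind: str             # "allow" or "deny"
    rights: frozenset     # e.g. {"read_data", "list_folder"}
    inherited: bool = False
    created: int = field(default_factory=lambda: next(_creation_stamp))


@dataclass
class Folder:
    name: str
    aces: list
    children: list = field(default_factory=list)


def create_child(parent, name, block_inheritance=False, own_aces=()):
    """A new child gets copies of the parent's ACEs, flagged inherited, unless blocked."""
    aces = list(own_aces)
    if not block_inheritance:
        for ace in parent.aces:
            aces.append(Ace(ace.trustee, ace.kind, ace.rights, inherited=True))
    child = Folder(name, aces)
    parent.children.append(child)
    return child


def check_access(folder, user_sid, group_sids, requested):
    """Return True if the request is granted under the four-tier evaluation order."""
    principals = {user_sid, *group_sids}
    requested = frozenset(requested)
    tiers = [("deny", False), ("allow", False), ("deny", True), ("allow", True)]
    for kind, inherited in tiers:
        matching = []
        for ace in folder.aces:
            if ace.kind != kind or ace.inherited != inherited or ace.trustee not in principals:
                continue
            # a deny applies if it touches any requested right; an allow must cover all of them
            applies = bool(requested & ace.rights) if kind == "deny" else requested <= ace.rights
            if applies:
                matching.append(ace)
        if matching:
            newest = max(matching, key=lambda a: a.created)   # most recently created wins
            return newest.kind == "allow"
    return False   # nothing grants the request: denied by default


USERS, GUESTS = "S-1-5-32-545", "S-1-5-32-546"   # well-known built-in group SIDs
ALICE, BOB = "S-1-5-21-100", "S-1-5-21-101"     # constructed user SIDs


def demo():
    # Constructed scenario: the parent grants Users read, denies Guests read.
    root = Folder("D:\\Projects", [
        Ace(USERS, "allow", frozenset({"read_data", "list_folder"})),
        Ace(GUESTS, "deny", frozenset({"read_data"})),
    ])
    # "secret" inherits the parent's ACEs and adds an explicit deny for Alice.
    secret = create_child(root, "secret", own_aces=[Ace(ALICE, "deny", frozenset({"read_data"}))])
    # "island" blocks inheritance and defines nothing of its own.
    island = create_child(root, "island", block_inheritance=True)
    in_users = [USERS]
    return {
        "bob_reads_root": check_access(root, BOB, in_users, {"read_data"}),        # explicit allow
        "alice_reads_secret": check_access(secret, ALICE, in_users, {"read_data"}),  # explicit deny beats inherited allow
        "bob_reads_secret": check_access(secret, BOB, in_users, {"read_data"}),     # inherited allow
        "bob_writes_root": check_access(root, BOB, in_users, {"write_data"}),       # no ACE grants it
        "bob_reads_island": check_access(island, BOB, in_users, {"read_data"}),     # blocked: no ACEs at all
        "inherited_count": sum(a.inherited for a in secret.aces),                   # the two copied ACEs
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the simulation makes concrete is the one auditors most often trip over: an explicit Deny placed directly on a child wins over an Allow that arrived by inheritance, while blocking inheritance leaves the object with nothing at all, so every request is refused until someone adds ACEs.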
Kerberos

Kerberos provides strong network authentication both by authenticating users in a manner that keeps passwords