The Internet Encyclopedia (Volume 3)


Telnet
Windows Installer Service
Worldwide Web Publishing Service (this is needed for IIS Web servers)

Ensure That Rights Are Given Only as They Are Needed
Check User Rights by going to Administrative Tools, then either Domain Security Policy or Local Security Policy (depending on the version of W2K your system runs), then to Security Settings, then to Local Policies, and finally to User Rights Assignment. Double-click on the User Rights Assignment container. To assign or revoke a right, double-click on the right of your choice, then add or remove the user or group of your choice. Ensure at a minimum that the Everyone group does not have any of the following rights:

Act as part of the operating system
Add workstations to domain
Back up files and directories
Create a pagefile
Create a token object
Debug programs
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Increase quotas
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Logon as a batch job
Logon as a service
Log on locally
Manage auditing and security log
Modify firmware environment variables
Replace a process level token
Restore files and directories
Shut down the system
Take ownership of files and other objects
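
One way to check this requirement offline, as an added example that is not from the chapter: the function below scans the [Privilege Rights] section of a security template (.inf), such as one produced by `secedit /export`, and reports which of the rights listed above are held by Everyone. The mapping from the display names to the `Se*` constants and the sample template are supplied here; the sample is constructed.

```python
FORBIDDEN = {  # privilege constant -> name used in the list above
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeMachineAccountPrivilege": "Add workstations to domain",
    "SeBackupPrivilege": "Back up files and directories",
    "SeCreatePagefilePrivilege": "Create a pagefile",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeDebugPrivilege": "Debug programs",
    "SeEnableDelegationPrivilege": "Enable computer and user accounts to be trusted for delegation",
    "SeRemoteShutdownPrivilege": "Force shutdown from a remote system",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeIncreaseBasePriorityPrivilege": "Increase scheduling priority",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeLockMemoryPrivilege": "Lock pages in memory",
    "SeBatchLogonRight": "Logon as a batch job",
    "SeServiceLogonRight": "Logon as a service",
    "SeInteractiveLogonRight": "Log on locally",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeSystemEnvironmentPrivilege": "Modify firmware environment variables",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeRestorePrivilege": "Restore files and directories",
    "SeShutdownPrivilege": "Shut down the system",
    "SeTakeOwnershipPrivilege": "Take ownership of files and other objects",
}
EVERYONE = {"*s-1-1-0", "everyone"}  # well-known SID form or plain group name

def rights_held_by_everyone(inf_text):
    """Return sorted display names of the listed rights assigned to Everyone."""
    hits, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a new section header ends the previous one
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line and not line.startswith(";"):
            name, _, holders = line.partition("=")
            members = {m.strip().lower() for m in holders.split(",")}
            if name.strip() in FORBIDDEN and members & EVERYONE:
                hits.append(FORBIDDEN[name.strip()])
    return sorted(hits)

# Constructed sample template, not taken from a real system.
SAMPLE = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-1-0
SeShutdownPrivilege = *S-1-5-32-544,Everyone
SeDebugPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0
[Version]
"""
print(rights_held_by_everyone(SAMPLE))
```

Rights that are not on the chapter's list (here `SeNetworkLogonRight`) are ignored even when Everyone holds them, so the output covers only the minimum stated above.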

Install and Run Anti-Virus Software
A Final Caveat
It is important not only to establish but also to maintain suitable levels of W2K security. Security is an ongoing process. You cannot simply set certain parameters in a W2K or any other type of system and then forget about security. Good security requires inspecting systems to ensure that there are no unexpected changes in permissions, rights, directories, and files within directories. Anti-virus software has to be updated constantly if it is to be effective. Good security requires systematic monitoring of logs to spot and investigate suspicious activity. Good security also requires making full and incremental backups as well as an Emergency Repair Disk at appropriate time intervals. In short, good security for W2K or any other operating system is an ongoing process.

CONCLUSION
This chapter has provided the foundation for understanding W2K security capabilities, limitations, and solutions. W2K is a complex operating system. Its potential for security is higher than that of its predecessor, NT, yet its out-of-the-box configuration leaves much to be desired. This chapter cannot be considered complete coverage of the topic of W2K security. Entire books on the topic have been written (see Further Reading), yet even these do not cover everything pertinent to the complicated subject of W2K security. Some that are likely to be helpful in gaining a deeper understanding of W2K security include books by Bragg (BRAG00), Cox and Sheldon (COX00), Norberg (NORB00), Schultz (SCHU00), and Scambray and McClure (SCAM01). The recommendations in this chapter are designed to provide a baseline level of security in W2K. Recommendations for achieving higher levels of security are provided in other, longer documents (see http://www.cisecurity.org) and books such as the ones listed below.

GLOSSARY
Active directory: A directory service that provides an infrastructure and related services that enable users and applications to locate and access objects and services throughout the network.
Containers: Higher level objects that hold other objects.
Delegation: Giving organizational unit–related rights to organizational units.
Distributed File System (DFS): A function that enables system administrators to create and administer domain shares through a centralized function on each domain controller and also allows administrators to assign permissions to shares.
Domain Name Service (DNS): A service that resolves IP addresses to hostnames and vice versa.
Domain: A group of servers and (normally) workstations that are part of one unit of management.
Domain Controllers (DCs): Machines that hold information related to policies, authentication, and other variables.
Domain local groups: Groups that can encompass users or groups from any trusted domain.
Encrypting File System (EFS): A system that provides encryption of folders and files stored on W2K servers and workstations.
Forests: (As opposed to “trees”) Trust-linked domains that are characterized by noncontiguous name spaces.
Global catalog: A service that enables users and programs that run on users’ behalf to discover available resources within a tree or forest.
Global groups: Groups that can allow access to resources in the domain or forest where they exist.
Group Policy Objects (GPOs): A collection of configuration settings related to computer configuration and user profiles.
HfNetChk: A free tool from Microsoft that enables system administrators to determine whether W2K hot fixes have been installed.