Designing Group Security
Designing security groups
Designing user rights
Designing Microsoft Windows 2000 Security Groups
Windows 2000 groups
Assessing group usage
Windows 2000 Groups
Access to network resources is authorized through inspection of the user SID and any group SIDs for a user account.
Use security groups to allow auditing of security access and to simplify the administration of network resources.
Define the group type and the group scope when creating a custom group.
There are two types of groups: security and distribution.
Security Groups
If a group's purpose is to define security for a resource, the group type must be a security group.
Used in discretionary access control lists (DACLs) and system access control lists (SACLs) to define security and auditing settings for an object.
Membership provides the equivalent rights and permissions assigned to that group.
Security group SIDs are included in the access token.
Distribution Groups
Used primarily for e-mail distribution lists.
When an access token is built for a user, distribution group memberships are ignored.
Can be converted into a security group by using Active Directory Users And Computers.
SIDs are automatically assigned to newly created distribution groups.
Identify the SID of a distribution group by using the Active Directory Administration Tool (Ldp.exe).
Windows 2000 Group Scopes
The scope defines:
- Where the group can be used
- Where group membership is maintained
- How the group can be used
Native-mode group scopes available:
- Domain local groups
- Global groups
- Universal groups
- Computer local groups
Domain Local Groups
Used to grant permissions to resources.
New groups can be added to existing domain local groups.
Membership is maintained in the domain where the domain local group exists.
Can only be used on domain controllers (DCs) in a mixed mode environment, much like local groups in Microsoft Windows NT.
Global Groups
Used to combine users and other global groups that have similar business requirements.
Membership is maintained in the domain where the global group exists.
Universal Groups
Used to collect similar groups that exist in multiple domains.
Memberships are stored in both the domain where the universal group exists and in the global catalog.
Memberships stored in the global catalog can be verified without contacting a DC.
Any changes to universal group membership will result in modification and replication of the global catalog.
Computer Local Groups
Windows 2000–based computers that are not DCs maintain their own user accounts database.
Define permissions for resources stored at that computer.
Are not shared between computers.
Must be defined at each computer where they exist.
Assessing Group Usage
Determine how permissions will be assigned to resources.
Create custom groups to provide the permissions necessary to protect resources.
Know how group memberships will be set.
Define a strategy for assigning permissions:
- A-G-DL-P (accounts into global groups, global groups into domain local groups, permissions assigned to the domain local groups)
- A-G-U-DL-P (accounts into global groups, global groups into universal groups, universal groups into domain local groups, permissions assigned to the domain local groups)
Domain Local Group Membership
  Mixed mode: user accounts from any domain; global groups from any domain
  Native mode: user accounts from any domain; global groups from any domain; universal groups from any domain; domain local groups from the same domain
Global Group Membership
  Mixed mode: user accounts from the same domain
  Native mode: user accounts from the same domain; global groups from the same domain
Universal Group Membership
  Mixed mode: none
  Native mode: user accounts from any domain; global groups from any domain; universal groups from any domain
Computer Local Group Membership
  Mixed mode: local user accounts; domain user accounts from any domain; global groups from any domain
  Native mode: user accounts from any domain; global groups from any domain
A-G-DL-P Strategy
A-G-U-DL-P Strategy
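The membership tables and the A-G-DL-P nesting rule above can be checked mechanically before groups are created. The following is an added example, not course material: it encodes the mixed-mode and native-mode membership tables, flags a nesting plan that breaks them, and shows which group SIDs reach a user's access token (distribution groups are skipped, as the Distribution Groups slide states). All principal names and domain names are constructed.

```python
# Added example (not from the course): encodes the group-membership tables and the
# A-G-DL-P strategy from the slides above. Names and domains below are constructed.
from dataclasses import dataclass
USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL, LOCAL = "user", "global", "universal", "domain-local", "computer-local"

# ALLOWED[mode][container scope] = {(member scope, member must be from the same domain)}
ALLOWED = {
    "mixed": {
        DOMAIN_LOCAL: {(USER, False), (GLOBAL, False)},
        GLOBAL: {(USER, True)},
        UNIVERSAL: set(),                         # "None": no universal security groups in mixed mode
        LOCAL: {(USER, False), (GLOBAL, False)},  # local accounts modelled as users of the computer's own "domain"
    },
    "native": {
        DOMAIN_LOCAL: {(USER, False), (GLOBAL, False), (UNIVERSAL, False), (DOMAIN_LOCAL, True)},
        GLOBAL: {(USER, True), (GLOBAL, True)},
        UNIVERSAL: {(USER, False), (GLOBAL, False), (UNIVERSAL, False)},
        LOCAL: {(USER, False), (GLOBAL, False)},
    },
}
@dataclass(frozen=True)
class Principal:
    name: str
    scope: str                    # USER or one of the group scopes above
    domain: str
    group_type: str = "security"  # "security" or "distribution"

def can_be_member(mode, member, container):
    """True if the membership table allows `member` inside `container` in this domain mode."""
    return any(member.scope == scope and (not same_domain or member.domain == container.domain)
               for scope, same_domain in ALLOWED[mode][container.scope])

def nesting_violations(mode, memberships):
    """memberships: (member, container) pairs; returns one message per disallowed pair."""
    return [f"{m.name} cannot be in {c.name} ({mode} mode)"
            for m, c in memberships if not can_be_member(mode, m, c)]

def token_groups(user, memberships):
    """Security groups reached transitively from the user; distribution groups are ignored and not traversed."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {c for m, c in memberships if m in frontier and c.group_type == "security"} - found
        found |= frontier
    return found
# A-G-DL-P plan across two domains of one forest: account -> global group -> domain local group.
alice = Principal("alice", USER, "east")
sales_g = Principal("Sales", GLOBAL, "east")
printers_dl = Principal("PrinterUsers", DOMAIN_LOCAL, "west")
newsletter = Principal("Newsletter", GLOBAL, "east", group_type="distribution")
PLAN = [(alice, sales_g), (sales_g, printers_dl), (alice, newsletter)]
```

Running `nesting_violations("mixed", PLAN)` on the plan returns no violations, while nesting a global group inside a global group, or inside a universal group, is reported in mixed mode.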
Making the Decision: Designing Custom Security Groups
Determine if an existing group meets requirements.
Define what purpose the group will serve.
Determine if additional groups are required.
Do not assign excess permissions.
Document new groups.
Applying the Decision: Designing Custom Security Groups for Hanson Brothers
Determine existing groups.
Determine the number of group scopes using A-G-DL-P.
Determine the number of group scopes using A-G-U-DL-P.
Choose a methodology.
Document the newly created groups.
Designing User Rights
Defining user rights with Group Policy
User rights within Windows 2000
Assessing where to apply user rights
Defining User Rights with Group Policy
Administrators define user rights to authorize users to perform specific actions:
- Who can log on to a computer
- Methods for logging on to a computer
- Privileges that have been assigned to a user or group on that computer
It is best to define user rights by using Group Policy:
- Ensures consistent application of user rights
- Ensures that local changes will not override settings applied at the site, domain, or OU level
User Rights Within Windows 2000
Defined within local computer policy.
Applied through the Windows 2000 Group Policy defined at the site, domain, or OU:
- Always preferable for a centrally administered network.
- Takes precedence over local computer policy.
Know what privilege a user right provides to any security principals.
Group computers that require like assignments into the same container.
Assessing Where to Apply User Rights
Store DCs within the Domain Controllers OU and apply user rights to the Domain Controllers OU Group Policy.
Collect all Windows 2000 member servers into a common OU structure.
Apply the user rights settings at the domain to affect all computers running Windows 2000 Professional in the domain.
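The placement advice above (DCs in the Domain Controllers OU, member servers in a common OU, workstations covered by the domain-level settings) relies on Group Policy processing order: local computer policy first, then the policies linked at the domain and each OU, with a later policy replacing any user right it configures. The following added example, not part of the course, models that order so the effective user rights for a computer in each container can be compared; site-linked policies are omitted, and the container, policy and user-right names are constructed labels rather than exact policy keys.

```python
# Added example (not from the course): models the Group Policy precedence the slides
# describe (local policy, then domain, then OUs) for user rights. Names are constructed.
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    user_rights: dict   # right -> set of principals; a right absent here is "not configured"

@dataclass
class Container:        # the domain or an OU; the domain has no parent
    name: str
    parent: "Container | None" = None
    gpos: list = field(default_factory=list)   # GPOs linked to this container

def policy_chain(container):
    """Containers from the domain down to the computer's own OU (later entries win)."""
    chain = []
    while container is not None:
        chain.append(container)
        container = container.parent
    return chain[::-1]

def effective_user_rights(local_policy, container):
    """Start from the local computer policy, then let each linked GPO overwrite any right it
    configures. A configured right replaces the earlier value outright; it is never merged.
    Site-linked GPOs (processed between local and domain) are left out of this model."""
    effective = dict(local_policy)
    for c in policy_chain(container):
        for gpo in c.gpos:
            effective.update(gpo.user_rights)
    return effective

# Constructed domain: DCs in the Domain Controllers OU, member servers in one Servers OU,
# workstations left in the domain container so the domain-level GPO covers them.
LOGON, SHUTDOWN = "Log on locally", "Shut down the system"   # illustrative right labels
domain = Container("hansonbrothers", gpos=[Gpo("Default Domain", {LOGON: {"Domain Users"}})])
dc_ou = Container("Domain Controllers", domain,
                  [Gpo("Default DC", {LOGON: {"Administrators", "Server Operators"}})])
servers_ou = Container("Servers", domain, [Gpo("Member Servers", {LOGON: {"Administrators"}})])
# A local edit made on one computer: it cannot override anything configured centrally,
# but a right that no GPO configures keeps its local value.
LOCAL_EDIT = {LOGON: {"Everyone"}, SHUTDOWN: {"Administrators"}}
```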
Determining Where to Apply User Rights
Making the Decision: Designing User Rights
Determine what user rights to grant to a security principal.
Determine where to apply user rights.
Determine whether to apply user permissions or user rights.
Applying the Decision: Designing User Rights for Hanson Brothers’ Deployment of Exchange Server
Determine a name for the service account.
Determine which user rights to assign to the service account.
Determine where to assign the user rights.
Chapter Summary
Designing Windows 2000 security groups
- Group types
- Group scopes
Assessing group usage
- Group memberships
- A-G-DL-P and A-G-U-DL-P strategies for assigning permissions
Designing user rights
- Assessing where to apply user rights