Designing Group Security Designing security groups Designing user rights

Upload: milo-wilkerson

Post on 28-Jan-2016


Page 1: Designing Group Security Designing security groups Designing user rights

Designing Group Security

Designing security groups Designing user rights

Page 2

Designing Microsoft Windows 2000 Security Groups

- Windows 2000 groups
- Assessing group usage

Page 3

Windows 2000 Groups

Access to network resources is authorized through inspection of the user SID and any group SIDs for a user account.

Use security groups to allow auditing of security access and to simplify the administration of network resources.

Define the group type and the group scope when creating a custom group.

There are two types of groups: security and distribution.

Page 4

Security Groups

If a group's purpose is to define security for a resource, the group type must be a security group.

Used in discretionary access control lists (DACLs) and system access control lists (SACLs) to define security and auditing settings for an object.

Membership provides the equivalent rights and permissions assigned to that group.

Security group SIDs are included in the access token.

Page 5

Distribution Groups

- Used primarily for e-mail distribution lists.
- When an access token is built for a user, distribution group memberships are ignored.
- Can be converted into a security group by using Active Directory Users And Computers.
- SIDs are automatically assigned to newly created distribution groups.
- Identify the SID of a distribution group by using the Active Directory Administration Tool (Ldp.exe).
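The three slides above make a single mechanism explicit: the access token carries the user SID plus the SIDs of security groups (including groups reached through nesting), distribution groups contribute nothing to the token until they are converted, and DACL ACEs are matched against the token's SIDs. The following Python model is an added example and is not code from the slide deck; the group names, the simplified SID strings, the access-mask bits and the sample DACL are all constructed for illustration.

```python
"""Model of how a Windows access token is built and then checked against a DACL.

Added illustration, not code from the slide deck: an in-memory model of the
token and DACL behaviour described on the slides. All SIDs, group names and
the sample DACL below are constructed data.
"""
from dataclasses import dataclass, field

# Access-mask bits for the sample resource (constructed; not real file-system masks).
READ, WRITE = 0x1, 0x2


@dataclass
class Group:
    sid: str
    group_type: str                               # "security" or "distribution"
    members: set = field(default_factory=set)     # SIDs of users or nested groups


@dataclass
class Ace:
    kind: str       # "deny" or "allow"
    sid: str        # trustee SID
    mask: int       # access-mask bits this ACE covers


def build_token(user_sid, groups):
    """Return the set of SIDs placed in the user's access token.

    Membership is followed transitively (global group nested in a domain
    local group, and so on). Only security groups contribute a SID;
    distribution groups are skipped entirely, so nesting through them
    carries no security identity either.
    """
    token = {user_sid}
    frontier = [user_sid]
    while frontier:
        current = frontier.pop()
        for g in groups.values():
            if current in g.members and g.group_type == "security" and g.sid not in token:
                token.add(g.sid)
                frontier.append(g.sid)
    return token


def access_check(token, dacl, requested):
    """Evaluate a DACL the way the Windows access check does.

    ACEs are walked in order. A deny ACE that covers any requested right
    not yet granted ends the check with denial; allow ACEs accumulate
    rights until every requested bit is granted. An empty DACL, or one
    that never grants the remaining bits, denies.
    """
    granted = 0
    for ace in dacl:
        if ace.sid not in token:
            continue
        remaining = requested & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


def sample_directory():
    """Constructed sample: a global group nested in a domain local group,
    a security group used only for a deny, and a distribution list."""
    return {
        "Engineers":   Group("S-1-5-21-1-1001", "security",     {"S-1-5-21-1-500"}),
        "Projects-RW": Group("S-1-5-21-1-1002", "security",     {"S-1-5-21-1-1001"}),
        "Contractors": Group("S-1-5-21-1-1003", "security",     {"S-1-5-21-1-501"}),
        "All-Staff":   Group("S-1-5-21-1-1004", "distribution", {"S-1-5-21-1-500", "S-1-5-21-1-501"}),
    }


SAMPLE_DACL = [
    Ace("deny",  "S-1-5-21-1-1003", WRITE),          # Contractors may never write
    Ace("allow", "S-1-5-21-1-1002", READ | WRITE),   # Projects-RW: read and write
    Ace("allow", "S-1-5-21-1-1004", READ),           # All-Staff: read (ineffective while it is a distribution group)
]

ALICE, BOB = "S-1-5-21-1-500", "S-1-5-21-1-501"


def can_access(user_sid, groups, requested, dacl=SAMPLE_DACL):
    return access_check(build_token(user_sid, groups), dacl, requested)


def convert_to_security(groups, name):
    """Mirror the Active Directory Users And Computers conversion: the SID is kept, only the type changes."""
    groups[name].group_type = "security"


if __name__ == "__main__":
    d = sample_directory()
    print(sorted(build_token(ALICE, d)))
    print("alice read+write:", can_access(ALICE, d, READ | WRITE))   # granted via Engineers -> Projects-RW
    print("bob read:", can_access(BOB, d, READ))                       # denied: All-Staff is a distribution group
    convert_to_security(d, "All-Staff")
    print("bob read after conversion:", can_access(BOB, d, READ))    # now granted through All-Staff
    print("bob write after conversion:", can_access(BOB, d, WRITE))  # still denied by the Contractors deny ACE
```

The conversion step is the point to watch when auditing: the group keeps the SID it was assigned at creation, so any ACE that already names that SID becomes effective the moment the type flips.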

Page 6

Windows 2000 Group Scopes

The scope defines:
- Where the group can be used
- Where group membership is maintained
- How the group can be used

Native-mode group scopes available:
- Domain local groups
- Global groups
- Universal groups
- Computer local groups

Page 7

Domain Local Groups

- Used to grant permissions to resources.
- New groups can be added to existing domain local groups.
- Membership is maintained in the domain where the domain local group exists.
- Can only be used on domain controllers (DCs) in a mixed mode environment, much like local groups in Microsoft Windows NT.

Page 8

Global Groups

- Used to combine users and other global groups that have similar business requirements.
- Membership is maintained in the domain where the global group exists.

Page 9

Universal Groups

Used to collect similar groups that exist in multiple domains.

Memberships are stored in both the domain where the universal group exists and in the global catalog.

Memberships stored in the global catalog can be verified without contacting a DC.

Any changes to universal group membership will result in modification and replication of the global catalog.

Page 10

Computer Local Groups

- Windows 2000–based computers that are not DCs maintain their own user accounts database.
- Define permissions for resources stored at that computer.
- Are not shared between computers. Must be defined at each computer where they exist.

Page 11

Assessing Group Usage

- Determine how permissions will be assigned to resources.
- Create custom groups to provide the permissions necessary to protect resources.
- Know how group memberships will be set.
- Define a strategy for assigning permissions: A-G-DL-P or A-G-U-DL-P

Page 12

Domain Local Group Membership

Mixed mode membership:
- User accounts from any domain
- Global groups from any domain

Native mode membership:
- User accounts from any domain
- Global groups from any domain
- Universal groups from any domain
- Domain local groups from the same domain

Page 13

Global Group Membership

Mixed mode membership:
- User accounts from the same domain

Native mode membership:
- User accounts from the same domain
- Global groups from the same domain

Page 14

Universal Group Membership

Mixed mode membership:
- None

Native mode membership:
- User accounts from any domain
- Global groups from any domain
- Universal groups from any domain

Page 15

Computer Local Group Membership

Mixed mode membership:
- Local user accounts
- Domain user accounts from any domain
- Global groups from any domain

Native mode membership:
- User accounts from any domain
- Global groups from any domain

Page 16

A-G-DL-P Strategy

Page 17

A-G-U-DL-P Strategy
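The membership slides (Pages 12 to 15) and the two strategy slides describe the same thing from two directions: which scopes may contain which members under each domain mode, and the nesting chains (A-G-DL-P, A-G-U-DL-P) built from those rules. The Python below, an added example rather than anything from the slide deck, encodes the membership tables as data and validates a proposed chain against them, which is how a design review can show that A-G-U-DL-P only becomes available once the domain runs in native mode. Domain names, group names and the account are constructed.

```python
"""Nesting rules for Windows 2000 group scopes and an A-G-DL-P / A-G-U-DL-P chain checker.

Added illustration, not code from the slide deck. The tables are transcribed
from the membership slides; group and domain names are constructed.
"""
from dataclasses import dataclass

# (container scope, domain mode) -> set of (member scope, "any" | "same" domain).
# "user" is a domain user account, "local_user" an account in a computer's own database.
NESTING_RULES = {
    ("domain_local", "mixed"):    {("user", "any"), ("global", "any")},
    ("domain_local", "native"):   {("user", "any"), ("global", "any"),
                                   ("universal", "any"), ("domain_local", "same")},
    ("global", "mixed"):          {("user", "same")},
    ("global", "native"):         {("user", "same"), ("global", "same")},
    ("universal", "mixed"):       set(),      # no universal group membership in mixed mode
    ("universal", "native"):      {("user", "any"), ("global", "any"), ("universal", "any")},
    ("computer_local", "mixed"):  {("local_user", "any"), ("user", "any"), ("global", "any")},
    ("computer_local", "native"): {("user", "any"), ("global", "any")},
}


@dataclass(frozen=True)
class Principal:
    name: str
    scope: str      # "user", "local_user", "global", "universal", "domain_local", "computer_local"
    domain: str


def can_contain(container, member, mode):
    """True if `member` may be placed in `container` under the given domain mode."""
    for scope, where in NESTING_RULES[(container.scope, mode)]:
        if scope == member.scope and (where == "any" or member.domain == container.domain):
            return True
    return False


def validate_chain(chain, mode):
    """Check every consecutive nesting in a chain (member, then its container); return the violations."""
    violations = []
    for member, container in zip(chain, chain[1:]):
        if not can_contain(container, member, mode):
            violations.append(
                f"{member.scope} '{member.name}' ({member.domain}) cannot be a member of "
                f"{container.scope} '{container.name}' ({container.domain}) in {mode} mode")
    return violations


def agdlp_chain(user, resource_domain):
    """A-G-DL-P: account -> global group in the user's domain -> domain local group in the resource's domain."""
    return [user,
            Principal("Engineers", "global", user.domain),
            Principal("Projects-RW", "domain_local", resource_domain)]


def agudlp_chain(user, resource_domain):
    """A-G-U-DL-P: as above, with a universal group collecting the global groups from several domains."""
    return [user,
            Principal("Engineers", "global", user.domain),
            Principal("All-Engineers", "universal", user.domain),
            Principal("Projects-RW", "domain_local", resource_domain)]


if __name__ == "__main__":
    alice = Principal("alice", "user", "west.example")
    for mode in ("mixed", "native"):
        print(mode, "A-G-DL-P  :", validate_chain(agdlp_chain(alice, "east.example"), mode) or "ok")
        print(mode, "A-G-U-DL-P:", validate_chain(agudlp_chain(alice, "east.example"), mode) or "ok")
```

Note that the permission itself (the "P" at the end of the chain) is outside the scope of the checker: it is an ACE on the resource naming the domain local group, as modelled on the Page 5 example.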

Page 18

Making the Decision: Designing Custom Security Groups

- Determine if an existing group meets requirements.
- Define what purpose the group will serve.
- Determine if additional groups are required.
- Do not assign excess permissions.
- Document new groups.

Page 19

Applying the Decision: Designing Custom Security Groups for Hanson Brothers

- Determine existing groups.
- Determine the number of group scopes using A-G-DL-P.
- Determine the number of group scopes using A-G-U-DL-P.
- Choose a methodology.
- Document the newly created groups.

Page 20

Designing User Rights

- Defining user rights with Group Policy
- User rights within Windows 2000
- Assessing where to apply user rights

Page 21

Defining User Rights with Group Policy

Administrators define user rights to authorize users to perform specific actions:
- Who can log on to a computer
- Methods for logging on to a computer
- Privileges that have been assigned to a user or group on that computer

It is best to define user rights by using Group Policy:
- Ensures consistent application of user rights
- Ensures that local changes will not override settings applied at the site, domain, or OU level

Page 22

User Rights Within Windows 2000

- Defined within local computer policy.
- Applied through the Windows 2000 Group Policy defined at the site, domain, or OU. Always preferable for a centrally administered network. Take precedence over local computer policy.
- Know what privilege a user right provides to any security principals.
- Group computers that require like assignments into the same container.

Page 23

Assessing Where to Apply User Rights

Store DCs within the Domain Controllers OU and apply user rights to the Domain Controllers OU Group Policy.

Collect all Windows 2000 member servers into a common OU structure.

Apply the user rights settings at the domain to affect all computers running Windows 2000 Professional in the domain.
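Pages 21 to 23 together describe a resolution order: local computer policy is the baseline, Group Policy linked at the site, domain and OU overrides it, and computers that need the same user rights are placed in the same container so one linked policy covers them. The Python model below is an added example, not code or guidance from the slide deck; it resolves the effective holders of each user right for a computer from its container path and reports which policy defined the winning value. The OU layout, GPO names, membership lists and the service account name SVC-Exchange are constructed; SeInteractiveLogonRight and SeServiceLogonRight are real Windows user-right constants chosen here for illustration, and "Default Domain Controllers Policy" is the name of the default GPO linked to the Domain Controllers OU.

```python
"""Where a user right comes from: local computer policy versus Group Policy at site, domain and OU.

Added illustration, not code from the slide deck. Processing order is local
policy, then the site GPOs, then the domain, then each OU from the top down;
a GPO that defines a right replaces the holder list outright (user-rights
settings do not merge), so the closest definition wins and local policy only
counts for rights no linked GPO defines. All names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Computer:
    name: str
    site: str
    ou_path: tuple                                     # ("example.com", "Member Servers", ...) from the domain down
    local_policy: dict = field(default_factory=dict)   # right -> set of holders


@dataclass
class Gpo:
    name: str
    settings: dict      # right -> set of holders; a defined right replaces, never merges


def resolve_user_rights(computer, gpo_links):
    """Return (effective rights, source policy per right) for one computer.

    gpo_links maps a container key, either "site:<name>" or an OU-path
    tuple, to the GPOs linked there in link order.
    """
    effective = {right: set(holders) for right, holders in computer.local_policy.items()}
    sources = {right: "local" for right in effective}
    containers = ["site:" + computer.site] + [computer.ou_path[:i + 1] for i in range(len(computer.ou_path))]
    for key in containers:
        for gpo in gpo_links.get(key, []):
            for right, holders in gpo.settings.items():
                effective[right] = set(holders)
                sources[right] = gpo.name
    return effective, sources


def sample_environment():
    """Constructed layout following the slides: DCs in the Domain Controllers OU, member servers
    under a common OU, workstations picking up the domain-level settings."""
    computers = {
        "dc1":  Computer("dc1", "HQ", ("example.com", "Domain Controllers"),
                         local_policy={"SeInteractiveLogonRight": {"Administrators", "Everyone"}}),  # stray local change
        "srv1": Computer("srv1", "HQ", ("example.com", "Member Servers", "Exchange")),
        "ws1":  Computer("ws1", "Branch", ("example.com", "Workstations"),
                         local_policy={"SeServiceLogonRight": {"Administrators"}}),
    }
    gpo_links = {
        ("example.com",): [Gpo("Domain User Rights",
                               {"SeInteractiveLogonRight": {"Administrators", "Users"}})],
        ("example.com", "Domain Controllers"): [Gpo("Default Domain Controllers Policy",
                                                    {"SeInteractiveLogonRight": {"Administrators"}})],
        ("example.com", "Member Servers"): [Gpo("Member Server Rights", {
            "SeInteractiveLogonRight": {"Administrators", "Server Operators"},
            "SeServiceLogonRight": {"SVC-Exchange"},          # constructed service account name
        })],
    }
    return computers, gpo_links


if __name__ == "__main__":
    computers, links = sample_environment()
    for c in computers.values():
        effective, sources = resolve_user_rights(c, links)
        for right in sorted(effective):
            print(f"{c.name}: {right} = {sorted(effective[right])}  (from {sources[right]})")
```

Running it shows the three outcomes the slides aim for: the local "Everyone" entry on dc1 is overridden by the Domain Controllers OU policy, srv1 picks up the member-server settings including the service logon right, and ws1 inherits only the domain-level logon right while its local service-logon setting survives because no linked GPO defines that right.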

Page 24

Determining Where to Apply User Rights

Page 25

Making the Decision: Designing User Rights

- Determine what user rights to grant to a security principal.
- Determine where to apply user rights.
- Determine whether to apply user permissions or user rights.

Page 26

Applying the Decision: Designing User Rights for Hanson Brothers’ Deployment of Exchange Server

- Determine a name for the service account.
- Determine which user rights to assign to the service account.
- Determine where to assign the user rights.

Page 27

Chapter Summary

- Designing Windows 2000 security groups: group types, group scopes
- Assessing group usage: group memberships, A-G-DL-P and A-G-U-DL-P strategies for assigning permissions
- Designing user rights: assessing where to apply user rights