Академический Документы
Профессиональный Документы
Культура Документы
Every user account on a Windows 2000 machine is part of a local user group on
that computer. A user group is a set of users who have a certain amount of
control over the Windows 2000 computer. The four primary user groups are
Administrators, Power Users, Users, and Guests. As tech support representative,
you will have Administrator rights to all computers in your unit. Faculty and staff
accounts are always set to Power Users.
Administrators
Members of the Administrator group have total control over the computer and
everything on it. The user named Administrator is the default account within this
group. The domain account of each faculty or staff member with a Windows 2000
computer is part of the Administrator group on his or her computer.
Administrators Can:
Power Users
The Power User class can perform any task except for those reserved for
Administrators. They are allowed to carry out functions that will not directly affect
the operating system or risk security. All domain accounts are part of the Power
Users group on public Windows 2000 computers.
Users
Users can perform common tasks, but have little power to affect the computer
outside of their own account. The Users group is the most secure environment in
which to run programs, since a User cannot affect the operating system or
program files.
Users Can:
Guests
The Guests group grants limited access to occasional or one-time users. Once a
Guest logs out, all files created by the guest is deleted.
Guests Can:
Guests Cannot:
• Do anything else.
1. Log onto the system where you want to change the password.
2. Press Ctrl-Alt-Del to bring up the Windows Security dialogue box.
3. Click the "Change Password..." button (bottom left in that window).
4. Verify the correct Username in the first field.
5. Verify the account (whether a Domain account, or local computer account)
in the second field.
6. Enter the old (current) password for the account in the third field.
7. Enter in the new password (to use from now on) in the fourth field, and
again in the fifth to help rule out typing errors.
8. Click OK to finish and change the password.
9. Click OK to acknowledge the message that the password was changed.
10. Press the Esc button, or click Cancel to return to the Windows 2000
desktop.
Passwords
Passwords are used to protect computer systems and the data that they contain.
A computer user may use several passwords to protect several different aspects
of his or her computer. Access to a network, e-mail access, Internet access,
database access, and even access to the computer itself may be controlled by a
password. Therefore, it is not surprising that all of these passwords may cause
some confusion.
When a password fails to work, it is important to first be sure that the password
has been entered proper correctly. Passwords are usually, but not always entered
in all lower case letters, and may contain numbers as well. The two most common
causes for password failure are accidental activation of the keyboard’s Caps Lock
(Capital Lock) function and deactivation of the Num Lock (Number Lock) function
for the numeric keypad. Indicator lights on the keyboard, usually in the upper
right corner, indicate the status of these functions. When the light is on, the
function is active. Another common cause of password failure is the use of the
wrong password. More than one password may be used on a computer to protect
multiple applications. It is important to be sure that the password being used is
the right one for the application in question.
Good passwords contain both upper and lower case letters, as well as a special
character (such as # or ; or -), and numbers.
Some simple guidelines that will help you choose better passwords are:
Under Windows 2000, multiple accounts may exist. Each account should have a
password that allows access to the Windows operating system in that account.
File Permission
Introduction
The concept of a network of computers is not new or revolutionary. Servers, typically kept in
locked rooms, store the company resources (folders, files, documents, spreadsheets, etc).
These servers are locked behind closed doors so that the only access that employees have to
the resources is over the network. So, one level of security for protecting the resource is the
physical security that is provided by not allowing employees direct access to the hardware upon
which the resource is located.
In order for employees to access the resources stored on the servers, the server must be
configured to allow the employees to access the resources over the network. For a Windows
environment, this is done through shared folders. When a folder is shared it becomes available
over the network so that all users on the network can see the shared folder name, as shown in
Figure 1.
In order to protect the resources that are made available through shared folders, administrators
must configure “permissions” for the folders and files that are made available over the network.
There are two types of permissions that can be configured on shared folders: share and NTFS.
We are going to focus on the share permissions, discussing some pitfalls that are exposed when
you use them, as well as some recommended methods to successfully configure permissions for
shared folders.
To make sure that I am clear about my description of the permissions available on a shared
folder, I wanted to start off by describing the two different permissions that can be configured
on each shared folder. The two permissions are: share and NTFS.
NTFS Permission
NTFS permissions are an attribute of the folder or file for which they are configured. The NTFS
permissions include both standard and special levels of settings. The standard settings are
combinations of the special permissions, making the configuration more efficient and easier to
establish. These permissions include the following, as shown in Figure 2:
§ Full Control
§ Modify
§ Read & Execute
§ List Folder Contents
§ Read
§ Write
There are 14 special permissions for folders, which include detailed control over creating,
modifying, reading, and deleting subfolders and files contained within the folder where the
permissions are established.
NTFS permissions are associated with the object, so the permissions are always connected with
the object during a rename, move, or archive of the object.
When you check the permissions on an NTFS folder, you see a double set of permissions. The
first set in parentheses refers to the directory itself and the second set of parentheses refer to
the contents of the directory (but not to contents in any subdirectories).
(RX)
List (not specified)
Read and traverse directory
(RX)
(RX)
Read View data files and run applications
Read and traverse directory
in directory
(WX)
(not specified) cannot read or
Add Traverse directory, add files and
change contents
subdirectories to directory
(RWX)
(RX)
Add & Read and traverse directory, add
View data files and run applications
Read files and subdirectories to
in directory
directory
(RWXD) (RWXD)
Change Add, read, execute, modify, and Add, read, execute, modify, and
delete directory delete directory contents
(RWXDPO)
(RWXDPO)
Take ownership, change
Full Take ownership, change
permissions, add, read, execute,
Control permissions, add, read, execute,
modify, and delete directory
modify, and delete directory
contents
() ()
No Access
No access to directory No access to directory conte nts
There is also Special Directory Access and Special File Access. Special Access allows you pick
which combination of Read, Write, Execute, Delete, Change Permission and Take Ownership
NTFS permissions for files include Read, Change, Full Control, Special Access and No Access.
Special access for files includes read, write, execute, delete, change permission and take
ownership.
Share permissions
Share permissions are only associated with the folder that is being shared. For example, if there
are 5 subfolders below the folder that is shared, only the initial shared folder can have share
permissions configured on it. NTFS permissions can be established on every file and folder
within the data storage structure, even if a folder is not shared.
Share permissions are configured on the Sharing tab of the shared folder. On this tab, you will
have a Permissions button, which exposes the share permissions when selected, as shown in
Figure 3.
As you can see, the share permissions standard list of options is not as robust as the NTFS
permissions. The share permissions only provide Full Control, Change, and Read. There are no
special permissions available for share permissions, so the standard permissions are as granular
as you can go for this set of access control.
The share permissions are not part of the folder or file, so when the share name is changed, the
folder is moved, or the folder is backed up, the share permissions are not included. This makes
for a fragile control of the share permissions if the folder is modified.
Microsoft has historically configured all new shared folders with very open share permissions.
The default share permissions for Windows NT, Windows 2000 (Server and Professional), and
Windows XP (pre Service Pack 1) is that the Everyone group has Full Control access.
This might seem insecure with Full Control access, but when the NTFS permissions are
combined with the share permissions, the most secure of the two permissions controls the
access to the resource.
In the past, when share permissions are altered from Everyone having Full Control, it can cause
more problems than it is worth. For example, when a company typically does not use share
permissions, it can take a longer cycle to fix access to resources when they are used. When
share permissions are configured incorrectly on a shared folder, the share permissions are not
the initial configuration to be checked. In most cases, I have found that it can take hours before
the share permissions are investigated. During the troubleshooting procedures, users can be
added to “admin” groups, given elevated user rights, and added directly to the ACL of the
resource. When the share permissions are finally investigated and fixed, it can be hard to
remember all of the other configurations that have been made in an attempt to fix the users
access to the resource. Of course, this leaves the resource and overall network in an insecure
state, all due to share permissions being configured incorrectly.
With all of the confusion that old share permissions could cause, Microsoft decided to change the
rules for default share permissions with the release of Windows XP Service Pack 1. With every
operating system after this service pack release (including Windows Server 2003), the new
default permissions for all new shared folders is Everyone having Read only access, as shown in
Figure 3.
This seems like a good security setting, until you consider how many resources on your network
can actually have “read-only” access for everyone. There are not many, due to the fact that
users need to modify and alter the contents of most resources to be productive.
In almost every instance the share permissions will need to be changed from Read access. This
sets up the administrator to configure detailed share permissions, which can cause the issues
that we discussed before with regard to troubleshooting resource access with the old share
permissions being modified. With the share permissions being changed by default, I have found
that many administrators don’t feel that they need to configure NTFS permissions anymore, as
they rely on the share permissions to protect the resource. This is a gross error and leaves the
network and resources in a very vulnerable state. Share permissions are only valid when the
resource is accessed over the network, but not when it is accessed locally, using Terminal
Services, etc. Also remember that share permissions are not backed up with resource, so all
backed up files are vulnerable as well, without any permissions protecting them.
As a best practice, it is most efficient to configure share permissions with Authenticated Users
having Full Control access. Then, the NTFS permissions should configure each group with
standard permissions. This provides excellent security for local and network access to the
resource. It also provides excellent protection of the resource for when it is backed up and
when the resource name is changed or relocated. As I said earlier, the NTFS permissions will
protect the resource even if the share permissions are set to Full Control access.