When designing security for your network, you must consider the membership requirements for Windows 2000 administrative groups. Administrators are able to perform tasks that could change your network's security design. You must carefully consider the criteria for membership in these groups (and their component groups) to ensure that security can't be weakened on the network.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
Windows 2000 contains several predefined administrative groups. When designing security for your Windows 2000 network, you must determine appropriate membership in each group. By understanding the capabilities of each group and assigning the correct memberships, you can ensure that users aren't assigned excess privileges on the Windows 2000 network.
Several default groups exist within Active Directory and are assigned rights on the network. Understanding the rights each group is assigned can assist you in determining the appropriate administrative group memberships within your Active Directory.
Table 4.2 identifies the default administrative groups that exist in a Windows 2000 network.
Table 4.2 The Default Windows 2000 Administrative Groups
Group Name | Group Type | Purpose |
---|---|---|
Enterprise Admins | Universal | Exists only within the forest root domain. Has forest-wide administrative scope. Members of this group are allowed to modify Enterprise-wide configuration. Membership must be monitored at all times. |
Schema Admins | Universal | Exists only within the forest root domain. Members can make changes to the forest schema, including the modification of existing attributes and classes or the addition of new attributes or classes. |
Domain Admins | Global | A member of the Administrators group within each domain of the forest. When a member server or workstation joins the domain, the Domain Admins group is added as a member of the local Administrators group. Members can administer the domain in which they are defined. Additionally, members of the Domain Admins group in the forest root domain are permitted to modify membership of the Enterprise Admins or Schema Admins groups as they exist in the forest root domain. |
Group Policy Creator Owners | Global | Members are allowed to create new Group Policy objects in Active Directory. |
Administrators | Domain Local | Members are allowed to fully manage the domain in which the group exists, including management of services and accounts within Active Directory. |
Power Users | Local Group | Exists only on nondomain controllers. Members are allowed to manage users and groups in the local SAM database, modify or delete accounts that they created, and manage membership in the Users, Guests, and Power Users groups. Power Users also can install most applications; create, manage, and delete local printers; and create and delete file shares. |
Account Operators | Domain Local | Members of this group can create, modify, or delete accounts for users, groups, and computers in any container within the domain where the Account Operators group exists. The only exceptions are the Builtin container and the Domain Controllers OU. The only groups that Account Operators are prohibited from managing are the Administrators and Domain Admins groups. In the forest root domain, members can't modify the properties of the Enterprise Admins or Schema Admins groups. |
Server Operators | Domain Local | Members are allowed to log on locally at a server, manage network shares, stop and start services, back up and restore data, format hard disk drives, and shut down the computer. |
Print Operators | Domain Local | Members can manage printers and printer queues, including managing print jobs that weren't submitted by the member. |
Backup Operators | Local | Members are allowed to back up and restore all files on the computer. Members aren't subject to permissions on files when performing the backup. Members also can log on locally and shut down the computer. |
Replicators | Domain Local | In Windows NT domains, it's a built-in group used by the File Replication service on DCs. |
DHCP Administrators | Domain Local | Members can administer DHCP services within the domain where the group exists. This group is created automatically when the DHCP service is installed. |
DNS Admins | Domain Local | Members can administer DNS services in the domain where the group is defined. This group has members in any domain where the DNS service is installed. |
WINS Admins | Domain Local | Members can administer the Windows Internet Naming Service (WINS) service within the domain where the group is defined. This group is not created automatically when the WINS service is installed in a domain. |
DNSUpdate Proxy | Global | Members can create DNS resource records without taking ownership of the DNS resource records. Generally, DHCP servers are made members of this group to ensure that a client workstation using Windows 95, Windows 98, or Windows NT can take ownership of the resource record after the computers are upgraded to Windows 2000. |
Pre–Windows 2000 Compatible Access | Domain Local | Members can query Active Directory using a NULL session. During the DCPROMO process, which installs and configures Active Directory to promote a server to a DC, if the option to enable pre–Windows 2000 compatible access for remote access is enabled, the Everyone group is added as a member to this group. |
NOTE
Unless otherwise noted, Windows NT refers to versions 3.51 and 4.0.
Poor administrative group design can hurt your network security. If you don't control administrative group membership, your network security can be severely compromised.
In a Windows 2000 network you can use two common strategies to control the membership of Windows 2000 administrative groups. The two methods are
Auditing Group Membership
You can use Windows 2000 auditing and periodic manual audits to ensure that group membership is as it should be in your Windows 2000 network. Your network must determine which groups must be periodically audited.
The audit must ensure that both users directly configured as members of the administrative group and the membership of any composite groups are verified against documented membership. You can do this either by performing regularly scheduled manual inspection of the administrative groups or by using third-party products that report group memberships to precustomized reports.
Using Third-Party Tools to Determine Group Membership
You can use several alternatives to report on group memberships in a Windows 2000 network. Common methods used in the industry include the following:
- SomarSoft's Dumpevt. The Dumpevt utility (formerly known as DumpACL) is commonly used to report on the configured discretionary access control lists (DACLs) that are defined for file and share resources. In addition, this software reports on group memberships for all groups within Active Directory. You can download this utility for free at http://www.somarsoft.com/.
- Windows Scripting Host. You can use the Windows Scripting Host (WSH) to generate scripts that report on group membership. Many example scripts are available at cwashington.netreach.net/.
Whatever method you choose, ensuring that the reports are run at regular intervals and are examined to verify that no anomalies exist in the administrative group memberships will prevent excess rights from being applied to unauthorized user accounts.
You must determine which group meets your needs. Consider that the Account Operators and Server Operators are assigned only a subset of the privileges of the Administrators group. If a user is only required to perform user and group management, then assign her membership only in Account Operators.
Using Restricted Groups to Maintain Group Memberships
If you want to limit membership within a specific group, you can use the Restricted Groups option within Group Policy to predefine membership within the groups. This Group Policy ensures that membership matches the defined membership. If members are added or deleted, the Group Policy will ensure that the desired membership is reestablished.
You can apply Restricted Groups policy at the site, domain, or OU level. When applied, the Restricted Groups policy setting provides two forms of protection for a defined group, as shown in Figure 4.2.
Figure 4.2 Defining both the membership within the group and the groups that the group can be a member of for a restricted group
NOTE
Group Policy will be automatically applied to DCs every 5 minutes. Windows 2000 Professional workstations and Windows 2000 member servers that are members of the domain will apply the computer policies every 90 minutes by default. You can force the application of the security policy by running the following command from the command prompt at the target workstation: SECEDIT/REFRESHPOLICY MACHINE_POLICY/ENFORCE.
When making your decision on administrative group design, you must do the following:
The decisions that Hanson Brothers faces include determining membership in the administrative groups for the Central IT team and ensuring that membership is guarded and audited for enterprise-level administrative groups.
Based on the role definitions provided in the chapter scenario, you must define the administrative group membership for Hanson Brothers, shown in Table 4.3.
Table 4.3 Administrative Group Memberships for Hanson Brothers
Group | Membership |
---|---|
Enterprise Admins | Only the default administration account. The account must be restricted further to be used at only specific locations on the network. |
DNSAdmins | Derek Graham |
DHCP Administrators | Derek Graham |
Account Operators | Steve Masters |
Schema Admins | Yvonne Schleger |
Server Operators | Eric Miller |
Group Policy Creator Owners | Stephanie Conroy |
Note that in the table no members are assigned to the Backup Operators group. This is because Hanson Brothers requires that the Backup and Restore privileges be divided between Stephanie Conroy and Kim Hightower. Membership in the Backup Operators group would be an excess assignment of user rights.
The other requirement you must manage is the membership of the Domain Admins, Enterprise Admins, Schema Admins, and Administrators groups. You can manage these groups by
For restricted groups, you can set the properties for Hanson Brothers as shown in Table 4.4 to ensure that group membership isn't changed from the desired membership. To ensure that the group memberships are maintained on the domain, the Restricted Groups policy must be deployed at the Domain Controllers OU for Hanson Brothers.
Table 4.4 Restricted Group Definitions for Hanson Brothers
Group | Members | Member of |
---|---|---|
Domain Admins | Administrator | Administrators Enterprise Admins |
Enterprise Admins | Administrator | None |
Schema Admins | Administrator Yvonne Schleger | None |
Administrators | Domain Admins Enterprise Admins Administrators | None |
Sometimes you will require a group to have only a subset of the rights that an administrative group is assigned. For example, your security policy may require that the backup and restore privileges are separated. In Windows 2000 the Backup Operators group provides both privileges.
By creating two custom groups and assigning one group the right to back up files and the other group to restore files, as illustrated in Figure 4.3, you can reduce the risk associated with a single user account having the rights to back up and restore files from the network.
Figure 4.3 Splitting backup rights between a custom Backup and custom Restore group
NOTE
The main concern that network administrators have with the mixing of the rights to back up and restore files is that an account with the right to back up files can back up all files on the network. This includes files that the account may not have access to on the network.
The key to creating custom administrative groups is to determine exactly which rights a specific account requires. One group that has a large number of rights on a network is the Enterprise Admins universal group in the forest root domain. An organization will often create custom groups to delegate only specific rights to an account, rather than make the account a member of the Enterprise Admins group and provide the account with excess privileges.
To carry this example further, membership in the Enterprise Admins group is required to perform the following security tasks in a Windows 2000 forest:
NOTE
The Enterprise Admins must create the domains and servers in advance by using the domain management set of commands in Ntdsutil. Within this menu, they can create the domain cross-reference object by using the following command: PRECREATE %1 %2, where %1 is the name of the domain to create and %2 is the name of the DC that will be added to the domain.
You should base your decision on whether to create custom security groups for the purpose of administration in your Active Directory on the following guidelines:
Hanson Brothers must create custom administration groups to meet the following requirements outlined in this chapter's case scenario:
Figure 4.4 OU structure necessary to delegate administration to the remote offices
Figure 4.5 Assigning a Custom Local group the Backup Files And Directories right
When designing the administrative group structure for your forest, you must make sure that membership is designed not to grant excess rights on the network. You do this by only assigning security principals to an administrative group that provides the required rights on the network. Don't just add the security principal to the Administrator or Domain Admins group because it "works."
By using the restricted groups in Group Policy and performing regular audits of administrative groups, you can verify that only authorized users are members of administrative groups.