For more information about using MMC snap-ins, see Chapter 30, "Using the Active Directory."
In Figure 39.1, you can see the MMC with the snap-in for managing domain users and computers loaded. Although the User Manager or User Manager for Domains was used by Windows NT 4.0 computers, the MMC snap-in is used with Windows 2000 and Server 2003 to manage users and computers in the domain. After you've created a domain controller in a Windows 2000 or Server 2003 network, this utility is already set up. The example used in this section is based on Windows Server 2003. For Windows 2000 computers, the MMC is pretty much the same for the tasks that are described in the text that
If you are not logged on with an account that has administrator privileges, hold down the Shift key and right-click the tool's shortcut (on the desktop or in the Start menu). Select Run As, and a dialog box pops up that lets you enter the username and password of an account that does have the rights needed to run the Administrative Tools utilities. The same thing can be done from a command prompt with the runas command. Running only the management tool under the privileged account, rather than logging on to the whole session as an administrator, keeps your everyday browsing and mail out of the privileged context.
To begin, click Start, All Programs, Administrative Tools, and then Active Directory Users and Computers. In Figure 39.1 you can see the MMC with the Users folder selected. The Users folder has been expanded in the left pane, and in the right pane you can see user groups and users for the domain.
You can also use this snap-in to manage users and computers in other domains. In Windows NT 4.0, that required explicitly setting up a trust relationship with each domain you wanted to manage from a central location. The Active Directory automatically creates two-way, transitive trust relationships between parent and child domains in the same domain tree (and between the root domains of the trees in a forest). Select the first entry in the left pane shown in Figure 39.1 (Active Directory Users and Computers), and then choose Connect to Domain from the Action menu to point the utility at another domain whose users or computers you want to manage. In effect, you can use this MMC snap-in to manage all the users and computers throughout the domain tree, subject to the permissions your account holds in each domain. See Chapter 30 for more information about the Active Directory tree structure (as well as the concept of a forest of trees).
Windows NT defined a set of basic rights you could grant to a user account, as well as a set of more granular advanced rights; the basic rights were simply combinations of the granular ones. In Windows Server 2003, rights are divided into two categories: logon rights and privileges. Logon rights are few in number, and can
The built-in Administrator account cannot be deleted or removed from the Administrators group. Because attackers know that this account exists on every Windows server, you can, and should, rename it. Keep in mind that renaming is only a speed bump: the account keeps its well-known relative identifier (RID 500), so anyone who can enumerate accounts by SID can still find it whatever it is called. You can also disable this account, after giving other accounts the same rights and privileges. Think about this in a
These logon rights are listed here:
Allow log on through Terminal Services Enables a user to log on to a computer using Microsoft Terminal Services. Essentially, the programs run on a server designated to supply this service, and the Terminal Services client computer displays the graphical interface for the application. This enables you to keep older computers with fewer resources (such as memory or processor speed) in use on your network. Because this right gives an interactive session on the server over the network, hold it to the administrators and designated remote-desktop users who really need it.
Allow log on locally Enables a user to log on locally at a workstation or server; that is, to log on sitting at the computer's own keyboard, not over a network connection. As a rule, only administrators (and operator groups with a specific need for console access) should be able to log on locally at a server.
Access this computer from a network Enables a user to log on to the computer from the network. In other words, this gives the capability to make a network connection, such as to access a file share on the computer.
Log on as a batch job Allows a user to submit a batch job (using the task scheduler) that will run under the user's account. Unless you deny this right, the default allows users to submit batch jobs to run in the background. Batch jobs are used to perform specific functions at a certain time, unlike services that run in the background and respond to certain system or user events.
Log on as a service This right allows a service to be started using the user's account. A service is a process that runs in the background continuously. Note that the Service Control Manager stores the password of such an account on the computer so that it can start the service without anyone typing the password in, so any administrator of that computer, or an intruder who gains administrative control of it, can recover that password. Give service accounts only the permissions they need, and never run a service under an account that is also a domain administrator.
Deny log on as a batch job Prevents an account from running a batch job on the computer.
Deny log on as a service Prevents an account from being used to run a service (a background process that runs without a graphical interface).
Deny log on locally
Deny access to this computer from network Is the opposite of the Access this computer from the network right. This right overrides the Access this computer from a network right.
Deny log on through Terminal Services Is the opposite of the Allow log on through Terminal Services right.
If you are familiar with the complete list of rights used by Windows NT, you'll see that the privileges that Windows Server 2003 uses are similar to those, with a few additions. These are the privileges you can use with Windows Server 2003:
Act as part of the operating system This right is usually granted to subsystems of the operating system and to certain services. It allows the holder to act as a secure, trusted part of the operating system, including creating access tokens for any identity. This is not a right you would normally need to grant to a user. The LocalSystem account possesses this privilege by default; you won't see this account, however, when you list user accounts in the Active Directory. Because the holder can effectively become any account on the computer, this right amounts to full control of the system, and an unexpected holder should be treated as a sign of compromise.
Add workstations to a domain Users or groups granted this privilege can join client computers (but not domain controllers) to the domain. Because the join request is processed by a domain controller, the right is assigned in the domain controllers' security policy, but the user does not have to log on at a domain controller to use it. By default it is granted to Authenticated Users, and a user relying on this privilege can add up to 10 computers to the domain; an account that has been given the Create Computer Objects permission on the Computers container is not subject to that limit.
Adjust memory quotas for a process If an account is granted this privilege, the user can make changes for the amount of memory a process can use.
Bypass traverse checking The user holding this right can read through a directory tree, even though she might not have access to all directories in the tree. Thus the user can be granted access to a file that exists in a directory (or subdirectory) for which the user is
Create a pagefile This right is usually granted to just the Administrators group. It allows the user to create additional page files using the System applet in the Control Panel. By creating page files on disks other than those used for the operating system or for applications, you can usually increase performance on the system. Note that a partition of a disk is not the same thing as a separate disk. Using separate partitions on the same disk will not give you the increased performance.
Create a token object This is the right to create a user logon token and is usually not granted to an individual user, but instead only to the local security authority (LSA) on the Windows computer.
Create permanent shared objects This is the right to create special resource structures that are used internally by the operating system, such as a directory in the kernel's object namespace (not a file system folder). Again, this is not a right generally needed by, or granted to, users.
Debug programs This right allows a programmer to do low-level debugging, and it is helpful for application developers and administrators. It also allows its holder to open and read the memory of any process, including those belonging to the operating system itself, which is how credentials are extracted from the local security subsystem on a compromised machine; for that reason it is as sensitive as membership in Administrators (who hold it by default). As in most networks, this right should be granted only on laboratory or development systems, and not on a production server. It is not a good idea to allow application development to be performed on the same computer that is a production server that network users make use of. The reason for this is obvious. The application being
Enable computer and user accounts to be trusted for delegation Accounts that hold this right can set the Trusted for Delegation flag on user and computer accounts in the directory. A service running under an account that is trusted for delegation can use the authentication credentials of a client that has connected to it to access resources on another computer on that client's behalf, unless the client's account has the Account is sensitive and cannot be delegated flag set. Because this lets a server impersonate its users to the rest of the network, grant the right only to trusted administrators, set the cannot-be-delegated flag on administrative accounts, and periodically review which computers are trusted for delegation.
Force shutdown from a remote source This is a right you should grant sparingly. It allows a user to shut down another computer across the network. If a computer or user account holding this right is compromised, the attacker can shut down other computers and so deny their users and dependent systems access to them, resulting in a denial-of-service attack. A denial-of-service attack is an attack that attempts to overwhelm a computer by overloading it with resource
Increase scheduling priority This gives the capability to raise the scheduling priority of a process; Administrators have this right by default. Raising the priority of a process that is making heavy use of system resources can dramatically slow down or lock out other processes, so do not give this right to typical users, who may not realize that boosting their own session can severely impact other users of the computer. The right is exercised through Task Manager (right-click a process and choose Set Priority). For all practical purposes, Windows server operating systems adjust priorities as needed on their own; if you need to shift the balance, the System applet in the Control Panel (Advanced tab, Performance settings) lets you favor either foreground applications or background services without changing priorities process by process.
Load and unload device drivers This gives the capability to load and unload device drivers (as well as other kernel-mode code). Because a driver runs with the full privileges of the kernel, anyone who can load one can take complete control of the computer and defeat every other security control on it, so you should not grant this right to ordinary users. It is granted to Administrators by default.
Lock pages in memory This right gives the capability to lock pages into physical memory so that they are not paged out to the pagefile during normal virtual memory operations. This is useful for a process running a real-time application or a database server, but it is not generally given to ordinary users, because a process that locks large amounts of memory can starve everything else on the system.
Manage auditing and security log This right lets the user specify which objects and resources will have their access recorded in the security log, and view the events produced by the auditing. It also allows the holder to clear the security log, so an intruder who gains it can erase the evidence of what he did; treat changes to its holders, and any event reporting that the log was cleared, as something to investigate.
Modify firmware environment
Profile a single process This allows the user to collect performance information about a nonsystem process. A user who has this right can use the Performance Monitor to view the performance of
Profile system performance Similar to the
Remove computer from docking station This right enables a user account to gracefully remove a computer from a docking station without having to first log on to the computer. By default, this right is not granted to any user.
Replace a process-level token This right allows its holder to replace the primary access token of a child process it starts with a different token. It is normally reserved for the operating system and for service accounts (the Local Service and Network Service accounts hold it by default), not for users.
Restore files and directories A user with this right can traverse directories and restore files and directories, or similar objects. This means that the user can restore files or entire directories, whether or not the user has permissions to access those files or directories when performing
Shut down the system Users holding this right can shut down the system. The user must be logged on to the system locally to perform this function.
Synchronize directory service data This gives the capability to synchronize all directory services. There is no account that possesses this right by default.
Take ownership of files or other objects Creators of files, directories, and other objects are in most cases the
Each of the previous privileges can be enabled for specific user accounts or groups. Some of these rights, however, are granted to groups by default. For example, the Backup Operators group can use the backup utility to back up files to offline storage, despite the
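The following PowerShell script is an added example, not code from the chapter. It exports the effective user-rights assignment with secedit (shipped with Windows 2000 and later) and lists who holds the rights discussed above that are most dangerous in the wrong hands. It assumes PowerShell is available (an add-on on Windows XP and Server 2003) and an elevated prompt; the $watch and $expected lists are this example's choices, not defaults defined by Windows, and should be tuned to your own baseline.

```powershell
# Added example (not from the chapter): audit who holds the most sensitive
# privileges and logon rights on this computer. secedit exports the effective
# user-rights assignment (local policy as modified by any domain GPO) to an INF
# file whose [Privilege Rights] section maps each right's internal constant to
# the SIDs that hold it. Run from an elevated PowerShell prompt.

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated prompt' }

# Rights from this chapter whose holders deserve review, keyed by secedit's constant.
$watch = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeDebugPrivilege              = 'Debug programs'
    SeLoadDriverPrivilege         = 'Load and unload device drivers'
    SeRemoteShutdownPrivilege     = 'Force shutdown from a remote source'
    SeTakeOwnershipPrivilege      = 'Take ownership of files or other objects'
    SeRestorePrivilege            = 'Restore files and directories'
    SeAssignPrimaryTokenPrivilege = 'Replace a process-level token'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeEnableDelegationPrivilege   = 'Enable computer and user accounts to be trusted for delegation'
    SeSecurityPrivilege           = 'Manage auditing and security log'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
}

# Well-known SIDs that legitimately hold some of these rights by default. Any other
# holder is flagged with "!!". This allowlist is the example's assumption; extend it
# (e.g. S-1-5-32-555, Remote Desktop Users) where that is intended on your servers.
$expected = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-32-551',  # BUILTIN\Backup Operators
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-19',      # NT AUTHORITY\LOCAL SERVICE
    'S-1-5-20'       # NT AUTHORITY\NETWORK SERVICE
)

function Resolve-Sid([string]$sid) {
    # Translate a SID to DOMAIN\name. An orphaned SID (deleted account) stays raw,
    # which is itself worth noticing in a rights review.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }
}

# Parse only the [Privilege Rights] section. A line looks like
#   SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
# where a leading * marks a SID; a bare token is a name secedit could not convert.
$assignments = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $right   = $Matches[1]
        $holders = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $assignments[$right] = $holders
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($priv in ($watch.Keys | Sort-Object)) {
    $holders = @()
    if ($assignments.ContainsKey($priv)) { $holders = $assignments[$priv] }
    if ($holders.Count -eq 0) {
        '   {0,-30} {1,-65} (no holders)' -f $priv, $watch[$priv]
        continue
    }
    foreach ($h in $holders) {
        $isSid = $h.StartsWith('*')
        $sid   = $h.TrimStart('*')
        $name  = if ($isSid) { Resolve-Sid $sid } else { $h }
        $flag  = if ($isSid -and ($expected -contains $sid)) { '   ' } else { '!! ' }
        '{0}{1,-30} {2,-65} {3}' -f $flag, $priv, $watch[$priv], $name
    }
}
```

Lines marked "!!" are holders outside the allowlist: an ordinary user or a service account holding Debug programs, Act as part of the operating system, or Load and unload device drivers is effectively an administrator whatever groups it belongs to. A SID that fails to resolve points to an account that was deleted while still holding the right. To review an INF exported on a machine without PowerShell, copy the file over, set $inf to its path, and remove the secedit line.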
The Active Directory can be used to delegate management for selected objects that are contained in the directory.
The MMC interface for Windows XP is much the same as that for Windows 2003. To view the rights you can assign on a client Windows XP Professional computer, use the Local Security Settings. Click on Start, Control Panel (and then switch to Classic View), Administrative Tools, and then Local Security Policy (see Figure 39.2). Under the Security Settings tree shown in Figure 39.2, click on Local Policies and then User Rights Assignment.
In the right pane of this window, you will see the rights that can be granted to users, as well as the current assignments to existing users or groups. Most of the rights in the right pane are the same as or similar to those described earlier in this chapter. If the Windows XP computer is a member of a domain, any of these local settings can be overridden by a Group Policy Object (GPO) linked to the site, domain, or organizational unit that contains the computer; the domain setting wins over the local one. (The Default Domain Controllers Policy, by contrast, applies only to the domain controllers.) If a setting is not defined by a GPO, or if your Windows XP computer is not part of a domain, you can change the rights granted to a user here. Note that the rights and privileges for the Windows XP computer are similar to those described earlier for Windows 2003.
This chapter uses several examples to
However, here it's time to look at other security settings that you can use to control user access to a computer. For example, under Account Policies you will find the Password Policy and Account Lockout Policy (see Figure 39.3).
Although this example uses Windows XP Professional, the same password policies are
Password policies enable the administrator of the Windows XP computer to enforce several rules about how passwords are chosen and used on this computer. For example:
Enforce password history You can set a value here that controls how many of each user's previous passwords are remembered (up to 24) so that none of them can be chosen again; it is a count of passwords, not a period of time. This is a very useful password policy, because you can use it to ensure that the user chooses a genuinely different password when the current one
Maximum password age This policy defines the length of time a password can be used before the user is required to change the password. A dialog box similar to that shown in Figure 39.4 is used. However, this dialog box allows you to set the number of days a password can be used. In combination with the Enforce password history entry, you can further enhance security as it applies to user passwords.
Minimum password age This entry enables you to set the minimum number of days that a password must be used before it can be changed. Although the default of zero days may seem harmless, it lets a user defeat the password history by changing the password repeatedly in one sitting until the old one is accepted again. It also means that someone who gains access to the account can change the password immediately (and thus lock out the original user). For both reasons it is a good idea to set this to at least one day. The value you set here must be less than the Maximum password age value (an administrator's reset of a password is not subject to the minimum age).
Minimum password length This value is obvious: you set the minimum number of characters that the user must use for a password. Short passwords are much easier to discover using the many password-cracking programs available on the Internet, because the number of guesses an attacker must try grows exponentially with each added character. A recommended value for this field is 10
Password must meet complexity requirements This policy is a very important one. Although setting the minimum and maximum password policies is important, this still
The Password must meet complexity requirements option should be used on networks that contain a large number of computers (an enterprise network, for example) as well as on simple SOHO LANs; both kinds of network are vulnerable to password attacks. When the option is enabled, Windows rejects a new password that contains the user's account name or parts of the full name, that is shorter than six characters, or that does not contain characters from at least three of the four categories (uppercase letters, lowercase letters, digits, and non-alphanumeric symbols). As described in Chapter 42, "Basic Security Measures Every Network Administrator Needs to Know," and Chapter 44, "Security Issues for Wide Area Networks," one of the main attacks used by malicious persons relies on many individual compromised computers. By planting programs on a large number of computers that have been broken into, an attacker can launch a Distributed Denial-of-Service attack from all the computers that the user has
Store password using reversible encryption for all users in the domain If this is enabled, the domain stores each password in a form that can be decrypted back to plaintext. That is needed only by a few authentication protocols that must see the cleartext password (for example, CHAP through Internet Authentication Service, or Digest authentication for IIS). It is not a password-recovery feature: a forgotten password is handled by having an administrator reset it, which does not require reversible storage. Because anyone who obtains a copy of the directory database can then recover every password directly, leave this disabled unless a specific application demands it, and in that case enable it on the individual accounts that need it (in the account's properties) rather than domain-wide.
As you can see from the previous password policies, you can set policies that help protect your network from compromise by both internal and external users. Don't assume that all security breaches come from outside. Can you be certain that all users inside your LAN are happy users? If so, why is it ever necessary to let some of them go? And remember that when someone is let go, it can take some time for the human resources department (or whichever part of your business handles it) to tell you, and for the user's accounts to be disabled.
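As an added example (not code from the chapter), the PowerShell script below exports the effective account policy with secedit and compares it with the recommendations made above, including the earlier advice to rename the built-in Administrator account, which secedit reports in the same section. The 10-character minimum length comes from the text; the other thresholds are this example's assumptions, and it assumes an elevated prompt on a machine with PowerShell installed.

```powershell
# Added example (not from the chapter): compare the effective password and
# lockout policy with the recommendations above. secedit writes the policy to
# the [System Access] section of an INF file. In that file -1 for
# MaximumPasswordAge means "never expires" and 0 for LockoutBadCount means
# "never lock out". Run from an elevated PowerShell prompt.

$inf = Join-Path $env:TEMP 'account-policy.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated prompt' }

# Parse [System Access]. Values are integers, or quoted strings such as
#   NewAdministratorName = "Administrator"
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^(\w+)\s*=\s*"?([^"]*?)"?\s*$') {
        $key = $Matches[1]
        $raw = $Matches[2]
        $policy[$key] = if ($raw -match '^-?\d+$') { [int]$raw } else { $raw }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Baseline. Only the 10-character minimum is taken from the text; the rest are this
# example's assumptions and should be adjusted to your own policy.
$checks = @(
    @{ Key = 'PasswordHistorySize';   Name = 'Enforce password history'
       Want = 'at least 12 remembered';            Test = { param($v) $v -ge 12 } },
    @{ Key = 'MaximumPasswordAge';    Name = 'Maximum password age'
       Want = '1 to 90 days (-1 = never expires)'; Test = { param($v) $v -ge 1 -and $v -le 90 } },
    @{ Key = 'MinimumPasswordAge';    Name = 'Minimum password age'
       Want = 'at least 1 day';                    Test = { param($v) $v -ge 1 } },
    @{ Key = 'MinimumPasswordLength'; Name = 'Minimum password length'
       Want = 'at least 10 characters';            Test = { param($v) $v -ge 10 } },
    @{ Key = 'PasswordComplexity';    Name = 'Password must meet complexity requirements'
       Want = 'enabled (1)';                       Test = { param($v) $v -eq 1 } },
    @{ Key = 'ClearTextPassword';     Name = 'Store password using reversible encryption'
       Want = 'disabled (0)';                      Test = { param($v) $v -eq 0 } },
    @{ Key = 'LockoutBadCount';       Name = 'Account lockout threshold'
       Want = '1 to 10 attempts (0 = never)';      Test = { param($v) $v -ge 1 -and $v -le 10 } },
    @{ Key = 'NewAdministratorName';  Name = 'Built-in Administrator account renamed'
       Want = 'anything but "Administrator"';      Test = { param($v) $v -ne 'Administrator' } }
)

$failures = 0
foreach ($c in $checks) {
    if (-not $policy.ContainsKey($c.Key)) {
        'WARN {0,-46} not present in export' -f $c.Name
        continue
    }
    $current = $policy[$c.Key]
    $ok = & $c.Test $current
    if (-not $ok) { $failures++ }
    '{0} {1,-46} current: {2,-14} want: {3}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $c.Name, $current, $c.Want
}
"$failures setting(s) weaker than the baseline"
```

On a domain-joined computer the export reflects the settings that Group Policy has applied, so running this on a member server shows what the Default Domain Policy actually delivered, not just what was set locally. A FAIL on ClearTextPassword or on a MaximumPasswordAge of -1 is the kind of finding to fix first; a FAIL on the rename check means the account is still discoverable by name as well as by its RID.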
If a Windows XP computer is part of a domain, you can manage user accounts on a domain controller so that the user can be granted access to other computers in the domain instead of just the local workstation. The rights on a Windows XP Professional computer in a domain setting are controlled by a Group Policy Object (GPO), which can be used to set a large number of security and other settings for computers in the network. For a SOHO network, you probably won't need to assign rights to any user account, but can instead add the user account to a user group that possesses the rights needed to perform the tasks necessary.
To learn about how you grant rights to a user or group, see Chapter 37, "Windows 2000 and Windows Server 2003 User and Computer Management Utilities."