Securing the File System


Windows 2003 stores all its data in the file system. User data, application data, and operating system files all live in the file system. To secure Windows 2003, these files need to be secured. Threats from outside the network, accidental deletion of system files, or access from an unauthorized internal group can all result in the loss of data or the compromising of confidential data. Windows 2003 supports many mechanisms to secure the file system.

Locking Down the File System via NTFS

Way back in Windows NT 3.1, Microsoft introduced the NT File System (NTFS). NTFS was a great breakthrough over the FAT file system in many areas. Support for larger drives, support for nonstandard block allocation sizes, and the ability to define security on a file or folder level all gave NTFS a big advantage over FAT. The ability to secure files and folders individually via NTFS permissions is the basis of Windows 2003 as a securable file server.

Windows 2003 has made great strides in the area of default system NTFS permissions on the file system. Windows no longer defaults to having the Everyone group listed for all resources. Instead, it defaults to allowing authenticated users the ability to read and list files and folders. By default, Windows 2003 will allow authenticated users to bypass traverse checking. This works hand in hand with the upgrades to client operating systems like Windows 2000 Professional and Windows XP Professional that now allow drives to be mapped at a point below the share point. So although a share might exist that looks like \\Server\users$ with departmental directories with hundreds of user directories below them, a user can now be mapped directly to his own directory without having to share the user directory explicitly and without having to grant the user rights to anything other than his own directory. Although the user might not be able to read or list the departmental directories, that access is unnecessary if the goal is only to give him access to his own home directory. This greatly simplifies the application of NTFS permissions.

Locking Down Group Membership

One of the most important ways to keep a network secured is to ensure that users are not granted membership to groups that provide more rights than they really need. Similarly, it is critical not to fall into the trap of simply making all administrators domain administrators just to ensure that they have sufficient rights to perform their daily duties. Windows 2003 has continued to make great strides in the area of granularity when it comes to assigning rights to administrators.

The area of group membership that is often overlooked by administrators is the local administrative groups on member servers and on workstations. Because these groups aren't centrally managed, it is easy to forget that they are out there. Administrators often add users' domain accounts to the local Administrators group so that the users can install a new software package, but often forget to remove that membership after the project is finished. This results in a number of users having elevated rights on their own workstations, which leaves them able to unwittingly install spyware or other applications that could put the network at risk.

One way to control membership of these local groups is through the application of Group Policy Objects. By defining the Administrators group as a Restricted Group, you can define what accounts are allowed to be present in that group. If a local administrator adds an additional account, the change will not be persistent. This enables you to easily control group memberships across the network. This parameter is found in Computer Configuration/Windows Settings/Security Settings/Restricted Groups. Simply add the group you want to restrict and add the members that are allowed to be present.
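An audit to go with the Restricted Groups policy described above, added here as an example rather than taken from the book: it lists members of the local Administrators group that are not on an allowed list. The domain name CORP, the group names, and the function names are assumptions; the script uses the WinNT ADSI provider and needs PowerShell 2.0 or later.

```powershell
# Added example (not from the book). CORP and the group names are placeholders.

function Get-LocalAdminMember {
    param([string]$Computer = $env:COMPUTERNAME)
    # The WinNT ADSI provider reads local groups on member servers and workstations.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name for domain accounts,
        # WinNT://DOMAIN/COMPUTER/name for local accounts, and
        # WinNT://S-1-5-... for accounts that no longer resolve.
        $parts = $path.Substring(8).Split('/')
        if ($parts.Length -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[0] }
    }
}

function Find-UnexpectedAdmin {
    param([string[]]$Computers = @($env:COMPUTERNAME), [string[]]$Allowed = @())
    foreach ($c in $Computers) {
        # The built-in local Administrator account is always expected.
        $allowedHere = $Allowed + "$c\Administrator"
        foreach ($member in Get-LocalAdminMember -Computer $c) {
            # -notcontains compares case-insensitively, as Windows does for account names.
            if ($allowedHere -notcontains $member) {
                New-Object PSObject -Property @{ Computer = $c; Member = $member }
            }
        }
    }
}

# Constructed allowed list; it should mirror the members defined in the
# Restricted Groups policy for Administrators.
$allowed = 'CORP\Domain Admins', 'CORP\Server Admins'
Find-UnexpectedAdmin -Allowed $allowed | Format-Table Computer, Member -AutoSize
```

Once the policy is in place, a member reported here means either the policy is not reaching that machine or the account was added since the last policy refresh.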

Keeping Users Out of Critical File Areas

Operating system files are the lifeblood of the operating system. Corruptions or deletions of these files can quickly cripple a server. Aside from application of security patches, there is no reason for an administrator to need write access to system files. Having the ability to do so only makes the administrator a threat to the stability of the system. Accidental file deletion or renaming through either operator error or malicious scripts can be prevented by locking down access to the system files. Allow the Administrator account to retain Full Control of the files in the %systemroot% directory but don't allow general administrative groups to have rights to these files. Discourage administrators from logging on to systems as Administrator. Instead have them use their normal account and use the "run as" feature if they need to run a program with elevated rights.
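A read-only check for the lockdown described above, added as an example and not part of the book: it reports Allow entries on %systemroot% that grant write, delete, or permission-change rights to anyone outside an expected list. The expected list (the local Administrator account plus SYSTEM) and the function name are assumptions; only the folders passed in are examined, not their contents.

```powershell
# Added example (not from the book). Reports who can modify system folders.

function Get-WritableAce {
    param(
        [string]$Path = $env:SystemRoot,
        # Assumption: only the local Administrator account and SYSTEM should hold write rights.
        [string[]]$Expected = @("$env:COMPUTERNAME\Administrator", 'NT AUTHORITY\SYSTEM')
    )
    # Write-type bits: Write (0x116), DeleteSubdirectoriesAndFiles (0x40),
    # Delete (0x10000), ChangePermissions (0x40000), TakeOwnership (0x80000),
    # plus GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000), which
    # inherit-only entries may carry instead of specific file rights.
    $write = 0x116 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 `
             -bor 0x10000000 -bor 0x40000000

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Skip entries that grant only read or execute rights.
        if (([int]$ace.FileSystemRights -band $write) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($Expected -notcontains $who) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the system root and System32 on the local machine.
$targets = $env:SystemRoot, (Join-Path $env:SystemRoot 'System32')
$targets | ForEach-Object { Get-WritableAce -Path $_ } |
    Format-Table Path, Identity, Rights, Inherited -AutoSize
```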



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
EAN: 2147483647
Year: 2003
Pages: 325
