Security Tools in Windows 2000


To write security-aware software effectively, you need to understand how security is administered in Windows 2000 and be familiar with some useful tools.

First, you will need administrative rights (or, in the case of a domain system, account operators' rights) to a Windows 2000 system. If necessary, create a clean installation of Windows 2000 for which you are the administrator.

Now you should become familiar with the Microsoft Management Console (MMC) if you aren't already. This application is installed with the system and resides in MMC.exe. The MMC allows you to perform administrative tasks ranging from configuring the hard drives on your system to monitoring the event log, and it includes security administration. Each function of the MMC is implemented as a snap-in that must be loaded. For more details on using the MMC, see the topic "Using the Microsoft Management Console" in Windows 2000 Help.

The Local Users and Groups snap-in for the MMC allows you to create users and groups, as well as to add members to groups. This snap-in also allows you to change the password of a user and to set some of the rules that apply to a trustee. Ideally the samples from this book should be run by a user who is a member of the Administrators group (although you will find it educational to create less powerful users and groups so that you can experience life as one of the less privileged).

The Group Policy snap-in allows you to adjust the privileges assigned to a trustee. This snap-in is somewhat more complex than the Local Users and Groups snap-in because of the vast functionality of Group Policy on Windows. Go directly to the privileges functionality of the Group Policy snap-in by expanding the following path: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Figure 9-1 shows how the resultant screen should look.


Figure 9-1. Privileges shown in the Group Policy snap-in

NOTE
It is important to understand that the MMC snap-in interface to privileges in Windows 2000 is realized through a logical layer called Group Policy. Group Policy is a complex topic and could fill several chapters on its own. This approach to assigning privileges is a step away from the approach taken by the User Manager tool in Microsoft Windows NT 4.0, which assigns privileges directly to trustees. Direct privilege manipulation is still possible through calls to system functions; however, the user interface provided with Windows 2000 uses only Group Policy.

When you use the MMC snap-ins, you might experience latency in the assignment of user rights. In addition, the assignment of user rights might be overridden completely by domain group policies. You can work around these potential problems by using a tool that manages privileges directly.

Finally, before moving on to programmatically administering trustees, I should mention that the TrusteeMan sample application described later in this chapter can also be used as a tool to create and delete user and group accounts, as well as assign privileges to trustee accounts. Although this sample is included as an instructional tool, it also provides a simple alternative to the MMC snap-ins included with Windows 2000.



Programming Server-Side Applications for Microsoft Windows 2000
ISBN: 0735607532
EAN: 2147483647
Year: 2000
Pages: 126
