When designing your network's security, consider how you must deploy groups to assist in providing access to network resources. Your choice of security group type and scope will determine your network's security and manageability levels.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
In a Windows 2000 network, access to network resources is authorized through the inspection of the user Security Identifier (SID) and any group SIDs for the user account. To allow auditing of security access and to simplify the administration of network resources, use groups when you design security assignments.
When you create a custom group, you must define the group type and the group scope for the custom group, as shown in Figure 5.2.
Figure 5.2 Configuring the group scope and group type for a new group
NOTE
While it's critical to select the proper group scope and group type for a newly created group, you may change these properties once a group has been created. Of course, this is subject to the rules of membership for the group scope.
You can define two different types of Windows 2000 groups: security groups and distribution groups. Use security groups for entries in discretionary access control lists (DACLs) and system access control lists (SACLs) to define security and auditing settings for an object. Membership in a security group provides the equivalent rights and permissions assigned to that group. Use distribution groups for such applications as e-mail distribution lists. When an access token is built for a user, security group SIDs are included in the access token but distribution group memberships are ignored. If a group's purpose is to define security for a resources, always make sure that you define the group type to be security.
Do Distribution Groups Have SIDs?
Yes. Even though you can't assign a distribution group permissions to an object, you can still convert the distribution group into a security group in Active Directory Users And Computers. Because you can convert group types, SIDs are automatically assigned to newly created distribution groups in case they are converted to security groups.
You can identify the SID of a distribution group by using the Active Directory Administration Tool (Ldp.exe) that's included with the Windows 2000 Support Tools. This tool allows you to bind to Active Directory and query objects in Active Directory by issuing Lightweight Directory Access Protocol (LDAP) commands. Figure 5.3 shows the details of the Distribution Group named OfficeMail.
Figure 5.3 Distribution groups with SIDs
Note that the OfficeMail distribution group has been assigned the SID S-15-1C6DFF84-64D5D18F-8078A22-46D.
Once you've selected the group type, you must set the scope for the group. The scope defines where the group can be used, where the membership of the group is maintained, and how the group can be used.
NOTE
By implementing native mode in a Windows 2000 domain, you increase your options for setting security group scopes. Mixed-mode domains may contain Windows NT backup domain controllers (BDCs) that limit the types of groups you can create because they don't recognize the newer Windows 2000 scopes (domain local and universal groups) and don't recognize new functionality, such as nesting global groups within other global groups. (Unless otherwise noted, "Windows NT" refers to versions 3.51 and 4.0.)
When Windows 2000 Active Directory is configured to run in native mode, you can select four group scopes for a Windows 2000 group. These are
NOTE
In a mixed-mode environment, domain local groups can only be used on domain controllers (DCs), much like local groups in a Windows NT environment.
TIP
To reduce the replication traffic associated with changes in universal group membership, assign global groups as members of the universal group instead of as user accounts. This way, you can modify the membership within the composite global groups without adding or removing global groups from within the universal group.
When designing your network's security, consider how you will assign permissions to resources. This process includes the creation of custom groups to provide the permissions to protect these resources.
To create the necessary groups, you must understand the way you can set group memberships. Table 5.1 outlines the memberships that are allowed within groups.
Table 5.1 Group Membership in a Windows 2000 Domain
Group Scope | Mixed Mode Membership | Native Mode Membership |
---|---|---|
Domain Local | User accounts from any domain Global groups from any domain | User accounts from any domain Global groups from any domain Universal groups from any domain Domain local groups from the same domain |
Global | User accounts from the same domain | User accounts from the same domain Global groups from the same domain |
Universal | N/A | User accounts from any domain Global groups from any domain Universal groups from any domain |
Computer Local | Local user accounts Domain user accounts from any domain Global groups from any domain | User accounts from any domain Global groups from any domain |
The next step is to design a methodology of using groups to provide access to resources on the network. As Table 5.1 shows, it's possible to place user accounts into each of the four group types. While it's possible, however, it's often not desirable because doing so can lead to difficulties in determining the correct group membership.
One of the more common strategies, known as A-G-DL-P, is shown in Figure 5.4.
Figure 5.4 Assigning permissions by using A-G-DL-P
In this strategy you place accounts only into global groups to simplify administration. In native mode, global groups may also have other global groups as members. You then make these global groups members of a domain local group, which may be a member of additional domain local groups. You assign permissions to the domain local group. The permissions assigned affect all members of the domain local group.
TIP
You most often use A-G-DL-P in a forest that has a single domain. You don't need to use universal groups if the forest has only a single domain.
The A-G-DL-P strategy simplifies the troubleshooting of permissions because you only have to inspect domain local groups. Within any listing of Access Control Entries (ACEs), there should only be domain local groups.
Another strategy you can use in a Windows 2000 native domain is to integrate universal groups into the assignment of permissions, as shown in Figure 5.5.
Figure 5.5 Assigning permissions by using A-G-U-DL-P
As in the previous strategy, you assign users only to global groups, which can be made members of other global groups. The difference with this methodology is that you can collect global groups from multiple domains into a single universal group. You then add the universal group as a member of a domain local group. Finally, you assign the domain local group permissions to the object to which it requires access.
The key to this strategy is to have only global groups and other universal groups as the membership of a universal group. By not placing user accounts directly into the universal group, you can minimize changes to group membership of the universal group and subsequent changes to the global catalog. By reducing the changes in membership of the universal group, you then reduce replication traffic related to global catalog replication.
You must determine the appropriate methodology for protecting each resource. When a resource requires multiple levels of access, the result is the creation or usage of multiple groups.
When you design custom groups to provide access to Windows 2000 resources, consider the following criteria:
NOTE
For additional information on assigning permissions to file resources, see Chapter 6, "Securing File Resources."
Based on the scenario, Hanson Brothers needs to make the following decisions for the deployment of Exchange Server and the creation of custom security groups:
Table 5.2 Groups Required to Deploy Outlook 2000 Using A-G-DL-P
Group Name | Group Scope | Membership |
---|---|---|
Corporate\OutlookUsers | Global Group | All users who require the Outlook 2000 software at the Warroad, Calgary, or Boise offices |
Quebec\OutlookUsers | Global Group | All users who require the Outlook 2000 software at the Hull office |
Corporate\OutlookAdmins | Global Group | All Outlook administrators who need to configure the Outlook 2000 client software |
Corporate\OutlookRead | Domain Local Group | Corporate\OutlookUsers Quebec\OutlookUsers |
Corporate\OutlookWrite | Domain Local Group | Corporate\OutlookAdmins |
Table 5.3 Groups Required to Deploy Outlook 2000 Using A-G-U-DL-P
Group Name | Group Scope | Membership |
---|---|---|
Corporate\OutlookUsers | Global Group | All users who require the Outlook 2000 software at the Warroad, Calgary, or Boise offices |
Quebec\OutlookUsers | Global Group | All users who require the Outlook 2000 software at the Hull office |
Corporate\Outlook | Universal Group | Corporate\OutlookUsers Quebec\OutlookUsers |
Corporate\OutlookAdmins | Global Group | All Outlook administrators who need to configure the Outlook 2000 client software |
Corporate\OutlookRead | Domain Local Group | Corporate\Outlook |
Corporate\OutlookWrite | Domain Local Group | Corporate\OutlookAdmins |
To design Windows 2000 security group memberships, you must know how security groups can interact with each other. When designing security group memberships, determine the methodology that your organization will use for assigning permissions to resources. Typically, the decision comes down to A-G-DL-P or A-G-U-DL-P. You'll make that decision based on the number of domains in your organization, whether the domains are in native mode, and the amount of replication traffic related to universal group membership changes.