Chapter 27 -- Implementing Windows 2000 Security

Chapter 27

This chapter provides an introduction to Microsoft Windows 2000 security. We'll describe basic security concepts, such as permissions, rights, accounts, user accounts, and groups. Then we'll take a tour of Local Users And Groups, the tool that lets system administrators create and modify user accounts.

Some of the material in this chapter is of interest primarily to system administrators. To set up accounts and modify the rights associated with those accounts, for example, you need to be logged on with an administrative account. Even if you aren't an administrator, however, a general understanding of security issues will enhance your ability to use Windows 2000 effectively. In particular, it's valuable to understand the concepts of user accounts, groups, rights, and permissions.

The Windows 2000 approach to security can be described as discretionary. That means that each securable system resource—each printer or file server, for example—has an owner, who has discretion over who can and cannot access the resource. Usually, a resource is owned by the user who created it. If you create a disk file, for example, you are that file's owner under ordinary circumstances. (System administrators, however, can take ownership of resources they don't create.)

SEE ALSO

---

For more information about NTFS, see Chapter 28, "Using NTFS Security."

To exercise full discretionary control over individual files, you must store those files on an NTFS volume. Windows 2000 supports the FAT and FAT32 file systems used by Windows 98, Windows 95, and MS-DOS for the sake of compatibility, but the FAT and FAT32 systems were not designed with security in mind. To enjoy the full benefits of Windows 2000 security, you must use NTFS.