Assigning User Rights for Windows 2000, Server 2003, and XP


Users who are logged in to a Windows 2000/Server 2003/XP computer can be granted rights by the administrator of that computer. If the user logs in to a domain account instead of a local account, a domain administrator manages these rights. Rights granted to an account that resides on an individual Windows 2000/Server 2003/XP computer protect access to resources on that computer only. The security information for the computer is stored locally, in the Security Accounts Manager (SAM) database, and applies only to resources on that local system.

Accounts that are created on a domain controller can be used when assigning user rights to resources on computers throughout the domain. And, by placing users into groups, you can easily manage a number of users who need the same access to resources or the same rights. This is done by granting the rights to the group instead of to individual users. If a user needs access to resources that are not granted by one group membership, you can place the user in more than one group. Because groups enable you to simplify granting rights to users, the following discussion will concentrate on those rights. User groups are discussed later in this chapter.

Starting with Windows 2000, most Administrative Tools are snap-ins for the Microsoft Management Console (MMC). By using the MMC to create management tools, you'll find it easy to switch from one MMC console to the next, without having to relearn the mechanics of each particular utility. For example, when using MMC you'll find two panes on the screen. The left pane contains a tree of objects that can be managed. An Action menu presents you with functions you can perform. The right pane is used to display different kinds of information, based on the particular utility and the actions you take. The MMC allows you to create new utilities by installing a snap-in that is appropriate for the functions you need to perform. However, most of the tasks you will use to manage the computer or domain have already been set up as an MMC application. Other snap-ins, which are used for more sensitive operations, such as altering the Active Directory schema, must be created by installing the snap-in.

For more information about using MMC snap-ins, see Chapter 31, "Using the Active Directory."


In Figure 43.1, you can see the MMC with the snap-in for managing domain users and computers loaded. Although the User Manager or User Manager for Domains was used by Windows NT 4.0 computers, the MMC snap-in is used with Windows 2000 and 2003 to manage users and computers in the domain. After you've created a domain controller in a Windows 2000 or 2003 network, this utility is already set up. The example used in this section is based on Windows 2003. For Windows 2000 computers, the MMC is pretty much the same for the tasks that are described in the text that follows.

Figure 43.1. Windows 2003 uses the Active Directory Users and Computers MMC snap-in to manage users.


Tip

If you are not logged in to an account that grants administrator privileges, you can simply hold down the Shift key and then right-click on the desktop. Select Run As and a dialog box will pop up and enable you to enter another username and password for an account that does have the necessary rights to run Administrative Tool utilities.

To begin, click Start, All Programs, Administrative Tools, and then Active Directory Users and Computers. In Figure 43.1 you can see the MMC with the Users folder selected. The Users folder has been expanded in the left pane, and in the right pane you can see user groups and users for the domain.

Note

You still can use the MMC snap-in for managing users and computers to manage other domains. In Windows NT 4.0, you needed to have a trust relationship set up with other domains you wanted to manage from a central location. The Active Directory automatically creates transitive (two-way) trust relationships between all domains that are in the same domain tree. You can simply use the first entry in the left pane shown in Figure 43.1 (Active Directory Users and Computers), and then select Connect to Domain from the Action menu to connect the utility to another domain whose users or computers you want to manage. Essentially, you can use this MMC snap-in to manage all the users and computers throughout the domain tree. See Chapter 31 for more information about the Active Directory tree structure (as well as the concept of a forest of trees).

Windows NT defined certain basic rights you could grant to a user account, as well as a set of rights that were granular. The basic rights were simply combinations of these granular rights. In Windows 2003, rights have been divided into two categories. These are logon rights and privileges. Logon rights are few in number, and can generally be used to manage most users or groups.

Tip

The Administrator user account cannot be deleted or removed from the Administrators group. However, because many hackers know that this account exists on Windows servers, you can, and should, rename it. You can also disable this account, while giving other accounts the same rights and privileges. Think about this in a high-security environment. Lastly, as discussed elsewhere in this chapter, creating an individual account for each user who requires administrative rights and permissions can help you to determine the source of any changes, using the Event Viewer. If every administrator uses the same account, your audit trail becomes meaningless, because you cannot determine which administrative user has made changes to the operating system.

These logon rights are listed here:

  • Allow log on through Terminal Services - Enables a user to log on to a computer using Microsoft Terminal Services. Essentially, a Terminal Services client runs programs on a server designated to supply this service, and the Terminal Server client computer displays the GUI interface for the application. This enables older computers with fewer resources (such as memory or processor speed) to be used in your network.

  • Allow log on locally - Enables a user to log on locally at a workstation or server; that is, to log on while sitting at the workstation or computer, not using a network connection. Generally, administrators are the only users who can log on locally at a server.

  • Access this computer from a network - Enables a user to log on to the computer from the network. In other words, this gives the capability to make a network connection, such as to access a file share on the computer.

  • Log on as a batch job - Allows a user to submit a batch job (using the task scheduler) that will run under the user's account. Unless you deny this right, the default allows users to submit batch jobs to run in the background. Batch jobs are used to perform specific functions at a certain time, unlike services that run in the background and respond to certain system or user events.

  • Log on as a service - This right allows the user to start a service using his or her account. A service is a process that runs continuously in the background.

  • Deny log on as a batch job - Prevents an account from running a batch job on the computer.

  • Deny log on as a service - Prevents an account from being used to run a service (a background process that runs without a GUI interface).

  • Deny log on locally - Is the opposite of the Allow log on locally right. This right overrides the Allow log on locally right.

  • Deny access to this computer from network - Is the opposite of the Access this computer from a network right. This right overrides the Access this computer from a network right.

  • Deny log on through Terminal Services - Is the opposite of the Allow log on through Terminal Services right.

If you are familiar with the complete list of rights used by Windows NT, you'll see that the privileges that Windows 2003 uses are similar to those, with a few additions. These are the privileges you can use with Windows 2003:

  • Act as part of the operating system - This right is usually granted to subsystems of the operating system, and for running services. It allows the holder to act as a secure, trusted part of the operating system. This is not a right you would normally need to grant to a user. The LocalSystem account possesses this privilege by default. You won't see this account, however, when you list user accounts in the Active Directory.

  • Add workstations to a domain - Users or groups granted this privilege and logged in at a domain controller can add client computers (but not domain controller computers) to the domain. This privilege is granted by default to users that are authenticated and are logged in to a domain controller, in which case the user holding this privilege can add up to 10 other computers to the domain.

  • Adjust memory quotas for a process - If an account is granted this privilege, the user can change the amount of memory a process can use.

  • Bypass traverse checking - The user holding this right can read through a directory tree, even though she might not have access to all directories in the tree. Thus the user can be granted access to a file that exists in a directory (or subdirectory) for which the user is denied access. The user account granted this privilege, however, cannot list (view) the contents of the directories that are bypassed to get to the file or directory for which access is granted.

  • Create a pagefile - This right is usually granted to just the Administrators group. It allows the user to create additional page files using the System applet in the Control Panel. By creating page files on disks other than those used for the operating system or for applications, you can usually increase performance on the system. Note that a partition of a disk is not the same thing as a separate disk. Using separate partitions on the same disk will not give you the increased performance.

  • Create a token object - This is the right to create a user logon token and is usually not granted to an individual user, but instead only to the local security authority (LSA) on the Windows computer.

  • Create permanent shared objects - This is the right to create special resource structures, such as a directory, that are used internally by the operating system. Again, this is not a right generally needed by, or granted to, users.

  • Debug programs - This right allows a programmer to do low-level debugging. It is helpful for applications developers and administrators. However, as in most networks, this right should be granted only on laboratory or development systems, and not on a production server. It is not a good idea to allow application development to be performed on the same computer that is a production server that network users make use of. The reason for this is obvious: the application being tested or created on a development system can potentially cause the server to crash, or corrupt data.

  • Enable computer and user accounts to be trusted for delegation - Accounts that hold this right can set the Trusted for Delegation setting on a user or computer account. The holder of this right can access resources on another computer, unless that computer has the Account Cannot Be Delegated control flag set. The account holding this right can use the authentication credentials of the client computer.

  • Force shutdown from a remote source - This is a right you should grant sparingly. It allows a user to shut down another computer on the same network. If a computer or user's account becomes compromised because of security problems, this right can be used to shut down other computers, and thus deny other users access to them, resulting in a denial-of-service attack. A denial-of-service attack is an attack that attempts to overwhelm a computer by overloading it with resource requests. For example, a continuous stream of TCP connection attempts can quickly use up the memory data structures a computer can offer. By shutting down a computer that is undergoing a denial-of-service attack, you can begin to protect your network, especially if more than one computer is experiencing this type of attack.

  • Generate security audits - This right is needed to create security audit log entries. This right generally is assigned not to a user, but instead to the operating system or applications.

  • Increase scheduling priorities - This gives the capability to boost the scheduling priority of a process. Administrators have this right by default. However, increasing the priority of one process can potentially allow a process that is making heavy use of system resources to dramatically slow down or lock out other processes. To use this right, the Task Manager utility is used. Do not give this right to typical users who do not understand that raising the priority for their session can severely impact other users of the computer. For all practical purposes, Windows server operating systems can adjust priorities as needed. The administrator can also use the System applet in the Control Panel to favor foreground (applications) or network services, without having to modify process priorities on a process-by-process basis.

  • Load and unload device drivers - This gives the capability to load and unload device drivers (as well as other kernel-mode code). Because kernel processes are the heart of the operating system, you should not grant this right to ordinary users. This right, instead, is granted to Administrators by default.

  • Lock pages in memory - This right gives the capability to lock pages into physical memory so that those pages do not get swapped out to the pagefile during normal virtual memory operations. This is useful for a process running a real-time application, but this right is not generally given to ordinary users.

  • Manage auditing and security log - This right lets the user determine those objects and resources that will be recorded in the security log file, and view the events produced by the auditing.

  • Modify firmware environment variables - A user granted this right can modify firmware values stored in the nonvolatile RAM of non-x86 computers. On x86 computers (such as Intel or AMD systems), the user holding this right can modify only the Last Known Good Configuration setting. For Itanium computers, users granted this right can run the bootcfg.exe application and manage the Startup and Recovery properties for the computer.

  • Profile a single process - This allows the user to set up the collection of information about a non-system process, used for measuring performance. The user who has this right can use the Performance Monitor to view the performance of non-system processes running on the computer. Administrators have this right by default.

  • Profile system performance - Similar to the preceding right, users who hold this right can perform the same functions, including the right to set or view system processes.

  • Remove computer from docking station - This right enables a user account to gracefully remove a computer from a docking station without having to first log on to the computer. By default, this right is not granted to any user.

  • Replace a process-level token - This right, usually restricted to the operating system, gives the holder the capability to modify a process's security access token.

  • Restore files and directories - A user with this right can traverse directories and restore files and directories, or similar objects. This means that the user can restore files or entire directories, whether or not the user has permissions to access those files or directories when performing duties other than backup or restore functions. The user holding this right cannot use it to examine or change the contents of those files or directories. This right applies only to restoring files or directories.

  • Shut down the system - Users holding this right can shut down the system. The user must be logged on to the system locally to perform this function.

  • Synchronize directory service data - This gives the capability to synchronize all directory services. There is no account that possesses this right by default.

  • Take ownership of files or other objects - Creators of files, directories, and other objects are in most cases the owners of these objects. Users holding this right can take ownership from the owner. This is useful when a user has left the company, and access is needed to the files, directories, or other objects.

Each of the previous privileges can be enabled for specific user accounts or groups. Some of these rights, however, are granted to groups by default. For example, the Backup Operators group can use the backup utility to back up files to offline storage, despite the protections that are in place for these files. This does not, however, give the Backup Operators group the capability to view or modify files. Members of this group can just use the backup utility to save files to other media, such as a tape.

The Active Directory can be used to delegate management for selected objects that are contained in the directory.

The MMC interface for Windows XP is much the same as that for Windows 2003. To view the rights you can assign on a client Windows XP Professional computer, use the Local Security Settings. Click on Start, Control Panel (and then switch to Classic View), Administrative Tools, and then Local Security Policy (see Figure 43.2). Under the Security Settings tree shown in Figure 43.2, click on Local Policies and then User Rights Assignment.

Figure 43.2. You can manage user rights for a Windows XP computer using the Local Security Policy.


In the right pane of this window, you will then see the rights that can be granted to users, as well as the current assignments to existing users or groups. Most of the rights you will see in the right pane are the same as or similar to those described earlier in this chapter. Because Windows XP is a client operating system, many of the rights listed here can be pre-empted by the Default Domain Controller Group Policy object (GPO) if the XP computer is part of a domain. However, if not restricted by the GPO, or if your Windows XP computer is not part of a domain, you can make changes to the rights granted to a user. Note that the rights and privileges for the Windows XP computer are similar to those described earlier for Windows 2003.

Managing User Password Policies

This chapter uses several examples to demonstrate the protections you can use to secure your network. In the preceding section you learned about the rights and privileges you can grant a user (or a group). In this section you will find that these user rights are similar for Windows XP Professional, which you can use as a client in a large network, or as a computer in a SOHO network where a computer using a server operating system is needed.

However, here it's time to look at other security settings that you can use to control user access to a computer. For example, under Account Policies (see Figure 43.3) you will find the Password Policy and Account Lockout Policy.

Figure 43.3. You can manage password policies for a Windows XP computer using the Local Security Policy.


Note

Although this example uses Windows XP Professional, the same password policies are applicable to Windows 2003, and most are also the same for Windows 2000.

Password policies enable the user of the Windows XP computer to enforce several aspects that relate to the use of passwords on this computer. For example:

  • Enforce password history - You can set a value here that controls how many previous passwords are remembered, so that the same password cannot be reused within that span. This is a very useful password policy, because you can use it to ensure that the user chooses a different password when the current one expires. I suggest that you set the value for this item to a number larger than the default. Allowing a user to reuse the same password over and over again will likely make your system more vulnerable than requiring the user to choose a password that has not been used recently. If you double-click on the Enforce Password History entry, you will see the dialog box that enables you to set the number of passwords that will be remembered (see Figure 43.4).

    Figure 43.4. You can set the number of passwords that will be remembered by Windows XP.

  • Maximum password age - This policy defines the length of time a password can be used before the user is required to change the password. A dialog box similar to that shown in Figure 43.4 is used; however, this one lets you set the number of days a password can be used. In combination with the Enforce password history entry, you can further enhance security as it applies to user passwords.

  • Minimum password age - This entry enables you to set the minimum number of days that a password must be used before it can be changed. Although it may seem that the default of zero days is a good one, consider that if someone other than the user gains access to the account, he can change the password easily (and thus lock out the original user). Because of this, it's a good idea to set this to another value to keep an intruder from changing the password. The value you set here should be less than or equal to the Maximum password age value.

  • Minimum password length - This value is obvious: you can set the minimum number of characters (both alpha and numeric) that the user needs to choose for a password. Short passwords are much easier to discover using the many password cracker programs available on the Internet. A recommended value for this field is 10 characters. The next item is also useful to prevent an outsider from guessing a password.

  • Password must meet complexity requirements - This policy is a very important one. Although setting the minimum and maximum password policies is important, this still leaves your user accounts open to a dictionary attack. This sort of attack simply uses a dictionary of ordinary words to attempt to break into your system after a user account name is known. This type of attack is generally used against the Administrator account, because it is a known account on Windows systems. This policy requires that passwords meet certain requirements, such as including numeric as well as alphabetic characters.

    Note

    The Password must meet complexity requirements option should be used on networks that contain a large number of computers (an Enterprise network, for example) as well as on simple SOHO network LANs. Both types of networks are vulnerable to password attacks. As described in Chapter 46, "Basic Security Measures Every Network Administrator Needs to Know," and Chapter 48, "Security Issues for Wide Area Networks," one of the main attacks used by malicious persons is launched from many individual computers. By planting programs on a large number of computers that have been hacked, a Distributed Denial-of-Service attack can be launched from all the computers that the attacker has gained entry to. Thus, when a signal is sent to the many hundreds (or even thousands) of computers, a large volume of network traffic can be simultaneously directed at a targeted computer. This means that your local computer can participate in an attack without your knowledge.

  • Store password using reversible encryption for all users in the domain - If this is enabled, the Administrator account, as well as other accounts that hold administrative privileges, can recover the encrypted password. This is not necessary if an Administrator account possesses the right to take ownership of another user's files, but it can be useful if a user forgets his password.

As you can see from the previous password policies, you can set policies that help protect your network from compromise by both internal and external users. Don't think that all security breaches come from external users. Can you be certain that all users inside your LAN are happy users? If so, why is it ever necessary to let some users go? And remember that when someone is let go, it can take some time for the human resources department (or whichever entity in your business is responsible) to deactivate user accounts.
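As an added example (not from the book), the following PowerShell script audits, on the local computer, both the logon rights and privileges listed earlier and the password policies just described. It assumes secedit.exe is available and that it runs from an elevated prompt; the privilege constant names are the ones secedit uses, and the thresholds are this example's own reading of the chapter's recommendations.

```powershell
# Added example, not part of the book: export the local security policy with
# secedit.exe and check the Password Policy values and the holders of the
# sensitive privileges described in this chapter. Run from an elevated prompt.

$inf = Join-Path $env:TEMP 'secpol-audit.inf'
# secedit writes a Unicode INI-style file with [System Access] and [Privilege Rights]
& secedit.exe /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run this from an elevated prompt" }

# Parse the INI sections into nested hashtables: $policy['System Access']['MinimumPasswordLength']
$policy = @{}
$section = ''
foreach ($line in Get-Content $inf) {
    $line = $line.Trim()
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2] }
}
Remove-Item $inf -Force

# Password Policy checks. Thresholds are this example's reading of the chapter:
# at least 10 characters, complexity on, a history larger than zero, a nonzero
# minimum age, a finite maximum age, and no reversible (clear-text) storage.
$sa = $policy['System Access']
$checks = @(
    @{ Name = 'Minimum password length';     Value = $sa['MinimumPasswordLength']; Ok = [int]$sa['MinimumPasswordLength'] -ge 10 }
    @{ Name = 'Password complexity';         Value = $sa['PasswordComplexity'];    Ok = $sa['PasswordComplexity'] -eq '1' }
    @{ Name = 'Enforce password history';    Value = $sa['PasswordHistorySize'];   Ok = [int]$sa['PasswordHistorySize'] -gt 0 }
    @{ Name = 'Minimum password age (days)'; Value = $sa['MinimumPasswordAge'];    Ok = [int]$sa['MinimumPasswordAge'] -ge 1 }
    @{ Name = 'Maximum password age (days)'; Value = $sa['MaximumPasswordAge'];    Ok = [int]$sa['MaximumPasswordAge'] -gt 0 }
    @{ Name = 'Reversible encryption';       Value = $sa['ClearTextPassword'];     Ok = $sa['ClearTextPassword'] -eq '0' }
)
"== Password Policy =="
foreach ($c in $checks) {
    $flag = if ($c.Ok) { 'OK  ' } else { 'WEAK' }
    '{0} {1,-28} {2}' -f $flag, $c.Name, $c.Value
}

# Privileges from the chapter's list that should stay with Administrators only,
# keyed by the constant name secedit uses for each of them.
$sensitive = @{
    SeTcbPrivilege              = 'Act as part of the operating system'
    SeCreateTokenPrivilege      = 'Create a token object'
    SeDebugPrivilege            = 'Debug programs'
    SeEnableDelegationPrivilege = 'Enable computer and user accounts to be trusted for delegation'
    SeRemoteShutdownPrivilege   = 'Force shutdown from a remote source'
    SeLoadDriverPrivilege       = 'Load and unload device drivers'
    SeTakeOwnershipPrivilege    = 'Take ownership of files or other objects'
}

# secedit lists holders as *SID entries; translate each to DOMAIN\Name where possible
function Resolve-Holder([string]$entry) {
    if ($entry -notmatch '^\*(S-1-.+)$') { return $entry }   # already a name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }   # unresolvable SID (deleted account, unreachable domain)
}

"`n== Sensitive privileges (any holder besides Administrators is flagged) =="
$pr = $policy['Privilege Rights']
foreach ($priv in ($sensitive.Keys | Sort-Object)) {
    $holders = @()
    if ($pr -and $pr.ContainsKey($priv)) {
        $holders = @(($pr[$priv] -split ',') | ForEach-Object { Resolve-Holder $_.Trim() })
    }
    $extra = @($holders | Where-Object { $_ -ne 'BUILTIN\Administrators' })
    $flag = if ($extra.Count -gt 0) { 'CHECK' } else { 'OK   ' }
    $who = if ($holders.Count -gt 0) { $holders -join ', ' } else { '(nobody)' }
    '{0} {1,-62} {2}' -f $flag, $sensitive[$priv], $who
}
```

On a domain-joined computer the exported values reflect the effective local policy, so a CHECK line may come from a Group Policy Object rather than a local assignment; compare it against the GPO described in the next paragraph before changing anything.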

If a Windows XP computer is part of a domain, you can manage user accounts on a domain controller so that the user can be granted access to other computers in the domain instead of just the local workstation. The rights on a Windows XP Professional computer in a domain setting are controlled by a Group Policy Object (GPO), which can be used to set a large number of security and other settings for computers in the network. For a SOHO network, you probably won't need to assign rights to any user account, but can instead add the user account to a user group that possesses the rights needed to perform the tasks necessary.

To learn about how you grant rights to a user or group, see Chapter 41, "Windows 2000 and Windows Server 2003 User and Computer Management Utilities."


Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2003
Pages: 434