Chapter 5, Designing Group Security

|1|     Chapter Overview

                  Designing Microsoft Windows 2000 Security Groups

                  Designing User Rights

 

            Chapter 5, Lesson 1

|2|     Designing Microsoft Windows 2000 Security Groups

 

       1.    Introduction

                  A.      Deploy groups to assist in providing access to network resources.

                  B.      Security group type and scope determine network security and manageability.

                  C.      Understand how security groups interact with each other to effectively design Windows 2000 security group memberships.

 

         Question: What is used to allow users or groups access to network resources?

 

|3|     2.    Windows 2000 Groups

                  A.      Introduction

                           1.       Access to network resources is authorized through inspection of the user SID and any group SIDs for a user account.

                           2.       Use security groups to allow auditing of security access and to simplify the administration of network resources.

                           3.       Define the group type and the group scope when creating a custom scope.

                           4.       There are two types of groups: security and distribution.

                  B.      Windows 2000 group types

 

         Question: What security is included in the access token?

 

|4|                        1.       Security groups

                                     a.       If a group’s purpose is to define security for a resource, ensure that the group type is a security group.

                                     b.      Security groups are used in discretionary access control lists (DACLs) and system access control lists (SACLs) to define security and auditing settings for an object.

                                     c.       Membership provides the equivalent rights and permissions assigned to that group.

                                     d.      Security group SIDs are included in the access token.

 

         Questions: What are distribution groups used for? Do distribution groups contain SIDs? Can a distribution group be converted into a security group?

 

|5|                        2.       Distribution groups

                                     a.       Used primarily for e-mail distribution lists

                                     b.      When an access token is built for a user, distribution group memberships are ignored.

                                     c.       Can be converted into a security group by using Microsoft Active Directory Users And Computers

                                     d.      SIDs are automatically assigned to newly created distribution groups.

                                     e.      Identify the SID of a distribution group by using the Active Directory Administration Tool (Ldp.exe).
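         The token-building behaviour described in 2.B can be modelled in a few lines. The following is an added example, not part of the course material: the SIDs, group names and ACEs are constructed. It shows that nested security groups contribute their SIDs to the token, that a distribution group's SID never does even though the group has one, and therefore that an ACE placed on a distribution group has no effect until the group is converted to a security group.

```python
"""Model of Windows 2000 access-token construction and DACL evaluation.

Added example with constructed data: SIDs, group names and ACEs below are
illustrative and do not come from the course text."""
from dataclasses import dataclass

READ = 0x1
WRITE = 0x2


@dataclass(frozen=True)
class Group:
    sid: str
    name: str
    gtype: str        # "security" or "distribution"
    members: tuple    # SIDs of users or groups that are direct members


@dataclass(frozen=True)
class Ace:
    kind: str         # "allow" or "deny"
    sid: str
    mask: int


USER_A = "S-1-5-21-11-22-33-1001"   # constructed user SID
USER_B = "S-1-5-21-11-22-33-1002"   # constructed user SID

# Constructed directory: every group has a SID, but only security groups
# contribute that SID to an access token.
DIRECTORY = {g.sid: g for g in (
    Group("S-1-5-21-11-22-33-1101", "HR-Staff", "security", (USER_A,)),
    Group("S-1-5-21-11-22-33-1102", "HR-Data-Read", "security",
          ("S-1-5-21-11-22-33-1101",)),              # nests HR-Staff
    Group("S-1-5-21-11-22-33-1103", "All-Announce", "distribution", (USER_A,)),
    Group("S-1-5-21-11-22-33-1104", "HR-Data-Write", "security", (USER_B,)),
)}

# Constructed DACL in canonical order (deny ACEs first). The deny names the
# distribution group's SID, which will never appear in any token.
DACL = (
    Ace("deny", "S-1-5-21-11-22-33-1103", READ),
    Ace("allow", "S-1-5-21-11-22-33-1102", READ),
    Ace("allow", "S-1-5-21-11-22-33-1104", READ | WRITE),
)


def build_token(user_sid, directory=DIRECTORY):
    """Return the user SID plus the SIDs of every security group the user
    belongs to, directly or through nesting. Distribution groups are skipped."""
    token = {user_sid}
    frontier = [user_sid]
    while frontier:
        sid = frontier.pop()
        for group in directory.values():
            if sid in group.members and group.gtype == "security" \
                    and group.sid not in token:
                token.add(group.sid)
                frontier.append(group.sid)
    return frozenset(token)


def access_check(token, dacl, requested):
    """Walk the DACL in order: a matching deny on any still-outstanding bit
    fails the check; allows accumulate until every requested bit is granted."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & requested & ~granted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
        if granted == requested:
            return True
    return granted == requested


def convert_to_security(directory, sid):
    """Model the Active Directory Users And Computers conversion of a
    distribution group into a security group (same SID, new type)."""
    old = directory[sid]
    updated = dict(directory)
    updated[sid] = Group(old.sid, old.name, "security", old.members)
    return updated
```

         Before the conversion the user in All-Announce reads the object through HR-Data-Read; after the conversion the same deny ACE takes effect, because the group's SID is now present in the token.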

|6|               C.      Windows 2000 group scopes

 

         Question: What does the group scope define?

 

                           1.       Introduction

                                     a.       The scope for the group must be set after the group type has been selected.

                                     b.      The scope defines

                                              (1)     Where the group can be used
                                              (2)     Where group membership is maintained
                                              (3)     How the group can be used

                                     c.       Four group scopes are available in native mode:

                                              (1)     Domain local groups
                                              (2)     Global groups
                                              (3)     Universal groups
                                              (4)     Computer local groups

 

         Note  Implementing native mode in a Windows 2000 domain increases the options for setting security group scopes. Mixed mode domains might contain Microsoft Windows NT backup domain controllers (BDCs) that limit the types of groups that can be created, because the BDCs do not recognize the newer Windows 2000 domain local and universal groups or the new functionality, such as nesting global groups within other global groups.

 

 

         Question: Where is membership maintained for a domain local group?

 

|7|                        2.       Domain local groups

                                     a.       Used to grant permissions to resources

                                     b.      New groups can be added to existing domain local groups.

                                     c.       Membership is maintained in the domain where the domain local group exists.

                                     d.      Can only be used on domain controllers (DCs) in a mixed mode environment, much like local groups in Windows NT

 

         Questions: What can be a member of a global group? When do you create a global group?

 

|8|                        3.       Global groups

                                     a.       Used to combine users and other global groups that have similar business requirements

                                     b.      Membership is maintained in the domain where the global group exists.

 

         Question: Where are memberships of universal groups stored?

 

|9|                        4.       Universal groups

                                     a.       Used to collect similar groups that exist in multiple domains

                                     b.      Memberships are stored in both the domain where the universal group exists and in the global catalog.

                                     c.       Memberships stored in the global catalog can be verified without contacting a DC.

                                     d.      Any changes to universal group membership will result in modification and replication of the global catalog.

 

         Note  To reduce the replication traffic associated with changes in universal group membership, global groups should be assigned only as members of the universal group. Membership can be modified within the composite global groups without adding or removing global groups from within the universal group.

 

 

         Question: Where are computer local groups defined?

 

|10|                       5.       Computer local groups

                                     a.       Windows 2000–based computers that are not DCs maintain their own user accounts database.

                                     b.      Define permissions for resources stored at that computer

                                     c.       Are not shared between computers

                                     d.      Must be defined at each computer where they exist

|11|    3.    Assessing Group Usage

                  A.      Introduction

                           1.       Determine how permissions will be assigned to resources.

                           2.       Create custom groups to provide the permissions necessary to protect resources.

                           3.       Know how group memberships will be set.

                  B.      Group Memberships in a Windows 2000 Domain

|12|                       1.       Domain local group

                                     a.       Mixed mode membership

                                              (1)     User accounts from any domain
                                              (2)     Global groups from any domain

                                     b.      Native mode membership

                                              (1)     User accounts from any domain
                                              (2)     Global groups from any domain
                                              (3)     Universal groups from any domain
                                              (4)     Domain local groups from the same domain

|13|                       2.       Global group

                                     a.       Mixed mode membership

                                              (1)     User accounts from the same domain

                                     b.      Native mode membership

                                              (1)     User accounts from the same domain
                                              (2)     Global groups from the same domain

 

         Question: In a mixed mode domain, who can be a member of a universal group?

 

|14|                       3.       Universal group

                                     a.       Mixed mode membership

                                              (1)     None

                                     b.      Native mode membership

                                              (1)     User accounts from any domain
                                              (2)     Global groups from any domain
                                              (3)     Universal groups from any domain

 

         Question: In a mixed mode domain, who can be a member of a computer local group?

 

|15|                       4.       Computer local group

                                     a.       Mixed mode membership

                                              (1)     Local user accounts
                                              (2)     Domain user accounts from any domain
                                              (3)     Global groups from any domain

                                     b.      Native mode membership

                                              (1)     User accounts from any domain
                                              (2)     Global groups from any domain

 

         Note  Although user accounts can be put into each of the four group scopes described above, it is often not desirable because doing so can lead to difficulties in determining the correct group membership.

 

|16|              C.      Strategies for assessing group usage

                           1.       A-G-DL-P strategy

                                     a.       Accounts are placed only into global groups.

                                     b.      In native mode, global groups may also contain other global groups.

                                     c.       The global groups are then made members of a domain local group.

                                     d.      Permissions are assigned to the domain local group.

                                     e.      Simplifies the troubleshooting of permissions.

                                     f.       Only domain local groups should populate Access Control Entries (ACEs).

                                     g.      Most often used in a forest that has a single domain.

                                              (1)     Do not use universal groups if the forest has only a single domain.

|17|                       2.       A-G-U-DL-P strategy

                                     a.       Accounts are assigned only to global groups, which can be made members of other global groups.

                                     b.      Global groups from multiple domains can be collected into a single universal group.

                                     c.       The universal group is then added as a member of a domain local group.

                                     d.      The domain local group is then assigned permissions to the object.

                                     e.      Membership should only include global groups and other universal groups.

                                     f.       Changes to group membership of the universal group and changes to the global catalog are minimized.

                                     g.      Replication traffic related to the global catalog is reduced.

                                     h.      If a resource requires multiple levels of access, create or use multiple groups.

                                     i.        Universal groups are integrated into the permission assignments, and user accounts are not placed directly into the universal groups.

|18|    4.    Making the Decision: Designing Custom Security Groups

 

         Question: Where will new groups be created in Windows 2000?

 

                  A.      Determine if an existing group meets requirements.

                           1.       New custom groups will be created within the Windows 2000 forest.

                           2.       Do not create groups that duplicate functionality.

                  B.      Define what purpose the group will serve.

                           1.       The purpose of the group determines the group type and group scope.

                                     a.       Use a security group if the group will be used to assign permissions to a resource.

                                     b.      If the group must cross domain boundaries, then the group scope cannot be set to domain local.

                  C.      Determine if additional groups are required.

                           1.       If the A-G-DL-P or A-G-U-DL-P method is to be used, more than one group will have to be created.

                           2.       Determine all required groups to optimize network traffic.

                           3.       Follow the permission assignment strategy.

                  D.      Do not assign excess permissions.

                           1.       Never assign permissions that would allow users to intentionally or accidentally perform more than the required tasks.

                  E.      Document new groups.

                           1.       Name of the group

                           2.       Initial group membership

                           3.       Memberships in other groups

                           4.       What purpose the group serves

|19|    5.    Applying the Decision: Designing Custom Security Groups for Hanson Brothers

                  A.      Determine existing groups.

                           1.       Create custom security groups for the deployment of the Outlook 2000 client software.

                  B.      Determine the number of group scopes using A-G-DL-P.

                           1.       Global groups

                                     a.       Group name: Corporate\OutlookUsers

                                              (1)     Membership: All users who will require the Outlook 2000 software at the Warroad, Calgary, and Boise offices

                                     b.      Group name: Quebec\OutlookUsers

                                              (1)     Membership: All users who will require the Outlook 2000 software at the Hull office

                                     c.       Group name: Corporate\OutlookAdmins

                                              (1)     Membership: All Outlook administrators who need to configure the Outlook 2000 client software

                           2.       Domain local groups

                                     a.       Group name: Corporate\OutlookRead

                                              (1)     Membership: Corporate\OutlookUsers
                                              (2)     Membership: Quebec\OutlookUsers

                                     b.      Group name: Corporate\OutlookWrite

                                              (1)     Membership: Corporate\OutlookAdmins

                  C.      Determine the number of group scopes using A-G-U-DL-P.

                           1.       Global groups

                                     a.       Group name: Corporate\OutlookUsers

                                              (1)     Membership: All users who will require the Outlook 2000 software at the Warroad, Calgary, and Boise offices

                                     b.      Group name: Quebec\OutlookUsers

                                              (1)     Membership: All users who will require the Outlook 2000 software at the Hull office

                                     c.       Group name: Corporate\OutlookAdmins

                                              (1)     Membership: All Outlook administrators who need to configure the Outlook 2000 client software

                           2.       Domain local groups

                                     a.       Group name: Corporate\OutlookRead

                                              (1)     Membership: Corporate\Outlook

                                     b.      Group name: Corporate\OutlookWrite

                                              (1)     Membership: Corporate\OutlookAdmins

                           3.       Universal group

                                     a.       Group name: Corporate\Outlook

                                              (1)     Membership: Corporate\OutlookUsers
                                              (2)     Membership: Quebec\OutlookUsers

                  D.      Choose a methodology.

                           1.       Either methodology will work to deploy Outlook 2000 software.

                           2.       If future growth is not expected, A-G-DL-P will meet the security needs and not require additional security groups to be created.

                           3.       If the Outlook 2000 universal group will be used for additional security assignments, A-G-U-DL-P will be best.

                  E.      Document the newly created groups.

                           1.       The purpose of the group

                           2.       The initial membership of the group

                           3.       Any permission assigned directly to the groups
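         The membership rules in 3.B and the A-G-DL-P / A-G-U-DL-P strategies in 3.C can be checked mechanically against the two Hanson Brothers designs in 5.B and 5.C. The following validator is an added example, not part of the course material: the nesting table encodes the rules exactly as the outline lists them, the group names come from the case study, and the individual user accounts placed in the global groups are constructed. It confirms that A-G-DL-P is valid in either domain mode while A-G-U-DL-P requires native mode, and it flags the two design mistakes the strategies warn against (users placed directly in universal or domain local groups, and ACEs granted to anything other than a domain local group).

```python
"""Validator for Windows 2000 group nesting rules (section 3.B) and the
A-G-DL-P / A-G-U-DL-P strategies (section 3.C), run against the Hanson
Brothers Outlook 2000 designs (sections 5.B and 5.C).

Added example; the sample user accounts are constructed."""

# Member kinds each group scope may hold, per domain mode, as listed in 3.B.
# "same": member must belong to the group's own domain; "any": any domain.
NESTING_RULES = {
    ("domain_local", "mixed"):    {"user": "any", "global": "any"},
    ("domain_local", "native"):   {"user": "any", "global": "any",
                                   "universal": "any", "domain_local": "same"},
    ("global", "mixed"):          {"user": "same"},
    ("global", "native"):         {"user": "same", "global": "same"},
    ("universal", "mixed"):       {},          # no members allowed in mixed mode
    ("universal", "native"):      {"user": "any", "global": "any",
                                   "universal": "any"},
    ("computer_local", "mixed"):  {"local_user": "any", "user": "any",
                                   "global": "any"},
    ("computer_local", "native"): {"user": "any", "global": "any"},
}

# principal -> (kind, domain)
PRINCIPALS = {
    "Corporate\\OutlookUsers":  ("global", "Corporate"),
    "Quebec\\OutlookUsers":     ("global", "Quebec"),
    "Corporate\\OutlookAdmins": ("global", "Corporate"),
    "Corporate\\Outlook":       ("universal", "Corporate"),
    "Corporate\\OutlookRead":   ("domain_local", "Corporate"),
    "Corporate\\OutlookWrite":  ("domain_local", "Corporate"),
    # constructed sample accounts, not from the case study
    "Corporate\\jdoe":          ("user", "Corporate"),
    "Quebec\\mtremblay":        ("user", "Quebec"),
    "Corporate\\exadmin":       ("user", "Corporate"),
}

# (group, member) edges for the A-G-DL-P design in 5.B
A_G_DL_P = [
    ("Corporate\\OutlookUsers", "Corporate\\jdoe"),
    ("Quebec\\OutlookUsers", "Quebec\\mtremblay"),
    ("Corporate\\OutlookAdmins", "Corporate\\exadmin"),
    ("Corporate\\OutlookRead", "Corporate\\OutlookUsers"),
    ("Corporate\\OutlookRead", "Quebec\\OutlookUsers"),
    ("Corporate\\OutlookWrite", "Corporate\\OutlookAdmins"),
]

# (group, member) edges for the A-G-U-DL-P design in 5.C
A_G_U_DL_P = [
    ("Corporate\\OutlookUsers", "Corporate\\jdoe"),
    ("Quebec\\OutlookUsers", "Quebec\\mtremblay"),
    ("Corporate\\OutlookAdmins", "Corporate\\exadmin"),
    ("Corporate\\Outlook", "Corporate\\OutlookUsers"),
    ("Corporate\\Outlook", "Quebec\\OutlookUsers"),
    ("Corporate\\OutlookRead", "Corporate\\Outlook"),
    ("Corporate\\OutlookWrite", "Corporate\\OutlookAdmins"),
]

# (resource, trustee) pairs standing in for the ACEs on the deployment share;
# the share path is a constructed placeholder.
ACES = [
    ("\\\\deploy\\Outlook2000", "Corporate\\OutlookRead"),
    ("\\\\deploy\\Outlook2000", "Corporate\\OutlookWrite"),
]


def nesting_violations(memberships, mode, principals=PRINCIPALS):
    """Return (group, member, reason) for every edge the mode forbids."""
    problems = []
    for group, member in memberships:
        g_kind, g_domain = principals[group]
        m_kind, m_domain = principals[member]
        allowed = NESTING_RULES[(g_kind, mode)]
        if m_kind not in allowed:
            problems.append((group, member,
                             f"{m_kind} not allowed in {g_kind} ({mode} mode)"))
        elif allowed[m_kind] == "same" and g_domain != m_domain:
            problems.append((group, member, f"{m_kind} must be from {g_domain}"))
    return problems


def strategy_warnings(memberships, aces, principals=PRINCIPALS):
    """Flag departures from A-G-DL-P / A-G-U-DL-P: accounts placed anywhere but
    a global group, and ACEs whose trustee is not a domain local group."""
    warnings = []
    for group, member in memberships:
        if principals[member][0] == "user" and principals[group][0] != "global":
            warnings.append(f"{member} placed directly in "
                            f"{principals[group][0]} group {group}")
    for resource, trustee in aces:
        if principals[trustee][0] != "domain_local":
            warnings.append(f"ACE on {resource} grants "
                            f"{principals[trustee][0]} group {trustee}")
    return warnings
```

         Running the A-G-U-DL-P design in mixed mode reports three violations (the two global groups inside the universal group, and the universal group inside the domain local group), which is the practical reason 5.D can offer that design only if the domains are in native mode.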

 

       Chapter 5, Lesson 2

|20|    Designing User Rights

 

|21|    1.    Defining User Rights with Group Policy

                  A.      Administrators define user rights to authorize users to perform specific actions.

                           1.       Who can log on to a computer

                           2.       Methods for logging on to a computer

                           3.       Privileges assigned to a user or group on that computer

                  B.      It is best to define user rights by using Group Policy.

                           1.       Ensures consistent application of user rights.

                           2.       Ensures that local changes will not override settings applied at the site, domain, or organizational unit (OU) level.

|22|    2.    User Rights Within Windows 2000

                  A.      Defined within local computer policy

                  B.      Applied through Windows 2000 Group Policy defined at the site, domain, or OU

                           1.       Always preferable for a centrally administered network

                           2.       Take precedence over local computer policy

                  C.      Know what privilege a user right provides to any security principals.

                  D.      Group computers that require like assignments into the same container.

|23|    3.    Assessing Where to Apply User Rights

                  A.      Store DCs within the Domain Controllers OU and apply user rights to the Domain Controllers OU Group Policy.

|24|              B.      Collect all Windows 2000 member servers into a common OU structure.

                           1.       If user rights are consistent between member servers

                                     a.       Apply the user rights Group Policy at the parent OU

                           2.       If specific user rights assignments are required, based on the type of information stored at the member server

                                     a.       Apply the user rights Group Policy settings at the individual OUs

                  C.      Apply the user rights settings at the domain to affect all computers running Windows 2000 Professional in the domain.

|25|    4.    Making the Decision: Designing User Rights

 

         Question: Where should user rights be assigned?

 

                  A.      Determine what user rights to grant to a security principal.

                           1.       Assign user rights to a group rather than to individual user accounts.

                           2.       Assigning the user right to a group means that when requirements change, only the group’s membership is modified, not the user rights assignment itself.

                  B.      Determine where to apply user rights.

                           1.       User rights can be applied to the local computer policy or by using Group Policy at the site, domain, or OU level.

                           2.       User rights for DCs should always be applied to the DC’s OU.

                  C.      Determine whether to apply user permissions or user rights.

                           1.       User rights always take precedence over permissions on objects.

                           2.       User rights take precedence over the permissions assigned at the file and folder level.

|26|    5.    Applying the Decision: Designing User Rights for Hanson Brothers’ Deployment of Exchange Server

                  A.      Determine a name for the service account.

                           1.       The service account name itself should not reveal its purpose.

                  B.      Determine which user rights to assign to the service account.

                           1.       The Exchange service account will require three user rights:

                                     a.       Act As Part Of The Operating System

                                     b.      Log On As A Service

                                     c.       Restore Files And Directories

                  C.      Determine where to assign the user rights.

                           1.       If Exchange Servers are installed as member servers in the domain

                                     a.       A separate OU should be created in both the Corporate and Quebec domains to contain the servers

                                     b.      A Group Policy must be defined at the OU that assigns the three user rights to the Exchange service account

                                     c.       User rights assignments must be performed in both the Corporate and Quebec domains

                           2.       If the Exchange Servers are installed as DCs

                                     a.       A Group Policy should be defined at the DC’s OU

                                     b.      User rights assignments must be performed in both the Corporate and Quebec domains
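         The precedence rules in Lesson 2, sections 2 through 4 (local computer policy, then Group Policy at the site, domain and OU levels, with the later setting winning) can be modelled against the Exchange placement decision in section 5. The following is an added example, not part of the course material: the computer names, OU layout and the service account name (deliberately not revealing its purpose) are constructed, and only the Corporate domain is modelled. It assumes the standard Group Policy behaviour that a user right defined in a higher-precedence GPO replaces the whole list of principals for that right, while a right the GPO leaves Not Defined is untouched.

```python
"""Model of how a Windows 2000 computer's effective user rights are resolved
from local policy and Group Policy applied in LSDOU order.

Added example with constructed data. Assumes that a defined user right in a
later-applied GPO replaces the entire principal list for that right (rights
are not merged across GPOs) and that a Not Defined right is left alone."""

# Container path for each computer, from the domain down to its own OU.
COMPUTERS = {
    "CORP-DC1":  ["corporate.local", "Domain Controllers"],
    "CORP-EX1":  ["corporate.local", "Member Servers", "Exchange Servers"],
    "CORP-FS1":  ["corporate.local", "Member Servers"],
    "CORP-WS42": ["corporate.local"],   # Windows 2000 Professional, no OU
}

SITE_GPOS = []   # no site-linked GPOs in this model

# Constructed local changes made by a local administrator on each machine.
LOCAL_POLICY = {
    "CORP-EX1":  {"Log On As A Service": {"CORP-EX1\\svc_local"}},
    "CORP-WS42": {"Shut Down The System": {"BUILTIN\\Users"}},
}

SERVICE_ACCOUNT = "Corporate\\acct4471"   # constructed, purpose not revealed

# (container, settings) links in link order. A right a GPO does not mention
# is Not Defined and leaves the lower-precedence value in place.
GPO_LINKS = [
    ("corporate.local", {"Shut Down The System": {"BUILTIN\\Administrators"}}),
    ("Domain Controllers", {
        "Act As Part Of The Operating System": {SERVICE_ACCOUNT},
        "Log On As A Service": {SERVICE_ACCOUNT},
        "Restore Files And Directories": {SERVICE_ACCOUNT,
                                          "BUILTIN\\Backup Operators"},
    }),
    ("Member Servers", {
        "Restore Files And Directories": {"BUILTIN\\Backup Operators"},
    }),
    # The Exchange Servers OU GPO lists only the service account for Restore,
    # so Backup Operators lose that right on Exchange servers: a replaced
    # list, not a merged one.
    ("Exchange Servers", {
        "Act As Part Of The Operating System": {SERVICE_ACCOUNT},
        "Log On As A Service": {SERVICE_ACCOUNT},
        "Restore Files And Directories": {SERVICE_ACCOUNT},
    }),
]


def effective_user_rights(computer, local_policy=LOCAL_POLICY,
                          gpo_links=GPO_LINKS, site_gpos=SITE_GPOS,
                          computers=COMPUTERS):
    """Resolve rights in LSDOU order: local policy first, then site GPOs,
    then the domain and each OU from the root down to the computer's OU."""
    rights = {r: set(p) for r, p in local_policy.get(computer, {}).items()}
    for settings in site_gpos:
        rights.update({r: set(p) for r, p in settings.items()})
    for container in computers[computer]:
        for link, settings in gpo_links:
            if link == container:
                rights.update({r: set(p) for r, p in settings.items()})
    return rights


def who_has(right, computers=COMPUTERS):
    """Report, per computer, which principals end up holding a given right."""
    return {c: sorted(effective_user_rights(c).get(right, ()))
            for c in computers}


if __name__ == "__main__":
    for right in ("Log On As A Service", "Restore Files And Directories"):
        print(right, who_has(right))
```

         The local grant of Log On As A Service on CORP-EX1 is replaced by the OU GPO, which is the guarantee 1.B.2 describes; the Restore Files And Directories result on CORP-EX1 shows why a child OU GPO must list every principal it intends to keep, since the parent OU's list does not carry over.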

|27|      Chapter Summary

                  Designing Windows 2000 security groups

                           Group types

                           Group scopes

                  Assessing group usage

                           Group memberships

                           A-G-DL-P and A-G-U-DL-P strategies for assigning permissions

                  Designing user rights

                  Assessing where to apply user rights