Secure System Administration - SANS GIAC
© 2000, 2001
Windows 2000
As we begin to focus on Windows 2000 for the rest of this section, the three primary differences
from Windows NT are: Active Directory, Group Policy, and templates. We will first introduce the
Active Directory.
Years ago, a standards organization called the CCITT (now the International Telecommunication Union,
or ITU) created a recommendation for a world-wide directory service that was also adopted by the
International Organization for Standardization (ISO). Please visit www.ISO.ch for further
information. The standard is known as X.500. For a while it looked as though ISO would supplant the
TCP/IP protocol suite with its own Open Systems Interconnection (OSI) model, but poor standards and
engineering caused that effort to crash. The Internet's reigning standards body is the Internet
Engineering Task Force (IETF), and it is well worth your time to visit the www.ietf.org and
www.normos.org web sites. The IETF produced a lightweight alternative to the X.500 Directory Access
Protocol, called LDAP (Lightweight Directory Access Protocol; LDAPv3 is RFC 2251). LDAP keeps the
X.500 naming model but runs directly over TCP/IP.
CREDIT: If you are taking this for academic credit, develop a two page paper on Lightweight
Directory Access Protocol, LDAP, its history and its workings.
Active Directory
• DNS domain: a collection of related hosts; the database is called a zone (e.g. "sans.org")
• NT 4.0 domain: hosts that share an authentication database, the SAM and Security hives in the
Registry
• Windows 2000 domain: a collection of hosts with both a common DNS domain and a common security
trust model; the database is the Active Directory
LDAP is, of course, the basis for Active Directory: the directory is an LDAP server, and every object
in it has an LDAP distinguished name. Computers have been linked before, through NFS or NetBIOS
shares, but those file structures were primitive and localized. LDAP, and therefore Active Directory,
scales to global proportions.
Recall from "Information Security: The Big Picture" that DNS uses a large number of DNS servers, each
authoritative for its own autonomous domain. Active Directory does exactly the same, with domain
controllers authoritative for their own domain. The data objects are stored as records in the
directory database, NTDS.DIT.
Almost everything in this system is referred to by its Common Name (cn), such as cn=Northcutt.
Other designators include Domain Components (dc); these tie Active Directory to DNS. The LDAP name
for the Active Directory domain sans.org is dc=sans,dc=org.
One last designator is the Organizational Unit (ou). A distinguished name is written from the most
specific component to the least specific, so since GIAC is a division of SANS you might have
ou=giac,dc=sans,dc=org, and a user in that OU would be cn=Northcutt,ou=giac,dc=sans,dc=org.
Printers, computers, shared folders, policies, groups and users are all stored in the Active
Directory. Every entry in the database belongs to a chain of containers and is affected by Group
Policy linked at the site, domain and organizational unit levels; since OU-linked policy is applied
last and overrides what came before it, the OU is the most powerful place to implement policy.
Win 2000 Users and Groups
• Administrators
• Power Users
• Users
• Backup Operators
• Special groups
Local Users and Groups are not available on domain controllers. Use Active Directory Users and
Computers to manage global users and groups.
In Windows 2000, you can limit the ability of users and groups to perform certain actions by
assigning them rights and permissions. A right authorizes a user to perform certain actions on a
computer, such as backing up files and folders, or shutting down a computer. A permission is a rule
associated with an object (usually a file, folder, or printer), and it regulates which users can have
access to the object and in what manner.
When you create new user accounts and assign them to groups, there are important security
consequences, since the groups carry different rights and permissions. To create a new user from the
command line you can use NET USER (the * prompts for the password instead of leaving it on the
command line; the full name must be quoted because it contains a space):
NET USER snorthc * /add /fullname:"Stephen Northcutt"
Now, what is wrong with this picture? Without /domain this creates a local account on the machine;
with /domain it drops snorthc into the domain's default Users container, not into one of the OUs we
discussed earlier. The default Users container is not an OU, so no Group Policy can be linked to it,
and a directory built this way becomes a mess with no hope of managing it past 25 or so users. In
Windows 2000, just as in every operating system, there is more than one way to do almost anything.
If you want to be able to manage the system over the long run, however, use the Management Consoles
(Active Directory Users and Computers) for system administration tasks and create the account
directly in the right OU. This applies to security as well: if there is no security policy for the
rights and permissions we give users, directories and files, it is very hard to find problems.
Users and Power Users
To secure a Windows 2000 system, an administrator
should:
• Make sure that end users are members of the
Users group only.
• Deploy programs, such as certified Windows 2000
programs, that members of the Users group can run
successfully.
Users cannot modify system-wide registry settings, operating system files, or program files. Users
can shut down workstations, but not servers. Users can create local groups, but can manage only the
local groups that they created. They can run certified Windows 2000 programs that have been
installed or deployed by administrators. The system actually calls this a restricted user. Users
have full control over all of their own data files and their own portion of the registry
(HKEY_CURRENT_USER).
Power Users - The default Windows 2000 security settings for Power Users are very similar to the
default security settings for Users in Windows NT 4.0. Any program that a User can run in Windows
NT 4.0, a Power User can run in Windows 2000. Power Users do not have access to the data of other
users on an NTFS volume, unless those users grant them permission. They can, however, write to
Program Files and to much of HKEY_LOCAL_MACHINE\Software, which in practice is enough to get their
code run later by an administrator, so for threat-modelling purposes treat Power Users as privileged
accounts rather than as end users. According to all the Windows documentation I have seen, Power
Users can install or modify programs. In practice this does not appear to be so true; several
installation wizards require the user to be Administrator. This is unfortunate, since the whole point
of Power Users was to have a privileged user class that did not operate at the Administrator level.
Backup Operators
NTBackup is vastly improved over Windows 98 and Windows NT and is worth a close look. Start →
Programs → Accessories → NTBackup. (Editor's note: The NTBackup program is located at Start →
Programs → Accessories → System Tools → Backup. It can also be accessed via Start → Run →
ntbackup.exe. – JEK)
The non-Administrator group that can back up and restore all files is Backup Operators. This group
is the same as in NT 4.0. Members of the Backup Operators group can back up and restore files on the
computer, regardless of any permissions that protect those files. They can also log on to the
computer and shut it down, but they cannot change security settings.
Backing up and restoring data files and system files requires the ability to read and write those
files. The same default rights granted to Backup Operators that allow them to back up and restore
files also make it possible for them to use the group's rights for other purposes, such as reading
another user's files or installing Trojan Horse programs. Group Policy settings SHOULD be used to
create an environment in which Backup Operators can only run a backup program. (Editor's note:
Backup Operators are able to back up and restore files through two explicit user rights, "Back up
files and directories" (SeBackupPrivilege) and "Restore files and directories"
(SeRestorePrivilege), not through file permissions; the rights let the backup program open any file
regardless of its ACL. The Backup Operators group (and the Administrators group) has both of these
rights by default. For security purposes, you may wish to remove the "Restore files and
directories" right from the Backup Operators group and create a separate Restore Operators group
that has only the "Restore" right, since restore is the more dangerous half: it can overwrite system
files and set the owner of any file. – JEK)
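The right-versus-permission distinction above, and why the Backup Operators rights are dangerous, as an added example in Python (this is not code from the SANS module, and the access check is a deliberate simplification of the real one). The file ACL, user SIDs and tokens are constructed; only the well-known SIDs S-1-5-32-544, S-1-5-32-551 and S-1-1-0 are real:

```python
"""Permission versus right, in a simplified model of the Windows access check.
A permission is an ACE in the object's DACL; a right is a privilege held by
the caller's token.  The DACL is walked in order and the first ACE matching a
still-unsatisfied access decides it (canonical order puts deny ACEs first).
A token holding SeBackupPrivilege ('Back up files and directories') may read,
and one holding SeRestorePrivilege ('Restore files and directories') may
write, without the DACL being consulted at all, which is why a Backup
Operator can read another user's files or plant a Trojan Horse.

Added example, not code from the SANS module.  The user SIDs, the file's ACL
and the tokens are constructed; S-1-5-32-544 (Administrators), S-1-5-32-551
(Backup Operators) and S-1-1-0 (Everyone) are the real well-known SIDs.  A
real check also handles ownership, inherited ACEs and a NULL DACL (which
grants everyone everything); this model does not.
"""

READ, WRITE = "READ", "WRITE"

ADMINISTRATORS = "S-1-5-32-544"
BACKUP_OPERATORS = "S-1-5-32-551"
EVERYONE = "S-1-1-0"

# Which right bypasses the DACL for which access when the caller opens the
# file with backup semantics (as NTBackup does).
PRIVILEGE_BYPASS = {
    "SeBackupPrivilege": {READ},
    "SeRestorePrivilege": {WRITE},
}


class Token:
    def __init__(self, user_sid, group_sids=(), privileges=()):
        self.sids = {user_sid, *group_sids}
        self.privileges = set(privileges)


def dacl_check(token, dacl, requested):
    """dacl: list of (ace_type, sid, access_set) in canonical order.
    Every requested access must be granted by an allow ACE before a deny ACE
    for it is reached.  An empty DACL grants nothing."""
    remaining = set(requested)
    for ace_type, sid, access in dacl:
        if sid not in token.sids:
            continue
        if ace_type == "deny" and access & remaining:
            return False
        if ace_type == "allow":
            remaining -= access
        if not remaining:
            return True
    return not remaining


def access_check(token, dacl, requested, backup_semantics=False):
    """A right short-circuits the permission check only when the caller asks
    for backup semantics; an ordinary open by a Backup Operator is still
    subject to the DACL."""
    if backup_semantics:
        bypassed = set()
        for priv in token.privileges:
            bypassed |= PRIVILEGE_BYPASS.get(priv, set())
        if set(requested) <= bypassed:
            return True
    return dacl_check(token, dacl, requested)


# Constructed sample: Kathy's private file carries an explicit deny for the
# backup operator's own account; the operator still gets in via the right.
KATHY = Token("S-1-5-21-1-1-1-1002", [EVERYONE])
BACKUP_OP = Token("S-1-5-21-1-1-1-1003", [EVERYONE, BACKUP_OPERATORS],
                  ["SeBackupPrivilege", "SeRestorePrivilege"])  # default group rights
BACKUP_ONLY = Token("S-1-5-21-1-1-1-1003", [EVERYONE, BACKUP_OPERATORS],
                    ["SeBackupPrivilege"])  # after removing 'Restore' per the editor's note

KATHY_FILE_DACL = [
    ("deny", "S-1-5-21-1-1-1-1003", {READ, WRITE}),
    ("allow", "S-1-5-21-1-1-1-1002", {READ, WRITE}),
    ("allow", ADMINISTRATORS, {READ, WRITE}),
]

if __name__ == "__main__":
    cases = [
        ("Kathy reads her file",                KATHY,       {READ},  False),
        ("Backup op, ordinary open",            BACKUP_OP,   {READ},  False),
        ("Backup op, NTBackup read",            BACKUP_OP,   {READ},  True),
        ("Backup op, NTBackup write (restore)", BACKUP_OP,   {WRITE}, True),
        ("Backup-only op, NTBackup write",      BACKUP_ONLY, {WRITE}, True),
    ]
    for name, tok, req, bs in cases:
        print("%-38s -> %s" % (name, access_check(tok, KATHY_FILE_DACL, req, bs)))
```

The last two cases are the editor's point: with both rights the operator can read and overwrite Kathy's file despite her explicit deny; once "Restore" is moved to a separate group, the write falls back to the DACL and is refused.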
Several additional groups are created automatically by Windows 2000. An administrator does not
assign membership in these; the system places a user in them according to how that user is connected.
• Interactive. This group contains any user that is logged on locally to the computer. During an
upgrade to Windows 2000, members of the Interactive group are also added to the Power Users group,
so that legacy applications continue to function as they did before the upgrade. (At least that was
the plan; in our testing, the Power Users group doesn't seem to have much difference from a
"normal" User.)
• Network. This group contains all users who are currently accessing the system over the network.
• Terminal Server User. When Terminal Services is installed in application server mode, this group
contains any users who are currently logged on to the system through Terminal Server. Any program
that a user can run in Windows NT 4.0 will run for a Terminal Server User in Windows 2000. The
default permissions assigned to the group were chosen to enable a Terminal Server User to run most
legacy programs.
• Replicator. Members of this group are able to replicate folders across networked systems.
Microsoft's guidance is that the group exists to support directory replication and is not intended
for ordinary user accounts.
These default groups give us some management control already, but we can extend this with Group
Policy.
Groups are a powerful concept for security. On this slide we show a special group that I have
created so that snorthc (Stephen) and knorthc (Kathy) can set our laptops up to replicate the My
Documents folder we use on our laptops to each other's laptop every time the systems are connected. I
can even do this when I am on travel and connected to a hotel's LAN or a terminal room. Kathy can
see my replicated files on her computer. For this to work we are both members of the Replicator
group. If I give someone else a login on my computer, they are not a member of the group and
cannot see the replicated folders.
Group Policy
• Local policy:
  %systemroot%\System32\GroupPolicy
• Active Directory policies (one folder per GPO, named by its GUID):
  %systemroot%\SYSVOL\sysvol\YourDomainName\Policies
• Container classes:
  – Domain-DNS
  – Site
  – Container
  – Organizational Unit (OU)
Group Policies are linked to containers; the container classes are shown on the slide. The Active
Directory is an object-oriented database in which some objects contain other objects and some don't:
container objects can hold other objects, but leaf objects such as users, computers and printers
cannot. Each of the classes on the slide has restrictions that keep it from being useful for
structuring the directory. For instance, there can only be one Domain-DNS instance in any given
domain, which makes sense (sans.org != xyz.int), but it means you can't use that as an organizational
tool; and the plain Container class (the default Users and Computers containers) cannot have Group
Policy linked to it at all. The OU is ideal as a general-purpose container for directory structure.
The Site, Domain and OU containers can be linked to Group Policy, and all user and computer objects
under that container inherit the policy. Policy is applied first from the local computer, then from
Sites, then Domains and finally OUs (parent OU before child OU), with each later setting overriding
an earlier one for the same item; a setting left Not Configured overrides nothing. Two switches
change this precedence: No Override on a link makes its settings win over anything applied later,
and Block Policy Inheritance on a domain or OU discards policy from above unless that policy was
marked No Override.
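The distinguished names from the Active Directory section (cn=, ou=, dc=), the default Users container that NET USER leaves an account in, and the Local, Site, Domain, OU processing order described just above, as one added example in Python. This is not code from the SANS module; the domain sans.org, the OU giac, the site name Bethesda and every policy value are constructed, and No Override / Block Policy Inheritance are deliberately left out of the model:

```python
"""Where an object sits in Active Directory decides which Group Policy
reaches it.  This models two things: walking an LDAP distinguished name
(cn=..., ou=..., dc=...) to find the containers above an object, and the
Windows 2000 processing order Local -> Site -> Domain -> OU, where a later
setting overrides an earlier one and 'Not Configured' overrides nothing.

Added example; not code from the SANS module.  The domain sans.org, the OU
'giac', the site name and the policy values are constructed.  No Override
and Block Policy Inheritance are not modelled.
"""

NOT_CONFIGURED = None


def parse_dn(dn):
    """'cn=snorthc,ou=giac,dc=sans,dc=org' -> [('cn','snorthc'), ('ou','giac'), ...]
    Most specific RDN first, as LDAP writes it.  Escaped commas are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr or not value:
            raise ValueError("malformed RDN in %r" % dn)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def join_dn(rdns):
    return ",".join("%s=%s" % rdn for rdn in rdns)


def policy_scopes(dn):
    """Containers whose GPO links apply to `dn`, in processing order: the
    domain (the trailing run of dc= components) first, then each OU from the
    top of the tree down to the object's own parent.  cn= containers such as
    the default CN=Users are skipped: a GPO cannot be linked to them, so a
    user created with NET USER /add /domain and left there only ever gets
    site and domain policy."""
    rdns = parse_dn(dn)
    n = len(rdns)
    while n > 0 and rdns[n - 1][0] == "dc":
        n -= 1
    if n == len(rdns):
        raise ValueError("no domain components in %r" % dn)
    scopes = [join_dn(rdns[n:])]
    for i in range(n - 1, 0, -1):        # ancestors only; index 0 is the object itself
        if rdns[i][0] == "ou":
            scopes.append(join_dn(rdns[i:]))
    return scopes


def resolve(dn, site, local_policy, gpo_links):
    """Apply settings in L-S-D-OU order.

    local_policy: dict setting -> value for the computer's local GPO.
    gpo_links:    dict mapping 'site:<name>' or a container DN to the GPOs
                  linked there, lowest precedence first; each GPO is a dict
                  setting -> value, None meaning Not Configured.
    Returns (effective settings, scope that supplied each one)."""
    ordered = [("local", [local_policy])]
    if site:
        ordered.append(("site:" + site, gpo_links.get("site:" + site, [])))
    for scope in policy_scopes(dn):
        ordered.append((scope, gpo_links.get(scope, [])))

    effective, source = {}, {}
    for label, gpos in ordered:
        for gpo in gpos:
            for setting, value in gpo.items():
                if value is NOT_CONFIGURED:
                    continue                  # Not Configured never overrides
                effective[setting] = value
                source[setting] = label
    return effective, source


# Constructed policy data.  The settings are per-user/per-computer ones that
# an OU link really can override (account and password policy for domain
# accounts is domain-wide only, so it is not used here).
LOCAL_POLICY = {"ScreenSaverTimeout": 900, "ProxyServer": NOT_CONFIGURED}
GPO_LINKS = {
    "site:Bethesda": [{"ProxyServer": "proxy.sans.org:8000"}],
    "dc=sans,dc=org": [{"ScreenSaverTimeout": 600, "DisableSSL2": True}],
    "ou=giac,dc=sans,dc=org": [{"ScreenSaverTimeout": 300,
                                "ProxyServer": NOT_CONFIGURED}],
}

if __name__ == "__main__":
    for dn in ("cn=snorthc,ou=giac,dc=sans,dc=org",     # created in the OU
               "cn=snorthc,cn=Users,dc=sans,dc=org"):   # NET USER default container
        eff, src = resolve(dn, "Bethesda", LOCAL_POLICY, GPO_LINKS)
        print(dn)
        for k in sorted(eff):
            print("  %-18s = %-24r from %s" % (k, eff[k], src[k]))
```

Run it and the two accounts come out differently: the one in ou=giac gets the OU's screen-saver timeout, while the one left in CN=Users never sees any OU policy and stays on the domain value; in both cases the proxy comes from the site link, because the OU's Not Configured entry does not undo it.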
[Editor's note: you may see a reference to \winnt\System32\GroupPolicy in Windows documentation.
The reference on your slide is better practice, since not everyone uses \winnt as the install
directory. Additionally, you should *never* have Active Directory on the same partition as the
system drive (C:). One important reason is that the system drive has IIS installed, whether you
want it or not. IIS has about as much security integrity as a screen door on a submarine. You don't
want Active Directory, the "central nervous system" of W2K, anywhere near IIS. System stuff should
go on C:, Active Directory stuff should go on D:, and everything else should go on E:.]
Start → Run → GPEDIT.MSC will launch the Group Policy Editor console for the local computer's policy.
Security templates are the recommended way to implement security settings for Windows 2000. Each
policy setting has a name and can be configured or left Not Configured.
[Editor's note: Templates are by default stored in %systemroot%\security\templates, and they are
usually applied with the secedit command (secedit /configure /db secedit.sdb /cfg template.inf) or
compared against the running system with secedit /analyze; the Security Configuration and Analysis
MMC snap-in is the graphical front end to the same database.]
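Reading a security template back out of the format secedit consumes, and checking its [Privilege Rights] section for the Backup Operators problem raised in the earlier editor's note (one group holding both SeBackupPrivilege and SeRestorePrivilege), as an added example in Python. This is not code from the SANS module or from Microsoft; both template texts are constructed, the Restore Operators SID S-1-5-21-1-1-1-1100 is hypothetical, and only S-1-5-32-544 and S-1-5-32-551 are real well-known SIDs:

```python
"""Parse a Windows 2000 security template (.inf) of the kind applied with
'secedit /configure /db secedit.sdb /cfg template.inf' and check its
[Privilege Rights] section for one group holding both 'Back up files and
directories' (SeBackupPrivilege) and 'Restore files and directories'
(SeRestorePrivilege).

Added example, not code from the SANS module or from Microsoft.  Both
templates below are constructed; the Restore Operators SID
S-1-5-21-1-1-1-1100 is hypothetical (a group you would create yourself),
while S-1-5-32-544 and S-1-5-32-551 are the real Administrators and Backup
Operators SIDs.  Templates on disk are usually UTF-16: read a real one with
open(path, encoding='utf-16') before calling parse_template.
"""

ADMINISTRATORS = "S-1-5-32-544"
BACKUP_OPERATORS = "S-1-5-32-551"
RESTORE_OPERATORS = "S-1-5-21-1-1-1-1100"   # hypothetical custom group


def parse_template(text):
    """INF-style 'key = value' lines grouped under [Section] headers.
    Comment lines start with ';'.  Returns {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError("unexpected line: %r" % raw)
        sections[current][key.strip()] = value.strip()
    return sections


def privilege_holders(template):
    """{privilege: set of holders}.  In templates a '*' prefix marks a SID;
    unresolved names are kept as written.  An empty value means nobody."""
    out = {}
    for priv, value in template.get("Privilege Rights", {}).items():
        holders = set()
        for item in value.split(","):
            item = item.strip()
            if item:
                holders.add(item[1:] if item.startswith("*") else item)
        out[priv] = holders
    return out


# Pairs of rights that should not sit with the same group (Administrators excepted).
SEPARATE = [("SeBackupPrivilege", "SeRestorePrivilege")]


def check_separation(holders, exempt=(ADMINISTRATORS,)):
    """Return [(holder, right_a, right_b)] for every non-exempt holder of both."""
    findings = []
    for a, b in SEPARATE:
        both = (holders.get(a, set()) & holders.get(b, set())) - set(exempt)
        findings.extend((sid, a, b) for sid in sorted(both))
    return findings


# Constructed: the workstation/member server default assignment ...
WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
; Back up / Restore files and directories
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# ... and the split the editor's note recommends.
HARDENED_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-21-1-1-1-1100
"""


def audit(text):
    return check_separation(privilege_holders(parse_template(text)))


if __name__ == "__main__":
    for name, tpl in (("default", WEAK_TEMPLATE), ("split", HARDENED_TEMPLATE)):
        print(name, audit(tpl) or "OK")
```

The SEPARATE list is the place to add further pairs you want kept apart; the parser itself is generic enough to read the other template sections ([System Access], [Registry Values], [Event Audit]) for similar checks.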
For instance, have you ever really taken a look at the security settings for Internet Explorer? It
matters! There have been a number of serious security problems with Internet Explorer. You can
limit your risk in your own copy of Internet Explorer with Tools → Internet Options → Advanced,
moving down to the Security section. For instance, SSL 2.0 does not integrity-protect its handshake,
so a man-in-the-middle can force the weakest cipher suite both sides support. You could uncheck
"Use SSL 2.0" and find out which web servers haven't bothered to upgrade. If you do a significant
amount of purchasing over the Internet that might be a recommended thing to do. But that only
changes your personal setting.
It is possible to configure all users' settings with Group Policy. For instance, suppose you have a
proxy firewall for outbound World Wide Web access (a proxy is a security measure that keeps users
from connecting directly to web servers, since some of those are hostile). If the proxy listens on
port 8000, you could either set every browser individually or run the Group Policy Editor
(GPEDIT.MSC → User Configuration → Windows Settings → Internet Explorer Maintenance → Connection →
Proxy Settings) and configure all users to use the proxy port. If you also want to stop users
changing it back, the Administrative Templates side of Group Policy has a separate "Disable changing
proxy settings" restriction under Windows Components → Internet Explorer.
