Domains and Basic Security 01-1. What are the components of NT security? 01-2. How does the authentication of a user actually work? 01-3. What is "standalone" vs. "workgroup" vs. "domain"? 01-4. What is a Service Pack? 01-5. What's with "C2 certification"? 01-6. Are there are interesting default groups to be aware of? 01-7. What are the default directory permissions? 01-8. Are there any special restrictions surrounding the Administrative Tools group in Presentation Manager?
01-1. What are the components of NT security?
There are several different components. Each has a role within the overall NT security model. Because of the amount and complexity of components in the security model, not only should the individual components be explored, but how they work together should be explored.
Local Security Authority (LSA) ------------------------------
This is also known as the Security Subsystem. It is the central component of NT security. It handles local security policy and user authentication. LSA also handles generating and logging audit messages.
Security Account Manager (SAM) ------------------------------
SAM handles user and group accounts, and provides user authentication for LSA.
Security Reference Monitor (SRM) --------------------------------
SRM enforces access validation and auditing for LSA. It checks user accounts as the user tries to access various files, directories, etc, and either allows or denies access. Auditing messages are generated as a result. The SRM contains a copy of the access validation code to ensure that resources are protected uniformly throughout the system, regardless of resource type.
User Interface (UI) -------------------
An important part of the security model, the UI is mainly all that the end user sees, and is how most of the administration can be performed.
01-2. How does the authentication of a user actually work?
First, a user logs on. When this happens, NT creates a token object that represents that user. Each process the user runs is associated with this token (or a copy of it). The token-process combination is refered to as a subject. As subjects access objects such as files and directories, NT checks the subject's token with the Access Control List (ACL) of the object and determines whether to allow the access or not. This may also generate an audit message.
01-3. What is "standalone" vs. "workgroup" vs. "domain"?
Each NT workstation participates in either a workgroup or a domain. Most companies will have NT workstations participate in a domain for management of the resource by the administrator.
A domain is one or more servers running NT server with all of the servers functioning as a single system. The domain not only contains servers, but NT workstations, Windows for Workgroups machines, and even LAN Manager 2.x machines. The user and group database covers ALL of the resources of a domain.
Domains can be linked together via trusted domains. The advantage of trusted domains is that a user only needs one user account and password to get to resources across multiple domains, and administrators can centrally manage the resources.
A workgroup is simply a grouping of workstations that do not belong to a domain. A standalone NT workstation is a special case workgroup.
User and group accounts are handled differently between domain and workgroup situations. User accounts can be defined on a local or domain level. A local user account can only logon to that local computer, while a domain account can logon from any workstation in the domain.
Global group accounts are defined at a domain level. A global group account is an easy way to grant access to a subset of users in a domain to, say, a single directory or file located on a particular server within the domain. Local group accounts are defined on each computer. A local group account can have global group accounts and user accounts as members.
In a domain, the user and group database is "shared" by the servers. NT workstations in the domain DO NOT have a copy of the user and group database, but can access the database. In a workgroup, each computer in the workgroup has its own database, and does not share this information.
01-4. What is a Service Pack?
Microsoft maintains a large online database of fixes for operating systems and applications. These fixes are refered to as Service Packs. NT has its share, and typically the latest Service Pack has the latest fixes, including security patches.
Installing a Service Pack is NOT something to be taken lightly -- to turn on or off some features involves some Registry editing. Installation can in some circumstances disable or cause conflicts. Often after a new product has been loaded, even a Microsoft product, you must reinstall the Service Pack. For this reason, LAN administrators often neglect the timely installation of Service Packs. For the hacker, this is a decided advantage -- especially if the site has numerous NT servers and workstations in need of patching. One day maybe Microsoft will make Service Pack installation a little less painless, but until then you will find MANY locations will be either under-patched or not patched at all.
Typically Service Packs are fairly well tested, although this is no guarantee everything is "fixed". Admins should not place 100% of their faith in them, but then hackers should not underestimate their value in closing holes.
Service Pack locations are listed in Section 10-6.
01-5. What is a Hot Fix?
A Hot Fix is what is released between Service Pack releases. A Hot Fix is generally released to address a specific problem or condition. Some Hot Fixes may have a prerequisite of a certain Service Pack, and are typically included in the next Service Pack.
Once again, some of the Hot Fixes are downright dangerous to monkey around with, and many LAN folks will simply neglect installation especially at large NT shops. And once again this is good news for the hacker.
Hot Fixes are not as well tested as the Service Packs are -- often they are released after headline-grabbing security flaws are announced, so they are often rushed to press.
Hot Fix locations are listed in Section 10-6.
01-6. What's with "C2 certification"?
I'm not going to get into a bunch of detail on this. There are far better places to go for the info, but I will state this -- running the c2config utility to "lock down" your system will not protect you if you want to run third party software, use the floppy drive, or connect to the network. It is simply a marketing tactic used by Microsoft. The C2 tested configuration had no network access and no floppy drive. Who wants to use that?
I can see some value in running the c2config utility and "opening up" the system as needed to make it useable, but this is a lot of work and beyond the scope of what I'm discussing here.
01-7. Are there are interesting default groups to be aware of?
There are a number of built-in local groups can do various functions, some which would be better off being left to the Administrator. Administrators can do everything, but the following groups' members can do a few extra items (I only verified this on 4.0):
Also members of these groups can login at the console. As you explore this FAQ and possibly someone else's server, remember these permissions. Gaining a Server Operator account and placing a trojan that activates after a remote shutdown could get you Administrator.
01-8. What are the default directory permissions?
Like 01-7, I only verified these on 4.0. And remember, Administrators are deities. Otherwise, if it isn't here, the group doesn't have access.
\(root), \SYSTEM32, \WIN32APP - Server Operators and Everyone can read
and execute files, display permissions on files, and do some changing on
\SYSTEM32\CONFIG - Everyone can list filenames in this directory.
\SYSTEM32\DRIVERS, \SYSTEM\REPL - Server Operators have full access,
Everyone has read access.
\SYSTEM32\SPOOL - Server Operators and Print Operator have full access,
Everyone has read access.
\SYSTEM32\REPL\EXPORT - Server Operators can read and execute files,
display permissions on files, and do some changing on file attributes.
Replicator has read access.
\SYSTEM32\REPL\IMPORT - Server Operators and Replicator can read and
execute files, display permissions on files, and do some changing on file
attributes. Everyone has read access.
\USERS - Account Operators can read, write, delete, and execute. Everyone
can list filenames in this directory.
\USERS\DEFAULT - Everyone has read, write, and execute.
01-9. Are there any special restrictions surrounding the Administrative Tools group in Presentation Manager?
The following tools have the following default group restrictions in 4.0:
Disk Administrator - Must be a member of the Administrators group.
Event Log - Anyone can run Event Viewer, but only members of the
Administrators group can clear logs or view the Security Log.
Backup - Anyone can backup a file they have normal access to, but only the
Administrators and Backup Operators can over override normal access.
User Manager - Users and Power Users can create and manage local groups.
User Manager for Domains - Users and Power Users can create and manage
local groups if logged on at the server console, otherwise it is restricted
to Administrators and Account Operators.
Server Manager - Only Administrators, Domain Admins, and Server Operators
can use this on domains they have an account on. Account Operators can only
add new accounts to the domain. Some features in Server Manager can only be
used by the Administrators and Domain Admins.
[ Return to TOC | Return to FAQ Page ]