User Accounts

Overview

Every user account on a Windows 2000 machine is part of a local user group on that computer. A user group is a set of users who have a certain amount of control over the Windows 2000 computer. The four primary user groups are Administrators, Power Users, Users, and Guests. As a tech support representative, you will have Administrator rights to all computers in your unit. Faculty and staff accounts are always set to Power Users.

Administrators

Members of the Administrator group have total control over the computer and everything on it. The user named Administrator is the default account within this group. The domain account of each faculty or staff member with a Windows 2000 computer is part of the Administrator group on his or her computer.

Administrators Can:
• Create, modify, and access local user accounts
• Install new hardware and software
• Upgrade the operating system
• Back up the system and files
• Claim ownership of files that have become damaged
• Do anything a Power User can
Power Users

The Power User class can perform any task except for those reserved for Administrators. They are allowed to carry out functions that will not directly affect the operating system or risk security. All domain accounts are part of the Power Users group on public Windows 2000 computers.

Power Users Can:
• Create local user accounts
• Modify user accounts which they have created
• Change user permissions on users, power users, and guests
• Install and run applications that do not affect the operating system
• Customize settings and resources on the Control Panel, such as Printers, Date/Time, and Power Options
• Do anything a User can

Power Users Cannot:
• Access other users' data without permission
• Delete or modify user accounts they did not create
Users

Users can perform common tasks, but have little power to affect the computer outside of their own account. The Users group is the most secure environment in which to run programs, since a User cannot affect the operating system or program files.

Users Can:
• Create, modify, and delete their own data files
• Run system-wide or personally installed applications
• Change their personal settings
• Install programs for their own use only
• Access the network
• Print to local or networked printers
• Do anything a Guest can

Users Cannot:
• Modify system-wide settings, operating system files, or program files
• Affect other users' data or desktop settings
• Install applications that can be run by other users
• Add printers
• Configure the system for file sharing
Guests

The Guests group grants limited access to occasional or one-time users. Once a Guest logs out, all files created by the guest are deleted.

Guests Can:
• Log in and out
• Run installed applications
• Navigate through the file system
• Shut down the system

Guests Cannot:
• Do anything else.
How to Add Account

1. Right click My Computer
2. Select Manage
3. Expand Local Users and Groups
4. Right click Users
5. Select New User...
6. Type in required information
7. Click Create
To change membership of the user

1. Right click user name
2. Select Properties
3. Select Member Of
4. Add groups as desired
5. Click OK
How to Reset the Password

To reset password for your account

1. Log onto the system where you want to change the password.
2. Press Ctrl-Alt-Del to bring up the Windows Security dialogue box.
3. Click the "Change Password..." button (bottom left in that window).
4. Verify the correct Username in the first field.
5. Verify the account (whether a Domain account, or local computer account) in the second field.
6. Enter the old (current) password for the account in the third field.
7. Enter the new password (to use from now on) in the fourth field, and again in the fifth to help rule out typing errors.
8. Click OK to finish and change the password.
9. Click OK to acknowledge the message that the password was changed.
10. Press the Esc button, or click Cancel to return to the Windows 2000 desktop.

To reset password for any account

1. Right click My Computer
2. Select Manage
3. Expand Local Users and Groups
4. Select Users
5. Right click user's account in the right pane.
6. Select Set Password
7. Type in new password, confirm password
8. Click OK
Passwords

Passwords are used to protect computer systems and the data that they contain. A computer user may use several passwords to protect several different aspects of his or her computer. Access to a network, e-mail access, Internet access, database access, and even access to the computer itself may be controlled by a password. Therefore, it is not surprising that all of these passwords may cause some confusion.

When a password fails to work, it is important to first be sure that the password has been entered correctly. Passwords are usually, but not always, entered in all lower case letters, and may contain numbers as well. The two most common causes for password failure are accidental activation of the keyboard’s Caps Lock (Capital Lock) function and deactivation of the Num Lock (Number Lock) function for the numeric keypad. Indicator lights on the keyboard, usually in the upper right corner, indicate the status of these functions. When the light is on, the function is active.

Another common cause of password failure is the use of the wrong password. More than one password may be used on a computer to protect multiple applications. It is important to be sure that the password being used is the right one for the application in question.

Passwords are intended to protect your information. Posting passwords in an obvious place, such as on the computer’s monitor, compromises your computer’s security. Passwords should be written down and kept hidden in a safe place. Good passwords contain both upper and lower case letters, as well as a special character (such as # or ; or -), and numbers.

Some simple guidelines that will help you choose better passwords are:
• A password should be a minimum of eight characters long.
• Try to include some form of punctuation or digit.
• Use mixed case passwords if possible.
• Choose a phrase or a combination of words that makes the password easier to remember.
• Do not use a word that can be found in any dictionary (including foreign language dictionaries).
• Do not use a keyboard pattern such as qwertyui or oeuidhtn (look at a Dvorak keyboard).
• Do not repeat any character more than once in a row like zzzzzzzz.
• Do not use all punctuation, all digit or all alphabetic.
• Do not use things that can be easily determined such as:
  o Phone numbers.
  o Car registration.
  o Friends' or relatives' names.
  o Your name or employment details.
  o Any Date.
• Never use your account name as its password.
• Use different passwords for each machine.
• Change the password regularly and do not reuse passwords.
• Do not append or prepend a digit or punctuation mark to a word.
• Do not reverse words.
• Do not replace letters with similar looking numbers. For instance, all of the letters i should not be blindly replaced by the digit 1.
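The checker below is an added example, not part of the original handout: it applies the mechanical guidelines from the list (length, single character class, repeated characters, keyboard patterns, account name, and dictionary words disguised by affixes, reversal or look-alike characters). The word list, the five-key run length, and reading "more than once in a row" as three identical characters are assumptions made for the example.

```python
import re
import string

# Constructed stand-in for a real dictionary file (assumption for this example).
WORDS = {"password", "baseball", "computer", "security"}
# Keyboard rows, including the Dvorak home row the list mentions.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "aoeuidhtns"]
# Look-alike characters mapped back to the letters they replace.
LEET = str.maketrans("013457@$!", "oieastasi")

def keyboard_run(pw, n=5):
    """True if pw contains n adjacent keys of one row, in either direction."""
    low = pw.lower()
    return any(seq[i:i + n] in low
               for row in ROWS for seq in (row, row[::-1])
               for i in range(len(seq) - n + 1))

def disguises(pw):
    """Undo affixed digits/punctuation, reversal and look-alike characters."""
    low = pw.lower()
    core = low.strip(string.digits + string.punctuation)
    forms = {low, core, low.translate(LEET), core.translate(LEET)}
    return forms | {f[::-1] for f in forms}

def check_password(pw, account):
    """Return the guidelines that pw breaks (an empty list means it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if pw.isalpha() or pw.isdigit() or all(c in string.punctuation for c in pw):
        problems.append("uses a single character class")
    if re.search(r"(.)\1\1", pw):  # assumed reading: three identical in a row
        problems.append("repeats a character in a row")
    if keyboard_run(pw):
        problems.append("contains a keyboard pattern")
    forms = disguises(pw)
    if account.lower() in forms:
        problems.append("is the account name")
    if forms & WORDS:
        problems.append("is a disguised dictionary word")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords for a hypothetical account "jsmith".
    for pw in ("Password1", "p4ssw0rd!", "drowssap9", "oeuidhtn", "Tr8il;Mix+Up"):
        print(pw, "->", check_password(pw, "jsmith") or "ok")
```

Each of the first three samples looks mixed at first glance but reduces to the same dictionary word once the disguise is undone, which is why the list rules those tricks out.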
Under Windows 2000, multiple accounts may exist. Each account should have a password that allows access to the Windows operating system in that account.
File Permission

Introduction

The concept of a network of computers is not new or revolutionary. Servers, typically kept in locked rooms, store the company resources (folders, files, documents, spreadsheets, etc). These servers are locked behind closed doors so that the only access that employees have to the resources is over the network. So, one level of security for protecting the resource is the physical security that is provided by not allowing employees direct access to the hardware upon which the resource is located.

In order for employees to access the resources stored on the servers, the server must be configured to allow the employees to access the resources over the network. For a Windows environment, this is done through shared folders. When a folder is shared it becomes available over the network so that all users on the network can see the shared folder name, as shown in Figure 1.

Figure 1: Listing of shared folders available on a server over the network

In order to protect the resources that are made available through shared folders, administrators must configure “permissions” for the folders and files that are made available over the network. There are two types of permissions that can be configured on shared folders: share and NTFS. We are going to focus on the share permissions, discussing some pitfalls that are exposed when you use them, as well as some recommended methods to successfully configure permissions for shared folders.
A Tale of Two Permissions

To make sure that I am clear about my description of the permissions available on a shared folder, I wanted to start off by describing the two different permissions that can be configured on each shared folder. The two permissions are: share and NTFS.
NTFS Permission

NTFS permissions are an attribute of the folder or file for which they are configured. The NTFS permissions include both standard and special levels of settings. The standard settings are combinations of the special permissions, making the configuration more efficient and easier to establish. These permissions include the following, as shown in Figure 2:
• Full Control
• Modify
• Read & Execute
• List Folder Contents
• Read
• Write

Figure 2: NTFS standard permissions for a folder

There are 14 special permissions for folders, which include detailed control over creating, modifying, reading, and deleting subfolders and files contained within the folder where the permissions are established. NTFS permissions are associated with the object, so the permissions are always connected with the object during a rename, move, or archive of the object.

When you check the permissions on an NTFS folder, you see a double set of permissions. The first set in parentheses refers to the directory itself and the second set in parentheses refers to the contents of the directory (but not to contents in any subdirectories).
Permission   | Directory                                                                                       | Directory Contents
-------------|-------------------------------------------------------------------------------------------------|-------------------
List         | (RX) Read and traverse directory                                                                | (not specified)
Read         | (RX) Read and traverse directory                                                                | (RX) View data files and run applications in directory
Add          | (WX) Traverse directory, add files and subdirectories to directory                              | (not specified) cannot read or change contents
Add & Read   | (RWX) Read and traverse directory, add files and subdirectories to directory                    | (RX) View data files and run applications in directory
Change       | (RWXD) Add, read, execute, modify, and delete directory                                         | (RWXD) Add, read, execute, modify, and delete directory contents
Full Control | (RWXDPO) Take ownership, change permissions, add, read, execute, modify, and delete directory  | (RWXDPO) Take ownership, change permissions, add, read, execute, modify, and delete directory contents
No Access    | () No access to directory                                                                       | () No access to directory contents
There is also Special Directory Access and Special File Access. Special Access allows you to pick any combination of Read, Write, Execute, Delete, Change Permission and Take Ownership.

NTFS permissions for files include Read, Change, Full Control, Special Access and No Access. Special access for files includes read, write, execute, delete, change permission and take ownership.
Share permissions

Share permissions are only associated with the folder that is being shared. For example, if there are 5 subfolders below the folder that is shared, only the initial shared folder can have share permissions configured on it. NTFS permissions can be established on every file and folder within the data storage structure, even if a folder is not shared.

Share permissions are configured on the Sharing tab of the shared folder. On this tab, you will have a Permissions button, which exposes the share permissions when selected, as shown in Figure 3.
Figure 3: Share permissions on a shared folder

As you can see, the share permissions standard list of options is not as robust as the NTFS permissions. The share permissions only provide Full Control, Change, and Read. There are no special permissions available for share permissions, so the standard permissions are as granular as you can go for this set of access control.
The share permissions are not part of the folder or file, so when the share name is changed, the folder is moved, or the folder is backed up, the share permissions are not included. This makes for a fragile control of the share permissions if the folder is modified.
Historic Share Permissions

Microsoft has historically configured all new shared folders with very open share permissions. The default share permissions for Windows NT, Windows 2000 (Server and Professional), and Windows XP (pre Service Pack 1) are that the Everyone group has Full Control access. This might seem insecure with Full Control access, but when the NTFS permissions are combined with the share permissions, the most secure of the two permissions controls the access to the resource.

In the past, when share permissions were altered from Everyone having Full Control, it could cause more problems than it was worth. For example, when a company typically does not use share permissions, it can take a longer cycle to fix access to resources when they are used. When share permissions are configured incorrectly on a shared folder, the share permissions are not the initial configuration to be checked. In most cases, I have found that it can take hours before the share permissions are investigated. During the troubleshooting procedures, users can be added to “admin” groups, given elevated user rights, and added directly to the ACL of the resource. When the share permissions are finally investigated and fixed, it can be hard to remember all of the other configurations that have been made in an attempt to fix the users' access to the resource. Of course, this leaves the resource and overall network in an insecure state, all due to share permissions being configured incorrectly.
New Share Permissions

With all of the confusion that old share permissions could cause, Microsoft decided to change the rules for default share permissions with the release of Windows XP Service Pack 1. With every operating system after this service pack release (including Windows Server 2003), the new default permission for all new shared folders is Everyone having Read only access, as shown in Figure 3.

This seems like a good security setting, until you consider how many resources on your network can actually have “read-only” access for everyone. There are not many, due to the fact that users need to modify and alter the contents of most resources to be productive. In almost every instance the share permissions will need to be changed from Read access. This sets up the administrator to configure detailed share permissions, which can cause the issues that we discussed before with regard to troubleshooting resource access with the old share permissions being modified.

With the share permissions being changed by default, I have found that many administrators don’t feel that they need to configure NTFS permissions anymore, as they rely on the share permissions to protect the resource. This is a gross error and leaves the network and resources in a very vulnerable state. Share permissions are only valid when the resource is accessed over the network, but not when it is accessed locally, using Terminal Services, etc. Also remember that share permissions are not backed up with the resource, so all backed up files are vulnerable as well, without any permissions protecting them.
Share Permissions Best Practice

As a best practice, it is most efficient to configure share permissions with Authenticated Users having Full Control access. Then, the NTFS permissions should configure each group with standard permissions. This provides excellent security for local and network access to the resource. It also provides excellent protection of the resource for when it is backed up and when the resource name is changed or relocated. As I said earlier, the NTFS permissions will protect the resource even if the share permissions are set to Full Control access.
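The following model is an added example, not part of the original article: it works through how share and NTFS permissions combine, contrasting a folder protected only by its share permissions with the best-practice configuration above. It is a simplified model rather than Windows' actual access check; the group names and ACLs are constructed, the rights letters come from the permissions table earlier, and the rules that rights from several groups add up and that No Access overrides them are assumptions of the model.

```python
# Simplified model (assumption), not Windows' real access-check algorithm.
# Rights letters follow the table: R W X D, P = change permissions, O = take ownership.
LEVELS = {
    "No Access": frozenset(),
    "Read": frozenset("RX"),
    "Change": frozenset("RWXD"),
    "Full Control": frozenset("RWXDPO"),
}

def granted(acl, groups):
    """Union of the rights of every ACL entry naming one of the user's groups.
    A matching No Access entry overrides everything else (assumed rule)."""
    rights = set()
    for group, level in acl.items():
        if group in groups:
            if level == "No Access":
                return frozenset()
            rights |= LEVELS[level]
    return frozenset(rights)

def effective(share_acl, ntfs_acl, groups, over_network):
    """Network access gets the more restrictive of share and NTFS (intersection).
    Local or Terminal Services access never consults the share ACL."""
    ntfs = granted(ntfs_acl, groups)
    if not over_network:
        return ntfs
    return ntfs & granted(share_acl, groups)

def label(rights):
    return "".join(c for c in "RWXDPO" if c in rights) or "none"

# Constructed group memberships for two hypothetical users.
clerk = {"Everyone", "Authenticated Users", "Accounting"}
visitor = {"Everyone", "Authenticated Users"}

# Pitfall: relying on the share ACL while NTFS is left wide open.
weak_share = {"Everyone": "Read"}
weak_ntfs = {"Everyone": "Full Control"}

# Best practice from the text: open share ACL, NTFS set per group.
good_share = {"Authenticated Users": "Full Control"}
good_ntfs = {"Accounting": "Change", "Administrators": "Full Control"}

if __name__ == "__main__":
    for name, share, ntfs in (("weak", weak_share, weak_ntfs), ("best", good_share, good_ntfs)):
        for who, groups in (("clerk", clerk), ("visitor", visitor)):
            for net in (True, False):
                print(name, who, "network" if net else "local",
                      label(effective(share, ntfs, groups, net)), sep="\t")
```

In the weak configuration every user is held to RX over the network but gets RWXDPO when logged on locally; in the best-practice configuration the result is the same on both paths because NTFS alone decides it.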