Auerbach Publications
© 1998 CRC Press LLC 04/98
DATA COMMUNICATIONS MANAGEMENT
S
ECURITY
IN
A
W
INDOWS
NT E
NVIRONMENT
Gilbert Held
I N S I D E
The User Manager, Creating a User Account, Comparing NT and NetWare Groups, Assigning Users to Groups, Working with Rights, Auditing
OVERVIEW
If a user obtains physical access to a Windows NT computer, one of the first things that might be tempting to do to test its security is to power off the computer, place a system diskette in drive A, and power the comput-er back on. Although this sequence of opcomput-erations can be used to ovcomput-er- over-come the use of utility programs developed to provide a degree of security to DOS, Windows 3.1, and Windows 95-based computers, when used in an attempt to overcome Windows NT’s built-in security, this tech-nique fails. Once power is restored to a Windows NT computer, the se-curity module of the operating system prompts the user to log into the system. In comparison, the other operating systems automatically search drive A for a bootable disk, allowing a diskette with one or more system files to be used to gain control of the computer.
THE USER MANAGER
In addition to preventing a reboot from overcoming its built-in security, Windows NT includes a powerful tool that can be used to manage se-curity. That tool is known as the User Manager, which is included as a util-ity program whose icon is contained in the window labeled “Administra-tive Tools.” Exhibit 1 illustrates the Windows NT Administrative Tools window, with the “User Manager” icon highlighted.
P A Y O F F I D E A
Unlike Windows 3.1 and Windows 95, Windows NT includes a built-in security mechanism that makes it well-suited for use as both a workstation and server in situations demanding a high degree of security. This article examines the security built into both Windows NT Workstation and Windows NT Server. It also examines how user accounts are established, the assignment of rights, and the use of auditing for different predefined groups con-tained in the operating system. From the informa-tion presented in this article, network managers and administrators will obtain an appreciation for the security features included in both client work-station and server versions of the NT operating system, as well as the use of those features.
The User Manager utility program allows a user to create and manage user accounts, create and manage groups of users, and establish and manage security policies applicable to users of the computer. By double-clicking on the “User Manager” icon, the main User Manager window is displayed. That window is illustrated in Exhibit 2.
The User Manager window illustrated in Exhibit 2 consists of two sec-tions. The upper section provides a list of user accounts, while the lower section contains a list of groups. The usernames “Administrator” and “Guest” are predefined in the operating system. Similarly, the six groups listed in the lower portion of Exhibit 2 are also predefined in the operat-ing system. To the right of each predefined username and group is a de-scription of the intended use of the username and group. At the time the screen shown in Exhibit 2 was captured, the user had logged onto Win-dows NT and created one user account using the username gxheld.
The User Manager window provides two basic methods for working with user accounts and groups. The user can either double click on an entry in the window, or select an entry by single clicking on it and then using an appropriate command from the User menu.
To illustrate the use of double-clicking, this author did so on the user-name entry “Administrator.” The result of this action is a display of a di-alog box labeled “User Properties” for the selected username. This didi-alog box is illustrated in Exhibit 3.
EXHIBIT 2 — Main User Manager Window
In the dialog box illustrated in Exhibit 3, there are five options that can be set for any user account. The first three options govern the user’s password, while the last two options govern actions that can be set to a user’s account. Although Exhibit 3 illustrates the dialog box labeled “User Properties” for the administrator, the same dialog box is generated for any selected user. Now that there is an appreciation for the general use of the User Manager window, the article will now focus on the creation of a new user account.
CREATING A USER ACCOUNT
The creation of a new user account can be easily accomplished by select-ing the “New User” option from the User menu located in the extreme upper-left corner of the User Manager window. This action results in the generation of a dialog box labeled “New User,” which is illustrated in Ex-hibit 4, to include entries placed in the Username, Full Name, and De-scription boxes (by the author of this article). Note that when a user account is established, the default password option is the one shown se-lected. That is, after an administrator sets an initial user password, the user is responsible for changing it when he or she logs in to the comput-er. Once the appropriate user account settings are selected, the user sim-ply clicks on the OK button to establish the account. Once a user account
has been established, the steps required to turn that user into a member of the Power Users group can be examined. Doing so enables the user to share directories and printers.
Once a user account is created, the user can be assigned to a group by either clicking on the button labeled “Groups” in the dialog box la-beled “New User,” or by double clicking on the appropriate group name in the lower left portion of the User Manager window. The latter action is slightly faster because it directly opens the relevant dialog box. In com-parison, the first method requires that an appropriate group be selected, which adds an additional step to the process.
COMPARING NT AND NETWARE GROUPS
Similar to Novell’s NetWare, Windows NT enables one or more users to be associated with one or more groups. Like NetWare, the purpose of Windows NT groups is to provide a facility to set common properties to many users. Where Windows NT groups differ from NetWare groups is in the number and function of predefined groups. Under NetWare, there are two predefined groups — Supervisor and Everyone — with all users automatically assigned to the latter group. Under Windows NT, there are six predefined groups. These groups, which are shown in the lower left portion of Exhibit 2, include Administrators, Backup Operators, Guests, Power Users, Replicator, and Users. Unlike NetWare, in which all users are initially placed into the Everyone group, there are no predefined placements of Windows NT users into any predefined group. Instead, one must manually place users into one or more groups.
ASSIGNING USERS TO GROUPS
The direct assignment of users into a group is accomplished through a Local Group Properties dialog box when users have direct access to a Windows NT computer. That dialog box is generated by either directly double clicking on a user group listed in the lower portion of the User Manager window or selecting the Group entry from the User menu in that window.
Exhibit 5 illustrates the display of the dialog box labeled “Local Group Properties” for the Power Users group. In Exhibit 5, the group named Power Users is highlighted, which serves as an indication that this entry was double clicked on to generate the indicated dialog box. It should also be noted that there are presently no members assigned to the Power Users group.
EXHIBIT 5 — “Local Group Properties” Dialog Box
In the dialog box labeled “Add Users and Groups,” the first selection box labeled “List Names From” gives the ability to select a computer in the NT network for which one wants to select a user. In this example, the computer named “GILSPC” was selected.
The second selection box in the dialog box shown in Exhibit 6 lists the names of users with accounts on the selected computer. The user “RDOLE,” which was previously created in Exhibit 4, is highlighted. Clicking on the Add button after selecting a user name results in the se-lected user being assigned to the group. This is indicated in Exhibit 7, in which the entry “GILSPC\RDOLE” is shown entered in the box labeled “Add Names” located at the bottom of the display. Once users have been added to a group, clicking the button labeled “OK” will terminate the as-signment operation.
WORKING WITH RIGHTS
One of the key properties that can be granted to individual users and groups are user rights. Under Windows NT, a right authorizes a user to perform predefined actions or activities. Assigning rights to a group and assigning users to that group, provides a common set of rights to all members of a group.
Rights apply to the computer system as an entity and should not be confused with permissions. Concerning the latter, permissions are appli-cable to specific objects, such as files and directories, and control the ability of users to access, modify, or delete information.
One can directly grant rights to individual users, or, after assigning us-ers to groups, assign rights to groups of usus-ers. From an administrative perspective, it is easier to assign a user to a built-in group that already possesses required rights in comparison to administering a user rights policy on an individual user basis.
The assignment of rights to users and groups is accomplished through the selection of the “Rights” entry in the “Policies” menu. By first select-ing a user from the upper portion of the User Manager window and then selecting the “Rights” entry from the “Policies” menu, one obtains the ability to assign rights to an individual user. In comparison, by first select-ing a group from the lower portion of the User Manager window and then selecting the “Rights” entry from the “Policies” menu, one would ob-tain the ability to assign rights to the selected group.
Exhibit 8 illustrates the display of the dialog box labeled “User Rights Policy,” which is displayed after selecting the “Rights” entry from the “Pol-icies” menu. In Exhibit 8, the group entry “Power Users” is highlighted, indicating that user rights are being assigned to the highlighted group.
Windows NT currently supports 12 rights, of which 7 are shown when the pull-down box labeled “Rights” was lowered in Exhibit 8. Exhibit 9
provides a complete list of Windows NT rights. When examining those rights, it should be noted that most advanced user rights are primarily useful to programmers developing applications to run on Windows NT, and are not normally granted to conventional users and users of conven-tional groups.
Once the dialog box labeled “User Rights Policy” is generated, rights can be added or removed by clicking on the appropriate button located in the lower right portion of the box. That is, one would click on the “Add” button after selecting an appropriate right to add that right to a previously selected user or group. Similarly, clicking on the “Remove” button removes a right from a previously selected user or group.
AUDITING
In addition to accounts and rights, Windows NT includes a third built-in security measure. That measure is an audit capability that can be used to track selected activities of users or groups.
Through the use of the built-in Windows NT audit policy, one can de-fine the types of security events the operating system will log. The audit capability of Windows NT is invoked by selecting the “Audit” entry from the “Policies” menu in the User Manager window.
Exhibit 10 illustrates the dialog box labeled “Audit Policy,” which is displayed in response to selecting the “Audit” entry from the “Policies” menu. Similar to other Windows NT security-related measures, auditing can be associated to an individual user or a group. To associate auditing with an individual user, first select a user prior to displaying the dialog box labeled “Audit Policy.” In comparison, to associate an audit policy to a group, first select a group prior to displaying the previously mentioned dialog box.
EXHIBIT 9 — Windows NT User Rights • Access this computer from network. • Back up files and directories. • Change the system time.
• Force shutdown from a remote system. • Load and unload device drivers. • Log on locally.
• Manage auditing and security log. • Restore files and directories. • Shut down the system.
In Exhibit 10, the group labeled “Power Users” is highlighted. This in-dicates that the audit policy will be associated with that group. It should also be noted that the default audit policy is “do not audit.” Auditing is assigned on the basis of the success or failure of up to seven events.
Once auditing has been assigned to one or more events, the results of Windows NT auditing can be viewed through the use of the operating system’s Event Viewer. The Event Viewer represents a utility program whose icon is located in the Administrative Tools window previously shown in Exhibit 1. Thus, one can examine the success or failure of log-ons and log-offs, attempts to use user rights, and other events. Although an auditing capability is built into the User Manager as one of three se-curity methods, it can also be used to determine if users are having net-work-related problems, forgot their passwords, or attempted to perform certain operations that should be performed. For example, some users might simply log off a network by powering off their PC at night instead of first performing a log-off to gracefully terminate their network session. The latter action might avoid the potential loss of data due to a file being processed by a server or another operation being performed when the computer was powered off.
RECOMMENDED COURSE OF ACTION
Windows NT includes a three-tier security capability. In addition to set-ting up user accounts, the data communications manager can assign rights to individuals and groups of users as well as perform auditing of different events. By understanding the use and operation of each securi-ty-related measure, as well as how those features are invoked, the work-station and server users can be provided with a secure networking environment.
