Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97


7.4.3. Group Strategies

Granting resource privileges to groups rather than to users directly is preferable. The recommended method of assigning permissions is as follows:

1.  Create a descriptive global group to organize the user accounts.
2.  Make the user accounts members of the global group.
3.  Create a descriptive local group at the place of the resource if one does not already exist.
4.  Grant the local group the appropriate permissions to the resource.

On the surface, taking all these steps might seem unnecessary. Technically there is nothing wrong with assigning the user account permissions directly to the resource. The benefit of following this order is easier to appreciate when you try to track the permissions of a user from a single point or try to create an additional user with the same privileges as another.

This is the preferred method of granting permissions. Remember that on the exam you might be asked not only what is the best method, but what is technically possible.
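The following model of the four-step strategy is an added illustration, not code from the book or from Windows NT itself. It keeps users only in global groups, nests the global group in a local group at the resource, and grants permissions to the local group; resolving one user's access then means walking memberships, which is the "single point" view the text refers to. A direct user grant is still permitted, as the text says it is technically possible, so that its cost can be shown: cloning a user's group memberships does not carry a direct grant across. The domain, users, group names and share paths are constructed sample values.

```python
"""Model of the four-step group strategy from section 7.4.3 (added example)."""
from collections import defaultdict


class NTDirectory:
    """Tiny in-memory stand-in for a domain plus one resource server's ACLs.

    Everything here is constructed sample data; it models the bookkeeping,
    not the real SAM or NTFS security descriptors.
    """

    def __init__(self):
        self.users = set()
        self.global_groups = defaultdict(set)   # global group -> users
        self.local_groups = defaultdict(set)    # local group  -> nested global groups
        self.acls = defaultdict(dict)           # resource -> {principal: permission}

    def add_user(self, user):
        self.users.add(user)

    def add_to_global(self, user, global_group):        # steps 1 and 2
        self.global_groups[global_group].add(user)

    def add_to_local(self, global_group, local_group):  # step 3
        self.local_groups[local_group].add(global_group)

    def grant(self, resource, principal, permission):   # step 4 (or the direct shortcut)
        self.acls[resource][principal] = permission

    def groups_of(self, user):
        """Every global and (via nesting) local group the user belongs to."""
        globals_ = {g for g, members in self.global_groups.items() if user in members}
        locals_ = {l for l, nested in self.local_groups.items() if nested & globals_}
        return globals_ | locals_

    def effective_permissions(self, user):
        """Resource -> set of permissions: one user's access seen from a single point."""
        principals = self.groups_of(user) | {user}
        result = defaultdict(set)
        for resource, aces in self.acls.items():
            for principal, permission in aces.items():
                if principal in principals:
                    result[resource].add(permission)
        return dict(result)

    def clone_memberships(self, template_user, new_user):
        """Create a user with the same privileges as another by copying group memberships."""
        self.add_user(new_user)
        for members in self.global_groups.values():
            if template_user in members:
                members.add(new_user)

    def direct_grants(self):
        """ACL entries that name a user instead of a local group; these are not cloned above."""
        return sorted((resource, principal, permission)
                      for resource, aces in self.acls.items()
                      for principal, permission in aces.items()
                      if principal in self.users)


def build_sample():
    """Constructed sample domain: two accountants, one ledger share, one shortcut."""
    d = NTDirectory()
    for user in ("alice", "bob"):
        d.add_user(user)
        d.add_to_global(user, "Accounting Staff")         # descriptive global group
    d.add_to_local("Accounting Staff", "Ledger Readers")  # local group at the file server
    d.grant(r"\\FS1\Ledger", "Ledger Readers", "Read")
    d.grant(r"\\FS1\Budget", "bob", "Change")             # direct grant, the shortcut
    return d


if __name__ == "__main__":
    d = build_sample()
    d.clone_memberships("bob", "carol")
    print("bob  :", d.effective_permissions("bob"))
    print("carol:", d.effective_permissions("carol"))   # Budget access missing
    print("direct grants:", d.direct_grants())
```

Running the block shows that carol, created "with the same privileges as bob" by copying memberships, lacks the Budget access bob received directly; `direct_grants()` is the check that finds such entries so they can be moved onto a local group.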

7.5. Implementing Policies

By properly implementing user policies, an NT administrator can easily control users’ abilities to perform specific system functions. Policies are used to enforce rules on an NT network. These rules may apply to users and groups or even to the system itself. This section demonstrates how to implement various rights utilizing both User Manager for Domains and the System Policy Editor.

7.5.1. Implementing User Rights

The user rights discussed in this section deal with specific abilities to perform actions such as logging on locally to a system. Do not confuse these rights with the rights or permissions assigned to users and groups to shares or NTFS resources.

An NT Server administrator modifies user rights by using User Manager for Domains. Rights allow users and groups to perform certain actions. For example, members of the Backup Operators group are able to both back up and restore local files; this is based on the Backup Operators group being assigned the right to perform these tasks as shown in Figure 7.14.


Figure 7.14.  The Backup Operators group is assigned by default the rights to back up and restore the system.

As an administrator, you can control access to the system both locally and from across the network through the use of rights. If a particular server were to be secured so that only members of the Accounting group could gain access from across the network, an administrator could remove the Everyone group from having the right to access this system from across the network. The Accounting group could then be added as the only group with network access to that server.

7.5.2. Implementing Account Policies

Account restrictions are another form of policy that an NT administrator can use to secure a system. One of the most common restrictions that an administrator can enforce is how passwords are handled for users of the system or domain. As Figure 7.15 shows, a majority of the account policies deal directly with password-related issues.


Figure 7.15.  The majority of account policies deal directly with password issues.

Password Restrictions

Assigning password restrictions must be done while balancing security risk against user convenience. When in doubt it is always safer to err on the side of caution. In Figure 7.15 the administrator is implementing some relatively strong account policies. The settings in the example vary from the default settings, which are more permissive.

  Users must change their password every 42 days.
  Passwords must be a minimum of 10 characters.
  Users can change their password only once every two days.
  By setting the password uniqueness to 5, it will be a minimum of 10 days before a user could reuse the same password. Multiply password uniqueness (5) by minimum password age (2) to derive the number 10.
  An account will be locked out for 30 minutes if five bad logon attempts occur within a period of 30 minutes.
  Users must log on to change their passwords. If they let a password expire an administrator must reassign a password for them.
  Users will be forcibly disconnected from the system if they remain attached over their allowed time window.
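The account-policy model below is an added example, not code from the book or from NT's User Manager for Domains. It takes the values the text reads off Figure 7.15 as defaults and enforces them the way the list above describes: minimum length, minimum age, the remembered-password check, expiry, and a lockout that triggers on five bad attempts within a 30-minute window and lasts 30 minutes. The exact way NT ages out old bad attempts is not described on this page, so the sliding window here is an assumption; the password digest, the timestamps and the sample passwords are constructed for the example.

```python
"""Account-policy model for the settings in section 7.5.2 (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccountPolicy:
    """The values the text reads off Figure 7.15, used as defaults."""
    max_password_age_days: int = 42
    min_password_length: int = 10
    min_password_age_days: int = 2
    password_uniqueness: int = 5          # previous passwords remembered
    lockout_threshold: int = 5            # bad logon attempts ...
    lockout_window_minutes: int = 30      # ... within this many minutes ...
    lockout_duration_minutes: int = 30    # ... lock the account for this long

    def min_days_before_reuse(self):
        # The lower bound the text computes: uniqueness x minimum age (5 x 2 = 10).
        # The change-by-change timeline can be longer, never shorter.
        return self.password_uniqueness * self.min_password_age_days


def _digest(password):
    # Model only: a real SAM stores a password hash, never the password itself.
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    def __init__(self, policy):
        self.policy = policy
        self.history = []          # digests, oldest first, current password last
        self.last_change = None
        self.failures = []         # timestamps of recent bad logon attempts
        self.locked_until = None

    def check_new_password(self, candidate, now):
        p = self.policy
        if len(candidate) < p.min_password_length:
            return False, "shorter than minimum length"
        if self.last_change and now - self.last_change < timedelta(days=p.min_password_age_days):
            return False, "minimum password age not reached"
        if _digest(candidate) in self.history[-p.password_uniqueness:]:
            return False, "password was used recently"
        return True, "ok"

    def change_password(self, candidate, now):
        ok, reason = self.check_new_password(candidate, now)
        if ok:
            self.history.append(_digest(candidate))
            self.last_change = now
        return ok, reason

    def password_expired(self, now):
        return (self.last_change is not None and
                now - self.last_change > timedelta(days=self.policy.max_password_age_days))

    def logon(self, password_correct, now):
        """Returns 'logged on', 'bad password', 'locked out' or 'password expired'."""
        p = self.policy
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked out"
            self.locked_until, self.failures = None, []   # lockout duration elapsed
        if password_correct:
            if self.password_expired(now):
                return "password expired"   # user let it lapse: administrator must reset it
            self.failures = []
            return "logged on"
        # Assumed sliding window: keep only attempts younger than the lockout window.
        window = timedelta(minutes=p.lockout_window_minutes)
        self.failures = [t for t in self.failures if now - t < window] + [now]
        if len(self.failures) >= p.lockout_threshold:
            self.locked_until = now + timedelta(minutes=p.lockout_duration_minutes)
            return "locked out"
        return "bad password"


if __name__ == "__main__":
    policy = AccountPolicy()
    t0 = datetime(1998, 3, 2, 9, 0)          # constructed reference time
    acct = Account(policy)
    print(acct.change_password("Ledger-Mar-1998", t0))
    for minute in range(5):
        print(minute, acct.logon(False, t0 + timedelta(minutes=minute)))
    print("after lockout expires:", acct.logon(True, t0 + timedelta(minutes=35)))
```

Two things the list alone does not make obvious fall out of running the model: a correct password presented during the lockout period is still refused, and a bad attempt that is older than the window no longer counts toward the threshold.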

7.5.3. Implementing an Audit Policy

Implementing a proper audit policy is part of any good management and security plan. The key is determining which objects will be of value to audit. Never arbitrarily select the objects to audit; auditing the wrong objects will be of no value and auditing all objects will degrade system performance. By default auditing is disabled.

In Figure 7.16 an audit policy that covers the most frequently audited parameters has been implemented.


Figure 7.16.  The audit policy can be configured to track the success and failures for various events.

In Figure 7.16 the administrator has implemented an audit policy that will enable her to track basic attempts at security violations.

  Logon and Logoff: By tracking both successful and unsuccessful logon attempts, the administrator can verify both valid and invalid logon attempts and their sources.
  File and Object Access: Enabling this option as a policy does not in itself create an object audit trail. The administrator is required to identify which NTFS files and directories are to be audited. This option must also be selected for the option to audit the printer to function.
  User and Group Management: The administrator has chosen to audit when a successful change has been made to an account, such as a new member being added to a group or a password being changed.
  Security Policy Changes: All attempts to modify trust relationships, audit policies, and user rights can be tracked.
  Restart, Shutdown, and System: An entry is made to the security log whenever the system is restarted or shut down, or when the security log is truncated or overwritten.

All of the security events that are tracked will be recorded in the security log. The security log can be viewed through the Event Viewer.
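As an added example of what the audit categories above actually buy the administrator once the security log is exported, the script below triages a small constructed log: it counts failed logons by user and by source workstation, lists account and policy changes, and flags a cleared security log. It is not code from the book or from NT's Event Viewer; the column layout, the event records, the user and computer names, and the category strings (taken from the list above) are all constructed for the example.

```python
"""Security-log triage for the audit categories in section 7.5.3 (added example)."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample export.  Columns and every value are invented for this
# example; the categories mirror the audit policy described in the text.
SAMPLE_LOG = """\
time,category,outcome,user,source,detail
1998-03-02 08:55:12,Logon/Logoff,Success,alice,WS-ACCT01,Interactive logon
1998-03-02 09:01:05,Logon/Logoff,Failure,bob,WS-ACCT02,Bad password
1998-03-02 09:01:40,Logon/Logoff,Failure,bob,WS-ACCT02,Bad password
1998-03-02 09:02:10,Logon/Logoff,Success,bob,WS-ACCT02,Interactive logon
1998-03-02 09:14:00,Logon/Logoff,Failure,administrator,WS-TEMP07,Bad password
1998-03-02 09:14:20,Logon/Logoff,Failure,administrator,WS-TEMP07,Bad password
1998-03-02 09:14:45,Logon/Logoff,Failure,administrator,WS-TEMP07,Bad password
1998-03-02 09:15:10,Logon/Logoff,Failure,administrator,WS-TEMP07,Bad password
1998-03-02 09:15:30,Logon/Logoff,Failure,administrator,WS-TEMP07,Bad password
1998-03-02 09:30:00,User and Group Management,Success,administrator,PDC1,Member added to global group Accounting Staff
1998-03-02 09:31:00,Security Policy Changes,Success,administrator,PDC1,User right assigned
1998-03-02 09:32:00,"Restart, Shutdown, and System",Success,administrator,PDC1,Security log cleared
"""


def parse_security_log(text):
    """One dict per record; the quoted category with commas is handled by csv."""
    return list(csv.DictReader(StringIO(text)))


def failed_logons(events):
    return [e for e in events if e["category"] == "Logon/Logoff" and e["outcome"] == "Failure"]


def triage(text, threshold=5):
    """Summarise what each audited category lets the administrator see.

    threshold matches the lockout threshold in the account policy: a source
    that reaches it within the log is worth a closer look.
    """
    events = parse_security_log(text)
    failures = failed_logons(events)
    by_source = Counter(e["source"] for e in failures)
    by_user = Counter(e["user"] for e in failures)
    return {
        "failed_by_source": dict(by_source),
        "failed_by_user": dict(by_user),
        "sources_at_threshold": sorted(s for s, n in by_source.items() if n >= threshold),
        "account_changes": [e["detail"] for e in events
                            if e["category"] == "User and Group Management"],
        "policy_changes": [e["detail"] for e in events
                           if e["category"] == "Security Policy Changes"],
        # A cleared security log is itself recorded, which is why the
        # Restart, Shutdown, and System category is worth auditing.
        "log_cleared": [e["time"] for e in events
                        if e["category"] == "Restart, Shutdown, and System"
                        and "log cleared" in e["detail"].lower()],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two failed attempts from WS-ACCT02 followed by a success read as a mistyped password; the five against the administrator account from WS-TEMP07 reach the lockout threshold, and the cleared-log entry shortly afterwards is exactly the kind of record that only survives because that category was audited.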

7.6. Implementing System Policies

System policies are restrictions that the administrator can dictate and that take effect as changes to the registry. The policies can be established for all computers and users of a domain or for only selected users and computers. The primary tool for managing policies is the System Policy Editor. This section details the use and implementation of policies using this application.


Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc.