Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Windows Server 2003 on HP ProLiant Servers : Security Planning and Design (part 1)

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
2/7/2013 5:11:45 PM

Migrating from Windows NT to Windows Server 2003 presents considerably different challenges in security planning than if you are migrating from Windows 2000, chiefly because if you are at Windows 2000, you probably already migrated from Windows NT and resolved security issues at that point. This section focuses primarily on a Windows NT-to-2000 migration, although there will be notes about security features that are different in 2003, such as the Kerberos cross forest trust.

Security Groups

Windows 2000 introduced two new security groups: universal groups and domain local groups. Other groups, such as built-in and global groups, have been around since Windows NT, but Windows Server 2003 does not introduce any new classes of groups. This section is not intended to educate you on the details of these groups, but how security requirements should be specified in the AD design document. The most significant change in Windows 2000 or 2003 security groups from Windows NT security groups is the addition of universal and domain local groups.

When you create universal groups, as Table 1 indicates, you can include accounts, global groups, and other universal groups from any domain in the forest. This gives the Administrator a great deal of power and flexibility in creating groups with forest-wide scope. Universal groups are only available in Windows 2000 native mode domains and in Windows Server 2003 domain functional level domains. Only GC servers can enumerate universal group membership because only GCs know about all objects in all domains in the forest.

Table 1. Security Group Comparison
Universal GroupsLocal GroupsDomain LocalGlobal
Can contain members from any domain in the forest:
  • Users, computers, printers, contacts

  • Global, universal groups

Can contain accounts; domain local groups from the same domain; global groups, and universal groups from any domain in the forest (mixed or interim Domain functional level).Can contain accounts, global groups, and universal groups from any domain and other domain local groups from the same domain (native mode).Can contain accounts and global groups from the same domain (native mode only).
Can be assigned permissions from any domain in the forest.Can be assigned permissions only on the computer it is defined on.Assigned permissions only in the domain it is in.Assigned permissions in any domain within the forest.
Available in Windows 2000 and 2003 native mode domains only (not Windows 2000 mixed mode). Windows 2000 and 2003 native mode domains. 
Can be converted to domain local. Can be converted to a global group if it doesn't contain other universal groups as members. Can be converted to universal if it doesn't contain any other domain local groups.Can be converted to universal if it's not a member of another global group.

note

Windows Server 2003 provides additional choices in GC authentication with the Universal Group Membership Caching feature.This feature allows a user's universal and global group membership to be cached by a local DC, which contacts the GC on behalf of the user. This provides performance improvement for users in sites that have a DC server, but not a GC server.


The domain local group is seen by all machines in the domain. This gives you the capability of assigning a local group to a resource without having to create it on every single computer in the domain. Domain local groups, like universal groups, are only available in Windows 2000 native mode domains and in Windows Server 2003 native mode (Windows Server 2003 Domain functional level) domains.


Table 1 is a good summary of universal, local, domain local, and global groups.

When migrating from Windows NT 4.0, it's imperative that you make a comprehensive list of all groups defined in the Windows NT domain(s). You might be surprised to find out how many groups are defined and how few are used. In the county government case study noted previously, it had a very small staff of users, but the security group listing was several pages long. A chart such as that in Table 2 helps map the old groups to the new Windows Server 2003 designations and identifies groups that should be eliminated. Remember, the migration is a good opportunity for a house cleaning of groups. 

Table 2. Group Migration Mapping
Group Name and DescriptionScope (Windows NT)Scope (Windows 2003)

DEVGG: global group, developers

GlobalEliminated

PRN-LG1: printers local group1

LocalDomain local

ITS-GG: global group, IT staff

GlobalUniversal (rename to ITS-UG)
Domain usersGlobalGlobal

Role Based Security

Role-based security is a common sense approach. Traditionally, users were assigned security permissions based on their job titles. Role-based security is applied based on the user's job function. Using the group scopes described in the previous section and the user job functions, you can create a map such as that shown in Table 3. You can use the following list to help define these roles; of course, you will probably be able to identify other roles.

  • Identify specific tasks that will need to be performed, such as creating users, changing passwords, starting and stopping services, and managing and creating print queues. Identify tasks that are domain- and OU-centered.

  • Identify the permissions that are required to perform those tasks.

  • Identify specific job functions such as OU Admin, Domain Admin, Enterprise Admin, Desktop Support, Print Operators, Backup Operators, and so forth.

  • Map each job function to the required permissions to perform the tasks that are associated with that function.

Table 3. Role-Based Security Matrix
TaskPermissions GrantedFunction: Domain AdminFunction: Printer OperatorFunction: OU Admin
User Acct ControlCreate UserYesNoYes – for OU
User Acct ControlChange PasswordYesNoYes – for OU
Print Que MgtCreate Print QueYesYesYes – for OU
Print Que MgtClear Print QueYesYesYes – for OU

After these definitions are made, create a global group for each job junction identified, and add the members with that job function to the group. Create a domain local group and apply the appropriate permissions. Add the global group created for the function to the domain local group.


NTFS and Share Permissions

NT File System (NTFS) and share permissions should be mapped out in a form using a table format, for example. This table identifies each directory and the permissions granted to each group. You also should develop a strategy for defining share and NTFS permissions. For instance, because share permissions are less granular and less secure than NTFS permissions, a common strategy is to leave share permissions open and then restrict NTFS permissions. This strategy should also take into account applications that might have their own requirements. You must thoroughly test user access to appropriate data—both gaining access to data they are permitted to access, and being denied access to data they are not permitted to access.


Computer Security Templates

Computer security is determined by the security template used. These templates are stored in %systemroot%\security\templates and contain security settings for basic, secure, and high secure conditions. Although some are applied by default, the Administrator can import them into any Group Policy. They are intended merely as an aid to the Administrator and should not be considered a perfect answer. Windows 2000 contains 12 default security templates:

  • Basicdc.inf: Basic security for DCs.

  • Securedc.inf: Medium-level security for DCs.

  • Hisecdc.inf: High-level security for DCs.

  • DCsecurity.inf: Default security settings for DCs.

  • Basicsv.inf: Default template used for servers that are not DCs.

  • Basicws.inf: Basic security for workstations.

  • Securews.inf: Medium-level security for workstations.

  • Hisecws.inf: High-level security for workstations.

  • Compatws.inf: Relaxed security settings to allow legacy applications to run.

  • Setup Security.inf: Default security settings.

tip

The Setup Security.inf template should never be modified. This template can be used to apply the default security settings to a GPO. Note also that this should not be accomplished by editing the GPO, but by using the Security Configuration and Analysis snap-in. For more information, see “Best Practices for Security Templates” in the Windows Server 2003 online help.


In addition, you can create your own template by creating a GPO, modifying the security settings, and then exporting the settings into an INF file. In the Group Policy Editor, go to Computer Configuration\Windows Settings, right-click on Security Settings, and select Export Policy. Save to the %systemroot%\security\templates folder, and the templates will be easy to import to other GPOs. Table 4 provides a matrix of the security settings for each of these templates in Windows 2000.

Table 4. Security Settings
FilenameAccount PoliciesLocal Policies
 Pass wordAcct Lock-outKerberosAudiingUser RightsSecurity OptionsEvent LogRestricted GroupsSystem ServicesRegistryFile System
Basicdc.inf00000YY00YY
Securedc.infYY0Y0YY0000
Hisecdc.infYY0Y0YY0000
Basicsv.infYY000YY0YYY
Basicwk.infYY00Y0Y0YYY
Compatws.inf0000000Y0YY
Securews.infYY0Y0YYY000
Hisecws.infYY0Y0YY00YY

Windows Server 2003 has only nine of these templates, including compatws.inf, DC security.inf, hisecdc.inf, hisecws.inf, iesacls.inf, rootsec.inf, securedc.inf, securews.inf, and setup security.inf. The DC security.inf template is applied to DCs during the DCPromo process. The rootsec.inf template, new to Windows Server 2003, applies root permissions to the root of the system drive. More information on these templates is available in the Windows Server 2003 online help under Predefined Security Templates.
Other -----------------
- Developing with SharePoint 2010 (part 4) - Developer Toolbar
- Developing with SharePoint 2010 (part 3) - Server Object Model
- Developing with SharePoint 2010 (part 2) - SharePoint Fundamentals
- Developing with SharePoint 2010 (part 1) - Platform Development Tools, Development Server Configuration
- SQL Server 2008 R2 : Creating and Managing Stored Procedures - Viewing Stored Procedures
- SQL Server 2008 R2 : Creating and Managing Stored Procedures - Deferred Name Resolution
- Using Microsoft SharePoint with Microsoft Dynamics CRM Functions (part 2) - Displaying Data Using BDC in Microsoft Office SharePoint Server
- Using Microsoft SharePoint with Microsoft Dynamics CRM Functions (part 2) - Displaying Data Using BDC in Microsoft Office SharePoint Server
- Using Microsoft SharePoint with Microsoft Dynamics CRM Functions (part 1) - Displaying Data in SharePoint Using the List Web Part for Microsoft Dynamics CRM 4.0
- Microsoft Exchange Server 2007 : Single Copy Clusters (part 2) - Installing Exchange Server 2007 on the Active Node
 
 
25 Inspiring Game of Thrones Quotes
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
 
programming4us
Natural Miscarriage
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Game Trailer