Windows 2000 Security Overview
By Stephen Bucaro
Computer network security is a large topic. You can't configure strong security if
you don't have a "top-down" overview of the security features available and how to
configure them. Windows 2000 security includes the following security features.
• User Accounts
• Security Policies
• File Encryption
Windows 2000 provides strong security by centralizing security around Active
Directory. Active Directory stores user accounts, provides authentication services,
and provides centralized security management.
Windows 2000 has two types of user accounts, local and domain. A local user account
exists on a single computer and is used to log onto that computer. A local user
account gives the user access only to resources on that single computer.
A domain user account exists throughout the domain and lets the user log on to the
domain from any computer in the domain. A domain user account gives the user access
to resources on the network.
Windows 2000 uses groups to simplify security and access to resources. A group is a collection of users
who need the same access rights. Instead of assigning access rights to individual users,
access rights are assigned to groups. A user can be a member of several groups.
Domain user accounts and domain groups are created and managed through a Windows 2000
server. Domain user accounts and domain groups are created and managed with the
Active Directory Users and Computers utility. Local user accounts are created and
managed through the Local Users and Groups utility on a Windows 2000 Professional
workstation. The Users and Passwords utility found in the Control Panel is used to
make a local user account from an existing domain account.
When a user logs onto a Windows 2000 system, they provide a user name and a password.
Windows 2000 must then authenticate the user's account. If the user logs on to their
local computer, the authentication is performed by the local security system. If the
user logs on to the network, the authentication is performed by the domain security
system. After a user logs on, they are associated with an "access token". The access
token defines the user's group membership and user rights.
Windows 2000 uses the Kerberos authentication protocol. Kerberos is an authentication protocol developed at
MIT and maintained by the Internet Engineering Task Force. Kerberos encrypts the user
name and password and passes them, along with the encryption key, to any network
service the user requests.
Everything on a Windows 2000 network is an object. Files, folders, printers, and
applications are all objects. Each type of object has a specific set of permissions
that control access to it, for example Read, Modify, or Write.
Every object on the network has a list of which users and groups are permitted to
access the object and what type of access they are granted. This is called an
"Access Control List" (ACL). When Windows 2000 is first installed, a group called
"Everyone" has permission to do anything. The first thing you should do is remove
the Everyone group.
A user has "Full Control" permission over an object they create. This gives them the
right to change the permissions of the object. An object can inherit permissions
from its parent. For example, subfolders can inherit the permissions of their parent folder.
Each time a user attempts to access an object, the user's access token is compared
against the object's ACL to determine whether access is allowed and what type of
access is allowed. It is the job of the system administrator to set permissions that
grant users and groups only the permissions required to perform their jobs.
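The access check just described, as an added example in Python that is not part of the original article or of Windows itself: a small model of an access token (user plus groups), an ACL of allow and deny entries with inheritance from a parent folder, the creator's Full Control, and an audit helper that flags an ACL still granting Everyone Full Control. All user, group, object and right names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed rights; Full Control includes the right to change permissions.
READ, WRITE, MODIFY, CHANGE_PERMS = "Read", "Write", "Modify", "ChangePermissions"
FULL_CONTROL = frozenset({READ, WRITE, MODIFY, CHANGE_PERMS})

@dataclass(frozen=True)
class Ace:                 # one Access Control Entry in an object's ACL
    principal: str         # user or group name (hypothetical names in the test)
    rights: frozenset
    allow: bool = True

@dataclass
class SecurableObject:
    name: str
    aces: list = field(default_factory=list)
    parent: "SecurableObject | None" = None

    def effective_aces(self):
        # Canonical order: explicit denies, explicit allows, then the same
        # for ACEs inherited from the parent folder chain.
        own = sorted(self.aces, key=lambda a: a.allow)
        return own + (self.parent.effective_aces() if self.parent else [])

def create_object(name, creator, parent=None):
    """Creating an object gives its creator Full Control, as the text describes."""
    return SecurableObject(name, [Ace(creator, FULL_CONTROL)], parent)

def access_token(user, groups):
    """Token built at logon: the user plus every group the user belongs to."""
    return frozenset({user, "Everyone", *groups.get(user, ())})

def access_check(obj, token, requested):
    """Compare the token against the ACL; every requested right must be granted."""
    remaining = set(requested)
    for ace in obj.effective_aces():
        if ace.principal not in token:
            continue
        if not ace.allow and ace.rights & remaining:
            return False       # a deny on any still-outstanding right ends the check
        if ace.allow:
            remaining -= ace.rights
        if not remaining:
            return True
    return False               # nothing in the ACL granted the remaining rights

def everyone_full_control(obj):
    """Audit helper: does the ACL (own or inherited) still give Everyone Full Control?"""
    return any(a.principal == "Everyone" and a.allow and a.rights >= FULL_CONTROL
               for a in obj.effective_aces())
```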