• Mean Time Between Failures (MTBF)
• offline
• online
• RAID
• removable media
• stateless protocol
Chapter 10: Windows Security
This chapter will provide you with all the information you need to understand the major Windows security mechanisms in the Windows NT/2000/XP family, along with some
management advice and practical walkthroughs.
But no single chapter, and perhaps not even a single book, could cover the wide array of Windows security mechanisms in complete detail. Once you’ve read this chapter and used the
information presented herein to design a security architecture for your network, consult the Internet RFCs upon which most of these standards are based for technical details of their
operation. Microsoft’s Resource Kits and Training Kits are the authoritative source for the Microsoft implementation of these mechanisms and should be consulted for configuration-
specific information.
Windows Local Security
Windows security is based on user authentication. Before you can use a Windows computer, you must supply a username and a password. The logon prompt provided by the WinLogon
process identifies you to the computer, which then provides access to resources you are allowed to use and denies access to things you aren’t. This combination of a user identity and
password is called a user account.
logon prompt
The interface through which users identify themselves to the computer.
user account
The association between a user account name, a password, and a security identifier.
Note Windows 95/98/Me has no significant security mechanisms to speak of, and these systems are not in themselves secure, so no information in this chapter applies to them.
It is possible for a computer to be set up to automatically log on for you, using stored credentials or an account that has an empty password (as is the case by default in
Windows XP Home), but an account is still logged on, and the security that applies to that account is used to manage permissions for that user session.
Windows also provides Security Groups. When a user account is a member of a security group, the permissions that apply to the security group also apply to the user account. For
example, if a user is a member of the “Financial” security group, then the permissions of the Financial security group are applied to the user account. User accounts may be members of
any number of security group accounts, and they accumulate the sum of the permissions allowed for all of those groups.
Security Group
A construct containing a SID that is used to create permissions for an object. User accounts are associated with security groups and inherit their permissions from them.
Note Allowing multiple people to log in using a single account invalidates the concept of accountability that is central to Windows security. Even when a group of people do the
same job, each user should have an individual account so that when one user violates security, you can track the violation back to a specific user rather than a group of
people. If you want to control security for a group of people, use security groups rather than shared accounts.
User and group accounts are only valid for the Windows computer on which they are created. These accounts are local to the computer. The only exception to this rule is computers that are
members of a domain and therefore trust the user accounts created in the Active Directory on a domain controller. Domain security is discussed in the next section. Computers that are
members of a domain trust both their own local accounts and Active Directory accounts (Windows 2000) or the PDC’s accounts (Windows NT).
Warning The most common Windows security flaw I see is administrators who strongly secure domain accounts yet forget about the local administrator account on
workstations and member servers. These passwords are rarely changed from the installation default, which is frequently left blank or set to something simple during
the operating system installation. Always set very strong local administrative account passwords.
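One way to check a machine for the weakness this warning describes, as an added example that is not from the book: a PowerShell function that flags enabled local accounts whose password may be blank, was never set, or is older than a threshold. The function name, the 90-day threshold and the sample accounts are assumptions made for illustration; the input objects use the property names that `Get-LocalUser` returns.

```powershell
# Added example (not from the book). Function name, threshold and sample
# accounts are assumptions; property names match Get-LocalUser output.
function Test-LocalAccountPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Account,
        [int]$MaxPasswordAgeDays = 90,   # assumed policy threshold
        [datetime]$Now = (Get-Date)
    )
    process {
        if (-not $Account.Enabled) { return }   # disabled accounts cannot log on
        $findings = @()
        if (-not $Account.PasswordRequired) {
            $findings += 'blank password permitted'
        }
        if ($null -eq $Account.PasswordLastSet) {
            $findings += 'password never set'
        }
        elseif (($Now - $Account.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
            $findings += "password older than $MaxPasswordAgeDays days"
        }
        if ($findings.Count -eq 0) { return }
        # The built-in Administrator keeps RID 500 even when it is renamed.
        $isBuiltinAdmin = "$($Account.SID)" -match '-500$'
        [pscustomobject]@{
            Name         = $Account.Name
            BuiltinAdmin = $isBuiltinAdmin
            Findings     = $findings -join '; '
        }
    }
}

# Constructed sample accounts (SIDs and dates are made up for this example).
$d = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'Administrator'; SID = "${d}-500"; Enabled = $true
                       PasswordRequired = $true; PasswordLastSet = [datetime]'2019-03-14' }
    [pscustomobject]@{ Name = 'kiosk'; SID = "${d}-1001"; Enabled = $true
                       PasswordRequired = $false; PasswordLastSet = $null }
    [pscustomobject]@{ Name = 'jsmith'; SID = "${d}-1002"; Enabled = $true
                       PasswordRequired = $true; PasswordLastSet = [datetime]'2024-05-20' }
    [pscustomobject]@{ Name = 'Guest'; SID = "${d}-501"; Enabled = $false
                       PasswordRequired = $false; PasswordLastSet = $null }
)
$sample | Test-LocalAccountPassword -Now ([datetime]'2024-06-01') | Format-Table -AutoSize
```

On a live system that has the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 and later, which postdates the Windows versions this chapter covers), pipe `Get-LocalUser` into the function in place of `$sample`.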
Each Windows computer has its own list of local user and group accounts. The WinLogon process (which logs you on and sets up your computing environment) passes your credentials
to the Local Security Authority (LSA) when you log in. The LSA determines whether you are attempting to log on using a local account or a domain account.
process
A running program.
Local Security Authority (LSA)
The process that controls access to secured objects in Windows.
If you’re using a local account, the LSA invokes the Security Accounts Manager (SAM), which is the Windows operating system component that controls local account information.