
Designing Group Security


Presentation Transcript


  1. Designing Group Security
     • Designing security groups
     • Designing user rights

  2. Designing Microsoft Windows 2000 Security Groups
     • Windows 2000 groups
     • Assessing group usage

  3. Windows 2000 Groups
     • Access to network resources is authorized through inspection of the user SID and any group SIDs for a user account.
     • Use security groups to allow auditing of security access and to simplify the administration of network resources.
     • Define the group type and the group scope when creating a custom group.
     • There are two types of groups: security and distribution.

  4. Security Groups
     • If a group's purpose is to define security for a resource, the group type must be a security group.
     • Used in discretionary access control lists (DACLs) and system access control lists (SACLs) to define security and auditing settings for an object.
     • Membership provides the equivalent rights and permissions assigned to that group.
     • Security group SIDs are included in the access token.

  5. Distribution Groups
     • Used primarily for e-mail distribution lists.
     • When an access token is built for a user, distribution group memberships are ignored.
     • Can be converted into a security group by using Active Directory Users And Computers.
     • SIDs are automatically assigned to newly created distribution groups.
     • Identify the SID of a distribution group by using the Active Directory Administration Tool (Ldp.exe).
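The following PowerShell is an added example for slides 3 to 5 and is not part of the original presentation. It compares the group SIDs that actually sit in the current user's access token with the memberships recorded in Active Directory, so the difference between security and distribution groups becomes visible, and it flags DACL entries on a resource that name a distribution group (such entries grant nothing, because the SID never reaches a token). The share path is a hypothetical placeholder; the script assumes a domain-joined session with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not from the slides: show which of the current user's Active Directory
# group memberships are present as SIDs in the logon access token.
# Security groups are expected in the token; distribution groups are not.
# Assumes a domain-joined session and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "User SID in token : $($identity.User.Value)"

# Group SIDs carried in the token (what DACL and SACL checks on a resource actually see)
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# Group memberships as recorded in the directory, with category and scope
$adGroups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME

$report = foreach ($g in $adGroups) {
    [pscustomobject]@{
        Group    = $g.Name
        Category = $g.GroupCategory      # Security or Distribution
        Scope    = $g.GroupScope         # DomainLocal, Global or Universal
        SID      = $g.SID.Value
        InToken  = ($tokenSids -contains $g.SID.Value)
    }
}
$report | Sort-Object Category, Scope | Format-Table -AutoSize

# Distribution groups have SIDs too, but they never reach a token, so an ACE naming
# one is ineffective. Walk a resource's DACL and warn about any such entries.
$sample = 'D:\Shares\Finance'    # hypothetical path to check
if (Test-Path $sample) {
    (Get-Acl -Path $sample).Access | ForEach-Object {
        try { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { return }      # unresolvable identity (e.g. orphaned SID); skip it
        $grp = try { Get-ADGroup -Identity $sid -ErrorAction Stop } catch { $null }
        if ($grp -and $grp.GroupCategory -eq 'Distribution') {
            Write-Warning "ACE for $($_.IdentityReference) names a distribution group; it grants nothing"
        }
    }
}
```

A distribution group can also be converted from the command line with `Set-ADGroup -Identity <name> -GroupCategory Security`. Either way, the SID only appears in a user's token after that user logs on again, because the token is built at logon; an `InToken = False` row for a security group usually just means the membership changed since the session started.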

  6. Windows 2000 Group Scopes
     • The scope defines
         • Where the group can be used
         • Where group membership is maintained
         • How the group can be used
     • Native-mode group scopes available
         • Domain local groups
         • Global groups
         • Universal groups
         • Computer local groups

  7. Domain Local Groups
     • Used to grant permissions to resources.
     • New groups can be added to existing domain local groups.
     • Membership is maintained in the domain where the domain local group exists.
     • Can only be used on domain controllers (DCs) in a mixed mode environment, much like local groups in Microsoft Windows NT.

  8. Global Groups
     • Used to combine users and other global groups that have similar business requirements.
     • Membership is maintained in the domain where the global group exists.

  9. Universal Groups
     • Used to collect similar groups that exist in multiple domains.
     • Memberships are stored in both the domain where the universal group exists and in the global catalog.
     • Memberships stored in the global catalog can be verified without contacting a DC.
     • Any changes to universal group membership will result in modification and replication of the global catalog.

  10. Computer Local Groups
     • Windows 2000–based computers that are not DCs maintain their own user accounts database.
     • Define permissions for resources stored at that computer.
     • Are not shared between computers.
     • Must be defined at each computer where they exist.

  11. Assessing Group Usage
     • Determine how permissions will be assigned to resources.
     • Create custom groups to provide the permissions necessary to protect resources.
     • Know how group memberships will be set.
     • Define a strategy for assigning permissions:
         • A-G-DL-P
         • A-G-U-DL-P

  12. Domain Local Group Membership
     • Mixed mode membership
         • User accounts from any domain
         • Global groups from any domain
     • Native mode membership
         • User accounts from any domain
         • Global groups from any domain
         • Universal groups from any domain
         • Domain local groups from the same domain

  13. Global Group Membership
     • Mixed mode membership
         • User accounts from the same domain
     • Native mode membership
         • User accounts from the same domain
         • Global groups from the same domain

  14. Universal Group Membership
     • Mixed mode membership
         • None
     • Native mode membership
         • User accounts from any domain
         • Global groups from any domain
         • Universal groups from any domain

  15. Computer Local Group Membership
     • Mixed mode membership
         • Local user accounts
         • Domain user accounts from any domain
         • Global groups from any domain
     • Native mode membership
         • User accounts from any domain
         • Global groups from any domain

  16. A-G-DL-P Strategy

  17. A-G-U-DL-P Strategy
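The PowerShell below is an added example covering slides 11 to 17 and is not code from the presentation. It provisions one permission chain for a file share the way the two strategies prescribe: accounts go into a global group (A-G), the global group is nested into a domain local group (G-DL) that is the only principal placed in the resource DACL (DL-P), and with `$useUniversal` set the global group is first nested into a universal group (G-U-DL), which is the multi-domain variant. It then lists who gains access through the chain and flags any user account that was granted access directly. All names, the OU path, the NetBIOS domain `CORP` and the share path are hypothetical; the script assumes the RSAT ActiveDirectory module and enough rights to create groups and edit the share's ACL.

```powershell
# Added example, not from the slides: provision a permission chain for one file share.
# A-G-DL-P  : Accounts -> Global group -> Domain Local group -> Permission
# A-G-U-DL-P: the same chain with a Universal group between G and DL (multi-domain forests).
# Names, the OU path, the share path and the domain are hypothetical placeholders.
Import-Module ActiveDirectory

$domain       = 'CORP'                           # hypothetical NetBIOS domain name
$ou           = 'OU=Groups,DC=corp,DC=example'   # hypothetical OU that holds custom groups
$accounts     = @('alice', 'bob')                # A : hypothetical user accounts
$globalGroup  = 'GG-Finance-Staff'               # G : role group, members from this domain only
$univGroup    = 'UG-Finance-Staff-AllDomains'    # U : optional forest-wide collection of G groups
$dlGroup      = 'DL-FinanceShare-Modify'         # DL: one group per resource + permission level
$share        = 'D:\Shares\Finance'              # P : the resource being protected
$useUniversal = $false                           # $true selects A-G-U-DL-P

function Ensure-Group {
    # Create a security group with the given scope if it does not exist yet and return it.
    param([string]$Name, [string]$Scope, [string]$Description)
    $g = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
                         -Path $ou -Description $Description -PassThru
    }
    return $g
}

# G: collect the accounts that share a business role
Ensure-Group -Name $globalGroup -Scope Global -Description 'Finance department staff' | Out-Null
Add-ADGroupMember -Identity $globalGroup -Members $accounts

# DL: the only principal that will appear in the resource's DACL
Ensure-Group -Name $dlGroup -Scope DomainLocal -Description "Modify on $share" | Out-Null

if ($useUniversal) {
    # U: global groups from several domains nest here; its membership replicates to the global catalog
    Ensure-Group -Name $univGroup -Scope Universal -Description 'Finance staff, all domains' | Out-Null
    Add-ADGroupMember -Identity $univGroup -Members $globalGroup
    Add-ADGroupMember -Identity $dlGroup   -Members $univGroup
} else {
    Add-ADGroupMember -Identity $dlGroup -Members $globalGroup
}

# P: grant the permission to the domain local group, never to individual accounts
$acl  = Get-Acl -Path $share
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$dlGroup",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Checks: who actually gets access through the chain, and whether any user account
# was granted access directly (which breaks the strategy and complicates auditing).
Get-ADGroupMember -Identity $dlGroup -Recursive | Select-Object SamAccountName, objectClass
(Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference -like "$domain\*" } |
    ForEach-Object {
        $principal = ($_.IdentityReference.Value -split '\\')[1]
        $obj = Get-ADObject -Filter "SamAccountName -eq '$principal'"
        [pscustomobject]@{
            Identity   = $_.IdentityReference.Value
            Rights     = $_.FileSystemRights
            DirectUser = ($obj.objectClass -eq 'user')   # $true: a user sits in the DACL directly
        }
    }
```

Keeping one domain local group per resource and permission level (here "Modify on the Finance share") is what makes the DACL reviewable: the ACL names a single group whose meaning is in its name, and the recursive member list shows the effective audience. Universal group membership is the part that replicates to the global catalog, so when `$useUniversal` is on, put only the global groups in the universal group, not individual accounts, to keep that replication small.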

  18. Making the Decision: Designing Custom Security Groups
     • Determine if an existing group meets requirements.
     • Define what purpose the group will serve.
     • Determine if additional groups are required.
     • Do not assign excess permissions.
     • Document new groups.

  19. Applying the Decision: Designing Custom Security Groups for Hanson Brothers
     • Determine existing groups.
     • Determine the number of group scopes using A-G-DL-P.
     • Determine the number of group scopes using A-G-U-DL-P.
     • Choose a methodology.
     • Document the newly created groups.

  20. Designing User Rights
     • Defining user rights with Group Policy
     • User rights within Windows 2000
     • Assessing where to apply user rights

  21. Defining User Rights with Group Policy
     • Administrators define user rights to authorize users to perform specific actions:
         • Who can log on to a computer
         • Methods for logging on to a computer
         • Privileges that have been assigned to a user or group on that computer
     • It is best to define user rights by using Group Policy
         • Ensures consistent application of user rights
         • Ensures that local changes will not override settings applied at the site, domain, or OU level

  22. User Rights Within Windows 2000
     • Defined within local computer policy.
     • Applied through the Windows 2000 Group Policy defined at the site, domain, or OU.
     • Always preferable for a centrally administered network.
     • Take precedence over local computer policy.
     • Know what privilege a user right provides to any security principals.
     • Group computers that require like assignments into the same container.

  23. Assessing Where to Apply User Rights
     • Store DCs within the Domain Controllers OU and apply user rights to the Domain Controllers OU Group Policy.
     • Collect all Windows 2000 member servers into a common OU structure.
     • Apply the user rights settings at the domain to affect all computers running Windows 2000 Professional in the domain.

  24. Determining Where to Apply User Rights

  25. Making the Decision: Designing User Rights
     • Determine what user rights to grant to a security principal.
     • Determine where to apply user rights.
     • Determine whether to apply user permissions or user rights.

  26. Applying the Decision: Designing User Rights for Hanson Brothers’ Deployment of Exchange Server
     • Determine a name for the service account.
     • Determine which user rights to assign to the service account.
     • Determine where to assign the user rights.

  27. Chapter Summary
     • Designing Windows 2000 security groups
         • Group types
         • Group scopes
         • Assessing group usage
         • Group memberships
         • A-G-DL-P and A-G-U-DL-P strategies for assigning permissions
     • Designing user rights
         • Assessing where to apply user rights
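The PowerShell below is an added example for slides 21 to 23 and 26; it is not part of the presentation. Once user rights have been set through Group Policy at the site, domain or OU, the question on each computer is which rights actually took effect for a given principal. The script exports the effective user rights assignment with `secedit.exe`, parses the `[Privilege Rights]` section, and checks a service account against a small policy: the logon right it needs and a few rights it should never hold. The account name `CORP\svc-exchange` and the required/forbidden lists are hypothetical placeholders; the script must run elevated, since `secedit` needs administrative rights.

```powershell
# Added example, not from the slides: audit the effective user rights on this computer
# for one service account. Account name and the policy lists are hypothetical.
$svc = 'CORP\svc-exchange'    # hypothetical service account

# Export only the user rights area of the effective local security policy
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse [Privilege Rights]: lines look like  SeServiceLogonRight = *S-1-5-80-...,CORP\name
$rights = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right   = $Matches[1]
    $members = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    # Entries prefixed with * are raw SIDs; translate them to DOMAIN\name where possible
    $rights[$right] = @($members | ForEach-Object {
        if ($_.StartsWith('*')) {
            try {
                ([System.Security.Principal.SecurityIdentifier]$_.Substring(1)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $_ }           # orphaned or unknown SID: keep it as-is
        } else { $_ }
    })
}
Remove-Item -Path $cfg -Force

# Policy for the service account: the right it needs, and rights it must not hold
$required  = @('SeServiceLogonRight')                                       # Log on as a service
$forbidden = @('SeInteractiveLogonRight', 'SeDebugPrivilege', 'SeTcbPrivilege')

foreach ($r in $required) {
    $has = $rights[$r] -contains $svc
    '{0,-26} required  : {1}' -f $r, $(if ($has) { 'OK' } else { 'MISSING' })
}
foreach ($r in $forbidden) {
    $has = $rights[$r] -contains $svc
    '{0,-26} forbidden : {1}' -f $r, $(if ($has) { 'PRESENT - review' } else { 'OK' })
}

# Full picture: every right the account holds on this computer, for the design document
$rights.GetEnumerator() | Where-Object { $_.Value -contains $svc } | Select-Object -ExpandProperty Key
```

Because the export reflects the policy as applied, not as written in any one GPO, running it on a domain controller, a member server and a workstation shows whether the OU structure recommended in slide 23 actually delivered the intended rights to each class of computer. A right granted through a group the account belongs to will show the group name rather than the account, so extend the `-contains` checks with the account's groups when nested grants are in use.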
