mcseFREEsite Just the right place to learn for Microsoft certifications

Windows NT Workstation and Server
(Study Guide: Written By Baalendu Dadhich)
Part 2

 In Windows NT, there is a well-managed mechanism to carry out transactions involving files and directories. Unlike desktop operating systems, files are not everyone's property. They are not open for everyone to manipulate in whatever manner he or she wants to. In compliance with the C2 level security standards, Windows NT provides a proper file access management system that uses a set of permissions to regulate access to files and directories. Under this system, different groups of users are given different levels of permissions in context with files. They can access these files within the scope of permissions granted to them.

 There are two different sets of permissions. 1) Share level permissions and 2) NTFS permissions. Share level permissions apply when a user accesses a disk resource (file or directory) over the network (from other computer that is a member of the network). These permissions are available both on FAT formatted drives as well as NTFS formatted drives. On the contrary, NTFS permissions apply when a user accesses a disk resource either locally or remotely (over the network). They are only available if the drive/ partition is formatted using NTFS. From exam point of view this paragraph is of extreme importance.

 We will first talk about Share level permissions. Before we proceed, let's understand what 'Share' is. Probably you know that when you work in networking environment, you have the liberty to use files/directories, which are actually stored on other computers. But it does not mean that you can access all the files residing over all the computers that are part of the network. Your access is limited to a few directories, which have been properly declared accessible over the network by 'Sharing.' You share a directory by first selecting it and then pressing the 'Shared As' radio button in the Sharing tab of the properties window. You must be aware that when you right click over a file or directory, you are presented with the Properties Window that keeps different details regarding it. You can give any shared name to the shared directory. Share name does not have to be the same as the directory name. You can assign permissions to particular groups or users by clicking Permissions button.

 After sharing, the following noticeable changes will occur:

• An open palm will appear under the directory icon in Windows NT Explorer.
• The directory will now be accessible over the network from other computers.

Other computers will be able to access this directory with the Shared name and not the original name in accordance with the permissions they enjoy over it. They will only see the Shared name when they will list all the network directories using Network Neighborhood. You must be aware that Network Neighborhood is the utility to access disks resources over the network.

 Remember: Sharing can only be done at folder (directory) level. You can't share a file. Also, by default all the subdirectories inherit the share access level of the parent directory. Again, only Administrator and a group called Power Users are allowed to create shares on a Windows NT Workstation and Windows NT Member Server. On Domain Controllers (Servers with administrative abilities), this can be done also by Domain Admins and Server Operators. We will talk about these server roles and groups shortly.

 Share level permissions used in Windows NT are the following:

 In Shared permission mechanism, Administrators can always take ownership of files, even if they are restricted to No Access permission.

 You can also create hidden shares by putting $ sign at the end of a share name. These directories and their content will not be visible to others.

 Sharing can also be done from command prompt. Syntax for this is:

Net use <share_name> = <drive_name>: path /remark /users

Let's now talk about NTFS permissions, which are available both for directories as well as files. The procedure for assigning NTFS permissions is the same as Share level permissions that is by selecting a directory (or a file), invoking its Properties Windows, go to Security tab, click to Add button and select which group or user is to be given what permission.

 NTFS provides the following directory level permissions:

 File level permissions available by NTFS security mechanism are the following:

 A thing or two about effective permissions in case of clash between different levels of permissions:

If a user has both levels of permissions (Share level + NTFS) assigned to a directory, the effective permissions will be the following:

• If the user is accessing the directory locally (by sitting over the same computer where the directory resides), only NTFS level permissions will be applicable.
• If he is accessing the directory remotely (over the network, from other computer), then the most restrictive permissions (between share level and NTFS) will be applicable.
• If a user is a member of different groups having different Share level permissions on the directory, the least restrictive permissions will be effective Share level permissions. Likewise, If a user is a member of different groups having different NTFS permissions on the directory, the least restrictive permissions will be effective NTFS permissions. If he is a member of different groups that have different permissions of both types (NTFS as well as Share level), then First we will calculate the least restrictive permissions of each type (least restrictive NTFS permissions and least restrictive Share level permissions) and finally find out the most restrictive permissions between them (between the effective Share level permissions and the effective NTFS permissions) that will be applicable on the directory.
• No Access permission nullifies all other permissions. If a person has Full Control over a file but the group he is a member of has only No Access permissions over it, the effective permission will be No Access. Likewise, if he has No Access permission over the directory and Full Control permission over the file, the effective permission will be No Access.

 Copying a file to a directory on the same NTFS volume will result in the copied file inheriting the access attributes of the target directory. If a file is moved to a directory on the same NTFS volume, it will keep its own access attributes. But if a file is moved to a directory located on a different partition, it will inherit the access attributes of the target directory. These rules are same as those regarding compressed directories.

 If a user has full control over a directory, he can delete top-level files in that directory even if he is not given delete permission on those files. This feature is called File Delete Child.

 By default all directories have Everyone/ Full Control permissions, except for Windows NT installation directory that has System/ Full Control permissions.

Account Management

 As we have already discussed, makers of Windows NT have given security issues utmost importance. A result of this is the account management system that maintains a list of valid users and groups and the level of access granted to them against every object. Whenever these users or members of groups try to access a particular resource, the system first checks from its database whether they are valid users and to what extent they are allowed to access that resource.

 Windows NT administrators can create two types of accounts: User and Group. User accounts belong to one person only. Rights and permissions assigned to a user account affect only the person who uses that account to log on. Group accounts are shared by more than one person and all their members possess all the rights and permissions held by the group. Whenever the user or member of a group logs on, a check of their rights is carried out and an Access Token is generated that keeps record of their access rights over every object. Afterwards, whenever the person tries to access any file or any other resource (such as printers) the system first takes a look at the access token to ascertain whether he should be allow to proceed.

 You must already know what a domain is. Before we proceed further, you should also know that Windows NT Server can work in three different roles: Primary Domain Controller, Secondary Domain Controller and Member Server. Of them, the first two are used for administrative purposes and the third as an ordinary member of the network.

 Windows NT Workstation and Windows NT Server includes six built-in groups that are an integral part of the system. These groups cannot be deleted or renamed. These groups are Administrators, Power Users, Users, Guests, Backup Operators and Replicator. Let's have a look at their inherent rights.

 Till now we have only talked about Local groups, whose scope of functions was limited only to the computers they were attached to. Let's now talk about accounts with a wider scope of rights. When a Windows NT Server is made a Primary Domain Controller or Backup Domain Controller, 6 additional groups are created. Of them three are local groups like all other groups we have talked about and three others are built-in Global Groups. Rights of these Global Groups have a wider scope and are not limited to local computers only. Members of these groups can work on all computers that are part of the domain network. These global groups are:

Local groups created on Domain Controllers are:

 Apart from these built-in groups two built-in users are also created on all the computers. They are Administrator (by default a member of Administrators local group on Workstation and Member Server and Domain Admin group on Domain Controllers) and Guest (Bu default a member of Guests local group on Workstation and Member Server and Domain Guests group on Domain Controllers).

 Two very important points to remember:

• Users and Global groups can be made members of local groups while local groups cannot be members of global groups.
• Only local groups have access to resources. Global groups don’t have access to files, printers etc. If they are to be given access to these resources, you have to make these global groups members of the local groups that have access to the resources. For example, Accountants local group has access to a particular printer which members of a Global group called Marketing want to use. There is only one way for them to use the printer and that is to make Marketing group a member of the Accountants local group. Members of Marketing group can individually be made members of Accountants local group too.

 Domain users and groups are created using a utility called User Manager for Domains that is found only on domain controllers. User Manager for Domains can also create local groups that will be available on the particular computers only. This utility is also used for assigning these users and groups access rights to particular resources.

 Local users and groups on the Windows NT Workstation and Windows NT Server can be created using similar utility called User Manager. This utility is also used for assigning these users and groups access rights to particular resources.

 Users can also be copied and renamed. When we copy a user's account his rights and permissions are not copied. But when we rename an account, all the rights and permissions are automatically made available to the new user. This is particularly useful when another user needs to be assigned same rights (For example when an executive replaces another and needs to have similar rights on all the files that the earlier executive used to access). This will save the administrator from the trouble of assigning the new user rights on each and every resource individually.

 Groups cannot be renamed.

 Guest account is disabled by default.

 User account names can be up to 20 characters long.

 Global groups can be created on a PDC from any Windows NT Workstation, Windows NT Member Server or even Windows '95 client if they have User Manager for Domains utility installed.

 Administrators or Power Users have the right to create local groups on Windows NT Workstation and Member Server. Administrators local group and Account Operators local group can create Global as well as local groups on domain controllers. Global groups can only be created using User Manager for Domain while local groups can be created either by User Manager for Domain or User Manager.

Built-in System Groups:

Some more groups are created by the system in order to systematize the use of network resources. They are:

 User Manager and User Manager for Domains can be used to create, modify, copy or delete user accounts. A typical User Manager screen shows records of all user accounts, group accounts, description of their role in the network and full names of users. A new user can be created by choosing the New menu command from the User Manager's User menu. A dialog box is opened in which information such as Username, Full Name, Description, Password, Group to which he will belong, his profile (we will talk about it below), and Dial-In properties can be filled. It also has four check-boxes that can be used to specify whether 1) The user must change his password at next logon, 2) Or, he can never change his password, 3) The password never expires 4) Or is the Account Disabled.

 Similarly, these utilities can also be used to create, modify, copy or delete group accounts.

 Users and groups can be assigned rights by choosing User Rights menu from the Policies menu of the User Manager.

Profiles:

 When a new account is made, a personal default profile is created for that user. This profile governs the settings for the desktop environment (background picture, icons, task bar settings etc. specific to that user) that the user will be presented to work on. If the user so wishes, he can change his profile settings with the help of the Administrator. This can be done without effecting the desktop environment of other users.

 Profiles can contain many settings such as Settings for user-specific Control Panel entries, Persistent network drive connections, remote printer connections, personal program groups, user environment variables, bookmarks in Help, preferences for Win32 applications and most recently used documents in Win32 applications.

 Profiles are managed by a set of files in %Winnt_root%\profiles\Default User directory. These files include Ntuser.dat (containing registry information), a transaction log file Ntuser.dat.log (that keeps records of changes made in the Ntuser.dat file) and some other folders containing details regarding shortcuts and application specific data.

 Windows NT provides two types of user profiles: Local profiles and Roaming profiles. A local profile is stored on a workstation and is effective only on that computer. A roaming profile is stored on a central location that other workstations can access at logon. This profile will be always available to the user it belongs to, irrespective of the computer where he logs on. When you create a roaming profile, you have to specify a path to the relevant files in User Manager-> New User-> User Properties ->Profile.

 When a user logs on to the domain from a workstation, the Windows NT logon process checks to see if the account database contains a roaming profile path for the account. If it does, then a roaming profile is loaded. If it does not, the local profile is used.

 If the administrator does not want the user to change his profile, he can make his roaming profile a Mandatory Profile. To do so, he needs to create a roaming profile subdirectory and specify the path to that directory in User Manager. Then, copy a user profile to the roaming profile subdirectory (using the Copy To command in the User profile tab of the Control Panel System application) and rename the ntuser.dat file to ntuser.man. The Man extension makes the file a read-only file.

 Same user profile can be assigned to many users.

 Hardware Profiles can also be created to define a set of hardware conditions under which the PC will operate at a given time. This feature was designed specially for portable computers. The reason was that these might be used from different places at different time and each time they might have to work with different hardware. For example, a portable computer may be connected to a network in the office. But when its owner wants to use it at his home, the network will not be available. In such circumstances, he might prefer to connect to the office network via Internet. For this, however, he will require different hardware settings as the old network settings might not allow the computer to work properly. This is where we need different pre-defined hardware settings called Hardware Profiles. The user may choose any one of these different hardware profiles based on the requirements.

 Hardware profiles allow the user to define a set of hardware conditions under which the PC will operate at a give time. Hardware profiles can be created, deleted or modified using the Hardware Profiles tab in the Control Panel System application. If a person has more than one hardware profiles, he is asked to specify which profile does he want to use at startup and accordingly the profile is loaded.

System Policies:

 Windows NT ships with a utility called System Policy Editor, available only to members of the Administrators group. This is basically used to customize a user's desktop. If the administrator feels that a particular user should not be given access to a particular tool or icon than he can use System Policy Editor to do so. It can also be used to restrict options in the Control Panel, configuration of network settings and control network logon and access. Users, groups and even computers can have their own policy settings.

 System Policy Editor can be run in two modes: Registry Mode and Policy File Mode. In Registry Mode, the administrator can edit the registry of the local computer or of a remote computer. Some changes to the registry take effect immediately while others come into effect only after the computer is restarted. In Policy File mode, System Policy Editor creates and maintains system policy indirectly. Changes take effect only after the user logs on afresh.

 System Policy Editor organizes registry settings into two hierarchies: Local User (limited to the user himself) and Local Computer (limited to the computer, the machine).

 For changing policy settings, you need to click Open Registry on the File Menu of the System Policy Editor. Now Double click either the icon meant for Local User or Local Computer. You will be presented with a Policies tab having lots of different settings for configuring the user's/computer's desktop environment.

 For creating a logon banner, you need to double click the Local Computer and in the Policies tab, expand Windows NT System. Here you will see a list of different settings. Choose and expand Logon. Click the Logon banner option. In the Caption box, enter the text for display in the logon banner's title bar. In the Text box, enter the text for display in the logon banner's window.

 For disabling the display of the last logged-on user name at the beginning of the logon process. Expand Logon from the list entries and check "Do not display last logged on Username" option.

 Hierarchical management of system policies: System policy that will be effective at the time a user logs on depends upon the following rules:

• If individual user policy exists for that user, it will be executed.
• If no individual user policy exists but group policy is available, then the later will be executed. If the user is member of more than one group, group policies will be applied in priority order.
• If no user or group policy is in place, default user policy will be used.
• In the end, the System Policy Editor will see if there is any policy defined for the individual computer as well. If one is available, it will combine computer policy with the effective user/group policy emerging from the above three steps. If there is no specific policy for that computer available, default computer policy settings will be combined with user/group policy settings. A result of this combination will be presented to the user.

 Policies are saved in %Winnt_root%\System32\Repl\Imports\Scripts\NTConfig.pol file. If a policy is to be made effective in the entire domain, it should be saved in the above file on the boot partition of the Primary Domain Controller. The folder in which system policy file is saved on the primary domain controller is shared as \\PDC_servername\Netlogon$ for being accessed remotely. This file is not copied to the Backup Domain Controllers unless the directory replicator service is configured.

 If you are using a Windows 95 computer, you should save the policy in a file called Config.pol (not NTConfig.pol) and in the Netlogon$ share of the primary domain controller.

 System policy for users modifies the HKEY_CURRENT-USER subtree in the registry. System policy for computers modifies the HKEY-LOCAL_MACHINE subtree in the registry.

 Since System Policy and User Profiles deal with many common points, there is a system to decide effective desktop settings. System policy settings always override settings stored in Local, Roaming or Mandatory user profiles. In this context, priority levels are maintained in the following order:

 Login Scripts are batch files that are executed at the time a user logs on. They allow an administrator to configure common drive mappings; run central batch files and configure the system. For example, if the system administrator wants a person to see the Watch at logon, he can create a batch file consisting of commands for executing the Watch file and run it as login script. When the person will log on, he will see the watch on his desktop. In NT, batch files have .bat or .cmd extension. These files are specified in User Manager-> New-> New User-> User Properties-> Profiles-> Logon Script.

Auditing:

 Windows NT provides a well defined rights structure for all levels of users. Users and groups are given proper access to objects they need to deal with. And with the help of its wide security umbrella, others are denied access to objects they have no link with. Still, attempts to access various resources by unauthorized persons are very common. With the phenomenal spread of Internet, they have become even larger a threat for Network Administrators. Fortunately, Windows NT has an answer to this problem as well. It can audit successful or unsuccessful attempts to access files/ directories/ printers etc. Such records can be utilized in tracing the culprits and suitable actions may be taken.

 You can audit attempts to access a particular object or you can audit a particular user's activities. For auditing of object access, you can simply open Windows NT Explorer/ Network Neighborhood/ My Computer, select the concerned object (file/directory/printer etc.) and right click to invoke its properties window. Now select the security tab and click the Auditing button to set the auditing levels for that object. You can audit actions by the following means:

• By enabling the Read event, you can find out if an attempt was made to open a fie.
• By enabling the Write event, you can find out if someone has attempted to modify the contents of a file.
• By enabling the Execute event, it can be determined whether a user has attempted to run a program.
• By enabling the Delete event, you can find out whether a user has attempted to delete a file.
• By enabling the Change Permissions events, it can be determined when a user has tried to change the permissions on a file or directory.
• By enabling the Take Ownership event, it can be determined when a user has attempted to take ownership of an object.

 After the auditing has been set, the Security Log of the Event Viewer can be checked to see the auditing details. Event Viewer: It is an administrative utility that ships with Windows NT. It is used to record logs (records entered in ordinary text) relating to breaches of security, certain system events, messages generated from different applications etc (You will read about in detail some time later).

 Only files and directories on NTFS partitions can be audited.

 Another level of auditing is done with User Manager for domains. You can audit certain events (including file/object access events, system related events, user rights related events etc). It can be done using Policy->Audit Policy dialog box. Events that can be audited are:

• Logon and Logoff (Both Success and Failure)
• File and Account Access (Both)
• Use or User Rights (Both)
• User and Group Management (Both)
• Security Policy Changes (Both)
• Restart, Shutdown and System (Both)
• Process Tracking (Both).

These events are also logged in Event Viewer.

....Proceed to Part 3/ Back to Part 1/ Back to Top /Back to Home