Windows 2000 Security Overview

Windows 2000 has two types of user accounts, local and domain. A local user account exists on a single computer and is used to log onto that computer. A local user account gives the user access only to resources on that single computer.

A domain user account exists throughout the domain and lets the user log on to the domain from any computer in the domain. A domain user account gives the user access to resources on the network.

 Windows 2000 uses groups to simplify security and access to resources. A group is a collection of users who need the same access rights. Instead of assigning access rights to individual users, access rights are assigned to groups. A User is a member of several groups.

Domain user accounts and domain groups are created and managed through a Windows 2000 server. Domain user accounts and domain groups are created and managed with the Active Directory Users and Computers utility. Local user accounts are created and managed through the Local Users and Groups utility on a Windows 2000 Professional workstation. The Users and Passwords utility found in the Control panel is used to make a local user account from an existing domain account.

When a user logs onto a Windows 2000 system, they provide a user name and a password. Windows 2000 must then authenticate the users account. If the user logs on to their local computer, the authentication is performed by the local security system. If the user logs on to the network, the authentication is performed by the domain security system. After a user logs on, they are associated with an "access token". The access token defines the users group membership and user rights.

 Windows 2000 uses the Kerbos authentication protocol. Kerbos is an authentication protocol developed at MIT and maintained by the Internet Engineering Task Force. Kerbos encrypts the user name and password and passes the encrypted user name and password along with the encryption key to any network service the user requests.

Permissions

Everything on a Windows 2000 network is an object. Files, folders, printers, and applications are all objects. Each type of object has a specific set of permissions to access that object. For example Read, Modify or Write permissions.

Every object on the network has a list of which users and groups are permitted to access the object and what type of access they are granted. This is called an "Access Control List" (ACL). When Windows 2000 is first installed, a group called "Everyone" has permission to do anything. The first thing you should do is remove the Everyone group.

A user has "Full Control" permission of an object they create. This gives them the right to change the permissions of the object. An object can inherit permissions from its parent. For example subfolders can inherit the permissions of their parent folder.

Each time a user attempts to access an object, the users access token is compared against the objects ACL to determine whether access is allowed and what type of access is allowed. It is the job of the system administrator to set permissions that grant users and groups only the permissions required to perform their jobs.