
Windows 2000 Server Components Overview

This introduction provides an overview of the components and features of Windows 2000 Server, including monitoring components, user and group management, group security policies, and security services.

afarnham

Presentation Transcript


  1. Introduction to Windows 2000 Server Components Ryan Larson David Greer

  2. Win2K Components Overview • Monitoring Components • User and Group Management • Group Security Policies • Windows 2000 Security Services

  3. Monitoring Components • Computer Management • Click Start, Settings, Control Panel, Administrative Tools, Computer Management • Event Viewer • Performance Log • Shared Folders • Services

  4. Computer Management

  5. Event Viewer • The Event Viewer gathers information about hardware, software, and system problems and monitors Windows 2000 security events • Application Log • Events logged by applications or programs. • Security Log • Records security events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files. • System Log • Events logged by the Windows 2000 system components.

  6. Performance Log • Performance Logs and Alerts contains features for logging counter and event trace data and for generating performance alerts. • Can record data about hardware usage and the activity of system services from local or remote computers. • Logging can occur manually on demand, or automatically based on a user-defined schedule

  7. Shared Folders • Create, view, and set permissions for shares, including shares on computers running Windows NT 4.0. • View a list of all users who are connected to the computer over a network and disconnect one or all of them. • View a list of files opened by remote users and close one or all of the open files. • Configure Services for Macintosh. This enables personal computer users and Macintosh users to share files and other resources, such as printing devices, through a computer running Windows 2000 Server.

  8. Services • Using Services, you can start, stop, pause, or resume services on remote and local computers, and configure startup and recovery options. You can also enable or disable services for a particular hardware profile. • With Services, you can: • Manage services on local and remote computers, including remote computers running Windows NT 4.0. • Set up recovery actions to take place if a service fails, such as restarting the service automatically or restarting the computer (on computers running Windows 2000 only). • Create custom names and descriptions for services so that you can easily identify them (on computers running Windows 2000 only).

  9. Users and Groups Overview • Administrator Account • Guest Account • Managing User Accounts • Group Types • Managing Groups

  10. Administrator Account Admins can do the following: • Access any file or directory • Create and delete users and groups • Establish trust relationships • Manage printers and print sharing • Assign operators • Create and modify logon scripts • Set default account policies • Set and change passwords • Manage auditing and security logs • Not be deleted

  11. Administrator Account (cont.) Admins are by default in the following groups: • Administrators • Domain Admins • Domain Users • Enterprise Admins • Group Policy Admins • Schema Admins

  12. Guest Account • Guest account is disabled by default • Enable the Guest account only in low-security networks • Always assign a password • Can rename Guest account, but cannot delete it • Should only have low privileges

  13. Managing User Properties

  14. Manage User Options

  15. Managing User Accounts Managing User Accounts • Click Start, Settings, Control Panel, Administrative Tools, Computer Management • Expand System, Local Users and Groups Creating User Accounts • Right-Click Users, and then click New User • Fill in the appropriate fields Managing User Properties • Right-Click on a User, and then click Properties • Modify the appropriate fields

  16. Group Types • Domain Local Group • Open membership: members can come from any domain • Members can access resources only in the local domain • Global Group • Limited membership: members only come from local domain • Members can access resources in any domain • Universal Group • Open membership: members can come from any domain • Members can access resources in any domain

  17. Group Types (cont.) Points to keep in mind… • Local groups on domain controllers have rights only on the domain where they were created. • Local groups on Windows 2000 Workstation computers and member servers (non-Domain Controllers) have rights on the computer where they were created. • Local groups cannot contain other local groups; they can contain only user accounts or global groups from the same domain or other domains. • Global groups contain user accounts from only one domain. They cannot contain local groups or other global groups. • Universal groups contain user accounts from any domain. They can contain universal accounts, global groups, local groups, and user accounts.

  18. Predefined Groups

  19. Predefined Group (cont.)

  20. Special Groups

  21. Managing Groups Managing Groups • Click Start, Settings, Control Panel, Administrative Tools, Computer Management • Expand System, Local Users and Groups Creating Groups • Right-Click Groups, and then click New Group • Fill in the appropriate fields Add Members to Group • Right-Click on a Group, and then click Add to Group • Click Add, Select User(s), Click Add, Click OK

  22. Security Policy • Password Policy • Account Lockout Policy • Audit Policy • User Rights Assignment • Security Options • Encrypting File System Properties • Kerberos Properties • IPSec Properties • Configuring and Analyzing by Templates

  23. Opening MMC Snap-Ins To open Microsoft Management Console Snap-ins • Click Start, Run • Type “mmc” and hit Enter • Under the “Console” menu, click “Add/Remove Snap-in” • Click “Add”, select Snap-in, click “Add” • Optional: Fill any options, click “ok” • Click “close”, click “ok”

  24. Security Policy • It is important to notice: • Almost all of these settings can be enforced at the local level, or at the domain level, if the computer is on a domain (in which case the domain settings would be taken from Active Directory) • Settings at higher levels of the Active Directory Tree override those at lower levels

  25. Password Policy • Open “Group Policy” snap-in • Under Computer Configuration/Windows Settings/Security Settings/Account Policies • Controls the formation and changing of user passwords • Age, Length, History, Complexity

  26. Account Lockout Policy • Open “Group Policy” snap-in • Under Computer Configuration/Windows Settings/Security Settings/Account Policies • Controls the lockout settings for incorrect passwords

  27. Audit Policy • Open “Group Policy” snap-in • Under Computer Configuration/Windows Settings/Security Settings/Local Policies • Controls which system events are recorded in the Event Log, to be viewed in the Event Viewer later • For all events, successes and/or failures may be logged • Must be careful not to audit too much

  28. Audit Policy (Example) • By double clicking on Audit Account Logon Events and checking “success” and “failure”, you can log to the Event Log every attempt at access to the computer

  29. User Rights Assignment • Open “Group Policy” snap-in • Under Computer Configuration/Windows Settings/Security Settings/Local Policies • Controls which users and groups have access to special system-level commands, such as shutting down the computer

  30. Security Options • Open “Group Policy” snap-in • Under Computer Configuration/Windows Settings/Security Settings/Local Policies • Controls miscellaneous other security options, especially the permissions of remotely connected users.

  31. Security Options

  32. Security Options (Examples) • Using “Rename Administrator Account”, you can change the admin name and create a dummy “Administrator” account with no privileges, that is heavily logged • Set “Clear memory pagefile when system shuts down” to prevent the swap file from being recovered (easily)

  33. Encrypting File System Properties • Open “Group Policy” snap-in • Under Computer Configuration/Windows Settings/Security Settings/Public Key Policies • Or open “Certificates” Snap-in • Controls the certificates (public keys) of Encrypted Data Recovery Agents • Whenever a file is encrypted by a user, there must be a recovery agent

  34. Encrypting File System (Examples) • Under certificates for a File Recovery Agent (default Admin), Personal/Certificates, Right click on the file recovery certificate and click All Tasks, export. • You can export and delete the recovery agent private key, and store it in a secure location for later recovery • Thus, one cannot get the recovery agent key, even by breaking the account password

  35. Kerberos in W2K • Windows 2000 uses Kerberos V for authenticating computers and users between domains • The domain controller acts as the KDC (a trusted third party) in mutually authenticating clients to servers in inter- and intra-domain communication • Secret-key tickets are given to communicating parties

  36. Kerberos Settings • Open “Group Policy” snap-in • Under Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy • Only for computers on Domains • Controls the details of Kerberos tickets and authentication • Microsoft says, and NSA agrees, the default settings are OK

  37. IPSec Settings • Open “Group Policy” snap-in • Computer Configuration/Windows Settings/ Security Settings/IP Security Policy • Controls the policies for secure communication via IPSec and its cryptographic settings • Allows filtering of packets of various protocols without authentication and IPSec • Can require that all communication be Secured (Secure Server)

  38. Configuring and Analyzing Security Properties by Templates • Open “Security Configuration and Analysis” snap-in • Right click “Security Configuration and Analysis” and click “open database”, make a new database file, click “open”, and select a template, such as “hisecws.inf” (high secure workstation/server) and click open • Right click “Security Configuration and Analysis” again and choose to configure (set your settings to template) or to analyze (compare your settings to template)

  39. Any Questions?
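
The "analyze" step on slide 38 compares a machine's settings with a template; the sketch below does the same for the password, lockout and audit settings from slides 25 to 28. It is an added example, not part of the original presentation: both settings files are constructed, the key names follow the security-template (.inf) format, and the "ok"/"weaker" rules are a simplified assumption rather than the snap-in's own logic.

```python
import configparser

# Constructed baseline and constructed current settings of a hypothetical
# host, in security-template (.inf) syntax; not copied from hisecws.inf.
TEMPLATE = """
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditPolicyChange = 3
"""
CURRENT = """
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 1
AuditLogonEvents = 3
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {(s, k): int(v) for s in cp.sections() for k, v in cp[s].items()}

def analyze(template, current):
    """Map each template key to (wanted, found, verdict)."""
    want, have = load(template), load(current)
    report = {}
    for (section, key), w in want.items():
        h = have.get((section, key))
        if h is None:
            verdict = "not defined"
        elif section == "Event Audit":   # bit flags: 1 = success, 2 = failure
            verdict = "ok" if (h & w) == w else "weaker"
        elif key == "LockoutBadCount":   # 0 disables lockout; fewer tries is stricter
            verdict = "ok" if w == 0 or 0 < h <= w else "weaker"
        else:                            # minimums: larger is stricter
            verdict = "ok" if h >= w else "weaker"
        report[key] = (w, h, verdict)
    return report

if __name__ == "__main__":
    for key, row in analyze(TEMPLATE, CURRENT).items():
        print(key, *row)
```

With the constructed input, logging only successes for account logon events is reported as weaker than the template, which is the gap slide 28 closes by checking both "success" and "failure".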
