84-02-04

DATA SECURITY MANAGEMENT IMPLEMENTING LEAST PRIVILEGE IN WINDOWS 2000, PART I: STAND-ALONE W2K

Roberta Bragg, CISSP

INSIDE Groups; Default Groups; Implicit Groups; User Rights; Default Object Access — Object Permissions; Group Scope; Practical Implications; Best Practices

The key to understanding how to apply least privilege lies in understanding four W2K concepts:

1. groups
2. user rights
3. object permissions
4. group scope

The meaning of these concepts is often obscured by a discussion of W2K domains and Active Directory issues. To start with the basics, the discussion is divided into two parts.

PAYOFF IDEA

One of the most critical tenets of information system security is the principle of least privilege, that is, the application of a policy that provides each user of the system with the most restrictive set of access and privileges that will still allow the user to get his or her job done. One can implement this principle in Windows 2000, which protects system operation and object access by requiring authenticated system access, assignment of privileges, and granular assignment of object permissions. The key to understanding how to apply this principle lies in understanding four W2K concepts: (1) groups; (2) user rights; (3) object permissions; (4) group scope.

This article deals primarily with the implementation of least privilege on W2K systems that are not joined in a W2K domain. Another article, Part II, will enlarge the discussion to include W2K systems that have been joined in a W2K domain. Included in that discussion will be additional features of Active Directory (delegation of authority, object permissions) that can be used to further enhance the process.

Auerbach Publications © 2001 CRC Press LLC


Information, except where noted, applies to Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server computers. When these systems are not joined in a domain, they are often referred to as stand-alone, not because they are unconnected from other information systems, but because access to their resources, and management of their processes, is assigned only to local groups or accounts. Local groups and accounts exist only within the system's local user database, a database that is present only on the local machine. Access to local resources and privileges on the system are granted to these local user and group accounts.

GROUPS

While user accounts can be assigned user rights and access to resources directly, the recommended practice in W2K is to place user accounts into groups and assign the groups rights and permissions. To foster this practice, Windows 2000 comes preconfigured with default groups, each of which has a set of preassigned user rights. Default user accounts exist as well. New user and group accounts can be created, and group membership can be changed. Privileges and access permissions can be assigned to these new accounts, and default groups can have their rights and permissions removed. The wise designer of security on W2K systems will first consider the default groups, then create groups that represent additional job functions, place user accounts in the appropriate groups, and assign privileges to the groups. In addition to explicit groups, implicit groups exist as well. Implicit group membership is determined by the user's state and is not under administrative control.

DEFAULT GROUPS

To view the list of default users and groups on Windows 2000 Professional:

1. Click the Start button and select "Settings."
2. Select "Control Panel."
3. Click the "Administrative Tools" icon.
4. Select "Computer Management."
5. Navigate to and expand "Local Users and Groups."

Two folders, one for Users and one for Groups, can be opened to see their respective lists. Double-clicking on a User or Group will allow one to view their property pages and determine group membership as well as other attributes. Default Users on Windows 2000 Professional, Windows 2000 Server, and Advanced Server are:


• Administrator: all-powerful access and control of the local system. One can remove the Administrator's privileges; however, one privilege will always remain: the ability to take ownership of objects. This account cannot be removed or disabled, but it can be renamed, and renaming it is a common hardening step.
• Guest: disabled by default. If enabled, this account allows access to the system by people who have no individual account, and therefore no individual accountability.
• TsInternetUser: this account is used by Windows 2000 Terminal Services and exists only on Server/Advanced Server.

Default groups are:

• Administrators: all-powerful access and control of the local system
• Backup Operators: privileges to back up and restore data
• Guests: access to resources as designated (the Guest account is a member)
• Power Users: users with more rights than normal users, but less than Administrators; because Power Users can install software and change system-wide settings, membership should be treated as a privileged assignment
• Replicator: a special group with privileges to participate in file replication with down-level (Windows NT 4.0) systems
• Users: every new local user account is placed in this group by default

Tip: For ease in administering and auditing stand-alone systems, one can place the “Administrative Tools” shortcut on the Start menu. To do so:

1. Right-click on the Task bar and select "Properties" from the pop-up menu.
2. Select the "Advanced" tab.
3. Check the box "Display Administrative Tools."
4. Click OK.

Now the path will be:

Start\Programs\Administrative Tools

Each default group has a predefined set of user rights and specified default access to system files and folders and registry keys.

IMPLICIT GROUPS

Implicit groups are also assigned rights and access abilities on the system. Membership in implicit groups is determined by the activities of the user. Is the user sitting at the console, having logged on using a local user account? Then they are automatically a member of the INTERACTIVE group. Is the user accessing shared resources across the network? Now they are members of the NETWORK group. No administrator can force membership in any of these groups, nor can an administrator remove a user from them. The administrator can, however, assign implicit groups additional privileges and permissions on the system. Because a user's actions determine group membership, administrators can indirectly include or exclude members by granting privileges and assigning permissions to users and groups. For example, if you deny my account the right to "access this computer from the network," then you have effectively denied me membership in the NETWORK implicit group. On the other hand, if you do not configure the system to restrict anonymous access (the "Additional restrictions for anonymous connections" security option in Local Security Policy), you are allowing membership in the group Everyone to anyone who can connect to the system, even if they do not have a W2K local account on the system. Implicit groups in Windows 2000 are:

• Everyone: all users that have achieved access to the system, whether by authentication or via anonymous access. On Windows 2000 this includes ANONYMOUS LOGON, so a permission granted to Everyone is also granted to unauthenticated connections.
• Authenticated Users: users that have successfully authenticated to the system.
• ANONYMOUS LOGON: users achieving logon via the anonymous account or anonymous access.
• BATCH: the user holds the "log on as a batch job" right and has logged on that way. The batch logon right is rarely used in W2K. It would be necessary if an account was used by an application to log on and run a background process such as a bank reconciliation.
• CREATOR OWNER: when a user creates an object in Windows 2000, that user becomes the CREATOR OWNER of that object.
• CREATOR GROUP: the primary group of the object's creator. The ability to assign this group permissions is useful in creating interoperability with UNIX systems. For an example, look at objects created by a member of the Administrators group: the Administrators group, not the individual account, is recorded as the object's owner.
• DIAL-UP: users who have accessed the computer via dial-up.
• INTERACTIVE: users who are accessing resources while logged on at the computer console.
• NETWORK: users accessing resources across the network.
• SERVICE: accounts used to run a W2K service.
• SYSTEM: the operating system itself.
• TERMINAL SERVER USER: users accessing the system via Terminal Services.

USER RIGHTS

Access to Windows 2000 systems includes both the ability to access objects such as files and registry keys and the privilege of performing actions.


Access to objects is defined by granting permissions on these objects. Registry keys have default access permissions assigned. If the system has been installed on an NTFS partition, system files and folders have default access permissions predefined. Changes to these permission sets, as well as the assignment of access permissions to new objects, are under administrative control. Permissions should be granted to groups, but may be assigned directly to an account.

Privileges to perform actions are defined by user rights in Windows 2000. Default sets of user rights are assigned to the default Windows 2000 groups, but can be modified. This is an important concept, and its ultimate meaning is that all access, and thus the configuration of "least privilege," is under the control of system administrators. Every preassigned user right can be changed, with one practical exception: the local Administrator account keeps the ability to take ownership of objects, and with it the means to regain rights and privileges that have been removed or denied. This means that one cannot totally restrict administrative accounts (after all, someone must be able to administer the system), but it does mean one can alter their rights and privileges of access on a system.

Typically, one will accept the default sets of user rights and perhaps expand them by creating user groups to fit one's security model and granting these user-defined groups appropriate privileges and object access. A good example of restricting default user rights (and thus further defining "least privilege") is to remove the "Restore files and directories" right from the local Backup Operators group, create a new group called "Local Restore," and grant that group the user right to restore files and directories. Now, by controlling membership in these groups, one has fulfilled one's mission of "least privilege" and, incidentally, another security maxim, "separation of duties": one group can back up the data; another group restores it. Of the two, restore is the more powerful right, because it allows any file to be written and its owner set, so the restore group deserves the tighter membership control.

User logon rights and privileges are listed in Exhibit 1. One can examine the default user rights assignments, change them, or give user rights to additional groups, by visiting the Local Security Policy console, which is also available from the Administrative Tools group. The User Rights Assignment folder is found within the Local Policies container. Exhibit 2 displays this folder. For more information on user rights, consult the Windows 2000 Resource Kit article "Privileges." Differences between Windows 2000 Professional and Windows 2000 Server/Advanced Server are listed below.

• Log on locally. Windows 2000 Professional is designed to be an end-user system. As such, the right to log on locally is assigned to most major default groups (Guest, Users, Power Users, Backup Operators, Administrators). Windows 2000 Server/Advanced Server, however, is not meant to be used as a desktop system. It can host services such as Certificate Services, Routing and Remote Access Services, and Print Services, as well as serve as a file server. Therefore, direct access via logon at the console is not, by default, so broadly assigned. Instead, only members of the Administrators, Backup Operators, and Power Users groups have this right.
• Shut down the system. While end users are, by default, granted the right to shut down their Windows 2000 Professional systems, servers should not be casually stopped. Only members of the Administrators, Power Users, and Backup Operators groups have this privilege.

EXHIBIT 1 — User Logon Rights and Privileges

Each entry lists the user right or privilege, the ability it confers, and who holds it by default on a stand-alone system ("none" where no group or account holds it by default). Entries marked (a) have a default assignment that differs between Professional and Server systems.

Access this computer from the network
  Ability: Connect to a share on this computer.
  Default: Everyone, Users, Power Users, Backup Operators, Administrators

Act as part of the operating system
  Ability: Act as a trusted part of the operating system; a holder can, for example, build a logon token for any account without presenting its credentials. This privilege is extremely dangerous and should not be assigned to any group or account in most environments. A user with this right can log on as a user and, while logged on, run processes that would have the right to add additional privileges. The process could even be developed to leave no identity for tracking events in the audit log.
  Default: The LocalSystem account (an account used by the operating system to run services). The LocalSystem account does not show up in the user database GUIs and is not under administrative control. An administrator can, however, require services running on W2K to use the LocalSystem account for logon.

Add workstations to domain
  Ability: Add this computer to a domain.
  Default: Not relevant for stand-alone systems as such; it is required on a domain controller if a user is to perform the joining. On Windows 2000 domain controllers it is granted by default to Authenticated Users, each limited to ten joins; administrators join without limit through their Active Directory permissions.

Back up files and directories
  Ability: Copy all files and folders, including those for which the user has no permissions. It is only effective when an application opens files through the NTFS backup API (application programming interface); an ordinary open still honours the file's permissions. Because any program, not only the backup utility, can use that API, the privilege amounts to read access to every file on the system and should be treated accordingly.
  Default: Backup Operators, Administrators

Bypass traverse checking
  Ability: Traverse the hierarchical structure of folders and files on a system even if permission to access the intervening folders is not granted. It does not give the user the "list folder contents" permission, merely the right to pass through directories.
  Default: Everyone, Users, Power Users, Backup Operators, Administrators

Change the system time
  Ability: Set the internal computer clock.
  Default: Power Users, Administrators

Create a page file
  Ability: Create a new page file, or change the location or size of the existing page file.
  Default: Administrators

Create a token object
  Ability: Create access tokens. Access tokens include information on the user account, its group membership, and its privileges.
  Default: The LocalSystem account (not visible in the User Rights container).

Create permanent shared objects
  Ability: Create a directory object in the Windows 2000 object manager. Useful in extending the Windows 2000 namespace.
  Default: none (components running in kernel mode already have this privilege).

Debug programs
  Ability: Attach a debugger to a process. Provides access to sensitive and critical operating system components and should not be widely distributed.
  Default: Administrators

Deny access to this computer from the network
  Ability: Prevent the listed groups from remote access to the computer.
  Default: none

Deny logon as a batch job
  Ability: Prevent batch job logon.
  Default: none

Deny logon as a service
  Ability: Prevent service logon.
  Default: none

Deny logon locally
  Ability: Prevent logon from the console.
  Default: none

Enable computer and user accounts to be trusted for delegation
  Ability: In a Windows 2000 domain, certain activities require this right, such as storing encrypted files on a computer from across the network. This privilege is required in order to set the "Trusted for delegation" setting on a computer or user object in the Active Directory.
  Default: none on a stand-alone system

Force shutdown from a remote system
  Ability: Shut down a system from another system.
  Default: Administrators

Generate security audits
  Ability: Necessary to generate entries in the security log.
  Default: Typically granted to accounts that will be used by services. Native W2K processes already have this privilege.

Increase quotas
  Ability: Increase the processor quota assigned to a process. Could be used to fine-tune the system, but could also be abused in a denial-of-service attack.
  Default: Administrators

Increase scheduling priority
  Ability: Each running process is assigned a default priority. Priorities ensure that more important processes have more access to system resources and that all processes get a slice of OS time and resources. Scheduling is preemptive and under the control of the OS. A user with this privilege can modify the scheduling priority in the Task Manager dialog box. User modification of the priority of a process can have disastrous results, including system crashes.
  Default: Administrators

Load and unload device drivers
  Ability: Install and uninstall plug-and-play device drivers (non-plug-and-play device drivers can only be installed by Administrators). Device drivers run in kernel mode; a hostile driver loaded by a user with this privilege has unrestricted access to the system.
  Default: Administrators

Lock pages in memory
  Ability: Pages are generally moved into and out of memory according to need. Some OS pages are never removed. This privilege allows holders to ensure that pages chosen by them are never swapped out by the OS (which can reduce system performance).
  Default: none

Log on as a batch job
  Ability: Run in the background, as in running programs such as a bank reconciliation process.
  Default: none

Log on as a service
  Ability: Authenticate as a service, versus authenticating as a machine or user.
  Default: none

Log on locally (a)
  Ability: Log on from the console.
  Default: Guest, Users, Power Users, Backup Operators, Administrators

Manage auditing and security log
  Ability: Select objects for auditing. Objects include files, folders, registry keys, etc. View and clear the Security Log. (Auditing will not be done unless it has been enabled.)
  Default: Administrators

Modify firmware environment values
  Ability: Change system environment variables. Environment variables are items such as the system path, number of processors, etc.
  Default: Administrators

Profile single process
  Ability: Run performance monitoring tools such as Performance Monitor to monitor a specific, non-system process.
  Default: Power Users, Administrators

Profile system performance
  Ability: Run performance monitoring tools to monitor a system process (determine how the system is performing, for example by measuring the percentage of processor utilization).
  Default: Administrators

Remove computer from docking station
  Ability: Issue a command to undock the portable system ("Eject PC" on the Start menu).
  Default: Power Users, Users, Administrators

Replace a process-level token
  Ability: Programmatically change tokens. A parent process with this privilege can replace the token of its child process. Tokens attached to processes carry the authorization rights for that process.
  Default: none

Restore files and directories
  Ability: Restore files from backup. The user with this privilege does not need access permissions on the files or folders and can set the owner of the restored object; in practice this is write access to every file on the system. Users with this privilege, however, cannot restore a backed-up encrypted file to a FAT volume unless they are the encryptor of the file or the file encryption recovery agent.
  Default: Backup Operators, Administrators

Shut down the system (a)
  Ability: Start the orderly process of shutting down the local operating system. (A separate privilege, "Force shutdown from a remote system," allows remote shutdown.)
  Default: Users, Power Users, Backup Operators, Administrators

Synchronize directory service data
  Ability: Only relevant on domain controllers (allows a process to synchronize directories).
  Default: none

Take ownership of files or other objects
  Ability: Give oneself the ownership role on objects one does not own. Administrators can use this privilege to regain control of orphaned files, folders, and other resources.
  Default: Administrators

(a) Different for Professional versus Server systems; see the two bullets above.

DEFAULT OBJECT ACCESS — OBJECT PERMISSIONS

Windows 2000 also protects system files and folders and registry keys by assigning access permissions to appropriate default groups. The design seeks to provide the strictest control of system resources and yet enable processes to run when initialized by appropriate authority. This basic protection can be modified either to tighten access or relax it. The privilege to do so, in most cases, is itself controlled by the group permissions assigned on the objects; that is, Administrators have full control of system folders. Exhibit 3 displays the default permission settings on the W2K system folder.

However, a second mechanism, Windows File Protection (WFP), stands in the way of anyone, Administrators included, who deletes or replaces a protected system file. Operating system files are digitally signed by Microsoft, and WFP watches the protected files. If there is an attempt to delete or overwrite one, the change is detected and one of three outcomes results. Note that WFP is an integrity safeguard, not an access control: it does not alter the NTFS permissions on the file, and a user who has permission to write the file can still write it; WFP only puts the original back.

1. If a copy of the file resides on the system (copies of protected system files are kept in %SystemRoot%\system32\dllcache), it is copied back into the appropriate location in the system files.
2. If a copy does not exist on the system, the user is prompted to insert the Windows 2000 CD-ROM so that the file can be replaced.
3. If the process performing the deletion or overwrite is an approved Microsoft upgrade, hot-fix, or service pack, the file will be deleted or overwritten.

EXHIBIT 2 — User Rights Can Be Examined and Modified in the User Rights Folder of the Local Security Policy Console (screen capture not reproduced)

EXHIBIT 3 — Object Permissions Are Set from the Security Tab of the Properties Pages for the Object (screen capture not reproduced)

One can demonstrate this process to oneself, without making the system unstable, by attempting to delete the solitaire game. This game file is found in %SystemRoot%\System32 and is called "sol.exe." Simply open the folder, select the file, and press the Delete key. The file will disappear, then seconds later reappear in the folder. (To check every protected file rather than one, run "sfc /scannow" from a command prompt.) Assigning object access permissions to default and user-defined groups can also protect files, folders, and registry keys added to the system.


GROUP SCOPE

Whether a user can access a resource, or use a privilege, depends in part on where the user account resides and on the type of group to which the account belongs. This concept is called group scope. There are four different types of scope, and the types available depend on two factors:

• Is the Windows 2000 system a member of a Windows 2000 domain? • If so, is the domain in mixed or native mode?

Quick Definition

Windows 2000 domains are logical collections of computers. Windows 2000 servers can be promoted to domain controllers, and additional servers and Professional systems are joined to the domain by adding a computer account in the domain and joining the system. This conveys additional management and resource availability structures. A Windows 2000 domain is in mixed mode by default. It can be changed to native mode (a one-way change). Mixed-mode domains can have Windows NT 4.0 BDCs (backup domain controllers) as members of the domain. Windows 2000 native-mode domains cannot have Windows NT 4.0 BDCs as members. The native-mode domain can have as members Windows NT 4.0 member servers, Windows NT 4.0 Workstations, as well as other versions of Windows 2000. Users of Windows 95/98 systems with domain accounts can log on to native- or mixed-mode domains, but these computers cannot be joined to the domain (they do not receive a computer account). One of the major changes to user and group management occurs when computers are joined to a domain. The second article in this series explains these changes. The four types of group scope are:

1. Local. The group resides in the computer's local account database and can only be used on that computer.
2. Domain local. The group exists in a domain. There are separate meanings for this scope, depending on whether the domain is in native or mixed mode.
3. Global. The group exists in a domain.
4. Universal. The group exists in the forest (this group scope only exists in a Windows 2000 native-mode domain).

Of the four group scopes, only the "local" scope exists on Windows 2000 stand-alone computers. Groups on these systems can only have as members users with local accounts on the system. More information on group scope is provided in the second article in this series.


PRACTICAL IMPLICATIONS

Ok, got it? So now what? If charged with implementing security on Windows 2000 systems that are not part of a Windows 2000 domain, one should now understand that it will be necessary to approach this strategy on a machine-by-machine basis. This does not mean that one cannot automate some of the work with security templates, the Security Configuration and Analysis console, scripts, etc. It does mean that the process will be a little tougher.

If Margaret-a-User-in-the-network needs access to files on three stand-alone W2K file servers in the network, then one will have to create an account for her on each of these three servers. On each server, one will only be able to give that account (the one that exists on that server) object access or user rights local to that system. If one creates a new group on server A, server B will have no knowledge of that group. (In a domain this is all changed; a domain-level account or group is visible to all machines joined in the domain; see Part II for information.) If one creates a group on server A and one with the same name on server B, and then places Margaret's account in the group on server A, the group on server B will not have her account in it until it is placed there. One can give the account the same name, and even the same password, but they will not be the same account, and passwords will not be synchronized: a password change on one server must be repeated by hand on the others. However, if one keeps both the user name and the password the same on every server, Margaret will be able to reach all the resources without being prompted again, because the credentials from her logon are presented to each server and checked against that server's own copy of the account.

Exhibit 4 illustrates this point. In the exhibit, server A and server B both have a group called "Accountants." They also each have a payroll file, and the group "Accountants" is given read and write permissions to this file. However, only the "Accountants" group on server A has Margaret as a member. On server B, Margaret will not be able to access the payroll file. If one's goal is to give Margaret that permission, then one must create an account for her on server B and give her membership in the "Accountants" group on server B.

For each machine, then, one must decide the number of groups that are necessary, create them, assign privileges and permissions to the groups, create users, and add them to the groups that fit their job requirements.

For a Windows 2000 Professional system, this might mean simply creating a user account for the users who will be using the system. By default, they will be in the default Users group. This will give them reasonable access to the system. One will have to decide if further restrictions or privileges are necessary. If this machine is used by multiple people, one may want to consider creating a group for each class of user, assigning each group appropriate user rights and file/folder access. Then, should an employee quit, one only has to remove one account from the group. When new users join the company, one can add their new account to the group and instantly provide them with just the access and privilege they need, and no more.

EXHIBIT 4 — Access to Files on Different Servers

Server A                                    Server B
  Group "Accountants": Margaret               Group "Accountants": Peter
  Payroll Database File                       Payroll Database File
    Accountants: Read and Write                 Accountants: Read and Write

A Windows 2000 server will require more consideration, but its configuration uses the same basic approach. What functions will the users who need to access this server need to perform their jobs? Is it file access? Web proxy? Remote dial-in capability? Once the roles are defined, groups can be created, privileges and permissions assigned, and finally user accounts created and placed in appropriate default and user-defined groups on the server. Remember, this will need to be done for each server. Now does that not make you want to learn how to implement least privilege in a Windows 2000 domain? While there are some new concepts to learn, the actual implementation, maintenance, and audit of least privilege is easier in a W2K domain.
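The per-server procedure from Exhibit 4 (group, account, object permissions, then a check), written as a batch file that is run unchanged on every stand-alone server that must grant Margaret access. This is an added example, not code from the article: the group Accountants, the user name margaret, and the file D:\Finance\payroll.mdb are hypothetical names, and it uses only net.exe and cacls.exe, which ship with Windows 2000.

```batch
@echo off
rem Added example (not from the original article). Run once, from an
rem Administrators logon, on each stand-alone server in turn; nothing created
rem here is visible to any other server, which is the article's point.
rem Hypothetical names: group Accountants, user margaret, file below.
setlocal
set PAYROLL=D:\Finance\payroll.mdb

rem 1. The group first: least privilege is granted to the role, not the person.
net localgroup Accountants /add /comment:"Read/write access to payroll"

rem 2. A local account. "*" makes net.exe prompt for the password so that it
rem    is not left in the script. Use the same user name and the same password
rem    on every server; otherwise Margaret is prompted for credentials on each
rem    connection, and a password change must be repeated by hand everywhere.
net user margaret * /add /fullname:"Margaret Accountant" /passwordchg:yes
net localgroup Accountants margaret /add

rem 3. Object permissions on the file. /E edits the ACL in place instead of
rem    replacing it; /R removes the Everyone entry (on Windows 2000, Everyone
rem    also covers ANONYMOUS LOGON); /G grants Accountants Change (read, write,
rem    delete) and Administrators Full Control. Separate calls keep each change
rem    reviewable in the output.
cacls "%PAYROLL%" /E /R Everyone
cacls "%PAYROLL%" /E /G Accountants:C
cacls "%PAYROLL%" /E /G Administrators:F

rem 4. Check what was actually set: group membership and the resulting ACL.
net localgroup Accountants
cacls "%PAYROLL%"
endlocal
```

File permissions are only half of network access: the file is reached over the network through a share, and the share's own permissions (Sharing tab of the folder) are evaluated as well. Windows 2000 creates new shares with Everyone: Full Control, so restrict the share to Accountants too; the effective access is the more restrictive of the two.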

BEST PRACTICES

Thoroughly understand the user rights and the implications of changing the groups that hold them. Use default groups where suitable and add user accounts to these groups to give users those privileges. Where default groups do not fulfill requirements, or where their user rights assignments are too broad, create groups for specific purposes and assign appropriate user rights. Groups are created in the Computer Management console and user rights are assigned in the Local Security Policy console. Add user accounts to default groups or created groups. Do not assign rights directly to users: a right granted to an individual account is easily overlooked when that person changes jobs or leaves, whereas group membership is reviewed in one place.
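The "Local Restore" separation-of-duties design from the User Rights section, and the indirect exclusion of a group from the implicit NETWORK group described under Implicit Groups, carried out with the command-line tools that ship with Windows 2000 rather than by clicking through the two consoles named above. This is an added example, not code from the article. The group name "Local Restore", the accounts bkupop and restop (assumed to exist already), and the %TEMP% file names are hypothetical; it also assumes that secedit resolves the new group by name and accepts an ANSI template file without the [Unicode] header that the MMC snap-in writes when it saves a template.

```batch
@echo off
rem Added example (not from the original article): separation of backup and
rem restore on a stand-alone Windows 2000 system, using net.exe and secedit.exe.
rem Hypothetical names: group "Local Restore", accounts bkupop and restop.
rem Run from an Administrators logon.
setlocal
set TPL=%TEMP%\leastpriv.inf
set DB=%TEMP%\leastpriv.sdb
set LOG=%TEMP%\leastpriv.log

rem 1. Groups. The default Backup Operators group keeps backup; a new group
rem    gets restore. Membership, not the right, is what is managed day to day.
net localgroup "Local Restore" /add /comment:"May restore files; separated from backup"
net localgroup "Backup Operators" bkupop /add
net localgroup "Local Restore" restop /add

rem 2. Security template. [Privilege Rights] uses the internal privilege names.
rem    Built-in groups are written as well-known SIDs prefixed with "*"
rem    (S-1-5-32-544 = Administrators, S-1-5-32-551 = Backup Operators); the new
rem    group is written by name (assumed: secedit resolves it locally).
rem    The line for each privilege is the complete new holder list.
> "%TPL%" echo [Version]
>>"%TPL%" echo signature="$CHICAGO$"
>>"%TPL%" echo Revision=1
>>"%TPL%" echo [Privilege Rights]
>>"%TPL%" echo SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
>>"%TPL%" echo SeRestorePrivilege = *S-1-5-32-544,Local Restore
rem    Implicit-group lever: denying "Access this computer from the network"
rem    keeps Local Restore members out of the NETWORK group, so restores can
rem    only be done at the console. A deny right always wins over a grant.
>>"%TPL%" echo SeDenyNetworkLogonRight = Local Restore

rem 3. Apply only the USER_RIGHTS area so that no other local policy setting
rem    is touched. A new database file is created from the template.
secedit /configure /db "%DB%" /cfg "%TPL%" /areas USER_RIGHTS /log "%LOG%" /verbose

rem 4. Check: export the effective assignment and show the three lines changed,
rem    then list who is actually in the new group.
secedit /export /cfg "%TEMP%\check.inf" /areas USER_RIGHTS
findstr /i "SeBackupPrivilege SeRestorePrivilege SeDenyNetworkLogonRight" "%TEMP%\check.inf"
net localgroup "Local Restore"
endlocal
```

User rights are placed in the access token at logon, so the change applies to restop's next logon, not to a session already open. Rights accumulate across all of a user's groups, so before trusting the result check that no other group the restore accounts belong to still carries SeRestorePrivilege (the exported check.inf shows the full holder list for every right).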


Roberta Bragg, MCSE, MCT, CTT, CISSP, is a veteran of over 20 years of IT experience. Her company, Have Computer Will Travel, Inc., keeps her writing, teaching, and consulting primarily on Windows (NT and 2000) security. She is a contributing editor and security columnist for Microsoft Certified Professional Magazine (www.mcpmag.com) and the author of two books. She is an online instructor in Seattle Pacific University's MCSE program (www.spu.edu\prolearn).