NTFS SECURITY

To exercise full control over individual files and folders you must use NTFS. FAT32 cannot see NTFS partitions. NTFS can see FAT32 partitions - Very A+



Rights, Permissions and Privilege

Permissions

A permission is the ability to access a particular object or resource. For example, using a file, folder or printer.

Rights

A right is the ability to change system settings. For example setting the clock.

A privilege is a single informal term that encompasses both rights and permissions.


Meet and greet

Interactive logon - local confirmation of your identity to the machine.

The interactive logon process is Windows 2000's first line of defense against unauthorized access. The process may begin with a "Welcome Box" that asks a user to press the Ctrl+Alt+Del keys.

  • Pressing Ctrl+Alt+Del offers a strong defense against any application running in the background, such as a Trojan horse, that attempts to capture a user's logon information.

Meet SID and SAM

If you type a local Windows 2000 Workstation name to log on locally, the local security account database (SAM - Security Access Management) is used to validate you.

If your credentials are authentic, an access token or ticket is created to identify you for all subsequent requests for resources. The access token contains your Security IDentifier (SID), group IDs, and user rights. This token is your "gold card" to system objects.


Meet the ACL (Access Control List)

Each object on the system has an ACL - and each ACL is made up of ACEs (Access Control Entries). The ACL for an object tells the system who has access privileges to that object. An ACL is simply a list of which SIDs have access to the object or resource.

Working with ACLs

Where to administer each ACL:

  • Files - Explorer
  • Printers - Printers Control Panel
  • Users - Computer Management

When users attempt to access an object, their personal security IDs (or the security ID of one of the groups to which they belong) are matched to entries in the ACL.

  • If a user's security ID and access request match security ID and permission, then the user ID is granted access.
  • If any group to which a user belongs is denied access to a resource, that user is denied access regardless of any access rights he or she is granted in either a personal user account or the accounts of other groups to which that user belongs.

Account Management

Accounts - Windows denies/grants access based on accounts and groups.

  • Administrator - has full rights over the entire computer

  • Guest - allows users to log into the computer without a password. On most systems this is (or should be) disabled.

Groups - classes with shared common privileges. Common access needs can be given similar privileges.

  • Administrators - can do it all
  • Power users - many but not all of admin privileges. Can manage printers. Create shares.
  • Users - base-level access to system.

Rights Management

Setting up Rights and Policies - the ability to change system settings. Administration Tools, Local Security Policy/Settings


Windows Explorer can be used to set and modify permissions on shares, files and directories - Very A+

In order to alter any permissions on a file or directory, you must either have

  • Ownership of the resource
  • Full control access to the resource
  • Change permission rights

NOTE: The file system automatically gives the Everyone group Full Control to all new directories. As soon as you create new directories, change this setting to one that better serves your security needs.

Inappropriately set permissions can deny valid users access to required files and directories. For example, even though a user has the right to view and execute a program, the user may not have permission to access a particular dynamic-link library (DLL) required to run that program.


NTFS Permissions (security)

  • Any file or folder can have NTFS permissions applied to it
  • NTFS permissions affect access via the local system

Permissions

  • Read - (R) - read files
  • Read and Execute - (RX) - read and execute files
  • Modify - (RWXD) - create, modify, delete, change attributes
  • Full Control - (RWXDOP) - perform any functions (including ownership and permission control)
  • List Folder Contents - (only on folders) - same as read with ability to traverse into subdirectories
  • Each permission has two options: Allow and Deny
  • Deny permissions always take precedence over Allow
  • Permissions are cumulative except Deny
  • File permissions always override folder permissions

Folder Permissions
 

File Permissions


Drive or Folder Share Permissions (sharing)

  • Any shared folder can have share permissions applied to it
  • Shared permissions do not affect accessing the folder locally

Permissions

  • Read - (RX) - read, display, execute files
  • Change - (RWXD) - create, modify, delete, change attributes
  • Full Control - (RWXDOP) - perform any functions
  • Each permission has two options: Allow and Deny
  • Deny permissions always take precedence over Allow
  • Permissions are cumulative except Deny

Share Permissions



When accessing resources over the network on an NTFS partition, the following rules apply:

  • Add all NTFS permissions to get a cumulative NTFS permission
  • Add all of the share permissions to get a cumulative share permission
  • The most restrictive of the two cumulative permissions is the resultant permission over the network

Remember, Deny means Deny!
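
The ACL matching rules and the network-access rules above can be worked through in a small model. This is an added example, not part of the original notes and not the Windows access-check API; the users, groups and ACL entries are constructed sample data, and the function names are hypothetical.

```python
# Added example: models the rules in these notes, not the Windows access-check API.
# Letter codes (R, RX, RWXD, RWXDOP) are the ones this page uses.
NTFS_LEVELS = {"Read": "R", "Read and Execute": "RX",
               "Modify": "RWXD", "Full Control": "RWXDOP"}
SHARE_LEVELS = {"Read": "RX", "Change": "RWXD", "Full Control": "RWXDOP"}

# Constructed sample data: each ACE is (SID/group name, Allow or Deny, level).
NTFS_ACL = [("Users", "Allow", "Read and Execute"),
            ("Sales", "Allow", "Modify"),
            ("Temps", "Deny", "Full Control")]
SHARE_ACL = [("Users", "Allow", "Read"),
             ("Contractors", "Deny", "Full Control")]

# Constructed access tokens: the user's own ID plus group memberships.
ALICE = {"alice", "Users", "Sales"}
BOB = {"bob", "Users", "Sales", "Temps"}
CAROL = {"carol", "Users", "Contractors"}


def cumulative(acl, token, levels):
    """Add up every Allow ACE matching the token, then let Deny win."""
    allowed, denied = set(), set()
    for principal, ace_type, level in acl:
        if principal not in token:
            continue  # ACE names a SID this token does not carry
        target = denied if ace_type == "Deny" else allowed
        target.update(levels[level])
    return allowed - denied


def effective(ntfs_acl, share_acl, token, over_network):
    """Local access uses NTFS only; network access is the most restrictive."""
    ntfs = cumulative(ntfs_acl, token, NTFS_LEVELS)
    if not over_network:
        return ntfs  # share permissions do not apply locally
    return ntfs & cumulative(share_acl, token, SHARE_LEVELS)


def fmt(rights):
    """Render a rights set in the page's letter order, '-' for no access."""
    return "".join(c for c in "RWXDOP" if c in rights) or "-"


if __name__ == "__main__":
    for name, token in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        local = fmt(effective(NTFS_ACL, SHARE_ACL, token, False))
        remote = fmt(effective(NTFS_ACL, SHARE_ACL, token, True))
        print(f"{name:6} local={local:5} network={remote}")
```

Alice shows cumulative Allows being capped by the share, Bob shows a group Deny overriding every Allow, and Carol shows a share-level Deny that blocks network access while leaving local access intact.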



Moving and copying

Moving files and folders to:

  • Same partition - keep their permissions
  • Different partition - inherits destination folder's permissions
  • FAT partition - loses permissions (share permissions are inherited)

Copying files and folders to:

  • Same partition - inherits destination folder's permissions
  • Different partition - inherits destination folder's permissions
  • FAT partition - loses permissions (share permissions are inherited)

Edited (2003) By Vlad Magero