
Windows NT Security

Windows NT provides security features to prevent unauthorized access to data, programs, printers, etc. It complies with the government Class C2 standard, which basically requires:

  1. Logon protection, where each user has a unique name and password.
  2. Access protection, to limit who can access a file or run a program or use other system resources.
  3. Audit capability, to make a record of anyone who has tried to access something they are not allowed to access.
  4. Memory protection, in which memory (RAM, not disk) is reinitialized when a process finishes using it.

The second and third points are the subject of this article.

How Security is Assigned

All Windows NT system resources are treated as "objects". This includes all files and programs. Thus, they can all be processed by the Windows NT object manager, all in the same way, which makes the code much simpler and more reliable. Every time users attempt to access an object, they must pass through a Windows NT security gateway, which is the object manager. Since security is applied through the Master File Table, this applies only to files and programs on NTFS partitions. The FAT file system does not support access protection.

When an object is created, it is immediately assigned its security descriptors. The primary purpose of these descriptors is to list the protections for the object. This list is called the Access Control List (ACL). The ACL includes a series of entries, called Access Control Entries (ACE). Each ACE contains a security ID (the name of one user or group) and the permissions which that ID has in regard to this object.

Usually the creator of the object is the owner, who can specify the protections for that object. There are five built-in groups: Administrators, Power Users, Users, Backup Operators, and Guests. Additional user groups can be created by Administrators and Power Users. In addition, there are the individual users. Any of these groups or users can have an ACE created for it and inserted in the ACL of an object.

There are three criteria which the security manager uses to assign ACLs to new objects. In descending order of priority, they are:

  1. If the creator of the object specifies an ACL for the object, then that ACL is used.
  2. If no ACL is specified, and the object has a name, then the security system checks the directory to which the object belongs. If the ACL for that directory contains ACEs which are marked "inherit", then those ACEs are used to make the ACL for the new object.
  3. If the creator did not specify an ACL and the object does not have a name, then the creator's default ACL is attached to the new object.

How Security is Used

When a user attempts to access an object, the user is assigned an object handle. The security system uses the security reference monitor to check whether this user is allowed to access the object. It does this by checking the ACEs in the object's ACL until it finds one that matches the user name or any group of which the user is a member. If the access is allowed, the handle is granted; otherwise access is denied. If security auditing is enabled for that object, an entry is made in the audit log, recording the object and the security ID of the user who attempted access. An alarm can also be sounded or displayed on the security administrator's monitor.

Note that the security reference monitor stops its check at the first ACE that fits the user. It is possible for the user to fit more than one ACE (for example, username ROCKY and group USERS). The ROCKY ACE may allow access, while the USERS ACE denies access. Whether Rocky gets access depends on which ACE comes first in the ACL. This feature can be useful. In the example above, you can exclude everyone in the group USERS, except for selected users, such as ROCKY.
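
The three ACL assignment rules and the first-match check described above can be modeled in a few lines of Python. This is an added example, not code from Windows NT or from this article's author; the names ACE, assign_acl, check_access and demo are hypothetical, the sample users and ACLs are constructed, and two behaviors the article does not spell out are marked as assumptions in the comments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    sid: str               # user or group name
    allow: bool            # True = access allowed, False = access denied
    inherit: bool = False  # directory ACE marked "inherit"

def assign_acl(creator_acl=None, name=None, directory_acl=(), default_acl=()):
    """Choose a new object's ACL by the three rules, highest priority first."""
    if creator_acl is not None:                  # 1. creator supplied an ACL
        return list(creator_acl)
    inherited = [a for a in directory_acl if a.inherit]
    if name is not None and inherited:           # 2. named object, inheritable ACEs
        return inherited
    # 3. creator's default ACL. Assumption: a named object whose directory
    # has no inheritable ACEs also ends up here.
    return list(default_acl)

def check_access(acl, user, groups, audit_log=None, obj="?"):
    """Return True if the first ACE matching the user or a group allows access."""
    sids = {user, *groups}
    # Assumption: when no ACE matches at all, access is denied.
    allowed = next((a.allow for a in acl if a.sid in sids), False)
    if audit_log is not None:                    # auditing enabled for this object
        audit_log.append((obj, user, "allowed" if allowed else "denied"))
    return allowed

def demo():
    # Constructed sample data: a directory ACL and two members of USERS.
    dir_acl = [ACE("ROCKY", True, inherit=True),
               ACE("USERS", False, inherit=True),
               ACE("Backup Operators", True)]    # not marked "inherit"
    acl = assign_acl(name="report.txt", directory_acl=dir_acl)
    log = []
    results = {
        "rocky": check_access(acl, "ROCKY", ["USERS"], log, "report.txt"),
        "other": check_access(acl, "BORIS", ["USERS"], log, "report.txt"),
        # Same ACEs with the USERS deny first: ROCKY's own ACE is never reached.
        "rocky_reordered": check_access(acl[::-1], "ROCKY", ["USERS"]),
    }
    return acl, results, log

if __name__ == "__main__":
    print(demo())
```

The reordered case is the one to check when reviewing an ACL: an exception for one user only works if that user's ACE sits ahead of the group ACE it is meant to override.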

How to Enable Security

The details on enabling security can be found by starting from your desktop and clicking Start, then Help. Type the key word or phrase (given below). The key word will highlight in the index, with several subtopics below it. Double-click the subtopic you want.

Each key phrase below is followed by its subtopics.

access permissions

  1. DCOM applications
  2. files, directories
  3. inheritance
  4. printers
  5. RAS
  6. shared folders

permissions

  1. DCOM applications
  2. files
  3. directories
  4. inheritance
  5. printers
  6. RAS
  7. shared folders

security

  1. auditing
  2. DCOM applications
  3. DDE shares
  4. domains
  5. events
  6. files, read-only
  7. logs, Event Viewer
  8. ownership
  9. policies
  10. printers
  11. user accounts

Incidentally, there is a lot of information in the Windows NT Help. We strongly recommend using it whenever you are confused or don't understand something about using Windows NT.

Diskeeper, being fully compliant with C2 security, maintains any security settings that have been set on an object. But, in order to move files, Diskeeper relies on having System and Administrator access to files; otherwise, Diskeeper can't really do its job. Therefore, you should confirm that the Permissions in REGEDT32 and in the root directory of each NTFS partition have "Type of Access" set for both Administrator and System to have "Full Control" for the entire partition of any drive that you will defragment. (See the article Permissions for details on how to do this.) These settings should not conflict with any security plan you have in place, since membership in the Administrator group should be very restricted, and System access applies only to the operating system, not users.

 

If you have any comments about this article or any requests for new technical articles e-mail

 

Executive Software Europe