Designing Group Security - PowerPoint PPT Presentation

About This Presentation
Title:

Designing Group Security

Description:

Define the group type and the group scope when creating a custom group. ... Windows 2000 based computers that are not DCs maintain their own user accounts database. ... – PowerPoint PPT presentation

Slides: 28
Provided by: higheredM
Transcript and Presenter's Notes

1
Designing Group Security
  • Designing security groups
  • Designing user rights

2
Designing Microsoft Windows 2000 Security Groups
  • Windows 2000 groups
  • Assessing group usage

3
Windows 2000 Groups
  • Access to network resources is authorized through
    inspection of the user SID and any group SIDs for
    a user account.
  • Use security groups to allow auditing of security
    access and to simplify the administration of
    network resources.
  • Define the group type and the group scope when
    creating a custom group.
  • There are two types of groups: security and
    distribution.

4
Security Groups
  • If a group's purpose is to define security for a
    resource, the group type must be a security
    group.
  • Used in discretionary access control lists
    (DACLs) and system access control lists (SACLs)
    to define security and auditing settings for an
    object.
  • Membership provides the equivalent rights and
    permissions assigned to that group.
  • Security group SIDs are included in the access
    token.

5
Distribution Groups
  • Used primarily for e-mail distribution lists.
  • When an access token is built for a user,
    distribution group memberships are ignored.
  • Can be converted into a security group by using
    Active Directory Users And Computers.
  • SIDs are automatically assigned to newly created
    distribution groups.
  • Identify the SID of a distribution group by using
    the Active Directory Administration Tool
    (Ldp.exe).

6
Windows 2000 Group Scopes
  • The scope defines
      • Where the group can be used
      • Where group membership is maintained
      • How the group can be used
  • Native-mode group scopes available
      • Domain local groups
      • Global groups
      • Universal groups
      • Computer local groups

7
Domain Local Groups
  • Used to grant permissions to resources.
  • New groups can be added to existing domain local
    groups.
  • Membership is maintained in the domain where the
    domain local group exists.
  • Can only be used on domain controllers (DCs) in a
    mixed mode environment, much like local groups in
    Microsoft Windows NT.

8
Global Groups
  • Used to combine users and other global groups
    that have similar business requirements.
  • Membership is maintained in the domain where the
    global group exists.

9
Universal Groups
  • Used to collect similar groups that exist in
    multiple domains.
  • Memberships are stored in both the domain where
    the universal group exists and in the global
    catalog.
  • Memberships stored in the global catalog can be
    verified without contacting a DC.
  • Any changes to universal group membership will
    result in modification and replication of the
    global catalog.

10
Computer Local Groups
  • Windows 2000-based computers that are not DCs
    maintain their own user accounts database.
  • Define permissions for resources stored at that
    computer.
  • Are not shared between computers.
  • Must be defined at each computer where they
    exist.

11
Assessing Group Usage
  • Determine how permissions will be assigned to
    resources.
  • Create custom groups to provide the permissions
    necessary to protect resources.
  • Know how group memberships will be set.
  • Define a strategy for assigning permissions
      • A-G-DL-P
      • A-G-U-DL-P

12
Domain Local Group Membership
  • Mixed mode membership
      • User accounts from any domain
      • Global groups from any domain
  • Native mode membership
      • User accounts from any domain
      • Global groups from any domain
      • Universal groups from any domain
      • Domain local groups from the same domain

13
Global Group Membership
  • Mixed mode membership
      • User accounts from the same domain
  • Native mode membership
      • User accounts from the same domain
      • Global groups from the same domain

14
Universal Group Membership
  • Mixed mode membership
      • None
  • Native mode membership
      • User accounts from any domain
      • Global groups from any domain
      • Universal groups from any domain

15
Computer Local Group Membership
  • Mixed mode membership
      • Local user accounts
      • Domain user accounts from any domain
      • Global groups from any domain
  • Native mode membership
      • User accounts from any domain
      • Global groups from any domain

16
A-G-DL-P Strategy
17
A-G-U-DL-P Strategy
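
As an added illustration (not part of the slides), a small Python model that encodes the membership rules from slides 12 to 15 and uses them to check the A-G-DL-P and A-G-U-DL-P chains of slides 16 and 17 in both domain modes; the domain names, group names and the "kind" labels are constructed for the example.

```python
from dataclasses import dataclass

# Nesting rules from slides 12-15, keyed by (container scope, domain mode):
# member kinds allowed, from "any" domain or only the "same" domain.
RULES = {
    ("domain_local", "mixed"): {("user", "any"), ("global", "any")},
    ("domain_local", "native"): {("user", "any"), ("global", "any"),
                                 ("universal", "any"), ("domain_local", "same")},
    ("global", "mixed"): {("user", "same")},
    ("global", "native"): {("user", "same"), ("global", "same")},
    ("universal", "mixed"): set(),  # no universal groups in mixed mode
    ("universal", "native"): {("user", "any"), ("global", "any"), ("universal", "any")},
    ("computer_local", "mixed"): {("local_user", "same"), ("user", "any"), ("global", "any")},
    ("computer_local", "native"): {("user", "any"), ("global", "any")},
}

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # user, local_user, global, universal, domain_local, computer_local
    domain: str  # owning domain (the computer name for local principals)

def can_contain(container: Principal, member: Principal, mode: str) -> bool:
    """True if `member` may be nested directly in `container` under `mode`."""
    for kind, scope in RULES[(container.kind, mode)]:
        if kind == member.kind and (scope == "any" or member.domain == container.domain):
            return True
    return False

def validate_chain(chain, mode):
    """Check a nesting chain (account first, resource group last): each element
    must be an allowed member of the next. Returns a list of error strings."""
    errors = []
    for member, container in zip(chain, chain[1:]):
        if not can_contain(container, member, mode):
            errors.append(f"{member.kind} {member.name} cannot join "
                          f"{container.kind} {container.name} in {mode} mode")
    return errors

# Constructed sample forest: the user lives in domain "branch", the resource in "hq".
ALICE = Principal("alice", "user", "branch")
G_SALES = Principal("Sales-Branch", "global", "branch")
U_SALES = Principal("Sales-All", "universal", "hq")
DL_READ = Principal("SalesData-Read", "domain_local", "hq")

def agdlp_errors(mode):   # A-G-DL-P: account -> global -> domain local -> permission
    return validate_chain([ALICE, G_SALES, DL_READ], mode)

def agudlp_errors(mode):  # A-G-U-DL-P: a universal group links the global groups
    return validate_chain([ALICE, G_SALES, U_SALES, DL_READ], mode)
```

Running `agudlp_errors("mixed")` reports two failures, which is why the A-G-U-DL-P strategy is only an option for native-mode domains.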
18
Making the Decision: Designing Custom Security Groups
  • Determine if an existing group meets
    requirements.
  • Define what purpose the group will serve.
  • Determine if additional groups are required.
  • Do not assign excess permissions.
  • Document new groups.

19
Applying the Decision: Designing Custom Security Groups for Hanson Brothers
  • Determine existing groups.
  • Determine the number of group scopes
    using A-G-DL-P.
  • Determine the number of group scopes
    using A-G-U-DL-P.
  • Choose a methodology.
  • Document the newly created groups.

20
Designing User Rights
  • Defining user rights with Group Policy
  • User rights within Windows 2000
  • Assessing where to apply user rights

21
Defining User Rights with Group Policy
  • Administrators define user rights to authorize
    users to perform specific actions
      • Who can log on to a computer
      • Methods for logging on to a computer
      • Privileges that have been assigned to a user or
        group on that computer
  • It is best to define user rights by using Group
    Policy
      • Ensures consistent application of user rights
      • Ensures that local changes will not override
        settings applied at the site, domain, or OU level

22
User Rights Within Windows 2000
  • Defined within local computer policy.
  • Applied through the Windows 2000 Group Policy
    defined at the site, domain, or OU.
  • Always preferable for a centrally administered
    network.
  • Take precedence over local computer policy.
  • Know what privilege a user right provides to any
    security principals.
  • Group computers that require like assignments
    into the same container.

23
Assessing Where to Apply User Rights
  • Store DCs within the Domain Controllers OU and
    apply user rights to the Domain Controllers OU
    Group Policy.
  • Collect all Windows 2000 member servers into a
    common OU structure.
  • Apply the user rights settings at the domain to
    affect all computers running Windows 2000
    Professional in the domain.

24
Determining Where to Apply User Rights
25
Making the Decision: Designing User Rights
  • Determine what user rights to grant to a security
    principal.
  • Determine where to apply user rights.
  • Determine whether to apply user permissions or
    user rights.

26
Applying the Decision: Designing User Rights for Hanson Brothers Deployment of Exchange Server
  • Determine a name for the service account.
  • Determine which user rights to assign to the
    service account.
  • Determine where to assign the user rights.

27
Chapter Summary
  • Designing Windows 2000 security groups
      • Group types
      • Group scopes
      • Assessing group usage
      • Group memberships
      • A-G-DL-P and A-G-U-DL-P strategies for assigning
        permissions
  • Designing user rights
      • Assessing where to apply user rights