March 2002

Controlling User Rights and Built-in Groups



More cornerstones of NT security

As I demonstrate in the previous articles in this series about Windows NT security fundamentals, NT security isn't as centralized as many people believe. (See "Related Articles in Previous Issues," page 42, for a list of the other articles in the series.) You need to carefully configure and maintain security settings—including NT user rights and built-in groups—on each system in your domain. Each member server and workstation has a local SAM with a discrete set of rights assignments and built-in groups; also, the domain controllers (DCs) in each domain share a common set of rights and built-in groups. You need to understand the different repercussions of rights you assign on a member server or workstation and those you assign on a DC. You also need to understand the authorities that NT's built-in groups grant, and how local groups on member servers and workstations can interact with domain groups to enhance or weaken your network's security.

Know the Scope
User rights control users' ability to perform certain actions, such as changing the system time. (You assign user rights at the system level; you assign permissions at the object level.) The first step in properly assigning user rights is to understand their scope.

Regardless of which computer you log on to, User Manager for Domains' focus defaults to the domain SAM on the PDC (the title bar displays the domain's name). When you select Policies, User Rights from the menu bar, the resulting User Rights Policy dialog box that Figure 1 shows displays the rights assignments in the PDC's SAM. (Each BDC simply maintains a replica of the PDC's SAM. Therefore, the rights assignments that User Manager for Domains displays when focusing on the domain are the effective rights assignments on all the DCs in the domain.)

However, each member server and workstation maintains its own rights assignments. For example, when you use User Manager for Domains to grant the Change the system time right to the ClockWatchers group, you give that group the authority to set the system clock on the DCs in the domain—but not on the member servers and workstations. To edit the rights assignments on a member server or workstation, log on to that system and open User Manager for Domains. Choose User, Select Domain from the menu bar. Enter the computer's name, preceded by a double backslash (\\), then click OK. User Manager for Domains refocuses on that computer's local SAM and displays the computer's name in the title bar.

Powerful User Rights
You should closely monitor several important rights, especially on computers that store sensitive information, host critical operations, or serve as workstations for highly privileged users. Allocation of these rights can improve—or weaken—the security of your entire domain.

Access this computer from the network. The Access this computer from the network right is necessary and useful for users and administrators. To connect over the network to a computer's shared folders, registry, event log, SAM, or Control Panel Services applet, you must use an account that possesses this right on the remote computer. However, you can restrict the assignment of this right to protect computers from certain remote attacks.

You should avoid the use of local accounts because they aren't subject to your DCs' centralized control, and attackers often try to use these accounts to connect to remote systems. The Everyone group has the Access this computer from the network right by default—an assignment that's too permissive because that group includes local user accounts. I recommend that you assign the right only to the Domain Users group on member servers (so that users and administrators can access servers as necessary for daily operations) and to the Domain Admins group on workstations (so that administrators can manage workstations remotely). The Domain Users and Domain Admins groups exclude local user accounts, so these rights assignments will protect you against local-user-account-based attacks even when a computer's passwords and lockout controls are weak.

Backup files and directories. A user with the Backup files and directories right can access any object on the computer, regardless of the object's permissions. To protect confidential information, restrict the assignment of this right. You need the right to run NT's native backup program, but most companies use a third-party backup solution (e.g., Computer Associates'—CA's—BrightStor ARCserve Backup, VERITAS Software's Backup Exec) that runs as a service. In that case, the backup application's service account needs the right, and you can avoid assigning the right to user accounts. (However, each backup application tends to have individual arcane requirements, so be sure to review your product's documentation.)

Restore files and directories. The Restore files and directories right complements Backup files and directories and lets you restore (from backup media) any object on the system, regardless of whether the user has access to the object. Guard this right as closely as you do Backup files and directories because attackers can use Restore files and directories to replace files with previous versions and thus cover up evidence of intrusion.

Load and unload device drivers. The right to load device drivers carries a great security risk because device drivers run in kernel mode. The OS trusts programs running in kernel mode more than it trusts typical applications. Thus, malicious users can code and load a device driver to escalate their privileges and perform unauthorized operations. Administrators and consultants commonly consider the Load and unload device drivers right as a means to permit an ordinary user to load device drivers, but even users who hold this right must be members of the Administrators group. Therefore, I suggest that you grant the right to that group only.
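The audit below is an added example, not part of the article: it applies the recommendations above to the [Privilege Rights] section of a security template exported with `secedit /export /cfg` (available on Windows 2000 and later, not NT 4 itself), using the privilege constants that correspond to the rights discussed here (SeNetworkLogonRight, SeBackupPrivilege, SeRestorePrivilege, SeLoadDriverPrivilege). The INF excerpt, the domain SIDs and the backup service account SID are constructed.

```python
import re

# Well-known SIDs (real values) the audit needs to recognise.
EVERYONE, ADMINISTRATORS = "S-1-1-0", "S-1-5-32-544"
DOMAIN_USERS_RID, DOMAIN_ADMINS_RID = "513", "512"

# Constructed excerpt of a secedit /export /cfg INF: each [Privilege Rights] line
# names a right and the SIDs (prefixed '*') that hold it.
SAMPLE_INF = """[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-111-222-333-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-21-111-222-333-1106
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: [sid, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
    return rights

def is_domain_group(sid, rid):
    """True if sid is the domain group with this RID (S-1-5-21-<domain>-<RID>)."""
    return re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-" + rid, sid) is not None

def audit(inf_text, role, backup_service_sid):
    """Report holders of the four rights that deviate from the article's advice:
    network logon only for Domain Users (member_server) or Domain Admins
    (workstation); Backup/Restore only for Administrators and the backup
    product's service account; driver loading only for Administrators."""
    rights, findings = parse_privilege_rights(inf_text), []
    wanted_rid = DOMAIN_USERS_RID if role == "member_server" else DOMAIN_ADMINS_RID
    for sid in rights.get("SeNetworkLogonRight", []):
        if not is_domain_group(sid, wanted_rid):
            who = "Everyone (includes local accounts)" if sid == EVERYONE else sid
            findings.append(f"SeNetworkLogonRight granted to {who}")
    for right in ("SeBackupPrivilege", "SeRestorePrivilege"):
        for sid in rights.get(right, []):
            if sid not in (ADMINISTRATORS, backup_service_sid):
                findings.append(f"{right} granted to {sid}")
    for sid in rights.get("SeLoadDriverPrivilege", []):
        if sid != ADMINISTRATORS:
            findings.append(f"SeLoadDriverPrivilege granted to {sid}")
    return findings
```

Because each member server and workstation keeps its own assignments, the export has to be taken on every machine, not just on a DC; the sample above yields five findings for a member server, including the default Everyone grant.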



Corrections to this Article:

  • "Controlling User Rights and Built-In Groups" incorrectly states that the Log on locally right is required for Windows NT LAN Manager (NTLM) Challenge/Response authentication with Microsoft IIS. Basic authentication requires Log on locally; NTLM Challenge/Response requires Network logon.
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement