A New Paradigm

With the release of Windows 2000, Microsoft has implemented a major paradigm shift in the way that the OS treats default security settings. The easiest way to see what's new is to view the NTFS permissions on the installation directory, which by default is winnt. The change is an improvement over Windows NT as it relates to protecting your network, but potential pitfalls await the unaware.

In NT, the default NTFS permissions for the installation directory are Full Control for members of the Everyone group. The Everyone group is special because the system administrator doesn't control this group's membership; instead, the system places users in groups. The Everyone group has restricted permissions in the various winnt subfolders, but the group still enjoys some access throughout. A common practice in NT is to use the Everyone group as a catchall when assigning permissions. However, administrators who want a more secure configuration need to remove the Everyone group and assign different permissions to various local groups. Win2K gives you some new tools to do just that.

Security Templates and Increased Security
During Win2K setup, the system applies new security settings using security templates. With these new settings, Microsoft applies its recommendations, using the Everyone group less frequently in favor of the Administrators, Power Users, and Users local groups. The most inclusive of these groups, Users, has more restrictive permissions than NT 4.0's Everyone group. These restrictive permissions are good for increased security, but they can present problems in some situations.

Depending on whether you install Win2K as an upgrade from NT or as a clean install, certain legacy applications (i.e., applications that don’t meet the Win2K Applications Specification) might not work on certain Win2K machines for members of the Users group. On a machine that you upgrade from NT 4.0, the system applies a security template that adds the built-in Authenticated User and Interactive special groups to both the Users and Power Users local groups, giving users the permissions assigned to the Power Users group on that machine. On a machine that begins with a clean Win2K install, the system applies a different security template that makes these special groups members of the Users group only, giving users the permissions assigned to the Users group on that machine. The result is that a typical user can run legacy applications on an upgraded machine, but that same user might not be able to run an identical application on a machine that began with a clean install of Win2K. As you can imagine, this problem can be extremely difficult to troubleshoot unless you understand the different templates that the system applies during installation. To work around this problem, you need to add your users to the Power Users group or replace your legacy applications with versions that can accommodate the new security changes.

Security Templates and Decreased Security
As you begin to work with security templates, realize that these templates can loosen the security that critical network systems use. On high-risk, high-vulnerability systems where you have more stringent security settings, the default template for an upgraded machine will still apply, resulting in new ACL settings, a less secure configuration, and, therefore, exposure to vulnerabilities that didn’t exist when the machine was running NT 4.0.

On a more positive note, Win2K's use of security templates, along with the functionality of Group Policy and Active Directory (AD), make it easier to apply and enforce your security configurations. Such features let you create custom default security settings to apply the security policy that gives you the right balance between functionality and vulnerability. For more information about using Group Policy to control security, check out Group Policy and Security.