S 2.370 Administration of access rights under Windows Server 2003 and higher

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, Administrator, Specialists Responsible

Overview of the authorisation concepts available

The Windows security model, with its accounts, groups, and access authorisations, is by no means limited to objects in the NTFS file system. In fact, authorisations for each type of account requiring authentication can be specified in detail in almost all areas of the operating system. Therefore, a separate authorisation concept must be created for Windows servers.

Aspects of the Windows server authorisation model under Server 2003 and higher are:

• user accounts and computer accounts
• system accounts
• pre-defined default groups
• group memberships
• nested groups (Active Directory only)
• access authorisations for an object (i.e. the Access Control List, ACL)
• system access control settings for the object (i.e. the System Access Control List, SACL)
• inheritance

The following authorisation settings are not part of the authorisation model named above:

• resource-based authorisation mechanisms in the Internet Information Services (IIS)
• system rights/privileges
• role-based access management (i.e. Role Based Access Control, RBAC)

The capabilities of these authorisation settings are explained in the Resources for IT-Grundschutz (see Administration of authorisations under Windows Server 2003 in the Resources for Windows Server 2003).

Training

Understanding of the mechanisms listed above and the underlying philosophies must be provided to the administrators in the form of training and technical books. Otherwise, secure operation of the mechanisms used, and therefore of Windows Server, cannot be guaranteed overall.

Depending on the tasks performed by the administrators, they should also receive training in the use of the corresponding components so they can estimate the effects of authorisation configurations and plan accordingly in advance.

Details on individual authorisations in the various parts of the operating system can be found in the Windows online help system and in the Microsoft Technet documentation for administrators.

Basic rules

The administration of authorisations for user accounts and administrative accounts requires certain rules to be followed and a basic understanding of authorisation and security mechanisms. Particular care must be taken when making changes to authorisations during live operation (if the changes have not been tested beforehand) to ensure the availability of the IT system is not endangered.

When performing all tasks and planning in connection with the granting of authorisations, you must abide by the principle of least privilege. According to this principle, an account should not be granted wide-ranging privileges as a "precaution", but should only be granted the authorisations required to fulfil the requirements defined for the account. Authorisations can be granted step-by-step to obtain a higher level of authorisation when the requirements justify this. For example, an account should not be granted full access to a resource if the user of the account does not need to perform administrative tasks on the resource.

A general difficulty is predicting the effects of a certain authorisation configuration. Windows servers provide various simulation tools for predicting the effects of authorisation configurations:

• The Effective Authorisations tab
  
  In the security settings of an object, for example, of a file, the simulation option is found under Advanced | Effective Authorisations | Select. Simulations should be performed using the configured security group and using random samples of user accounts that will exercise the rights.
• The Resultant Set of Policies consoles (RSOP console)
  
  Start | Execute | enter rsop.msc
  
  When Active Directory is used, this process can also be started and evaluated on remote computers in the network using the Group Policy Management Console.

The simulation tools should be used extensively when modelling authorisations and when performing administration tasks during live operation. It is recommended to state this in a corresponding security policy for the configuration change release process.

Account sharing, forgotten passwords

User accounts may not be used by more than one person (referred to as account sharing). This applies to administrative accounts as well as to normal user accounts. If an administrator needs to be provided with a shared account for compelling organisational reasons, then each case of such a shared account is to be documented and reasons for sharing the account provided. The account used, the method for enforcing the password policies, the authorisations (ACL), the monitoring settings (SACL), and the authorised group of people are to be documented. Misuse of such accounts can only be prevented through organisation. Shared user accounts, like administrative accounts, are to be considered critical accounts and must be taken into account when monitoring the system.

The Forgotten Password Wizard under Windows XP and Server 2003 and higher is used to reset forgotten local passwords without deleting the private key stored locally. This wizard should not be used in an environment using centralised authentication since it undermines the security of such a concept. Creating data media by means of which the password can be reset ("Password Reset Disc") is not allowed. This must be stated in the security policy and can be implemented using group policies, for example.

Review questions:

• Is there a separate authorisation concept for Windows servers?
• Are the administrators trained on the authorisation concepts of Windows servers?
• Are simulation tools used under Windows servers as a precaution when modelling authorisations and when performing administration tasks during live operation?
• Is account sharing under Windows servers prohibited or reduced to a minimum?