July 17, 2001 12:00 AM

NT Security Fundamentals

Windows IT Pro
InstantDoc ID #21510
Building blocks of an impenetrable network

Consider the adage "A chain is only as strong as its weakest link." You might be surprised to discover that the weakest link in your organization's high-tech security chain is an imperfect understanding of Windows NT security basics. Even if you're migrating to Windows 2000, a comprehensive understanding of NT security is invaluable because it provides the foundation for a deeper understanding of Win2K. That foundation might not be as rock-steady as you think.

Several popular misconceptions persist regarding NT's "centralized" security capabilities. Many people think that an NT domain's PDC completely controls security for the entire domain, but that idea couldn't be further from the truth. NT security is woefully decentralized. NT security is a complex combination of tightly integrated control areas, such as account policy, user rights, audit policy, ACLs (the discretionary ACLs that control access to objects), audit control lists (the system ACLs that control which accesses are audited), administrative authority, and system services. The mix becomes even more complicated when you factor in domains and trust relationships. Although domain-level security affects each system in the domain, each NT workstation or server that isn't a domain controller (DC) also functions independently with regard to security. Furthermore, you can control local security on each machine at several levels (e.g., the system level, the object level).

To fully protect your entire domain, you need to understand the interaction between domain-level security and each system's independent security. You also need a complete understanding of how each host-level security control area works. At every level, important configuration tips can help you keep your computers locked down against the bad guys.

Local Security at the System Level
Each NT computer maintains a local SAM database under the HKEY_LOCAL_MACHINE\SAM registry subkey. The local SAM stores the computer's local user accounts, local groups, and account policy. (Strictly speaking, NT keeps the user-rights assignments and the audit policy in the companion LSA policy database under HKEY_LOCAL_MACHINE\SECURITY, but User Manager presents all of these settings together, so this article treats them as one system-level control area.) The user accounts in a computer's local SAM are also known as machine local accounts because they permit users to log on to and access resources on only the local computer. Likewise, the user groups in a computer's local SAM are known as machine local groups and can be granted access only to objects on the local system. (In contrast, domain users and domain groups can be granted access to objects on any computer that is a member of the domain or of a domain that trusts it.)

To view and maintain a computer's machine local accounts and machine local groups, log on at the computer and open User Manager (under Administrative Tools; on a DC, User Manager for Domains maintains the domain's accounts instead). This tool maintains the local SAM and the local security policy, including account policy, user rights, and audit policy.

Account policy. Select Policies, Account from User Manager's menu bar to open the Account Policy dialog box, which Figure 1 shows. The password and lockout specifications in this dialog box govern the computer's machine local accounts. You can require users to select passwords that meet a minimum length, force users to change their passwords on a regular basis, and prevent users from reusing passwords. You can also implement an account lockout policy to slow down attackers who try to access the system by guessing passwords: after a specified number of bad logon attempts within the reset window, NT locks the account for the lockout duration (or until an administrator unlocks it, if you choose Forever). Note that the built-in Administrator account is exempt from lockout unless you enable lockout for it with the Resource Kit's Passprop utility (passprop /adminlockout), so it remains the obvious target for password guessing.
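To see what the three lockout fields actually buy you against an online password-guessing attack, the following model is an added example written for this article; it is not code from Windows IT Pro or from Microsoft. It assumes (the article does not spell this out) that NT keeps a per-account bad-password counter, clears it when "Reset count after" minutes pass without a failure, and, once the counter reaches "Lockout after" attempts, refuses logons until "Lockout Duration" minutes elapse, with None standing in for Forever. The attack rate and the logon sequence in the trace are constructed inputs.

```python
"""Model of the NT 4.0 Account Policy lockout settings (added example, not the
article's or Microsoft's code).  Time is kept in whole seconds so the
arithmetic is exact; policy fields are in minutes as in the dialog box."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int                    # "Lockout after N bad logon attempts"; 0 = no lockout
    reset_minutes: int                # "Reset count after M minutes"
    duration_minutes: Optional[int]   # "Lockout Duration"; None models Forever


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None      # time (seconds) of the last failed attempt
    locked_until: Optional[int] = None  # time (seconds) the lockout ends; None = not locked


def attempt(policy: LockoutPolicy, state: AccountState, t: int, password_ok: bool) -> str:
    """Process one logon attempt at time t (seconds); returns "ok", "bad" or "locked".

    "bad" means NT actually checked the password and rejected it (the attacker
    learned that guess was wrong); "locked" means NT refused without checking.
    """
    if state.locked_until is not None:
        if t < state.locked_until:
            return "locked"
        state.locked_until = None           # lockout duration has expired
        state.bad_count = 0
    if state.last_bad is not None and t - state.last_bad >= policy.reset_minutes * 60:
        state.bad_count = 0                 # reset window elapsed with no failure
    if password_ok:
        state.bad_count = 0
        return "ok"
    state.bad_count += 1
    state.last_bad = t
    if policy.threshold and state.bad_count >= policy.threshold:
        if policy.duration_minutes is None:
            state.locked_until = 2 ** 62    # Forever: only an administrator can unlock
        else:
            state.locked_until = t + policy.duration_minutes * 60
    return "bad"


def unlock(state: AccountState) -> None:
    """An administrator clears the Account Locked Out check box in User Manager."""
    state.locked_until = None
    state.bad_count = 0


def guesses_checked_per_hour(policy: LockoutPolicy, guesses_per_second: int = 1) -> int:
    """How many wrong passwords a steady online guessing attack gets NT to evaluate in one hour."""
    state = AccountState()
    checked = 0
    for second in range(3600):
        for _ in range(guesses_per_second):
            if attempt(policy, state, second, password_ok=False) == "bad":
                checked += 1
    return checked


def lockout_trace(policy: LockoutPolicy) -> List[Tuple[int, str]]:
    """Constructed sequence: five bad guesses, then the real user during the lockout,
    then the real user again one second after the lockout duration ends."""
    state = AccountState()
    attempts = [(s, False) for s in range(5)]
    attempts += [(60, True), (5 + policy.duration_minutes * 60, True)]
    return [(t, attempt(policy, state, t, ok)) for t, ok in attempts]


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, reset_minutes=30, duration_minutes=30)
    print("no lockout  :", guesses_checked_per_hour(LockoutPolicy(0, 30, 30)), "guesses checked/hour")
    print("5/30/30 min :", guesses_checked_per_hour(policy), "guesses checked/hour")
    print("5/30/Forever:", guesses_checked_per_hour(LockoutPolicy(5, 30, None)), "guesses checked/hour")
    print(lockout_trace(policy))
```

The numbers make the trade-off concrete: with no lockout the attacker gets every guess evaluated, while a 5-attempt threshold and a 30-minute duration cut a one-guess-per-second attack to ten checked guesses per hour, and Forever cuts it to five. The model also shows the limit of the control: an attacker who makes four guesses and then waits slightly longer than the reset window never trips the threshold, and a lockout policy is itself a denial-of-service lever against any account name the attacker knows, which is one reason to audit failed logons (see Audit policy, below) rather than rely on lockout alone.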

User rights. Select Policies, User Rights from User Manager's menu bar to open the User Rights Policy dialog box. A user right (which NT sometimes refers to as a privilege) is the authorization to perform some type of system-level function. For example, to log on at the local console, you need the Log on locally right. The User Rights Policy dialog box lists the local computer's user rights assignments; select Show Advanced User Rights to see the less common privileges (e.g., Act as part of the operating system, Debug programs), which you should grant sparingly because they are equivalent to administrative control of the machine.

Audit policy. Select Policies, Audit from User Manager's menu bar to open the Audit Policy dialog box, which Figure 2 shows. This policy determines the types of security events that NT will log in the computer's local Security log. NT provides seven audit categories that let you monitor such events as logon activity, file access, program execution, security policy changes, and user account changes. You can instruct NT to record failed or successful events for each category. Auditing is off by default, so until you enable at least failed logon events here, the lockout policy above leaves no record of the guessing it slowed down. (For a list of articles about auditing and the NT Security log, see "Related Articles in Previous Issues.")

To view the local Security log, open the NT Event Viewer (under Administrative Tools) and select Log, Security from the menu bar. To configure the log, select Log, Log Settings to open the Event Log Settings dialog box.

You can configure a maximum size for the Security log and specify what the computer should do when the log reaches that size. You can choose to have the system overwrite events as necessary; the computer will overwrite the oldest events in the log as it records new events. You can configure the system to overwrite events that are older than a specific number of days; when the log fills, the computer will discard events older than the specified number of days. (If no events meet the expiration criteria, the system stops logging events until older events expire.) Or you can tell the system not to overwrite events; in that case, you'll need to clear the log manually on a regular basis (saving it first if you need the history) because the system will simply stop logging events when the log is full. (Increasing the size of a full log doesn't restart logging; you must clear events from the log to make space for new events.) Whichever mode you choose, remember that an intruder who can generate a flood of audited events can either push earlier evidence out of the log or, in the second and third modes, stop the log from recording anything further, so size the log generously and archive it regularly.
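The interaction between log size and retention mode is easiest to see by running a few events through each mode. The following model is an added example written for this article, not code from Windows IT Pro or from Microsoft. It assumes (the article does not state this) that "older than N days" means an event's age is strictly greater than N days, that the log holds a fixed number of events rather than a fixed number of kilobytes, and that the stop in "do not overwrite" mode persists until the log is cleared even if the log is enlarged. The routine and attack events are constructed input.

```python
"""Model of the three NT Event Log Settings retention modes for the Security log
(added example, not the article's or Microsoft's code)."""
from collections import deque
from typing import Deque, List, Optional, Tuple

OVERWRITE_AS_NEEDED = "overwrite events as needed"
OVERWRITE_OLDER_THAN = "overwrite events older than N days"
DO_NOT_OVERWRITE = "do not overwrite events (clear log manually)"


class SecurityLog:
    def __init__(self, max_events: int, mode: str, older_than_days: Optional[int] = None):
        if mode == OVERWRITE_OLDER_THAN and older_than_days is None:
            raise ValueError("older_than_days is required for the overwrite-older-than mode")
        self.max_events = max_events
        self.mode = mode
        self.older_than_days = older_than_days
        self.events: Deque[Tuple[int, str]] = deque()  # (day recorded, text), oldest first
        self.dropped = 0        # events NT silently failed to record
        self.stopped = False    # a "do not overwrite" log has filled up

    def record(self, day: int, text: str) -> bool:
        """Try to log one event on the given day; True if written, False if lost."""
        if self.stopped:
            self.dropped += 1
            return False
        if len(self.events) < self.max_events:
            self.events.append((day, text))
            return True
        if self.mode == OVERWRITE_AS_NEEDED:
            self.events.popleft()                 # oldest event is overwritten
            self.events.append((day, text))
            return True
        if self.mode == OVERWRITE_OLDER_THAN:
            oldest_day = self.events[0][0]
            if day - oldest_day > self.older_than_days:
                self.events.popleft()             # only an expired event may be overwritten
                self.events.append((day, text))
                return True
            self.dropped += 1                     # nothing has expired yet: the new event is lost
            return False
        self.stopped = True                       # DO_NOT_OVERWRITE: logging halts until cleared
        self.dropped += 1
        return False

    def resize(self, max_events: int) -> None:
        """Raising the maximum size of a full log does not restart logging."""
        self.max_events = max_events

    def clear(self) -> None:
        """Log, Clear All Events in Event Viewer (save the log first if you need it)."""
        self.events.clear()
        self.stopped = False


def flood_scenario(mode: str, older_than_days: Optional[int] = None,
                   log_size: int = 5, burst: int = 5) -> Tuple[List[bool], List[str], int]:
    """Constructed scenario: one routine event a day fills the log; on day 10 an
    intruder's activity generates a burst of events.  Returns which burst events
    were written, the log contents afterwards, and how many events were lost."""
    log = SecurityLog(log_size, mode, older_than_days)
    for day in range(log_size):
        log.record(day, f"routine logon day {day}")
    written = [log.record(10, f"attack event {i}") for i in range(burst)]
    return written, [text for _, text in log.events], log.dropped


if __name__ == "__main__":
    for mode, days in ((OVERWRITE_AS_NEEDED, None), (OVERWRITE_OLDER_THAN, 7), (DO_NOT_OVERWRITE, None)):
        written, contents, lost = flood_scenario(mode, days)
        print(f"{mode}: written={written} lost={lost}")
        print("   log now holds:", contents)
```

Run it and the failure modes the article describes become visible: in "overwrite as needed" mode the intruder's burst evicts every routine event (the history is gone, but the attack is recorded); in "older than 7 days" mode only the three routine events that had expired are overwritten, and the rest of the burst is lost; in "do not overwrite" mode the whole burst is lost and the log stays stopped through a resize until it is cleared.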

Other Local Security Control Areas
Whereas you can configure the account policy, user rights, and audit policy control areas at the system level through User Manager, several other control areas—ACLs, audit control lists, administrative authority, and system services—operate independently of the SAM and are set per object or per service.
