Scaling Issues in Windows NT 4.0 - CCIE Security Training
In larger Windows NT environments, you can have many domains. Windows NT allows information sharing between domains with the use of trusted domains. A trusted domain grants or denies access to clients without having to manage each user individually. Each domain can exchange information and form a trust relationship. Based on these trust relationships, end users from each domain can be allowed or denied access. Creating trust relationships allows secure data to flow between different domains and ensures adequate security for data files and application files in any Windows-based network.
Windows NT supports several domain models, including the following:
• Single domain—Used in small networks.
• Global domain—Automatically trusts every domain.
• Master domain—Trusted by all remote domains but does not trust the remote domains.
• Multiple master domains—Used in large networks where the master domain is trusted by other master domains, which in turn trust smaller domains.
Windows NT Login and Permissions
NT users must log in to the domain. Pressing Control-Alt-Delete together displays the login utility.
After a valid username and password pair is entered, the verification process starts by comparing the username/password pair with the data stored in the Security Accounts Manager (SAM), which is stored on the NT server in the form of a database.
This database also contains a list of privileges for each user. For example, the database might contain the following permissions:
• User_1 is permitted access to group Cisco_Icon.
• User_2 is permitted access to group APAC.
• Directory d:\data has read and write access for both groups Cisco_Icon and APAC.
• The Word documents stored in d:\data\word are owned by group APAC only.
• The Excel documents stored in d:\data\excel are owned by group APAC, and read access is granted to all other users.
When a user or client attempts to access objects shared by other users in the domain, permissions are used to authorize or deny services.
The Windows NT file system is called New Technology File System (NTFS). NTFS is a naming file system that allows extra security. Earlier versions of Windows, such as Windows 95, do not support NTFS and therefore do not support file permissions.
The following are six NTFS permissions:
• R—Read only. The data or object can only be viewed.
• W—Write access. The data can be changed.
• X—Execute. The data can be executed. (For example, a directory can be viewed or a program can be executed.)
• D—Delete. The data can be deleted.
• P—Change Permissions. The data access permissions can be altered.
• O—Take Ownership. The ownership can be altered.
The NTFS permissions can also be combined for certain files and directories. For example, RX (read/execute) allows a client to view and execute the data.
Computers running DOS, Windows 3.x, 95, 98, or ME, or Windows NT with a FAT partition, do not provide any file permissions. They can provide only share-level permission. (Remote users can be permitted or denied access.) File permissions for local users can be implemented only in an NTFS file system.
Windows NT Users and Groups
The following is an explanation of the group types:
• Global Groups—A global group contains only individual user accounts (no groups) from the domain in which it is created. It can be added to a local group. Once created, a global group can be assigned permissions and rights, either in its own domain or in any trusting domain. Global groups are available only on Windows NT Server domains.
Domain Admins and Domain Users are two built-in global groups.
• Local Groups—Local groups are created on a Windows NT Server or Workstation computer and are available only on that computer. A local group can contain user accounts or global groups from one or more domains. Local groups cannot contain other local groups. Backup Operators and Guests are examples of built-in local groups.
The permissions for a user who belongs to multiple groups are the sum of all the groups' permissions, except for NO PERMISSION, which overrides all other permissions.
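The following is an added example, not code from the page, that models the evaluation rule just described: a user's effective permissions are the union of every entry that applies to the user or to any of the user's groups, except that a NO PERMISSION entry (what NT calls No Access) wins over everything. The directory tree and ACL entries mirror the d:\data example above; the group memberships, the extra user Guest_1 and the Everyone group, and the reading of "owned by group APAC only" as APAC holding all six permissions are assumptions.

```python
# Added example: NT-style effective-permission evaluation (not code from the page).
# Rules modelled from the text: permissions are the union of every applicable
# entry, except that a NO PERMISSION entry (NT's "No Access") overrides all others.

NO_PERMISSION = "NO PERMISSION"          # sentinel for an explicit deny entry
ALL_PERMS = frozenset("RWXDPO")          # the six NTFS permission letters

# Constructed sample directory mirroring the page's example. Group membership
# is an assumption; the page only says each user "is permitted access to" a group.
GROUP_MEMBERS = {
    "Cisco_Icon": {"User_1"},
    "APAC": {"User_2"},
    "Everyone": {"User_1", "User_2", "Guest_1"},   # Guest_1 is a constructed extra user
}

# ACL per directory: list of (principal, permissions). "Owned by group APAC only"
# is modelled as APAC holding all six permissions (assumption).
ACLS = {
    r"d:\data":       [("Cisco_Icon", frozenset("RW")), ("APAC", frozenset("RW"))],
    r"d:\data\word":  [("APAC", ALL_PERMS)],
    r"d:\data\excel": [("APAC", ALL_PERMS), ("Everyone", frozenset("R")),
                       ("Guest_1", NO_PERMISSION)],   # explicit deny for the guest
}


def groups_of(user):
    """Return the set of groups the user belongs to."""
    return {group for group, members in GROUP_MEMBERS.items() if user in members}


def effective_permissions(user, path):
    """Union of all applicable grants; an applicable NO PERMISSION entry wins outright."""
    principals = groups_of(user) | {user}
    granted = set()
    for principal, perms in ACLS.get(path, []):
        if principal not in principals:
            continue
        if perms == NO_PERMISSION:
            return frozenset()            # deny overrides every other entry, whatever its order
        granted |= perms
    return frozenset(granted)


def permission_string(perms):
    """Render a permission set in the page's letter notation, e.g. 'RX'."""
    return "".join(letter for letter in "RWXDPO" if letter in perms)


def is_allowed(user, path, wanted):
    """True only if every requested letter (e.g. 'RX') is in the effective set."""
    return set(wanted) <= effective_permissions(user, path)


if __name__ == "__main__":
    for user in ("User_1", "User_2", "Guest_1"):
        for path in ACLS:
            perms = permission_string(effective_permissions(user, path)) or "(none)"
            print(f"{user:8} {path:16} {perms}")
```

Running the block prints a small matrix of users against directories; note that Guest_1 gets nothing on d:\data\excel even though Everyone is granted R there, which is the override behaviour the text describes.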
Windows NT Domain Trust
Setting up trust among multiple NT domains allows the users of one domain to use resources from another domain. The trusting domain allows the trusted domain to control
The Windows NT trusting domain comprises the resources that authenticated users need to access. Trust relationships cannot be chained; they are not transitive. In other words, if domain A trusts B, and B trusts C, A does not automatically trust C. A domain's administrator must explicitly grant trust to the other domain to form a trust relationship. Trust is one way: if A trusts B, B does not necessarily trust A.
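The following is an added example, not code from the page, that models NT 4.0 trust semantics as a directed graph: an edge runs from the trusting (resource) domain to the trusted (account) domain, access is decided only by direct edges, and a trust exists only because an administrator added it. A breadth-first walk is included solely to show the transitive result that NT 4.0 does not compute. The domain names and the trust layout are constructed assumptions.

```python
# Added example: a directed-graph model of NT 4.0 domain trusts (not code from the page).
# Edge direction follows the text: the trusting domain holds the resources and
# accepts users from the trusted domain. Trust is one-way and not transitive.
from collections import deque

# Constructed multiple-master-style layout. Domain names are assumptions.
# TRUSTS[trusting] = set of domains that `trusting` trusts.
TRUSTS = {
    "RESOURCE_EU": {"MASTER_A"},
    "RESOURCE_US": {"MASTER_A", "MASTER_B"},
    "MASTER_A":    {"MASTER_B"},
    "MASTER_B":    {"MASTER_A"},      # two one-way trusts together form a two-way trust
}


def trusts(trusting, trusted):
    """Direct, one-way check: does `trusting` trust accounts from `trusted`?"""
    return trusting == trusted or trusted in TRUSTS.get(trusting, set())


def can_access(user_domain, resource_domain):
    """NT 4.0 semantics: the resource domain must trust the user's domain directly."""
    return trusts(resource_domain, user_domain)


def transitively_reachable(resource_domain, user_domain):
    """Follow chains of trust outward from the resource domain.

    This is NOT how NT 4.0 decides access; it is here to show which accesses a
    transitive model would grant that the direct check above refuses.
    """
    seen, queue = {resource_domain}, deque([resource_domain])
    while queue:
        current = queue.popleft()
        if current == user_domain:
            return True
        for nxt in TRUSTS.get(current, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def grant_trust(trusting, trusted):
    """An administrator of `trusting` explicitly adds a one-way trust of `trusted`."""
    TRUSTS.setdefault(trusting, set()).add(trusted)


if __name__ == "__main__":
    checks = [("MASTER_A", "RESOURCE_EU"), ("RESOURCE_EU", "MASTER_A"),
              ("MASTER_B", "RESOURCE_EU"), ("RESOURCE_US", "RESOURCE_EU")]
    for user_domain, resource_domain in checks:
        direct = can_access(user_domain, resource_domain)
        chained = transitively_reachable(resource_domain, user_domain)
        print(f"{user_domain:12} -> {resource_domain:12} direct={direct!s:5} transitive-would-be={chained}")
```

The MASTER_B to RESOURCE_EU case is the one to watch: RESOURCE_EU trusts MASTER_A and MASTER_A trusts MASTER_B, so a transitive walk reaches MASTER_B, yet the direct check refuses it until RESOURCE_EU's administrator grants that trust explicitly.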