Methods of Restricting Registry Access phần 3

Windows Server 2003 built-in local security groups (the screenshot is taken on the domain controller) Standard security settings are applied by Security Configuration Manager during the operating system installation,
Nội dung trích xuất từ tài liệu:
Methods of Restricting Registry Access phần 3Figure 9.10: Windows Server 2003 built-in local security groups (the screenshot is takenon the domain controller)Standard security settings are applied by Security Configuration Manager during theoperating system installation, when the GUI setup starts. For this purpose, the SecurityConfiguration Manager uses security templates located in the %SystemRoot%\inf folder.Naturally, the template used for applying default security settings depends on the OSbeing installed and the computers role in your network environment. When you performa clean installation of workstations running Windows XP Professional, the%SystemRoot%\inf\defltwk.inf security template will be used (notice that upgrades fromWindows 9x platforms are treated as clean installs). If you are upgrading to Windows XPfrom Windows NT/2000, Security Configuration Manager will use the%SystemRoot%\inf\DWUp.inf security template. When you perform a clean installationof Windows Server 2003 member server, default security settings are taken from the%SystemRoot%\inf\defltsw.inf security template, while for upgrades-from the%SystemRoot%\inf\dsup.inf template. For domain controllers, the%SystemRoot%\inf\defltdc.inf template is used. When you upgrade domain controllersfrom Windows NT 4.0, the Security Configuration Manager will use the%SystemRoot%\inf\dcup.inf template.Note If you want to affect the security settings that are applied by default during installation, you can modify the above-mentioned security templates in the installation files folder.As was already discussed, for standalone computers or computers participating in aworkgroup, users belonging to the Administrators group have unlimited access to all filesystem and registry objects. Users and Power Users have a more restricted set of accessrights.Note Windows XP and Windows Server 2003 include a new root ACL, which is also implemented by Format and Convert commands. In addition to previous releases, the Security Configuration Manager now secures the root directory during setup, if the current root security descriptor grants the Everyone group Full Control permission. This provides increased security for non-Windows directories. The new root ACL is as follows: • Administrators, System: Full Control (Container Inherit, Object Inherit) • Creator Owner: Full Control (Container Inherit, Object Inherit, Inherit Only) • Everyone: Read\Execute (No Inheritance) • Users: Read\Execute (Container Inherit, Object Inherit) • Users: Create Directory (Container Inherit) • Users: Add File (Container Inherit, Inherit Only)Power Users can write new files into directories (the list is provided below), but cantmodify files that were written to these directories during installation. All members of thePower Users group inherit Modify access to all the files created in these directories by amember of their group. %SystemRoot% %SystemRoot%\inf %SystemRoot%\Config %SystemRoot%\media %SystemRoot%\cursors %SystemRoot%\system %SystemRoot%\fonts %SystemDir% %SystemRoot%\help %SystemDir%\RASMaintaining Proper System File and Registry Permissions across All WindowsServer 2003 Computers within a DomainAlthough standard system file and registry permissions for Windows Server 2003 seemfairly secure, a wise administrator doesnt assume that the default permissions on systemfolders, files, and registry keys are always going to be the best possible settings. Forexample, the installation of new software always adds folders and files, and sometimesservices, for which youll also need to consider permissions set automatically, as well aschanges to the inherited permissions.Note When a Windows Server 2003 computer is promoted to a domain controller, an additional set of permissions is applied.If you need to return to the settings applied at install time after having changed thedefault permissions, proceed as follows: 1. From the Start menu, select Run, and type mmc into the Open field. When the MMC console window opens, select the Add/Remove snap-in command from the File menu. The Add/Remove Snap-in window opened at the Standalone tab will open. Click the Add button, and select the Security Configuration and Analysis option from the list of available snap-ins (Fig. 9.11). Click Add, then Close, then OK. Figure 9.11: Adding the Security Configuration and Analysis standalone snap-in2. Right-click the Security Configuration and Analysis item and select the Open Database … command from the context menu (Fig. 9.12). The Open Database dialog will appear (Fig. 9.13), where you will be prompted to select a database, and then click Open. By default, security templates are stored at %SystemRoot%\security\templates. Navigate to this folder and select the required template. To reapply the default server security settings, select the setup security.inf file. To reapply the settings applied when a server is promoted to a domain controller, use the DC security.inf security template. If you only want to reapply the system drive root security settings, select the rootsec.inf security template, which implements the above-mentioned new Windows Server 2003 root ACL. Notice that this template can also be used to apply similar settings to the root of other disks. Figure 9.12: Opening the Security Configuration Database Figure 9.13: The Open database dialogNote You must realize that after you reapply the default permissions using these security templates, any configuration settings that you may have applied either manually or using Group Policy will be overwritten by the default settings. Therefore, if you need to preserve your changes, create a copy of the default template(s), ...