Changes to Default Settings Make Windows Server 2003 More Secure (Part 1)
There are two basic approaches that can taken when it comes to network and operating system security, and they are based on two very different philosophies. Neither is "right" or "wrong" - the one that is best for a given computer or network depends on the circumstances, needs and priorities of the organization or individual user. Most importantly, the choice is dependent on which is more important in a given situation: access or control:
- Access as top priority: In this case, the choice would be an open-by-default system, in which security measures are implemented on an as-needed basis. You start with everything accessible, then determine what shouldn't be accessed and lock down those elements.
- Control (Security) as top priority: In this case, a better choice is a closed-by-default system, based on the principle of least privilege. You start with everything locked down and then open up only that which is necessary.
The two will always be at opposite ends of the security continuum. The more control you have over the network or OS, and the more tightly you secure it from the hazards of computing in an interconnected world (including intruders, attackers, viruses and other malware), the less accessible it will be. On the other hand, the easier you make it for employees, customers, partners and others to access resources, the less controlled and secure it will be. This tradeoff is inevitable, so the first step in developing a security plan is determine which is the greater priority and where on the continuum your needs fall. The ideal system would be completely user-friendly to those who authorized and absolutely impenetrable by anyone else, but such a system doesn't - and can't - exist.
In the past, Microsoft's operating systems have been based on the premise that access was the priority, and in the past, for most organizations, this was true. If users couldn't access the resources they needed, productivity (and money) was lost. Ten years ago, the risk of intrusion or attack was outweighed by the need for easy access. But times have changed, the virtual streets have gotten meaner, and the prevalence and increased sophistication of hackers and virus writers has raised the stakes. Now, for most organizations, security is the top priority. Microsoft has responded to this in many ways, starting with their "trustworthy computing" initiative. One big change, very noticeable in Windows Server 2003, is the difference in default settings. In this two-part article, we'll look at how the out-of-the-box server differs in its defaults from previous versions and how the new defaults make the OS more secure (while at the same time causing frustration for some admins and users who find themselves unable to gain access that was available without any reconfiguration in earlier operating systems). In Part 1, we'll focus on how the default permissions have changed, changes to the membership of the Everyone group, and ownership of objects.
New Default Permissions Settings
MCSE candidates in the NT and 2000 tracks had it drilled into their heads, and many "OJT" (on the job trained) network admins learned it the hard way: by default, both share and NTFS permissions were wide open - the Everyone group had full control. That meant anyone could do anything to the folder or file: change it, delete it, even change the permissions on it. The first thing an experienced security-conscious admin did upon creating a share was to change that default.
Now, with Server 2003, things are a little more locked down. By default, the Everyone group has only Read and Execute permissions on the root of each drive. These permissions are not inherited by subfolders; the Everyone group has no permissions by default to a newly created folder or file.
Similarly, when you create a shared drive or folder, the Everyone group now has only Read permission by default, rather than full control. This is quite a change from earlier versions of Windows, where every new folder gave everyone full control via both NTFS and share permissions.
NOTE: Although the Everyone group has no NTFS permissions to a newly created folder or file, the Users group does have the following permissions: Read & Execute, Read, and List Folder Contents. What's the difference between Everyone and Users? One big difference is that you can add and delete members of the Users group. By default, any new user you create will belong to the Users group but this can be changed. The Everyone group is a built-in group with set membership (that is, you cannot add and delete members as you can with most other security groups).
By default, the Administrators group, the system and the owner/creator still have full control of new folders via NTFS permissions.
Permissions can be applied not only to NTFS files and folders and shared folders (regardless of file system), but also to Active Directory objects. Another change in Windows Server 2003 is to the default Active Directory permissions to the IP Security Policies container, which are more restrictive than in Windows 2000. Now the only users who have Read permission are Group Policy Creator Owners and members of the Domain Computers group. Domain Admins group members are able to make configuration changes to this container.
Changes to the Membership of the Everyone Group
In past versions of Windows, the built-in Everyone group consisted of literally everyone who accessed the system, including anonymous users. In Server 2003, the Everyone group does not incude anonymous users, so that even if permissions are granted to the Everyone group, those who are logged on anonymously do not have those permissions.
Those who log on anonymously are part of the Anonymous Logon group, another built-in group with set membership.
Note that in a Windows Server 2003 domain environment, you can allow members of the Anonymous Logon group to be members of the Everyone group on a domain controller by editing the domain security policy (Start | Programs | Administrative Tools | Domain Security Policy). In the left pane of the console, expand the following nodes: Default Domain Controller Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, and click Security Options. In the details pane, right click Network Access: Let Everyone permissions apply to anonymous users. Select Properties and check the Define this policy checkbox, then select Enabled to apply the policy.
Changes in Object Ownership
By default, the creator of a file or folder on an NTFS partition is the owner of that object. In previous versions of Windows, it was possible to take ownership but it was not possible for the owner to give ownership to someone else. In Server 2003, however, you can "give away" the ownership of an object if you are the owner.
This is done by right clicking the file or folder, selecting Properties, selecting the Security tab, and clicking the Advanced button. Click the Owner tab; this shows the current owner of the item. Under Change owner to, you can select a user or group account to which you want to assign ownership. This gives you more control and makes it easier to change the ownership of file and folder objects (this also applies to printer objects).
Default settings in Windows Server 2003 are designed to provide more of a locked down environment than ever before. In Part 2, we'll look at changes to the default settings for common services, changes in the authentication process, and also at those areas in which some feel Server 2003's default are still too open.