2008 Oct 18
| Accounts | Groups |
There are two type of accounts: default accounts and accounts created by administrators. When the Primary Domain Controller (PDC) is installed two accounts, Administrator and Guest, are automatically created. The default Administrator has the highest level of privileges of any login account (like root in Unix).
One property of the default Administrator account is that it, by default,
cannot be locked no matter how many bad passwords an attacker guesses for
this account. A utiliy named PASSPROP.EXE in the Windows NT
Resource Kit enables the default Administrator account to be locked when
a specified number of failed logons is reached, provided there is at least
one other nondisabled account with administrator pivileges.
The Guest account is disabled by default (and should be left as such) because this account cannot be deleted. Other accounts (which can be deleted) can be created as needed. Some applications require the creation of an account. Any accounts other than the default Administartor and Guest can be disabled or deleted.
It is recommended to rename the default Administrator account to a different name and to also change its description to make it harder for an attacker to know which one it is. Then create a non privilieged account named Administrator as a decoy. Give a very hard to guess password for the default undeletable Guest account.
Users with the Logon Locally right can log on while at the physical console of a server or workstation. If a partition is not NTFS then the user can do anything.
Groups are used to control access and privileges which is easier than doing so on an account by account basis when there are a large number of users. Global groups have access to any resource on any server within a domain. Local groups have access only on the server or workstation on which they have been created. A Global group can be included in a Local group. In WIN_NT users normally obtain access by being included in global groups that are included in local groups. Global groups and local groups cannot be included in local groups. In Win 2000 there is also Universal which can contain users and groups from every domain within any forest (cutting across domain and tree boundaries).
When the PDC is installed, particular default groups (global and local) are created.
| Local Groups | Global Groups | Purpose |
|---|---|---|
| Administrators (local) | Domain Administrators | Administration |
| Domain Users | ||
| Account Operators | Can administer non privileged accounts. | |
| Server Operators | Can adjust servers, control shares, and more. | |
| Backup Operators | Can make backups. | |
| Print Operators | Can set up printer shares, install and maintain print drivers. | |
| Replicators | ||
| Power Users | ||
| Users | ||
| Guests | Lowest level of privilege and access permission. | |
| Everyone | Provides access control to certain objects by unprivileged system processes. | |
| Interactive | Consists of currently logged in local users. | |
| Network | Consists of users currently logged over the network. | |
| Creator Owner | Owner of a specific object (even if not the actual creator). | |
| System | Highest privilege, but has no login account. Provides privileges for some system processes. |
Other (local or global) groups can be created as needed, and assigned specific privileges and access permissions.
Privilges can be viewed as rights and abilities. Rights are what users can do that can be given or taken from individual users or groups. (with a few exceptions). Abilities cannot be changed, they are inherent to various groups. Unfortunately it is not possible to create a custom group that has a chosen set of privileges.
For example, Act as part of the Operating System enables
the right to directly reach subsytems and components within Kernel Mode,
to alter the system in fundamental ways and access protected information.
The right to access a domain controller applies to all domain controllers
in the domain - this is not true for servers or workstations in the domain.
Windows 2000 (Windows NT 5, or NTS-5) object access combined control privileges:
Individual permission include:
2005-2008