Planning Distributed Security |
After a user logs on, the user is authorized to access various network resources, such as file servers and printers that grant permissions to Authenticated Users. Make certain you restrict a user's view of network resources to the devices, services, and directories that are job related. This limits the damage that an intruder can do by impersonating a legitimate user.
Access to network resources is based on permissions. Permissions identify users and groups who are allowed to perform specific actions by using specific resources. For example, the Accounting Group has read/write permission to access files in the Accounting Reports folder. The Auditor Group has read-only access to files in the Accounting Reports folder.
Permissions are enabled by using the ACL associated with each resource. You can find the ACL on the Security tab of the property sheet. An ACL is a list of the security groups (and rarely the individuals) who have access to that resource.
Security groups are the most efficient way to manage permissions. You can assign permissions to individuals; but in most cases, it is easier to grant permissions to a group and then add or remove users as members of the group.
Windows 2000 has a security group called "Everyone" which appears on network-share ACLs by default when they are created. To restrict access to network shares, you must remove the Everyone group and substitute a more appropriate group or groups. Do not assume the default permissions for a resource are necessarily appropriate permissions.
File system permissions by default are granted to a security group called Users. Any user authenticated to the domain is in the group called Authenticated Users, which is also a member of Users. Look at what the resource is used for and determine the appropriate policy. Some resources are public while others need to be available to specific sets of people. Sometimes a large group has read-only permission to a file or directory, and a smaller group has read/write permission.