
Page 1: Security Windows 2000 Richard Goldman © December 4, 2001

Security Windows 2000

Richard Goldman, © December 4, 2001

Page 2

Local or Domain Logon

• Before a user can access any resource, the user must successfully log on to either the local computer or to a domain.

• To log on locally, the user must have a user account set up on the specific computer that is to be accessed.
  – Windows 2000 Professional uses the registry and internal security systems to authenticate a local logon.

• To log on to the domain, the user must have a user account set up on the domain that is to be accessed.
  – Windows 2000 servers use Active Directory to authenticate a domain logon.

Page 3

Logon

• To log on locally, the user must enter:
  1. Identification (I.D. or User Name)
  2. Authentication (Password) – case sensitive

• To log on to the domain, the user must enter:
  1. Identification (I.D. or User Name)
  2. Authentication (Password) – case sensitive
  3. Domain Name

Page 4

Access Token

• When the logon is successfully completed, an Access Token is created that identifies:
  – The user (user's SID)
  – The groups that the user belongs to (group SIDs)
  – The user's rights and privileges

• The access token is attached to every process run by the user and accompanies all requests for access to computer or network resources.

Page 5

Access Control List (ACL)

• All computer and network objects have an ACL.

• The ACL defines:
  – Who has access to the resource.
  – What type of access is provided for each user.

Page 6

Accessing an Object

• When a user (or process) requests access to a resource, the request is accompanied by the user's Access Token.

• The Access Token and the type of request are compared with the ACL.

• If the Access Token and the type of request are allowed by the ACL, then the request is granted.

Page 7

Example: Read request for access to MyDocument.DOC by a user in the Student group.

ACL on MyDocument.DOC:
  Staff Group:   Read Y   Write Y   Delete N
  Student Group: Read Y   Write N   Delete N

Access Token accompanying the Read Request:
  User: John Smith
  Groups: Student
  Request: Read

(Diagram: the token's Student group is matched against the Student Group entry of the ACL, and the Read request is matched against that entry's Read permission; the Staff Group entry does not match the token and is marked X.)

Page 8

(Same diagram as Page 7, continued.) Both the group in the Access Token and the requested type of access match the Student Group entry in the ACL: Read Access Granted.
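As an added example (not part of the original slides), the access check sketched on pages 4 to 8 can be modelled directly: a token holding the user's SID and group SIDs is compared, entry by entry, against the object's ACL for the requested rights. The SIDs, the three-right mask and the Deny-ACE handling are assumptions of this model; the slides show only Allow entries, whereas Windows honours an explicit Deny encountered first, and the code follows the Windows rule.

```python
# Added example, not from the slides: a small model of the Windows 2000
# access check (token SIDs vs. ACL entries). SIDs are constructed strings,
# rights are the three named on the MyDocument.DOC slide, and Deny ACEs are
# honoured in order as Windows does (assumption; the deck shows Allow only).
from dataclasses import dataclass

READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | self.group_sids  # every SID an ACE may name

@dataclass(frozen=True)
class ACE:
    sid: str     # trustee this entry applies to
    allow: bool  # True = Allow ACE, False = Deny ACE
    mask: int    # bitmask of READ / WRITE / DELETE

def access_check(token, acl, requested):
    """Return True only if every requested right is granted by the ACL.

    ACEs are walked in order; only those naming a SID in the token count.
    A Deny ACE covering any still-unsatisfied requested right fails the
    check at once; an Allow ACE removes the rights it grants from the
    request. Rights no ACE mentions stay denied (default is no access).
    """
    remaining = requested
    for ace in acl:
        if ace.sid not in token.sids():
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0

# Constructed sample matching the MyDocument.DOC slide (SIDs are made up)
MYDOC_ACL = [
    ACE("S-1-5-21-100-513", True, READ | WRITE),  # Staff Group: Read, Write
    ACE("S-1-5-21-100-514", True, READ),          # Student Group: Read only
]
john = AccessToken("S-1-5-21-100-1001", frozenset({"S-1-5-21-100-514"}))
```

`access_check(john, MYDOC_ACL, READ)` reproduces the slide's "Read Access Granted"; asking for WRITE with the same token is refused because no matching ACE grants it.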

Page 9

Customizing Windows 2000 Professional Logon

• Select:
  – Control Panel
  – Administrative Tools
  – Local Security Policy

Page 10

Customizing Windows 2000 Professional Logon

Page 11

Customizing Windows 2000 Professional Logon

Page 12

Customizing Windows 2000 Professional Logon

• To disable the display of the last user name:
  – From within Local Security Policy:
    1. Expand Local Security Settings
    2. Expand Local Policies
    3. Select Security Options
    4. Double-click "Do not display last user name in logon screen"
    5. Set the value to Enable.

Page 13

Customizing Windows 2000 Professional Logon

Disabling the display of the last user name

Page 14

Customizing Windows 2000 Professional Logon

Disabling the display of the last user name

Page 15

Customizing Windows 2000 Professional Logon

Adding a Security Message

• The two elements of the Security Warning Message are:
  – Legal Notice Caption – 30 characters on the title bar of the Security Warning Message window.
  – Legal Notice Text – up to 65K of text to go inside the Security Warning Message window.
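Added example, not from the slides: the last-user-name setting from Page 12 and the Legal Notice caption and text from Page 15 are stored as string values under the Winlogon registry key, so a `.reg` export of that key can be audited to confirm both customizations are in place and that the caption respects the 30-character limit. The value names `DontDisplayLastUserName`, `LegalNoticeCaption` and `LegalNoticeText` are assumed to be the underlying Windows 2000 values; the `.reg` text below is constructed, not captured from a real host.

```python
# Added example, not from the slides: audit a .reg export of the Winlogon key
# for the two logon customizations the deck describes. Value names are assumed
# to be the Windows 2000 ones; SAMPLE_REG is constructed for illustration.
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CAPTION_LIMIT = 30  # characters shown on the title bar, per the slide

# "Name"="value" lines; .reg escapes backslash and double quote with a backslash
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_key(reg_text, key):
    """Return the REG_SZ values of one key in .reg export text as a dict."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new [KEY] section starts
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            values[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return values

def audit_winlogon(reg_text):
    """Report which of the deck's logon hardening settings are present."""
    v = parse_reg_key(reg_text, WINLOGON_KEY)
    caption = v.get("LegalNoticeCaption", "")
    return {
        "last_user_hidden": v.get("DontDisplayLastUserName") == "1",
        "legal_notice_set": bool(caption) and bool(v.get("LegalNoticeText")),
        "caption_within_limit": len(caption) <= CAPTION_LIMIT,
    }

# Constructed sample of what `reg export` of the Winlogon key might contain
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"LegalNoticeCaption"="Authorized Use Only"
"LegalNoticeText"="This system is for authorized users. Activity may be monitored."
'''
```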

Page 16

Customizing Windows 2000 Professional Logon

• To use the Local Computer Policy you must add the Group Policy (not "Global Policy") snap-in to an MMC.
  – Click the Start button
  – Select Run
  – Enter MMC
  – Select Add/Remove Snap-in
  – Click on the Add button
  – Select Group Policy
  – Click on the Add button
  – Click on the Finish button
  – The "Local Computer Policy" is then added to the MMC.
  – Click on the Close button
  – Click on the OK button
  – Save the MMC as Local Computer Policy
  – The MMC called Local Computer Policy will now appear in the Administrative Tools group.

Page 17

Customizing Windows 2000 Professional Logon

Adding a Security Message

Page 18

Customizing Windows 2000 Professional Logon

Adding a Security Message