Network Security under Windows NT 4.0


In a multi-user network, system security and permission settings matter a great deal. Windows NT 4.0 provides a mature security system for networked environments and has become more complete with each release, but that same richness makes domain design and permission assignment hard for an administrator to grasp. What follows is a brief analysis drawn from the relevant documentation and from repeated practice.

The network security of Windows NT 4.0 rests on three kinds of capability that can be assigned to users or groups:

· User rights (powers): authorization to perform specific system-wide actions. The system assigns them to the built-in groups by default; an Administrator can extend them to other groups and users.
· Shares: folders made available to users over the network, each carrying a share permission that caps what can be done through the network.
· Permissions: file-system capabilities granted to users or groups on specific directories and files (NTFS volumes only).

I. User Rights

User rights apply to operations on objects and tasks across the whole system rather than to a particular file or directory; they are normally used to authorize users to carry out certain system tasks. When a user logs on with an account that holds a right, the user can perform the tasks that right authorizes.

The common user rights are listed below:
· Access this computer from network: lets the user connect to this computer over the network.
· Add workstations to domain: lets the user join workstations to the domain.
· Back up files and directories: lets the user back up files and directories on the computer regardless of their permissions.
· Change the system time: lets the user set the computer's system clock.
· Load and unload device drivers: lets the user install and remove device drivers.
· Restore files and directories: lets the user restore previously backed-up files and directories.
· Shut down the system: lets the user shut the system down.
The system grants these rights to the built-in groups by default, and they rarely need attention in routine maintenance; administrators can extend them to other groups and users as required.

II. Share Permissions

Sharing applies only to folders (directories). A folder that is not shared is invisible over the network and therefore cannot be reached from it. Most servers exist mainly to hold files and directories for network users, so before users can reach a directory on an NT Server you must first create a share for it. The share permission sets the upper bound on what anyone can do in that directory through the network.

Table 1 lists the share permissions from the most restrictive to the least restrictive.

Table 1  Share permissions
Share permission   Actions permitted
No Access          Denies all access to the directory, its files and its subdirectories.
Read               View file and subdirectory names, change to subdirectories of the shared directory, view file data, run applications.
Change             Everything Read permits, plus add files and subdirectories, change file data, and delete files and subdirectories.
Full Control       Everything Change permits, plus change permissions and take ownership (both on NTFS volumes only).

III. Permissions

Permissions apply to specific objects, namely directories and files, and exist only on NTFS volumes. They specify which users may use an object and how (for example, granting a named user access to a directory). Permissions are divided into directory permissions and file permissions. Each permission level is a fixed combination of six tasks: Read (R), Execute (X), Write (W), Delete (D), Change Permissions (P), and Take Ownership (O). Tables 2 and 3 show which tasks each permission level includes.

Table 2  Directory permissions
Permission level   Tasks on the directory   Tasks on files in it   Actions permitted
No Access          (none)                   (none)                 Cannot access the directory.
List               RX                       not specified          View the names of files and subdirectories; change to subdirectories.
Read               RX                       RX                     Everything List permits, plus read the files in the directory and run applications in it.
Add                WX                       not specified          Add files and subdirectories, without being able to list or read the existing contents.
Add & Read         RWX                      RX                     Everything Read and Add permit.
Change             RWXD                     RWXD                   Everything Add & Read permits, plus change file contents and delete files and subdirectories.
Full Control       RWXDPO                   RWXDPO                 Everything Change permits, plus change the directory's permissions and take ownership of it.

"Not specified" means the level sets no permission on the files inside the directory, so a user with only List or Add cannot open them. If a user holds Execute (X) on a directory, the user can traverse it and enter its subdirectories.

Table 3  File permissions
Permission level   Tasks    Actions permitted
No Access          (none)   Cannot access the file.
Read               RX       Read the file and, if it is an application, run it.
Change             RWXD     Everything Read permits, plus modify and delete the file.
Full Control       RWXDPO   Everything Change permits, plus change the file's permissions and take ownership of it.

IV. Domains and Trust Relationships

The domain is the basic unit of the Windows NT Server 4.0 security system, and the trust relationship is the basic relationship between domains in a larger NT network. In NT 4.0, trust relationships give large or complex systems a more flexible and simpler way to be managed.

A domain is a group of computers that share one account database and one security policy (in general terms, any group of NT servers and workstations). One server in each domain is designated the Primary Domain Controller (PDC), and the domain can, and usually does, contain one or more Backup Domain Controllers (BDCs). The PDC holds the master copy of the account database for every computer in the domain; changes can be made only on the PDC and are then replicated automatically to the BDCs, which keep read-only copies. If the PDC fails, a BDC can be promoted to PDC so that the network keeps working.

In a network of two or more domains, each domain operates as an independent network with its own account database, and by default the domains do not recognize each other's accounts. If users in one domain need resources in another, a trust relationship must be established between the two domains; the trust opens that channel.

Domain A ──→ Domain B
(trusting domain)   (trusted domain)
Domain A trusts Domain B: users whose accounts are in the trusted Domain B can be granted access to resources in the trusting Domain A.

A trust can be two-way, that is, Domain A trusts Domain B and Domain B trusts Domain A, so that users in B can access resources in A and users in A can access resources in B. Trusts in NT 4.0 are not transitive: if A trusts B and B trusts C, A does not thereby trust C; a separate trust from A to C is needed.

V. User Groups

A user group is a set of users that share the same rights and permissions. Changing the group's rights or permissions is a single operation that takes effect for every member, which makes it quick to authorize many users for network resources and simplifies network management and maintenance.

Windows NT supports two types of group:

· Global group: contains user accounts only from the domain in which it was created. Through a trust relationship, a global group can be granted rights and permissions on resources in other domains that trust its home domain.
· Local group: can contain user accounts from its own domain and from trusted domains, and global groups from its own domain and from trusted domains. A local group can be granted rights and permissions only on resources in the domain where it was created.
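The membership and assignment rules above, together with the one-way, non-transitive trusts of the previous section, are easy to get wrong when planning a multi-domain network. The following is an added example, not code from the original article: a small Python model that encodes those rules and walks the usual "accounts into a global group, global group into a local group, permissions to the local group" pattern across a one-way trust. The domains SALES, CORP and HQ, the groups and the accounts are constructed for illustration.

```python
"""Model of Windows NT 4.0 domain trusts and of the two group types.

Constructed example: the domains, trusts, groups and accounts below are
invented to illustrate the rules in the article and are not taken from any
real network.  Rules modelled:
  * a trust is one-way and not transitive;
  * a global group holds accounts from its own domain only;
  * a local group holds accounts and global groups from its own domain and
    from domains it trusts;
  * a local group gets permissions only in its own domain, a global group in
    its own domain and in every domain that trusts its home domain.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    domain: str                 # domain in which the group was created
    kind: str                   # "global" or "local"
    members: list = field(default_factory=list)  # "user@DOMAIN" strings or Groups


class Network:
    def __init__(self):
        # (trusting, trusted): the trusting domain accepts accounts from the
        # trusted domain.  Stored as direct pairs only; nothing is inferred.
        self.trusts = set()

    def add_trust(self, trusting, trusted):
        self.trusts.add((trusting, trusted))

    def trusts_domain(self, trusting, trusted):
        """Direct trust only: NT 4.0 trusts do not chain through a third domain."""
        return trusting == trusted or (trusting, trusted) in self.trusts

    def may_contain(self, group, member):
        """Can `member` (an 'alice@CORP' account or a Group) be added to `group`?"""
        if isinstance(member, Group):
            # Only local groups take group members, only global groups qualify,
            # and the global group must come from this or a trusted domain.
            return (group.kind == "local" and member.kind == "global"
                    and self.trusts_domain(group.domain, member.domain))
        account_domain = member.rsplit("@", 1)[1]
        if group.kind == "global":
            return account_domain == group.domain
        return self.trusts_domain(group.domain, account_domain)

    def may_grant(self, group, resource_domain):
        """Can `group` be given rights or permissions on a resource in `resource_domain`?"""
        if group.kind == "local":
            return group.domain == resource_domain
        return self.trusts_domain(resource_domain, group.domain)

    def accounts_in(self, group):
        """Accounts reachable through `group`, following nested global groups."""
        found = set()
        for member in group.members:
            found |= self.accounts_in(member) if isinstance(member, Group) else {member}
        return found


def scenario():
    """Walk the Accounts -> Global group -> Local group -> Permissions pattern
    across a one-way trust and return each check by name."""
    net = Network()
    net.add_trust("SALES", "CORP")   # resource domain SALES trusts account domain CORP
    net.add_trust("CORP", "HQ")      # CORP trusts HQ; SALES does not inherit this

    corp_finance = Group("Finance", "CORP", "global", ["alice@CORP", "bob@CORP"])
    hq_auditors = Group("Auditors", "HQ", "global", ["eve@HQ"])
    sales_readers = Group("Report Readers", "SALES", "local")

    results = {
        "alice@CORP into CORP\\Finance": net.may_contain(corp_finance, "alice@CORP"),
        "dan@SALES into CORP\\Finance": net.may_contain(corp_finance, "dan@SALES"),
        "CORP\\Finance into SALES\\Report Readers": net.may_contain(sales_readers, corp_finance),
        "HQ\\Auditors into SALES\\Report Readers": net.may_contain(sales_readers, hq_auditors),
        "SALES\\Report Readers on a SALES server": net.may_grant(sales_readers, "SALES"),
        "SALES\\Report Readers on a CORP server": net.may_grant(sales_readers, "CORP"),
        "CORP\\Finance on a SALES server": net.may_grant(corp_finance, "SALES"),
        "CORP\\Finance on an HQ server": net.may_grant(corp_finance, "HQ"),
    }
    if results["CORP\\Finance into SALES\\Report Readers"]:
        sales_readers.members.append(corp_finance)
    results["accounts reaching SALES reports"] = sorted(net.accounts_in(sales_readers))
    return results


if __name__ == "__main__":
    for check, outcome in scenario().items():
        print(f"{check:45} {outcome}")
```

The HQ\Auditors check is the one that catches people: CORP trusts HQ and SALES trusts CORP, yet HQ accounts cannot be placed in a SALES local group, because the SALES to HQ trust was never created.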

VI. Network Security Settings

With the above in hand, the security management work itself can be summarized briefly.

First, decide how the NT network is divided into domains. There are four models: the single domain model, the single master domain model, the multiple master domain model, and the complete trust model. For a network with few users, no need for logical division, and a requirement for minimal administration, the single domain model is best: every server and workstation is in one domain, the distinction between local and global groups hardly matters, and there are no trust relationships to manage. It has drawbacks, however; as resources grow, browsing slows down with the number of servers. A large network with high security requirements should use a multi-domain model and divide the domains sensibly, for example by organizational department or by geographic location. When planning, keep the number of domains to a minimum: management complexity grows quickly with the number of domains (a complete trust model among n domains needs n(n-1) one-way trusts), and each added domain brings new problems. Every case in which users of one domain need resources in another requires its own trust relationship, so plan those trusts as part of the domain design.

Second, create groups (global and local) in each domain and place users with similar jobs, functions, or resource needs into them, then grant rights and permissions to the groups rather than to individuals. Groups simplify resource management because access can be controlled and assigned as a whole.

Finally, assign share permissions and NTFS permissions. Keep the scheme as simple as possible: assign permissions to groups rather than to single users, and avoid permissions on individual files unless there is a real need. Centralized permission management is far easier to maintain.

To make a directory available to several users, first share it. On a FAT volume the share permission is the only constraint available, and it works at the directory level, never per file. A directory on an NTFS volume takes the same share permissions as one on a FAT volume, but NTFS directories and files also carry their own permissions: the Security tab of the directory's properties sets finer-grained permissions on the directory, and the Security tab of each file restricts that file individually.

The share permission sets the ceiling for network access. If a share is set to Change, Change is the most any user can do through it over the network, even a user whose NTFS permission on the Security tab is Full Control. If the user's NTFS permission is lower than the share permission, say Read, the NTFS permission becomes the ceiling instead. In other words, the effective network access is the more restrictive of the two. A user with no NTFS permission on the directory at all cannot open it over the network, whatever the share permission says.

As a planning approach, the share permission is usually left at its default, Everyone with Full Control, and security is then applied as needed with directory and file permissions (NTFS volumes only). This only works when every shared directory lies on an NTFS volume and carries a deliberate permission set; a directory on a FAT volume can be restricted only by its share permission, so there the default would leave it open to everyone and the share permission must be tightened instead. A directory on an NTFS volume can be restricted both by the share permission and by permissions on the directory and on its individual files.
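The composition rule described in the preceding paragraphs is worth seeing executed: network access is the intersection of what the share permits and what the NTFS permission permits, a "No Access" entry anywhere in a user's groups overrides every grant, and on a FAT volume only the share permission counts. The following is an added example, not code from the original article: a Python model of NT 4.0 access evaluation using the RXWDPO task sets from Tables 1 to 3. The share, the ACL entries, and the users and groups (alice, bob, carol, dave, Finance, Auditors, Temps, Domain Admins) are constructed for illustration.

```python
"""Model of how Windows NT 4.0 combines share permissions with NTFS
permissions for a user coming in over the network.

Constructed example: the users, groups, share and ACL entries below are
invented to illustrate the rules in the article; the level-to-task table is
the standard NT 4.0 one (R read, X execute, W write, D delete, P change
permissions, O take ownership).
"""

ORDER = "RXWDPO"
ALL = frozenset(ORDER)

# Standard permission levels -> tasks granted.  None stands for the
# "No Access" level, which must be distinguishable from "granted nothing".
SHARE_LEVELS = {
    "No Access": None,
    "Read": frozenset("RX"),
    "Change": frozenset("RXWD"),
    "Full Control": ALL,
}
DIR_LEVELS = {
    "No Access": None,
    "List": frozenset("RX"),
    "Read": frozenset("RX"),
    "Add": frozenset("WX"),
    "Add & Read": frozenset("RWX"),
    "Change": frozenset("RXWD"),
    "Full Control": ALL,
}
FILE_LEVELS = SHARE_LEVELS   # file levels carry the same task sets as share levels


def effective_acl(acl, principals, levels):
    """Combine the ACL entries that name any of `principals`.

    NT 4.0 accumulates the tasks granted to the user and to every group the
    user belongs to, with one exception: a matching "No Access" entry
    overrides every grant.  No matching entry at all also means no access.
    """
    granted = set()
    for principal, level in acl:
        if principal not in principals:
            continue
        tasks = levels[level]
        if tasks is None:
            return frozenset()
        granted |= tasks
    return frozenset(granted)


def network_access(user, groups, share_acl, ntfs_acl=None, is_dir=True):
    """Tasks `user` can perform on a shared directory (or file) over the network.

    share_acl: [(principal, share level), ...]
    ntfs_acl:  [(principal, directory or file level), ...]; None for a FAT volume
    The share permission caps what the network path can deliver, the NTFS
    permission caps what the file system allows, and the user gets the
    intersection of the two.
    """
    principals = {user, "Everyone", *groups}
    via_share = effective_acl(share_acl, principals, SHARE_LEVELS)
    if ntfs_acl is None:
        # FAT: the share permission is the only control, and the two
        # NTFS-only tasks (change permissions, take ownership) do not exist.
        return via_share - frozenset("PO")
    levels = DIR_LEVELS if is_dir else FILE_LEVELS
    return via_share & effective_acl(ntfs_acl, principals, levels)


def describe(tasks):
    """Render a task set in the article's RXWDPO order, or 'No Access'."""
    return "".join(t for t in ORDER if t in tasks) or "No Access"


# Constructed scenario: share left at the NT default (Everyone: Full Control),
# security then applied with NTFS directory permissions, as the article advises.
DEFAULT_SHARE = [("Everyone", "Full Control")]
REPORTS_ACL = [
    ("Domain Admins", "Full Control"),
    ("Finance", "Change"),
    ("Auditors", "Read"),
    ("Temps", "No Access"),
]


def scenario():
    """Return a description -> effective-tasks table for the constructed scenario."""
    return {
        # Full Control share, Change on NTFS: NTFS caps the result at Change.
        "alice (Finance)": describe(
            network_access("alice", {"Finance"}, DEFAULT_SHARE, REPORTS_ACL)),
        # Member of Finance and Temps: the No Access entry wins.
        "bob (Finance, Temps)": describe(
            network_access("bob", {"Finance", "Temps"}, DEFAULT_SHARE, REPORTS_ACL)),
        # No NTFS entry names carol or her group: nothing is granted.
        "carol (Sales)": describe(
            network_access("carol", {"Sales"}, DEFAULT_SHARE, REPORTS_ACL)),
        # Share tightened to Read: even Domain Admins are capped at RX.
        "dave (Domain Admins), Read share": describe(
            network_access("dave", {"Domain Admins"}, [("Everyone", "Read")], REPORTS_ACL)),
        # The same default share on a FAT volume: everyone gets RXWD.
        "carol (Sales), FAT volume": describe(
            network_access("carol", {"Sales"}, DEFAULT_SHARE, None)),
    }


if __name__ == "__main__":
    for who, access in scenario().items():
        print(f"{who:35} {access}")
```

The last two rows are the ones to watch in practice: tightening the share permission silently caps even administrators, and a default share on a FAT volume gives every network user Change access because no NTFS permission exists to narrow it.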

VII. Conclusion

The information on a network is valuable and must be protected; the larger the network, the stricter the security requirements, and every user's data has to be kept safe. Windows NT 4.0 provides comprehensive, convenient and mature security management that keeps users without the right permissions away from resources while remaining transparent to legitimate users. It not only keeps unauthorized users out of the network but also keeps authorized users from doing what they should not, and so supports the efficient and secure operation of the whole network.
