64. Network security under Windows NT 4.0

Source: Internet
Author: User
Tags: file permissions, domain


In a networked multi-user environment, system security and permission settings are very important, and Windows NT 4.0 provides a successful security system for the network environment. From its initial release to the now widely used Windows NT 4.0, the security system of Windows NT has become increasingly mature and complete, but this also makes the allocation of permissions complex and hard for system administrators to grasp when building a network. The author has consulted a great deal of relevant material and, after repeated practice, offers a brief analysis and introduction here.

The network security of Windows NT 4.0 depends on three kinds of capability granted to a user or group:

• Rights: The authorization to perform a specific action on a system. Rights are normally assigned to built-in groups, but an administrator can also extend them to other groups and users.
• Shares: Folders that users can access over the network.
• Permissions: Access to file-system objects (directories and files) granted to users or groups.

I. Rights

Rights apply to system-wide objects and tasks; they are normally used to authorize users to perform certain system tasks. When a user logs on with an account that holds a certain right, the user can perform the task associated with that right.

The specific user rights are listed below:
· Access this computer from network: lets users access the computer over the network.
· Add workstations to domain: lets users add workstations to the domain.
· Back up files and directories: lets users make backups of the computer's files and directories.
· Change the system time: lets users set the computer's clock.
· Load and unload device drivers: lets users install and remove device drivers.
· Restore files and directories: lets users restore previously backed-up files and directories.
· Shut down the system: lets users shut the system down.
These rights have generally been assigned to built-in groups by the system and are rarely touched in routine maintenance, but administrators can extend them to other groups and users when needed.

II. Share permissions

Shares apply only to folders (directories): if a folder is not shared, nobody on the network can see it, let alone access it. The vast majority of servers on a network are used primarily to store files and directories for network users, and before network users can reach files and directories on an NT Server they must be shared. Share permissions set the highest level of access a shared directory can have over the network.

Table 1 lists the share permission levels from most restrictive to least restrictive.

Table 1 Share permissions

Permission level   User actions allowed
No Access          Prevents access to the directory and to the files and subdirectories within it
Read               View file and subdirectory names, enter subdirectories of the shared directory, view file data and run applications
Change             Everything Read allows, plus add files and subdirectories to the directory, change file data, delete files and subdirectories
Full Control       Everything Change allows, plus change permissions (NTFS volumes only) and take ownership (NTFS volumes only)

III. Permissions

Permissions apply to operations on specific objects such as directories and files (NTFS volumes only). They specify which users may use an object and how, for example by granting a specified user access to a directory. Permissions are divided into directory permissions and file permissions, and each permission level is a specific combination of the following tasks: Read (R), Execute (X), Write (W), Delete (D), Set permission (P) and Take ownership (O). Table 2 and Table 3 show how these tasks map onto the various permission levels.

Table 2 Directory permissions

Permission level   Flags (RXWDPO)   User actions allowed
No Access          (none)           Cannot access the directory
List               RX               View subdirectory and file names in the directory and enter its subdirectories
Read               RX               List permissions, plus read files in the directory and run applications in it
Add                XW               Add files and subdirectories to the directory
Add & Read         RXW              Read and Add permissions combined
Change             RXWD             Add & Read permissions, plus change file contents and delete files and subdirectories
Full Control       RXWDPO           Change permissions, plus change the permissions on the directory and take ownership of it

If you have execute (X) permissions on the directory, you can traverse the directory and enter its subdirectories.

Table 3 File permissions

Permission level   Flags (RXWDPO)   User actions allowed
No Access          (none)           Cannot access the file
Read               RX               Read the file and, if it is an application, run it
Change             RXWD             Read permissions, plus modify and delete the file
Full Control       RXWDPO           Change permissions, plus change the permissions on the file and take ownership of it

IV. Domains and trust relationships

The domain is the basic building block of the Windows NT Server 4.0 network security system, and the trust relationship is the basic relationship between domains in a complex NT network. In NT 4.0, domain trust relationships provide a flexible and convenient way to manage large or complex systems.

A domain is a group of computers that share one account database and a common security policy (in practice, any set of NT servers and workstations). At least one server in a domain is designated as the primary domain controller (PDC), and in most cases there are also one or more backup domain controllers (BDCs). The PDC maintains the central account database for all servers in the domain. The user account database can only be changed on the PDC; the changes are then sent automatically to the BDCs, each of which keeps a read-only copy of the database. If a serious fault stops the PDC from running, a BDC can be promoted to PDC so that the network keeps working normally.

In a network of two or more domains, each domain works as an independent network with its own account database. By default, domains do not communicate with each other; if some users in one domain need to access resources in another domain, a trust relationship must be established between the domains. A trust relationship opens a communication channel between the domains.

Domain A ───trusts───→ Domain B
(trusting domain)      (trusted domain)

Users in the trusted domain B can access resources in the trusting domain A.

A trust relationship can be bidirectional: if domain A trusts domain B and domain B trusts domain A, users in domain B can access resources in domain A and users in domain A can access resources in domain B.

V. User groups

A user group is a set of users with the same rights. Working with groups, an administrator can change the rights and permissions of every member in a single operation, which makes it easier to authorize many users to access network resources and simplifies network management and maintenance.

Windows NT supports two types of groups:

• Global groups: A global group contains user accounts from the domain in which it was created. Through trust relationships between domains, a global group can be granted rights and permissions to resources in other domains that trust its domain.
• Local groups: A local group can contain user accounts from its own domain and from trusted domains, and it can also contain global groups from its own domain and from trusted domains. A local group can only be granted rights and permissions to resources in the same domain as the group.

VI. Network security settings

With the above background in place, here is a brief analysis of the network security management work.

First, consider how the whole NT network is partitioned into domains. There are four models: the single domain model, the single master domain model, the multiple master domain model and the complete trust multiple master domain model. When there are not many users, no logical split is needed to manage the network, and management effort should be kept to a minimum, the single domain model is best. In this model all servers and workstations are in one domain, local and global groups coincide, and there are no trust relationships to manage. The model has drawbacks, however: performance declines as resources grow, and browsing slows down as the number of servers increases. If the network is large and needs a high degree of security, a multi-domain model should be used and the domains divided sensibly. Domains can be divided by various principles, for example by organizational department or by geographic location. When planning domains it is best to keep their number to a minimum, because the complexity of network management grows exponentially with the number of domains, and every additional domain introduces new problems and new difficulties. Trust relationships are then established between domains wherever users in one domain need to access resources in another.

Second, set up groups within each domain, both global and local, bringing together users who have similar jobs, similar resource access requirements or similar functions, and grant access to the group rather than to individuals. Groups simplify resource management because access can be controlled and distributed as a whole.

Finally, assign share permissions and permissions. When setting them, keep the system as simple to operate as possible: assign permissions to groups wherever you can rather than to individual users, and do not assign permissions file by file unless it is necessary. Centralized management of permissions simplifies management and maintenance.

A folder (directory) that is to be used by several users must first be shared. On a FAT volume the only restriction available is the share permission, and it applies at the directory level only (not the file level). A directory on an NTFS volume has the same share permissions as a directory on a FAT volume, but it can additionally be restricted with permissions: each directory has a Security property page that allows more detailed restrictions on the directory and on each file, and each file has its own Security property page as well.

Share permissions determine the maximum access a user can obtain to a resource over the network. For example, if the share permission is set to Change, the most a user can do over the network is Change: if the user obtains a higher level than Change through the Security property page (for example, Full Control), network access is still capped at Change; if the user obtains a lower level than Change through the Security property page (for example, Read), network access is limited to that lower level; and if the user obtains No Access through the Security property page, the user cannot access the directory over the network at all.

As a plan, it is common to leave the share permission at its default, that is, Everyone: Full Control, and then use directory or file permissions (NTFS volumes only) for security control according to specific needs.

Finally, directories on a FAT volume can only be restricted by share permissions, whereas directories on an NTFS volume are restricted both by share permissions and by permissions (files on NTFS volumes can be restricted by permissions as well).
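The following is an added worked example, not code from the original article: it encodes Tables 1 to 3 as R/X/W/D/P/O flag sets and applies the rule from this section that the share permission is the ceiling for network access, with NTFS permissions only able to narrow it. It also models the FAT case (share permission only) and, as an assumption consistent with the share-permission rule but not spelled out above, interactive access on the server itself, which is governed by NTFS permissions alone.

```python
# Added example: effective access under Windows NT 4.0, modelled from
# Tables 1-3 and the "share permission is the ceiling" rule of section VI.
# Level names and flags follow the article; the scenario values are constructed.

SHARE_LEVELS = {  # Table 1
    "No Access": frozenset(),
    "Read": frozenset("RX"),
    "Change": frozenset("RXWD"),
    "Full Control": frozenset("RXWDPO"),
}

DIRECTORY_LEVELS = {  # Table 2
    "No Access": frozenset(),
    "List": frozenset("RX"),
    "Read": frozenset("RX"),
    "Add": frozenset("XW"),
    "Add & Read": frozenset("RXW"),
    "Change": frozenset("RXWD"),
    "Full Control": frozenset("RXWDPO"),
}

FILE_LEVELS = {  # Table 3
    "No Access": frozenset(),
    "Read": frozenset("RX"),
    "Change": frozenset("RXWD"),
    "Full Control": frozenset("RXWDPO"),
}


def effective_network_access(share_level, ntfs_level=None, is_directory=True):
    """Flags a user gets when reaching the object through the share.

    ntfs_level=None models a FAT volume, where only share permissions exist.
    On NTFS the share caps access: the NTFS level can only narrow it, and
    No Access on either side (an empty set) yields no access at all."""
    granted = SHARE_LEVELS[share_level]
    if ntfs_level is None:
        return granted
    table = DIRECTORY_LEVELS if is_directory else FILE_LEVELS
    return granted & table[ntfs_level]


def effective_local_access(ntfs_level, is_directory=True):
    """Assumption: logging on at the server bypasses the share entirely,
    so only the NTFS permission applies (this is why an Everyone: Full
    Control share is still safe when NTFS permissions are restrictive)."""
    table = DIRECTORY_LEVELS if is_directory else FILE_LEVELS
    return table[ntfs_level]


def level_name(flags):
    """Name a flag set with the standard level names, or spell out the flags."""
    for name, level in SHARE_LEVELS.items():
        if level == flags:
            return name
    return "custom: " + "".join(f for f in "RXWDPO" if f in flags)
```

Note that the intersection of unrelated levels (for example share Read with directory Add) is not a named level; `level_name` reports the raw flags so the odd combination is visible rather than silently rounded.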

VII. Concluding remarks

The information on a network is valuable and must therefore be protected. The larger the network, the more stringent the security requirements, and the security of every user's data must be ensured. Windows NT 4.0 provides sophisticated, convenient and advanced security management tools that prevent users without the required permissions from accessing any resource, while keeping these security operations transparent: they keep unauthorized users out and stop authorized users from doing things they should not do, thereby ensuring the efficient and safe operation of the whole network system.
