Sixty-four. Network security under Windows NT 4.0
In a multi-user network environment, the system's security and permission settings are very important. Windows NT 4.0 provides a successful security and confidentiality system for the network environment. From its initial development to the widely used Windows NT 4.0, Windows NT has become increasingly mature and complete, but at the same time system administrators find it complex and difficult to master when building network environments and assigning permissions. The author has consulted a lot of relevant material and practiced repeatedly, so a brief analysis and introduction is given here.
The network security of Windows NT 4.0 depends on three capabilities granted to users or groups:
·Power: Authorization to complete specific actions on the system. Powers are generally assigned to the built-in groups by the system, but the administrator can also extend them to other groups and users.
·Share: A folder that users can use through the network.
·Permissions: File system capabilities that can be granted to users or groups.
1. Power
Power applies to operations on system-wide objects and tasks, and is usually used to authorize users to perform certain system tasks. When a user logs in with an account that holds a given power, the user can perform the tasks related to that power.
The following lists the specific powers of users:
·Access this computer from network: allows users to access the computer through the network.
·Add workstation to a domain: allows users to add workstations to the domain.
·Backup files and directories: authorizes users to back up the computer's files and directories.
·Change the system time: allows users to set the computer's system clock.
·Load and unload device drivers: allows users to install and delete device drivers on the network.
·Restore files and directories: allows users to restore previously backed-up files and directories.
·Shut down the system: allows users to shut down the system.
The above powers have generally already been granted to the built-in groups by the system, and are rarely touched in daily maintenance. Administrators can also extend them to other groups and users when a specific need arises.
2. Share permissions
Sharing applies only to folders (directories). If a folder is not shared, no user on the network can see it, let alone access it. Most servers on a network are mainly used to store files and directories that network users can access. To let network users access files and directories on an NT Server, the directories must first be shared. Share permissions establish the highest level of access to shared directories over the network.
Table 1 lists the share permissions from the most restrictive to the least restrictive.
Table 1 Share permissions
Share permission level    Allowed user actions
No Access                 No access to the directory; its files and subdirectories are prohibited
Read
Change
Full Control              The operations allowed by the "Change" permission, plus changing permissions (NTFS volumes only) and taking ownership (NTFS volumes only)
3. Permissions
Permissions apply to operations on specific objects such as directories and files (NTFS volumes only). They specify which users are allowed to use an object and how (for example, granting a specified user access to a directory). Permissions are divided into directory permissions and file permissions. Each permission level grants a specific combination of tasks: Read (R), Execute (X), Write (W), Delete (D), Set Permission (P), and Take Ownership (O). Tables 2 and 3 show how these tasks are associated with the various permission levels.
Table 2 Directory permissions
Permission level    Tasks (RXWDPO)    Description
No Access
List                RX                Can view the subdirectory and file names in the directory, and enter its subdirectories
Read                RX
Add                 XW
Add and Read        RXW
Change              RXWD
Full Control        RXWDPO            Has the permissions of Change, and can also change the permissions and take ownership of the directory
Having Execute (X) permission on a directory means you can traverse the directory and enter its subdirectories.
Table 3 File permissions
Permission level    Tasks (RXWDPO)    Description
No Access                             The user cannot access the file
Read                RX                The user can read the file and, if it is an application, run it
Change              RXWD              Has the permissions of Read, and can also modify and delete the file
Full Control        RXWDPO            Has the permissions of Change, and can also change permissions and take ownership of the file
4. Domain and delegation
The domain is the basic component of the Windows NT Server 4.0 network security system, and delegation (trust) is the basic relationship between domains in complex NT networks. In NT 4.0, the delegation relationship between domains provides a more flexible and simpler way to manage large or complex systems.
A domain is a group of computers that share a database and have a common security policy (loosely speaking, any group of NT servers and workstations). At least one server in a domain is designated as the primary domain controller (PDC), and the domain can (and in most cases should) also have one or more backup domain controllers (BDCs). A central account database is maintained within the domain for all servers. The user account database can only be changed on the PDC; the changes are then sent automatically to the BDCs, which keep a read-only backup of the user account database. If the PDC suffers a major failure and cannot run, a BDC can be promoted to PDC so that the network continues to work normally.
In a network consisting of two or more domains, each domain works as an independent network with its own account database. By default, domains cannot communicate with each other. If some users of one domain need to access resources in another domain, a delegation relationship between the domains must be established. The delegation relationship opens a communication channel between the domains.
Domain A  ───(entrusts)───→  Domain B
(Delegating Domain)          (Trusted Domain)
Users in trusted domain B can access resources in delegating (trusting) domain A.
The delegation relationship can be two-way, that is, Domain A delegates to Domain B and Domain B delegates to Domain A, so that users in Domain B can access resources in Domain A, and users in Domain A can access resources in Domain B.
5. User Group
A user group is a set of users with the same user rights. Organizing users into groups makes it possible to change the powers and permissions of the whole group in a single operation, so that multiple users can be authorized to access network resources more quickly and conveniently, which simplifies network management and maintenance.
Windows NT supports two types of groups:
·Global group: contains user accounts from the domain in which the global group was created. Through the delegation relationship between domains, a global group can be granted powers and permissions to resources in other delegating (trusting) domains.
·Local group: can contain user accounts from the domain where the group is located and from other trusted domains, and can also contain global groups from the domain where the group is located and from other trusted domains. A local group can only be granted powers and permissions to resources in the domain where the group is located.
6. Network security settings
With the above background understood, we now briefly analyze the security management of the network.
First, consider how to divide the whole NT network into domains. There are 4 specific models: the single domain model, the single master domain model, the multiple master domain model and the fully trusted multiple master domain model. For networks that do not have many users and do not need to be logically segmented for management, it is best to use the single domain model. In this model, all servers and workstations are in the same domain, local groups and global groups are the same thing, and there is no delegation relationship to manage. The model also has disadvantages: performance decreases as resources increase, and browsing slows down as the number of servers increases. If the network is large and requires high security, a multi-domain model should be used, with a reasonable division into domains. Several principles can be used to divide domains, such as by organizational department or by geographical location. When planning domains, it is best to keep the number of domains to a minimum, because the complexity of network management increases geometrically with the number of domains, and each added domain introduces new problems and creates new difficulties. Since some users in one domain will want to access resources in another domain, all possible delegation relationships need to be established.
Secondly, establish groups (both global groups and local groups) in the domain. Gather users who have similar job or resource access requirements and perform similar functions into a group, and authorize only the group. Groups simplify resource management because access can be controlled and allocated as a whole.
Finally, assign share permissions and permissions. When setting them, keep the operation of the system as simple as possible, and assign permissions to groups rather than to individual users wherever possible. Unless necessary, do not assign permissions file by file. Centralized management of permissions simplifies management and maintenance.
To give multiple users access to a folder (directory), you must first share it. On a FAT volume, constraints are added in the form of share permissions, but these constraints apply only at the directory level (not the file level). Directories on NTFS volumes have the same share permissions as those on FAT volumes, but they can also be restricted with permissions: each directory on an NTFS volume has a "Security" property page that allows more detailed restrictions, and each file can also be restricted through the "Security" property page of that file.
Share permissions determine the maximum access to a resource through the network. For example, if the share permission is set to Change, the highest access a user can have through the network is Change. If the permission the user obtains through the "Security" property page is higher than Change (such as Full Control), the user's highest access through the network is still Change; if it is lower than Change (such as Read), the user's access through the network is the permission level obtained through the "Security" property page; and if the user obtains no permission through the "Security" property page, the user cannot open or access the directory through the network.
As a general plan, leave the share permissions at the default setting, that is, Full Control for every user, and then use directory or file permissions for security control according to specific needs (applicable to NTFS volumes only).
Finally, to be clear, directories on FAT volumes can only be restricted through share permissions. Directories on NTFS volumes can be restricted through both share permissions and permissions (files on NTFS volumes can also be restricted).
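The rule described above (the share permission caps whatever the "Security" page grants, and a FAT directory has only its share permission) worked through in Python. This is an added example, not code from the original article; the function names, the sample share list and the mapping of share levels to task letters (borrowed from the same-named levels in Table 3) are assumptions.

```python
TASKS = "RXWDPO"  # Read, Execute, Write, Delete, set Permission, take Ownership

# Directory permission levels and their task sets, as listed in Table 2.
DIRECTORY_LEVELS = {
    "No Access": "", "List": "RX", "Read": "RX", "Add": "XW",
    "Add and Read": "RXW", "Change": "RXWD", "Full Control": "RXWDPO",
}
# Assumption: each share level carries the task set of the same-named
# level in Table 3 (Table 1 in the article lists no task letters).
SHARE_LEVELS = {"No Access": "", "Read": "RX", "Change": "RXWD",
                "Full Control": "RXWDPO"}


def effective_network_access(share_level, volume, ntfs_level=None):
    """Return the task letters a user ends up with over the network."""
    share = set(SHARE_LEVELS[share_level])
    if volume == "FAT":
        # FAT has no "Security" page: the share level is the only control,
        # and P/O apply to NTFS volumes only.
        allowed = share - set("PO")
    elif volume == "NTFS":
        # No permission on the "Security" page means no access at all;
        # otherwise the share level caps whatever NTFS grants.
        granted = set(DIRECTORY_LEVELS[ntfs_level]) if ntfs_level else set()
        allowed = share & granted
    else:
        raise ValueError(f"unknown volume type: {volume}")
    return "".join(t for t in TASKS if t in allowed)


def audit_shares(shares):
    """Flag FAT shares left at Full Control: nothing else restricts them."""
    return [name for name, volume, share_level in shares
            if volume == "FAT" and share_level == "Full Control"]


# Constructed sample inventory: (share name, volume type, share level).
SAMPLE_SHARES = [
    ("reports", "NTFS", "Full Control"),
    ("scratch", "FAT", "Full Control"),
    ("public", "FAT", "Read"),
]

if __name__ == "__main__":
    print(effective_network_access("Change", "NTFS", "Full Control"))
    print(effective_network_access("Change", "NTFS", "Read"))
    print(audit_shares(SAMPLE_SHARES))
```

Leaving shares at the default Full Control is only safe where NTFS permissions do the restricting, which is why the audit singles out FAT volumes.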
7. Conclusion
Information on the network is valuable and must be protected. The larger the network, the stricter the security requirements, and the data of every user must be kept safe. Windows NT 4.0 provides very complete, convenient and advanced security management methods, which can ensure that users without specific permissions cannot access any resources. At the same time, these security operations are transparent: they not only keep unauthorized users out, but also prevent authorized users from doing what they should not do, thus ensuring the efficient, safe and normal operation of the entire network system.