switchport Security


Monday, December 24, 2007

Server Management in Windows.Server.2008 ServerCore - Part 3

Well, you've just finished installing ServerCore (I did 3 days ago with RC1, x86...huhuh) and what's the next thing to do?

We customize.

What's in here?
-Creating Local Users on Server Core
-Creating Local Groups on Server Core
-Permissions management in ServerCore


Creating Local Users on Server Core
As of now, I have no idea why you'd want to create a plain user account on ServerCore, aside from the fact that you'll use that account for day-to-day normal use on the server and use "runas" when you need to administer something on the server.


C:\>net user /?
The syntax of this command is:

NET USER
[username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
username [/TIMES:{times | ALL}]


Example: creating an account named Polly Ester, whose logon id is polly, which is enabled and required to change its password when she logs on to the machine, and who is the administrator's wife. (net user takes the expiry date without spaces; use commas or slashes between the parts.)

net user Polly * /add /active:yes /comment:"Added account for messing up my life" /expires:aug,8,2008 /fullname:"Polly Ester" /passwordchg:yes

Creating Groups on Server Core
We talked about users. Now, let's look at groups. Groups are a very handy way to ease access management to resources. Instead of adding each user to a resource, group the users together, add the group to the resource, and apply the permissions to the group.

C:\>net localgroup /?
The syntax of this command is:

NET LOCALGROUP
[groupname [/COMMENT:"text"]] [/DOMAIN]
groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
groupname name [...] {/ADD | /DELETE} [/DOMAIN]

Example: Add Buster from the MISNET domain and local user Polly to the localgroup Unfair in the server's local database.

net localgroup Unfair misnet\Buster Polly /add



Permissions management in ServerCore
Now that we know how to add users and groups, how can we add users or groups to resources to control their access permissions?

There are many access control models, but I'll describe three: Role-based, Mandatory, and Discretionary access control.

Role-based Access Control
This one is easy to distinguish and to use when assigning permissions to users or groups: permissions are granted to a group whose name describes its role.

For example, if we have a Contributors role, its members can almost certainly upload content to either a file server or a collaboration server. If the name is Viewer, it seems they only have read-only permissions.

Mandatory Access Control
Windows Vista and Windows Server 2008 are Class B-ready operating systems based on the Rainbow Series specification. It's an old, defunct standard, but I guess they'll be advertising it for CC standards.

Note: Fun read ---> http://www4.osnews.com/comments/17788

Note: Fun read but nothing about MAC ---> http://cgi.galion.lib.oh.us/instruction/windows/versions.htm


C:\Users\administrator>whoami /all

USER INFORMATION
----------------

User Name                     SID
============================= =============================================
misnet-rodc-2k8\administrator S-1-5-21-2944278768-2424685623-3432543248-500


GROUP INFORMATION
-----------------

Group Name                            Type             SID          Attributes
===================================== ================ ============ ===============================================================
Everyone                              Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                         Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE              Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users      Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization        Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                 Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication      Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group

Mandatory Label\High Mandatory Level  Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled



Notice the ones highlighted in yellow? Correct, those only appear on Vista and Server 2008. The Mandatory Label entry gives you an idea of what the Mandatory Access Control level of the user is. For administrators, MAC works by having them run as plain users. They still get elevation confirmation through Consent.exe - this is what runs UAC.

I haven't encountered a version of UAC for the CLI, by the way. Well, runas works fine for me. It seems that when you install an application as an administrator, you can install it right away. But I'm using a workgroup-joined machine. So, what happens when you join it to the domain?

Hmm? :)

Note: S-1-16-12288 is the mandatory integrity label for the Administrator, or administrator-level accounts. Converted to hex, 12288 is 0x3000. The 0x4000 value corresponds to the System (process) level. System files have no MIL of their own, and as such they default to the user (Medium) integrity label of 0x2000.
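The integrity label and the privilege list are the two things in that whoami output an auditor actually wants to pull out, so here is an added Python example (mine, not from the post) that parses whoami /all text into a structure, decodes the S-1-16-<rid> label into its hex level the way the note above does, and flags which sensitive privileges are in the token even while they show as Disabled. SAMPLE is an abridged copy of the output above; the function names and the INTEGRITY_LEVELS and SENSITIVE_PRIVILEGES tables are my own choices.

```python
import re

# Mandatory integrity levels keyed by the RID of the S-1-16-<rid> label SID.
# 12288 == 0x3000 (High) is the label in the output above; 0x4000 is System
# and 0x2000 (Medium) is what unlabelled objects get.
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x3000: "High",
    0x4000: "System",
}

# Privileges worth flagging even while "Disabled": they are still in the token,
# so any process running under it can re-enable them.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeLoadDriverPrivilege", "SeImpersonatePrivilege",
    "SeTcbPrivilege", "SeAssignPrimaryTokenPrivilege",
}

# Only "one or more spaces" separates columns, so the patterns work on the
# aligned console output and on copy-pasted text where the padding collapsed.
USER_RE = re.compile(r"^(?P<name>\S+)\s+(?P<sid>S-1-[\d-]+)$")
GROUP_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<type>Well-known group|Alias|Label|Unknown SID type|Group)"
    r"\s+(?P<sid>S-1-[\d-]+)\s*(?P<attrs>.*)$"
)
PRIV_RE = re.compile(r"^(?P<name>Se\w+Privilege)\s+(?P<desc>.+?)\s+(?P<state>Enabled|Disabled)$")


def parse_whoami(text):
    """Turn `whoami /all` output into a dict of user, groups and privileges."""
    token = {"user": None, "user_sid": None, "groups": [], "privileges": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "=-":      # blank lines and rule lines
            continue
        m = PRIV_RE.match(line)
        if m:
            token["privileges"][m["name"]] = m["state"]
            continue
        m = GROUP_RE.match(line)
        if m:
            token["groups"].append((m["name"], m["type"], m["sid"], m["attrs"]))
            continue
        m = USER_RE.match(line)
        if m and token["user"] is None:
            token["user"], token["user_sid"] = m["name"], m["sid"]
    return token


def integrity_level(token):
    """Return (rid, hex string, level name) for the S-1-16-<rid> label, or None."""
    for _name, _type, sid, _attrs in token["groups"]:
        if sid.startswith("S-1-16-"):
            rid = int(sid.rsplit("-", 1)[1])
            return rid, f"0x{rid:04X}", INTEGRITY_LEVELS.get(rid, "Unknown")
    return None


def enabled_privileges(token):
    """Privileges currently enabled in the token, sorted by name."""
    return sorted(p for p, state in token["privileges"].items() if state == "Enabled")


def sensitive_privileges(token):
    """Sensitive privileges present in the token, with their current state."""
    return {p: s for p, s in token["privileges"].items() if p in SENSITIVE_PRIVILEGES}


# Abridged copy of the whoami /all output shown above, used as sample input.
SAMPLE = r"""
USER INFORMATION
----------------

User Name SID
misnet-rodc-2k8\administrator S-1-5-21-2944278768-2424685623-3432543248-500

GROUP INFORMATION
-----------------

Group Name Type SID Attributes
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeBackupPrivilege Back up files and directories Disabled
SeDebugPrivilege Debug programs Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
"""

if __name__ == "__main__":
    tok = parse_whoami(SAMPLE)
    print("user:", tok["user"], tok["user_sid"])
    print("integrity:", integrity_level(tok))
    print("enabled:", enabled_privileges(tok))
    print("sensitive:", sensitive_privileges(tok))
```

Run against a saved `whoami /all > token.txt` instead of SAMPLE to get the same summary for a real account; a High or System label on an everyday account, or SeDebugPrivilege sitting in a non-admin token, is the kind of finding the script is meant to surface.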


[Side_Note]
My friend who works for GeekSquad told me about folder names you can't actually use in the system.

I was very puzzled.

This turns out to be part of Windows itself. The names com1, con, lpt1, nul, prn, and others are reserved by the operating system to refer to devices, so a program that opens one of those names gets the device, not a file.

Try this trick.

[Open up the cmd prompt]

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>md con
The directory name is invalid. <-- This is the error you get.

C:\Users\Administrator>md .\con\
<-- Sweet!


[Try browsing it.]

C:\>cd con
The system cannot find the path specified.

C:\>cd C:\con
The system cannot find the path specified.

C:\>cd C:\con
The system cannot find the path specified.

C:\>cd .\con\
The directory name is invalid.

Now, browse the folder using Windows Explorer. ^___^

Solves your problem.

And it's a safe way to protect your files even from people who connect to your computer through administrative shares but just not through remoting.
[/Side_Note]
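The rule that makes md con fail above is the same one application code has to enforce whenever it accepts file or folder names from users: a name like con.txt never lands on disk, it resolves to the console device, and a path built from it misbehaves the way the transcript shows. Here is an added Python example (mine, not from the post) that implements the check for the classic reserved list (CON, PRN, AUX, NUL, COM1-9, LPT1-9) with the Win32 case, extension and trailing-dot rules; the function names are my own. The check is deliberately conservative, which is the safe direction for input validation.

```python
import re

# Device names Win32 reserves in every directory, the list the side note above
# talks about: CON, PRN, AUX, NUL, COM1-COM9 and LPT1-LPT9.
RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_name(component):
    """True if a single path component names a DOS device.

    Win32 ignores case, strips trailing dots and spaces, and treats "con.txt"
    (everything before the first dot) exactly like "con", so the check does too.
    """
    stem = component.rstrip(" .").split(".", 1)[0]
    return stem.upper() in RESERVED_NAMES


def has_reserved_component(path):
    """True if any directory or file name in a path is a reserved device name."""
    return any(is_reserved_name(part) for part in re.split(r"[\\/]", path) if part)


def safe_filename(name):
    """Return a name that can never resolve to a device: reserved stems get an
    underscore prefix, which also defeats the extension rule ("_con.txt")."""
    return "_" + name if is_reserved_name(name) else name


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real system.
    for candidate in ["report.txt", "con", "CON.txt", "com1.log", "com10", "console", "nul "]:
        print(f"{candidate!r:14} reserved={is_reserved_name(candidate)!s:5} -> {safe_filename(candidate)!r}")
    print(has_reserved_component(r"C:\Users\Administrator\con\notes.txt"))
```

Apply `safe_filename` (or reject on `is_reserved_name`) to every user-supplied component before it reaches the filesystem, and run `has_reserved_component` on whole paths that come from outside, including archive entries.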

Discretionary Access Control
Woohoo!!!

I really wasn't able to wait to get to this one. I felt like it was an eternity.

It's referred to as Discretionary because you - the one controlling everything - get to give what permissions users or groups need. Ain't that fun?

And how exactly are we gonna go about this matter?

Simple. Use iCacls.



-Jaeson
