|
|
Philadelphia Computer Tech Support
|
|
|
01 - 02 - 03 - 04 - 05 - 06 - 07 - 08 - 09 - 10 -
11 - 12 - 13 - 14 - 15 - 16 - 17 - 18 - 19 - 20 -
Administrators group should be kept to a bare minimum precisely because they do have so much power. Ideally, people who are in the
Administrators group should also have another account that they use normally. They should use the account in the Administrators group
only when they need to perform these functions.
• Configure system parameters such as password policy and audit functions.
• Install Service Packs and Hotfixes.
• Upgrade the operating system.
• Install hardware drivers.
• Install system services.
Users Group
The Users group is the most restrictive group available in Windows 2000. The default security settings prevent members of the Users
group from modifying machine-wide registry settings, program files, and operating system files. Members of the Users group are also
prevented from installing applications that can be run by other members of the Users group.
Power Users Group
The Power Users group in Windows 2000 has more system access than the Users group but less system access than the Administrators
group. Power Users can install applications to a Windows 2000 system as long as the application does not need to install any system
services. Only the Administrators group can add system services. Power Users can also modify system-wide settings such as Power
Configuration, Shares, Printers, and System Time. However, Power Users cannot access other users’ data that is stored on NTFS
partitions. Power Users can add user accounts, but they cannot modify or delete any account they did not create, nor can they add
themselves to the Administrators group. Power Users can create local groups and remove users from local groups they have created.
The Power Users group has much power on a system, and in Windows 2000 it is also backward compatible to the default security
settings for the Users group in Windows NT 4.0.
Configuring Security During Windows 2000 Setup
The default security settings for Windows 2000 are put in place during the beginning of the GUI-mode portion of setup if the
installation is a clean install or if it is an upgrade from a Windows 95 or Windows 98 system. However, if the upgrade is being
performed on an existing Windows NT system, the existing security settings are not modified. Of course, for file system settings to be
applied you must be using NTFS and not the FAT file system. To see the security settings that are applied during Windows 2000 setup,
go to %windir%\Inf and locate these files:
• defltdc.inf—Domain Controller security settings
• defltsv.inf—Server security settings
• defltwk.inf—Professional security settings
Each of these files contains all the default security settings that are applied to the system, depending on the type of system that is being
installed. Be warned that it does look cryptic, so you may not be able to make sense out of the settings. Here is a small portion of the
security settings from the defltsv.inf file:
01 - 02 - 03 - 04 - 05 - 06 - 07 - 08 - 09 - 10 -
11 - 12 - 13 - 14 - 15 - 16 - 17 - 18 - 19 - 20 -
|
|
|
|
|
|
|
|
| |
|
|
|