
1a Windows Basics

This document provides an overview of basic Windows concepts including permissions and rights, accounts, groups, and domains, trees, and forests. Permissions and rights control what users can do on a system. Accounts represent user identities and there are different types including local and centralized accounts. Groups are collections of accounts that can be assigned permissions. A domain contains network resources that share administration, a tree links related domains, and a forest combines related trees.

Windows basics

25 October 2018

Summary

■ Permissions & rights
■ Accounts
■ Groups
■ Domains, trees & forests

Permissions & rights

■ A right is the ability to perform an action
  ► Rights include the ability to log on to a computer, print to a printer, open a file, or create a user account
■ Default rights: automatically assigned by the operating system. They include the ability to log on and run certain programs

Permissions & rights

■ A policy is a collection of rights assigned to a user or computer
  ► Through policies, administrators can control the allocation of rights

Permissions & rights

■ A permission is a type of right
■ Permissions allow or deny access to a particular object. Objects include files, folders, and printers. Permissions also include the ability to modify and delete objects
  ► e.g. to edit a document, a user needs to be able to access it and to modify it

Permissions & rights

■ Permissions also include the ability to execute an object, usually an application file
  ► For example: you allow one group of users to execute a certain application, but deny access to another group of users

Permissions & rights

■ Folders have special permissions such as list and create. Without these permissions a user cannot view files in a folder or create new files in that folder

Permissions & rights

■ Windows rights
  ► Windows rights are assigned using group policy.
  ► Group policies can be assigned on the domain level, the LAN level, and to specific collections of users on the basis of their organizational unit

Permissions & rights

■ Windows rights (continued)
  ► Windows allows multiple users and groups to be assigned different permissions to an object. This list of permissions is known as an ACL (Access Control List).
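
An added example (not part of the original slides) that builds such an ACL in PowerShell: it allows the built-in Users group to list a scratch folder, execute files in it and create files, denies the built-in Guests group, then prints the resulting entries. The folder path is an assumption; the two groups are referenced by their well-known SIDs.

```powershell
# Added example: build an ACL on a scratch folder and read it back.
$folder = Join-Path $env:TEMP 'acl-demo'          # scratch path (assumption)
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Well-known SIDs, used instead of names so the script also works on localized systems.
$users  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'  # BUILTIN\Users
$guests = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-546'  # BUILTIN\Guests

# Apply each entry to the folder itself, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$acl = Get-Acl -Path $folder

# Allow: list the folder, read and execute files, create new files.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'ReadAndExecute, CreateFiles', $inherit, $prop, 'Allow')))

# Deny: no listing, reading or executing for Guests.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $guests, 'ReadAndExecute', $inherit, $prop, 'Deny')))

Set-Acl -Path $folder -AclObject $acl

# Each row is one entry of the ACL: who, allow or deny, which permissions.
(Get-Acl -Path $folder).Access |
    Sort-Object AccessControlType |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Entries with `IsInherited` set to `True` come from the parent folder; the two added here are explicit.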

Accounts

■ An account represents an individual identity to the operating system
■ There are several account types
  ► User accounts: assigned to people
  ► System accounts: assigned to services
  ► Computer accounts: assigned to computers

Accounts

■ Individual accounts can be assigned rights, though it is good practice to assign rights to groups and then add user accounts to the group.
■ The list of accounts is known as the account database

Accounts

■ Local accounts
  ► A local account is stored in a single computer's account database (%systemroot%\system32\config\SAM and SYSTEM)
  ► A local account can only be assigned rights on the computer which hosts it
  ► Local accounts are managed by a local administrator
    • A local administrator can assign rights on the local machine to a centralized account

Accounts

■ Centralized accounts
  ► Centralized accounts are located in databases such as Active Directory (%SystemRoot%\NTDS\ntds.dit file)
  ► A centralized account can be assigned rights to any resource located within the domain
  ► Centralized accounts are managed by centralized administrators
    • A centralized administrator cannot assign rights on the local computer unless they have also been assigned local administrator rights on the computer

Accounts

■ Password caching
  ► Centralized users authenticate themselves on a Domain Controller (DC) using LM/NTLM/NTLMv2/Kerberos. However, the DC sometimes goes offline or the network cable is unplugged; in this situation, the Local Security Authority System Service (LSASS) uses password cache entries from the registry to perform offline logon
  ► It may be possible to use tools such as cachedump in order to obtain cached credentials (not in cleartext though!)
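
An added example (not part of the original slides) that reports how many domain logons this computer is configured to cache, read from the `CachedLogonsCount` value under the Winlogon registry key. The function name and the default limit of 4 are assumptions chosen for illustration.

```powershell
# Added example: report the cached-logon setting that makes offline logon possible.
function Get-CachedLogonPolicy {
    param(
        [int]$MaxAllowed = 4   # assumed local hardening limit, not taken from the slides
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount

    # The value is stored as a string; when it is absent Windows falls back to 10.
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }

    [pscustomobject]@{
        CachedLogonsCount = $count
        OfflineLogon      = ($count -gt 0)      # 0 disables logon without a reachable DC
        WithinLimit       = ($count -le $MaxAllowed)
    }
}

Get-CachedLogonPolicy
```

Lowering the value reduces how many cached entries exist on the machine, at the cost of users being unable to log on when no Domain Controller is reachable.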

Accounts

■ Privileged accounts
  ► Local System
    • It is a predefined local account used by the service control manager.
    • It has the highest privileges on the local machine (even more than an Administrator)
  ► Local administrator
  ► Domain administrator

Groups

■ Groups are collections of accounts
■ Some built-in groups have special rights assigned to them
  ► e.g. any user that is a member of the Administrators group on Windows Server 2003 has Administrator rights
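
An added example (not part of the original slides) that audits membership of the built-in Administrators group on the local computer, separating local accounts from centralized ones and user accounts added directly from groups. It relies on the `Get-LocalGroupMember` cmdlet that ships with Windows PowerShell 5.1; the function name and output fields are assumptions.

```powershell
# Added example: list who holds local administrator rights on this computer.
# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
function Get-LocalAdminReport {
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    foreach ($m in $members) {
        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass        # User or Group
            Source      = $m.PrincipalSource    # Local, ActiveDirectory, ...
            # Local accounts live in this computer's own account database;
            # any other source is a centralized account.
            Centralized = ($m.PrincipalSource -ne 'Local')
            # Users added directly, rather than through a group, are harder
            # to review and revoke.
            DirectUser  = ($m.ObjectClass -eq 'User')
        }
    }
}

Get-LocalAdminReport |
    Sort-Object Centralized, Name |
    Format-Table -AutoSize
```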

Groups

■ Windows groups
  ► Domain Local Group. Used to assign rights and permissions to a group of users within a domain. Only visible to one domain.
  ► Global Groups. Visible to all domains in the forest, can only contain users from one domain.
  ► Universal Groups. Visible to all domains in the forest. Can contain users from any domain in the forest.

Domains, trees & forests

■ What is a domain?
  ► A domain contains a group of network resources (computers, printers, etc.) that can be accessed and administered with a common set of rules
  ► One server, known as the primary domain controller, manages the master user database for the domain

Domains, trees & forests

■ What is a tree?
  ► A tree is a group of domains that have the same DNS name; for example, abc.com (the top domain), sales.abc.com and support.abc.com (the child domains)
■ What is a forest?
  ► A forest is a collection of trees, which can be treated as one administrative unit
