Tivoli SecureWay Security Manager Supplement for Microsoft Windows 2000 Version 3.7



Tivoli SecureWay Security Manager Supplement for Windows 2000 (October, 2000)

Copyright Notice

Copyright IBM Corporation 2000. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished as is without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose. U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.

Trademarks

IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, AS/400, Cross-Site, NetView, OS/2, OS/390, OS/400, Policy Director, RACF, RS/6000, SecureWay, S/390, Tivoli Certified, Tivoli Enterprise, Tivoli Ready, and TME are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or both. Lotus is a registered trademark of Lotus Development Corporation. Microsoft, Windows, Windows NT, Windows 2000, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Novell, NetWare, NetWare Directory Services, and NDS are trademarks of Novell, Inc. Other company, product, and service names may be trademarks or service marks of others.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.

Contents

Preface ... vii
  Who Should Read This Guide ... vii
  Prerequisite and Related Documents ... vii
  What This Guide Contains ... vii
  Conventions Used in This Guide ... viii
  Platform-specific Information ... ix
  Icons ... ix
  Accessing Publications Online ... x
  Ordering Publications ... x
  Providing Feedback about Publications ... xi
  Contacting Customer Support ... xi

Chapter 1. Introduction ... 1
  Why Manage Windows 2000 Security Information from Tivoli? ... 2
  Tivoli SecureWay Security Manager and Native Security ... 2
  Windows 2000 Native Mode and Mixed Mode Domains ... 3
  Security Management and User Administration ... 5

Chapter 2. Installing ... 7
  Software Requirements ... 8
  Hardware Requirements ... 8
  Installing with Tivoli Software Installation Service ... 8
  Installing Tivoli SecureWay Security Manager for Windows 2000 ... 9
    Desktop ... 9
    Command Line ... 12

Chapter 3. Adding Security Records ... 13
  Creating a Group Record ... 14
    General Considerations ... 14
    Defining Windows 2000-specific Group Attributes ... 15
      Specifying a Windows 2000-specific Group Name ... 15
      Assigning Windows 2000 SAM Group Names ... 16
      Assigning Windows 2000 Users to a Group Record ... 17
      Setting Access Times ... 18
    Command Line Examples ... 20
  Creating a Resource Record ... 20
    Permissions and Inheritance in Windows 2000 ... 21
    Defining Resource Attributes ... 23
      Creating a Windows 2000 Resource Record ... 24
      Setting Default Access Permissions and Permission Inheritance ... 26
      Setting Network Access Permissions ... 27
      Setting Default Access Audit Permissions and Permission Inheritance ... 29
      Setting Shared Directory Properties ... 30
    Command Line Examples ... 31
  Creating a Role Record ... 32
    General Considerations ... 33
    Windows 2000-specific Role Attributes ... 33
      Specifying a Windows 2000-specific Role Name ... 34
      Assigning a SAM Logon Name ... 35
      Defining a Windows 2000 Group List ... 35
      Defining a Windows 2000 Resource Access List ... 36
      Setting Windows 2000 Resource Access Rights ... 37
      Defining a Windows 2000 TME Resource Access List ... 39
      Setting Windows 2000 TME Resource Access Rights ... 40
      Auditing Windows 2000 Resource Access ... 42
      Auditing Windows 2000 TME Resource Access ... 43
    Command Line Examples ... 45

Chapter 4. Populating and Distributing Security Profiles ... 47
  Populating from a Windows 2000 Endpoint ... 47
    Populating Group Records ... 47
    Populating Role Records ... 48
    Populating Resource Records ... 50
  Distributing to a Windows 2000 Endpoint ... 52

Appendix A. Resource Types ... 55
  Windows 2000 Resource Type Attribute Support ... 55
  Resource Access Permissions ... 56
    DIRECTORY ... 57
    FILE ... 59
    REGISTRY ... 60
    PRINTER ... 62
    SHARE ... 63

Appendix B. Attributes ... 65
  Profile Level Attributes ... 65
  Group Attributes ... 66
  Resource Attributes ... 67
  Role Attributes ... 72

Appendix C. Messages ... 75

Index ... 77

Preface

Tivoli SecureWay Security Manager for Windows 2000 provides centralized role-based security administration for Windows 2000 endpoints.

Who Should Read This Guide

The target audience for this guide is system administrators who are responsible for maintaining security in a Windows 2000 environment. Users of the guide should have some knowledge of:
  Basic security principles
  The Microsoft Windows 2000 operating system

Prerequisite and Related Documents

The following book is a prerequisite for this guide:
  Tivoli SecureWay Security Manager User's Guide

The following books are related to this guide:
  Tivoli Management Framework User's Guide
  Tivoli Management Framework Planning and Installation Guide
  Tivoli Management Framework Reference Manual

What This Guide Contains

This guide contains the following sections:
  Introduction provides an overview of Tivoli SecureWay Security Manager for Windows 2000 and defines its main components.
  Installing describes how to install the product from the Tivoli desktop and from the command line.
  Adding Security Records describes how to add security records using Tivoli SecureWay Security Manager for Windows 2000.
  Populating and Distributing Security Profiles describes how to populate and distribute user profiles from and to the Windows 2000 endpoint.
  Resource Types describes the resource types supported by Tivoli SecureWay Security Manager for Windows 2000.
  Attributes describes the attributes of the wcrtsec and wmodsec commands related to the Windows 2000 endpoints.
  Messages describes the error messages issued by Tivoli SecureWay Security Manager for Windows 2000.

Conventions Used in This Guide

The guide uses several typeface conventions for special terms and actions. These conventions have the following meaning:
  Bold: Commands, keywords, file names, authorization roles, URLs, or other information that you must use literally appear in bold. Names of windows, dialogs, and other controls also appear in bold.
  Italics: Variables and values that you must provide appear in italics. Words and phrases that are emphasized also appear in italics.
  Monospace: Code examples, output, and system messages appear in a monospace font.

This guide uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows NT command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths.

Note: When using the bash shell on a Windows NT system, you can use the UNIX conventions.

Many procedures in this guide include icons in the left margin. These icons provide context for performing a step within a procedure. For example, if you start a procedure by double-clicking on a policy region icon, that icon appears in the left margin next to the first step. If the fourth step of the procedure instructs you to open another icon, that icon appears in the left margin next to the fourth step.

Platform-specific Information

For a list of the supported platform versions, see the Tivoli SecureWay Security Manager User's Guide. For more detailed and up-to-date information, see the Tivoli SecureWay Security Manager Release Notes.

Icons

The following icons represent security resources:
  security profile
  system policy records
  group records
  resource records
  role records

Security profile resources are created in the context of a profile manager. After initial distribution of a user or group profile, the profile icon appears in the view dialog of subscribers.

Accessing Publications Online

The Tivoli Customer Support Web site (http://www.tivoli.com/support/) offers a guide to support services (the Customer Support Handbook); frequently asked questions (FAQs); and technical information, including release notes, user's guides, redbooks, and white papers. You can access Tivoli publications online at http://www.tivoli.com/support/documents/. The documentation for some products is available in PDF and HTML formats. Translated documents are also available for some products. To access most of the documentation, you need an ID and a password. To obtain an ID for use on the support Web site, go to http://www.tivoli.com/support/getting/. Resellers should refer to http://www.tivoli.com/support/smb/index.html for more information about obtaining Tivoli technical documentation and support. Business Partners should refer to Ordering Publications for more information about obtaining Tivoli technical documentation.

Ordering Publications

Order Tivoli publications online at http://www.tivoli.com/support/prodman/html/pub_order.html or by calling one of the following telephone numbers:
  U.S. customers: (800) 879-2755
  Canadian customers: (800) 426-4968

Providing Feedback about Publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:
  Send e-mail to pubs@tivoli.com.
  Fill out our customer feedback survey at http://www.tivoli.com/support/survey/.

Contacting Customer Support

If you need support for this or any Tivoli product, contact Tivoli Customer Support in one of the following ways:
  Submit a problem management record (PMR) electronically from our Web site at http://www.tivoli.com/support/reporting/. For information about obtaining support through the Tivoli Customer Support Web site, go to http://www.tivoli.com/support/getting/.
  Submit a PMR electronically through the IBMLink system. For information about IBMLink registration and access, refer to the IBM Web page at http://www.ibmlink.ibm.com.
  Send e-mail to support@tivoli.com.
  Customers in the U.S. can call 1-800-TIVOLI8 (1-800-848-6548).
  Customers outside the U.S. should refer to the Tivoli Customer Support Web site at http://www.tivoli.com/support/locations.html for customer support telephone numbers.

When you contact Tivoli Customer Support, be prepared to provide the customer number for your company so that support personnel can assist you more readily.


Chapter 1. Introduction

Tivoli SecureWay Security Manager provides you with a single point of control for managing Windows 2000, Windows NT, UNIX, NetWare, OS/2, OS/400, and OS/390 security information. When you add Tivoli SecureWay Security Manager for Windows 2000 to your installation, you add the ability to manage, create, modify, and delete security information for Windows 2000 endpoints from a single, common interface (either graphical or command line). Tivoli SecureWay Security Manager for Windows 2000 upgrades Tivoli's security management product to include new dialog options as well as new attributes that allow you to manage Windows 2000 security data.

Tivoli SecureWay Security Manager provides role-based distributed client/server security management that integrates, exploits, and extends the functionality of the Tivoli systems management disciplines and existing system and application-specific security products. The Tivoli Management Agent (TMA) serves as a communication vehicle to endpoints on a variety of platforms (Windows 2000, Windows NT, UNIX, NetWare, OS/2, OS/400, and OS/390) and allows you to populate security information from and distribute security information to those endpoints.

See Chapter 1 of the Tivoli SecureWay Security Manager User's Guide for information about the following:
  Tivoli SecureWay Security Manager and its features
  The concepts of system policy, group, resource, and role
  The integration with Tivoli Distributed Monitoring and Tivoli Enterprise Console
  The authorization roles
  The notification group

Why Manage Windows 2000 Security Information from Tivoli?

Currently, to manage Windows 2000 security information, you or your administrator must log on to a Windows 2000 system. While this in itself is not a problem, it is limiting. When you are logged onto a system, you are limited to managing the security information associated with that operating system type. In addition, to manage Windows 2000 security, you or your administrator must be an expert in all aspects of Windows 2000 security information. This effort ties up valuable resources.

After you have installed Tivoli SecureWay Security Manager into your existing Tivoli installation, you can manage Windows 2000, Windows NT, UNIX, NetWare, OS/2, OS/400, and OS/390 security information from a single location. This reduces the number of user interfaces you must learn in order to secure your business. In addition, the administrator managing your security information does not need to be an expert on any of the platforms; Tivoli Framework and Tivoli SecureWay Security Manager provide this expertise. While you will need an expert system administrator to set up specific aspects of your security installation, you no longer need this expert to perform the daily tasks of security management.

Tivoli SecureWay Security Manager and Native Security

The following diagram illustrates the relationship between Tivoli SecureWay Security Manager and the security systems on some of the supported endpoint types.

The security profile contains the definitions of all groups, resources, roles, and system-wide policies, each of which is stored in its own type of record. Records are stored in a system-independent format that allows profile records to be distributed across an enterprise that contains many different system types.

Windows 2000 Native Mode and Mixed Mode Domains

Windows 2000 domains can operate in either native mode or mixed mode. In native mode, all domain controllers must run Windows 2000 servers. Clients and member servers can still be running previous versions of Windows such as Windows NT, Windows 98, or Windows 95. In mixed mode, Windows NT 4.0 domain controllers may be present in the domain, along with clients and member servers still running previous versions of Windows such as Windows NT, Windows 98, or Windows 95. Mixed mode is the default mode when a domain is created.

This first release of the Tivoli SecureWay Security Manager for Windows 2000 endpoint supports mixed mode constraints only. Tivoli SecureWay Security Manager for Windows 2000 runs in native mode Windows 2000 domains, but follows the mixed mode rules.

A native-mode domain provides all Windows 2000 group features, which include:
  Universal groups available as security groups and distribution groups
  Full group nesting
  Conversion between security groups and distribution groups
  Conversion of global groups and domain local groups to universal groups

A mixed mode domain imposes the following conditions:
  Global security groups can contain only user accounts.
  Domain local security groups can contain other global groups and user accounts.
  Universal security groups cannot be created.
  Universal distribution groups can be created.
  Only distribution groups can be nested.
  No conversion of scope or type is allowed.

Tivoli SecureWay Security Manager will not support distribution groups in the first release of the Windows 2000 endpoint. Also, it will not provide system policy support using group policy objects in native mode. Tivoli SecureWay Security Manager will support local and global groups and follow mixed mode domain rules for group membership. It will map TME group records to Active Directory global groups, and will map TME role records to Active Directory domain local groups on domain controllers and to local SAM groups on servers and workstations. This mapping will continue until native mode support is provided in a future release of the Tivoli SecureWay Security Manager for Windows 2000 endpoint.

Security Management and User Administration

Tivoli SecureWay Security Manager is integrated with Tivoli Framework and Tivoli SecureWay User Administration. Installing Tivoli SecureWay User Administration helps simplify the process of adding users to a security group, but the product is not required. In environments where Tivoli User Administration is installed, the Tivoli users defined in profiles are available as potential members of a security group's member list. To add a member to a security group from the desktop, you select the user profile in which the potential member is defined and double-click on the user's name.

Adding users to a user profile creates a situation in which the order in which the user and security profiles are distributed is important. A user profile containing a new user must be distributed before the security profile that contains the group with which the user is associated.
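Because the product follows the mixed mode membership rules even in a native mode domain, an administrator preparing group and role records benefits from checking a proposed membership change against those rules before distributing the profile. The validator below is an added example written for this page, not code from Tivoli SecureWay Security Manager; the Domain and Group classes, the group scopes and types, and every user and group name are constructed assumptions standing in for the real directory.

```python
# Added example, not Tivoli product code: encode the mixed mode domain group
# rules listed in the supplement and check proposed group operations against
# them. The Domain/Group model and all names are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

SCOPES = {"global", "domain_local", "universal"}
KINDS = {"security", "distribution"}


@dataclass
class Group:
    name: str
    scope: str            # "global", "domain_local" or "universal"
    kind: str             # "security" or "distribution"
    members: Set[str] = field(default_factory=set)


@dataclass
class Domain:
    mode: str = "mixed"   # mixed mode is the default when a domain is created
    users: Set[str] = field(default_factory=set)
    groups: Dict[str, Group] = field(default_factory=dict)


def can_create(domain: Domain, group: Group) -> Optional[str]:
    """Return None if the group may be created, otherwise the blocking rule."""
    if group.scope not in SCOPES or group.kind not in KINDS:
        return "unknown group scope or type"
    if domain.mode == "mixed" and group.scope == "universal" and group.kind == "security":
        return "universal security groups cannot be created in a mixed mode domain"
    return None


def can_add_member(domain: Domain, group: Group, member: str) -> Optional[str]:
    """Return None if `member` may be added to `group`, otherwise the blocking rule.

    Mixed mode rules encoded:
      - global security groups can contain only user accounts
      - domain local security groups can contain global groups and user accounts
      - only distribution groups can be nested (contain other groups)
    Native mode allows full group nesting, so nothing is blocked there.
    """
    is_user = member in domain.users
    nested = domain.groups.get(member)
    if not is_user and nested is None:
        return f"{member!r} is neither a known user nor a known group"
    if domain.mode != "mixed" or is_user:
        return None
    if group.kind == "distribution":
        return None                      # distribution groups may be nested
    if group.scope == "global":
        return "global security groups can contain only user accounts"
    if group.scope == "domain_local" and nested.scope == "global":
        return None
    return "only distribution groups can be nested in a mixed mode domain"


def can_convert(domain: Domain, group: Group,
                new_scope: Optional[str] = None,
                new_kind: Optional[str] = None) -> Optional[str]:
    """Scope/type conversion is a native mode feature only."""
    if domain.mode == "mixed":
        return "no conversion of scope or type is allowed in a mixed mode domain"
    if (new_scope or group.scope) not in SCOPES or (new_kind or group.kind) not in KINDS:
        return "unknown group scope or type"
    return None


def apply_membership(domain: Domain, group: Group, member: str) -> bool:
    """Add the member only when the rules allow it; return whether it was added."""
    if can_add_member(domain, group, member) is None:
        group.members.add(member)
        return True
    return False


if __name__ == "__main__":
    d = Domain(users={"alice", "bob"})
    g_ops = Group("g_ops", "global", "security")
    dl_admins = Group("dl_admins", "domain_local", "security")
    d.groups.update({g_ops.name: g_ops, dl_admins.name: dl_admins})
    print(apply_membership(d, g_ops, "alice"))      # user into global group: allowed
    print(can_add_member(d, dl_admins, "g_ops"))    # global group into domain local: allowed
    print(can_add_member(d, g_ops, "dl_admins"))    # group into global security group: blocked
```

The functions return the blocking rule as text rather than raising, so a profile pre-check can collect every violation for a batch of records and report them together before anything is sent to the endpoint.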


Chapter 2. Installing

Tivoli SecureWay Security Manager for Windows 2000 contains the following major components that are installed separately:
  Tivoli SecureWay Security Manager for Windows 2000, Version 3.7, Server: This product must be installed on all Windows 2000 TMRs and managed nodes from which you manage Windows 2000 gateways and endpoints.
  Tivoli SecureWay Security Manager for Windows 2000, Version 3.7, Gateway: This product must be installed on systems that will serve as a gateway to endpoints. When you distribute to, or populate from, an endpoint, the files that are required for that type of endpoint are sent from the gateway to the endpoint.

Before attempting to install Tivoli SecureWay Security Manager for Windows 2000, make certain that you read the following sections:
  Software Requirements on page 8
  Hardware Requirements on page 8

In addition, you should read the Tivoli SecureWay Security Manager Release Notes. The release notes include any changes to the installation procedure as well as solutions to known problems.

Software Requirements

You must have the following products installed before attempting to install Tivoli SecureWay Security Manager for Windows 2000:
  Tivoli Management Framework, Version 3.6.3
  Tivoli SecureWay Security Manager, Version 3.7

Hardware Requirements

For information about the hardware requirements for this application, see the Tivoli SecureWay Security Manager Release Notes.

Installing with Tivoli Software Installation Service

Tivoli Software Installation Service (SIS) is a product that can install multiple Tivoli products on multiple systems in parallel. This Java-based product can, therefore, install more products on more systems in much less time than the Framework's install facility. SIS performs product prerequisite checks and, if defined, user-specified prerequisite checks, ensuring as few install failures as possible. In most cases, failures now occur only when machines are turned off or removed from the network.

SIS also creates an install repository (IR) into which you can import the installation image of one or more Tivoli products. You can import only those interpreter types needed in your environment, which saves you disk space and import time. The IR is then the source of all your Tivoli installations. You can even share a single IR across multiple TMRs.

Tivoli recommends you upgrade the Framework install facility in your current Tivoli installation by installing SIS. If you are installing Tivoli for the first time, install SIS on the first managed node running an SIS-supported operating system. Once installed, you should use SIS to install other Tivoli products. See the Tivoli Software Installation Service User's Guide for instructions on how to install SIS in your Tivoli installation and how to install products using SIS.

Installing Tivoli SecureWay Security Manager for Windows 2000

You can install the Tivoli SecureWay Security Manager components from either the Tivoli desktop or the command line.

Desktop

Use the following steps to install the Tivoli SecureWay Security Manager components from the Tivoli desktop:

1. Select the Install -> Install Product... option from the Desktop menu to display the Install Product dialog.

2. If the product you want to install is not already displayed, click the Select Media... button to display the File Browser dialog. The File Browser dialog enables you to identify or specify the path to the installation media.

   If you already know the path to the CD-ROM image:
   a. Enter the full path in the Path Name field.
   b. Click the Set Path button to change to the specified directory.
   c. Click the Set Media & Close button to save the new media path and return to the Install Product dialog. The dialog now contains the product that is available for installation.

   If you do not know the exact path to the CD-ROM image:
   a. From the Hosts scrolling list, choose the host on which the install media is mounted. Choosing a host updates the Directories scrolling list.
   b. From the Directories scrolling list, choose the directory containing the install media.
   c. Click the Set Media & Close button to save the new media path and return to the Install Product dialog. The dialog now contains the product that is available for installation.

3. From the Select Product to Install scrolling list, select one of the following:
   Tivoli SecureWay Security Manager for Windows 2000, Version 3.7, Server: Must be installed on the TMR servers and managed nodes.
   Tivoli SecureWay Security Manager for Windows 2000, Version 3.7, Gateway: Must be installed on all the machines that will serve as a gateway for the Windows 2000 endpoints that you want to manage.

4. To specify the TMR servers or gateways on which you want to install the selected component, use the arrow keys to move the machine names between the Clients to Install On scrolling list and the Available Clients scrolling list.

5. Click the Install button to begin the component installation. The installation process prompts you with a Product Install dialog. This dialog provides the list of operations that will take place during the installation process. It also warns you of any problems that you may want to correct before you install the component.

6. Click the Continue Install button to begin the installation process and display the Product Install status dialog. The Product Install status dialog presents status information as the installation proceeds. When the installation is complete, the Product Install dialog returns a completion message.

7. Click the Close button to close the dialog.

8. Repeat steps 3 through 7 on page 11 until you have installed the Tivoli SecureWay Security Manager components on all the machines where you have to install them.

Command Line

The following example command installs the Tivoli SecureWay Security Manager components. See the Tivoli Framework Reference Manual for more information about the winstall command.

   winstall -c cdrom_dir -i comp_name node1 node2

where:
   -c cdrom_dir
      Specifies the path to the CD-ROM image.
   -i comp_name
      Specifies the index file from which the Tivoli SecureWay Security Manager component is installed. The comp_name argument can be any of the following:
      SECW2K.IND
         Installs the Tivoli Server install pack.
      SECW2KGW.IND
         Installs the Tivoli Gateway install pack.
   node1 node2
      Specifies the names of the TMR servers or gateways to install the component on. If no machine is specified, the installation runs on all the clients of the current region.

3 Adding Security Records

After you have installed Tivoli SecureWay Security Manager for Windows 2000, you can work with the security profiles as described in the Tivoli SecureWay Security Manager User's Guide. Most of the procedures described in that guide are also valid when you manage security profiles for Windows 2000 endpoints. This chapter describes managing security profiles for Windows 2000 endpoints, and it lists general considerations that can be useful in managing these profiles.

Group, resource, and role record types are supported. System policy records are not supported in the current release of the Tivoli SecureWay Security Manager for Windows 2000 endpoint.

The following procedures are described in this chapter:
   Creating a group record
   Creating a resource record
   Creating a role record

See Populating from a Windows 2000 Endpoint on page 47 and Distributing to a Windows 2000 Endpoint on page 52 for information about populating and distributing security profiles.

Creating a Group Record

Tivoli SecureWay Security Manager groups map to global groups in a Windows 2000 Active Directory. Windows 2000 global groups can only be created on Windows 2000 domain controllers.

The procedures described here for creating a group record are similar to the procedures described in Chapter 5 of the Tivoli SecureWay Security Manager User's Guide. This section lists general considerations about creating a group record for a Windows 2000 endpoint, and it describes Windows 2000-specific Tivoli SecureWay Security Manager GUI group record actions and subactions, which correspond to Windows 2000-specific Tivoli SecureWay Security Manager CLI command attributes. This section also provides examples of using the command attributes from the CLI. For additional information and definitions of command attributes, see Attributes on page 65.

General Considerations

Before creating a group record for a Windows 2000 endpoint, consider the following:

   Global groups are stored in Active Directory and replicated to domain controllers within a domain. To avoid data collisions and unnecessary replication of group records, Tivoli SecureWay Security Manager requires you to specify the domain and domain controller where Active Directory updates should occur.

   Distinguished names identify where global groups are created in Active Directory. Tivoli SecureWay Security Manager requires the canonical name format for global groups, for example:

      secw2k/tivoli/group1

   Note: Tivoli SecureWay Security Manager does not create container objects. Therefore, the container secw2k/tivoli must exist in Active Directory before group1 can be created.

   The down-level SAM account name of a global group should contain fewer than 20 characters and must be unique within a domain.
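The following Python checks are an added example, not code from the Tivoli manual or the product: they apply the considerations above to a batch of group records before distribution (canonical name format, the container must already exist because Security Manager does not create container objects, and the SAM account name must fit the 20-character limit and be unique within the domain). The inventory of existing containers and the sample records are constructed for the example, and comparing SAM names case-insensitively is an assumption.

```python
"""Pre-distribution checks for Windows 2000 group records (added example,
not the Tivoli manual's code; see the lead-in for assumptions)."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

SAM_MAX_LEN = 20  # limit stated in this chapter


def split_canonical(name: str) -> Tuple[str, str, str]:
    """Split 'domain/container/.../cn' into (domain, container path, cn).

    Raises ValueError if the value is not in canonical name format."""
    parts = name.strip().split("/")
    if len(parts) < 2 or any(p == "" for p in parts):
        raise ValueError(f"not a canonical name: {name!r}")
    domain, *containers, cn = parts
    return domain, "/".join([domain, *containers]), cn


def default_sam_name(canonical: str) -> str:
    """W2KSamName default: the common name, truncated to 20 characters."""
    return split_canonical(canonical)[2][:SAM_MAX_LEN]


def check_groups(requests: Iterable[Tuple[str, Optional[str]]],
                 existing_containers: Set[str]) -> Dict[str, List[str]]:
    """Validate (W2KName, W2KSamName or None) pairs before distribution.

    Returns W2KName -> list of problems; an empty list means the record passed."""
    results: Dict[str, List[str]] = {}
    seen: Dict[Tuple[str, str], str] = {}  # (domain, sam lower-cased) -> W2KName
    for canonical, sam in requests:
        problems: List[str] = []
        try:
            domain, container, cn = split_canonical(canonical)
        except ValueError as err:
            results[canonical] = [str(err)]
            continue
        # Security Manager does not create container objects, so the
        # container must already exist in Active Directory.
        if container not in existing_containers:
            problems.append(f"container {container} does not exist")
        sam = sam or cn  # default SAM name is the common name
        if len(sam) > SAM_MAX_LEN:
            problems.append(f"SAM name {sam!r} exceeds {SAM_MAX_LEN} characters "
                            f"and would be truncated to {sam[:SAM_MAX_LEN]!r}")
            sam = sam[:SAM_MAX_LEN]
        # Assumption: SAM names compare case-insensitively within a domain.
        key = (domain.lower(), sam.lower())
        if key in seen:
            problems.append(f"SAM name {sam!r} is already used by {seen[key]}")
        else:
            seen[key] = canonical
        results[canonical] = problems
    return results


# Constructed sample inventory and records for the secw2k.com domain
EXISTING_CONTAINERS = {"secw2k.com/users", "secw2k.com/tivoli", "secw2k.com/dev"}
SAMPLE_REQUESTS = [
    ("secw2k.com/tivoli/ThisIsAGroup", None),   # passes
    ("secw2k.com/dev/Staff", "thisisagroup"),    # SAM name collides with above
    ("secw2k.com/finance/Payroll", None),        # container missing
    ("secw2k.com/users/" + "A" * 25, None),      # SAM name would be truncated
    ("ThisIsAGroup", None),                      # not a canonical name
]


def run_sample() -> Dict[str, List[str]]:
    return check_groups(SAMPLE_REQUESTS, EXISTING_CONTAINERS)


if __name__ == "__main__":
    for name, problems in run_sample().items():
        print(name, "->", "; ".join(problems) or "ok")
```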

Defining Windows 2000-specific Group Attributes

When you create a security record, you specify values for the attributes that define the record. From the graphical user interface (GUI), you set attribute values by clicking choices and entering data in text fields as described in the following sections of this chapter. The GUI dialog that displays the records of a particular record type for a profile also displays the attribute values for each record. From the command line interface (CLI), you set attribute values as described in Attributes on page 65.

In addition to the general group attributes, you can use the following GUI subactions to define Windows 2000-specific group attributes, which are listed in parentheses:
   Group Names (W2KName)
   W2K Special Group Names (W2KSamName)
   W2K User List (W2KUserMembers)
   W2K Login Times (W2KLoginTimes)

Notes:
1. Users assigned to a group must be in canonical name format.
2. Group names must be in canonical name format.

Specifying a Windows 2000-specific Group Name

To specify a Windows 2000-specific group name different from the value entered in the Group Name field in the Group Record Properties dialog, perform the following steps:

1. When you click Add Record in a Security Group Records dialog, the Group Record Properties dialog is displayed.
2. If it is not already displayed, select Edit Group Names from the Actions option list to display the Group Names group box.
3. Enter a group name in canonical format in the W2K field. Canonical format is shown in the following example:

      secw2k.com/users/thisisagroup

Assigning Windows 2000 SAM Group Names

To assign a logon name that will support clients and servers from previous versions of Microsoft Windows operating systems, perform the following steps in the Group Record Properties dialog:

1. Select Edit Group Names from the Actions option list.
2. Select the W2K Special Group Names attribute in the subaction list. The W2K Special Group Names group box is displayed.
3. Enter a logon name that contains no more than 20 characters and that is unique within the domain. If a longer name is entered, it will be truncated.
   Note: If a SAM name is not specified, the common name of the W2KName distinguished name is used. For example, if the distinguished group name is secw2k.com/users/thisisagroup, the common name is ThisIsAGroup.
4. Click the Create or the Save button (depending on whether you are creating a new record or editing an existing record) to add the SAM name to the record.

Assigning Windows 2000 Users to a Group Record

To assign Windows 2000 users to a group record, perform the following steps in the Group Record Properties dialog:
1. Select Edit Member List from the Actions option list.
2. Select the W2K User List attribute. The W2K User List group box is displayed.

3. Select an endpoint from the Endpoints subaction list. The users defined for that endpoint are displayed in the Available Users list.
4. Double-click a user or login name to add the selected user to the group record you are defining. The distinguished name is displayed in the Selected Users list. You can also select a user name and click the right-arrow button to move users to the Selected Users list.
   Notes:
   a. The buttons and type-in field below the Available Users list provide options for browsing, selecting all, clearing selections, and searching.
   b. The buttons and type-in field below the Selected Users list provide options for adding a typed-in distinguished user name in canonical format, and for deleting names selected from the list.
5. Repeat steps 3 and 4 until you have listed the Tivoli-defined users that are to be members of the group record.

Setting Access Times

Tivoli SecureWay Security Manager allows you to define when logins are allowed for group members. You can allow users to log in on any day and at any time, or you can restrict the access times to specific days and time spans. Access times must be specified in 24-hour notation.

To set access times, perform the following steps in the Group Record Properties dialog:
1. Select Edit Login Time Restrictions from the Actions list.

2. Select W2K Login Times from the subaction list to display the W2K Login Times group box.
3. Click the days on which users can access the resources defined in the resource record. The procedure for setting global access time restrictions is the same. You can select one or more days of the week as well as the following buttons:
   All Days
      Enables users to access the resources on any day.
   Week Days
      Enables users to access the resources on Monday, Tuesday, Wednesday, Thursday, and Friday.
   Clear
      Disables logins on all days. This option is frequently used to cancel previous selections.
4. Select the times at which the resource can be accessed. To allow access at all hours, click the Anytime check box. Otherwise, select the times from the Start Time and Stop Time pop-up menus.
   For terminal resources, specify the time offset and direction of the terminal relative to the processor to which it is attached. You need only perform this step if the terminal is not in the same time zone as the processor, and you are also specifying access time restrictions to limit access to the terminal to specific time periods. If you do not specify a direction from the Direction pop-up menu, then any values you select from the hours and minutes pop-up menus will be ignored.

Note: Use the wcrtsec and wmodsec commands to specify minutes that cannot be selected from the pop-up menu.

Command Line Examples

This section provides examples of how to set W2K attributes for a group record:

1. The following example creates a group called ThisIsAGroup in Active Directory in the Tivoli organizational unit in the secw2k.com domain, and assigns Tim Martin and Fred Durkin as user members. Fred Durkin is in the built-in Users folder of the secw2k.com domain, and Tim Martin is in the Dev organizational unit of the secw2k.com domain. The example also sets the login time restrictions to weekdays at any time, and provides an informational description of the group.

      wcrtsec Group -s W2KName="secw2k.com/tivoli/thisisagroup" \
         -s W2KUserMembers="secw2k.com/dev/tim Martin, secw2k.com/users/fred Durkin" \
         -s W2KLoginTimes="days(weekdays) time(anytime)" \
         -s Description="This is a global group" \
         -s W2KSamName=ThisIsAGroup @sp ThisIsAGroup

   Note: The path to the group record (secw2k.com/tivoli) must exist at the endpoint when distributing. The user members Tim Martin and Fred Durkin must also exist at the endpoint when distributing.

2. The following example creates a group named Staff in the Dev organizational unit of the microsoft.com domain, and assigns a user member from a user profile named Ed Smothers.

      wmodsec Group -s W2KName="microsoft.com/dev/staff" \
         -s TMEUserMembers="up:ed Smothers" \
         -s W2KSamName=Staff @sp Staff

Creating a Resource Record

The procedures described here for creating a resource record are similar to the procedures described in Chapter 5 of the Tivoli SecureWay Security Manager User's Guide. This section lists considerations about creating various types of resource records for a Windows 2000 endpoint, and it describes Tivoli SecureWay Security Manager GUI actions and subactions, which correspond to Tivoli SecureWay Security Manager CLI command attributes. This section also provides examples of using the command attributes from the CLI. For additional information and definitions of command attributes, see Attributes on page 65.

Permissions and Inheritance in Windows 2000

Windows 2000 improves file system security primarily by enabling finer-grained control over permissions, and by providing more flexible propagation and blocking features. Now you can grant or deny access for any permission. As before, explicitly granting a permission to a user gives them the authorization to perform the actions associated with that permission. The Windows 2000 improvement is that you can explicitly deny a permission to a user, thereby actively revoking the authorization to perform the actions associated with that permission.

Permissions still propagate down through the directory tree by default. In Windows NT 4, the only way to block inheritance of permissions from a higher-level folder was to assign different permissions to the object. In Windows 2000, you can block this inheritance of permission settings by setting a flag on a child object.

Resources of type DIRECTORY, FILE, REGISTRY, and PRINTER support finer-grained control over permissions, and the new Windows 2000 improvements in propagation and blocking features. Resources of type SHARE support finer-grained control over permissions, but do not support inheritance of permissions.

For a listing of the permissions and apply flags available for each resource type supported in Tivoli SecureWay Security Manager for Windows 2000, see Resource Types on page 55.

Setting Permissions and Inheritance in the GUI

In the Tivoli SecureWay Security Manager for Windows 2000 GUI, you can set permissions to Allow or Deny access by clicking checkboxes in the Allow and Deny columns for each permission. If the object is a container object such as a DIRECTORY, you can specify which child objects inherit these permissions by setting apply flags from a pull-down list. For example, the GUI apply flags for the DIRECTORY resource type are:
   Files only
   Subfolders and files only
   Subfolders only
   This folder and files
   This folder and subfolders
   This folder only (The Recurse check box unchecks itself if this flag is selected.)
   This folder, subfolders, and files

The default apply flag is to apply permissions to the container object itself. When applying permissions to child objects, if you leave the Recurse check box unchecked, inherited permissions are applied only to child objects in the container. If you check the Recurse check box, permissions are recursed through the directory tree to other containers and their children.

When defining DIRECTORY, FILE, and REGISTRY resource records, you can accept or block inheritance of permissions from a parent object by checking or unchecking the Allow inheritable permissions from parent to propagate to this object checkbox.

Setting Permissions and Inheritance in the CLI

In the Tivoli SecureWay Security Manager for Windows 2000 CLI, denied permissions are prepended with the x symbol. For example, xread or xr means deny read, whereas Read or R means allow read. If you do not specify the recurse flag, the permissions apply to objects and containers within the current container only. If you specify the recurse flag, the permissions recurse the directory tree based on the apply flags. You can set the InheritPerms and InheritAuditPerms attributes to T or F to accept or deny inheritance from a parent object (if not specified, the default is T).

For a listing of the permissions and CLI apply flags available for each resource type supported in Tivoli SecureWay Security Manager for Windows 2000, see Resource Types on page 55.
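To make the CLI conventions above concrete, here is an added Python parser (not the product's code) for the value syntax that DefAccess and ResAccessAudit take in this chapter's CLI examples. It applies the x-prefix deny rule, the two restrictions on recurse noted in this section (recurse requires apply, and is invalid when apply names the container only), and maps each apply set to the GUI apply-flag label listed above. The abbreviations w (write) and d (delete) are assumed for illustration; only r and x appear on this page.

```python
"""Parser for the DefAccess / ResAccessAudit value syntax on this page, e.g.
    perms(r,xw) apply(folder,subfolders,files) recurse
Added example, not the product's code; see the lead-in for assumptions."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set

# Only r (read) and x (execute) appear in this chapter; w and d are assumed
# abbreviations for illustration. The full list per resource type is in the
# manual's Resource Types section.
PERMS = {"r": "read", "read": "read", "x": "execute", "execute": "execute",
         "w": "write", "write": "write", "d": "delete", "delete": "delete"}
APPLY_TARGETS = {"folder", "subfolders", "files"}
# CLI apply sets and the GUI apply-flag label each one corresponds to
GUI_APPLY_LABELS = {
    frozenset({"folder"}): "This folder only",
    frozenset({"files"}): "Files only",
    frozenset({"subfolders"}): "Subfolders only",
    frozenset({"subfolders", "files"}): "Subfolders and files only",
    frozenset({"folder", "files"}): "This folder and files",
    frozenset({"folder", "subfolders"}): "This folder and subfolders",
    frozenset({"folder", "subfolders", "files"}): "This folder, subfolders, and files",
}
_TOKEN = re.compile(r"(success|failure)\b|(perms|apply)\s*\(([^)]*)\)|\b(recurse)\b",
                    re.IGNORECASE)


@dataclass
class AccessSpec:
    allow: Set[str] = field(default_factory=set)
    deny: Set[str] = field(default_factory=set)
    apply: FrozenSet[str] = frozenset({"folder"})  # default: the container itself
    recurse: bool = False
    audit: Optional[str] = None  # "Success" or "Failure" in ResAccessAudit values

    def gui_apply_label(self) -> str:
        return GUI_APPLY_LABELS[self.apply]


def parse_access_spec(text: str) -> AccessSpec:
    """Parse one attribute value; raise ValueError on a syntax or rule violation."""
    spec, apply_given, pos = AccessSpec(), False, 0
    for m in _TOKEN.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError(f"unexpected text {text[pos:m.start()].strip()!r}")
        pos = m.end()
        if m.group(1):                                  # Success / Failure
            spec.audit = m.group(1).capitalize()
        elif m.group(2):                                # perms(...) / apply(...)
            items = [i.strip().lower() for i in m.group(3).split(",") if i.strip()]
            if m.group(2).lower() == "perms":
                for item in items:
                    if item in PERMS:                            # r, read, x ...
                        spec.allow.add(PERMS[item])
                    elif item[:1] == "x" and item[1:] in PERMS:  # xr, xread ...
                        spec.deny.add(PERMS[item[1:]])
                    else:
                        raise ValueError(f"unknown permission {item!r}")
            else:
                if not items or set(items) - APPLY_TARGETS:
                    raise ValueError(f"invalid apply targets in {m.group(0)!r}")
                spec.apply, apply_given = frozenset(items), True
        else:                                           # recurse
            spec.recurse = True
    if text[pos:].strip():
        raise ValueError(f"unexpected text {text[pos:].strip()!r}")
    if spec.recurse and not apply_given:
        raise ValueError("recurse is not valid unless used with apply")
    if spec.recurse and spec.apply == frozenset({"folder"}):
        raise ValueError("recurse is not valid when applied to the container only")
    return spec


def is_valid_spec(text: str) -> bool:
    """True when the value parses and satisfies the recurse/apply rules."""
    try:
        parse_access_spec(text)
        return True
    except ValueError:
        return False
```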

No Access on the DefAccess attribute in Tivoli SecureWay Security Manager for Windows 2000 removes the Everyone group from the discretionary access control list (DACL) of the object. This enables an administrator to remove the Everyone group from the DACL and still allow other groups access to the resource. Tivoli SecureWay Security Manager for Windows 2000 does not allow you to deny No Access.

Notes:
1. The recurse keyword is not valid unless used with the apply keyword.
2. The recurse keyword is not valid if applied to the container object only. The following example is invalid:

      apply(folder) recurse

Defining Resource Attributes

In addition to the general attributes described in Chapter 5 of the Tivoli SecureWay Security Manager User's Guide, you can use the following GUI fields, subactions, and checkboxes to define Windows 2000 resource attributes, which are listed in parentheses:
   Resource Name (Name)
   Description (Description)
   Default Access (DefAccess)
   Inherit Parent Access Permissions (InheritPerms)
   Interactive Access (IacAccess)
   Network Access (NwAccess)
   Operating System Access (SysAccess)
   Authenticated Users Access (AuAccess)
   Creator Owner Access (CoAccess)
   Access Audit Control (ResAccessAudit)
   Inherit Parent Audit Permissions (InheritAuditPerms)
   Interactive Access Audit Control (IacAccessAudit)
   Network Access Audit Control (NwAccessAudit)
   Operating System Access Audit Control (SysAccessAudit)
   Authenticated Users Access Audit Control (AuAccessAudit)
   Creator Owner Access Audit Control (CoAccessAudit)
   Share Path (SharePath)
   User Limit (UserLimit)

Notes:
1. When you specify the name of a FILE or DIRECTORY resource record, use a fully qualified path (<drive>:<\path\object>) as shown in the following example:

      C:\security\pwfile

2. When you define special groups for resource types that support the apply and recurse options, you can set these options for each special group.

Creating a Windows 2000 Resource Record

Perform the following steps to specify the resource name, description, and resource type for a Windows 2000 resource record:

1. When you click Add Record in a Security Resource Records dialog, the Resource Record Properties dialog is displayed.
2. Select W2K from the EndPoint Type pull-down menu.
3. If it is not already displayed, select Edit Resource Type from the Actions option list to display the Resource Type group box.
4. Click DIRECTORY to select the resource type.
5. Enter a fully qualified Windows 2000 directory name in the Resource Name field.
6. Enter a description of the resource in the Description field.

Setting Default Access Permissions and Permission Inheritance

The default access permissions for the resources defined in a resource record are applied when a user attempts to access a resource but the role access permissions for that user do not explicitly allow it. To set the default access permissions for a resource record, perform the following steps in the Resource Record Properties dialog:
1. Select Edit Default Access from the Actions option list.
2. Click Default Access in the subaction list to display the Resource Default Access group box.
   Note: The file system options and default access permissions that are displayed depend on the selected resource type. See Resource Types on page 55 for a list of the options and access rights supported for each resource type.

3. Click the Allow or Deny column for each access right that you want to set for the resource.
4. To apply the selected access rights to all children of the resource, click the Recurse Subdirectories checkbox and select how you want to apply permissions from the Apply Access Permissions pull-down list.
   Note: The Recurse Subdirectories checkbox unchecks itself if you select This folder only from the Apply Access Permissions pull-down list. This is true of all resource types that support recurse, if you apply to the container object only.
5. Click the Allow inheritable permissions from parent to propagate to this object checkbox to accept inheritance from a parent object.

Setting Network Access Permissions

To set the network access permissions for a resource record, perform the following steps in the Resource Record Properties dialog:
1. Select Edit Default Access from the Actions option list.

2. Click Network Access in the subaction list to display the Resource Network Access group box.
   Note: The file system options and default access permissions that are displayed depend on the selected resource type. See Resource Types on page 55 for a list of the options and access rights supported for each resource type.
3. Click the Allow or Deny column for each access right that you want to set for the resource.
4. To apply the selected access rights to all children of the resource, click the Recurse Subdirectories checkbox and select how you want to apply permissions from the Apply Access Permissions pull-down list.
   Note: The Recurse Subdirectories checkbox unchecks itself if you select This folder only from the Apply Access Permissions pull-down list. This is true of all resource types that support recurse, if you apply to the container object only.

Setting Default Access Audit Permissions and Permission Inheritance

To set the default access audit permissions for a resource record, perform the following steps in the Resource Record Properties dialog:
1. Select Edit Audit Control from the Actions option list.
2. Click Access Audit Control in the subaction list to display the Resource Access Audit Control group box.
   Note: The file system options and default access permissions that are displayed depend on the selected resource type. See Resource Types on page 55 for a list of the options and access rights supported for each resource type.

3. Click the Success or Failure column for each access right that you want to audit.
4. To apply the selected audit configuration to children of the resource, click the Recurse Subdirectories checkbox and select a recursion level from the Apply Access Permissions pull-down list.
   Note: The Recurse Subdirectories checkbox unchecks itself if you select This folder only from the Apply Access Permissions pull-down list. This is true of all resource types that support recurse, if you apply to the container object only.
5. Click the Allow inheritable permissions from parent to propagate to this object checkbox to accept audit permission inheritance from a parent object.

Setting Shared Directory Properties

To set the share properties for a SHARE resource record, perform the following steps in the Resource Record Properties dialog:
1. Select Edit Resource Type from the Actions option list.
2. Click to select the SHARE resource type.
3. Click SHARE Properties in the subaction list to display the SHARE Properties group box.
4. Enter the fully qualified path to the shared directory in the SHARE Path field.

5. Either click the Maximum Allowed checkbox to allow the maximum number set for the system, or enter a number in the Allowed Users field.

Command Line Examples

This section provides examples of how to set W2K attributes for a resource record:

1. The following example gives everyone Read access to the directory c:/bin and all of its subdirectories and files, and also audits failed attempts to read the directory c:/bin and all of its subdirectories and files.

      wcrtsec Resource -s DefAccess="perms(r) apply(folder,subfolders,files) recurse" \
         -s ResAccessAudit="Failure perms(r) apply(folder,subfolders,files) recurse" \
         @sp W2K:DIRECTORY:c:/bin

2. The following example gives everyone Read & Execute permission to all the files directly contained in the directory c:/myexecutables.

      wcrtsec Resource -s DefAccess="perms(r,x) apply(files)" \
         @sp W2K:DIRECTORY:c:/MyExecutables

   Note: The permissions set in the previous example apply only to the files contained within the directory, not to the directory itself. In Windows 2000, this is called an inherit-only ACE. An inherit-only ACE is inherited by child objects that allow inheritable permissions to propagate to them.

3. The following example protects the directory c:/foo from inheriting audit and access permissions from its parent, which is the directory c:/, and gives everyone Read access.

      wcrtsec Resource -s DefAccess="perms(r)" \
         -s InheritPerms=False \
         @sp W2K:DIRECTORY:c:/FOO

4. The following example denies everyone read access to the file database.txt and protects it from inheriting parent permissions.