Restricted Groups

By winthrop.polk

I am an I&C engineer, not an IT guy. But I need a quick and dirty explanation.

I am in the process of modifying the standard WinXP hisec security template to fit our needs. In the user rights section, I have assigned custom group names to each user right; we will call them group 1 through 4.

This is the first time I have modified a security template. It's taken me about a month to get where I am. Now I have arrived at the section called restricted groups.

What is the difference between a group and a restricted group? Is this where I put my custom named groups and then assign the actual users who are in each group?

Our systems do not have a domain controller, so everything has to be done locally.

Please feel free to ask questions if you need more information or clarification.

Thanks Peeps of the WWW


All Answers


secure*.inf & hisec*.inf templates

by CG IT In reply to Restricted Groups

think you best go here


and MS Technet:

Groups are containers that you collect objects like user accounts and assign the same attributes to all who are in the group, such as rights and permissions.

When you look at the local security settings\user rights assignments of a local machine, you're seeing what the different groups' rights are, and members of the groups can do what the group rights and permissions say they can. As an example, the user rights assignments\log on locally. You'll see a list of groups that are allowed to log on locally. You can remove or add groups or individual user accounts to the list. Removing a group from the list, in which a user is a member of, that user will not be allowed to do what the policy says groups and users can do such as log on locally. The exception is if you put a user in a group and then also assign a security setting with an individual user in as well. Removing the group doesn't remove the user who's been placed in the setting individually.

You can create a template from a local machine using the MMC and export it, then use that template for all other machines you want. But... doing this is not for the faint of heart. It can be frustrating because what works on one machine might make something on another machine not work at all.



by winthrop.polk In reply to secure*.inf & hisec*.inf ...

I agree and understand all of this. The current point of confusion is the section called "Restricted Groups". I really just want some confirmation that my understanding is accurate before I go messing with this. I have read tons of documentation regarding the "User Rights" and "Restricted Groups" sections, but none of this ties the two sections together in a coherent way. Here is the situation:

Our network of 120+ computers does not have a domain controller (crazy I know). My boss wants me to go through the security template hisecws, customize it and translate it into a text document. So I pretty much started at the top and worked my way down. When I got to the user rights section, I assigned each value to any number for 4 groups (called groups 1 through 4 for this document). I do not want to use any of the built in groups. Now that I have assigned these custom groups certain user rights, I need a place to list the actual group names and which users belong to which groups; I suspect this is what the "Restricted groups" section is for; is this correct?

Is it correct that, based on the above conditions and my desire to keep it simple, that in this section I should delete the groups already listed, "add group" 1 through 4 and assign my user names for each group here? Does this automatically create the usernames, or do I have to do this somewhere else? Is it a correct statement that the "members of" list for each group 1-4 should be left blank?

Any help is appreciated.


Additional FYI

by winthrop.polk In reply to secure*.inf & hisec*.inf ...

I have previously read all 3 articles you mentioned, before you mentioned them. I understand everything there. If you have a source that explains in detail the connection between the sections "user rights" and "restricted groups" that would be incredibly useful. User rights section is self-explanatory and documentation is easily understood. The Restricted groups section is a little confusing and all the documentation I read on it is a bit hard to comprehend and probably goes into more detail than I need. There also doesn't appear to be good documentation logically tying the two sections together for noobies like me.


AND the LAST question, If I get these answered I'm done.

by winthrop.polk In reply to secure*.inf & hisec*.inf ...

Of my 4 custom groups, there is one group called "operators". This will be a small group of people who will only have access to a few computers and will not be allowed to use any of the OS features. They operate the power plant. They will only be able to use the operator screen (industrial control system GUI).

The problem is that the operators do not want to have to log in to their computers during shift changes. Corporate has already agreed to this, against my recommendation, and has put cameras up as compensating measures.

So, is it possible to allow any operator to log on using the group name rather than their user name? If they log on with their username, then they will have to log on/off during shift changes which cannot happen. However, if they just log on as the operator group, then during normal operation they will never have to log off, even during shift changes. If, during maintenance, a setting needs to be changed or software needs to be installed the admin can log on to make these changes, then log back on the operators group when done.



Restricted Groups = only in a domain environment

by CG IT In reply to AND the LAST question, If ...

Restricted Groups is a quasi-automatic way to keep members in the group and non members out of the group.

Here's a MS Technet Article on Restricted Groups

btw how did you get around the 10 user networking limit in Windows?


Thanks But.....

by winthrop.polk In reply to Restricted Groups = only ...

I already read that article. It really doesn't go into enough detail.

I am not sure what you mean by 10 user maximum.


what didn't you get?

by CG IT In reply to Thanks But.....

Restricted groups is a special container that restricts who is a member. Only those users who are listed as members can be members. All others are automatically removed. This includes containers and members listed in members of.

Typically restricted groups are used in places of high security to ensure that only those users who are members of the restricted group can access resources. There are instances where someone gains administrative access and tries to elevate privileges by being a member of certain groups. The restricted group removes those users.

Workgroup 10 user limit is a built in restriction to desktop operating systems such as Windows XP, Windows 2000 and so on. Microsoft does this on purpose so that if you have more than 10 users, they want you to have to choose the server route.

So if you have a share that users use and that is stored on a Desktop machine, the desktop will only allow 10 concurrent connections.

In a workgroup with 120?? desktops, how do you get around the 10 concurrent limitation other than there are not more than 10 users connecting to a machine concurrently.
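
The membership rule described in the post above, tied to the user-rights section of the same template, modelled as an added example that is not part of the original thread. The section and key names follow the security template .inf layout; the group names, user names and helper functions are hypothetical.

```python
import configparser

# Constructed sample template fragment; group and user names are hypothetical.
TEMPLATE = """\
[Privilege Rights]
SeInteractiveLogonRight = Group1,Group2
SeShutdownPrivilege = Group1
SeBackupPrivilege = Group3

[Group Membership]
Group1__Memberof =
Group1__Members = alice,bob
Group2__Memberof =
Group2__Members = carol
"""

def _split(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def parse_template(text):
    """Return (user right -> principals, restricted group -> allowed members)."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case (SeShutdownPrivilege, Group1__Members)
    cp.read_string(text)
    rights = {k: _split(v) for k, v in cp["Privilege Rights"].items()}
    members = {k[:-len("__Members")]: _split(v)
               for k, v in cp["Group Membership"].items()
               if k.endswith("__Members")}
    return rights, members

def enforce(current, restricted):
    """Restricted groups end up with exactly their listed members; others are untouched."""
    after = {g: sorted(m) for g, m in {**current, **restricted}.items()}
    removed = {g: sorted(set(current.get(g, [])) - set(m)) for g, m in restricted.items()}
    return after, removed

def unpinned_principals(rights, restricted):
    """Principals that hold a user right but have no Restricted Groups entry."""
    return sorted({p for ps in rights.values() for p in ps if p not in restricted})

def rights_by_user(rights, restricted):
    """Expand group-level rights to the users the template pins into each group."""
    out = {}
    for right, principals in rights.items():
        for user in (u for p in principals for u in restricted.get(p, [])):
            out.setdefault(user, set()).add(right)
    return out
```

Exported templates are normally Unicode files, so decode the file before passing its text to `parse_template`.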


I get it

by winthrop.polk In reply to what didn't you get?

Mean mean microsoft.

I am not too worried about the user limit (that I just became aware of). Largely because these 120 computers don't have many users. They tend to run themselves and if anyone logs on, it's generally only one. There are exceptions of course and there are servers in this system as well. These devices run a power plant; little user interaction is required.

This is not your traditional IT type network, but now it has to become that.


humm well if it was me....

by CG IT In reply to I get it

I'd make sure USB ports were disabled or the use of USB flash drives were disabled. Floppy and CD drives were removed. Keyboards and mice removed as well as monitors that are not required except for admin work. I'd lock up the box with lock and key and not those stupid locks the cases come with.

I'd use managed infrastructure to further secure the network and isolate high security computers into protected networks.

Where possible, restrict physical access as well.

Basically make it a DOD level high security network. Pain to administer but.....

And no internet access. If there is, very very limited access to only a few particular sites and all on a proxy.



by winthrop.polk In reply to I get it

We are doing all of that. But the first thing is to make sure all these computers have correct and consistent security policies.
