Dr. Tom Shinder's ISA Server and Beyond: Real World Security Solutions for Microsoft Enterprise Networks

When Microsoft released Windows NT, the goal was to provide an operating system suitable for the business environment. As such, NT included features that were not present in Microsoft's consumer operating systems (the Windows 9x/ME line). One such feature was added security: unlike previous Microsoft operating systems, NT supported mandatory logon and file-level permissions.
Windows 2000 took security several steps further, providing for file encryption (EFS), IP Security (IPSec) support, Kerberos authentication, and more. Weaknesses in NT's security were evaluated and addressed. In this book, we cover many of Windows 2000's built-in security features. While Windows 2000 includes enhanced security capabilities on many fronts, and while default settings have been tightened up in regard to some security issues, it is important to know where you're starting from when you set out to fine-tune the security level of your Windows 2000 computers. When it comes to security, there is no "one size fits all" solution; different organizations have different security needs. This chapter discusses the Windows default security settings. We will provide you with information on what you can expect "out of the box" in regard to Windows' access controls, and how you can tweak these default settings to fit your specific situation.
One of the weaknesses in Windows NT 4.0 is inherent in the default access permissions assigned to the built-in groups for the file system and the Registry. Windows 2000 addresses that weakness by refining the permissions granted to these groups. In the next section, we...