Security Technologies FAQ

Published: June 13, 2002

Establishing and Troubleshooting Trusts

Q.How do I set up a trust from one Windows domain to another domain?
A.

All domains within a Windows forest automatically trust each other. To trust a domain outside your forest, open AD Domains and Trusts, right-click your domain and select Properties. You will see the list of existing trusts. To set up a trust with another domain:

1. Click New.

2. Enter the name of the other domain.

3. Select the type of trust.

4. Enter the trust password.

Do the same on the other domain to set up both sides of a trust. For more information, refer to HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT 4.0 Domain (Q306733) and HOW TO: Establish Trusts with a Windows NT-based Domain in Windows 2000 (Q308195) in the Microsoft Knowledge Base on the Product Support Services site.

Q.The Trust does not seem to be working properly. How do I troubleshoot it?
A.

Use Nltest.exe or the Domains and Trusts user interface to validate the trust and reset it. See How to Use NLTEST to Force a New Secure Channel (Q156684).

Q.I have two forests and a lot of trusts between the domains in them. Can I just set up a trust between the two forests?
A.

No. This is not possible in Windows 2000.

Q.I had to perform a clean install on a Windows 2000-based server. I used the same user names and now I keep getting 'Error #5513' stating the SID was lost when the domain was reconfigured. The message tells me to 'Reestablish the trust relationship'. I cannot find out how to accomplish that using Active Directory. Any suggestions?
A.

You can use Netdom to delete the old external trust and establish a new one. See HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller (Q260575) on the Microsoft Product Support Services site for information on how to use Netdom to do this.


Firewalls

Q.How do I make Trust, file sharing, FRS and other Windows services work across a firewall?
A.

Most Windows services use dynamic remote procedure call (RPC) ports. This means a random port is assigned to the service when it starts up. You can restrict the range of RPC ports as specified in Q154596 or you can use IPSec to tunnel traffic through your firewall. Certain services such as Active Directory replication allow you to control the port on which the service runs through a registry key. See also Using IPSec to Lock Down a Server and Windows XP product documentation.

Q.How do I allow joining of machines through firewalls?
A.

Typically the ports that need to be open are DNS (53), the Netlogon dynamic RPC port, SMB (445), Kerberos (88), LDAP (389), and NTP (123). Since the Netlogon port is dynamic, the best solution is to use IPSec or another tunneling protocol to tunnel the traffic through the firewall. Alternatively, you can restrict the range of ports as described in Q154596. See also How to Enable IPSec Traffic Through a Firewall (Q233256).


Group Policy

Q.What's the difference between Local Security Policy, Domain Controller Security Policy, and Domain Security Policy?
A.

Local Security Policy affects only that computer. Domain Controller Security Policy affects only domain controllers in that domain. Domain Security Policy affects all computers in the domain. Domain Controller Security Policy settings take precedence over Domain Security Policy settings.

Q.Can I use Group Policy to control which programs users can run? How?
A.

Yes. Use the User Configuration\Administrative templates\System\Run only specified Windows applications setting.

Q.Can I use Group Policy to control who can set registry keys on a group of machines? How?
A.

Yes. Use Computer Configuration\Windows settings\Security settings\Registry.

Q.I'm trying to apply a security template to my Windows 2000 Professional PC in a workgroup. However, when I try to apply the template through the Security Configuration and Analysis snap-in (and secedit), none of the password policies are applied. Why? What should I do?
A.

After doing an analysis using the Security Configuration and Analysis snap-in, the settings not applied may offer this message:

"This setting affects the database only. It does not change the computer setting."
There is, however, a way to apply these settings without individually changing every policy through local security policy.

First, configure the computer from the snap-in: right-click the Security Configuration and Analysis node and choose the configure option, which applies these settings. Since the machine is a member of a workgroup and not a domain, there is no higher-level Group Policy object (GPO) to overwrite the settings. It is important to note that these templates can make many changes, so if you have a compatibility issue after applying one, it can be time-consuming to find which setting caused it. The Local Security Settings snap-in will let you make changes as needed. Keep in mind that most of the settings changed by the Local Security Settings snap-in are reflected on the box immediately. There are some exceptions under Local Policies\Security Options that may require a reboot to take effect.

Q.How can I control the membership of the Administrator group on all machines in the domain?
A.

You can set the restricted groups feature in Group Policy to control the membership of the Local Administrators group. But remember that this will change the membership completely to what you specify—meaning, there is no way just to add users to the group.


Authorization

Q.I am trying to add a user to a group and it keeps telling me that the domain controller is not available even though I know it is. What do I do?
A.

Try this command line:

net localgroup administrators /add domain\user

Replace domain with your domain name and user with appropriate values.


Authentication

Q.Can I set up my network to use only Kerberos?
A.

No. This is not supported.

Q.I lost my administrator password. Can you help me recover it?
A.

If you know the passwords for any accounts on the machine, try to log in using those accounts to see if any of them are administrators. If so, use that account to reset the password on the original administrator account.
You can simplify this by logging on with any account for which you know the password, and then looking at the membership of the administrators group using the Local Users and Groups tool in the Computer Management snap-in (run Compmgmt.msc or right-click My Computer and click Manage). Focus on trying to remember the passwords for those accounts, or finding anyone who knows the passwords for those accounts.

If that didn't work, consider reinstalling. One thing to consider is whether you are using EFS encryption anywhere—if so, you won't be able to get back into your files if you reinstall, unless you exported the recovery agent key ahead of time.

If your machine has another copy of Windows on it, try booting to that copy to recover your data. If you have access problems ("access denied") then you can log into the second copy as an administrator and use the Advanced Security dialog box to take ownership of those files and directories.

If you need immediate access to your data and don't have a second copy of Windows on your machine, or if you feel that a reinstall might endanger your data, then you should perform a "parallel install": install a second copy of Windows on the same machine and use that installation to recover your data to a network drive or somewhere else.

In Windows 2000, if you reset the Administrator's password and the Administrator account was the recovery agent, you will still be able to access the files, even if you did not export the EFS recovery key. In Windows 2000, if you reset the Administrator password and a domain account was the recovery agent, you will not be able to access the files unless you had previously exported the EFS recovery key.
In Windows XP, if you reset the Administrator password, you will not be able to regain access to the files unless you had previously exported the EFS recovery key.

Consider using a password-recovery service. (Caveat emptor.)

Yes, there are other ways and tools to break into a Windows-based computer if you have physical access, but those won't be discussed here.

Q.If I call Microsoft Support will they help me crack my admin password?
A.

Not beyond what's outlined above.

Q.Can Microsoft refer me to specific tools or companies for password cracking or recovery?
A.

No.

Q.Why not?
A.

There are legal liability issues involved with helping someone break into a system.

Q.How do I stop my username from being displayed in the logon dialog box when I reboot?
A.

In Windows 2000:

1. Open Local Security Settings.

2. Select Local Policies.

3. Click Security Options.

4. Select Do not display last user name in logon screen.

Q.An account is being locked out repeatedly. What should I do?
A.

Options for resolution:

Check that the user is not logged on to multiple machines, especially if the user has recently changed his/her password on one of them. If some of those machines run Windows 95, Windows 98, or Windows Me on a Windows 2000 domain, account lockouts are a known issue.

Check that users don't have any mapped network drives at the time they change their password.

Check the account lockout policy in Domain or Local Group Policy.

Check the Event Viewer logs.

Q.How do I decrypt my files after I have re-installed my operating system?
A.

You can't; you must have backed up your files first. See the Data Protection and Recovery in Windows XP white paper.

Q.Can I use EFS with smart cards?
A.

No.

Q.How do I secure file shares on my computer?
A.

There are many things you can do to proactively secure file shares in your network in a managed environment, as listed below. Detection is done for the most part using the NetShare APIs (Microsoft is working on a tool to do this, but it won't be available until later this year).

New share ACLs. When a new share is created (including file share and print share), a default security descriptor is assigned to the share (in Windows 2000, default share ACL is full control for everyone). If the shared folder/printer/CD does not support an ACL (such as a non-NTFS volume), the security descriptor on a share is the only way to control access. Thus, defining a secure default security descriptor is very important for a secure file server.
The default security descriptor is stored in the registry by the SRV service, under LanManServer\DefaultSecurity\SrvsvcDefaultShareInfo, registry type REG_BINARY. Note: changing this setting requires a reboot to take effect. The change affects all new shares to be created and existing shares that still carry the old default security descriptor. By default, on a clean-installed computer, SrvsvcDefaultShareInfo is not defined, which is equivalent to full control for everyone.

Share creation restrictions. Access to share operations such as creating a share, changing share information, and deleting a share is controlled by security descriptors. On a server, administrators can decide who can and cannot perform certain share operations. For example, on a file server, administrators can grant Power Users the ability to create file shares or take it away. The ability to create/delete shares is controlled by an ACE in the security descriptor; Power Users can be added to or removed from the security descriptor to allow or deny the ability.
The security descriptors are stored in the registry by the SRV service, under LanManServer\DefaultSecurity, as follows:

SrvsvcShareFileInfo, REG_BINARY: Permission to control access to file share operations.

SrvsvcSharePrintInfo, REG_BINARY: Permission to control access to print share operations.

SrvsvcShareAdminInfo, REG_BINARY: Permission to control access to admin share operations.

Note that changing these settings requires a restart of the service to take effect.

Session duration. After a network session is established (between RDR, the redirector, and SRV), it can be automatically disconnected if it has been idle for some time, or it can stay connected all the time if requested. For a secure network environment, a session should be disconnected shortly after it becomes idle.
There is a LanManServer setting that controls how long a session is allowed to be idle. The setting is stored in the registry, under LanManServer\Parameters\AutoDisconnect, REG_DWORD. The default is 15 minutes. If the value is set to 0, the session stays connected forever.

Hiding shares. LanManServer provides a setting that can hide itself from being browsed on the network. When this setting is enabled, the server cannot be browsed (but still can be pinged). This adds another level of security to protect the server. The setting is defined as a registry value in LanManServer\Parameters\Hidden, REG_DWORD. Value 0x1 means the server is hidden and 0 means not hidden.
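The three LanManServer checks above (default share ACL, session idle timeout, hidden server) can be audited offline against a saved registry export. The following is an added example, not code from the Microsoft FAQ; the export text is constructed for illustration, and it assumes the standard key path HKLM\SYSTEM\CurrentControlSet\Services\LanManServer with the value names the FAQ gives.

```python
# Added example (not from the FAQ): audit the LanManServer settings the FAQ describes
# from a "reg export" dump. The export below is constructed; the key path is the standard
# HKLM\SYSTEM\CurrentControlSet\Services\LanManServer and the value names are the FAQ's.
import re

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"AutoDisconnect"=dword:00000000
"Hidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\DefaultSecurity]
"SrvsvcShareFileInfo"=hex:01,00,04,80
"""
BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer"

def parse_reg_export(text):
    """Map key path -> {value name: (reg type, value)} for dword and hex values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = re.match(r'^"([^"]+)"=(dword|hex):(.+)$', line)
        if val and current is not None:
            name, kind, raw = val.groups()
            if kind == "dword":
                keys[current][name] = ("REG_DWORD", int(raw, 16))
            else:  # REG_BINARY is exported as comma-separated hex bytes
                keys[current][name] = ("REG_BINARY", bytes.fromhex(raw.replace(",", "")))
    return keys

def audit_lanmanserver(text, max_idle_minutes=15):
    """Apply the FAQ's three checks; returns a list of findings (empty means clean)."""
    reg = parse_reg_export(text)
    params = reg.get(BASE + r"\Parameters", {})
    defsec = reg.get(BASE + r"\DefaultSecurity", {})
    findings = []
    # Session duration: the FAQ's default is 15 minutes; 0 keeps sessions open forever.
    idle = params.get("AutoDisconnect", ("REG_DWORD", 15))[1]
    if idle == 0 or idle > max_idle_minutes:
        findings.append(f"AutoDisconnect={idle}: idle sessions are not disconnected promptly")
    # Hiding shares: 0x1 hides the server from browsing; missing or 0 leaves it visible.
    if params.get("Hidden", ("REG_DWORD", 0))[1] != 1:
        findings.append("Hidden!=1: server is browseable on the network")
    # New share ACLs: an undefined SrvsvcDefaultShareInfo means Everyone/Full Control.
    if "SrvsvcDefaultShareInfo" not in defsec:
        findings.append("SrvsvcDefaultShareInfo undefined: new shares default to Everyone Full Control")
    return findings
```

Run it against the output of `reg export` for the LanManServer key on a server you manage; each finding names the registry value to correct.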
