Windows Server 2003 Implement the Principle of Least Privilege

Implement the Principle of Least Privilege: The Microsoft Principle of Least Privilege, simply stated, suggests that we should log on using an account that has only the privileges necessary to perform general user-related tasks, such as retrieving and saving files, printing, etc. When a user needs to perform an administrative task, the user can choose the appropriate tool from Administrative Tools, right-click it and choose Run As. This runs the administrative tool with administrative privileges, while the user keeps only their "normal" user rights for all other tasks. Once the tool is closed, the user's computer, if accessed while the user is away from their desk, will not allow inappropriate access to network resources.

Of course, users are supposed to lock their desktops when away from their desk, but this provides an additional level of security for your network.

Pop Quiz Questions:
1. What are the names of the two templates that were introduced with Windows Server 2003?
2. What is the Security.inf template used for on a Windows Server 2003?
3. What is the principle behind the least privilege?
4. How are security templates grouped on a Windows 2003 Domain Controller?
5. If you need to reset the security settings for the root volumes of a machine, which template can be used?

Pop Quiz Answers:
1. Security.inf and Rootsec.inf.
2. The Security.inf template represents the default security settings applied during installation of the operating system, including the file permissions for the root of the system drive.
3. When logging on to a machine, always use an account with the least number of elevated privileges. Use the RunAs command to use elevated privileges.
4. Templates for domain controllers (and workstations) are grouped as either secure or high secure templates.
5. The rootsec template can be used to reset the security settings for the root volumes of the computer.

Install and Configure Software Update Infrastructure: To help centralize the deployment of patches and fixes, Microsoft has released Software Update Services (SUS). With SUS, an organization can have a single internal server serve as a central point for downloading updates and then updating all other servers and workstations. In larger implementations, use multiple servers to provide fault tolerance and load balancing for this service. Not only does this make the update process more efficient, since most of the updates can be delivered across high-speed infrastructure, but it also provides better control over who updates and which updates can be, and are, applied throughout the network.

SUS has components that need to reside on the server, and components that need to be present on the clients. Use Internet Explorer on the server to administer SUS. To administer client behavior, use the Group Policy MMC. Clients then connect to the SUS server and pull updates based upon the settings that are in effect at the server and those applied through Group Policy.

Install and Configure Software Update Services (SUS)
The installation of Software Update Services (SUS) is a two-step process. Use the link listed on the Web Resources page at

Click the SUS Server Component to begin the download. On the SUS Server Component download site, follow the on-screen instructions to download and install Software Update Server. Once the SUS server component installs, open the program by using the shortcut located in Start | Programs | Administrative Tools for administration. Configuration of the SUS server begins with naming the server. Microsoft uses NetBIOS to find default clients. SUS is configurable to use the Microsoft DNS to find clients as well. 

Since most SUS servers will reside behind a proxy server of some sort, the next step is to configure the proxy settings, which are very similar to the settings in Internet Explorer. If your network supports automatic proxy server configuration, select Automatically detect proxy server settings. If your network does not support automatic proxy server configuration, select Use the following proxy server to access the Internet. To bypass the proxy server for local addresses, select the Bypass proxy server for local addresses check box.

If your proxy server requires a user ID and password to access the Internet, select the Use the following user credentials to access the proxy server check box, and then enter the proxy authentication user ID and password. Lastly, if your proxy server requires credentials but uses basic authentication, select the Allow basic authentication when using proxy server check box.

You will also specify where downloads should come from: directly from Microsoft or from another SUS server in your intranet. This is set under Synchronize Content in the administrative tool. This area of the configuration also allows for scheduling of the synchronization process.

Next, specify what to approve for client machines. The packages may be marked as Approved or Not Approved, or may show a status of New, Updated or Temporarily Unavailable. A New, Not Approved or Temporarily Unavailable package will not be available for download by clients. An Approved package is available for download, and may change its status to Updated if the SUS server synchronizes with its source and changes the content prior to download.

An SUS server needs to be, at minimum, a Pentium III 700 MHz with 512 MB of RAM, and must have the system partition formatted as NTFS. Additionally, the SUS components must be installed on an NTFS partition. A Windows 2000 server with SP2 or any Windows Server 2003 will support SUS, and you will also need IE 5.5 and IIS 5.0 or later.

Install and Configure Automatic Client Update Settings:
The client components for SUS are contained in Windows 2000 SP 3, Windows XP SP 1, in all Windows 2003 installations and as an msi file. For Windows 2000 SP 3 or later, no additional component installation is necessary. Machines running older client operating systems can either download the necessary components from the Microsoft public Web site, or you can create a package from the msi file and distribute it internally through Group Policy. The recommended way to configure SUS behavior for Windows 2000 and Windows XP clients is through Group Policy. Group Policy settings always take precedence over local settings.

In Group Policy, select Computer Configuration | Administrative Templates | Windows Components | Windows Update. Double-clicking on Configure Automatic Updates will open the initial configuration dialog. Once the setting is enabled, you have to choose from three options (2, 3 or 4) for the notification behavior. If option 4 is chosen, then the update can be scheduled. This is the primary configuration for client settings. The other major setting is the next one, Specify intranet Windows update service location. This allows you to tell the client the server from which to download updates, and also where to send statistics relating to downloads.
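
The two Group Policy settings above are stored on each client as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so a client can be checked by exporting that key and auditing the text. The following is an added example, not part of the original article; the server name sus01 and the sample export are constructed placeholders.

```python
import re

# Constructed sample: decoded text of a `reg export` of the Windows Update
# policy key from one client. The server name sus01 is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01"
"WUStatusServer"="http://sus01"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
'''

LINE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<sz>.*)"|dword:(?P<dw>[0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Return {value_name: str|int}; names do not collide across the two keys."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            values[m["name"]] = int(m["dw"], 16) if m["dw"] else m["sz"]
    return values

def audit(text, expected_server):
    """Return a list of findings; an empty list means the client matches policy."""
    v, findings = parse_reg(text), []
    if v.get("NoAutoUpdate", 0) == 1:
        findings.append("Automatic Updates is disabled")
    if v.get("AUOptions") not in (2, 3, 4):
        findings.append("AUOptions is not one of 2, 3 or 4")
    elif v["AUOptions"] == 4 and not {"ScheduledInstallDay", "ScheduledInstallTime"} <= v.keys():
        findings.append("option 4 selected but no install schedule set")
    if v.get("UseWUServer") != 1:
        findings.append("client is not told to use an intranet update server")
    for name in ("WUServer", "WUStatusServer"):
        if str(v.get(name, "")).rstrip("/").lower() != expected_server.lower():
            findings.append(f"{name} does not point at {expected_server}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_REG, "http://sus01") or "client matches policy")
```

A client whose WUServer or WUStatusServer differs from the expected SUS server is taking updates from, or reporting statistics to, a machine you did not approve, which is the finding to follow up first.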

Deborah Timmons is a Microsoft Certified Trainer and Microsoft Certified Systems Engineer. She came into the Microsoft technical field after six years in the adaptive technology field, providing technology and training for persons with disabilities. She is the President and co-owner of Integrator Systems Inc.
