Appendix D - User and Group Accounts

Windows 2000 Built-In Users and Groups

Each table in this appendix has the same columns: the account or group, its description, the platforms on which it exists (Stand Alone Professional, Stand Alone Servers, Domain Controller), its default members, and its applicability to the Security Target requirements and/or the rationale for changes, including any Requirement or Recommendation.

Local User Accounts

Default local user accounts.

| Account / Group | Description | Applies to (Stand-alone Professional / Stand-alone Server / Domain Controller) | Default Members | Applicability to Security Target Requirements and/or Rationale for Changes |
|---|---|---|---|---|
| Administrator | Built-in account for administering the computer/domain. | Professional, Server, DC | | Use of this account by more than one authorized administrator violates FAU_GEN.2, User Identity Association, which states that each auditable event must be associated with the identity of the user that caused the event. Requirement: Assign roles to authorized administrators by placing their user accounts in administrative groups appropriate to their level of responsibility. This ensures that all administrative actions can be tracked in audit logs to specific user accounts. Rename the Administrator account and secure the password for emergency use only. |
| Guest | Built-in account for guest access to the computer/domain. | Professional, Server, DC | | Misuse of this account can violate FAU_GEN.2, User Identity Association, FIA_UAU.2, Authentication, and FIA_UID.2, User Identification Before Any Action. This account is disabled on all systems by default. Requirement: This account must remain disabled. |
| TsInternetUser | User account used by Terminal Services. It is used by the Terminal Services Internet Connector License. When Internet Connector Licensing is enabled, a Windows 2000-based server accepts 200 anonymous-only connections. Terminal Services clients are not prompted with a logon dialog box; they are logged on automatically with the TsInternetUser account. | Server, DC | | Use of this account by more than one user violates FAU_GEN.2, User Identity Association. Requirement: Terminal Services is not an objective of the TOE, and accounts that support anonymous access are not allowed. Therefore, disable this account. |
| krbtgt | Key Distribution Center service account. Windows 2000 Kerberos authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT), must be presented to the Kerberos service itself. The TGT is enciphered with a key derived from the password of the krbtgt account, which is known only by the Kerberos service. | DC | | Use of this account by more than one user violates FAU_GEN.2, User Identity Association. This account is disabled on Domain Controllers by default. Requirement: Unlike other user accounts, the krbtgt account cannot be used to log on to the domain and, in fact, cannot be enabled. |
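The two account-state requirements in the table above (Guest and TsInternetUser must stay disabled; the built-in Administrator must be renamed) can be verified from the text that `net user <name>` prints. The following is an added example, not part of the evaluated-configuration guide: a small parser for that two-column listing and a checker that applies the table's requirements. The listings are constructed to match the `net user` layout and were not captured from a real system; the function names and the `MUST_BE_DISABLED` constant are this example's own.

```python
import re

# Constructed sample output in the layout of `net user <name>`.
# Not captured from a real system; only the fields the checks need are shown.
SAMPLE_NET_USER = {
    "Administrator": """\
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
Account active               Yes
Account expires              Never
Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
""",
    "Guest": """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
Account active               Yes
Account expires              Never
Local Group Memberships      *Guests
Global Group memberships     *None
The command completed successfully.
""",
    "TsInternetUser": """\
User name                    TsInternetUser
Full Name                    TsInternetUser
Comment                      This user account is used by Terminal Services.
Account active               No
Account expires              Never
Local Group Memberships      *Guests
Global Group memberships     *None
The command completed successfully.
""",
}


def parse_net_user(text):
    """Turn the two-column `net user <name>` listing into a dict.

    Keys and values are separated by two or more spaces. Indented
    continuation lines (extra group memberships) are appended to the
    previous key so no membership entry is silently dropped."""
    fields = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command completed"):
            continue
        if line[0].isspace() and last_key is not None:
            fields[last_key] = (fields[last_key] + " " + line.strip()).strip()
            continue
        parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)
        key = parts[0]
        fields[key] = parts[1] if len(parts) > 1 else ""
        last_key = key
    return fields


# Accounts the Local User Accounts table requires to remain disabled.
MUST_BE_DISABLED = ("Guest", "TsInternetUser")


def check_local_accounts(listings):
    """listings: {account name: `net user` output}.

    Returns findings as (account, message); an empty list means the
    table's requirements hold for the accounts examined."""
    findings = []
    for text in listings.values():
        fields = parse_net_user(text)
        name = fields.get("User name", "")
        active = fields.get("Account active", "").strip().lower() == "yes"
        if name in MUST_BE_DISABLED and active:
            findings.append((name, "must remain disabled"))
        if name == "Administrator":
            # The table requires the built-in account to be renamed, so an
            # account still carrying the well-known name is a finding
            # whether or not it is enabled.
            findings.append((name, "built-in Administrator still has its well-known name; "
                                   "rename it and reserve it for emergency use"))
    return findings


if __name__ == "__main__":
    for account, message in check_local_accounts(SAMPLE_NET_USER):
        print(f"{account}: {message}")
```

On the constructed sample the checker reports Administrator (not renamed) and Guest (enabled); TsInternetUser is disabled and passes. The parser keys on the English field labels, so localized `net user` output would need the label strings adjusted.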

Global Groups

When a domain is created, Windows 2000 creates the following built-in global groups in the Active Directory store to group common types of user accounts for use throughout the domain.

Global groups provide the ability to assign users to authorized administrator and authorized user roles with unique domain-level access restrictions based on the global group to which the user is assigned. Global groups support the FMT_SMR.1, Security Roles TOE Security Functional Requirement.

| Account / Group | Description | Applies to (Stand-alone Professional / Stand-alone Server / Domain Controller) | Default Members | Applicability to Security Target Requirements and/or Rationale for Changes |
|---|---|---|---|---|
| Cert Publishers | Enterprise certification and renewal agents. Includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory. | DC | None | Windows 2000 Cert Server is not in the Evaluated Configuration. |
| DnsUpdateProxy | DNS clients that are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). | DC | None | The TOE will support FQDN and does not require membership in this group. Requirement: Do not add accounts to this group. |
| Domain Admins | This group is only available on Windows 2000 servers acting as Domain Controllers. Its members are allowed administrative privileges for the entire domain. By default, this group has the local Administrator account on the Domain Controller as its member. | DC | Administrator | Supports assignment of the administrative role with control within a specific domain. Requirement: Do not add non-administrative accounts (users) to this group.* |
| Domain Computers | All servers and workstations joined to the domain, excluding domain controllers. | DC | None | Supports assignment of the user role supporting access to domain-computer-specific resources. |
| Domain Controllers | Group account for all Domain Controllers in the domain. | DC | DC_Name | Supports assignment of the user role supporting access to domain-controller-specific resources. |
| Domain Guests | This group is only available on Windows 2000 servers acting as Domain Controllers. Members of this group are only allowed to access the system from across the network and have very limited privileges by default. Initially it contains only the Guest user account for the domain. | DC | Guest | Guest/anonymous accounts can violate FAU_GEN.2, User Identity Association, FIA_UAU.2, Authentication, and FIA_UID.2, User Identification Before Any Action. Requirement: Do not use this group. Remove all accounts, including Guest, from this group. |
| Domain Users | This group is only available on Windows 2000 servers acting as Domain Controllers. In a domain environment, the Administrator account and all new user accounts are automatically included as members of this group. This group is also a member of the Users local group for the domain and for every Windows computer in the domain. | DC | Administrator, Guest, krbtgt, TsInternetUser (all new users are added by default) | Supports assignment of the user role supporting access to domain resources. Guest/anonymous accounts can violate FAU_GEN.2, User Identity Association, FIA_UAU.2, Authentication, and FIA_UID.2, User Identification Before Any Action. Requirement: Remove the Guest and TsInternetUser accounts. |
| Enterprise Admins | Provides administrative control over the entire network. By default, the Domain Controller's Administrator account is a member. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. | DC | Administrator (Domain Controller) | Supports assignment of the administrative role with control over the entire network. |
| Group Policy Creator Owners | Members of this group can modify Group Policy for the domain. The group is authorized to create new Group Policy objects in Active Directory. | DC | Administrator | Supports assignment of the administrative role designated to maintain domain-level group policies. Requirement: Do not add non-administrative accounts to this group.* |
| Schema Admins | Designated administrators of the Active Directory schema. The group is authorized to make schema changes in Active Directory. | DC | Administrator | Supports assignment of the administrative role designated to administer the Active Directory schema. Requirement: Do not add non-administrative accounts to this group.* |

Domain Local Groups

Domain local groups provide users with privileges and permissions to perform tasks specifically on the domain controller and in the Active Directory store.

Domain local groups provide the ability to assign users to authorized administrator and authorized user roles with unique Domain Controller access restrictions based on the domain local group to which the user is assigned. Domain local groups support the FMT_SMR.1, Security Roles TOE Security Functional Requirement.

| Account / Group | Description | Applies to (Stand-alone Professional / Stand-alone Server / Domain Controller) | Default Members | Applicability to Security Target Requirements and/or Rationale for Changes |
|---|---|---|---|---|
| Account Operators | This group is only available on Windows 2000 servers acting as Domain Controllers. It allows its members to administer user and group accounts for systems and domains. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. | DC | None | Supports assignment of the administrative role designated to manage user accounts within a domain. Requirement: Do not add non-administrative accounts to this group.* |
| Administrators | Members can perform all administrative tasks on all domain controllers and the domain itself. | DC | Administrator, Domain Admins, Enterprise Admins | Supports assignment of the administrative role with full administrative access rights to all domain controllers and resources within a domain. Requirement: Do not add non-administrative accounts to this group.* |
| Backup Operators | Members can back up and restore files on all domain controllers by using Windows Backup, regardless of the permissions that protect those files. Backup Operators can also log on to the computer and shut it down. | DC | None | Misuse of this group can violate FDP_ACF.1(a), Discretionary Access Control. A member of the Backup Operators group can extract files and directories to which the user would normally not have access. Membership in this group permits users to open any file for backup purposes; however, once the file has been opened for read access it can be redirected by the Backup Operator to any location. By default, users are allowed to back up and restore files for which they have the appropriate file and directory permissions without requiring membership in the Backup Operators group. The Administrator account already has full backup rights. Requirement: Do not add non-administrative accounts to this group.* |
| DnsAdmins | DNS administration group. This group has Full Control over a DNS Server and its zones. | DC | None | Supports assignment of the administrative role responsible for administering DNS. Requirement: Do not add non-administrative accounts to this group.* |
| Guests | The Guests group offers limited access to resources on the system. Members cannot make permanent changes to their desktop environment. Some services automatically add users to this group when they are installed. For example, IIS adds anonymous user accounts to the Guests built-in group. | DC | Guest (local), Domain Guests, TsInternetUser | Guest/anonymous accounts can violate FAU_GEN.2, User Identity Association, FIA_UAU.2, Authentication, and FIA_UID.2, User Identification Before Any Action. Requirement: Do not use this group. Remove all accounts, including Guest, from this group. |
| Pre-Windows 2000 Compatible Access | A backward compatibility group that allows read access on all users and groups in the domain. | DC | None | Requirement: Backward compatibility with pre-Windows 2000 systems is not an objective of the TOE. Therefore, do not add users to this group. |
| Print Operators | A built-in group that exists only on domain controllers. Members can set up and manage network printers on domain controllers. Members of this group are given the rights to create, change, and delete printer shares within the domain. Members can also log on to systems locally and shut them down. | DC | None | Supports assignment of the administrative role responsible for managing print services within a domain. Recommendation: This is an administrative function; therefore, only add authorized administrators to this group. |
| Replicator | Supports file replication on Domain Controllers. It is used by the File Replication service on domain controllers. Members can configure file replication services. The directory replicator service is used to automatically copy files, such as user logon scripts, between Windows 2000-based computers. | DC | None | Can be used in support of requirements identified in para 6.1.5.3, TFS Data Replication Consistency. Supports assignment of the administrative role responsible for administering directory replication services within a domain. Requirement: Do not add non-administrative accounts to this group.* |
| RAS and IAS Servers | Servers in this group can access remote access properties of users. | DC | None | |
| Server Operators | This group is only available on Windows 2000 Servers acting as Domain Controllers. Members of this group can perform server management tasks such as creating, changing, and deleting shared printers, shared directories, and files. They can also back up and restore files, lock the server console and shut down the system. They cannot modify system policies or start and stop services. | DC | | Supports assignment of the administrative role responsible for server maintenance. Requirement: Do not add non-administrative accounts to this group.* |
| Users | This group provides the user with the necessary rights to operate the computer as an end user, such as running applications and managing files. By default, Windows 2000 adds all new local user accounts to the Users group. | DC | Authenticated Users, Domain Users, INTERACTIVE (all new local users are added by default) | Supports assignment of the user role supporting access to resources on the domain controller. Requirement: Do not add accounts with potential for unauthenticated access (such as Guest) to this group. |

Local Groups

All stand-alone Windows 2000 Servers, member servers, and Professional workstations have built-in local groups. These built-in local groups provide members with the capability to perform tasks on the specific computer to which the group belongs.

Local groups provide the ability to assign users to authorized administrator and authorized user roles with unique local access restrictions based on the local group to which the user is assigned. Local groups support the FMT_SMR.1, Security Roles TOE Security Functional Requirement.

| Account / Group | Description | Applies to (Stand-alone Professional / Stand-alone Server / Domain Controller) | Default Members | Applicability to Security Target Requirements and/or Rationale for Changes |
|---|---|---|---|---|
| Administrators | Members of the Administrators group are allowed complete control over the entire computer. When a member server or a computer running Windows 2000 joins a domain, the Domain Admins group is added to the local Administrators group. | Professional, Server | Stand-alone: Administrator. Domain members: Administrator, Domain Admins. | Supports assignment of the administrative role with full administrative access rights to all local resources on a computer. Requirement: Do not add non-administrative accounts to this group.* |
| Backup Operators | Members can use Windows Backup to back up and restore the computer regardless of file system security. | Professional, Server | None | Misuse of this group can violate FDP_ACF.1(a), Discretionary Access Control. A member of the Backup Operators group can extract files and directories to which the user would normally not have access. Membership in this group permits users to open any file for backup purposes; however, once the file has been opened for read access it can be redirected by the Backup Operator to any location. By default, users are allowed to back up and restore files for which they have the appropriate file and directory permissions without requiring membership in the Backup Operators group. The Administrator account already has full backup rights. Requirement: Do not add non-administrative accounts to this group.* |
| Guests | The Guests group offers limited access to resources on the system. Members cannot make permanent changes to their desktop environment. By default, the Guest user account for the computer is a member. This account is disabled by default. | Professional, Server | Stand-alone Professional: Guest. Stand-alone Server: Guest, TsInternetUser. Domain members: Domain Guests is added. | Guest/anonymous accounts can violate FAU_GEN.2, User Identity Association, FIA_UAU.2, Authentication, and FIA_UID.2, User Identification Before Any Action. Requirement: Do not use this group. Remove all accounts, including Guest, from this group. |
| Power Users | Membership provides users with the ability to create and modify local user accounts on the computer and share resources, without giving the user complete control over the computer. | Professional, Server | None | Supports assignment of the user role supporting elevated user rights on a specific computer. This group provides administrative-level privileges such as management of local user accounts and local resource management. Membership in this group by users who are not authorized administrators violates FMT_MTD.1(c), Management of User Attributes, FMT_MTD.1(d), Management of Authentication Data (for user-created accounts), FMT_MTD.1(e), Management of Account Lockout Duration (for user-created accounts), Management of Minimum Password Length (for user-created accounts), and FMT_SMR.1, Security Roles, to the extent that users would be granted privileges generally associated with an authorized administrator role. Requirement: Do not add non-administrative accounts to this group.* |
| Replicator | Members can configure file replication services. The directory replicator service is used to automatically copy files, such as user logon scripts, between Windows 2000-based computers. | Professional, Server | None | Can be used in support of requirements identified in para 6.1.5.3, TFS Data Replication Consistency. Supports assignment of the administrative role responsible for administering directory replication services within a computer. Requirement: Do not add non-administrative accounts to this group.* |
| Users | This group provides the user with the necessary rights to operate the computer as an end user, such as running applications and managing files. By default, Windows 2000 adds all new local user accounts to the Users group. When a member server or a computer running Windows 2000 joins a domain, the Domain Users global group, the Authenticated Users special group, and the INTERACTIVE special group are added to the local Users group. | Professional, Server | Stand-alone: Authenticated Users, INTERACTIVE (all new local users are added by default). Domain members: Authenticated Users, Domain Users, INTERACTIVE (all new local users are added by default). | Supports assignment of the user role supporting access to local resources on the computer. Requirement: Do not add accounts with potential for unauthenticated access (such as Guest) to this group. |
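The membership requirements in the Global Groups, Domain Local Groups and Local Groups tables reduce to three rules: groups marked "Do not use this group" must be empty, administrative groups may contain only authorized administrators (or other administrative groups nested inside them), and the Users groups may not contain accounts with potential for unauthenticated access. The following is an added example, not part of the guide: a parser for the member lists printed by `net localgroup <group>` and `net group <group>`, and an audit that applies those three rules. The listings and user names are constructed, and `ADMIN_GROUPS`, `MUST_BE_EMPTY`, `UNAUTHENTICATED` and `audit_groups` are this example's own names.

```python
import re

# Constructed listings in the layout of `net localgroup <group>` (one member
# per line) and `net group <group>` (several members per line in fixed-width
# columns). Not captured from a real system; the user names are made up.
SAMPLE_LISTINGS = {
    "Administrators": """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
jsmith
The command completed successfully.
""",
    "Domain Admins": """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            amiller                  jsmith
The command completed successfully.
""",
    "Guests": """\
Alias name     Guests
Comment        Guests have the same access as members of the Users group by default

Members

-------------------------------------------------------------------------------
Guest
CORP\\Domain Guests
The command completed successfully.
""",
    "Users": """\
Alias name     Users
Comment        Users are prevented from making accidental or intentional system-wide changes

Members

-------------------------------------------------------------------------------
NT AUTHORITY\\Authenticated Users
NT AUTHORITY\\INTERACTIVE
CORP\\Domain Users
Guest
The command completed successfully.
""",
}


def parse_group_members(text):
    """Return the member names listed below the dashed separator.

    `net group` prints up to three names per line in fixed-width columns,
    so each line is split on runs of two or more spaces; names containing a
    single space (such as "Domain Admins") survive that split. `net localgroup`
    prints one name per line and is handled by the same rule."""
    members = []
    below_rule = False
    for line in text.splitlines():
        if line.startswith("----"):
            below_rule = True
            continue
        if not below_rule or not line.strip() or line.startswith("The command completed"):
            continue
        members.extend(n.strip() for n in re.split(r"\s{2,}", line.strip()) if n.strip())
    return members


def short_name(member):
    """Strip a DOMAIN\\ or NT AUTHORITY\\ prefix so rules match on the bare name."""
    return member.rsplit("\\", 1)[-1]


# Groups whose rows read "Do not add non-administrative accounts to this group".
ADMIN_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Group Policy Creator Owners", "Account Operators", "Backup Operators",
    "Server Operators", "Print Operators", "DnsAdmins", "Replicator", "Power Users",
}
# Groups the tables say not to use, or not to add accounts to.
MUST_BE_EMPTY = {"Guests", "Domain Guests", "DnsUpdateProxy",
                 "Pre-Windows 2000 Compatible Access"}
# Principals with potential for unauthenticated access; the Users rows exclude them.
UNAUTHENTICATED = {"Guest", "TsInternetUser", "Everyone", "ANONYMOUS LOGON"}


def audit_groups(listings, authorized_admins):
    """listings: {group name: `net group`/`net localgroup` output};
    authorized_admins: account names approved for the administrator role.
    Returns findings as (group, member, reason)."""
    findings = []
    for group, text in listings.items():
        for member in parse_group_members(text):
            name = short_name(member)
            if group in MUST_BE_EMPTY:
                findings.append((group, member, "group must not be used; remove all members"))
            elif group in ADMIN_GROUPS and name not in authorized_admins and name not in ADMIN_GROUPS:
                findings.append((group, member, "non-administrative account in an administrative group"))
            elif group in ("Users", "Domain Users") and name in UNAUTHENTICATED:
                findings.append((group, member, "account with potential for unauthenticated access in Users"))
    return findings


if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_LISTINGS, {"Administrator", "amiller"}):
        print("%s: %s (%s)" % finding)
```

With `Administrator` and `amiller` as the authorized administrators, the constructed sample yields five findings: `jsmith` in Administrators and in Domain Admins, both members of Guests, and Guest in Users; the nested `CORP\Domain Admins` entry in Administrators is accepted because it is itself an administrative group. One caveat on the column split: `net group` pads each column to a fixed width, so a name long enough to leave only one space before the next column would be read as a single name; the one-per-line `net localgroup` output does not have this problem.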

System Groups

System groups do not have specific memberships that can be modified. Each is used to represent a specific class of users or to represent the operating system itself. These groups are created by Windows 2000 systems automatically, but are not shown in the group administration GUIs.

| Account / Group | Description | Applies to (Stand-alone Professional / Stand-alone Server / Domain Controller) | Default Members | Applicability to Security Target Requirements and/or Rationale for Changes |
|---|---|---|---|---|
| Anonymous Logon | Includes any user account that Windows 2000 did not authenticate. | Professional, Server, DC | All unauthenticated users. | Misuse of this account can violate FAU_GEN.2, User Identity Association, FIA_UAU.2, Authentication, and FIA_UID.2, User Identification Before Any Action. Requirement: Do not grant resource permissions or user rights to this account. |
| Authenticated Users | Includes all users with a valid user account on the computer or in Active Directory services. | Professional, Server, DC | All authenticated users. | Supports FAU_GEN.2, User Identity Association, FIA_UAU.2, Authentication, and FIA_UID.2, User Identification. Recommendation: Use the Authenticated Users group instead of the Everyone group to prevent anonymous access to a resource. |
| BATCH | A group that includes all users logged on through a batch queue facility. | Professional, Server, DC | | |
| CREATOR OWNER | Includes the user account for a user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group is the owner of the resource. This group is created for each sharable resource on Windows 2000 Server or Professional. It is a placeholder in an inheritable access control entry (ACE): when the ACE is inherited, the system replaces this SID with the SID for the object's creator. | Professional, Server, DC | Members of this group are users who create or take ownership of resources. | Supports FDP_ACF.1(a), Discretionary Access Control Functions, through assignment of object owner attributes. |
| CREATOR GROUP | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. | Professional, Server, DC | | |
| DIALUP | Includes any user who currently has a dial-up connection. | Professional, Server, DC | All dial-in users. | Requirement: Dial-up service support is not an objective of the TOE. Therefore, do not grant resource permissions or user rights to this account. |
| ENTERPRISE DOMAIN CONTROLLERS | A group that includes all domain controllers in a forest that uses an Active Directory service. | DC | | |
| Everyone | Includes all users who access the computer: a group that includes all users, even anonymous users and guests. Windows 2000 will authenticate a user who does not have a valid user account as Guest, and the user automatically gets all rights and permissions assigned to the Everyone group. | Professional, Server, DC | Members of this group include all users accessing Windows 2000 Server or Professional locally, through the network, or through RAS. This includes authenticated and unauthenticated users. In essence, every user who accesses the system is a member of the Everyone group. | Misuse of this account can violate FAU_GEN.2, User Identity Association, FIA_UAU.2, Authentication, and FIA_UID.2, User Identification Before Any Action. Requirement: Do not assign resource permissions or user rights to this account. Use Authenticated Users or specific user accounts and groups where necessary. |
| INTERACTIVE | Includes the user account for the user logged on locally at the computer. Members of the Interactive group gain access to resources on the computer at which they are physically located. | Professional, Server, DC | This group includes all users who log on to Windows 2000 Server or Professional locally. Users who are connected across a network are not members of this group. | |
| NETWORK | Includes any user with a current connection from another computer on the network to a shared resource on the computer. | Professional, Server, DC | This group includes all users who are connected to resources across a network, but does not include those who are connected interactively. | |
| PROXY | This SID is not used in Windows 2000. | DC | | |
| RESTRICTED | This SID is not used in Windows 2000. | DC | | |
| SELF | A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account. | DC | | |
| SERVICE | A group that includes all security principals logged on as a service. | Professional, Server, DC | | |
| SYSTEM | Account used by the operating system to run services, utilities, and device drivers. This account has unlimited power and access to resources that even Administrators are denied, such as the Registry's SAM. | Professional, Server, DC | | This account is used by Windows 2000 to execute security services such as TSF protection functions that are beyond the control of authorized administrators. |
| TERMINAL SERVER USER | | Professional, Server, DC | | Requirement: Terminal service support is not an objective of the TOE. Therefore, do not grant resource permissions or user rights to this account. |

* It is not necessary to remove the corresponding group from DACLs of secured objects as long as this requirement is met.
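Two points in the System Groups table are easiest to see in working code: how the CREATOR OWNER, CREATOR GROUP and SELF placeholder SIDs in an inheritable ACE are replaced when a child object is created, and how a DACL can be checked for grants to the principals the table says must not receive permissions (Everyone, ANONYMOUS LOGON, DIALUP, TERMINAL SERVER USER), with Authenticated Users as the recommended replacement for Everyone. The following is an added example, not part of the guide and not Windows' own inheritance code: a simplified model of inheritance over a list of ACEs plus an audit function. The well-known SIDs are the documented Windows values; the domain, user and group SIDs, the `Ace` class and the function names are constructed for this example.

```python
from dataclasses import dataclass

# Well-known SIDs of the system groups in the table (documented Windows values).
CREATOR_OWNER = "S-1-3-0"
CREATOR_GROUP = "S-1-3-1"
SELF = "S-1-5-10"
EVERYONE = "S-1-1-0"
ANONYMOUS_LOGON = "S-1-5-7"
DIALUP = "S-1-5-1"
TERMINAL_SERVER_USER = "S-1-5-13"
AUTHENTICATED_USERS = "S-1-5-11"

NAMES = {EVERYONE: "Everyone", ANONYMOUS_LOGON: "ANONYMOUS LOGON", DIALUP: "DIALUP",
         TERMINAL_SERVER_USER: "TERMINAL SERVER USER", AUTHENTICATED_USERS: "Authenticated Users",
         CREATOR_OWNER: "CREATOR OWNER", CREATOR_GROUP: "CREATOR GROUP", SELF: "SELF"}

# Principals the table requires not to be granted resource permissions or user rights.
FORBIDDEN_GRANTEES = {EVERYONE, ANONYMOUS_LOGON, DIALUP, TERMINAL_SERVER_USER}


@dataclass(frozen=True)
class Ace:
    sid: str                  # trustee
    access: str               # e.g. "FullControl", "Read"
    allow: bool = True        # allow ACE (False would be a deny ACE)
    inheritable: bool = True  # propagates to child objects


def inherit_aces(parent_aces, creator_sid, creator_group_sid, principal_self_sid=None):
    """Model the ACL a new child object receives from its container.

    Only inheritable ACEs are copied. The CREATOR OWNER and CREATOR GROUP
    placeholders are replaced with the creator's SID and the creator's
    primary-group SID; for an account or group object in Active Directory,
    SELF is replaced with the SID of the principal that holds the account."""
    substitutions = {CREATOR_OWNER: creator_sid, CREATOR_GROUP: creator_group_sid}
    if principal_self_sid is not None:
        substitutions[SELF] = principal_self_sid
    child = []
    for ace in parent_aces:
        if not ace.inheritable:
            continue
        child.append(Ace(substitutions.get(ace.sid, ace.sid), ace.access, ace.allow, ace.inheritable))
    return child


def audit_acl(aces):
    """Return (principal, access, remedy) for every allow ACE granted to a
    principal the table forbids; Everyone gets the Authenticated Users remedy."""
    findings = []
    for ace in aces:
        if ace.allow and ace.sid in FORBIDDEN_GRANTEES:
            remedy = ("grant to Authenticated Users or a specific group instead"
                      if ace.sid == EVERYONE else "remove the grant")
            findings.append((NAMES[ace.sid], ace.access, remedy))
    return findings


# Constructed container ACL: an Everyone read grant (the pattern the table warns
# against), CREATOR OWNER / CREATOR GROUP placeholders, an Authenticated Users
# grant, and a non-inheritable entry that must not propagate to children.
CONTAINER_ACL = [
    Ace(EVERYONE, "Read"),
    Ace(CREATOR_OWNER, "FullControl"),
    Ace(CREATOR_GROUP, "Read"),
    Ace(AUTHENTICATED_USERS, "Read"),
    Ace("S-1-5-21-1000-2000-3000-512", "FullControl", inheritable=False),  # constructed, this container only
]
JSMITH = "S-1-5-21-1000-2000-3000-1105"       # constructed user SID
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"  # constructed primary-group SID

if __name__ == "__main__":
    child_acl = inherit_aces(CONTAINER_ACL, JSMITH, DOMAIN_USERS)
    for ace in child_acl:
        print(NAMES.get(ace.sid, ace.sid), ace.access)
    for principal, access, remedy in audit_acl(child_acl):
        print(f"finding: {principal} has {access}; {remedy}")
```

Running the block shows the child object receiving four ACEs: the Everyone and Authenticated Users grants unchanged, full control for the creator's own SID where CREATOR OWNER stood, read for the creator's primary group where CREATOR GROUP stood, and no copy of the non-inheritable entry. The audit then flags only the inherited Everyone grant, which is why the table's recommendation is to fix such grants on the container rather than on each child.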