But it's not necessarily that simple to put into practice. Just ask Wake Forest University Baptist Medical Center, Winston-Salem, N.C., which identified the need to reduce the number of IT staff who had domain administrator and account operator access to its Windows NT servers. Domain administrators have effectively complete access to the network, which means they can assign permissions and create user and group accounts, among other administration functions. Account operators have the ability to create a user account, unlock an account, or force a password change.

"We were forced to give a lot of IT staff domain administrator rights, and we didn't want to do that because it created a hole in our security structure," said Kamie Bullins, senior network systems analyst for the medical center.

The problem arose because NT's domain technology provides limited options for setting up network access rights. So a user who needed some administrative rights, but rights that still fell short of an account operator's, for example, often got those higher-level rights by default because it wasn't possible to configure more limited access, Bullins explained.

The medical center purchased Trusted Enterprise Manager software from Avatier Corp. to delegate more granular access controls for its IT staff and employees more broadly. The medical center has more than 10,000 users, so its experiences in bolstering access rights and security in a Windows server-based network are valuable for any organization managing a large number of NT/Windows 2000 servers and user accounts.

With Trusted Enterprise Manager, "we were able to delegate rights using up to 25 different selections," or effectively, 25 levels of access, Bullins explained. With NT's domain technology, by contrast, only a "handful" of account types were possible, she added.

The impact was dramatic. At the start of the Trusted Enterprise Manager deployment, Wake Forest University Baptist Medical Center had 40 domain administrators as well as a large number of account operators. It's been able to eliminate most account operators and ultimately expects to have fewer than five domain administrators, Bullins said.

Scalability was a key element of the medical center's selection of a security and management product. Trusted Enterprise Manager, which runs on a backup NT domain controller, uses a SQL Server database, giving it greater scalability than some competing products that ran on non-relational databases such as Microsoft Access. That level of scalability was important in a distributed network of more than 10,000 users.

Wake Forest University Baptist Medical Center was also seeking reporting tools to track data on different users and groups, such as information on individuals who joined or left groups, their last log-on and log-off, and so on.

The process of actually determining and assigning access rights to certain individuals was a relatively straightforward one. Bullins and her colleagues created a spreadsheet listing the 25 access levels and met with individual group managers to determine the appropriate access rights for employees within their groups. The access rights are created on a central server, then propagated out to other servers in the network.

By delegating more granular access rights to each user, the medical center was also able to eliminate nearly 3,000 user network accounts that were no longer in use, creating significant administrative and resource efficiencies. "That's good for security too because we don't have accounts floating out there," Bullins said. "We found accounts that were active and disabled and accounts that had never been used."

Trusted Enterprise Manager will continue to be used as the medical center effects a transition from the domain structure in NT to Windows 2000 and Microsoft's Active Directory. It provides a single view of Active Directory and domain users, and allows administrators to assign and delegate rights for many users at once, rather than doing so individually. While Active Directory by itself also supports a higher level of access rights granularity, Bullins said the medical center will continue to rely on Trusted Enterprise Manager because of the reporting functions it provides. A forthcoming release from Avatier, version 5.0, also features more Active Directory-specific functionality, Bullins said.
Copyright © 2010 CMP Media LLC