Lesson 6: Configuring Security Options

The Security Options node lives under the Local Policies node. Close to 40 additional security options are available here that allow you to increase the effective security on your computer. In this lesson, you learn about a few of these available options.


After this lesson, you will be able to

  • Configure Security Options

Estimated lesson time: 15 minutes


Shutting Down the Computer Without Logging On

By default, Windows 2000 Professional doesn't require a user to be logged on to the computer before it can be shut down. Security Options allow you to disable this feature and force users to log on to the computer before it can be shut down. You access Security Options using the Group Policy snap-in, just as you did to configure the Account Policies settings. Once you open the Group Policy snap-in, expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then select Security Options.

Figure 7.11 shows the Local Security Policy Setting dialog box for the Allow System To Be Shut Down Without Having To Log On option. This option is either enabled, which is the default, or disabled.

Figure 7.11 Setting the Allow System To Be Shut Down Without Having To Log On option

Clear Virtual Memory Pagefile When System Shuts Down

By default, Windows 2000 Professional doesn't clear the virtual memory pagefile when the system is shut down. In some organizations, this is considered a breach of security because the data in the pagefile might be accessible to users who aren't authorized to have access to that information. To enable this feature and clear the pagefile each time the system is shut down, open the Group Policy snap-in, expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then select Security Options. Right-click Clear Virtual Memory Pagefile When System Shuts Down and then click Security (see Figure 7.12). This feature is either enabled or disabled.

Figure 7.12 Setting the Clear Virtual Memory Pagefile When System Shuts Down option

Disable Ctrl+Alt+Del Requirement For Logon

By default, Windows 2000 Professional doesn't require users to press Ctrl+Alt+Del to log on to the computer. To increase security on your computers, you can disable this feature. By forcing users to press Ctrl+Alt+Del, you are using a key combination recognized only by Windows to ensure that you are giving the password only to Windows and not to a Trojan horse program waiting to capture your password. You set this option using the Group Policy snap-in. You should disable this option and force users to use Ctrl+Alt+Del (see Figure 7.13).

Figure 7.13 Setting the Disable Ctrl+Alt+Del Requirement For Logon option

Do Not Display Last User Name In Logon Screen

By default, Windows 2000 Professional displays the last user name to log on to the computer in the Windows Security or Log On To Windows dialog box. In some situations, this is considered a security risk because an unauthorized user can see a valid user account displayed on the screen, making it much easier to break into the computer.

To prevent the last user name from being displayed, in the Group Policy snap-in, expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies in the console tree, and then click Security Options. In the details pane, right-click Do Not Display Last User Name In Logon Screen, click Security, and then disable this feature. This feature is either enabled or disabled (see Figure 7.14).

Figure 7.14 Disabling the Do Not Display Last User Name In Logon Screen option

Practice: Configuring Security Settings

In this practice, you configure Security Options on your computer.

Exercise 1: Configuring Security Settings

  1. Log on to your computer as Administrator.
  2. Click Start, point to Programs, point to Administrative Tools, and then click Group Policy.
  3. In the Group Policy snap-in's console tree, double-click Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  4. Configure your computer so that the following conditions apply:
    • Users must log on to shut down the computer.
    • Users must press Ctrl+Alt+Del to log on to the computer.
    • Windows 2000 will not display the user account last logged on to the computer in the Windows Security dialog box.
  5. Log off.

    Notice that you are prompted to press Ctrl+Alt+Del to log on.

  6. Press Ctrl+Alt+Del.

    Notice that the Log On To Windows dialog box appears with the User Name box blank and the Shutdown options dimmed. (Click Options if you cannot see the Shutdown button.)
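
The check below is an added example, not part of the original lesson: it reads the [Registry Values] section of a security template exported with secedit /export and reports which of this lesson's four options are not in the hardened state. It assumes the target is the three conditions from step 4 plus pagefile clearing enabled, and that the options are stored under the registry values shown, as in current Windows security templates; confirm the names against your own export.

```python
# Added example: audit this lesson's Security Options in a template exported
# with `secedit /export /cfg out.inf`. The target values are an assumption.
POL = r"machine\software\microsoft\windows\currentversion\policies\system"
MEM = r"machine\system\currentcontrolset\control\session manager\memory management"

# registry value -> (hardened DWORD, option and the state it needs in the snap-in).
# The names have opposite polarity: two are hardened when Disabled, two when Enabled.
EXPECTED = {
    POL + r"\shutdownwithoutlogon": (0, "Allow System To Be Shut Down Without Having To Log On = Disabled"),
    POL + r"\disablecad": (0, "Disable Ctrl+Alt+Del Requirement For Logon = Disabled"),
    POL + r"\dontdisplaylastusername": (1, "Do Not Display Last User Name In Logon Screen = Enabled"),
    MEM + r"\clearpagefileatshutdown": (1, "Clear Virtual Memory Pagefile When System Shuts Down = Enabled"),
}

def parse_registry_values(inf_text):
    """Return {lowercased registry path: int} for REG_DWORD (type 4) entries."""
    values, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line:
            continue
        path, _, data = line.partition("=")
        reg_type, _, value = data.partition(",")
        if reg_type.strip() == "4" and value.strip().isdigit():
            values[path.strip().lower()] = int(value)
    return values

def audit(inf_text):
    """Return a list of findings; an empty list means all four options are hardened."""
    actual = parse_registry_values(inf_text)
    findings = []
    for path, (want, label) in EXPECTED.items():
        got = actual.get(path)
        if got != want:
            state = "not defined" if got is None else f"set to {got}"
            findings.append(f"{label}: currently {state}")
    return findings

# Constructed sample export (real exports are typically UTF-16 encoded files).
SAMPLE = r"""[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

For the constructed sample, the audit reports two findings: shutdown without logon is still allowed, and pagefile clearing is not defined.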

Lesson Summary

Some computers require more security than others. In this lesson, you learned that Security Options in the Group Policy and Local Security Policy snap-ins allow you to improve the effective security on any of your computers that require more security. For example, you can prevent an unauthorized user from shutting down your computer by forcing users to log on before they can shut down the computer.

You also learned that you can prevent a Trojan horse application from stealing user passwords by forcing users to press Ctrl+Alt+Del before they can log on. Windows recognizes the Ctrl+Alt+Del key combination, so only Windows picks up the keystrokes entered for the user name and password. You can also increase security by not displaying a valid user name, the last user account that logged on, in the Windows Security or Log On To Windows dialog box. These options and the other Security Options available help you to increase security on your network.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
