Authentication policies and other security policies can be applied to stand-alone computers, as well as member computers and domain controllers, by using the Security Configuration Manager Tools. The Security Configuration Manager tools consist of:
Local Security Policy
Security Settings extension to Group Policy
Security Templates snap-in
Security Configuration and Analysis snap-in
Secedit.exe command-line tool
To set or modify individual security settings on individual computers, use Local Security Policy. To define security settings that are enforced on any number of computers, use the Security Settings extension to Group Policy. To apply several settings in batch, use Security Templates to define the settings, and then apply those settings by using Security Configuration and Analysis or Secedit.exe, or import the template that contains your settings into Local or Group Policy. Figure 15-5 shows the Group Policy snap-in with the Security Settings extensions expanded.
Figure 15-5: Group Policy snap-in
Note | For more information about working with Group Policy, see Managing Desktops in this book. For more information about security-related Group Policy, see Authorization and Access Control in this book. |
The following security policy options are logon options and authentication options that can be configured on a computer running Windows XP Professional. This section does not include security policy options that impact other areas of desktop security management.
Account policies affect Windows XP Professional computers in two ways. When applied to a local computer, account policies apply to the local account database that is stored on that computer. When applied to domain controllers, the account policies affect domain accounts for users logging on from Windows XP Professional computers that are joined to that domain.
Domain-wide account policies are defined in the Default Domain Group Policy object (GPO). All domain controllers pull the domain-wide account policy from the Default Domain GPO regardless of the organizational unit in which the domain controller exists. Thus, while there might be different local account policies for member computers in different organizational units, there cannot be different account policies for the accounts in a domain.
By default, all computers that are not domain controllers also receive the default domain account policy for their local accounts. However, different account policies can be established for local accounts on computers that are not domain controllers by setting an account policy at the organizational unit level. Account policies for stand-alone computers are set by using Local Security Policy.
To modify the following password policy settings, open Local Security Policy or Group Policy and go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.
Maximum password age. The number of days a password can be used before the user must change it. Changing passwords regularly limits how long a compromised password remains useful. The default is 42 days; values between 30 and 42 days are typical.
Enforce password history. The number of unique, new passwords that must be associated with a user account before an old password can be reused. When used in conjunction with Minimum password age, this setting prevents reuse of the same password over and over. Most IT departments set a value greater than 10.
Minimum password age. The number of days a password must be used before the user can change it. The default value is zero, but it is recommended that this be set to a few days. Without a minimum age, a user can change the password repeatedly in one sitting to cycle through the history list and return to the old password; used together with Enforce password history, this setting prevents that.
Minimum password length. The minimum number of characters a user's password can contain. The default value is zero. Seven characters is a recommended and widely used minimum.
Passwords must meet complexity requirements. The default password filter (Passfilt.dll) included with Windows 2000 Server and Windows XP Professional requires that a password have the following characteristics:
Does not contain the user's account name or any part of the user's full name that exceeds two consecutive characters.
Contains at least six characters.
Contains characters from at least three of the following four groups: uppercase letters (A, B, C, and so on), lowercase letters (a, b, c, and so on), numerals (0 through 9), and symbols (characters that are not defined as letters or numerals, such as !, @, #, and so on).
This policy is disabled by default.
Tip | It is strongly recommended that you enable this policy setting. |
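The complexity rules above, as an added example in Python; this is not the page's code and not Microsoft's Passfilt.dll. It applies the rules to a candidate password given the account name and full name. Splitting the full name on whitespace and punctuation, and treating a part as a match only when it is longer than two characters, is this example's reading of the rule; the minimum length and the number of required character groups are parameters, so the same check can be run with the stricter seven-character minimum the page recommends.

```python
import re
from dataclasses import dataclass, field

# Character groups of the complexity rule. Anything that is neither a letter
# nor a numeral (including a space) counts as a symbol here.
CATEGORIES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "numeral": str.isdigit,
    "symbol": lambda ch: not ch.isalnum(),
}


@dataclass
class ComplexityResult:
    ok: bool
    reasons: list = field(default_factory=list)


def name_tokens(account_name, full_name):
    """Strings the password must not contain: the account name, plus each
    part of the full name longer than two characters (this example's
    interpretation of the rule)."""
    tokens = {account_name.lower()} if account_name else set()
    for part in re.split(r"[\s,.\-_#]+", full_name or ""):
        if len(part) > 2:
            tokens.add(part.lower())
    return tokens


def check_complexity(password, account_name="", full_name="",
                     min_length=6, min_categories=3):
    """Return ComplexityResult(ok, reasons) for one candidate password."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for token in sorted(name_tokens(account_name, full_name)):
        if token in lowered:
            reasons.append(f"contains name token {token!r}")
    present = sorted(name for name, test in CATEGORIES.items()
                     if any(test(ch) for ch in password))
    if len(present) < min_categories:
        reasons.append(f"only {len(present)} of {len(CATEGORIES)} character "
                       f"groups present ({', '.join(present) or 'none'})")
    return ComplexityResult(not reasons, reasons)


if __name__ == "__main__":
    # Constructed candidates for a user with account name jsmith, full name John Smith.
    for candidate in ["Tr0ub4dor!", "password", "Smith2024!", "Ab1!"]:
        result = check_complexity(candidate, "jsmith", "John Smith")
        print(f"{candidate:12} {'ok' if result.ok else 'rejected'} {result.reasons}")
```

Note that the filter rejects a password on name content and on character groups independently, so a password such as Smith2024! fails even though it uses all four groups; the check returns every reason rather than the first, which is what a help-desk message should show the user.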
Account lockout policy options disable accounts after a set number of failed logon attempts. Using these options can help you detect and block attempts to break passwords. To modify lockout policy settings, launch Local Security Policy or Group Policy and go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
Account lockout threshold. The number of failed logon attempts before a user account is locked out. A locked out account cannot be used until an administrator resets it, or until the account lockout duration expires. You can set values between 1 and 999 failed logon attempts, or you can specify that the account is never locked out by setting the value to 0.
This setting is disabled in the Default Domain Group Policy object and in Local Security Policy for workstations and servers. You must change this to enable lockout after a specified number of attempts.
Unsuccessful attempts to log on to workstations or member servers that have been locked using either CTRL+ALT+DEL or password-protected screen savers do not count as failed logon attempts under this policy setting. Failed attempts to log on remotely do count.
Account lockout duration. The number of minutes (from 1 to 99999) an account remains locked out before it unlocks. By setting the value to 0, you can specify that the account remains locked out until an administrator unlocks it. By default, this policy is not defined because it has meaning only when an account lockout threshold is specified.
Reset account lockout counter after. Determines how many minutes (1 to 99999) must elapse after a failed logon attempt before the counter resets to 0 bad logon attempts. This value must be less than or equal to the account lockout duration. Typically, a reset time of 30 minutes is sufficient because the purpose of an account lockout is to delay an attack on a password.
To manually reset an account that has been locked out, open the user's property sheet in Active Directory Users and Computers. On the Account tab, clear the Account is Locked Out check box. Even though it is a good practice to reset the user's password at the same time, changing the password does not unlock the account.
Kerberos policy does not apply to local account databases because the Kerberos authentication protocol is not used to authenticate local accounts. Therefore, the Kerberos policy settings can be configured only by means of the default domain GPO, where they affect domain logons performed from Windows XP Professional computers.
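How the three lockout settings interact over time, as an added example in Python; this is not the page's code and not a model of the Windows implementation. A tracker applies a threshold, a lockout duration and a reset window (all in minutes, as the policy expresses them) to a sequence of logon attempts, and the constraint that the reset window may not exceed the duration is enforced when the policy is built. The attempt sequences below are constructed.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Account Lockout Policy values, in the units the policy uses."""
    threshold: int      # failed attempts before lockout; 0 = never lock out
    duration: int       # minutes locked; 0 = locked until an administrator unlocks
    reset_after: int    # minutes of quiet before the bad-attempt counter resets

    def __post_init__(self):
        # The policy editor enforces the same constraint.
        if self.duration and self.reset_after > self.duration:
            raise ValueError("Reset account lockout counter after must be "
                             "less than or equal to Account lockout duration")


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: int = None     # minute of the most recent failed attempt
    locked_at: int = None    # minute the account was locked, or None


class LockoutTracker:
    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}

    def attempt(self, user, t, password_ok):
        """Process one logon attempt at minute t; returns 'ok', 'bad' or 'locked'."""
        st = self.accounts.setdefault(user, AccountState())
        p = self.policy
        if st.locked_at is not None:
            if p.duration == 0 or t - st.locked_at < p.duration:
                return "locked"           # still locked; the password is not consulted
            st.locked_at, st.bad_count = None, 0   # duration elapsed: automatic unlock
        if st.bad_count and t - st.last_bad >= p.reset_after:
            st.bad_count = 0              # quiet period elapsed: counter resets
        if password_ok:
            st.bad_count = 0
            return "ok"
        st.bad_count += 1
        st.last_bad = t
        if p.threshold and st.bad_count >= p.threshold:
            st.locked_at = t
            return "locked"
        return "bad"

    def admin_unlock(self, user):
        """Equivalent of clearing 'Account is Locked Out' on the account's property sheet."""
        self.accounts[user] = AccountState()


def run(policy, events):
    """Replay (minute, user, password_ok) events and return the outcome of each."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt(user, t, ok) for t, user, ok in events]


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, duration=30, reset_after=30)
    # Constructed: five rapid guesses, then the real user at minute 10 and 35.
    burst = [(t, "jsmith", False) for t in range(5)] + [(10, "jsmith", True), (35, "jsmith", True)]
    print("burst :", run(policy, burst))
    # Constructed: one guess every 20 to 25 minutes, inside the 30-minute reset window.
    slow = [(t, "bob", False) for t in (0, 20, 45, 70, 95)]
    print("slow  :", run(policy, slow))
    print("slow, reset_after=20:", run(LockoutPolicy(5, 30, 20), slow))
```

The slow sequence shows why the reset window matters: with guesses spaced 25 minutes apart, a 30-minute reset window still accumulates them to the threshold, while a 20-minute window clears the counter between guesses and the account is never locked. The attacker controls the spacing, so a short reset window only delays, never prevents, a password-guessing attack; the purpose of the lockout is to slow such an attack down, which is why the text calls a 30-minute reset sufficient.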
For information about Kerberos policy, see Authentication in the Distributed Systems Guide.
In Local Security Policy and Group Policy, three categories of security policy are located under Computer Configuration\Windows Settings\Security Settings\Local Policies:
Audit Policy
User Rights Assignment
Security Options
Note | For information about Audit Policy see Auditing and Troubleshooting in this chapter. |
User rights are typically assigned on the basis of the security groups to which a user belongs, such as Administrators, Power Users, or Users. The policy settings in this category are typically used to allow or deny users access to their computer based on the method of access and their security group memberships.
In the Local Security Settings and Group Policy snap-ins, the following policy options, which allow or deny user rights based on the method of accessing the computer, are located under the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment extension:
Note | The User Rights Assignment extension includes additional policy options that are not listed here. |
Access this computer from the network. Allows a user to connect to the computer over the network. By default, permissions are granted to members of the Administrators, Everyone, and Power Users groups.
Deny access to this computer from the network. Prevents a user from connecting to the computer over the network. This setting takes precedence over Access this computer from the network if an account is subject to both. By default, no accounts are denied network access.
Allow logon through Terminal Services. Allows a user to connect to the computer by means of a terminal services session.
Deny logon through Terminal Services. A user cannot connect to the computer by means of a terminal services session.
Log on as a batch job. Allows a user to log on by means of a batch-queue facility. For example, when a user submits a job by using the task scheduler, the task scheduler logs that user on as a batch user instead of as an interactive user. This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. By default, only the LocalSystem account has permissions to be logged on as a batch job.
Deny logon as a batch job. Certain accounts cannot log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies. This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. By default, no users are prevented from logging on as a batch job.
Log on as a service. Allows a security principal to log on as a service in order to register a process as a service. This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. By default, only the System (LocalSystem), LocalService, and NetworkService accounts have this right; the LocalSystem account can always log on as a service. Any service that runs under a separate user account must be granted this right.
Deny logon as a service. Prevents a security principal from logging on as a service to establish a security context. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. By default, no accounts are denied this right.
Log on locally. Allows certain users to log on at the computer. This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. The default groups that have this right on Windows XP Professional are Administrators, Backup Operators, Power Users, Users, and Guest.
Deny logon locally. Certain users cannot log on at the computer. This policy setting supersedes the Log on locally policy setting if an account is subject to both policies. This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. By default, no accounts are denied local logon permission.
You might want to set the following security options in order to modify logon-related behaviors:
Interactive logon
Microsoft network server
Network access
Network security
Recovery console
Shutdown
The following policy options are located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
Note | The Security Options extension includes additional policy options that are not listed here. |
Do not display last user name. Determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Log On to Windows dialog box. If this policy is disabled, the name of the last user to log on is displayed. This policy is defined in Local Computer Policy, where it is disabled by default.
Do not require CTRL+ALT+DEL. Determines if a user must press CTRL+ALT+DEL to log on. If this policy is enabled, a user is not required to press CTRL+ALT+DEL to log on. This policy is disabled by default on workstations and servers that are joined to a domain. It is enabled by default on stand-alone workstations.
Caution | Not having to press CTRL+ALT+DEL leaves the user's password vulnerable to interception. Requiring CTRL+ALT+DEL before logging on ensures that the user is communicating by means of a trusted path when entering a password, because that key combination cannot be intercepted by an application that imitates the logon screen. |
Message text for users attempting to log on. Specifies message text that appears before a user logs on. This text is often used for legal reasons, such as to warn users against misusing company information or to tell them that their actions might be audited. This policy is defined by default on workstations and servers, but no default text is specified.
Message title for users attempting to log on. Specifies the title that appears in the title bar of the window that contains the message for users attempting to log on. This policy is defined by default on workstations and servers, but no default text is specified.
Number of previous logons to cache (in case a domain controller is not available). Windows 2000 Server and Windows XP Professional store previous users' logon information locally so that those users can log on again even if a domain controller is unavailable. This setting determines how many unique previous logons are cached. If a domain controller is unavailable and the user's logon information is cached, the user sees the message: A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available. If a domain controller is unavailable and the user's logon information is not cached, the user sees this message: The system cannot log you on now because the domain DOMAIN_NAME is not available. A value of 0 disables caching. Any value above 50 caches only 50 logons. This policy is defined by default in Local Computer Policy, and the default value is 10 logons. Cached logon information also lets a user log on with a domain password that has since been changed, or with a domain account that has since been disabled, for as long as no domain controller can be reached; keep the count as low as the deployment allows.
Prompt user to change password before expiration. Determines how far in advance the operating system warns users that their password is about to expire. Advanced warning gives the user time to construct a strong password. The default value is 14 days.
Require domain controller authentication to unlock. If a computer is locked, a user must authenticate against a domain controller in order to unlock the computer. Otherwise cached credentials can be used.
Smart card removal behavior. Allows you to configure one of three consequences if a smart card is removed in the middle of a session: Lock workstation, Force Logoff, and No action.
Allow anonymous SID/Name translation. Makes it possible for anonymous users to translate SIDs into user names and user names into SIDs. This policy is disabled by default.
Do not allow anonymous enumeration of SAM accounts. Prevents anonymous users from generating a list of accounts in the SAM database. This policy is enabled by default.
Do not allow anonymous enumeration of SAM accounts and shares. Prevents anonymous users from generating a list of SAM accounts and of shared resources. This policy is disabled by default.
Do not allow Stored User Names and Passwords to save passports or credentials for domain authentication. Prevents Stored User Names and Passwords from saving passport or domain authentication credentials after a logon session has ended. This policy is disabled by default.
Sharing and security model for local accounts. Allows you to choose between the Guest only security model and the Classic security model. In the Guest only model, all attempts to log on to the local computer from across the network are forced to use the Guest account. In the Classic security model, users who attempt to log on to the local computer from across the network authenticate as themselves. This policy does not apply to computers that are joined to a domain. On stand-alone computers, Guest only is the default.
Let Everyone permissions apply to Anonymous users. Restores Everyone permissions to users logging on anonymously. In Windows 2000, anonymous logons received Everyone permissions by default. This default behavior was removed in Windows XP Professional, where this policy is disabled by default.
Do not store LAN Manager hash value on next password change. Prevents the LAN Manager (LM) hash of a password from being stored the next time the password is changed. The LM hash is far weaker than the NT hash (the password is uppercased and split into two 7-character halves that are hashed independently), so retaining it makes an offline attack on captured hashes much easier. This policy is disabled by default. Independently of this setting, no LM hash is stored for passwords of 15 or more characters.
Force logoff when logon time expires. Determines whether to disconnect users who are connected to the local computer outside their valid logon hours. This setting affects the Server Message Block (SMB) component of a Windows 2000 server. When this policy is enabled, client sessions with the SMB server are disconnected when the client's logon hours expire. If this policy is disabled, an established client session can continue after the client's logon time expires.
LAN Manager Authentication Level. Determines which challenge/response authentication protocol is used for network logons. These policy options affect the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The following options are available:
Send LM & NTLM responses. Clients use LM and NTLM authentication, and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
Send LM & NTLM - use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
Send NTLM response only. Clients use NTLM authentication only, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
Send NTLMv2 response only. Clients use NTLMv2 authentication only, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
Send NTLMv2 response only\refuse LM. Clients use NTLMv2 authentication only, and use NTLMv2 session security if the server supports it; domain controllers refuse LM and accept only NTLM and NTLMv2 authentication.
Caution | The more restrictive NTLM settings are, the more they can affect the ability of clients running Windows XP Professional to communicate over the network with clients running Windows NT 4.0 or earlier. |
Minimum session security for NTLM SSP based (including secure RPC) clients. Allows you to configure the following options for Windows XP Professional clients:
Require message integrity
Require message confidentiality
Require NTLMv2 session security
Require 128-bit encryption
Allow system to be shut down without having to log on. Determines whether a computer can be turned off without logging on. When this policy is enabled, the Shut Down command is available on the logon screen. When this policy is disabled, the option to turn off the computer does not appear on the logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right to turn off the system. By default, this option is enabled on workstations and disabled on servers in Local Computer Policy.
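Putting the settings of this section together, as an added example in Python; this is not the page's code, and it is neither secedit.exe nor the Security Configuration and Analysis snap-in. It parses the security template (.inf) format those tools read and write and then runs an analysis pass that flags weak logon and authentication settings, in the spirit of the snap-in's analyze step. The template below is constructed; the key names in [System Access] and the registry paths in [Registry Values] are the ones secedit /export writes for the settings discussed here (4 is REG_DWORD and 1 is REG_SZ in that section); the baseline values the checks compare against are this example's own choices drawn from the text's recommendations, not a Microsoft baseline.

```python
from collections import defaultdict

# Constructed sample: a deliberately weak template, not an export from a real computer.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0,*S-1-5-32-547
SeDenyNetworkLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

REG_DWORD = "4"     # [Registry Values] entries are 'type,data'; 4 = REG_DWORD, 1 = REG_SZ
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
POLICIES = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EVERYONE, GUESTS = "S-1-1-0", "S-1-5-32-546"


def parse_template(text):
    """Parse INF-style sections into {section: {key: raw value}}."""
    sections = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")   # registry paths never contain '='
            sections[current][key.strip()] = value.strip()
    return sections


def reg_value(sections, path):
    """Typed value of a [Registry Values] entry, or None if the template lacks it."""
    raw = sections["Registry Values"].get(path)
    if raw is None:
        return None
    kind, _, data = raw.partition(",")
    return int(data) if kind == REG_DWORD else data.strip('"')


def rights(sections, privilege):
    """SIDs (leading '*' stripped) that hold a [Privilege Rights] entry."""
    raw = sections["Privilege Rights"].get(privilege, "")
    return {s.strip().lstrip("*") for s in raw.split(",") if s.strip()}


def analyze(sections):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    access = sections["System Access"]

    def want(key, ok, message):
        value = access.get(key)
        if value is not None and value.lstrip("-").isdigit() and not ok(int(value)):
            findings.append(f"{key}={value}: {message}")

    want("MinimumPasswordLength", lambda v: v >= 7, "below the recommended 7-character minimum")
    want("PasswordComplexity", lambda v: v == 1, "complexity requirements not enforced")
    want("PasswordHistorySize", lambda v: v >= 10, "history too short to stop password reuse")
    want("MinimumPasswordAge", lambda v: v >= 1, "old password can be reused immediately by cycling")
    want("MaximumPasswordAge", lambda v: 1 <= v <= 90, "passwords never expire or expire too rarely")
    want("LockoutBadCount", lambda v: v >= 1, "account lockout disabled")
    duration, reset = access.get("LockoutDuration"), access.get("ResetLockoutCount")
    if duration not in (None, "0") and reset is not None and int(reset) > int(duration):
        findings.append(f"ResetLockoutCount={reset} exceeds LockoutDuration={duration}")

    level = reg_value(sections, LSA + r"\LmCompatibilityLevel")
    if level is not None and level < 3:
        findings.append(f"LmCompatibilityLevel={level}: clients still send LM or NTLM responses")
    if reg_value(sections, LSA + r"\NoLMHash") == 0:
        findings.append("NoLMHash=0: LM hash kept on next password change")
    if reg_value(sections, LSA + r"\RestrictAnonymousSAM") == 0:
        findings.append("RestrictAnonymousSAM=0: anonymous SAM account enumeration allowed")
    if reg_value(sections, POLICIES + r"\DisableCAD") == 1:
        findings.append("DisableCAD=1: CTRL+ALT+DEL trusted path not required at logon")
    cached = reg_value(sections, WINLOGON + r"\CachedLogonsCount")
    if cached is not None and int(cached) > 10:
        findings.append(f"CachedLogonsCount={cached}: more cached domain logons than the default 10")

    if EVERYONE in rights(sections, "SeNetworkLogonRight") and \
            GUESTS not in rights(sections, "SeDenyNetworkLogonRight"):
        findings.append("Everyone may log on from the network and Guests are not explicitly denied")
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_template(SAMPLE_INF)):
        print("WEAK:", finding)
```

The same parser reads a template exported with secedit /export, so the analysis can be run against a computer's effective settings rather than a hand-written file; the deny-right check mirrors the text's point that a deny right always overrides the matching allow right, which is why it looks at both entries together.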