Windows 2000 Group Policy

Group Policies in Windows 2000 are a set of configuration settings that the administrator can apply to one or more objects on a computer, or multiple computers, in a domain. Unlike in Windows NT where you had to use several different utilities to control security settings, Windows 2000 centralizes the control of these settings under Group Policy. Group Policies can be used to control the user experience by customizing what they can and cannot do, and what security features are enabled.

Group Policy in Windows 2000 is vastly superior to the policies that were available in Windows NT. For example, in Windows 2000 the policies are not permanent. If you decide to disable or remove a policy, the computer is restored to the state it was in before you applied the policy.

In Windows NT, when you made a change in the system policy it resulted in a physical change to the Registry of the computer. To change the settings once they were applied meant that you had to apply a different set of changes to specifically undo the first set. This tattooing of the Registry meant that even if a policy was applied at the domain level, it would still be in effect if the computer was removed from the domain.

In addition, there are far more options available via policy in Windows 2000. There are hundreds of options available via Group Policy in an Active Directory domain. Even when working with a standalone member server using Local Computer Policy, there are still many options available, including assigning startup or logoff scripts, system configuration, and password policy.

Policies can be controlled at various levels, including at the local system, domain, OU, or site level. Policies are always applied in a specific order, and that order governs the effective settings. The order of application used in Windows 2000 is

  1. Windows NT 4.0 Policies (a.k.a. System Policies)

  2. Local Group Policies

  3. Site Group Policies

  4. Domain Group Policies

  5. OU Group Policies

Because of this hierarchy, if there are conflicting settings in different policies, the policy that was applied last has precedence. A popular acronym that is used to remember this order of precedence is LSDOU, for Local, Site, Domain, and OU.

This inheritance of policy settings can be blocked by an administrator or user with the appropriate permissions, so that a policy configured at the site level can be prevented from being applied to a particular OU. This is called blocking inheritance. The administrator can in turn prevent a policy from being blocked by selecting the No Override option when applying the policy.
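The precedence rules above, as an added Python model that is not part of the original chapter: policies are applied in the order listed (NT 4.0 system policies, then Local, Site, Domain, OU), a later setting overrides an earlier one, Block Policy inheritance on an OU discards site and domain policies, and a No Override policy both defeats the block and keeps its settings from being overridden by any policy processed after it. The level names and the setting names in EXAMPLE are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Processing order from the chapter: NT 4.0 system policies, then Local,
# Site, Domain, OU (LSDOU). A later level wins a conflict unless a No
# Override policy has already fixed the setting.
ORDER = ["nt4", "local", "site", "domain", "ou"]

@dataclass
class Policy:
    level: str                   # one of ORDER
    settings: Dict[str, object]  # setting name -> configured value
    no_override: bool = False    # "No Override" checked on this policy

def effective_settings(policies, block_inheritance=False):
    """Resolve the settings a computer ends up with.

    block_inheritance models Block Policy inheritance set on the OU: site
    and domain policies are skipped unless they are marked No Override.
    Returns {setting: (value, level that supplied it)}.
    """
    result: Dict[str, Tuple[object, str]] = {}
    locked = set()  # settings already fixed by a No Override policy
    for pol in sorted(policies, key=lambda p: ORDER.index(p.level)):
        inherited = pol.level in ("site", "domain")
        if block_inheritance and inherited and not pol.no_override:
            continue  # dropped by the block; local policy is never blocked
        for name, value in pol.settings.items():
            if name in locked:
                continue  # an earlier No Override policy wins this conflict
            result[name] = (value, pol.level)
            if pol.no_override:
                locked.add(name)
    return result

# Illustrative policies (assumed setting names and values, not from the chapter)
EXAMPLE = [
    Policy("local", {"min_pw_len": 0, "lockout_threshold": 0}),
    Policy("site", {"min_pw_len": 6}),
    Policy("domain", {"min_pw_len": 8}, no_override=True),
    Policy("ou", {"min_pw_len": 4, "lockout_threshold": 5}),
]

if __name__ == "__main__":
    for blocked in (False, True):
        print("block inheritance =", blocked, effective_settings(EXAMPLE, blocked))
```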

Local Computer Policy

There are two types of group policy available in a Windows 2000 environment: Local Computer Policy, which is applied to a single computer, and Domain Group Policy, which can be applied at the domain, site, or OU level. Every Windows 2000 computer has its own Local Computer Policy object, regardless of whether or not it's a member of an Active Directory domain.

There are some limitations with Local Computer Policy objects. For example:

  • You can have only one Local Computer Policy object. All local users will receive the same settings.

  • Fewer settings are available.

  • Software installation is not available.

  • Folder redirection is not available.

To access the Local Computer Policy object for a computer, key in gpedit.msc in the Run dialog. This opens the Group Policy MMC, shown in Figure 8.8, showing the available configuration settings for the local object.

Figure 8.8. The Group Policy MMC, showing the Local Computer Policy object settings.


As you can see in Figure 8.8, group policy objects are divided into two nodes, Computer Configuration and User Configuration. In a domain, OU, or site, you can make some settings common to a machine, while other settings vary by user. However, remember that in a local object the user settings apply to all users, so you can make your settings at either node because the result will always be the same. Computer settings are applied at startup, whereas user settings are applied at logon; the default refresh interval for both is 90 minutes.

The configuration settings listed under Administrative Templates on both nodes are similar to those settings that are available via the System Policy Editor. The other settings in the Computer Configuration and User Configuration areas are new to Windows 2000, or were previously available only at the domain level, such as some of the security settings that were configured in Windows NT 4.0 via User Manager.

The Security Settings subnode that is shown in the Group Policy MMC under the Computer Configuration node is also available from the Start menu as the Local Security Settings MMC, as shown in Figure 8.9. To open the MMC, click Start, Administrative Tools, Local Security Settings. If you are working from a domain controller, you will also see Domain Security Settings and Domain Controller Security settings.

Figure 8.9. The Local Security Settings MMC, showing the available policy object settings.


The two most commonly used nodes under Security Settings are Account Policies and Local Policies.

Account Policies

Account policies are used to configure the settings for password and account lockout policy. These settings were configured in the User Manager utility in Windows NT 4.0.

The password policy settings allow you to customize the password requirements to require stronger passwords. The available settings are

  • Enforce Password History: This setting allows you to configure a specific number of passwords that will be remembered by the computer. This prevents users from reusing passwords. The default is one password.

  • Maximum Password Age: This sets the length of time a password can be used before the system requires the user to change to a new one. The default is 42 days.

  • Minimum Password Age: This sets the length of time that a password must be used before a user can change it. The default is 0 days.

  • Minimum Password Length: This sets the minimum length for a password. Seven to eight characters is typically an optimum length. The default is 0 characters.

  • Passwords Must Meet Complexity Requirements: This invokes the requirements that are specified by the passfilt.dll file. The requirements are

    • Passwords must be at least 6 characters long.

    • Passwords may not contain your username or any part of your full name.

    • Passwords must contain characters from at least three of the following four classes: A-Z, a-z, 0-9, or punctuation marks.

    The default is disabled.

  • Store Password Using Reversible Encryption For All Users in the Domain: Specifies whether Shiva Password Authentication Protocol (SPAP) is used. The default is disabled.

The account lockout settings allow you to lock out a user account after several sequential failed logons. The available settings are

  • Account Lockout Duration: This setting allows you to specify the length of time that the account will be disabled. After this time period expires, the user will be able to log on again. The default is not defined.

  • Account Lockout Threshold: This setting allows you to specify the number of times that a user can attempt to log on before the account is disabled. The default is 0, which means this setting is turned off.

  • Reset Account Lockout Counter After: This setting allows you to specify the length of time before the lockout counter is reset. For example, say the counter is set to 10 minutes and the lockout threshold is set to 3. If the user attempts to log on twice and fails, then waits ten minutes, the counter will be reset and they will be able to try three times before they are locked out.
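The lockout counter example above, worked through as an added Python simulation that is not the chapter's own code. Times are whole minutes; a threshold of 0 means lockout is off, and a duration of 0 follows the Windows 2000 convention of keeping the account locked until an administrator unlocks it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int    # Account Lockout Threshold; 0 = lockout turned off
    reset_after: int  # Reset Account Lockout Counter After, in minutes
    duration: int     # Account Lockout Duration in minutes; 0 = until an admin unlocks

@dataclass
class Account:
    bad_count: int = 0
    last_bad_at: Optional[int] = None  # minute of the most recent failed logon
    locked_at: Optional[int] = None    # minute the lockout began, if locked

def attempt_logon(acct: Account, pol: LockoutPolicy, now: int, password_ok: bool) -> str:
    """Apply one logon attempt at minute `now`; returns 'ok', 'bad_password'
    or 'locked_out' and updates the account state."""
    if acct.locked_at is not None:
        if pol.duration and now - acct.locked_at >= pol.duration:
            acct.locked_at = None  # Account Lockout Duration has expired
            acct.bad_count = 0
        else:
            return "locked_out"    # refused even if the password is correct
    # The counter is reset once reset_after minutes pass since the last failure
    if acct.last_bad_at is not None and now - acct.last_bad_at >= pol.reset_after:
        acct.bad_count = 0
    if password_ok:
        acct.bad_count = 0
        return "ok"
    acct.bad_count += 1
    acct.last_bad_at = now
    if pol.threshold and acct.bad_count >= pol.threshold:
        acct.locked_at = now
        return "locked_out"
    return "bad_password"

def chapter_example():
    """Threshold 3, counter reset after 10 minutes: two failures, a ten-minute
    wait, then three fresh failures lock the account (returns the outcomes)."""
    pol = LockoutPolicy(threshold=3, reset_after=10, duration=30)
    acct = Account()
    schedule = [(0, False), (1, False), (11, False), (12, False), (13, False), (14, True)]
    return [attempt_logon(acct, pol, t, ok) for t, ok in schedule]
```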

Local Policies

The Local Policies node of the Local Security Settings MMC has three subnodes: Audit Policy, User Rights Assignment, and Security Options. These items allow you to specify who has access to the computer, specify how much access, and audit specific events.

Audit Policy

The Audit Policy is used to configure which events will be recorded in the Security log. This allows you to track events, such as failed logon attempts. Auditing is not enabled by default, and must be enabled for the selected items. To turn auditing on, double-click one of the items in the right pane of the MMC as shown in Figure 8.10. Then select the desired action and click OK.

Figure 8.10. The Local Security Settings MMC, showing how to configure audit settings.


The available audit types are

  • Audit Account Logon Events

  • Audit Account Management

  • Audit Directory Service Access

  • Audit Logon Events

  • Audit Object Access

  • Audit Policy Change

  • Audit Privilege Use

  • Audit Process Tracking

  • Audit System Events

Each policy can be configured to audit successes, failures, or both. Just about any activity involving a Windows 2000 object can be audited. When planning an audit policy, it's important to audit not only access to resources but also user account management tasks. All entries are saved to the security log, which provides a summary of the computer's operations, showing which tasks were attempted and by whom. Not only does this help to detect unauthorized access, but it can also point out users who don't know what they're doing.

A typical entry in the security log will show the following items:

  • The time and date that the event occurred

  • The event performed

  • The user account that performed the event

  • The success or failure of the event

Except for the Audit Object Access selection, all of the other selections will begin recording audit events to the security log immediately after they are enabled. The Audit Object Access selection is used to allow you to audit specific objects, such as files, folders, or other resources, and needs to be specifically turned on for each object that you want to audit.

To turn auditing on for a specific object:

  1. From the Properties window of the desired object, select the Security tab.

  2. Click the Advanced button.

  3. Select the Auditing tab.

  4. Click the Add button.

  5. From the Add Users or Groups dialog box, select the user or group whose access to the object you want to record. Click OK.

  6. From the Auditing Entry for dialog box, as shown in Figure 8.11, select the actions that you wish to audit.

    Figure 8.11. The Disk Properties dialog box, showing how to configure audit settings.


  7. Click OK three times when finished.

After the settings are saved, every time the specified action is taken on the object by the chosen user or group, an audit event will be written to the security log.

Note: To audit files and folders, you must be using the NTFS file system.


User Rights

User Rights are used to assign various privileges to specific user accounts and/or groups. Some of the default user rights assignments are shown in Figure 8.12.

Figure 8.12. User Rights Assignment, showing some of the available settings.


As you can see, several specific rights, such as the ability to back up files and directories or change the system time, are already assigned to certain groups. For example, you must be a member of the local administrators group to shut down a computer remotely.

Unlike Account policies, which are usually set at the domain level and automatically override the local settings, by default User Rights are configured at the local level. The User Rights settings in the domain Group Policy are set to Not Defined by default.

Security Options

The Security Options node contains a variety of security settings, some of which are available from the Control Panel applets. Similar to User Rights, these settings are commonly set through Local Policy, because these items are set to Not Defined in the domain Group Policy.

A few of the commonly used items are

  • Allow System to Be Shut Down Without Having to Log On: This item enables the shutdown button on the winlogon (Ctrl+Alt+Delete) dialog box.

  • Clear Virtual Memory Pagefile When System Shuts Down: This option is important in high security environments because the pagefile contains a copy of whatever you were working on just before you shut down your system.

  • Do Not Display Last User Name in Logon Screen: This is another good one. If the logon name is not displayed, an intruder will have to guess both the logon name and the password.

  • Message Text for Users Attempting to Log On: This can be used to display company name, disclaimers, accepted use messages, and so on.

  • Prevent Users From Installing Printer Drivers: This is enabled by default.

After you have configured the Local Computer Policy to your satisfaction, you can copy it to another computer. Just right-click the Security Settings node in the left pane of the Local Security Settings MMC, and select Export Policy, Local Policy, as shown in Figure 8.13.

Figure 8.13. The Local Security Settings MMC, showing how to export a local policy.


After the policy is exported to a file, it can be transported to another computer. Just repeat the previous steps and select Import Policy.
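Export Policy writes the settings as an INI-style security template (.inf), the same format secedit applies, so an exported file can be reviewed before it is imported elsewhere. As an added example that is not the chapter's own code, this Python snippet parses a constructed sample template (values invented, not from a real machine) and flags the settings discussed in this chapter that are still at their weak defaults; the section and key names are the ones secedit uses for these settings.

```python
import configparser

# Constructed sample of an exported local policy template (.inf); the values
# are invented to show weak defaults and are not taken from a real machine.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 2
AuditAccountManage = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

FAILURE = 2  # [Event Audit] values: 0 none, 1 success, 2 failure, 3 both
LAST_USER_KEY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName"

def load_template(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case and the MACHINE\... paths as written
    cp.read_string(text)
    return cp

def review(cp):
    """Return the findings for the settings the chapter covers."""
    sa, ev, rv = cp["System Access"], cp["Event Audit"], cp["Registry Values"]
    findings = []
    if int(sa.get("MinimumPasswordLength", 0)) < 7:
        findings.append("minimum password length below 7")
    if sa.get("PasswordComplexity", "0") != "1":
        findings.append("password complexity not enforced")
    if int(sa.get("LockoutBadCount", 0)) == 0:
        findings.append("account lockout turned off")
    for key in ("AuditLogonEvents", "AuditAccountLogon", "AuditAccountManage"):
        if (int(ev.get(key, 0)) & FAILURE) == 0:
            findings.append(key + " not auditing failures")
    if rv.get(LAST_USER_KEY, "4,0").split(",")[1] != "1":  # value is "<type>,<data>"
        findings.append("last user name shown on logon screen")
    return findings
```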

Note: When setting local security policies on a Windows 2000 computer, keep in mind that if the computer is later joined to a domain, the domain security policy will become the default security policy.

MCSE Windows 2000 Server Exam Cram2 (Exam 70-215)
ISBN: 0789728737
Year: 2003
Pages: 155