Lesson 3: Configuring Security Options

Under the Local Policies node, there is a Security Options node. There are close to 60 additional security options grouped into the following categories: accounts, audit, devices, domain controller, domain member, interactive logon, Microsoft network client, network access, network security, recovery console, shutdown, system cryptography, and system objects. In this lesson, you learn about a few of these available options.


After this lesson, you will be able to

  • Configure security options

Estimated lesson time: 15 minutes


Renaming the Administrator Account

You cannot delete the Administrator account, but you should rename the built-in Administrator account to provide a greater degree of security. You should use a name that does not identify it as the Administrator account to make it difficult for unauthorized users to break into the account. One of the account settings allows you to enter an account name to automatically rename the Administrator account.

To automatically rename the Administrator account, access the security options using the Group Policy snap-in, expand Local Policies, and then select Security Options. Right-click Accounts: Rename The Administrator Account and then click Properties. Type in the new name you wish to use for the Administrator account and click OK.

To automatically rename the Guest account, use Accounts: Rename Guest Account.

A security option that is important in securing your computer is the Interactive Logon: Number Of Previous Logons To Cache option. This allows you to determine the number of times users can log on to a Windows domain using cached account information. Logon information can be cached locally, so if a domain controller is not available, the user can still log on to the domain. This setting determines the number of times a user can log on using that cached information. The default is 10 times. Setting this value to 0 disables the local caching of this information.

A second option is the Network Logon: Do Not Allow Stored User Names And Passwords To Save Passwords Or Credentials For Domain Authentication option. Enabling this option prevents the storing of user names and credentials.

Shutting Down the Computer Without Logging On

By default, Windows XP Professional does not require a user to be logged on to the computer to shut it down. One of the account settings allows you to force users to log on to the computer before it can be shut down. Access the security options using the Group Policy snap-in, just as you did to configure Account Policy. Once you start the Group Policy snap-in, expand Local Policies and then select Security Options.

Right-click Shutdown: Allow System To Be Shut Down Without Having To Log On, and then click Properties. Figure 13.5 shows the Properties dialog box for the Shutdown: Allow System To Be Shut Down Without Having To Log On setting. This setting is either enabled, which is the default, or disabled. To force users to have to log on to shut down the system, select Disabled.

Your computer must be a member of a domain or you must turn off the use of the Welcome screen to use this setting.

Figure 13.5 Setting the Allow System To Be Shut Down Without Having To Log On setting

Clearing the Virtual Memory Pagefile on Shutdown

By default, Windows XP Professional does not clear the virtual memory pagefile when the system is shut down. In some organizations this is considered a breach of security because the data in the pagefile might be accessible to users who are not authorized to view that information. To enable this feature and clear the pagefile each time the system is shut down, start the Group Policy snap-in, expand Local Policies, and then select Security Options. Right-click Shutdown: Clear Virtual Memory Pagefile and then click Properties. As shown in Figure 13.6, this feature is either enabled or disabled. By default, it is disabled. To force Windows XP Professional to clear the pagefile when the system is shut down, select Enabled.

Figure 13.6 Setting the Clear Virtual Memory Pagefile option

Disabling Ctrl+Alt+Delete Requirement for Logon

Windows XP Professional allows you to configure your computer so that users are required to press Ctrl+Alt+Delete to log on to the computer. By forcing users to press Ctrl+Alt+Delete, you are using a key combination recognized only by Windows. This ensures that you are giving the password only to Windows and not to a Trojan horse program waiting to capture your password.

If you are in an environment where security is not a concern, you can leave the default setting of Not Defined or you can enable the Interactive Logon: Do Not Require Ctrl+Alt+Del option. With either of these settings, users will not have to use this key combination to log on to the computer. To require users to press this key combination to log on, start the Group Policy snap-in, expand Local Policies, and then select Security Options. Right-click Interactive Logon: Do Not Require Ctrl+Alt+Del and then click Properties and click Disabled. Disable this setting if security is a concern.

Your computer must be a member of a domain or you must turn off the use of the Welcome screen to use this setting.

Preventing the Display of the Last User Name in Logon Screen

By default, Windows XP Professional displays the last user name to log on to the computer in the Windows Security dialog box. In some situations this is a security risk because an unauthorized user can see a valid user account name displayed on the screen. This makes it much easier to break into the computer.

Enable Interactive Logon: Do Not Display Last User Name to prevent the last user name from being displayed in the Windows Security dialog box. In the Group Policy snap-in, click the Local Policies node in the console pane, and then click Security Options. In the details pane, right-click Interactive Logon: Do Not Display Last User Name, click Properties, and then select Enabled. As shown in Figure 13.7, this setting is either enabled or disabled.

Figure 13.7 Disabling the Do Not Display Last User Name In Logon Screen option

Your computer must be a member of a domain or you must turn off the use of the Welcome screen to use this setting.
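
The settings covered above can also be checked without opening the snap-in. The following is an added example, not part of the book: it audits a security template exported with secedit /export /cfg against the values this lesson recommends. The registry value names and the [System Access] key names are the standard Windows ones and do not appear in the lesson; the sample template is constructed.

```python
# Values in [Registry Values] are "<type>,<data>"; type 4 is REG_DWORD.
SYS = "machine\\software\\microsoft\\windows\\currentversion\\policies\\system\\"
MM = "machine\\system\\currentcontrolset\\control\\session manager\\memory management\\"
# [Registry Values] key -> (setting name in the lesson, value the lesson recommends)
EXPECTED = {
    SYS + "shutdownwithoutlogon": ("Shutdown: Allow System To Be Shut Down Without Having To Log On", "4,0"),
    MM + "clearpagefileatshutdown": ("Shutdown: Clear Virtual Memory Pagefile", "4,1"),
    SYS + "disablecad": ("Interactive Logon: Do Not Require Ctrl+Alt+Del", "4,0"),
    SYS + "dontdisplaylastusername": ("Interactive Logon: Do Not Display Last User Name", "4,1"),
}
# [System Access] key -> (setting name, built-in name that should be changed)
BUILTIN = {
    "newadministratorname": ("Accounts: Rename The Administrator Account", "administrator"),
    "newguestname": ("Accounts: Rename Guest Account", "guest"),
}

def parse_inf(text):
    """Parse INF text into {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return [(setting, value found)] for every deviation from the lesson."""
    inf = parse_inf(text)
    reg, access = inf.get("registry values", {}), inf.get("system access", {})
    findings = [(name, reg.get(key, "not defined"))
                for key, (name, want) in EXPECTED.items() if reg.get(key) != want]
    findings += [(name, access.get(key, builtin).strip('"'))
                 for key, (name, builtin) in BUILTIN.items()
                 if access.get(key, builtin).strip('"').lower() == builtin]
    return findings

# Constructed sample; a real export is UTF-16, so open it with encoding="utf-16".
SAMPLE = r"""[System Access]
NewAdministratorName = "Administrator"
NewGuestName = "Fox"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
"""

for name, found in audit(SAMPLE):
    print(f"DEVIATION  {name}: {found}")
```

A value reported as "not defined" means the template does not set it at all, which for Do Not Require Ctrl+Alt+Del is the default state the lesson describes as not requiring the key combination.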

Practice: Configuring Security Settings

In this practice, you configure the security setting that automatically renames the Guest account on your computer. Then you turn off the Welcome screen and configure some additional security settings on your computer.

Run the SecuritySettings file in the Demos folder on the CD-ROM accompanying this book for a demonstration of configuring security settings.

Exercise 1: Configuring the Accounts: Rename the Guest Account Security Setting

In this exercise, you use the custom MMC console containing the Group Policy snap-in you created and saved with the name Local Group Policy to automatically rename the Guest account.

To configure and test the Accounts: Rename The Guest Account security option

  1. Log on to your computer as Fred or with a user account that is a member of the Administrators group.
  2. Click Start and click Run. In the Open text box, type mmc, and then click OK.
  3. On the File menu, click Open and click the Local Group Policy MMC console you created in the first practice in this chapter.
  4. In the Group Policy snap-in's console tree, click Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, and Security Options.
  5. Configure your computer so that the Guest account is automatically renamed Fox.
  6. Start the User Accounts tool and verify that the Guest account is now named Fox.

Exercise 2: Turning off Use of the Welcome Screen

In this exercise, you turn off the use of the Welcome screen.

To turn off the Welcome screen

  1. Click Start and then click Control Panel.
  2. Click User Accounts.
  3. Click Change The Way Users Log On Or Off.

    Windows XP Professional displays the Select Logon And Logoff Options window.

  4. Clear the Use The Welcome Screen check box.

    Windows XP Professional also clears the Use Fast User Switching check box.

  5. Click Apply Options, close all open windows, and then log off Windows XP Professional.

    Notice that the Welcome Screen is not displayed and that the Welcome To Windows dialog box requiring you to press Ctrl+Alt+Delete is displayed.

Exercise 3: Configuring Additional Security Settings

In this exercise, you configure some additional security settings.

  1. Press Ctrl+Alt+Delete.

    The Log On To Windows Screen is displayed and the name of the last user to log on to the computer is automatically filled in.

  2. Click Options.

    Notice that Shut Down is available.

  3. Log on as Fred or with a user account that is a member of the Administrators group.
  4. Use the Group Policy snap-in and configure your computer so that the following conditions are true:
    • Windows XP Professional will not display the user account last logged on to the computer in the Windows Security dialog box.
    • Users must log on to shut down the computer.
  5. Log off Windows XP Professional.
  6. Verify that the name of the user account last logged on is not displayed.
  7. Verify that users must log on to shut down the computer; the Shut Down button is no longer available.
  8. Log on to the computer and enable the use of the Welcome screen.
  9. Log off Windows XP Professional.

Lesson Review

The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."

  1. How can you require a user to be logged on to the computer to shut it down? (Discuss using the Welcome screen and using Ctrl+Alt+Delete to log on.)
  2. By default, Windows XP Professional does not clear the virtual memory pagefile when the system is shut down. Why can this be considered a security breach and what can you do to resolve it?
  3. Why does forcing users to press Ctrl+Alt+Delete improve security on your computer?
  4. By default, Windows XP Professional displays the last user name to log on to the computer in the Windows Security dialog box. Why is this considered a security risk and what can you do to resolve it?
  5. How can you disable the Welcome screen in Windows XP Professional?

Lesson Summary

  • The security options in the Local Security Policy snap-in allow you to improve the effective security on any of your computers that require it.
  • If you have disabled the Welcome screen, you can prevent an unauthorized user from shutting down your computer by forcing users to log on before they can shut down the computer.
  • If you have disabled the Welcome screen, you can force users to press Ctrl+Alt+Delete before they can log on to prevent a Trojan horse application from stealing user passwords.
  • The Ctrl+Alt+Delete key combination is recognized by Windows and ensures that only Windows picks up the keystrokes entered for user name and password.
  • You can also increase security by not displaying a valid user name for the last user account that logged on in the Windows Security dialog box.


MCSE Microsoft Windows XP Professional
70-270: MCSE Guide to Microsoft Windows XP Professional (MCSE/MCSA Guides)
ISBN: 0619120312
Year: 2002
Pages: 128
