Lesson 1: Security Configuration Overview

You use the Security Settings extension in the Group Policy snap-in to define security configurations for computers and groups. This lesson introduces the security configuration settings.

After this lesson, you will be able to

  • Recognize security configuration settings in a GPO

Estimated lesson time: 10 minutes

Security Configuration Settings

A security configuration consists of security settings applied to each security area supported by Microsoft Windows 2000. You use the Security Settings extension in the Group Policy snap-in to configure the following security areas for a nonlocal GPO:

  • Account policies
  • Local policies
  • Event log
  • Restricted groups
  • System services
  • Registry
  • File system
  • Public-key policies
  • Internet Protocol (IP) security policies

Account Policies

Account policies apply to user accounts. This security area contains attributes for the following policies.

  • Password Policy. For domain or local user accounts. Determines settings for passwords such as enforcement and lifetimes.
  • Account Lockout Policy. For domain or local user accounts. Determines when and for whom an account will be locked out of the system.
  • Kerberos Policy. For domain user accounts. Determines Kerberos-related settings, such as ticket lifetimes and enforcement.


Account policies should not be configured for organizational units (OUs) that do not contain any computers. An OU that contains only user accounts gains nothing from such a policy, because domain user accounts always receive their account policy from the domain.

When setting account policies in Active Directory directory services, keep in mind that Windows 2000 allows only one account policy per domain: the one applied by the GPOs linked to the domain object itself. That domain account policy becomes the default account policy for the local accounts of any Windows 2000 workstation or server that is a member of the domain. The only exception to this rule is an account policy defined in a GPO linked to an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers contained in the OU, as is the case with the Domain Controllers OU.

Local Policies

These policies pertain to the security settings that a computer enforces for the applications and users running on it. Local policies are evaluated on the computer you are logged on to and depend on the rights you hold on that particular computer. This security area contains attributes for the following policies:

  • Audit Policy. Determines which categories of security events are recorded in the security log on the computer, and whether successful attempts, failed attempts, or both are recorded. (The security log is viewed in the Event Viewer console.)
  • User Rights Assignment. Determines which users or groups have logon or task privileges on the computer.
  • Security Options. Enables or disables security settings for the computer, such as digital signing of data, Administrator and Guest account names, floppy drive and CD-ROM access, driver installation, and logon prompts.

Local policies, by definition, are local to a computer. When these settings are imported to a GPO in Active Directory, they affect the local security settings of any computer accounts to which that GPO is applied.

Event Log

The event log security area defines attributes related to the Application, Security, and System event logs. These attributes are maximum log size, access rights for each log, and retention settings and methods (see Figure 21.1).

Event log size and log wrapping should be defined to match your business and security requirements: a security log that wraps before it is reviewed or collected silently loses the events your audit policy was configured to capture, so size the log for the audit categories you enable. To apply these settings consistently, consider defining them through group policy at the site, domain, or OU level rather than on each computer.

Figure 21.1 Event log settings

Restricted Groups

The Restricted Groups security area provides an important new security feature that acts as a governor for group membership. Restricted Groups automatically provides security memberships for default Windows 2000 groups that have predefined capabilities, such as Administrators, Power Users, Print Operators, Server Operators, and Domain Admins. You can later add any groups that you consider sensitive or privileged to the Restricted Groups security list.

For example, the Power Users group is automatically part of Restricted Groups, since it is a default Windows 2000 group. Assume it contains two users: Alice and Bob. Using the Local Users and Groups snap-in (Power Users is a local group on workstations and member servers), Bob adds Charles to the group to cover for him while he is on vacation. However, no one remembers to remove Charles from the group when Bob comes back from vacation. In actual deployments, over time, these situations add up, leaving extra members in various groups who should no longer have these rights. Configuring security through Restricted Groups prevents this situation. Because only Alice and Bob are listed in the Restricted Groups node for Power Users, Charles is removed from the group automatically the next time group policy is refreshed.

Configuring Restricted Groups ensures that group memberships are set exactly as specified: groups and users that are members of the restricted group but are not listed under Members are removed, and listed accounts that are missing are added. In addition, the reverse membership configuration option ensures that each Restricted Group is a member of only those groups specified in the Member Of column. Because the listed membership is enforced absolutely at every policy refresh, Restricted Groups should be used primarily to configure membership of local groups on workstations or member servers, where membership is small and predictable.

System Services

The system services area is used to configure security and startup settings for services running on a computer.

The Security properties for the service determine which user or group accounts have permission to read/write/delete/execute (that is, to query, configure, start, stop, and delete the service), as well as inheritance settings, auditing, and ownership permission.

The startup settings are

  • Automatic. Starts a service automatically at system start time.
  • Manual. Starts a service only when a user, an application, or a dependent service starts it.
  • Disabled. The service is disabled so it cannot be started.

If you choose to set system service startup to Automatic, perform adequate testing to verify that the services can start without user intervention. You should track the system services used on a computer. For performance optimization, set unnecessary or unused services to Manual. Note that Manual only saves startup cost: a Manual service can still be started by any account with start permission on it. To remove a service from the attack surface, set it to Disabled and restrict its Security properties so that only Administrators and SYSTEM can change it.

Registry and File System Areas

The registry area is used to configure security on registry keys. The file system area is used to configure security on specific file paths. You can edit the Security properties of the registry key or file path to define which user or group accounts have permission to read/write/delete/execute, as well as inheritance settings, auditing, and ownership permission.
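The Security Settings extension, the Security Templates snap-in, and the secedit.exe command line all read and write the same security template (.inf) file format, so the areas described in this lesson can be seen side by side in one file. The template below is an added example and is not from the training kit; the account names (Alice, Bob, SrvAdmin), the service names chosen for disabling, the registry and file paths, and the numeric values are assumptions made for illustration and should be adjusted before use.

```ini
; hardened.inf - added example security template (not from the training kit).
; Account names, service names, paths and numeric values are assumptions chosen
; to illustrate each security area of the lesson; adjust them before use.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Account Policies: Password Policy and Account Lockout Policy.
; Password ages are in days; lockout duration and reset window are in minutes.
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
; Security Options: rename the built-in Administrator account (assumed name).
NewAdministratorName = "SrvAdmin"

; Account Policies: Kerberos Policy (domain user accounts only).
; MaxTicketAge hours, MaxRenewAge days, MaxServiceAge and MaxClockSkew minutes.
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1

; Local Policies: Audit Policy. 0 = no auditing, 1 = success, 2 = failure, 3 = both.
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditObjectAccess = 2
AuditDSAccess = 2
AuditProcessTracking = 0

; Local Policies: User Rights Assignment. Well-known SIDs: *S-1-5-32-544 is
; BUILTIN\Administrators, 545 is Users, 547 is Power Users.
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547
SeRemoteShutdownPrivilege = *S-1-5-32-544

; Local Policies: Security Options are stored as registry values.
; Type codes: 1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD.
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2

; Event Log: size in KB (a multiple of 64). Retention: 0 = overwrite as needed,
; 1 = overwrite entries older than RetentionDays, 2 = do not overwrite (clear manually).
[Security Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 1

[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1

; Restricted Groups: *S-1-5-32-547 is BUILTIN\Power Users. Only Alice and Bob are
; listed, so Charles (added by hand while Bob was away) is removed at the next
; policy refresh. The empty Memberof line puts the group into no other group.
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = Alice,Bob

; System Services: name, startup type (2 = Automatic, 3 = Manual, 4 = Disabled), SDDL.
; The DACL gives SYSTEM and Administrators control; Interactive users may only query.
[Service General Setting]
Messenger,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
RemoteRegistry,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"

; Registry: key, mode (0 = propagate inheritable permissions to subkeys,
; 1 = replace permissions on all subkeys, 2 = do not allow permissions on this key
; to be replaced), SDDL. KA = full control, KR = read; CI = container inherit.
[Registry Keys]
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"

; File System: same layout. %SystemRoot%\repair holds the SAM backup, so only
; Administrators and SYSTEM are granted access. FA = full control, OICI = inherit.
[File Security]
"%SystemRoot%\repair",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
```

Import the file into a GPO with the Import Policy command on the Security Settings node, or test it against a single computer first: secedit /analyze /db hardened.sdb /cfg hardened.inf /log hardened.log reports every setting that differs from the template without changing anything, and secedit /configure with the same /db and /cfg arguments applies it. Running the analysis before importing into a domain or OU GPO is the cheapest way to catch a Restricted Groups line or a Disabled service that would lock out an administrator or break a dependent service on the target computers.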

Public-Key Policies

The public-key policies area is used to configure encrypted data recovery agents, domain roots, and trusted certificate authorities.

IP Security Policies

The IP security policies area is used to configure Internet Protocol security (IPSec) policies, which determine which IP traffic the computer requires to be authenticated or encrypted.

Lesson Summary

In this lesson you were introduced to the security configuration settings in a nonlocal GPO. This included security settings for account policies and local policies and configuring event logs. The lesson also introduced the use of restricted groups and explained the use of the system services, registry, and file system areas when configuring for security. The lesson ended with explanations of the uses of public-key and IP security policies.

MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
