You use the Security Settings extension in the Group Policy snap-in to define security configurations for computers and groups. This lesson introduces the security configuration settings.
After this lesson, you will be able to
Estimated lesson time: 10 minutes
A security configuration consists of security settings applied to each security area supported by Microsoft Windows 2000. You use the Security Settings extension in the Group Policy snap-in to configure the following security areas for a nonlocal GPO:
Account policies apply to user accounts. This security area contains attributes for the following policies.
IMPORTANT
Account policies should not be configured for organizational units (OUs) that do not contain any computers, as OUs that contain only users will always receive account policy from the domain.
When setting account policies in Active Directory directory services, keep in mind that Windows 2000 only allows one domain account policy: the account policy applied to the root domain of the domain tree. The domain account policy becomes the default account policy of any Windows 2000 workstation or server that is a member of the domain. The only exception to this rule is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers contained in the OU, as is the case with a Domain Controllers OU.
These policies pertain to the security settings on the computer used by an application or user. Local policies are based on the computer you are logged on to and the rights you have on that particular computer. This security area contains attributes for the following policies:
Local policies, by definition, are local to a computer. When these settings are imported to a GPO in Active Directory, they affect the local security settings of any computer accounts to which that GPO is applied.
The event log security area defines attributes related to the Application, Security, and System event logs. These attributes are maximum log size, access rights for each log, and retention settings and methods (see Figure 21.1).
Event log size and log wrapping should be defined to match your business and security requirements. To take advantage of group policy settings, you may consider implementing these event log settings at the site, domain, or OU level.
Figure 21.1 Event log settings
The Restricted Groups security area provides an important new security feature that acts as a governor for group membership. Restricted Groups automatically provides security memberships for default Windows 2000 groups that have predefined capabilities, such as Administrators, Power Users, Print Operators, Server Operators, and Domain Admins. You can later add any groups that you consider sensitive or privileged to the Restricted Groups security list.
For example, the Power Users group is automatically part of Restricted Groups, since it is a default Windows 2000 group. Assume it contains two users: Alice and Bob. Using the Active Directory Users and Computers console, Bob adds Charles to the group to cover for him while he is on vacation. However, no one remembers to remove Charles from the group when Bob comes back from vacation. In actual deployments, over time, these situations can add up, resulting in extra members in various groups who should no longer have these rights. Configuring security through Restricted Groups can prevent this situation. Because only Alice and Bob are listed in the Restricted Groups node for Power Users, when group policy settings are applied, Charles is removed from the group automatically.
Configuring Restricted Groups ensures that group memberships are set as specified. Groups and users not specified in Restricted Groups are removed from the specific group. In addition, the reverse membership configuration option ensures that each Restricted Group is a member of only those groups specified in the Member Of column. For these reasons, Restricted Groups should be used primarily to configure membership of local groups on workstations or member servers.
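To make the Restricted Groups reconciliation concrete, here is an added Python model (not part of the lesson and not Windows code) of the Members-column enforcement: it takes the membership configured in the GPO and the membership found on a computer, and returns the resulting membership plus a report of who was removed or added. The group and user names are constructed, and the Member Of column is not modelled.

```python
from dataclasses import dataclass, field

# Constructed model of Restricted Groups "Members" enforcement.
# Assumption: the GPO lists, per restricted group, the complete set of allowed
# members; on policy application every member not listed is removed and every
# listed member that is missing is added. Groups the GPO does not restrict are
# left untouched. Names below are illustrative, not a real directory.


@dataclass
class ChangeReport:
    removed: dict = field(default_factory=dict)  # group -> members removed
    added: dict = field(default_factory=dict)    # group -> members added


def enforce_restricted_groups(restricted: dict, current: dict) -> tuple[dict, ChangeReport]:
    """Return (membership after policy application, report of what changed).

    restricted: {group: set(allowed members)} as configured in the GPO
    current:    {group: set(actual members)} as found on the computer
    The `current` mapping is not modified; a new mapping is returned.
    Note that an empty allowed set empties the group entirely.
    """
    result = {group: set(members) for group, members in current.items()}
    report = ChangeReport()
    for group, allowed in restricted.items():
        members = result.setdefault(group, set())
        extra = members - allowed      # present but not authorised by the GPO
        missing = allowed - members    # authorised by the GPO but absent
        if extra:
            report.removed[group] = sorted(extra)
        if missing:
            report.added[group] = sorted(missing)
        result[group] = set(allowed)   # final membership is exactly the GPO list
    return result, report


# Constructed sample: the vacation scenario from the text (Charles was added
# to Power Users and never removed) plus a group the GPO does not restrict.
GPO_RESTRICTED = {"Power Users": {"Alice", "Bob"}}
BEFORE = {"Power Users": {"Alice", "Bob", "Charles"}, "Backup Operators": {"Dana"}}

if __name__ == "__main__":
    after, changes = enforce_restricted_groups(GPO_RESTRICTED, BEFORE)
    for group, who in changes.removed.items():
        print(f"{group}: removed {', '.join(who)}")
    print("Power Users now:", sorted(after["Power Users"]))
```

The change report is the part worth logging in a real deployment: a member repeatedly reappearing in the removed list is a sign someone keeps re-adding an account outside the GPO.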
The system services area is used to configure security and startup settings for services running on a computer.
The Security properties for the service determine what user or group accounts have permission to read/write/delete/execute, as well as inheritance settings, auditing, and ownership permission.
The startup settings are
If you choose to set system service startup to Automatic, perform adequate testing to verify that the services can start without user intervention. You should track the system services used on a computer. For performance optimization, set unnecessary or unused services to Manual.
The registry area is used to configure security on registry keys. The file system area is used to configure security on specific file paths. You can edit the Security properties of the registry key or file path defining what user or group accounts have permission to read/write/delete/execute, as well as inheritance settings, auditing, and ownership permission.
The public-key policies area is used to configure encrypted data recovery agents, domain roots, and trusted certificate authorities.
The IP security policies area is used to configure network Internet Protocol (IP) security.
In this lesson you were introduced to the security configuration settings in a nonlocal GPO. This included security settings for account policies and local policies and configuring event logs. The lesson also introduced the use of Restricted Groups and explained the use of system services and the registry area when configuring for security. The lesson ended with explanations of the uses of public-key and IP security policies.