Lesson 2: Configuring Security Options

The Security Options node lives under the Local Policies node. Close to 40 additional security options are available here that allow you to increase the effective security on your computer. In this lesson, you will learn about a few of these available options.

After this lesson, you will be able to

Configure Security Options.

Estimated lesson time: 15 minutes

Shutting Down the Computer Without Logging On

By default, Windows 2000 Professional doesn't require a user to be logged on
to the computer to shut it down. Security Options allow you to disable this feature and force users to log on to the computer before it can be shut down. You access Security Options using the Group Policy snap-in, just as you did to configure the Account Policies settings. Once you open the Group Policy snap-in, expand Local Computer Policy, expand Computer Configuration, expand
Windows Settings, expand Security Settings, expand Local Policies, and then
select Security Options.

Figure 17.4 shows the Local Security Policy Setting dialog box for the Allow System To Be Shut Down Without Having To Log On option. This option is
either enabled, which is the default, or disabled.

Figure 17.4 Setting the Allow System To Be Shut Down Without Having To Log On option

Clear Virtual Memory Pagefile When System Shuts Down

By default, Windows 2000 Professional doesn't clear the virtual memory pagefile when the system is shut down. In some organizations, this is considered a breach
of security because the data in the pagefile might be accessible to users who aren't authorized to that information. To enable this feature and clear the pagefile each time the system is shut down, open the Group Policy snap-in, expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then select Security Options. Right-click Clear Virtual Memory Pagefile When System Shuts Down and then click
Security (see Figure 17.5). This feature is either enabled or disabled.

Figure 17.5 Setting the Clear Virtual Memory Pagefile When System Shuts Down option

Disable CTRL+ALT+DEL Requirement For Logon

By default, Windows 2000 Professional doesn't require users to press Ctrl+Alt+Delete to log on to the computer. To increase security on your com-
puters, you can disable this feature. By forcing users to press Ctrl+Alt+Delete, you are using a key combination recognized only by Windows to ensure that you are giving the password only to Windows and not to a Trojan horse program waiting to capture your password. You set this option using the Group Policy snap-in. You should disable this option, forcing users to use Ctrl+Alt+Delete
(see Figure 17.6).

Figure 17.6 Setting the Disable CTRL+ALT+DEL Requirement For Logon option

Do Not Display Last User Name In Logon Screen

By default, Windows 2000 Professional displays the last user name to log on to the computer in the Windows Security or Log On To Windows dialog box. In some situations, this is considered a security risk because an unauthorized user can see a valid user account displayed on the screen, making it much easier to break into the computer.

To enable this option and prevent the last user name from being displayed, in the Group Policy snap-in, expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies in the console tree, and then click Security Options. In the details pane, right-click Do Not Display Last User Name In Logon Screen, click Security, and then disable this feature. This feature is either enabled or disabled (see Figure 17.7).

Figure 17.7 Disabling the Do Not Display Last User Name In Logon Screen option

Practice: Configuring Security Settings

In this practice, you will configure Security Options on your computer.

To configure and test Security Options

Log on to your computer as Administrator.

Click Start, point to Programs, point to Administrative Tools, and then click Group Policy.

In the Group Policy snap-in's console tree, double-click Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

Configure your computer so that the following conditions are true:

Users must log on to shut down the computer.

Users must press Ctrl+Alt+Delete to log on to the computer.

Windows 2000 will not display the user account last logged on the computer in the Windows Security dialog box.

Close the Group Policy console, save changed settings, and log off.

Notice that you are prompted to press Ctrl+Alt+Delete to log on.

Press Ctrl+Alt+Delete.

Notice that the Log On To Windows dialog box appears with the User Name box blank and the Shutdown option dimmed. (Click Options if you cannot see the Shutdown button.)

Lesson Summary

Some computers require more security than others do. In this lesson, you learned that Security Options in the Group Policy Local Security Policy snap-ins allow you to improve the effective security on any of your computers that require more security. For example, you can prevent an unauthorized user from shutting down your computer by forcing users to log on before they can shut down the computer.

You also learned that you can prevent a Trojan horse application from stealing user passwords by forcing users to press Ctrl+Alt+Delete before they can log on. Windows recognizes the Ctrl+Alt+Delete key combination, so only Windows picks up the keystrokes entered in for user name and password. You can also
increase security by not displaying a valid user name, the last user account that logged on, in the Windows Security or Log On To Windows dialog box. These options and the other Security Options available help you to increase security on your network.