Lesson 1: Security Configuration Overview
You use the Security Settings extension in the Group Policy snap-in to define
security configurations for computers and groups. This lesson introduces the
security configuration settings.
After this lesson, you will be able to
Recognize security configuration settings in a GPO
Estimated lesson time: 10 minutes
Security Configuration Settings
A security configuration consists of security settings applied to each security area supported by Microsoft Windows 2000. Using the Security Settings extension in the Group Policy snap-in, the following security areas may be configured for a nonlocal GPO:
Account policies
Local policies
Event log
Restricted groups
System services
Registry
File system
Public key policies
IP security policies
Account Policies
Account policies apply to user accounts. This security area contains attributes for
Password Policy. For domain or local user accounts, determines settings for passwords such as enforcement and lifetimes.
Account Lockout Policy. For domain or local user accounts, determines when and for whom an account will be locked out of the system.
Kerberos Policy. For domain user accounts, determines Kerberos-related settings, such as ticket lifetimes and enforcement.
IMPORTANT
Account policies should not be configured for organizational units (OUs) that do not contain any computers, as OUs that contain only users will always receive account policy from the domain.
When setting account policies in Active Directory, keep in mind that Windows 2000 only allows one domain account policy: the account policy applied to the root domain of the domain tree. The domain account policy will become the default account policy of any Windows 2000 workstation or server that is a member of the domain. The only exception to this rule is when another account policy is defined for an OU. The account policy settings for the OU will affect the local policy on any computers contained in the OU, as is the case with a Domain Controllers OU.
Local Policies
These policies pertain to the security settings on the computer used by an application or user. Local policies are based on the computer you are logged on to and the rights you have on that particular computer. This security area contains attributes for
Audit Policy. Determines which security events are logged into the security log on the computer (successful attempts, failed attempts, or both). (The security log is a part of the Event Viewer console.)
User Rights Assignment. Determines which users or groups have logon or task privileges on the computer.
Security Options. Enables or disables security settings for the computer, such as digital signing of data, Administrator and Guest account names, floppy drive and CD-ROM access, driver installation, and logon prompts.
Local policies, by definition, are local to a computer. When these settings are
imported to a GPO in Active Directory, they will affect the local security settings of any computer accounts to which that GPO is applied.
Event Log
The event log security area defines attributes related to the Application, Security, and System event logs: maximum log size, access rights for each log, and retention settings and methods (see Figure 13.1). Event log size and log wrapping should be defined to match your business and security requirements. You may consider implementing these event log settings at the site, domain, or OU level, to take advantage of group policy settings.
Figure 13.1 Event log settings
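The audit policy and event log settings described above are stored as plain numeric values when a security configuration is saved as a security template (.inf), which is also how the Security Templates snap-in and secedit exchange them. The following script is an added example, not code from the book or from Microsoft: it reads a constructed [Event Audit] and [Security Log] fragment, decodes which outcomes each audit category will write to the Security log, reports the categories that would not record failed attempts, and renders the log size and retention settings in readable form. The set of categories treated as required for failure auditing is an assumption chosen for the example.

```python
"""Decode audit and event log settings from a Windows 2000 security template.

Added example for this lesson (not from the book). It reads the [Event Audit]
and [Security Log] sections of a constructed template and reports which event
categories will produce success/failure entries in the Security log, which
required categories are not covered, and how the log is sized and retained.
"""
import configparser
from typing import Dict, List

# Audit value bits in templates: 1 = success, 2 = failure, 3 = both, 0 = none.
SUCCESS, FAILURE = 1, 2
# AuditLogRetentionPeriod encodings used by the [... Log] sections.
RETENTION = {
    0: "overwrite events as needed",
    1: "overwrite events older than RetentionDays",
    2: "do not overwrite events (clear the log manually)",
}

# Constructed template fragment; values were chosen so that some findings appear.
TEMPLATE = """
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1
RetentionDays = 7
RestrictGuestAccess = 1
"""

# Categories where failure auditing is wanted for detection (example choice,
# not a Microsoft-published baseline).
REQUIRE_FAILURE = ["AuditLogonEvents", "AuditAccountLogon",
                   "AuditAccountManage", "AuditPolicyChange"]


def load_template(text: str) -> configparser.ConfigParser:
    """Parse template text; keep key case and turn off %-interpolation."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = str  # keep 'AuditLogonEvents' rather than lowercasing it
    cp.read_string(text)
    return cp


def audit_coverage(cp: configparser.ConfigParser) -> Dict[str, Dict[str, bool]]:
    """Map each audit category to the outcomes (success/failure) it logs."""
    coverage = {}
    for name, raw in cp.items("Event Audit"):
        value = int(raw)
        coverage[name] = {"success": bool(value & SUCCESS),
                          "failure": bool(value & FAILURE)}
    return coverage


def audit_findings(cp: configparser.ConfigParser) -> List[str]:
    """List required categories that would not record failed attempts."""
    cov = audit_coverage(cp)
    return [name for name in REQUIRE_FAILURE
            if not cov.get(name, {}).get("failure", False)]


def describe_log(cp: configparser.ConfigParser, section: str = "Security Log") -> str:
    """Render a log section's size (KB) and retention settings as one line."""
    size_kb = cp.getint(section, "MaximumLogSize")
    period = cp.getint(section, "AuditLogRetentionPeriod")
    text = f"{section}: {size_kb} KB, {RETENTION[period]}"
    if period == 1:
        text += f" ({cp.getint(section, 'RetentionDays')} days)"
    if cp.getint(section, "RestrictGuestAccess", fallback=0) == 1:
        text += ", guest access restricted"
    return text


if __name__ == "__main__":
    cp = load_template(TEMPLATE)
    for cat, flags in audit_coverage(cp).items():
        print(f"{cat:22} success={flags['success']} failure={flags['failure']}")
    print("missing failure auditing:", audit_findings(cp))
    print(describe_log(cp))
```

Run against the constructed fragment, the script reports that logon events and account management are audited for success only, which is the kind of gap that leaves failed logon attempts invisible in the Security log; the same functions can be pointed at a template exported from a real GPO.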
Restricted Groups
The Restricted Groups security area provides an important new security feature that acts as a governor for group membership. Restricted Groups automatically provides security memberships for default Windows 2000 groups that have predefined capabilities, such as Administrators, Power Users, Print Operators, Server Operators, and Domain Admins. You can later add any groups that you consider sensitive or privileged to the Restricted Groups security list.
For example, the Power Users group is automatically part of Restricted Groups, since it is a default Windows 2000 group. Assume it contains two users: Alice and Bob. Bob adds Charles to the group, through the Active Directory Users and Computers console, to cover for him while he is on vacation. However, no one remembers to remove Charles from the group when Bob comes back from vacation. In actual deployments, over time, these situations can add up, resulting in extra members in various groups who should no longer have these rights. Configuring security through Restricted Groups can prevent this situation. Because only Alice and Bob are listed in the Restricted Groups node for Power Users, when group policy settings are applied, Charles is removed from the group automatically.
Configuring Restricted Groups ensures that group memberships are set as specified. Groups and users not specified in Restricted Groups are removed from the specific group. In addition, the reverse membership configuration option ensures that each Restricted Group is a member of only those groups specified in the Member Of column. For these reasons, Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers.
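Both the account policy settings from earlier in this lesson and the Restricted Groups membership lists are written to a security template (.inf) under the [System Access] and [Group Membership] sections. The script below is an added example, not code from the book or from Microsoft. It parses a constructed template fragment, flags [System Access] values weaker than a baseline, and works out what applying the template's Members list would do to a group's current membership, using the Alice, Bob and Charles scenario from the text. The baseline thresholds are an assumption chosen for the example; account names are compared case-insensitively, as Windows does.

```python
"""Check account policy values and plan Restricted Groups enforcement from a
Windows 2000 security template (.inf). Added example for this lesson.

Under Restricted Groups the Members list is authoritative: when the policy is
applied, every current member not in the list is removed and listed members
that are missing are added.
"""
import configparser
from typing import Callable, Dict, List, Tuple

# Constructed template fragment; the group and its members follow the lesson's
# Alice/Bob/Charles example, and the policy values are illustrative only.
TEMPLATE = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
[Group Membership]
Power Users__Memberof =
Power Users__Members = Alice,Bob
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Baseline chosen for this example (an assumption, not a Microsoft value):
# setting -> (predicate the value must satisfy, what the predicate wants).
BASELINE: Dict[str, Tuple[Callable[[int], bool], str]] = {
    "MinimumPasswordLength": (lambda v: v >= 8, "at least 8 characters"),
    "PasswordComplexity": (lambda v: v == 1, "complexity enabled"),
    "PasswordHistorySize": (lambda v: v >= 12, "remember at least 12 passwords"),
    "MaximumPasswordAge": (lambda v: 1 <= v <= 42, "expire within 42 days"),
    "MinimumPasswordAge": (lambda v: v >= 1, "at least 1 day before a change"),
    "LockoutBadCount": (lambda v: 1 <= v <= 10, "lockout after 10 or fewer bad attempts"),
}


def load_template(text: str) -> configparser.ConfigParser:
    """Parse template text; keep key case and turn off %-interpolation."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = str  # template keys are case-sensitive names, keep them
    cp.read_string(text)
    return cp


def check_account_policy(cp: configparser.ConfigParser) -> List[str]:
    """Return one finding per [System Access] value that misses the baseline."""
    findings = []
    for name, (ok, want) in BASELINE.items():
        raw = cp.get("System Access", name, fallback=None)
        if raw is None:
            findings.append(f"{name}: not set in template (want {want})")
            continue
        value = int(raw)
        if not ok(value):
            findings.append(f"{name} = {value} (want {want})")
    return findings


def restricted_group_plan(cp: configparser.ConfigParser, group: str,
                          current_members: List[str]) -> Tuple[List[str], List[str]]:
    """Compute (to_add, to_remove) for `group` when the template is applied.

    A group absent from [Group Membership] is left alone; a listed group has
    its membership replaced by the Members list (an empty list empties it).
    """
    raw = cp.get("Group Membership", f"{group}__Members", fallback=None)
    if raw is None:
        return [], []
    wanted = [m.strip() for m in raw.split(",") if m.strip()]
    wanted_lower = {m.lower() for m in wanted}
    current_lower = {m.lower() for m in current_members}
    to_add = [m for m in wanted if m.lower() not in current_lower]
    to_remove = [m for m in current_members if m.lower() not in wanted_lower]
    return to_add, to_remove


if __name__ == "__main__":
    cp = load_template(TEMPLATE)
    for finding in check_account_policy(cp):
        print("weak:", finding)
    add, remove = restricted_group_plan(cp, "Power Users", ["Alice", "Bob", "Charles"])
    print("Power Users: add", add, "remove", remove)
```

With the constructed fragment, Charles is the only member scheduled for removal, which is exactly the cleanup the text describes; a group that the template does not list, such as Backup Operators here, is not touched, which is why the lesson recommends listing every group you consider sensitive.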
System Services
The system services area is used to configure security and startup settings for services running on a computer. The Security properties for the service determine what user or group accounts have permission to read/write/delete/execute, as well as inheritance settings, auditing, and ownership permission. The startup settings are
Automatic. Starts a service automatically at system start time.
Manual. Starts a service only if manually started.
Disabled. The service is disabled so it cannot be started.
If you choose to set system service startup to Automatic, perform adequate
testing to verify that the services can start without user intervention. You should track the system services used on a computer. For performance optimization, set unnecessary or unused services to Manual.
Registry and File System Areas
The registry area is used to configure security on registry keys. The file system area is used to configure security on specific file paths. You can edit the Security properties of the registry key or file path: what user or group accounts have
permission to read/write/delete/execute, as well as inheritance settings, auditing, and ownership permission.
Public Key Policies
The public key policies area is used to configure encrypted data recovery agents, domain roots, and trusted certificate authorities.
IP Security Policies
The IP security policies area is used to configure network Internet Protocol (IP) security.
Lesson Summary
In this lesson you were introduced to the security configuration settings
in a nonlocal GPO.