Windows 2000 Policies
Types of Policies
- Account policy - Determines how passwords are validated and how unsuccessful logon attempts are handled. Account policies can be set for Organizational Units, domains, domain controllers, and local computers. Three types of account policies:
    - Password policy - Determines how often the user must change passwords and various password requirements.
    - Account lockout policy - Determines when accounts are locked after failed logon attempts.
    - Kerberos policy - Windows 2000 domain controllers are key distribution centers (KDC) for the Kerberos security protocol, which is used for authentication.
- User Rights policy - Determines which users and groups can perform specific actions on the system.
- Audit policy - Determines the amount and type of security logging that Windows NT performs.
- System policy - Helps administrators manage users who are using Windows 95, 98, or NT computers. It can be used to provide a uniform environment for large numbers of users.
    - User System Policy
        - Individual User Policy
        - Default User Policy - Applies to users without individual user policies. There are initially no restrictions in this policy. The policy overwrites the HKEY_CURRENT_USER section of the Windows registry.
        - Group System Policy
    - Computer System Policy
        - Individual Computer System Policy
        - Default Computer System Policy
- Group policy - This policy, which is new with Windows 2000, applies to all members of the group it is set for, unless the member has an individual policy. Groups are listed by priority in the System Policy Editor's Group Priority dialog box. When a user is in multiple groups, the highest-priority group's policy applies. Applies only to Windows 2000 computers, their users, or both. Consists of:
    - A Group Policy Object in Active Directory.
    - Files and folders that are created when the Group Policy Object is created.
System Policy Priorities
Policy settings may be applied to any computer or user on the domain from the System Policy Editor.
- Individual User - HKEY_CURRENT_USER registry portion is modified. Settings for one user are changed.
- Group - Policies applied to groups. One group may have a higher profile priority than another, for the case when a user belongs to multiple groups. This is set using the "Options" menu with "Group Priority". If the user does not have an individual policy, this is applied.
- Default user - HKEY_CURRENT_USER registry portion is modified. Settings for any domain user that logs on from any computer are changed. If the user does not have an individual policy, this is applied.
- Individual Computer - (Non Windows 2000 computers) HKEY_LOCAL_MACHINE registry portion is modified. Policies apply to a specific computer.
- Default computer - HKEY_LOCAL_MACHINE registry portion is modified. Settings are changed for all domain computers. If the computer does not have an individual computer policy, this is applied.
Policy settings are determined by precedence as listed above. For example, individual user settings override group and default user policies. Group policies override default user policies. System (computer) policies override user and group policies. An individual computer policy overrides the default computer policy. Group policy priority may be specified from the System Policy Editor when a user is a member of multiple groups.
System Policy Editor
System policy settings for all users on the domain set using the System Policy Editor are merged with local profiles. User logon restrictions are set in User Manager for Domains. A policy may be set to automatically log users off during restricted logon hours. To start the System Policy Editor, click "Start", "Run", and type "poledit" in the text box.
The System Policy Editor is available on Windows 2000 Server type systems. Installation of the ADMINPAK will make it available on Windows 2000 Professional computers.
The following policy files are used for the following systems:
- NTCONFIG.POL - For NT
- CONFIG.POL - Windows 95/98
They must be created on the operating system on which they are intended for use. They are not used on Windows 2000.
Account policy and lockout Options
The three main groupings are "Password restrictions", "Account lockout", and "Kerberos". The first four items below are under "Password restrictions".
- Password policy
    - Enforce password history - Determines the number of passwords that must be used before an old password can be reused.
    - Maximum password age - If 0, passwords never need to be changed.
    - Minimum password age - If 0, passwords can be changed whenever the users want to. A non-zero value can prevent users from recycling back to their original password.
    - Minimum password length - Values are 0 to 14 characters. If 0, passwords are not required.
    - Passwords must meet complexity requirements - Uppercase, lowercase, numeric, and special characters may be required.
    - Store password using reversible encryption for all users - One-way encryption is more secure; reversible encryption is used for users on Apple computers.
- Account lockout policy
    - Account Lockout Threshold - Number of consecutive unsuccessful logon attempts before the account is locked. If 0, the account is not locked due to bad logon attempts.
    - Account Lockout Duration - Determines how long accounts remain locked. This is "Not Defined" or from 0 to 99,999 minutes. If "Not Defined", user accounts are never locked out. If 0, the account is locked out until the administrator re-enables the account.
    - Reset Account Lockout After - Specifies how long between bad logon attempts before the account lockout threshold counter is reset. Possible values are "Not Defined" or 1 to 99,999 minutes. If "Not Defined", user accounts are never locked out.
- Kerberos policy
    - Enforce user logon restrictions
    - Maximum lifetime for service ticket
    - Maximum lifetime for user ticket
    - Maximum lifetime for user ticket renewal
    - Maximum tolerance for computer clock synchronization
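An added example, not part of the original notes, that models how the password policy settings listed above (history, maximum and minimum age, minimum length, complexity) combine when a user tries to change a password. The three-of-four character class rule and the SHA-256 stand-in for the stored hash are assumptions made for this example only.

```python
import hashlib
from dataclasses import dataclass
from typing import List

@dataclass
class PasswordPolicy:
    history_size: int      # Enforce password history: 0 = no old passwords remembered
    max_age_days: int      # Maximum password age: 0 = passwords never expire
    min_age_days: int      # Minimum password age: 0 = may be changed at any time
    min_length: int        # Minimum password length: 0 = a blank password is allowed
    complexity: bool       # Passwords must meet complexity requirements

def pw_hash(pw: str) -> str:
    # Stand-in for the stored one-way hash (assumption; not the Windows hash format).
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def meets_complexity(pw: str) -> bool:
    """Assumed rule: at least three of the four character classes the notes name."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(classes) >= 3

def password_expired(policy: PasswordPolicy, days_since_change: int) -> bool:
    """Maximum password age: 0 means the password never has to be changed."""
    return policy.max_age_days != 0 and days_since_change > policy.max_age_days

def change_violations(policy: PasswordPolicy, new_pw: str,
                      history_hashes: List[str], days_since_change: int) -> List[str]:
    """Return the settings a proposed change violates; an empty list means accepted.
    history_hashes is newest-first; only the first history_size entries are enforced."""
    problems = []
    if policy.min_age_days and days_since_change < policy.min_age_days:
        problems.append("minimum password age")      # changed too recently
    if len(new_pw) < policy.min_length:
        problems.append("minimum password length")   # 0 allows an empty password
    if policy.complexity and not meets_complexity(new_pw):
        problems.append("complexity requirements")
    if pw_hash(new_pw) in history_hashes[:policy.history_size]:
        problems.append("password history")          # reuse of a remembered password
    return problems
```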
Account policy changes take effect when the user logs off and logs on again.
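An added example, not part of the original notes, that replays failed logons against the three account lockout settings described above (threshold, duration, reset counter) so the 0 and "Not Defined" cases can be seen side by side. Times are in minutes; the type and function names are my own, and None stands for "Not Defined".

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class LockoutPolicy:
    threshold: int                   # 0 = never locked for bad logon attempts
    duration_min: Optional[int]      # 0 = locked until an administrator re-enables it
    reset_after_min: Optional[int]   # minutes between bad attempts before the counter resets

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None   # time of the most recent bad attempt
    locked_at: Optional[int] = None  # time the lock was applied, or None

def is_locked(acct: AccountState, policy: LockoutPolicy, now: int) -> bool:
    """True while the lock is in force at time now."""
    if acct.locked_at is None:
        return False
    if policy.duration_min == 0:
        return True                  # only admin_unlock() clears this
    return now < acct.locked_at + policy.duration_min

def record_bad_logon(acct: AccountState, policy: LockoutPolicy, now: int) -> bool:
    """Count one failed logon at time now; return True if it locks the account."""
    # As the notes state: threshold 0, or a "Not Defined" duration/reset, means never locked.
    if policy.threshold == 0 or policy.duration_min is None or policy.reset_after_min is None:
        return False
    if is_locked(acct, policy, now):
        return False                 # already locked; nothing more to count
    if acct.last_bad is not None and now - acct.last_bad >= policy.reset_after_min:
        acct.bad_count = 0           # reset window elapsed: start counting again
    acct.bad_count += 1
    acct.last_bad = now
    if acct.bad_count >= policy.threshold:
        acct.locked_at = now
        return True
    return False

def admin_unlock(acct: AccountState) -> None:
    """Administrator re-enables the account and clears the counter."""
    acct.locked_at, acct.bad_count, acct.last_bad = None, 0, None

def lockout_timeline(policy: LockoutPolicy, attempt_times: List[int],
                     probe_times: List[int]) -> Dict[int, bool]:
    """Replay bad logons in time order and report the lock state at each probe time."""
    acct, result = AccountState(), {}
    events = sorted([(t, "bad") for t in attempt_times] + [(t, "probe") for t in probe_times])
    for t, kind in events:           # at equal times the bad attempt is processed first
        if kind == "bad":
            record_bad_logon(acct, policy, t)
        else:
            result[t] = is_locked(acct, policy, t)
    return result
```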
Setting Account Policies
- Organizational Units - In Administrative Tools, select "Active Directory Users and Computers".
- Domain - In Administrative Tools, select "Domain Security Policy". The ADMINPAK must be installed on the computer.
- Domain controllers - In Administrative Tools, select "Domain Controller Security Policy". The ADMINPAK must be installed on the computer.
- Local computers - From the Control Panel, "Administrative Tools" applet, double click "Local Security Policy".
User Rights Policies
- Shut down the computer from a remote location - Administrators, Power Users.
- Access the computer via the network - Administrators, Power Users, Everyone.
- Use the computer locally - All users
- Backup or restore directories and files - Administrators, backup operators
- Change time - Administrators, Power users.
- Delete or add device drivers - Administrators
- Change the security logging policy - Administrators
- Shut the system down - All users except guests
- Take file ownership - All operators
The Event Viewer allows viewing of the events specified by the audit policy.
Auditing must be enabled in the Audit Policy window by checking the "Audit these Events" box in User Manager. The Event Viewer allows the following types of event information to be viewed:
- System - Logs system errors, driver errors, binding errors, or service failures.
- Security - Bad logon attempts.
Each message has an event ID number. A maximum size of logs and writing over of event logs can be set depending on available disk space.