
Settings Breakdown for Windows Server 2008 and Windows Vista : Policies (part 2) - Security Settings - Account Policies, Local Policies

10/10/2013 3:47:13 AM

2 Windows Settings

The Windows Settings node is a large, high-level Group Policy node that contains settings ranging from log-on scripts to IPsec policies. The majority of the settings that fall under this node are security related. The Security Settings node and its subnodes contain essential settings that help secure domain controllers, servers, and desktops. You will want to spend time with these settings to ensure that you have covered all of the possible options that you want for protecting your network, communication on the network, and data that resides on the computers.

2.1 Remote Installation Services (User Configuration Only)

This policy is designed to control the options that users have when they initiate Remote Installation Services (RIS). The four areas of configuration, shown in Figure 3, include:

  • Automatic Setup

  • Custom Setup

  • Restart Setup

  • Tools

Figure 3. The RIS policy allows you to configure user options at the beginning of a RIS installation.


2.2 Scripts

You can configure four types of scripts using Group Policy: two reside under the Computer Configuration section and two under the User Configuration section. Scripts let you apply configuration when the targeted “object” (a computer or a user session) starts and again when it ends.

For example, the scripts that coincide with a computer starting and shutting down are Startup scripts and Shutdown scripts. Similarly, user accounts can have Logon scripts and Logoff scripts.

2.3 Security Settings

The Security Settings node contains many subnodes that are essential to your Active Directory domain, as well as the overall security of your network. Settings under this node and its subnodes are included in both the Default Domain Policy and the Default Domain Controllers Policy. The important subnodes that you will find under the Security Settings node include Account Policies, Local Policies (which holds Audit Policy, User Rights Assignment, and Security Options), Restricted Groups, and Software Restriction Policies. You will notice that under the Computer Configuration section, the Security Settings node has many more settings than it does under the User Configuration section.

2.3.1 Account Policies (Computer Configuration Only)

This node and its subnodes contain some of the most important security settings for your Active Directory domain and for the computers that are joined to the domain. Within this node, you will find three subnodes that control user account passwords, account lockout, and Kerberos ticket settings.

  • Password Policy This node and its settings control the passwords for user accounts: password history, minimum and maximum age, minimum length, complexity requirements, and whether passwords are stored using reversible encryption (which should stay disabled). The Default Domain Policy uses these settings to establish the password policy for all domain user accounts. For domain accounts, only the Password Policy linked at the domain level takes effect; a Password Policy in a GPO linked to an OU applies only to the local account databases of the member computers in that OU. Windows Server 2008 also introduces fine-grained password policies (password settings objects), which can override the domain default for specific users and groups.

  • Account Lockout Policy This node and its settings control how the system responds to repeated failed log-on attempts. You can set how many failed attempts are allowed before the account is locked (Account lockout threshold), how long the account stays locked (Account lockout duration), and how long the system waits before resetting the failed-attempt counter (Reset account lockout counter after). A threshold of 0 disables lockout entirely; a very low threshold makes it easy for an attacker to lock out legitimate users.

  • Kerberos Policy Although it is not standard practice to alter the settings under this node, they control nearly every aspect of the Kerberos ticket-granting process: whether user logon restrictions are enforced, the maximum lifetime of service tickets and user tickets (TGTs), the maximum renewal lifetime, and the maximum tolerance for clock skew between computers. Like Password Policy, these settings take effect for domain accounts only when linked at the domain level.

2.3.2 Local Policies (Computer Configuration Only)

The settings under the Local Policies node in a GPO target settings that reside on every computer. They are called “local” policies because these settings are stored locally on each computer on the network. In some situations, a grouping of computers (for example, all computers in the HR department) must have exactly the same settings under these nodes. In other cases, different groupings of computers (for example, Web servers versus Microsoft Exchange servers) must have different settings. Group Policy combined with a suitable Active Directory OU structure makes both scenarios easy to deploy.

  • Audit Policy These settings control which activity is recorded in the Security log in Event Viewer. Each category can audit success, failure, both, or neither. The available options are numerous, including tracking account management, computer tasks (such as logon using Terminal Services or performance of a backup), file access, and user logon. The list of audit policy settings includes:

    • Audit account log-on events

    • Audit account management

    • Audit directory service access

    • Audit log-on events

    • Audit object access

    • Audit policy change

    • Audit privilege use

    • Audit process tracking

    • Audit system events

  • User Rights Assignment Management of a computer occurs at the computer and is controlled by user rights. The ability to log on locally, log on over the network, back up files, generate security audits, and much more is controlled by user rights. Several of these rights (for example, Act as part of the operating system, Debug programs, Create a token object, Back up and Restore files and directories, and Take ownership) are equivalent to full control of the computer and should be granted only to Administrators or the built-in groups that hold them by default. User rights include the following:

    • Access this computer from the network

    • Act as part of the operating system

    • Add workstations to domain

    • Adjust memory quotas for a process

    • Allow logon through Terminal Services

    • Back up files and directories

    • Bypass traverse checking

    • Change the system time

    • Create a pagefile

    • Create a token object

    • Create global objects

    • Create permanent shared objects

    • Debug programs

    • Deny access to this computer from the network

    • Deny logon as a batch job

    • Deny logon as a service

    • Deny logon locally

    • Deny logon through Terminal Services

    • Enable computer and user accounts to be trusted for delegation

    • Force shutdown from a remote system

    • Generate security audits

    • Impersonate a client after authentication

    • Increase scheduling priority

    • Load and unload device drivers

    • Lock pages in memory

    • Log on as a batch job

    • Log on as a service

    • Allow log on locally

    • Manage auditing and security log

    • Modify firmware environment values

    • Perform volume maintenance tasks

    • Profile single process

    • Profile system performance

    • Remove computer from docking station

    • Replace a process level token

    • Restore files and directories

    • Shut down the system

    • Synchronize directory service data

    • Take ownership of files and other objects

  • Security Options With nearly 80 settings under this node, you have many options to choose from to help secure your domain controllers, servers, and desktops. The settings under this node primarily restrict access to the computer and control how it communicates with other computers over the network. The settings are divided into subcategories, which include the following:

    • Accounts

    • Audit

    • DCOM

    • Devices

    • Domain controller

    • Domain member

    • Interactive logon

    • Microsoft network client

    • Microsoft network server

    • Network access

    • Network security

    • Recovery console

    • Shutdown

    • System cryptography

    • System objects

    • System settings

    • User Account Control

  • Event Log These settings allow you to control the three primary logs in Event Viewer: Application, Security, and System. These three logs can be managed in the following ways:

    • By size of log

    • By retention method

    • By days to retain log

    • By access to log
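The Account Policies, Audit Policy, and User Rights Assignment settings described above all end up in the local security database of each computer, and secedit can export that database as an INF file. The following PowerShell script is an added example, not code from the original article: it parses such an export and flags weak values in the three areas. The baseline numbers, the table of sensitive rights and their expected holders, the constructed sample export, and the parameter names are all assumptions made for this example.

```powershell
# Added example (not from the original article): read the settings that the
# Account Policies, Audit Policy and User Rights Assignment nodes write to a
# computer, by parsing a secedit export, and flag weak values. The baseline
# numbers, the sensitive-rights table and the sample export are assumptions.
param(
    [string]$IniPath,                 # an export collected elsewhere; omit to export live
    [int]$MinPasswordLength = 14,     # assumed baseline
    [int]$MaxLockoutThreshold = 10    # assumed baseline
)

# Constructed sample (not from a real host), used when no export is available.
$SampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 0
AuditAccountManage = 1
AuditPolicyChange = 0
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeTcbPrivilege = 
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Parse the INF into section -> (key -> value). secedit writes UTF-16LE.
function ConvertFrom-SeceditInf {
    param([string[]]$Lines)
    $policy = @{}; $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $policy[$section][$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $policy
}

if ($IniPath) {
    $lines = Get-Content -Path $IniPath -Encoding Unicode
} elseif (Get-Command secedit.exe -ErrorAction SilentlyContinue) {
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'        # export needs an elevated prompt
    & secedit.exe /export /cfg $tmp /quiet | Out-Null
    $lines = Get-Content -Path $tmp -Encoding Unicode
    Remove-Item -Path $tmp -Force
} else {
    $lines = $SampleInf -split "`r?`n"
}
$pol    = ConvertFrom-SeceditInf -Lines $lines
$sys    = if ($pol['System Access'])    { $pol['System Access'] }    else { @{} }
$audit  = if ($pol['Event Audit'])      { $pol['Event Audit'] }      else { @{} }
$rights = if ($pol['Privilege Rights']) { $pol['Privilege Rights'] } else { @{} }
$findings = New-Object System.Collections.Generic.List[string]

# Account Policies: Password Policy and Account Lockout Policy.
if ([int]$sys['MinimumPasswordLength'] -lt $MinPasswordLength) {
    $findings.Add("Minimum password length is $([int]$sys['MinimumPasswordLength']), baseline $MinPasswordLength")
}
if ($sys['PasswordComplexity'] -ne '1') { $findings.Add('Password complexity is not enforced') }
$threshold = [int]$sys['LockoutBadCount']
if ($threshold -eq 0) { $findings.Add('Account lockout threshold is 0 (lockout disabled)') }
elseif ($threshold -gt $MaxLockoutThreshold) { $findings.Add("Account lockout threshold $threshold exceeds baseline $MaxLockoutThreshold") }

# Audit Policy: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
$mustAudit = 'AuditAccountLogon', 'AuditLogonEvents', 'AuditAccountManage', 'AuditPolicyChange'
foreach ($cat in $mustAudit) {
    if ([int]$audit[$cat] -ne 3) { $findings.Add("$cat is $([int]$audit[$cat]); expected 3 (success and failure)") }
}

# User Rights Assignment: rights that hand out SYSTEM-equivalent power, keyed by
# their INF constant, with the holders a default configuration allows.
# S-1-5-32-544 = Administrators, S-1-5-32-551 = Backup Operators.
$sensitive = @{
    'SeDebugPrivilege'         = @('*S-1-5-32-544')                  # Debug programs
    'SeTcbPrivilege'           = @()                                 # Act as part of the operating system
    'SeCreateTokenPrivilege'   = @()                                 # Create a token object
    'SeTakeOwnershipPrivilege' = @('*S-1-5-32-544')                  # Take ownership of files and other objects
    'SeLoadDriverPrivilege'    = @('*S-1-5-32-544')                  # Load and unload device drivers
    'SeBackupPrivilege'        = @('*S-1-5-32-544', '*S-1-5-32-551') # Back up files and directories
    'SeRestorePrivilege'       = @('*S-1-5-32-544', '*S-1-5-32-551') # Restore files and directories
}
foreach ($right in $sensitive.Keys) {
    $holders = @(($rights[$right] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($h in $holders) {
        if ($sensitive[$right] -notcontains $h) { $findings.Add("$right granted to $h") }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No findings' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Run it from an elevated prompt on the target to export and check the live policy, or pass -IniPath to check an export gathered from another computer. Against the constructed sample it reports the 7-character minimum length, the missing complexity requirement, the disabled lockout, the three audit categories that are not set to success and failure, and the Users group (S-1-5-32-545) holding Debug programs. Two caveats: on a domain member the effective values come from the GPOs applied to the computer, so compare the export with what the GPO intends rather than treating either alone as authoritative; and on Windows Vista and Windows Server 2008 the nine categories in [Event Audit] are overridden when subcategory auditing is applied with auditpol and the Security Options setting that forces subcategory settings to take precedence, in which case auditpol /get /category:* shows the effective policy.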
