
Windows 7 : Managing and Applying LGPOs (part 3) - Using Local Policies

9/20/2011 3:54:49 PM

3. Using Local Policies

Account policies are used to control logon procedures. When you want to control what a user can do after logging on, you use local policies. With local policies, you can implement auditing, specify user rights, and set security options.

To use local policies, first add the Local Computer Policy snap-in to the MMC. Then, from the MMC, follow this path to access the Local Policies folders: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies. Figure 5 shows the three Local Policies folders: Audit Policy, User Rights Assignment, and Security Options. You will look at each of those in the following sections.

Figure 5. Accessing the Local Policies folders

3.1. Setting Audit Policies

Audit policies can be implemented to track the success or failure of specified user actions. You audit events that pertain to user management through the audit policies. By tracking certain events, you can create a history of specific tasks, such as user creation and successful or unsuccessful logon attempts. You can also identify security violations that arise when users attempt to access system management tasks for which they do not have permission.

Real World Scenario: Auditing Failed Attempts

As an IT manager, you have to make sure that you monitor failed attempts to access resources. A failed attempt to access a resource usually means that someone tried to access the resource and was denied due to insufficient privileges.

Users who try to go to areas for which they do not have permission usually fall into two categories: hackers and people who are just curious to see what they can get away with. Both are very dangerous.

If a user is trying to access an area in which they do not belong, make sure to warn the user about the attacks. This is very common on a network and needs to be nipped in the bud immediately.


When you define an audit policy, you can choose to audit success or failure of specific events. The success of an event means that the task was successfully accomplished. The failure of an event means that the task was not successfully accomplished.

By default, auditing is not enabled, and it must be manually configured. Once auditing has been configured, you can see the results of the audit in the security log using the Event Viewer utility.

Figure 6 shows the audit policies, which are described in Table 3.

Figure 6. The audit policies

Table 3. Audit policy options

Policy | Description
Audit Account Logon Events | Tracks when a user logs on or logs off either their local machine or the domain (if domain auditing is enabled)
Audit Account Management | Tracks user and group account creation, deletion, and management actions, such as password changes
Audit Directory Service Access | Tracks directory service accesses
Audit Logon Events | Audits events related to logon, such as running a logon script, accessing a roaming profile, and accessing a server
Audit Object Access | Enables auditing of access to files, folders, and printers
Audit Policy Change | Tracks any changes to the audit policies, trust policies, or user rights assignment policies
Audit Privilege Use | Tracks users exercising a user right
Audit Process Tracking | Tracks events such as activating a program, accessing an object, and exiting a process
Audit System Events | Tracks system events such as shutting down or restarting the computer as well as events that relate to the security log in Event Viewer

After you set the Audit Object Access policy to enable auditing of object access, you must enable file auditing through NTFS security or print auditing through printer security.

Complete Exercise 5 to configure audit policies and view their results.

Exercise 5: Configuring Audit Policies

  1. Open the LGPO MMC shortcut.

  2. Expand the Local Computer Policy snap-in.

  3. Expand the folders as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

  4. Open the Audit Account Logon Events policy. Check the Success and Failure boxes. Click OK.

  5. Open the Audit Account Management policy. Check the Success and Failure boxes. Click OK.

  6. Log off your Administrator account. Attempt to log back on as your Administrator account with an incorrect password. The logon should fail (because the password is incorrect).

  7. Log on as an administrator.

  8. Select Start, right-click Computer, and choose Manage to open Event Viewer.

  9. From Event Viewer, open the Security log by selecting Windows Logs => Security. You should see the audited events listed with a Task Category of Credential Validation.
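The same two settings can be applied, and the resulting Security-log records read back, from the command line. The script below is an added example, not code from the chapter or from Microsoft: it uses auditpol (which drives the same settings the Audit Policy folder exposes) and Get-WinEvent, and it also implements the "watch for failed attempts" advice from the Real World Scenario above by flagging accounts with repeated credential-validation failures. It assumes an elevated PowerShell 3.0 or later prompt (Windows Management Framework 3.0 on Windows 7); the threshold of five failures in 24 hours is an arbitrary value chosen for the example.

```powershell
# Added example; not part of the original chapter. Enables the two audit
# categories that Exercise 5 turns on, then reads back the Security-log
# records they produce. Run from an elevated PowerShell (3.0+) prompt.

function Enable-LogonAuditing {
    # auditpol writes the same settings the Audit Policy folder exposes:
    # "Account Logon" is Audit Account Logon Events, "Account Management"
    # is Audit Account Management. Success and failure are both enabled,
    # as in steps 4 and 5 of the exercise.
    foreach ($category in 'Account Logon', 'Account Management') {
        auditpol /set /category:"$category" /success:enable /failure:enable | Out-Null
        auditpol /get /category:"$category"      # prints the effective setting
    }
}

# Keywords bit that every "Audit Failure" record in the Security log carries
$AuditFailure = 0x10000000000000

function Get-FailedCredentialValidation {
    param([int]$Hours = 24)
    # Event 4776 is the "Credential Validation" task category the exercise
    # tells you to look for; the bad-password logon in step 6 lands here.
    $filter = @{
        LogName   = 'Security'
        Id        = 4776
        Keywords  = $AuditFailure
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $data['TargetUserName']
            Workstation = $data['Workstation']
            # 0xC000006A = wrong password, 0xC0000064 = account does not exist
            Status      = $data['Status']
        }
    }
}

function Get-AccountManagementEvents {
    param([int]$Hours = 24)
    # Common Account Management IDs: 4720 user created, 4722 user enabled,
    # 4724 password reset, 4726 user deleted, 4732 member added to local group
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720, 4722, 4724, 4726, 4732
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, TaskDisplayName, Message
}

function Find-RepeatedFailures {
    # The Real World Scenario asks you to watch failed attempts: report any
    # account with $Threshold or more failures inside the window (the
    # threshold is an example value, tune it for your environment).
    param([int]$Hours = 24, [int]$Threshold = 5)
    Get-FailedCredentialValidation -Hours $Hours |
        Group-Object Account |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Failures = $_.Count
                Sources  = ($_.Group | ForEach-Object { $_.Workstation } | Sort-Object -Unique) -join ', '
            }
        }
}

Enable-LogonAuditing
Get-FailedCredentialValidation | Format-Table -AutoSize
Get-AccountManagementEvents    | Format-Table -AutoSize
Find-RepeatedFailures          | Format-Table -AutoSize
```

After running steps 6 and 7 of the exercise, the first table should show a 4776 record for the Administrator account with Status 0xC000006A; the grouping in Find-RepeatedFailures is what turns a single curious mistype into a signal only once the same account fails repeatedly.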


In the next section, we will look at how to configure user rights on a Windows 7 machine.

3.2. Assigning User Rights

The user rights policies determine what rights a user or group has on the computer. User rights apply to the system. They are not the same as permissions, which apply to a specific object.

An example of a user right is the Back Up Files And Directories right. This right allows a user to back up files and folders even if the user does not have permissions that have been defined through NTFS file system permissions. The other user rights are similar because they deal with system access as opposed to resource access.

Figure 7 shows the user rights policies, which are described in Table 4.

Figure 7. The user rights policies

Table 4. User Rights Assignment Policy Options

Right | Description
Access Credential Manager As A Trusted Caller | Used to back up and restore Credential Manager.
Access This Computer From The Network | Allows a user to access the computer from the network.
Act As Part Of The Operating System | Allows low-level authentication services to authenticate as any user.
Add Workstations To Domain | Allows a user to create a computer account on the domain.
Adjust Memory Quotas For A Process | Allows you to configure how much memory can be used by a specific process.
Allow Log On Locally | Allows a user to log on at the physical computer.
Allow Log On Through Terminal Services | Gives a user permission to log on through Terminal Services. Does not affect Windows 2000 computers prior to SP2.
Back Up Files And Directories | Allows a user to back up all files and directories regardless of how the file and directory permissions have been set.
Bypass Traverse Checking | Allows a user to pass through and traverse the directory structure, even if that user does not have permissions to list the contents of the directory.
Change The System Time | Allows a user to change the internal time and date on the computer.
Change The Time Zone | Allows a user to change the time zone.
Create A Pagefile | Allows a user to create or change the size of a page file.
Create A Token Object | Allows a process to create a token if the process uses an internal API to create the token.
Create Global Objects | Allows a user to create global objects when connected using Terminal Server.
Create Permanent Shared Objects | Allows a process to create directory objects through Object Manager.
Create Symbolic Links | Allows a user to create a symbolic link.
Debug Programs | Allows a user to attach a debugging program to any process.
Deny Access To This Computer From The Network | Allows you to deny specific users or groups access to this computer from the network. Overrides the Access This Computer From The Network policy for accounts present in both policies.
Deny Log On As A Batch Job | Allows you to prevent specific users or groups from logging on as a batch file. Overrides the Log On As A Batch Job policy for accounts present in both policies.
Deny Log On As A Service | Allows you to prevent specific users or groups from logging on as a service. Overrides the Log On As A Service policy for accounts present in both policies.
Deny Log On Locally | Allows you to deny specific users or groups access to the computer locally. Overrides the Log On Locally policy for accounts present in both policies.
Deny Log On Through Terminal Services | Specifies that a user is not able to log on through Terminal Services. Does not affect Windows 2000 computers prior to SP2.
Enable Computer And User Accounts To Be Trusted For Delegation | Allows a user or group to set the Trusted For Delegation setting for a user or computer object.
Force Shutdown From A Remote System | Allows the system to be shut down by a user at a remote location on the network.
Generate Security Audits | Allows a user, group, or process to make entries in the security log.
Impersonate A Client After Authentication | Enables programs running on behalf of a user to impersonate a client.
Increase A Process Working Set | Allows the size of a process working set to be increased.
Increase Scheduling Priority | Specifies that a process can increase or decrease the priority that is assigned to another process.
Load And Unload Device Drivers | Allows a user to dynamically unload and load device drivers. This right does not apply to Plug And Play drivers.
Lock Pages In Memory | Allows an account to create a process that runs only in physical RAM, preventing it from being paged.
Log On As A Batch Job | Allows a process to log on to the system and run a file that contains one or more operating system commands.
Log On As A Service | Allows a service to log on in order to run.
Manage Auditing And Security Log | Allows a user to enable object access auditing for files and other Active Directory objects. This right does not allow a user to enable general object access auditing in the Local Security Policy.
Modify An Object Label | Allows a user to change the integrity level of files, folders, or other objects.
Modify Firmware Environment Variables | Allows a user to install or upgrade Windows. It also allows a user or process to modify the firmware environment variables stored in NVRAM of non-x86-based computers. This right does not affect the modification of system environment variables or user environment variables.
Perform Volume Maintenance Tasks | Allows a user to perform volume maintenance tasks such as defragmentation and error checking.
Profile Single Process | Allows a user to monitor nonsystem processes through performance-monitoring tools.
Profile System Performance | Allows a user to monitor system processes through performance-monitoring tools.
Remove Computer From Docking Station | Allows a user to undock a laptop through the Windows 7 user interface.
Replace A Process Level Token | Allows a process, such as Task Scheduler, to call an API to start another service.
Restore Files And Directories | Allows a user to restore files and directories regardless of file and directory permissions.
Shut Down The System | Allows a user to shut down the Windows 7 computer locally.
Synchronize Directory Service Data | Allows a user to synchronize Active Directory data.
Take Ownership Of Files Or Other Objects | Allows a user to take ownership of system objects, such as files, folders, printers, and processes.

In Exercise 6, you'll apply a user rights policy.

Exercise 6: Applying User Rights

  1. Open the LGPO MMC shortcut.

  2. Expand the Local Computer Policy snap-in.

  3. Expand the folders as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

  4. Open the Log On As A Service user right.

  5. Click the Add User Or Group button. The Select Users Or Groups dialog box appears.

  6. Click the Advanced button, and then select Find Now.

  7. Select a user. Click OK.

  8. Click OK in the Select Users Or Groups dialog box.

  9. In the Log On As A Service Properties dialog box, click OK.
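The User Rights Assignment folder can also be read and changed with secedit, which is useful for reviewing which accounts hold the more powerful rights in Table 4 and for scripting what Exercise 6 does by hand. The script below is an added example, not the chapter's or Microsoft's code. It assumes an elevated PowerShell 3.0 or later prompt; the account name svc-backup used in the commented-out call at the end is hypothetical, and the right-to-constant mapping (SeServiceLogonRight for Log On As A Service and so on) is the naming secedit itself uses in its exported .inf file.

```powershell
# Added example; not the chapter's own code. Reads and changes User Rights
# Assignment through secedit, the command-line counterpart of the
# Local Policies\User Rights Assignment folder. Run elevated (PowerShell 3.0+).

$Export = Join-Path $env:TEMP 'user-rights.inf'

function Export-UserRights {
    # secedit writes a UTF-16 .inf whose [Privilege Rights] section holds
    # lines such as:  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1001
    # ('*' marks a SID; an entry without '*' is already an account name)
    secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Export) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Resolve-PrincipalName {
    param([string]$Entry)
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }
    $sid = $Matches[1]
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # orphaned SID (deleted account): show it raw
}

# Rights from Table 4 whose holders are worth reviewing, keyed by the
# constant name secedit uses for each of them
$ReviewRights = [ordered]@{
    SeTcbPrivilege           = 'Act As Part Of The Operating System'
    SeDebugPrivilege         = 'Debug Programs'
    SeBackupPrivilege        = 'Back Up Files And Directories'
    SeRestorePrivilege       = 'Restore Files And Directories'
    SeTakeOwnershipPrivilege = 'Take Ownership Of Files Or Other Objects'
    SeLoadDriverPrivilege    = 'Load And Unload Device Drivers'
    SeServiceLogonRight      = 'Log On As A Service'
}

function Show-RightHolders {
    $rights = Export-UserRights
    foreach ($name in $ReviewRights.Keys) {
        $entries = @($rights[$name] | Where-Object { $_ })
        $holders = @($entries | ForEach-Object { Resolve-PrincipalName $_ })
        [pscustomobject]@{
            Right   = $ReviewRights[$name]
            Holders = if ($holders) { $holders -join ', ' } else { '(nobody)' }
        }
    }
}

function Grant-ServiceLogonRight {
    # Grants Log On As A Service (what Exercise 6 does in the GUI) to one
    # account. secedit replaces the whole list for a right, so the current
    # holders are merged back in rather than overwritten.
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'PCNAME\svc-backup' (hypothetical)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $current = @((Export-UserRights)['SeServiceLogonRight'] | Where-Object { $_ })
    if ($current -contains "*$sid") { Write-Output "$Account already holds the right"; return }
    $merged = ($current + "*$sid") -join ','

    $inf = Join-Path $env:TEMP 'grant-service-logon.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $merged
"@ | Set-Content -Path $inf -Encoding Unicode

    secedit /configure /db (Join-Path $env:TEMP 'grant-service-logon.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
    Show-RightHolders | Where-Object { $_.Right -eq 'Log On As A Service' }
}

Show-RightHolders | Format-Table -AutoSize
# Grant-ServiceLogonRight -Account "$env:COMPUTERNAME\svc-backup"   # hypothetical account name
```

Two points the GUI hides are worth noting. A right applied through secedit replaces the entire assignment, which is why Grant-ServiceLogonRight re-reads the current holders before writing; and an entry that Resolve-PrincipalName leaves as a raw SID is usually a deleted account that still holds the right, which is exactly the kind of leftover a periodic review of Show-RightHolders is meant to surface.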


In the next section, we will look at how users can install resources on Windows 7 without being an administrator by using User Account Control.
