Microsoft Windows 2000 Security Configuration Guide

Chapter 3 - Secure Configuration

This section provides detailed procedures for making security configuration changes to the standard install base of Windows 2000 in support of the Evaluated Configuration. Tables are provided describing the security objective and the configuration actions necessary to meet that objective. Actions are described for Windows 2000 Professional (Stand-alone and Domain Member), Server (Stand-alone and Domain Member), and Domain Controller configurations.

If a Domain Security Policy is to be applied for all computers across a Domain, the settings defined for Windows 2000 Professional and Server must be used to comprise the requirements for the Domain Security Policy, as applicable. The Domain Controller settings defined in the document tables apply only to a Domain Controller Security Policy.

Section 5 of this document provides the procedures for automating most of the security settings defined in this section by applying pre-defined security configuration templates. For convenience, a Windows 2000 Security Configuration Checklist is provided in Appendix E of this document.


Windows 2000 Security Policies

This subsection explains the various security policy tools and their order of precedence with respect to application of security policies. By default, Group Policies are inherited and cumulative, and affect all computers in an Active Directory container. Group Policies are administered through the use of Group Policy Objects (GPOs), which are data structures attached in a specific hierarchy to selected Active Directory Objects, such as Sites, Domains, or Organizational Units (OUs).

These GPOs, once created, are applied in a standard order: LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU, with later policies taking precedence over earlier applied policies. Local Group Policy Objects are processed first, and then domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, the local Group Policy Object is applied.

When a computer is joined to a domain with the Active Directory and Group Policy implemented, a Local Group Policy Object is processed. Note that LGPO policy is processed even when the Block Policy Inheritance option has been specified.

Account policies (i.e., password, lockout, Kerberos) are defined for the entire domain in the default domain Group Policy Object (GPO). Local policies (i.e., audit, user rights, and security options) for Domain Controllers (DCs) are defined in the default Domain Controllers GPO. For DCs, settings defined in the default DC GPO have higher precedence than settings defined in the default Domain GPO. Thus, if a user privilege were configured (for example, Add workstations to domain) in the default Domain GPO, it would have no impact on the DCs in that domain.

Options exist that allow enforcement of the Group Policy in a specific Group Policy Object so that GPOs in lower-level Active Directory containers are prevented from overriding that policy. For example, if there is a specific GPO defined at the domain level and it is specified that the GPO be enforced, the policies that the GPO contains apply to all OUs under that domain; that is, the lower-level containers (OUs) cannot override that domain Group Policy.

Note: The Account Policies security area receives special treatment in how it takes effect on computers in the domain. All DCs in the domain receive their account policies from GPOs configured at the domain node regardless of where the computer object for the DC is. This ensures that consistent account policies are enforced for all domain accounts. All non-DC computers in the domain follow the normal GPO hierarchy for getting policies for the local accounts on those computers. By default, member workstations and servers enforce the policy settings configured in the domain GPO for their local accounts, but if there is another GPO at lower scope that overrides the default settings, then those settings will take effect.

Local Security Policy

A Local Security Policy is used to set the security requirements on the local computer. It is primarily used for stand-alone computers or to apply specific security settings to a Domain member. Within an Active Directory managed network the Local Security Policy settings have the least precedence.

To open the Local Security Policy:

1. Log on to the computer with administrative rights.

2. In a Windows 2000 Professional computer, Administrative Tools is not displayed as a Start menu option by default. To view the Administrative Tools menu option in Windows 2000 Professional, click Start, point to Settings, and select Taskbar and Start Menu. In the Taskbar and Start Menu Properties window, click the Advanced tab. Check the Display Administrative Tools checkbox in the Start Menu Settings dialog box. Click the OK button to complete the setting.

3. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy. This opens the Local Security Settings console.

Note: Local Security Policies display Local Settings for the computer and the Effective Settings resulting from the addition of Domain level security policy settings. Domain level security policy settings take precedence over any local settings, as shown below.

Domain Security Policy

A Domain Security Policy is used to set and propagate security requirements for all computers in the Domain. The Domain Security Policy overrides Local Security Policy settings for all computers within the Domain.

To open the Domain Security Policy:

1. Log on to the Domain Controller with administrative rights.

2. Click Start, point to Programs, point to Administrative Tools, and then click Domain Security Policy. This opens the Domain Security Policy console.

Domain Controller Security Policy

A Domain Controller Security Policy is used to set and propagate security requirements for Domain Controllers. The Domain Controller Security Policy applies strictly to all Domain Controllers within the applicable Domain and is not overwritten by the Domain Security Policy.

To open the Domain Controller Security Policy:

1. Log on to the Domain Controller with administrative rights.

2. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy. This opens the Domain Controller Security Policy console.

Organizational Unit Group Policy Objects

This document will not cover the implementation of OU GPOs. However, it should be noted that an OU GPO may override security policy settings implemented by the previously discussed policy interfaces. For example, if a policy that is set for the domain is incompatible with the same policy configured for a child OU, the child does not inherit the domain policy setting. Instead, the setting in the child OU is applied. This can be avoided by selecting the No Override option when creating an OU GPO. The No Override option forces all child containers to inherit the parent's policies even if those policies conflict with the child's policies, and even if Block Inheritance has been set for the child. The No Override check box is located by clicking the Options button on the GPO's Properties dialog box.

Additional Security Configuration Interfaces

For ease of discussion and implementation, this document focuses on managing security settings through the interfaces described above, the Windows 2000 Security Policies. However, additional tools are available, and may be used in cases where the stand-alone policy interfaces do not provide a capability to address specific security management options. These tools include several of the standard Windows 2000 management interfaces, as well as the Security Configuration Tool Set, which can be used not only to apply specific security settings but also to test the operating system for compliance with established policy requirements. Details on using each of these interfaces can be found in the Windows 2000 Evaluated Configuration Administrator's Guide.

Windows Explorer

Windows Explorer can be used to configure permission and audit settings on specific files and folders. Shares and share permissions can also be set through the Windows Explorer interface, as illustrated below.

Registry Editors

Two Registry editors are available with Windows 2000: Regedit.exe and Regedt32.exe. Of the two, only Regedt32.exe supports editing of permission and audit settings for Registry key objects. In the Evaluated Configuration, only Regedt32.exe should be used.

Warning: Using Registry Editor incorrectly can cause serious, system-wide problems that may require reinstallation of Windows 2000 to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved.

Computer Management Interface

The Computer Management interface is available on all Windows 2000 operating systems. It supports management of audit logs, share assignments and permissions, system services, as well as user and group accounts. On Domain Controllers, user and group accounts are managed from the Active Directory Users and Computers interface instead of the Computer Management interface.

Active Directory Users and Computers

The Active Directory Users and Computers interface is used to create and manage users, computers, and other Active Directory objects for a domain and is only available on Domain Controllers.

Microsoft Security Configuration Tool Set

The Microsoft Security Configuration Tool Set consists of a set of Microsoft Management Console (MMC) snap-ins designed to provide a capability for security configuration and analysis of Windows 2000 operating systems. The Security Configuration Tool Set allows administrators to configure security on Windows 2000 operating systems, and then perform periodic analysis of the systems to ensure that the configuration remains intact or to make necessary changes over time.

Account Policies

Account policies are the rules that control three major account authentication features: password configuration, account lockout, and Kerberos authentication.

Password policy. For local user accounts, determines settings for passwords such as enforcement and lifetimes.

Account lockout policy. For local user accounts, determines when and for whom an account will be locked out of the system.

Kerberos policy. Kerberos authentication is the primary authentication mechanism used in an Active Directory domain.

Account policies can be applied to user accounts in domains, organizational units, trees, and so forth, and there is a hierarchical structure to these policies:

Domain policies take precedence over Active Directory object policies.

Organizational unit policies take precedence over Domain policies.

Root domain policies take precedence over all policies.

See the Windows 2000 Evaluated Configuration Administrator's Guide for additional information on setting account policies.

Set the Password Policy

View and edit current password policy settings as follows:

1. Open the applicable Security Policy.

2. Expand Security Settings.

3. Within Security Settings, expand Account Policies to reveal the Password, Account Lockout, and Kerberos policies.

4. Click on the Password Policy object. The right-hand details pane will reveal the configurable Password Policy settings.

5. Set the Password Policy as recommended or required in Table 3.1.

Table 3.1 Password Policy Settings

Columns: Password Policies | Pro. | Server | DC | Required | Recommended

Set the Password History Requirements

Security Objective: Set a limit on how often passwords may be reused.

Procedure:

1. Double click on the Enforce password history policy object in the right-hand details pane to open the corresponding Security Policy Setting dialog window.

2. For Domain-level policies, check the Define this policy setting box.

3. Change the number in the passwords remembered field (maximum is 24) to reflect the number of passwords the system will remember. A recommended setting is 24 passwords remembered.

check check check check

Set the Maximum Password Age

Security Objective: Set the length of time users can keep their passwords before they have to change them.

Procedure:

1. Double click on the Maximum password age policy object in the right-hand details pane to open the corresponding Security Policy Setting dialog window.

2. For Domain-level policies, check the Define this policy setting box.

3. Change the number in the days field to the desired number. A recommended setting is 42 days.

Note: The ST requires that a password expiration time be able to be set, but does not specify an expiration period. A Maximum Password Age must be set if a Minimum Password Age is used.

check check check check

Set the Minimum Password Age

Security Objective: Set the length of time users must keep a password before they can change it.

Procedure:

1. Double click on the Minimum password age policy object in the right-hand details pane to open the corresponding Security Policy Setting dialog window.

2. For Domain-level policies, check the Define this policy setting box.

3. Change the number in the days field to the desired number. A recommended setting is 2 days.

Note: The ST requires that the administrator be able to set a minimum password age, but does not specify the length of time users must keep a password before they can change it. A Minimum Password Age must be set if a Maximum Password Age is used.

check check check check

Set the Minimum Password Length

Security Objective: Set the minimum number of characters required for user passwords.

Procedure:

1. Double click on the Passwords must meet complexity requirements policy object in the right-hand details pane to open the corresponding Security Policy Setting dialog window.

2. For Domain-level policies, check the Define this policy setting box.

3. Select the Enabled radio button.

Note: The ST does not specify password complexity requirements.

check check check check

Set the Password Complexity Requirements

Security Objective: Requires the use of complex (strong) passwords. This policy imposes a requirement for a combination of alphanumeric, special, and upper and lower case characters in a password.

check check check check

Do Not Enable Reversible Encryption for Passwords

Security Objective: Not recommended.

Procedure: Verify the default setting is "Disabled".

check check check check

Set the Account Lockout Policy

View current Account Lockout Policy settings and edit as follows:

1. Open the applicable Security Policy.

2. Expand Security Settings.

3. Within Security Settings, expand Account Policies to reveal the Password, Account Lockout, and Kerberos policies.

4. Click on the Account Lockout Policy object. The right-hand details pane will reveal the configurable Account Lockout Policy settings.

5. Set the Account Lockout Policy as recommended or required in Table 3.2.

Table 3.2 Account Lockout Policy Settings

Columns: Account Lockout Policies | Pro. | Server | DC | Required | Recommended

Set Account Lockout Duration

Security Objective: Once an account is locked for invalid password attempts, this setting keeps the account locked for a specified period of time (or until an administrator unlocks the account) before resetting.

Procedure:

1. Double click on the Account lockout duration policy object in the right-hand details pane to open the corresponding Security Policy Setting dialog window.

2. For Domain-level policies, check the Define this policy setting box.

3. It is recommended that the policy be set to lock the account indefinitely by changing the number in the minutes field to zero (0). This will require an administrator to unlock the account.

Notes: The ST requires that a lockout duration be set. To meet the strength of function requirement, the value must be set to 1 minute or greater. The value can also be set to 0, which then requires the administrator to unlock the account.

The Account lockout duration policy is linked to the Reset account lockout counter after policy. If the Account lockout duration policy is set to 0, the Reset account lockout counter after policy can be set to any value. If the Account lockout duration policy is set to a value other than 0, the Reset account lockout counter after policy will be automatically set to an equal value by default.

check check check check

Set Account Lockout Threshold

Security Objective: Set the number of invalid login attempts that are allowed before an account is locked out.

Procedure:

1. Double click on the Account lockout threshold policy object in the right-hand details pane to open the corresponding Security Policy Setting dialog window.

2. For Domain-level policies, check the Define this policy setting box.

3. Change the number in the invalid login attempts field to the desired number. It is required that it not be set at a value greater than 5.

Note: The ST requires that a limit on the number of unsuccessful authentication attempts be set, but does not specify the limit. To meet the strength of function requirement, the value must be set at a value not greater than 5. Setting the Account lockout threshold will require that the Reset account lockout counter after and the Account lockout duration value settings be set. By default, they will be set to 30.

check check check check

Set the Account Lockout Reset Counter

Security Objective: Every time a logon attempt fails, the value of a threshold that tracks the number of bad logon attempts is raised. This policy determines how long the lockout threshold is maintained before being reset.

Procedure:

1. Double click on the Reset account lockout counter after policy object in the right-hand details pane to open the corresponding Security Policy Setting dialog window.

2. For Domain-level policies, check the Define this policy setting box.

3. Change the number in the minutes field to the desired number. It is recommended that the reset counter be set to a minimum of 30 minutes.

Note: The Reset account lockout counter after setting is linked to the Account lockout duration setting. If the Reset account lockout counter after setting is set to a value of 30 or less, the Account lockout duration setting will be automatically set to 30 by default. If the Reset account lockout counter after setting is set to a value of 31 or greater, the Account lockout duration will be automatically set to an equal value by default.

check check check check

Access the Kerberos Policy Settings

View and edit current Kerberos Policy settings as follows:

1. Open the Domain Security Policy or the Domain Controller Security Policy, as applicable.

Note: The Kerberos Policy Settings are not available through a Local Security Policy tool. Domain members can inherit this policy from the Domain Security Policy.

2. Expand Security Settings.

3. Within Security Settings, expand Account Policies to reveal the Password, Account Lockout, and Kerberos policies.

4. Click on the Kerberos Policy object. The right-hand details pane will reveal the configurable Kerberos Policy settings.

5. Set the Kerberos Policy as recommended or required in Table 3.3.

Table 3.3 Kerberos Policy Settings

Columns: Kerberos Policies | Pro. | Server | DC | Required | Recommended

Enforce User Logon Restrictions

Security Objective: Validates every logon request by checking the user rights policy to see if the user has permission to log on locally or to access the computer from the network.

Procedure: Default settings are adequate. Verify the setting is "Enabled".

check check check check

Set the Maximum Lifetime for Service Ticket

Security Objective: Sets the maximum duration for which a service ticket is valid.

Procedure: Default settings are adequate. Verify that ticket expiration is set to "600 minutes".

check check check check

Set the Maximum Lifetime for User Ticket

Security Objective: Sets the maximum duration for which a user ticket is valid.

Procedure: Default settings are adequate. Verify that ticket expiration is set to "10 hours".

check check check check

Set the Maximum Lifetime for User Ticket Renewal

Security Objective: Sets the renewal period for expired tickets.

Procedure: Default settings are adequate. Verify that the ticket renewal expires in "7 days".

check check check check

Set the Maximum Tolerance for Computer Clock Synchronization

Security Objective: Sets the maximum tolerance for synchronization between computers in the Domain.

Procedure: Default settings are adequate. Verify that the maximum tolerance is set to "5 minutes".

check check check check
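The values in Tables 3.1 to 3.3 can be checked offline against a security template of the kind Section 5 applies with the Security Configuration Tool Set. The following Python checker is an added example, not part of the guide: it reads the [System Access] and [Kerberos Policy] sections of a template and reports departures from the required and recommended values above, including the lockout duration and reset counter linkage. The two template texts are constructed samples, and treating a LockoutDuration of -1 the same as 0 (locked until an administrator unlocks) is an assumption of the example.

```python
import configparser
from io import StringIO

# Template key names: [System Access] holds password and lockout policy (ages
# in days, lockout values in minutes); [Kerberos Policy] holds ticket lifetimes
# (MaxServiceAge, MaxClockSkew in minutes; MaxTicketAge in hours; MaxRenewAge in days).
# Assumption of this example: LockoutDuration 0 or -1 both mean "locked until an
# administrator unlocks the account" (the console shows 0).
ADMIN_UNLOCK = (0, -1)

# (section, key, level from the table, acceptance test, expected value)
RULES = [
    # Table 3.1 Password Policy
    ("System Access", "PasswordHistorySize", "Recommended", lambda v: v == 24, "24 passwords remembered"),
    ("System Access", "MaximumPasswordAge", "Recommended", lambda v: v == 42, "42 days"),
    ("System Access", "MinimumPasswordAge", "Recommended", lambda v: v == 2, "2 days"),
    ("System Access", "PasswordComplexity", "Recommended", lambda v: v == 1, "Enabled (1)"),
    ("System Access", "ClearTextPassword", "Recommended", lambda v: v == 0, "Disabled (0)"),
    # Table 3.2 Account Lockout Policy
    ("System Access", "LockoutBadCount", "Required", lambda v: 1 <= v <= 5, "1 to 5 invalid attempts"),
    ("System Access", "LockoutDuration", "Required", lambda v: v in ADMIN_UNLOCK or v >= 1, "0 (administrator unlock) or at least 1 minute"),
    ("System Access", "ResetLockoutCount", "Recommended", lambda v: v >= 30, "at least 30 minutes"),
    # Table 3.3 Kerberos Policy (defaults are adequate; domain-level only)
    ("Kerberos Policy", "TicketValidateClient", "Recommended", lambda v: v == 1, "Enabled (1)"),
    ("Kerberos Policy", "MaxServiceAge", "Recommended", lambda v: v == 600, "600 minutes"),
    ("Kerberos Policy", "MaxTicketAge", "Recommended", lambda v: v == 10, "10 hours"),
    ("Kerberos Policy", "MaxRenewAge", "Recommended", lambda v: v == 7, "7 days"),
    ("Kerberos Policy", "MaxClockSkew", "Recommended", lambda v: v == 5, "5 minutes"),
]


def load_template(text):
    """Parse the INI-style template into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_file(StringIO(text))
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_template(text):
    """Return one finding per departure from Tables 3.1 to 3.3.  A section that
    is absent altogether (e.g. no Kerberos Policy in a local template) is skipped."""
    tpl = load_template(text)
    findings = []
    for section, key, level, accept, expected in RULES:
        if section not in tpl:
            continue
        raw = tpl[section].get(key)
        if raw is None:
            findings.append(f"{level}: [{section}] {key} is not defined (expected {expected})")
        elif not accept(int(raw)):
            findings.append(f"{level}: [{section}] {key} = {raw}, expected {expected}")
    sa = tpl.get("System Access", {})
    # A minimum age must be set if a maximum age is used, and vice versa.
    if ("MinimumPasswordAge" in sa) != ("MaximumPasswordAge" in sa):
        findings.append("Consistency: MinimumPasswordAge and MaximumPasswordAge must be set together")
    # Linked settings: with a finite lockout duration the console keeps the reset
    # counter at or below the duration (it sets the two equal by default).
    if "LockoutDuration" in sa and "ResetLockoutCount" in sa:
        duration, reset = int(sa["LockoutDuration"]), int(sa["ResetLockoutCount"])
        if duration not in ADMIN_UNLOCK and reset > duration:
            findings.append(f"Consistency: ResetLockoutCount ({reset}) exceeds LockoutDuration ({duration})")
    return findings


# Constructed sample templates (not templates shipped with Windows 2000).
BASELINE_TEMPLATE = """\
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
"""

WEAK_TEMPLATE = """\
[System Access]
MinimumPasswordAge = 2
PasswordComplexity = 0
PasswordHistorySize = 3
ClearTextPassword = 1
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 15
"""

if __name__ == "__main__":
    for finding in check_template(WEAK_TEMPLATE):
        print(finding)
```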

Local Policies

Local Policies determine the security options for a user or service account. Local policies are based on the computer a user is logged into, and the rights the user has on that particular computer. Local Policies can be used to configure:

Audit policy. Determines which security events are logged into the Security log on the computer (i.e., successful attempts, failed attempts or both). The Security log is part of Event Viewer.

User rights assignment. Determines which users or groups have logon or task privileges on the computer.

Security options. Enables or disables security settings for the computer, such as digital signing of data, Administrator and Guest account names, floppy drive and CD ROM access, driver installation, and logon prompts.

Note: Local policies, by definition, are local to a computer. When these settings are imported to a Group Policy object in Active Directory, they will affect the local security settings of any computer accounts to which that Group Policy object is applied. Therefore, it is important to note the order of precedence for security policies. Security policies associated with Group Policy (Organizational Units) override policies established at the local level. Policies from the domain override locally defined policies. In either case, user account rights may no longer apply if there is a local policy setting that overrides those privileges. This is important because the behavior of Microsoft Windows 2000 can be quite different from the behavior in Microsoft Windows NT. For example, when password policies are configured for the Domain group policy (as they are by default), they affect every computer in that domain. This means that the local account databases (on individual workstations) in the domain have the same password policy as the domain itself.

Set Event Audit

Enable auditing of security related events:

1. Open the applicable Security Policy.

2. Expand Security Settings.

3. Within Security Settings, expand Local Policies to reveal the Audit, User Rights Assignment, and Security Options policies.

4. Click on the Audit Policy object. The right-hand details pane will reveal the configurable Audit Policy settings.

5. To set auditing of a security event, double click on the desired audit policy in the right-hand details pane. This will open the Security Policy Setting dialog window.

6. For Domain-level policies, check the Define these policy settings box, and check success or failure of the event as shown below.

7. Follow these procedures to set auditing of event categories as defined in Table 3.4.

Table 3.4 Audit Policy Settings

Columns: Audit Policies | Pro. | Server | DC | Required | Recommended

Audit Event Categories | Success | Failure | Pro. | Server | DC | Required | Recommended

Audit Account Logon Events: check check check check check check

Audit Account Management: check check check check check check

Audit Directory Service Access: check check check check check check

Audit Logon Events: check check check check check check

Audit Object Access: check check check check check check

Audit Policy Change: check check check check check

Audit Privilege Use: check check check check check check

Audit Process Tracking: check check check check check check

Audit System Events: check check check check check

Notes:

1. The Evaluated Configuration must include the "ability" to provide specific audit information. However, it is not required that the audit information be generated.

2. Setting an Audit Object Access policy only enables the capability to audit objects. To collect object access audit events, an auditing SACL must be set on each specific object for which access attempts are to be logged. The same applies if setting the Audit Directory Service Access policy.

3. Appendix B, Audit Categories and Events, provides a matrix of Windows 2000 audit events, applicable ST requirements, and recommended audit settings.

4. "Account logon events" are generated where the account resides, such as on a Domain. "Logon events" are generated where the logon attempt occurs.

Modify Logon Rights and Privileges

Modify Logon Rights and Privileges for user accounts and services:

1. Open the applicable Security Policy.

2. Expand Security Settings.

3. Within Security Settings, expand Local Policies to reveal the Audit, User Rights Assignment, and Security Options policies.

4. Click on the User Rights Assignment object. The right-hand details pane will reveal the configurable user rights policy settings.

5. To set a user Logon Right or Privilege, double click on the desired policy in the right-hand details pane. This will open the Security Policy Setting dialog window.

6. For Domain-level policies, check the Define these policy settings box.

7. To remove a Logon Right or Privilege for an account, click on the account name to highlight it and click the Remove button.

8. To add a Logon Right or Privilege to an account, click the Add button and browse the appropriate account directory for the desired account.

9. There are several default assignments of user rights and privileges that the administrator should or must (see recommended or required columns in Table 3.5) change to maintain the evaluated configuration.

Note: The Power Users group does not exist on a Domain Controller. Therefore, modifications affecting user rights and privileges for the Power Users group cannot be done manually from a Domain Controller. Also note that although the Power Users group does not reside on the Domain Controller, there may still exist references to this group in the Domain Controller's local policy, which remain after the computer is upgraded from a Server to a Domain Controller.

Table 3.5 User Rights and Privileges

Columns: User Rights and Privilege Assignment | Pro. | Server | DC | Required | Recommended

Logon Right | Default | Modified

Access this computer from the network (Professional/Server)

Default: Administrators, Backup Operators, Power Users, Users, Everyone

Modified: Administrators, Backup Operators, Power Users, Users, Authenticated Users

check check check

Access this computer from the network (Domain Controller)

Default: Administrators, Authenticated Users, Everyone

Modified: Administrators, Authenticated Users

check check

Log on Locally (Professional)

Default: Administrators, Backup Operators, Power Users, Users, Machinename\Guest

Modified: Administrators, Backup Operators, Power Users, Users

check check

Log on Locally (Server)

Default: Administrators, Backup Operators, Power Users, Users, Machinename\Guest, Machinename\TsInternetUser

Modified: Administrators, Backup Operators, Power Users, Users

Note: The Machinename\TsInternetUser account is removed because Windows 2000 Terminal Server is not part of the Evaluated Configuration.

check check

Log on Locally (Domain Controller)

Default: Administrators, Account Operators, Backup Operators, Print Operators, Server Operators, TsInternetUser

Modified: Administrators, Account Operators, Backup Operators, Print Operators, Server Operators

Note: The TsInternetUser account is removed because Windows 2000 Terminal Server is not part of the Evaluated Configuration.

check check

Privilege | Default | Modified

Add Workstations to the Domain (Domain Controller)

Default: Authenticated Users

Modified: Remove the Authenticated Users account. Do not grant this privilege to other users.

Note: Domain Administrators have this privilege by default.

check check

Increase Quotas (Domain Controller in the Domain Security Policy)

Default: (Not Defined)

Modified: Administrators

check check

Increase Scheduling Priority (Domain Controller in the Domain Security Policy)

Default: (Not Defined)

Modified: Administrators

check check

Load and Unload Device Drivers (Domain Controller in the Domain Security Policy)

Default: (Not Defined)

Modified: Administrators

check check

Manage Auditing and Security Log (Domain Controller in the Domain Security Policy)

Default: (Not Defined)

Modified: Administrators

check check

Modify Firmware Environment (Domain Controller in the Domain Security Policy)

Default: (Not Defined)

Modified: Administrators

check check

Profile System Performance (Domain Controller in the Domain Security Policy)

Default: (Not Defined)

Modified: Administrators

check check

Shut Down the System (Professional)

Default: Administrators, Backup Operators, Power Users, Users

Modified: Administrators, Backup Operators, Power Users, Authenticated Users

check check

Take Ownership of Files and Objects (Domain Controller in the Domain Security Policy)

Default: (Not Defined)

Modified: Administrators

check check

Note: Appendix C User Rights and Privileges, provides a matrix of Windows 2000 user rights and privileges, applicable ST requirements, and the recommended/required modifications.
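As an added example (not part of the guide), this Python check reads the [Privilege Rights] section of a security template and reports which Table 3.5 modifications have not been applied for a given role. The privilege constants and well-known SIDs are those used in security templates; the role strings and the two constructed sample templates (one modelled on the Table 3.5 defaults for a Domain Controller, one hardened for Professional) are assumptions of the example.

```python
import configparser
from io import StringIO

# Well-known SIDs in the "*S-..." form used by a template's [Privilege Rights]
# section; local and domain accounts such as Guest or TsInternetUser appear by name.
WELL_KNOWN_SIDS = {
    "*S-1-1-0": "Everyone",
    "*S-1-5-11": "Authenticated Users",
    "*S-1-5-32-544": "Administrators",
    "*S-1-5-32-545": "Users",
    "*S-1-5-32-547": "Power Users",
    "*S-1-5-32-548": "Account Operators",
    "*S-1-5-32-549": "Server Operators",
    "*S-1-5-32-550": "Print Operators",
    "*S-1-5-32-551": "Backup Operators",
}

# Privileges that Table 3.5 defines as Administrators only for Domain
# Controllers in the Domain Security Policy (template constant names).
ADMIN_ONLY_ON_DC = [
    "SeIncreaseQuotaPrivilege",         # Increase quotas
    "SeIncreaseBasePriorityPrivilege",  # Increase scheduling priority
    "SeLoadDriverPrivilege",            # Load and unload device drivers
    "SeSecurityPrivilege",              # Manage auditing and security log
    "SeSystemEnvironmentPrivilege",     # Modify firmware environment
    "SeSystemProfilePrivilege",         # Profile system performance
    "SeTakeOwnershipPrivilege",         # Take ownership of files and objects
]


def parse_rights(text):
    """Return {privilege: set of account names} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_file(StringIO(text))
    rights = {}
    if cp.has_section("Privilege Rights"):
        for priv, holders in cp.items("Privilege Rights"):
            names = (h.strip() for h in holders.split(",") if h.strip())
            rights[priv] = {WELL_KNOWN_SIDS.get(n, n) for n in names}
    return rights


def _unqualified(account):
    """Strip a Machinename\\ or DOMAIN\\ prefix."""
    return account.rsplit("\\", 1)[-1]


def check_privilege_rights(text, role):
    """Report Table 3.5 modifications missing for role
    'Professional', 'Server' or 'Domain Controller'."""
    rights = parse_rights(text)
    findings = []
    if "Everyone" in rights.get("SeNetworkLogonRight", set()):
        findings.append("Access this computer from the network: remove Everyone "
                        "(Authenticated Users is the modified setting)")
    for acct in sorted(rights.get("SeInteractiveLogonRight", set())):
        if _unqualified(acct) in ("Guest", "TsInternetUser"):
            findings.append(f"Log on locally: remove {acct}")
    if role == "Domain Controller":
        if "Authenticated Users" in rights.get("SeMachineAccountPrivilege", set()):
            findings.append("Add workstations to the domain: remove Authenticated Users")
        for priv in ADMIN_ONLY_ON_DC:
            holders = rights.get(priv)
            if holders != {"Administrators"}:
                found = sorted(holders) if holders else "not defined"
                findings.append(f"{priv}: define as Administrators only ({found})")
    if role == "Professional":
        shutdown = rights.get("SeShutdownPrivilege", set())
        if "Users" in shutdown or "Authenticated Users" not in shutdown:
            findings.append("Shut down the system: replace Users with Authenticated Users")
    return findings


# Constructed samples: Table 3.5 defaults for a DC, and a hardened Professional.
DEFAULT_DC_TEMPLATE = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-550,*S-1-5-32-549,TsInternetUser
SeMachineAccountPrivilege = *S-1-5-11
"""

HARDENED_PRO_TEMPLATE = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-11
"""

if __name__ == "__main__":
    for finding in check_privilege_rights(DEFAULT_DC_TEMPLATE, "Domain Controller"):
        print(finding)
```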

Modify Security Options

Modify predefined security related Registry settings:

1. Open the applicable Security Policy.

2. Expand Security Settings.

3. Within Security Settings, expand Local Policies to reveal the Audit, User Rights Assignment, and Security Options policies.

4. Click on the Security Options object. The right-hand details pane will reveal the configurable security options.

5. To set a Security Option, double click on the desired policy in the right-hand details pane. This will open the Security Policy Setting dialog window.

6. For Domain-level policies, check the Define these policy settings box.

7. Input to the Security Policy Setting dialog boxes for selected security options will vary depending on the configuration requirements of the option. For example, some security options may require selection from a drop-down menu or a text input as shown below.

8. Modify the Security Options as shown in Table 3.6.

Table 3.6 Security Option Settings

Columns: Security Options | Pro. | Server | DC | Required | Recommended

Set Additional Restrictions for Anonymous Connections

Security Objective: Disable ability of anonymous user to enumerate SAM accounts and shares.

Procedure:

1. Double click on Additional restrictions for anonymous connections in the right-hand details pane.

2. For Domain-level policies, check the Define these policy settings box.

3. From the drop-down menu, select Do not allow enumeration of SAM accounts and shares.

4. Click the OK button.

check check check check

Allow server operators to schedule tasks (domain controllers only)

Security Objective: Determines if Server Operators are allowed to submit jobs by means of the AT schedule facility. By default, a user must be an administrator in order to submit jobs by means of the AT scheduler. Enabling this security policy setting allows members of the Server Operators group to submit AT schedule jobs on Domain Controllers without having to make them Administrators.

Procedure: Do not enable this feature. The AT schedule facility is not part of the Evaluated Configuration.

Note: The Domain level policy default is "Not Defined." It is recommended that the policy be set to Disabled.

check check

Disable Shutdown Without Logon

Security Objective: Disable the ability to shut down the computer without first authenticating to the system.

Procedure:

1.

Double click on Allow system to be shut down without having to log on in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

Select the Disabled radio button and click the OK button.

check

check

check

check

Restrict Ability to Eject Removable NTFS Media

Security Objective: Ensure integrity of ACL settings on data contained in removable media by allowing only authorized administrators the capability of removing the media from the computer.

Procedure:

1.

Double click on Allowed to eject removable NTFS media in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

From the drop-down menu, select Administrators and click the OK button.

check

check

check

check

Amount of idle time required before disconnecting a session

Security Objective: Determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is disconnected due to inactivity. Administrators can use this policy to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished. This policy is defined for servers by default in Local Computer Policy with a default value of 15 minutes. This policy is not defined on workstations. For this policy setting, a value of 0 means to disconnect an idle session as quickly as reasonably possible.

Procedure: Do not change the default setting.

check

check

check

check

Audit the Access of Global System Objects

Security Objective: Enable the capability to audit access of global system objects. When this policy is enabled, it causes system objects such as mutexes, events, semaphores, and DOS Devices to be created with a default system access control list (SACL). If the Audit object access audit policy is also enabled, then access to these system objects will be audited.

Procedure:

1.

Double click on Audit the access of global system objects in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

Select the Enabled radio button and click the OK button.

Note: In the Evaluated Configuration these objects must be auditable; enforcing the audit is optional, and an administrator must set this option to audit them. This setting generates a large volume of audit records, so it should be enabled only where a strict audit management process is in place for reviewing, archiving, and clearing the audit logs on a regular basis. The maximum log size should also be increased to accommodate the additional events.

check

check

check

check

Audit the Use of Backup and Restore Privilege

Security Objective: Enable the creation of audit event entries whenever the Backup files and directories or the Restore files and directories privilege is used. By default, the use of the backup and restore privileges is not audited. When the Audit privilege use audit policy is enabled and this security option is set, every use of the Backup and Restore privileges is audited.

Procedure:

1.

Double click on Audit use of Backup and Restore privilege in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

Select the Enabled radio button and click the OK button.

Note: In the Evaluated Configuration the use of these privileges must be auditable; enforcing the audit is optional, and an administrator must set this option to audit it. This setting generates a large volume of audit records, so it should be enabled only where a strict audit management process is in place for reviewing, archiving, and clearing the audit logs on a regular basis. The maximum log size should also be increased to accommodate the additional events.

check

check

check

check

Automatically Log Off Users When Logon Time Expires

Security Objective: Force users off the network when they remain logged on beyond their allowed logon hours.

Procedure:

1.

Double click on Automatically log off users when logon time expires in the right-hand details pane.

2.

Check the Define these policy settings box.

3.

Select the Enabled radio button and click the OK button.

Note: This Security Option can only be set at the Domain Controller.

check

check

Automatically Log Off Users When Logon Time Expires (Local)

Security Objective: Force users off the local computer when they remain logged on beyond their allowed logon hours.

Procedure:

1.

Double click on Automatically log off users when logon time expires (local) in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

Select the Enabled radio button and click the OK button.

check

check

check

check

Clear Virtual Memory Page File When System Shuts Down

Security Objective: Overwrite the virtual memory pagefile with zeros when the system shuts down; the pagefile is recreated at the next system start. Data paged out of process memory, which can include passwords and other secrets, would otherwise remain in the pagefile and could be recovered by the next user of the machine or by anyone who boots the computer from other media and reads the disk offline. Expect shutdown to take longer, roughly in proportion to the size of the pagefile.

Procedure:

1.

Double click on Clear virtual memory pagefile when system shuts down in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

Select the Enabled radio button and click the OK button.

check

check

check

check

Digitally sign client communications (always)

Security Objective: Determines whether the computer will always digitally sign client communications. The Windows 2000 Server Message Block (SMB) authentication protocol supports mutual authentication, which defeats a "man-in-the-middle" attack, and supports message authentication, which prevents active message attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server.

Enabling this option requires the Windows 2000 SMB client to perform SMB packet signing; if the policy is disabled, the SMB client is not required to sign packets. This policy is disabled by default. For the Evaluated Configuration this option may be left Disabled while the following security option, "Digitally sign client communications (when possible)", is Enabled. Because the Evaluated Configuration operating environment is a closed network with all computers configured to the same requirements, communications will use SMB signing (see note below).

Procedure:

1.

Double click on Digitally sign client communications (always) in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

Select the Disabled radio button and click the OK button.

Note: In order to use SMB signing, it must be either enabled or required on both the SMB client and the SMB server. If SMB signing is enabled on a server, then clients that are also enabled for SMB signing will use the packet signing protocol during all subsequent sessions. If SMB signing is required on a server, then a client will not be able to establish a session unless it is at least enabled for SMB signing.

check

check

check

check

Digitally sign client communications (when possible)

Security Objective: If this policy is enabled, it causes the Windows 2000 Server Message Block (SMB) client to perform SMB packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing. See "Digitally sign client communications (always)" for additional details.

Procedure:

1.

Double click on Digitally sign client communications (when possible) in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

Select the Enabled radio button and click the OK button.

Note: See the note under "Digitally sign client communications (always)".

check

check

check

check

Digitally sign server communications (always)

Security Objective: If this policy is enabled, it requires the Windows 2000 Server Message Block (SMB) server to perform SMB packet signing. This policy is disabled by default. See "Digitally sign client communications (always)" for additional details.

Procedure:

1.

Double click on Digitally sign server communications (always) in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

Select the Enabled radio button and click the OK button.

Note: See note for Digitally sign client communications (always).

check

check

check

check

Digitally sign server communications (when possible)

Security Objective: If this policy is enabled, it causes the Windows 2000 Server Message Block (SMB) server to perform SMB packet signing when communicating with a client that is enabled or required to sign. This policy is disabled by default on workstation and server platforms in Local Computer Policy and enabled by default on Domain Controllers. See "Digitally sign client communications (always)" for additional details.

Procedure:

1.

Double click on Digitally sign server communications (when possible) in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

Select the Enabled radio button and click the OK button.

Note: See note for Digitally sign client communications (always).

check

check

check

check
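The four SMB signing options above interact according to the note under "Digitally sign client communications (always)". The following Python script, an added example and not code from the Microsoft guide, encodes that rule as a function and evaluates the Table 3.6 settings (clients sign when possible, servers always) against peers with other settings. The outcome labels and the `Signing` tuple are the editor's own naming, not Windows terms.

```python
"""Outcome of an SMB session for a given pair of signing settings.

Added example, not code from the Microsoft guide.  It encodes the rule stated
in the note to "Digitally sign client communications (always)": signing is
used when both sides have it at least enabled, a side that requires signing
refuses a peer that has not enabled it, and otherwise the session is unsigned.
"""
from collections import namedtuple

# (always) = required, (when possible) = enabled.  Requiring implies enabling.
Signing = namedtuple("Signing", "enabled required")


def _effective(side):
    """A side that requires signing is treated as having it enabled too."""
    return Signing(enabled=side.enabled or side.required, required=side.required)


def negotiate(client, server):
    """Return 'signed', 'unsigned' or 'refused' for one client/server pair."""
    c, s = _effective(client), _effective(server)
    if (c.required and not s.enabled) or (s.required and not c.enabled):
        return "refused"  # no session can be established
    if c.enabled and s.enabled:
        return "signed"
    return "unsigned"


# Table 3.6 settings: clients sign when possible, servers always.
EVAL_CLIENT = Signing(enabled=True, required=False)
EVAL_SERVER = Signing(enabled=True, required=True)


def evaluated_configuration_matrix():
    """Outcomes when an Evaluated Configuration host meets peers with other settings."""
    peers = {
        "signing disabled": Signing(enabled=False, required=False),
        "signing enabled": Signing(enabled=True, required=False),
        "signing required": Signing(enabled=True, required=True),
    }
    results = {}
    for label, peer in peers.items():
        results[("Evaluated client", f"{label} server")] = negotiate(EVAL_CLIENT, peer)
        results[(f"{label} client", "Evaluated server")] = negotiate(peer, EVAL_SERVER)
    return results


if __name__ == "__main__":
    for (client, server), outcome in evaluated_configuration_matrix().items():
        print(f"{client:24s} -> {server:24s}: {outcome}")
```

The matrix shows why the guide can leave the client "always" option Disabled: every Evaluated Configuration server requires signing, so any session to such a server is either signed or refused. It also shows the assumption behind the "closed network" statement: an Evaluated Configuration client that reaches a server with signing disabled falls back to an unsigned session, and a client with signing disabled cannot connect to an Evaluated Configuration server at all.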

Disable CTRL+ALT+DEL Required for Logon

Security Objective: DO NOT ENABLE THIS OPTION. Enabling it disables the trusted path mechanism. CTRL+ALT+DEL is the secure attention sequence: it is handled by Winlogon and cannot be intercepted or simulated by an ordinary application, so requiring it before logon prevents a malicious program from presenting a counterfeit logon dialog to capture user credentials. The default setting of this option is Disabled on a Windows 2000 computer, although a policy tool may show it as Not Defined.

Procedure: Verify that the Disable CTRL+ALT+DEL requirement for logon option in the right hand details pane is set to Not Defined or is Disabled.

check

check

check

check

Do Not Display Last User Name on Logon Screen

Security Objective: By default, the Windows 2000 login interface displays the user ID of the last user that logged onto the computer. Enabling this option removes the name of the last user from the login session. As a result, an intruder attempting to break into the computer locally would not only need to guess the password, but would also need to guess a correct user ID.

Procedure:

1.

Double click on Do not display last user name in logon screen in the right-hand details pane.

2.

For Domain-level policies, check the Define these policy settings box.

3.

Select the Enabled radio button and click the OK button.
