Windows 2000 Security Policy
This section introduces the various security policy tools and the order in which security policies are applied. By default, Group Policy is inherited and cumulative, and it affects all computers in a Microsoft Active Directory® container. Group policies are managed through Group Policy Objects (GPOs), data structures attached to specific objects in the Active Directory hierarchy such as sites, domains, or organizational units (OUs). Once created, GPOs are applied in the standard order LSDOU: (1) local, (2) site, (3) domain, (4) OU. A policy applied later takes precedence over a policy applied earlier. If a computer belongs to a domain and the domain policy conflicts with the local computer policy, the domain policy takes effect. If the computer no longer belongs to a domain, only the local group policy is applied.
When a computer joins a domain that implements Active Directory and Group Policy, it still processes its local GPO. Note that local GPO settings are processed even when the 'Block Policy Inheritance' option is set on a container.
Account policies (password, account lockout, and Kerberos policies) are defined for the entire domain in the Default Domain GPO, while the local policies (audit policy, user rights assignment, and security options) of domain controllers (DCs) are defined in the Default Domain Controllers GPO. For DCs, the settings defined in the Default Domain Controllers GPO take precedence over the settings defined in the Default Domain GPO. Consequently, a user right configured in the Default Domain GPO (for example, 'Add workstations to domain') has no effect on the DCs in that domain.
A specific GPO can be marked as enforced ('No Override'), which prevents GPOs in lower-level Active Directory containers from replacing its settings. For example, if a GPO is defined at the domain level and marked as enforced, the policies it contains are applied to every OU in the domain; in other words, the lower-level containers (OUs) cannot override that domain policy.
Note: The account policy security area receives special handling for computers in the domain. All DCs in the domain receive their account policy from the GPO configured at the domain node, regardless of where the DCs' computer objects are located. This ensures that a consistent account policy is enforced for all domain accounts. All non-DC computers in the domain follow the normal GPO hierarchy to obtain the account policy for their local accounts. By default, member workstations and servers apply the account policy settings configured in the domain GPO to their local accounts, but if another GPO with a narrower scope overrides those default settings, that GPO's settings take effect.
Local Security Policy
Use local security policy to set security requirements on the local computer. It is mainly used for stand-alone computers or for applying specific security settings to domain members. In an Active Directory managed network, local security policy settings have the lowest priority.
To open the local security policy:
1. Log on to the computer with administrator privileges.
2. On a Windows 2000 Professional computer, 'Administrative Tools' is not displayed in the 'Start' menu by default. To show the 'Administrative Tools' menu option in Windows 2000 Professional, click 'Start', point to 'Settings', and then click 'Taskbar and Start Menu'. In the 'Taskbar and Start Menu Properties' window, click the 'Advanced' tab. Under 'Start Menu Settings', select 'Display Administrative Tools' and click 'OK' to complete the setting.
3. Click 'Start', point to 'Programs', point to 'Administrative Tools', and then click 'Local Security Policy'. This opens the 'Local Security Settings' console.
Figure 1: Local security settings
Domain Security Policy
Domain security policy sets and propagates the security requirements of all computers in the domain. The domain security policy overrides the local security policy settings of every computer in the domain.
To open the domain security policy:
1. Open the 'Active Directory Users and Computers' snap-in.
2. Right-click the organizational unit or domain you want to view, and then click 'Properties'. For example, to view the domain security policy, right-click the domain; to view the domain controller policy, right-click the Domain Controllers OU.
3. Click the 'Group Policy' tab.
4. Click the 'Edit' button.
5. Expand 'Windows Settings'.
6. Configure security settings in the 'Security Settings' tree.
Organizational Unit Group Policy Objects
OUs should be used to manage security policy within the domain. The domain already provides a Domain Controllers OU, but you can define other OUs as needed. For example, baseline settings should be applied at the domain level and specific settings at the OU level: create a Workstations OU and place all workstations in it, create a Member Servers OU and place all domain member servers in it, and so on.
OU GPOs can override the security policy settings implemented through the policy interfaces discussed earlier. For example, if a policy set for the domain conflicts with the same policy configured for the Domain Controllers OU, the domain controllers will not inherit the domain policy setting. This can be avoided by selecting the 'No Override' option on the GPO. 'No Override' forces all child containers to inherit the parent container's policies, even if those policies conflict with the child container's own policies and the child container is set to 'Block Policy Inheritance'. To find it, click the 'Options' button on the GPO's 'Properties' dialog box and locate the 'No Override' check box.
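As an added illustration (not from the original article) of the LSDOU order, 'No Override' and 'Block Policy Inheritance' rules described in the introduction and in this OU section, the following Python model resolves which GPO wins each setting for one computer; the GPO names, setting names and values are constructed for the example.

```python
"""Added example (not from the original article): a small model of the LSDOU
precedence rules described above, reporting which GPO wins each setting."""
from dataclasses import dataclass

LEVELS = ["local", "site", "domain", "ou"]   # LSDOU: a later link wins on conflict


@dataclass
class Gpo:
    name: str
    level: str                  # one of LEVELS
    settings: dict              # setting name -> value
    no_override: bool = False   # 'No Override' checked on the GPO link


def resolve(gpos, blocking_levels=frozenset()):
    """Return {setting: (value, winning GPO name)}.  blocking_levels are the
    containers with 'Block Policy Inheritance'; GPOs linked above them are
    dropped unless enforced, and the local GPO is always processed."""
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    deepest_block = max((rank[lvl] for lvl in blocking_levels), default=-1)
    normal, enforced = [], []
    for g in sorted(gpos, key=lambda g: rank[g.level]):
        if g.no_override:
            enforced.append(g)            # enforced links are never blocked
        elif g.level == "local" or rank[g.level] >= deepest_block:
            normal.append(g)              # not inherited across a block
    result = {}
    for g in normal:                      # LSDOU order: later link overrides
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    for g in reversed(enforced):          # enforced: the higher container wins
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    return result


# Constructed sample: a workstation in a Workstations OU that has 'Block Policy
# Inheritance' set, while the domain GPO is marked 'No Override'.
SAMPLE = [
    Gpo("Local Security Policy", "local",
        {"MinimumPasswordLength": 6, "AuditLogonEvents": "No auditing"}),
    Gpo("Default Domain Policy", "domain",
        {"MinimumPasswordLength": 8, "AuditLogonEvents": "Success, Failure"},
        no_override=True),
    Gpo("Workstations GPO", "ou",
        {"MinimumPasswordLength": 4, "RenameAdministratorAccount": "wsadmin"}),
]

if __name__ == "__main__":
    print(resolve(SAMPLE, {"ou"}))
```

With the sample, the enforced domain GPO still supplies the password length and audit settings despite the block at the OU, while the OU's own rename setting survives.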
Other Security Configuration Interfaces
To simplify discussion and implementation, this document focuses on managing security settings through Windows 2000 security policy. However, on standalone computers these interfaces are not available, and even on domain members it is sometimes necessary to manage security on individual computers rather than through Group Policy. Several independent tools can perform these tasks; the most commonly used is the Security Configuration Editor, which ships with every Windows 2000 system.
Security Configuration Editor
The Security Configuration Editor (SCE) consists of two Microsoft Management Console (MMC) snap-ins that provide security configuration and analysis for the Windows 2000 operating system. The first is the 'Security Templates' snap-in, which gives administrators a graphical way to manage the .inf files used to apply security settings. The second is the 'Security Configuration and Analysis' snap-in, which administrators use to analyze a system's security against a specific template and to apply the template's settings to the system. These interfaces are shown in Figure 2. To use these snap-ins, a new console must be created.
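The analysis step described above, as an added example that is not part of the original article: a small Python routine parses a security template in the .inf layout the Security Templates snap-in edits and compares it with a constructed snapshot of a machine's current settings; the template contents and the snapshot values are hypothetical.

```python
"""Added example (not from the article): analyze a security template (.inf, as
edited by the Security Templates snap-in) against a system's current settings."""
# Constructed template using the .inf section and key names secedit expects.
# Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
TEMPLATE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
"""

# Constructed snapshot of one machine's current settings (hypothetical values).
CURRENT = {
    "System Access": {"MinimumPasswordLength": "6", "PasswordComplexity": "1"},
    "Event Audit": {"AuditLogonEvents": "1", "AuditAccountLogon": "3"},
}


def parse_template(text):
    """Parse the INI-style template into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def analyze(template, system, areas=("System Access", "Event Audit")):
    """Report 'OK', 'Mismatch (...)' or 'Not analyzed' for each template
    setting in the given areas, using the system's value for comparison."""
    report = {}
    for area in areas:
        report[area] = {}
        for key, wanted in template.get(area, {}).items():
            actual = system.get(area, {}).get(key)
            if actual is None:
                report[area][key] = "Not analyzed"   # snapshot lacks the value
            elif actual == wanted:
                report[area][key] = "OK"
            else:
                report[area][key] = f"Mismatch (template {wanted}, system {actual})"
    return report
```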
To create a new console:
1. Click 'Start', click 'Run...', and run MMC.
2. After the MMC appears, click the 'Console' menu and then click 'Add/Remove Snap-in...'. Next click 'Add...', then double-click 'Security Configuration and Analysis' and 'Security Templates'.
3. Click 'Close' and then 'OK' to return to the console. For future use, this console can now be saved so that it is available in the 'Administrative Tools' folder on the 'Start' menu.