
Configuring Security

In document Hack Proofing Windows 2000 Server pdf (Page 192-200)

The administrator configures the entries in the security database through the nodes of the Security Configuration and Analysis and Security Templates snap-ins. You cannot define new security attributes; only the existing Windows 2000 security elements are configurable. Microsoft or third parties might add extensions to the security attributes in the future.

Account Policies

Account policies define aspects of security relating primarily to passwords. The Password Policy contains entries for password aging and password length. The Account Lockout Policy determines how many failed attempts a person gets before the account is locked out. The Kerberos Policy applies only to domain logons, since local logons do not use Kerberos; its entries set maximum lifetimes for the various tickets, such as user tickets and user ticket renewal. Figure 5.7 shows some entries for the account policy nodes. Table 5.2 lists all options available through the account policies.

Table 5.2 Options Available within Account Policies

Password Policies

Enforce password history: Remembers users' previous passwords so that a password cannot be reused until it has left the history. Values range from 0 to 24 passwords remembered. The default is 0 passwords remembered.

Maximum password age: Defines the maximum time a user can keep a password before having to change it. Values range from 0 (password never expires) to 999 days. The default is 42 days.

Minimum password age: Defines the minimum time a user must keep a password before changing it. Values range from 0 (password can be changed immediately) to 998 days. The default is 0 days. Set this above 0 whenever password history is enforced; otherwise a user can cycle through enough new passwords in one sitting to return to the original one.

Minimum password length: Defines the minimum number of characters required in a user's password. Values range from 0 (no password required) to 14 characters. The default is 0 characters.

Passwords must meet complexity requirements: Requires that a password be at least six characters long, not contain the user's account name, and contain characters from at least three of four categories: uppercase letters, lowercase letters, digits, and nonalphanumeric symbols. Value is either enabled or disabled. The default is disabled.

Store password using reversible encryption for all users in the domain: Stores a copy of each user's password in Active Directory in a reversibly encrypted form, which is equivalent to storing it in clear text for anyone who obtains the directory database. This is required for Digest authentication to work; leave it disabled unless that is needed. Value is either enabled or disabled. The default is disabled.

Account Lockout Policies

Account lockout duration: Defines the time in minutes that an account remains locked out. Values range from 0 (the account is locked out until an administrator unlocks it) to 99,999 minutes (69 days, 10 hours, and 39 minutes). The default is not defined.

Account lockout threshold: Defines how many times a user can enter an incorrect password before the account is locked. Values range from 0 (the account never locks out) to 999 invalid logon attempts. The default is 0 (no lockout). Any nonzero threshold lets an attacker who knows account names lock users out deliberately, so pair it with a finite lockout duration rather than requiring an administrator to unlock.

Reset account lockout counter after: Defines how long the count of unsuccessful logons is kept before it is reset to 0. Values range from 1 minute to 99,999 minutes. The default is not defined.

Kerberos Policies

Enforce user logon restrictions: Makes the Key Distribution Center validate every session ticket request against the user rights policy of the target computer (Log on locally, Access this computer from the network). Value is either enabled or disabled. The default is enabled.

Maximum lifetime for service ticket: Defines the maximum time in minutes that a service ticket is valid. Values range from tickets don't expire to 99,999 minutes. The default is 600 minutes (10 hours).

Maximum lifetime for user ticket: Defines the maximum time in hours that a user ticket (ticket-granting ticket) is valid. Values range from tickets don't expire to 99,999 hours. The default is 10 hours.

Maximum lifetime for user ticket renewal: Defines the period in days during which an expired user ticket may be renewed without the user authenticating again. The default is 7 days.

Maximum tolerance for computer clock synchronization: Specifies the amount of time in minutes that the clocks of a client and a domain controller may differ before Kerberos authentication fails. Values range from 0 minutes to 99,999 minutes. The default is 5 minutes.

Local Policies

Local policies include the Audit Policy, User Rights Assignment, and Security Options. Audit Policy selections include auditing logon events, use of user privileges, system events, and object access. The User Rights Assignment node grants or denies user rights such as the right to add workstations to the domain, change the system time, log on locally, and access the computer from the network.

The most profound improvement is the Security Options node, which exposes settings that in Windows NT 4.0 could be changed only by editing the Registry directly. Examples include clearing the pagefile when the system shuts down, message text during logon, the number of previous logons kept in cache, and shutting the system down immediately if it cannot log security audits. Figure 5.8 shows some of the entries in the Local Policies node. Table 5.3 lists all options available through the local policies.


Table 5.3 Options Available within Local Policies

Audit Policies

Audit account logon events: Audits the validation of an account's credentials. The event is recorded on the computer that validates the account: the domain controller for domain accounts, the local machine for local accounts.

Audit account management: Audits when a user account or group is created, deleted, or modified, including password resets and group membership changes.

Audit directory service access: Audits access to Active Directory objects. Events are generated only for objects that carry a system access control list (SACL).

Audit logon events: Audits when a user logs on to or off a local computer and when a user makes a network connection to the machine. The event is recorded on the machine where the logon occurs.

Audit object access: Audits access to files, folders, printers, and registry keys. Enabling the category by itself records nothing; each object to be watched also needs a SACL.

Audit policy change: Audits when security options, user rights, or audit policies are modified.

Audit privilege use: Audits when a user right is exercised. Use of the Backup and Restore privileges is not recorded unless the separate security option "Audit use of Backup and Restore privilege" is also enabled.

Audit process tracking: Audits when an application performs an action such as process creation or exit.

Audit system events: Audits when a security-related system event occurs, such as rebooting the computer or clearing the security log.

User Rights Assignment

Rights that begin with Deny take precedence over the corresponding Allow right when an account holds both, directly or through group membership.

Access this computer from the network: Allows a user or group to connect to the computer over the network.

Act as part of the operating system: Allows a process to gain access to resources under any user identity. This is equivalent to full control of the system; grant it to service accounts only when unavoidable.

Add workstations to the domain: Allows a user or group to add a computer to the domain.

Back up files and directories: Allows a user or group to bypass file and directory permissions to back up the system.

Bypass traverse checking: Allows a user or group to pass through directories to which they have no access while navigating an object path in any Windows file system.

Change the system time: Allows a user or group to set the time for the computer's internal clock.

Create a pagefile: Allows a user or group to create and change the size of a pagefile.

Create a token object: Allows a process to create a token that grants access to any local resource.

Create permanent shared objects: Allows a process to create a directory object in the object manager.

Debug programs: Allows a user or group to attach a debugger to any process, including system processes running as LocalSystem; treat it as administrator-equivalent.

Deny access to this computer from the network: Denies the ability to connect to the computer over the network.

Deny logon as a batch job: Denies the ability to log on using a batch-queue facility.

Deny logon as a service: Denies the ability to log on as a service.

Deny logon locally: Denies a user or group the ability to log on to the local machine.

Enable computer and user accounts to be trusted for delegation: Allows a user or group to set the Trusted for Delegation setting on a user or computer object.

Force shutdown from a remote system: Allows a user or group to shut down a computer remotely.

Generate security audits: Allows a process to make entries in the security log.

Increase quotas: Allows a process to increase the processor quota for any process to which it has write property access.

Increase scheduling priority: Allows a process to increase the execution priority of any process to which it has write property access.

Load and unload device drivers: Allows a user or group to install and uninstall Plug and Play device drivers. Because drivers run in kernel mode, this right is also administrator-equivalent.

Lock pages in memory: Allows a process to keep data in physical memory.

Log on as a batch job: Allows a user or group to log on using a batch-queue facility.

Log on as a service: Allows logging on as a service.

Log on locally: Allows a user or group to log on to the local machine.

Manage auditing and security log: Allows a user or group to configure object access auditing and to view and clear the security log.

Modify firmware environment values: Allows changing the system environment variables.

Profile single process: Allows a user or group to use performance-monitoring tools to monitor the performance of nonsystem processes.

Profile system performance: Allows a user or group to use performance-monitoring tools to monitor the performance of system processes.

Remove computer from docking station: Allows a user or group to undock a laptop within Windows 2000.

Replace a process level token: Allows a process to replace the default token associated with a subprocess that has been started.

Restore files and directories: Allows a user or group to bypass file and directory permissions when restoring backed-up files and directories.

Shut down the system: Allows a user or group to shut down the local computer.

Synchronize directory service data: Allows a process to provide directory synchronization services.

Take ownership of files or other objects: Allows a user or group to take ownership of any securable system object.

Security Options

Additional restrictions for anonymous connections: Adds restrictions on null-session (anonymous) connections. Choices are None (rely on default permissions), Do not allow enumeration of SAM accounts and shares, and No access without explicit anonymous permissions; these correspond to the RestrictAnonymous values 0, 1, and 2 under the Lsa registry key. The most restrictive setting can break trusts with Windows NT 4.0 domains and Browser service enumeration, so test it before applying it to domain controllers.

Allow server operators to schedule tasks (domain controllers only): Gives members of the Server Operators group the right to schedule tasks.

Allow system to be shut down without having to log on: Enables the Shutdown button on the Ctrl+Alt+Del logon screen.

Allowed to eject removable NTFS media: Multivalued. Determines who may eject removable NTFS media: Administrators, Administrators and Power Users, or Administrators and Interactive Users.

Amount of idle time required before disconnecting session: Defines how long, in minutes, a network session may remain idle before the user is disconnected.

Audit the access of global system objects: Audits access to system objects such as mutexes, events, semaphores, and DOS devices.

Audit use of Backup and Restore privilege: Audits when the Backup and Restore privileges are used.

Automatically log off users when logon time expires: Disconnects users who are connected across the network when their logon hours expire.

Automatically log off users when logon time expires (local): Logs off users who are logged on locally when their logon hours expire.

Clear virtual memory pagefile when system shuts down: Empties the pagefile on shutdown so that secrets paged to disk cannot be recovered from it offline.

Digitally sign client communications (always): Requires the computer to sign its SMB communications when functioning as a client, whether or not the server supports signing. Unsigned communications are refused.

Digitally sign client communications (when possible): Configures the computer to request signed SMB communications when functioning as a client to a server that supports signing. Unsigned communications are allowed but not preferred.

Digitally sign server communications (always): Requires all connecting clients to sign their SMB communications. Unsigned communications are refused, so clients that do not support SMB signing will be unable to connect.

Digitally sign server communications (when possible): Requests that all connecting clients sign their SMB communications. Unsigned communications are allowed but not preferred.

Disable Ctrl+Alt+Del requirement for logon: Lets users log on without pressing Ctrl+Alt+Del. The secure attention sequence guarantees that the logon dialog belongs to Winlogon; disabling it makes it easier for a malicious program to present a fake logon prompt and capture credentials. Keep the requirement on servers.

Do not display last user name in logon screen: Does not display the name of the last user to log on, so an attacker at the console does not obtain a valid account name for free.

LAN Manager Authentication Level: Controls which challenge/response protocols the computer sends and, on a domain controller, accepts from down-level clients. Levels run from 0 (send LM and NTLM responses) through 2 (send NTLM only) and 3 (send NTLMv2 only) to 5 (domain controllers refuse LM and NTLM and accept only NTLMv2). The LM response is the weakest and should be disabled wherever no client still depends on it.

Message text for users attempting to log on: The text displayed in a window presented to all users logging on.

Message title for users attempting to log on: The title of the window presented to all users logging on.

Number of previous logons to cache (in case domain controller is not available): Determines how many domain users' logon credentials are cached locally so that they can still log on when no domain controller is reachable. Values range from 0 to 50. The default is 10.

Prevent system maintenance of computer account password: Prevents the computer from changing its computer account password, which it normally rotates every 30 days.

Prevent users from installing printer drivers: Keeps users from installing printer drivers.

Recovery Console: Allow automatic administrative logon: Logs the administrator on to the Recovery Console automatically, without asking for the administrator password. Anyone with physical access to the machine and the installation media then has full access to the disk.

Recovery Console: Allow floppy copy and access to all drives and all folders: Enables the Recovery Console SET command, which permits copying files to removable media and access to all drives and folders rather than only the system directory.

Rename administrator account: Renames the administrator account to the name specified here. Renaming does not change the account's well-known relative identifier (500), which an attacker can still look up unless anonymous enumeration is blocked.

Rename guest account: Renames the guest account to the name specified here.

Restrict CD-ROM access to locally logged-on user only: Restricts network access to the CD-ROM.

Restrict floppy access to locally logged-on user only: Restricts network access to the floppy drive.

Secure channel: Digitally encrypt or sign secure channel data (always): Requires the machine to encrypt or sign all Netlogon secure channel traffic with its domain controllers; every domain controller it authenticates through must support this.

Secure channel: Digitally encrypt secure channel data (when possible): Configures the machine to encrypt secure channel data when communicating with a domain controller that supports encryption.

Secure channel: Digitally sign secure channel data (when possible): Configures the machine to sign secure channel data when communicating with a domain controller that supports signing.
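The settings in Tables 5.2 and 5.3 are what a security template (an .inf file) carries, and what Security Configuration and Analysis compares its database against. The following checker is an added example, not code from the book or from Microsoft: it parses the template format that secedit.exe exports (the [System Access] and [Registry Values] sections) and lists values weaker than a hardened baseline. The two templates, the baseline thresholds, and the weak/hardened labels are assumptions made for the demonstration; the key names and the registry paths behind RestrictAnonymous, LmCompatibilityLevel, and DisableCAD are the real ones.

```python
# Added example, not code from the book: a checker for the .inf security
# template format that the Security Templates snap-in and secedit.exe read.
# It parses the sections carrying the Table 5.2 and Table 5.3 settings and
# lists values weaker than a hardened baseline, in the spirit of Security
# Configuration and Analysis comparing its database with a template. Key
# names are the ones secedit writes on export; the templates and the
# baseline thresholds below are constructed for this demonstration.
import re

# Registry paths behind three Security Options entries in Table 5.3.
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SYSTEM_POLICY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed weak configuration (several values are the out-of-the-box ones).
WEAK_TEMPLATE = rf"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
MaximumPasswordAge = 42
LockoutBadCount = 0
ClearTextPassword = 0
[Registry Values]
{LSA}\RestrictAnonymous=4,0
{LSA}\LmCompatibilityLevel=4,0
{SYSTEM_POLICY}\DisableCAD=4,1
"""

# Constructed hardened counterpart, with the [Version] header secedit expects.
HARDENED_TEMPLATE = rf"""
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 42
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Registry Values]
{LSA}\RestrictAnonymous=4,2
{LSA}\LmCompatibilityLevel=4,2
{SYSTEM_POLICY}\DisableCAD=4,0
"""


def parse_template(text):
    """Parse secedit .inf text into {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def registry_value(sections, path, default=None):
    """Data of a [Registry Values] entry (type code 4 is REG_DWORD), else default."""
    entry = sections.get("Registry Values", {}).get(path)
    if entry is None:
        return default
    vtype, _, data = entry.partition(",")
    return int(data) if vtype == "4" else data.strip('"')


def audit_template(text):
    """Return the findings where the template is weaker than the hardened baseline."""
    s = parse_template(text)

    def num(key, default=0):
        return int(s.get("System Access", {}).get(key, default))

    checks = [
        ("Minimum password length below 8", num("MinimumPasswordLength") < 8),
        ("Password complexity not enforced", num("PasswordComplexity") != 1),
        ("Password history below 24", num("PasswordHistorySize") < 24),
        ("Maximum password age unset or over 90 days",
         not 1 <= num("MaximumPasswordAge", -1) <= 90),
        ("Account lockout disabled (LockoutBadCount = 0)", num("LockoutBadCount") == 0),
        ("Passwords stored with reversible encryption", num("ClearTextPassword") == 1),
        ("Anonymous SAM and share enumeration allowed (RestrictAnonymous < 2)",
         registry_value(s, LSA + r"\RestrictAnonymous", 0) < 2),
        ("LM responses still sent (LmCompatibilityLevel < 2)",
         registry_value(s, LSA + r"\LmCompatibilityLevel", 0) < 2),
        ("Ctrl+Alt+Del requirement disabled (DisableCAD = 1)",
         registry_value(s, SYSTEM_POLICY + r"\DisableCAD", 0) == 1),
    ]
    return [finding for finding, failed in checks if failed]


if __name__ == "__main__":
    for name, template in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, "->", audit_template(template) or "no findings")
```

Running the script reports the weak template's findings and none for the hardened one. To compare a real machine against such a template, save the hardened text as an .inf file and run secedit /analyze /db hardened.sdb /cfg hardened.inf /log hardened.log on the target, then review the log or open the database in the Security Configuration and Analysis snap-in; secedit /configure with the same database applies it. Run the analysis on a domain controller before applying RestrictAnonymous 2 or a LAN Manager level above 2, since both can cut off down-level clients and trusts.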

