CHAPTER 17

CONFIGURING GROUP POLICY AND LOCAL SECURITY POLICY

 

 

Lesson 1:  Configuring Account Policies

 

Password policy allows you to improve security on your computer by controlling how passwords
are created and managed.  You can specify the maximum length of time a password can be used
before the user must change it.  You can also set the minimum password length.

 

You can configure Password Policy on a computer running Windows 2000 Professional by using
Group Policy or Local Security Policy.  You use Group Policy to configure Password Policy as
follows:

 

 

  •   Use MMC to create a custom console, add the Group Policy snap-in and save it with
      the name Group Policy.
  •   Expand Local Computer Policy, and under Computer Configuration expand Windows Settings/
      Security Settings/Account Policies/Password Policy.
  •   Select the settings on the Action menu/ Security.

 

 

Password Policy Settings

 

======================================================================
Setting                   Description
======================================================================

Enforce Password          How many passwords to keep.  A value of 0
History                   indicates that no password history is being
                          kept.  This is the default.  The range is
                          0-24.

Maximum Password Age      The number of days before the user changes
                          the password.  A value of 0 means the
                          password will not require changing.  The
                          default is 42 days.  The range is 0-999
                          days.

Minimum Password Age      The number of days the user must keep the
                          password before changing it.  A value of 0
                          means the password must be changed
                          immediately.  This is the default.  Setting
                          a minimum age prevents people from entering
                          10 password changes in a row in order to
                          reuse their favorite password.  The range
                          is 0-999.

Minimum Password Length   The range is 0-14.  A value of 0 means no
                          password is required.  0 is the default
                          value.  Policy for site, a geographic
                          location with an IP address.

Passwords Must Meet       The options are enabled or disabled.
Complexity Requirements   Disabled is the default.  A combination of
                          capitals, numerals and punctuation is
                          required.

Store Password Using      The options are enabled or disabled.  The
Reversible Encryption     default is disabled.  Only used if Windows
for All Users in the      2000 Professional is in a domain.
Domain

======================================================================

winpro17.html                                                PAGE 2                                                      2001/12/18

 

 

 

Configuring Account Lockout Policy

 

If no account lockout policy is in place, an unauthorized user can repeatedly try to break into
your computer.

 

 

Lesson Summary:

 

  •   The Windows 2000 Local Security Settings window allows you to improve the security on
      your computer by making it more difficult for an unauthorized user to gain access.
  •   Setting password policy allows you to manage the passwords used on your computers.
  •   If no Account Lockout policy is in place, unauthorized users can repeatedly try to break
      into your computer.

 

 

Lesson 2:  Configuring Security Options

 

The Security Options node lives under the Local Policies node.  Close to 40 additional security
options are available here that allow you to increase the effective security on your computer.

 

 

Shutting Down the Computer Without Logging On:

By default, Windows 2000 Professional doesn’t require a user to be logged on to the computer to
shut it down.  Security Options allows you to disable this feature and force users to log on to
the computer before it can be shut down.

 

 

 


 

 

 

 

Clear Virtual Memory Pagefile When System Shuts Down

 

By default, Windows 2000 Professional doesn’t clear the virtual memory pagefile when the
system is shut down.  To enable this feature and clear the pagefile each time the system is
shut down, open the Group Policy snap-in, expand Local Computer Policy, expand
Computer Configuration, expand Windows Settings, expand Security Settings, expand
Local Policies, and then select Security Options.  Right-click Clear Virtual Memory Pagefile
When System Shuts Down and then click Enabled or Disabled.

 

 

Disable CTRL+ALT+DEL Requirement for Logon

 

By default, Windows 2000 Professional requires users to press CTRL+ALT+DEL to
log on to the computer.  Disabling this requirement reduces the security of the computer.
The CTRL+ALT+DEL requirement eliminates the Trojan horse program waiting to capture your
password.  You set this option using the Group Policy snap-in.

 

 

Do not Display Last User Name in Logon Screen

 

By default, Windows 2000 Professional displays the last user name to log on.

 

To enable this option and prevent the last user name from being displayed, in the Group
Policy snap-in, expand Local Computer Policy/Computer Configuration/Windows Settings/
Security Settings/Local Policies in the console tree, and then select Security Options.

 

You should disable the display of the last user name for security purposes.

 

 

Lesson Summary:

 

  •   Require CTRL+ALT+DELETE at logon to keep a Trojan horse application from stealing a
      user's password.
  •   You can increase security by not displaying the last user logged on to the network.
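
An added example, not part of the original notes: a Python check that reads the Lesson 1 account-policy settings and the Lesson 2 security options from a security template (.inf) and reports each one left at a value the chapter describes as weak. The sample template is constructed, the registry paths in it are assumed (only the value name is matched), and LockoutBadCount stands in for the account lockout policy.

```python
import configparser

# Constructed sample in security-template (.inf) layout, set to the defaults the
# chapter lists. Registry paths are assumed; only the value name is checked.
SAMPLE_INF = r"""
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
"""

# Setting name -> (values that weaken security, finding text).
WEAK = {
    "PasswordHistorySize":     ({0}, "no password history kept"),
    "MaximumPasswordAge":      ({0, -1}, "passwords never expire"),  # -1: assumed template form of "never"
    "MinimumPasswordAge":      ({0}, "history can be cycled in one sitting"),
    "MinimumPasswordLength":   ({0}, "blank passwords allowed"),
    "PasswordComplexity":      ({0}, "complexity not enforced"),
    "ClearTextPassword":       ({1}, "reversible encryption enabled"),
    "LockoutBadCount":         ({0}, "no account lockout"),
    "ShutdownWithoutLogon":    ({1}, "shutdown allowed without logon"),
    "ClearPageFileAtShutdown": ({0}, "pagefile not cleared at shutdown"),
    "DisableCAD":              ({1}, "CTRL+ALT+DEL not required"),
    "DontDisplayLastUserName": ({0}, "last user name shown at logon"),
}

def audit(inf_text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str                      # keep the template's key case
    cp.read_string(inf_text)
    findings = []
    for section in cp.sections():
        for key, raw in cp[section].items():
            name = key.rsplit("\\", 1)[-1]    # registry path -> value name
            if name in WEAK:
                data = raw.rsplit(",", 1)[-1].strip().strip('"')  # "4,1" -> "1"
                weak_values, msg = WEAK[name]
                if int(data) in weak_values:
                    findings.append(f"{name}: {msg}")
    return findings
```

Run against the constructed sample, `audit(SAMPLE_INF)` reports eight findings, one for each default in the chapter that leaves the machine weaker than it needs to be. A template exported with secedit is typically UTF-16 text, so decode it accordingly before passing it to `audit()`.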