Home > Articles

  • Print
  • + Share This
From the author of

Policies

One of the most powerful security configuration features of Windows 2000 is group policy. Group policies provide a mechanism for enforcing security settings across groups of computers, regardless of the user who logs onto that computer, or groups of users, regardless of the computer used for logon. Policies contain entries that specify security permissions for a wide variety of computing functions, ranging from restricting the use of floppy drives to encrypting or signing communication. Group policies can be applied to Windows 2000 sites, domains, and Organizational Units, or can be used in combination. Each site, domain, or OU can have multiple policies defined at the same time. Site policies are applied first; then domain and then OU policies are applied, each overwriting any conflicting settings. For this reason, policies should be planned carefully to avoid unexpected results after all policy levels have been applied. It is also important to mention that each computer policy must be downloaded to the target computers during startup, and each user settings policy must be downloaded during logon. The time required to process policies (machine startup and logon) is directly related to the number of policies being applied and the number of settings in each policy.

You can use the security configuration options within policies to help secure your Exchange implementation. For example, you can specify that Exchange servers encrypt all communication with clients that are capable of supporting encryption, or you can require Kerberos authentication between clients and Exchange servers.

Site-based policies are defined in the Active Directory Sites and Services snap-in. Group policies are defined in the Users and Computers snap-in by right-clicking the target domain or OU and choosing Properties. The Group Policy tab contains all policy objects that apply.

TIP

Like all other objects in the Active Directory, group policy objects can be secured using access control lists. Policies have the potential for large-scale impact in your organization, so be judicious when assigning permissions that will allow modification to group policy objects.

To add a new policy, choose New, type a descriptive name for the policy, and then click the Edit button. Several of the configuration options within the Group Policy objects do not relate to security, but several security settings are available. Configuration of these settings will depend on your computing environment and your level of security tolerance. For example, in a pure Windows 2000 environment, all client and server communication can be encrypted to protect data in transmission. With down-level or non-Windows clients, this might not be possible. In addition, some organizations might not be concerned about communication between internal systems, only computers outside of the corporate network.

Security Templates

In an effort to simplify the application of Group Policies, Windows 2000 is equipped with security templates. These templates are preconfigured policy settings for various network situations. For example, the HISECWS.INF template can be used as a starting point for applying a group policy that defines a highly secured workstation. As expected, the highly secured workstation policy includes digital signing and encryption of network communication, not displaying the last logged-on user, disconnecting idle sessions, and handling password requirements such as minimum character length, expirations, and password history. Applying these settings within your organization can assist in maintaining a secure messaging system. If necessary, you can create custom policy templates to apply against groups of Exchange servers or Exchange clients with special security needs.

To apply a security template, open the group policy object and navigate to Computer Configuration, Windows Settings. Right-click Security Settings and choose Import Policy. By default, security policy templates are stored in \WINNT\SECURITY\TEMPLATES. The default templates are outlined in Table 1. Highlight a template file (INF) and choose Open. After the template is applied, you can modify any of the options that are selected or ignored.

Table 1-The Default GPO Templates

Template Name

Description

Basicdc.inf

Basic domain controller: Default settings for Windows 2000 domain controller. Reverts server to the same configuration as a new installation, with the exception of User Rights and Group Membership.

Basicsv.inf

Basic server: Default settings for Windows 2000 server. Reverts server to the same configuration as a new installation, with the exception of local User Rights and Group Membership.

Basicwk.inf

Basic workstation: Default settings for Windows 2000 professional. Reverts workstation to the same configuration as a new installation, with the exception of local User Rights and Group Membership.

Compatws.inf

Compatible workstation: Relaxes default security settings so that earlier applications can run effectively. Required for Office 97. Can be applied to both Windows 2000 standalone servers and workstations.

Securedc.inf

Secure domain controller: Increases security settings in account policies, auditing, and the Registry.

Securews.inf

Secure workstation: Increases security settings in account policies, auditing, the Registry, and removes all accounts from the Power Users group. Can be applied to both Windows 2000 workstations and standalone servers.

Hisecdc.inf

High security domain controller: Highest security configuration that can be used only in native mode. All communication is sent signed and encrypted. Results in an incapability to communicate with most down-level Windows clients.

Hisecws.inf

High-security workstation: Highest security configuration that requires all communication to be signed and encrypted. Modifies security configuration for Power Users to limit unsecure activities such as the installation of non-Windows 2000 certified applications. Can be applied to both Windows 2000 workstations and standalone servers.

Notssid.inf

No Terminal Services SID—Used to remove user's Terminal Services SID from the file system and Registry. This process ensures that Terminal Server users follow the same security configuration policy as regular users.

Ocfiless.inf

Optional components for servers: Security settings for optional components that can be selected during setup or Add/Remove programs. Can be applied to all Windows 2000 servers.

Ocfilesw.inf

Optional components for workstations: Security settings for optional components that can be selected during setup or from Add/Remove Programs.


TIP

Policy settings can be overwritten by other policies that are applied later in the list. To prevent policy settings from being overwritten by another policies settings, highlight the policy and choose the Options button. From here, you can specify No Override to ensure that the Group Policy settings are not modified by subsequent policies. Be sure that you understand the implications of this setting on the group policy architecture before choosing to use it.

  • + Share This
  • 🔖 Save To Your Account