Microsoft Windows 2000 Local computer Policies

Windows 2000 Professional is designed to be used as network client for a Windows 2000(and Windows NT) network or as a standalone operating system where user accounts are used to govern or control access.

User Accounts

Used to uniquely identify a user to the system using a named user account and a password

Domain user account

Exit s throughout a domain and can be used on any computer that is a member of the domain

* Can be used to grant access to network resources
* Can be used to grant access to local resources

Groups

Collection of users and each member of a group takes on the access privileges or restrictions defined for that group

Profiles

Is a stored snapshot of a user’s desktop environment setting. Can exit on a single computer or can be configured to follow a user around a network, regardless of what workstation is used.

Policies

Is a set of configuration options that defines aspects of Windows 2000 security. Security policies are used to defined for a user, a computer or a group to restrict the computing environment

Administrator

* Is the most powerful user account available in the Windows 2000 environment
* The account has unlimited access and unrestricted privileges to every aspect of Windows 2000
* Account also has unrestricted ability to manage all security setting, other users, groups, printers, shares and storage devices

The Administrator account has the following characteristics:

* It can not be deleted
* It can not be LOCKED OUT (disabled because of repeated failed logon attempts)
* It can not be DISABLED (made unusable for logon)
* It can be renamed

Guest

* This account has limited access to resources and computer activities
* You should set a new password for the Guest account and it should be used only by authorised one-time users or users with low-security access

The Guest account has the following characteristics:

* It can not deleted
* It can be locked out
* It can be disabled (it is disabled by default)
* It can have a blank password (it is blank by default)
* It can renamed

Naming Conventions

Two common rules follow:

* User names are constructed from the first and last name of the user, plus a code identify his or her job tittle or department: for example, BobSmithAccounting or SmithBobAccounting
* Group names are constructed from resource types, department names, location names, project names and combination of all three: for example, Accounting01, AustinUsers, BigProject01, etc

Regardless of what naming convention is deployed, it needs to address the following four elements:

* It must be consistent across all objects
* It must be easy to use and understand
* New names should be easily constructed by mimicking the composition of exiting names
* An object’s name should clearly identify that object’s type

Local Security Policy

Windows 2000 has combined several security and access controls into a centralised policy. This centralised policy is called the group policy. A group policy is an MMC snap-in that is used to specify user’s desktop settings. There are group policies for local computers, groups and domains and ORGANISATIONAL UNITS (Ous) which contain users, groups, resources and other OUs

All group policy types can be managed from a Windows 2000 Server system, but only a local computer group policy can be managed from a Windows 2000 Professional system.

Group policies are applied in the following order:

1. Any exiting legacy Windows NT 4.0 Ntconfig.pol file is applied
2. Any unique local group policy is applied (that is, the group policy for the local machine)
3. Any sites group policies are applied
4. Any domain group policies are applied
5. Any OU group policies are applied

The order of application of these policies is important because contradictory settings in later policies will override the settings of the former policies.

Password Policy

Defines the restrictions on password. This policy is used to enforce strong passwords for a more secure environment.

Account lockout Policy

Defines the conditions that result in a user account being locked out. Lockout is used to prevent brute force attacks against user accounts. For example, if a user tries to log on and is unsuccessful more than 5 times, it is a good idea to lock that user out.

User Rights Policy

Defines which groups or users can perform specific privileged actions. For examples, you may want to give a group, such as Power Users, the right to add a workstation to a domain

The items in this policy and their defaults setting are:

* Access this computer from the network - Everyone, User, Power Users, Backup, Operator,

Administrators

* Add workstations to domain - None
* Act as part of the operating system - None
* Back up files and directories -Backup operators, Administrators
* Bypass traverse checking - Everyone, Users, Power Users, Backup Operators,

Administrators

* Changing the system time - Power Users, Administrators
* Create a pagefile - Administrators
* Create a token object - None
* Create permanent shared objects - None
* Debug programs: Administrators

Security Options

Defines and control various security features, functions and controls of the Windows 2000 environment. For example, you can disable the option to allow the system to be shut down without having to log on to tighten security.