Objectives
Use this module to achieve the following goals:
• Describe how Group Policy objects are applied in Active Directory
• Design an organizational unit structure to support security management
• Design Group Policy objects to support security management
• Manage security templates
• Manage administrative templates
• Use Group Policy to implement an effective password policy
• Use Group Policy to implement an effective account lockout policy
• Determine which users can add workstations to the domain
• Make sure that users are logged off when their allowed logon hours expire
• Use the Group Policy management tools to update policy and view the results of Group Policy application
Scope of application
This module is suitable for the following products and technologies:
• Windows XP Professional clients in Windows Server 2003 domains
• Windows XP Professional clients in Windows 2000 domains, WINDOWS
How to use this module
This module provides a method and describes the steps required to secure Windows XP Professional clients in a Windows Server 2003 or Windows 2000 Active Directory domain.
To get the most out of this module:
• Read Module 1, "Introduction to the Windows XP Security Guide," in this guide. That module defines the enterprise client environment and the high security environment referenced in this module.
• Use the checklist. The "Configuring the Active Directory Domain Infrastructure" checklist in the "Checklist" section of this guide provides a printable job aid for quick reference. Use the task-based checklists to quickly evaluate which steps are required and to help you work through them.
• Use the "Windows XP Security Guide Settings" spreadsheet provided with this guide. It can help you document the settings made in your environment.
• Use the accompanying solutions. This guide refers to the following how-to articles (all in English):
  • "How To: Prevent Users from Changing a Password Except When Required in Windows Server 2003"
  • "How To: Prevent Users from Changing a Password Except When Required in Windows 2000"
Group Policy
Group Policy is a feature of the Microsoft® Active Directory® directory service that can be used to change user and computer settings and to manage configuration in Microsoft Windows Server™ 2003 and Microsoft Windows® 2000 Server domains. However, you need to perform certain preliminary steps in the domain before applying Group Policy to the Microsoft Windows XP Professional clients in your environment.
Group Policy settings are stored in Group Policy objects (GPOs) in the environment. GPOs are linked to containers, which include Active Directory sites, domains, and organizational units (OUs). Because Group Policy is so closely integrated with Active Directory, it is important to have a basic understanding of Active Directory structure and of the security implications of different design options before implementing Group Policy. For more information on Active Directory design, see Module 2, "Configuring the Domain Infrastructure," of the Windows Server 2003 Security Guide.
Table 2.1: Benchmark Security Template
Description | Enterprise client | High security
Benchmark security template for clients | Enterprise Client - Domain.inf | High Security - Domain.inf
OU design to support security management
An OU is a container within an Active Directory domain. An OU can contain users, groups, computers, and other organizational units, which are called child OUs. A GPO can be linked to an OU, which is the lowest-level container in the Active Directory hierarchy. You can also delegate administrative authority to an OU. OUs provide a simple way to group users, computers, and other security principals, and they provide an effective way to divide administrative boundaries. Assign users and computers to separate OUs, because some settings apply only to users and others apply only to computers. Control over a group or an individual OU can be delegated with the Delegation of Control Wizard, which is available as part of the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. For links to documents on delegating authority, see the "Additional Information" section of this module.
One main objective of the OU structure designed for any environment is to provide a foundation for a seamless Group Policy implementation that covers all workstations in Active Directory while ensuring that they meet your organization's security standards. Another goal of the OU design is to provide appropriate security settings for specific types of users in your organization. For example, developers may be allowed to perform operations on their workstations that ordinary users are not permitted to perform. The security requirements for portable computers can also differ slightly from those for desktop computers. The following figure illustrates a simple OU structure that is sufficient for the Group Policy discussion in this module. This OU structure may differ from the organizational requirements of your environment.
Figure 2.1: OU structure for Windows XP computers
Department OU
Because security requirements often vary within an organization, it can make sense to create department OUs in your environment. Department security settings can be applied through a GPO to the computers and users in their respective department OUs.
Secure XP User OU
This OU contains the accounts for users in both the enterprise client and high security environments. The settings applied to this OU are discussed in the "User Configuration" section of Module 4, "Windows XP Administrative Templates."
Windows XP OU
This OU contains child OUs for each type of Windows XP client in the environment. This guide includes guidance for desktop and portable computer clients. For this reason, a Desktop Computer OU and a Portable Computer OU have been created.
• Desktop Computer OU: This OU contains desktop computers that are always connected to your corporate network. The settings applied to this OU are discussed in Module 3, "Windows XP Client Security Settings," and Module 4, "Windows XP Administrative Templates."
• Portable Computer OU: This OU contains portable computers that are not always connected to your corporate network. The settings applied to this OU are discussed in Module 3, "Windows XP Client Security Settings," and Module 4, "Windows XP Administrative Templates."
GPO design to support security management
Use GPOs to ensure that specific settings, user rights, and behavior are applied to all workstations or users in an OU. Using Group Policy rather than manual steps makes it simple to update workstations or users when additional changes are required in the future. The alternative to applying these settings through GPOs is to send a technician to configure them manually on each client.
Figure 2.2: GPO application order
The figure above shows the order in which GPOs are applied to a computer that is a member of the child OU. First, Group Policy is applied from the local policy of each Windows XP workstation. After the local policy is applied, any GPOs at the site level and then the domain level are applied.
For Windows XP clients nested several OU layers deep, GPOs are applied in order from the highest OU level in the hierarchy to the lowest. The last GPO applied comes from the OU that contains the client computer. This GPO processing order (local policy, site, domain, parent OU, and child OU) is significant because GPOs applied later in the process replace GPOs applied earlier. User GPOs are applied in the same way; the only difference is that user accounts do not have local security policies.
Keep the following considerations in mind when designing Group Policy.
• An administrator must set the order in which multiple GPOs are linked to an OU; otherwise, by default, policy is applied in the order in which it was linked to the OU. If the same setting is configured in multiple policies, the policy that is highest in the policy list for the container takes precedence.
• You can configure a GPO with the No Override option. When this option is selected, other GPOs cannot replace the settings configured in this policy.
• You can configure Active Directory sites, domains, or OUs with the Block Policy inheritance option. This option blocks GPO settings from GPOs higher in the Active Directory hierarchy unless those GPOs have the No Override option selected.
• Group Policy settings apply to users and computers according to where the user or computer object is located in Active Directory. In some cases, policy may need to be applied to user objects according to the location of the computer object rather than the user object. The Group Policy loopback feature enables administrators to apply user Group Policy settings based on the computer the user logs on to. For more information on loopback support, see the Group Policy white paper listed in the "Additional Information" section of this module.
The figure below expands the basic OU structure to show how GPOs are applied to clients that run Windows XP and belong to the Portable Computer OU and the Desktop Computer OU.
Figure 2.3: Expanded OU structure, including security GPOs for desktop and portable computers running Windows XP
In the example above, the portable computers are members of the Portable Computer OU. The first policy applied is the local security policy on the portable computer running Windows XP. Because there is only one site in this example, no GPO is applied at the site level, and the domain GPO is the next policy applied. Finally, the portable computer GPO is applied.
Note: The desktop computer policy is not applied to any portable computer because it is not linked to any OU in the hierarchy that contains the Portable Computer OU. In addition, the Secure XP User OU does not have a corresponding security template (.inf file) because it only includes settings from administrative templates.
As an example of how GPOs take precedence over one another, assume that the Windows XP OU policy sets "Allow log on through Terminal Services" to the "Administrators" group, and that the portable computer GPO sets "Allow log on through Terminal Services" to the "Power Users" and "Administrators" groups. In this case, users in the "Power Users" group can log on to portable computers through Terminal Services, because the Portable Computer OU is a child of the Windows XP OU. If the No Override policy option is enabled in the Windows XP GPO, only accounts in the "Administrators" group are allowed to log on to the clients through Terminal Services.
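The processing order and the two override options described above can be modelled as a small resolver. This is an added example, not code from the guide: `Gpo`, `Container`, `effective_settings`, and the sample values are hypothetical. `no_override` stands for the option that stops other GPOs replacing a GPO's settings and `block_inheritance` for the option that blocks GPOs linked higher in the hierarchy; the tie-break among several GPOs marked `no_override` follows Active Directory behaviour that this module does not describe.

```python
from dataclasses import dataclass, field

TS_RIGHT = "Allow log on through Terminal Services"


@dataclass
class Gpo:
    name: str
    settings: dict
    no_override: bool = False  # other GPOs cannot replace this GPO's settings


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # index 0 = top of the link list
    block_inheritance: bool = False  # ignore GPOs linked higher in the hierarchy


def effective_settings(local_policy, chain):
    """Return {setting: (value, source)} for one computer.

    local_policy: settings from the workstation's local policy (applied first).
    chain: containers ordered site, domain, parent OU, ..., OU holding the computer.
    """
    # GPOs linked above the deepest blocking container are dropped unless
    # they are marked no_override.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)

    normal, enforced_by_depth = [], []
    for depth, container in enumerate(chain):
        # The bottom of the link list is applied first, so the top entry wins.
        ordered = list(reversed(container.links))
        enforced_by_depth.append([g for g in ordered if g.no_override])
        if depth >= barrier:
            normal.extend(g for g in ordered if not g.no_override)

    result = {k: (v, "Local policy") for k, v in local_policy.items()}
    for gpo in normal:  # a GPO applied later replaces earlier values
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    # no_override GPOs go last, lowest container first, so the one linked
    # highest in the hierarchy has the final word (AD behaviour, not from the page).
    for group in reversed(enforced_by_depth):
        for gpo in group:
            for key, value in gpo.settings.items():
                result[key] = (value, gpo.name)
    return result


def portable_computer_example(enforce_xp_gpo=False, block_at_portable_ou=False):
    """The portable computer scenario from the text, with constructed values."""
    domain_gpo = Gpo("Domain GPO", {"Example domain setting (constructed)": "on"})
    xp_gpo = Gpo("Windows XP GPO", {TS_RIGHT: ("Administrators",)},
                 no_override=enforce_xp_gpo)
    portable_gpo = Gpo("Portable Computer GPO",
                       {TS_RIGHT: ("Administrators", "Power Users")})
    chain = [
        Container("Site"),  # single site, no GPO linked
        Container("Domain", [domain_gpo]),
        Container("Windows XP OU", [xp_gpo]),
        Container("Portable Computer OU", [portable_gpo],
                  block_inheritance=block_at_portable_ou),
    ]
    local = {TS_RIGHT: ("Administrators",)}  # constructed local policy value
    return effective_settings(local, chain)


if __name__ == "__main__":
    for enforce in (False, True):
        value, source = portable_computer_example(enforce_xp_gpo=enforce)[TS_RIGHT]
        print(f"no_override on Windows XP GPO={enforce}: {value} (from {source})")
```

Running the resolver over a planned OU design before linking GPOs shows which GPO supplies each setting, which is the question the figure answers for a single computer.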
Security templates
Security templates used with Group Policy are text-based files. These files can be changed with the Security Templates MMC snap-in or with a text editor such as Notepad. Some of the template files contain specific access control lists (ACLs) defined in the Security Descriptor Definition Language (SDDL). For more information on editing security templates and on SDDL, see the "Additional Information" section of this module.
Security template management
It is very important to store the security templates used in a production environment in a secure location in the infrastructure. Access to the security templates should be granted only to the administrators responsible for implementing Group Policy. By default, security templates are stored in the %SystemRoot%\Security\Templates folder on computers running Windows XP and Windows Server 2003.
This folder is not replicated across multiple domain controllers. Therefore, you need to select one domain controller to hold the master copy of the security templates so that you do not run into version control problems with the templates. This best practice ensures that you are always modifying the same copy of the templates.
Importing a security template
Use the following procedure to import a security template.
• To import a security template into a GPO:
1. Navigate to the Windows Settings folder in the Group Policy Object Editor.
2. Expand the Windows Settings folder and select Security Settings.
3. Right-click the Security Settings folder, and then click Import Policy....
4. Select the security template that you want to import and click Open. The settings in the file are imported into the GPO.
Administrative templates
Additional security settings are available in Unicode-based files called administrative templates. Administrative templates are files that contain registry settings affecting Windows XP and its components, as well as other applications such as Microsoft Office XP. Administrative templates can include computer settings and user settings. Computer settings are stored in the HKEY_LOCAL_MACHINE registry hive. User settings are stored in the HKEY_CURRENT_USER registry hive.
Administrative template management
As with the best practice for storing security templates described above, it is very important to store the administrative templates used in a production environment in a secure location in the infrastructure. Only the administrators responsible for implementing Group Policy should have access to this location. The administrative templates included with Windows XP and Windows Server 2003 are stored in the %SystemRoot%\Inf directory. Additional templates for Office XP are included with the "Office XP Resource Kit." These templates are replaced when service packs are released, so they should not be edited.
Adding an administrative template to a policy
In addition to the administrative templates included with Windows XP, apply the Office XP templates to the GPOs in which you want to configure Office XP settings. Use the following procedure to add another template to a GPO.
• To add an administrative template to a GPO:
1. Navigate to the Administrative Templates folder in the Group Policy Object Editor.
2. Right-click the Administrative Templates folder and click Add/Remove Templates.
3. In the Add/Remove Templates dialog box, click Add.
4. Navigate to the folder that contains the administrative template files.
5. Select the template that you want to add, click Open, and then click Close.
Domain-level Group Policy
Domain-level Group Policy includes settings that apply to all computers and users in the domain. Domain-level security is described in detail in the "Windows Server 2003 Security Guide" at http://go.microsoft.com/fwlink/?linkid=14845.
Password policy
Complex passwords that change regularly reduce the likelihood of a successful password attack. Password policy settings control the complexity and lifetime of passwords. This section discusses each password policy setting for the enterprise client and high security environments.
Configure the following values in the domain Group Policy at this location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
The following tables contain the password policy recommendations for the two security environments defined in this guide.
Enforce password history
Table 2.2: Setting
Domain controller default | Enterprise client | High security
24 passwords remembered | 24 passwords remembered | 24 passwords remembered
The Enforce password history setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords remembered. The default value for Windows XP is 0 passwords, but the default setting in a domain is 24 passwords remembered. To maintain the effectiveness of the password history, use the Minimum password age setting to prevent users from changing their passwords repeatedly to get around the Enforce password history setting.
For the two security environments defined in this guide, the Enforce password history setting is configured to "24 passwords remembered." The maximum value strengthens password security by ensuring that users cannot easily reuse passwords, whether accidentally or on purpose. It also helps ensure that a password obtained by an attacker expires before it can be used against the user's account. There are no known issues with setting this value to the maximum.
Maximum password age
Table 2.3: Setting
Domain controller default | Enterprise client | High security
42 days | 42 days | 42 days
This setting ranges from 1 to 999 days. To specify that passwords never expire, set the value to 0. This setting defines how long an attacker who has cracked a password can use it to access a computer on the network before the password expires. The default value of this setting is 42 days.
For the two security environments defined in this guide, the Maximum password age setting is configured to "42 days." Most passwords can be cracked, so the more frequently a password changes, the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the greater the likelihood of an increase in calls to help desk support. Setting Maximum password age to 42 days ensures that passwords are cycled periodically, which increases password security.
Minimum password age
Table 2.4: Setting
Domain controller default | Enterprise client | High security
1 day | 2 days | 2 days
The Minimum password age setting determines the number of days that a password must be used before the user can change it. The value of this setting ranges from 1 to 998 days, or it can be set to 0 to allow passwords to be changed immediately. The default value of this setting is 0 days.
The value of the Minimum password age setting must be less than the value specified for the Maximum password age setting, unless the Maximum password age setting is 0 (which means passwords never expire). If the Maximum password age setting is 0, the Minimum password age setting can be configured to any value between 0 and 999.
If you want Enforce password history to be effective, configure this value to be greater than 0. If the Minimum password age setting has no value, users can cycle through passwords repeatedly until they reach the old password they want. The default value of this setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-assigned password at logon. If Enforce password history is set to "0", the user does not have to choose a new password.
For the two security environments defined in this guide, the Minimum password age setting is configured to "2 days." The value "2 days" is appropriate when this setting is used together with a similarly short value for the Enforce password history setting. This restriction ensures that users must wait 2 days before changing their passwords, which prevents them from cycling back to the same password. The value also forces users to use a password for at least 2 days before resetting it, which encourages them to remember the new password. It also stops users from getting around the Enforce password history restriction by quickly setting 24 new passwords.
Minimum password length
Table 2.5: Setting
Domain controller default | Enterprise client | High security
7 characters | 8 characters | 12 characters
The Minimum password length setting requires that passwords contain a specified number of characters. Long passwords (eight or more characters) are usually stronger than short ones. With this setting, users cannot use blank passwords and must create passwords of a certain length. The default value of this setting is 0 characters.
Adding password complexity requirements reduces the likelihood of a dictionary attack, in which an attacker tries known words from a dictionary and a large number of commonly used passwords in an attempt to guess a password. Complexity requirements are discussed in the next part of this module. Passwords that are too short reduce security because they are easily cracked with tools that perform dictionary or brute force attacks against the passwords. In a brute force attack, the attacker tries to find a secure password or a symmetric encryption key by trying every possible password or key until the correct one is found. Requiring passwords that are too long can generate many mistyped passwords and lead to more account lockouts and more related help desk calls. In addition, requiring passwords that are too long can actually reduce the security of an organization, because users are likely to write their passwords down to avoid forgetting them.
On the other hand, each additional character in a password increases its complexity exponentially. Requiring passwords of at least 8 characters strengthens even the weaker LM hash, because the longer passwords require an attacker to crack two portions of each password instead of one. If a password is 7 characters or fewer, the second half of the LM hash resolves to a specific value that tells an attacker the password is shorter than 8 characters.
Much time has been spent on the argument that, if the LM hash is stored, an 8-character password is less secure than a 7-character password. If a password is seven characters or fewer, the second half of the LM hash resolves to a specific value that tells an attacker the password is shorter than eight characters. Requiring passwords of at least eight characters strengthens even the weaker LM hash, because the longer passwords require an attacker to decrypt two portions of each password instead of one. Because both halves of the LM hash can be attacked in parallel, and the second half of the LM hash is only 1 character long, it succumbs to a brute force attack in milliseconds, so it does not really improve the security of the environment much unless the password uses the ALT character set.
Longer passwords are always better. If the LM hash is not stored, 8-character passwords are much more secure than 7-character passwords. For these reasons, Microsoft recommends using longer passwords in place of shorter ones.
In the enterprise client environment, make sure that the Minimum password length setting is configured to the default value of "8 characters." This password setting is long enough to provide adequate security, but it is still short enough for users to remember easily. In the high security environment, the value is configured to "12 characters."
Password must meet complexity requirements
Table 2.6: Setting
Domain controller default | Enterprise client | High security
Enabled | Enabled | Enabled
The Password must meet complexity requirements setting checks all new passwords to ensure that they meet the basic requirements for strong passwords. By default, the value of this setting in Windows XP is "Disabled," but the setting is "Enabled" in a Windows Server 2003 domain.
In addition, each additional character in a password increases its complexity exponentially. For example, a seven-character password has 26^7, or 1 x 10^7, possible combinations. A seven-character, case-sensitive alphabetic password has 52^7 combinations. A seven-character, case-sensitive alphanumeric password without punctuation has 62^7 combinations. At 1,000,000 attempts per second, it would take only 48 minutes to crack. An eight-character password has 26^8, or 2 x 10^11, possible combinations. On the surface, this might seem an enormous number. However, at 1,000,000 attempts per second (a capability of many password-cracking tools), it would take only 59 hours to try all possible passwords. Keep in mind that these times increase greatly for passwords that use ALT characters and other special keyboard characters (such as ! or @).
Combining these settings makes brute force attacks difficult, if not impossible.
Store password using reversible encryption for all users in the domain
Table 2.7: Setting
Domain controller default | Enterprise client | High security
Disabled | Disabled | Disabled
The Store password using reversible encryption for all users in the domain setting determines whether the operating system stores passwords using reversible encryption. This setting supports applications that need to know the user's password for authentication purposes. Storing passwords with reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. The default value of this setting is "Disabled."
This policy is required when the Challenge Handshake Authentication Protocol (CHAP) is used through remote access or Internet Authentication Service (IAS). It is also required when Digest Authentication is used in Microsoft Internet Information Services (IIS). Make sure that the Store password using reversible encryption for all users in the domain setting is "Disabled." This setting is disabled in the Local Security Policy of Windows Server 2003 and in the local security policy of workstations and servers.
Because enabling this setting creates a serious vulnerability, Microsoft recommends enforcing the "Disabled" default value in both environments defined in this guide.
Prevent users from changing passwords (unless required)
In addition to the password policies above, some organizations require centralized control over all users. This section describes how to prevent users from changing their passwords unless they are required to do so.
Centralized control of user passwords is a cornerstone of a well-designed Windows XP security scheme. You can use Group Policy to set minimum and maximum password ages as described above. Keep in mind, however, that requiring frequent password changes can lead users to get around the password history setting. Requiring passwords that are too long can also lead users to forget their passwords, resulting in more calls to the help desk.
Users can change their passwords during the period between the minimum and maximum password age settings. However, the security design for the high security environment requires that users change their passwords only when the operating system prompts them to do so after their passwords have reached the maximum password age. Administrators can configure Windows so that users can change their passwords only when the operating system prompts them to do so. To prevent users from changing their passwords except when required, you can disable the "Change Password..." button in the Windows Security dialog box that appears when you press CTRL+ALT+DELETE.
This configuration can be implemented through Group Policy, or you can implement it for one or more specific users by editing the registry. For detailed instructions on this configuration, see Microsoft Knowledge Base article 324744, "How To: Prevent Users from Changing a Password Except When Required in Windows Server 2003" (…rosoft.com/Default.ASPX SCID = 324744, English). If you have a Windows 2000 domain, see Microsoft Knowledge Base article 309799, "How To: Prevent Users from Changing a Password Except When Required in Windows 2000": http://support.microsoft.com/default.aspx?SCID=309799 (English).
Account lockout policy
Account lockout policy is an Active Directory security feature that locks a user account after a number of failed logon attempts occur within a specified time period. The number of allowed attempts and the time period are based on the values configured for the account lockout settings in the security policy. Users cannot log on to a locked account. Domain controllers track logon attempts, and server software can be configured to respond to this type of potential attack by disabling the account for a preset period of time.
When configuring account lockout policy in an Active Directory domain, an administrator can set any value for the attempt and time period variables. However, if the value of the Reset account lockout counter after setting is greater than the value of the Account lockout duration setting, the domain controller automatically adjusts the value of the Account lockout duration setting to the same value as the Reset account lockout counter after setting.
In addition, if the value of the Account lockout duration setting is lower than the value of the Reset account lockout counter after setting, the domain controller automatically adjusts the value of the Reset account lockout counter after setting to the same value as the Account lockout duration setting. Therefore, if the Account lockout duration setting is defined, the value of the Reset account lockout counter after setting must be less than or equal to it. The domain controller does this to avoid conflicting settings in the security policy. If an administrator configured the Reset account lockout counter after setting to a value greater than the value of the Account lockout duration setting, enforcement of the Account lockout duration value would expire first, so the user could log on to the network again. However, the Reset account lockout counter after setting would continue to count down. The Account lockout threshold setting would therefore remain at its maximum (3 invalid logon attempts), and the user would be unable to log on.
To avoid this, the domain controller automatically resets the value of the Reset account lockout counter after setting to the value of the Account lockout duration setting.
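Because security templates are plain text, the password-age rule and the lockout-counter rule described in this module can be checked before a template is imported into a GPO. The following is an added example, not part of the guide: the key names are those of a template's [System Access] section, the expected values are the ones in this module's tables, the sample template is constructed, and values are read with the meanings this module gives (0 = never expires, or locked until an administrator unlocks).

```python
import configparser

# Enterprise client values from this module's tables; keys are the
# [System Access] names used in security template (.inf) files.
BASELINE = {
    "PasswordHistorySize": 24,    # passwords remembered
    "MaximumPasswordAge": 42,     # days
    "MinimumPasswordAge": 2,      # days
    "MinimumPasswordLength": 8,   # characters (12 for high security)
    "PasswordComplexity": 1,      # Enabled
    "ClearTextPassword": 0,       # reversible encryption Disabled
    "LockoutDuration": 30,        # minutes
    "LockoutBadCount": 50,        # invalid logon attempts
    "ResetLockoutCount": 30,      # minutes
}

# Constructed sample template with deliberate drift from the baseline.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
LockoutBadCount = 50
ResetLockoutCount = 60
LockoutDuration = 30
"""


def parse_system_access(text):
    """Return the integer settings of the [System Access] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written in the template
    parser.read_string(text)
    if not parser.has_section("System Access"):
        return {}
    values = {}
    for key, raw in parser.items("System Access"):
        try:
            values[key] = int(raw)
        except ValueError:
            pass  # non-numeric entries are outside this check
    return values


def check_template(text, level="enterprise"):
    """Return a list of (key, message) findings for a template."""
    v = parse_system_access(text)
    expected = dict(BASELINE)
    if level == "high":
        expected["MinimumPasswordLength"] = 12
    findings = []
    for key, want in expected.items():
        got = v.get(key)
        if got != want:
            shown = "not defined" if got is None else got
            findings.append((key, f"is {shown}, guide value is {want}"))

    min_age, max_age = v.get("MinimumPasswordAge"), v.get("MaximumPasswordAge")
    # Minimum age must be below maximum age unless maximum age is 0 (never expires).
    if max_age and min_age is not None and min_age >= max_age:
        findings.append(("age-order", "minimum password age is not below maximum"))
    # With a minimum age of 0 a user can cycle through the history immediately.
    if v.get("PasswordHistorySize", 0) > 0 and min_age == 0:
        findings.append(("history-bypass", "history is set but minimum age is 0"))
    duration, reset = v.get("LockoutDuration"), v.get("ResetLockoutCount")
    # The reset counter must not exceed a defined, non-zero lockout duration;
    # otherwise the domain controller adjusts the values to match.
    if duration and reset is not None and reset > duration:
        findings.append(("lockout-order", "reset counter exceeds lockout duration"))
    return findings


if __name__ == "__main__":
    for key, message in check_template(SAMPLE_TEMPLATE):
        print(f"{key}: {message}")
```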
These security policy settings help prevent attackers from guessing user passwords and reduce the likelihood of successful attacks on your network environment. You can configure the values in the following tables in the domain Group Policy at this location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
The following tables contain the account lockout policy recommendations for the two security environments defined in this guide.
Account lockout duration
Table 2.8: Setting
Domain controller default | Enterprise client | High security
Not defined | 30 minutes | 30 minutes
The Account lockout duration setting determines how much time must elapse before an account is unlocked and the user can try to log on again. The setting does this by specifying the number of minutes that a locked account remains unavailable. If the value of the Account lockout duration setting is configured to 0, locked accounts remain locked until an administrator unlocks them. The Windows XP default value of this setting is "Not defined."
To reduce the number of help desk support calls while still providing a secure infrastructure, the value of the Account lockout duration setting is "30 minutes" for both environments defined in this guide.
Configuring this setting so that accounts never unlock automatically may seem like a good idea, but doing so increases the number of calls that your organization's help desk receives to unlock accounts that were locked by mistake. Configuring the value of this setting for each lockout level helps mitigate denial of service (DoS) attacks. This value also allows users to log on again within 30 minutes of being locked out, which is the period of time they are most likely to accept without turning to the help desk.
Account lock threshold
Table 2.9: Setting
Domain controller default Enterprise client high security level 0 invalid login 50 times invalid login 50 times invalid login
The Account Lock Threshold setting determines how many times a user can try to log in to an account before the account is locked.
Authorized users can lock themselves out of an account in several ways: by mistyping or forgetting the password, or by changing the password on one computer while still logged in to other computers. The computer with the wrong password keeps trying to authenticate the user, and because the password it uses is incorrect, the user account is eventually locked. This issue does not exist for organizations that use only the domain controllers running Windows Server 2003 or earlier. To avoid locking out authorized users, set the account lock threshold to a higher number. The default value of this setting is "0 invalid logins".
For both environments defined in this guide, configure the value of "Account Lock Threshold" to "50 invalid logins".
Because vulnerabilities exist whether or not this setting is configured, separate countermeasures are defined for each possibility. Your organization should weigh the two against each other based on the threats it has identified and the risks it is trying to reduce. There are two options available for this setting.
• Configure the value of "Account Lock Threshold" to "0" to ensure that accounts are never locked. This value prevents DoS attacks that are designed to lock the accounts in the organization. It can also reduce the number of help desk calls, because users cannot accidentally lock themselves out. Because this value does not prevent brute-force attacks, choose it only when both of the following conditions are clearly met:
  • The password policy forces all users to use complex passwords consisting of 8 or more characters.
  • A strong audit mechanism is in place to alert administrators when a series of account lockouts occurs in the organization's environment. For example, the auditing solution should monitor security event 539, which is a logon failure. This event means that the account was locked at the time the login was attempted.
If the above conditions are not met, the second option is:
• Configure the Account Lock Threshold setting to a value high enough that users can mistype their password several times without locking themselves out, while still ensuring that a brute-force password attack will lock the account. In this case, configuring the setting to a certain number of invalid logins (for example, 3 to 5) ensures appropriate security and acceptable usability. This value avoids accidental account lockouts and reduces the number of help desk calls, but it cannot prevent DoS attacks as described above.
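The audit condition above, alerting administrators when a series of account lockouts occurs, can be sketched as a sliding-window check over security event 539. This is an added example, not part of the guide; the record layout, the five-minute window and the account count are assumptions, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

LOCKOUT_EVENT_ID = 539  # logon failure: the account was locked when the login was attempted

# Constructed sample records: (timestamp, event ID, account name).
SAMPLE_EVENTS = [
    ("2004-03-01 09:00:05", 539, "alice"),
    ("2004-03-01 09:00:07", 529, "bob"),     # different event ID, ignored
    ("2004-03-01 09:00:09", 539, "carol"),
    ("2004-03-01 09:00:12", 539, "alice"),   # repeat for the same account
    ("2004-03-01 09:00:20", 539, "dave"),
    ("2004-03-01 09:00:31", 539, "erin"),
    ("2004-03-01 11:30:00", 539, "frank"),   # isolated lockout
]

def find_lockout_bursts(events, window=timedelta(minutes=5), min_accounts=4):
    """Return (start, end, accounts) for each burst in which at least
    min_accounts distinct accounts log event 539 within the window."""
    recent = deque()   # (timestamp, account) pairs still inside the window
    bursts = []
    in_burst = False
    for stamp, event_id, account in sorted(events):
        if event_id != LOCKOUT_EVENT_ID:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        recent.append((when, account))
        # Drop lockouts that have aged out of the window.
        while when - recent[0][0] > window:
            recent.popleft()
        accounts = {name for _, name in recent}
        if len(accounts) >= min_accounts:
            if in_burst:
                # Extend the open burst and keep every account seen in it.
                start, _, seen = bursts[-1]
                bursts[-1] = (start, when, sorted(set(seen) | accounts))
            else:
                bursts.append((recent[0][0], when, sorted(accounts)))
                in_burst = True
        else:
            in_burst = False
    return bursts

if __name__ == "__main__":
    for start, end, accounts in find_lockout_bursts(SAMPLE_EVENTS):
        print(f"{start} to {end}: {len(accounts)} accounts locked: {', '.join(accounts)}")
```

Counting distinct accounts rather than raw events keeps one user's repeated mistakes from raising the alert, while lockouts spread across many accounts in a short period do.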
Reset Account Locking Counter
Table 2.10: Setting
Domain controller default | Enterprise client | High security
Not defined | 30 minutes | 30 minutes
The Reset Account Lock Counter setting determines how much time must pass before the "Account Lock Threshold" counter is reset to zero. The default value of this setting is "Not defined". If the "Account Lock Threshold" is defined, this reset time must be less than or equal to the value of the Account Lock Time setting.
For the two environments defined in this guide, the "Reset Account Lock Counter" setting is configured to "30 minutes".
Leaving this setting at its default, or configuring it to a very long interval, exposes the environment to DoS attacks. An attacker could maliciously perform failed logins against every user in the organization and lock their accounts, as described above. If no policy is defined to reset the account lock, administrators must unlock all of the accounts manually. Conversely, if a reasonable time value is configured for this setting, users are locked out only for that period before all accounts unlock automatically. The recommended value of 30 minutes is therefore the period users are most likely to accept without turning to the help desk.
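The three lock settings in this section depend on each other, so they are worth checking together. The following added example (not part of the guide) checks a security template against the guide's values and the rule that the reset time must not exceed the lock time; LockoutBadCount, ResetLockoutCount and LockoutDuration are the security template key names for the threshold, reset counter and lock time, and the sample template text is constructed.

```python
import configparser

# Values this guide sets for both environments.
GUIDE_VALUES = {
    "LockoutBadCount": 50,    # Account Lock Threshold, invalid logins
    "ResetLockoutCount": 30,  # Reset Account Lock Counter, minutes
    "LockoutDuration": 30,    # Account Lock Time, minutes
}

# Constructed sample in the shape of a security template; not taken from the guide.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 50
ResetLockoutCount = 45
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

def read_system_access(template_text):
    """Return the numeric settings found in the [System Access] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the template's key capitalisation
    parser.read_string(template_text)
    if not parser.has_section("System Access"):
        return {}
    values = {}
    for key, raw in parser["System Access"].items():
        try:
            values[key] = int(raw)
        except ValueError:
            continue  # non-numeric entries are not part of this check
    return values

def check_lockout_policy(template_text):
    """List deviations from the guide's values and from the reset <= lock time rule."""
    settings = read_system_access(template_text)
    findings = []
    for key, expected in GUIDE_VALUES.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} is not defined (guide value: {expected})")
        elif actual != expected:
            findings.append(f"{key} is {actual} (guide value: {expected})")
    threshold = settings.get("LockoutBadCount", 0)
    reset = settings.get("ResetLockoutCount")
    duration = settings.get("LockoutDuration")
    # The rule applies only when a threshold is defined. A non-positive lock time
    # is treated as "locked until an administrator unlocks" (assumption), so any
    # reset time fits inside it.
    if threshold > 0 and None not in (reset, duration) and 0 < duration < reset:
        findings.append(
            f"ResetLockoutCount ({reset}) exceeds LockoutDuration ({duration})")
    return findings

if __name__ == "__main__":
    for finding in check_lockout_policy(SAMPLE_TEMPLATE):
        print(finding)
```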
User authority assignment
Module 3, "Windows XP Client Security Settings", covers user rights assignment in detail. However, one workstation-related user right should be set on all domain controllers, and it is discussed in this module. Modules 3 and 4 of the "Windows 2003 Server Security Guide" provide further information about member server and domain controller settings.
Add a workstation in the domain
Table 2.11: Setting
Domain controller default | Enterprise client | High security
Authenticated Users | Administrators | Administrators
The "Domain Add Workstation" user right allows users to add a computer to a particular domain. For this right to take effect, it must be assigned to the user as part of the domain's default domain controller policy. Users granted this right can add up to 10 workstations to the domain. Users who have been granted the "Creating Computer Objects" permission in Active Directory can also join computers to the domain. Users granted this permission can add an unlimited number of computers to the domain, regardless of whether they have been assigned the "Domain Add Workstation" user right.
By default, all users in the "Authenticated Users" group can add up to 10 computer accounts to the Active Directory domain. These new computer accounts are created in the Computers container.
In an Active Directory domain, each computer account is a full security principal that can authenticate and access domain resources. Some organizations want to limit the number of computers in the Active Directory environment so that they can consistently track, build, and manage them.
Allowing users to add workstations to the domain hinders this effort. It also gives users a way to carry out activities that are harder to trace, because they can create additional unauthorized domain computers.
For these reasons, in the two environments defined in this guide, the "Domain Add Workstation" user right is granted only to the "Administrators" group.
Security Settings
The account policy must be defined in the default domain policy and is enforced by the domain controllers that make up the domain. A domain controller always obtains the account policy from the default domain policy GPO, even if a different account policy is applied to the OU that contains the domain controllers. There are two policies in the security options that also behave like account policies and should be considered at the domain level. You can configure the domain-level Group Policy values in the following tables at the following location in the Group Policy Object Editor:
Computer Configuration / Windows Settings / Security Settings / Local Policy / Security Options
Microsoft Network Server: Automatically log out users when login time expires
Table 2.12: Setting
Domain controller default | Enterprise client | High security
Not defined | Enabled | Enabled
The "Microsoft Network Server: Automatically log out users when login time expires" setting determines whether users connected to the local computer are disconnected once they are outside their user account's valid login hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, client sessions with the SMB service are forcibly disconnected when the client's login hours expire. If this policy is disabled, established client sessions are allowed to continue after the client's login hours expire. Enabling this setting ensures that the "Network Security" setting that forces logout after the login time is enforced.
This policy is important if the organization has configured login hours for users. Otherwise, users who should not have access to network resources outside their login hours could in practice keep using those resources through sessions established during the allowed hours.
If login hours are not used in your organization, enabling this setting has no effect. If login hours are used, existing user sessions are forcibly terminated when their login hours expire.
Network Access: Allow anonymous SID / name translation
Table 2.13: Setting
Domain controller default | Enterprise client | High security
Not defined | Disabled
The "Network Access: Allow anonymous SID / name translation" setting determines whether an anonymous user can request the SID attributes of another user.
If this setting is enabled on a domain controller, a user who knows an administrator's SID attributes can contact a computer that also has this policy enabled and use the SID to obtain the administrator's name. That person can then use the account name to start a password-guessing attack. The default setting on member computers is "Disabled", so the setting has no effect on them. However, the default setting on domain controllers is "Enabled". Disabling this setting causes the following older systems to be unable to communicate with Windows Server 2003 domains:
• Remote Access Service servers based on Microsoft Windows NT® 4.0.
• When a web application on IIS is configured to allow "Basic Authentication" and to disable "anonymous access", the built-in Guest user account cannot access the web application. In addition, if you rename the built-in Guest account to another name, you cannot access the web application using the new name.
• Remote Access Service servers running on Windows 2000 computers in a Windows NT 3.x domain or Windows NT 4.0 domain.
Network Security: Forced logout after the login time expires
Table 2.14: Setting
Domain controller default | Enterprise client | High security
Disabled | Enabled | Enabled
The "Network Security: Forced logout after the login time expires" setting determines whether users connected to the local computer are disconnected once they are outside their user account's valid login hours. This setting affects the SMB component.
Enabling this policy forcibly disconnects client sessions with the SMB server when the client's login hours expire, and the user cannot log in to the system again until his or her next scheduled access time. Disabling this policy keeps established client sessions alive after the client's login hours expire. To affect domain accounts, this setting must be defined in the default domain policy.
Kerberos policy
The policies for the Kerberos version 5 authentication protocol are configured on domain controllers, not on the member computers of the domain. These policies determine Kerberos-related settings such as ticket lifetimes and enforcement. There is no Kerberos policy in the local computer policy. In most environments, the default values for these policies should not be changed. This guide does not make any changes to the default Kerberos policy. For more information on these settings, see the companion guide "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP" at http://go.microsoft.com/fwlink/?LinkId=15159 (English).
OU Level Group Policy
The security settings included in OU-level Group Policy should be specific to the OU. These settings include both computer settings and user settings. For easier management and improved security, this guide presents the software restriction policy (SRP) sections separately from the other security settings. Module 6, "Windows XP Client Software Limit Policy", discusses SRP in detail.
Security setting group policy
You need to create a GPO for each category of Windows XP computer in the environment. In this guide, laptop and desktop computers are placed in separate OUs so that a custom GPO can be applied to each of these computer categories.
Software restriction policy settings
Create a dedicated GPO for configuring SRP settings in your environment. There are compelling reasons to keep SRP settings separate from the remaining Group Policy settings. First, SRP is different from other Group Policy settings: rather than having administrators enable or disable options or configure values, SRP requires administrators to identify which set of applications will be supported, which restrictions are applied, and how exceptions are handled. Second, if a catastrophic error occurs when an SRP policy is implemented in a production environment, this approach allows fast recovery: administrators can temporarily disable the GPO that defines the SRP settings without affecting any other security settings.
Group Policy Tool
Several tools included with Windows XP make it easier to work with GPOs. The following sections give a brief overview of these tools. For more information on them, see Windows XP Help.
Forcing a Group Policy update
Active Directory updates Group Policy periodically, but you can use GPUpdate, a Windows XP Professional command-line tool, to force a refresh on the client computer. This tool must be run locally on the client computer.
To update your local computer using the GPUpdate tool, type the following command:
gpupdate /force
After running GPUpdate, the following confirmation information is returned:
C:\Documents and Settings\administrator.mslab>gpupdate /force
Refreshing Policy...
User Policy Refresh has completed.
Computer Policy Refresh has completed.
To check for errors in policy processing, review the event log.
C:\Documents and Settings\Administrator.MssLab>
For user-based Group Policy, you must log out and then log back in to the computer being used to test the policy. Computer policies should be updated immediately.
To view the other options for running gpupdate, type:
gpupdate /?
Viewing the Resultant Set of Policy
Two tools included with Windows XP can determine which policies have been applied to a computer in the environment, when they were applied, and in what order.
RSoP snap-in
The Resultant Set of Policy tool (RSoP.msc) is an MMC snap-in that displays the aggregate settings of all policies that have been applied to your computer. This tool can be run locally or from another computer. For each policy setting, the RSoP tool displays the computer setting and the source GPO.
GPResult
GPResult is a command-line tool that provides statistics about when Group Policy was most recently applied to the computer, which GPOs were applied, and in what order. This tool also provides information about any GPOs that were applied through filtering. The GPResult tool can be used remotely or locally on the client computer.
Summary
Group Policy is an Active Directory-based feature designed to control user and computer environments in Windows Server 2003 and Windows 2000 domains. Certain basic steps must be performed in the domain before Windows XP desktop computers are used in the environment.
Group Policy objects (GPOs), which are stored on the domain controllers in the environment, are linked to containers, including sites, domains, and OUs, that reside in the Active Directory structure. It is important to understand the Active Directory structure and the security implications of the different design options for it before implementing Group Policy.
Group Policy is an important tool for securing Windows XP. This module includes details on how to apply and maintain a uniform security policy across the network from a central location.
This module also provides information on the different levels of Group Policy, as well as the special tools in Windows XP for working with Group Policy in the environment.
Other information
For more information on Active Directory management and design, see the white paper "Design Considerations for Delegation of Administration in Active Directory": http://www.microsoft.com/technet/treeview/default.asp?URL=/TechNet/Prodtechnol/ad/windows2000/plan/adDeLadm.asp.
For more information on Active Directory design, see the white paper "Best Practice Active Directory Design for Managing Windows Networks" on the Microsoft site: http://www.microsoft.com/technet/treeview/default.asp?url=/TECHNET/PRODTECHNOL/AD/Windows2000/Plan/BPADDSGN.ASP.
For more information on Group Policy, see the white paper "Step-by-Step Guide to Understanding the Group Policy Feature Set" on the following Microsoft website: http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp (English).
For more information on Windows XP security, see the "Windows XP Professional Resource Kit" online documentation on the following Microsoft website: http://www.microsoft.com/windowsxp/pro/techinfo/productdoc/Resourcekit.asp.
For new security information about Windows XP, see the white paper "What's New in Security for Windows XP Professional and Windows XP Home Edition" on the Microsoft site: http://www.microsoft.com/china/technet/prodtechnol/winxppro/Evaluate/XPsec.asp.
For more information on management templates, see the white paper "Implementing Registry-Based Group Policy": http://www.microsoft.com/windows/www.microsoft.com/windows/Management/RBPpaper.asp.
For more information about the Group Policy Update (GPUpdate) tool, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ProdTechnol/WinXPRO/PRODDOCS/REFRGP.ASP (English).
For more information on the Resultant Set of Policy (RSoP) tool, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/Prodtechnol/WinXPRO/PRODDOCS/RSPintro.asp.
For more information on the Group Policy Results (GPResult) tool, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/Proddocs/gpresult.asp (English).
For more information on applying privileges in Active Directory, see the charts in the "Windows 2000 Resource Kits" at the following location: http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techInfo/reskit/en-us/deploy/dgbe_sec_haqs.asp.