Configuring and Applying Security Templates on Windows 2000

xiaoxiao, 2021-03-06

I. Introduction

Security templates are a new feature of Windows 2000. A security template is a physical (file-based) representation of a security configuration: a text file (.inf) containing the security attributes that Windows 2000 supports. It gathers all existing security attributes in one place to simplify security management. The security information in a template falls into seven categories: account policies, local policies, event log, restricted groups, file system, registry, and system services. Security templates can also be used for security analysis.

II. Scope of application

Windows 2000 Professional Edition and Server Edition

III. Templates

Microsoft recommends a series of Windows 2000 security configuration templates:

W2khg_baseline.inf - General settings that should be applied to all computers.

W2khg_memberwks.inf - Only for workstations that are domain members.

W2khg_memberlaptop.inf - Only for portable computers that are domain members.

W2khg_memberserver.inf - Only for servers that are joined to a domain.

W2khg_domainController.inf - Only for domain controllers.

W2khg_standalonewks.inf - Only for standalone workstations.

W2khg_standalonesrv.inf - Only for standalone servers.

The security templates can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=15e83186-a2c8-4c8f-a9d0-a0201f639a56&displaylang=en

IV. Viewing and editing a security configuration template

1. Copy the desired template to the "%systemroot%\security\templates" directory or to another location on the hard disk.

Note: If you copy the templates to a different location, you need to (a) secure that location properly so that users cannot modify the templates, and (b) add the location to the Security Templates MMC snap-in.

2. Click Start, click Run, type mmc.exe, and then click OK.

3. On the Console menu, click Add/Remove Snap-in, and then click Add.

4. Select "Security Templates", click Add, click Close, and then click OK.

5. To save the snap-in settings, click "Save" on the Console menu. Type a name for this console and click Save.

6. In the Security Templates snap-in, double-click Security Templates.

7. Double-click the default path folder (%systemroot%\security\templates), then double-click the security configuration template you want to modify.

8. Double-click the security policy you want to modify (for example, "Account Policies").

9. Click the security area you want to customize (such as "Password Policy"), then double-click the security attribute you want to modify (such as "Minimum password length").

10. Modify the setting in the same way as described in the "Secure Configuration" section of this document.

11. After the modification is complete, right-click the name of the modified security configuration template, and then click Save.

V. Using a template

1. Log in to the computer with an account that has administrative privileges.

2. Copy the desired template to the "%systemroot%\security\templates" folder (or "C:\Winnt\Security\Templates" on the system partition).

3. Click Start, click Run, type mmc.exe, and then click OK.

4. On the Console menu, click Add/Remove Snap-in, and then click Add.

5. Select Security Configuration and Analysis, click Add, click Close, and then click OK.

6. To save the snap-in settings, click "Save" on the Console menu.

7. In the Security Configuration and Analysis snap-in, right-click Security Configuration and Analysis.

If no working database has been set, click "Open Database" to set one. Type the name of the new database with the ".sdb" extension, and then click Open. Find a security configuration template and select it so that it appears in the "File name:" text box. Select "Clear this Database" and click "Open".

If a working database has already been set, click Import Template. Find a security configuration template and select it so that it appears in the "File name:" text box. Select "Clear this Database" and click "Open".

8. Right-click Security Configuration and Analysis, and then click Configure Computer Now. A window appears showing the path to the error log file; click OK.

Note: The security settings can be applied immediately, but some settings, although already applied, only take effect after the computer is restarted.

9. Close the Security Configuration and Analysis tool and restart your computer.

VI. Several parameters that must be modified

1. Security log settings: The security log is an important means of recording what happens on a system, and parts of the system's running state can be reviewed through it. A default installation of Windows 2000 does not enable any security auditing, so you need to turn on the corresponding audit settings in the security template's audit policy. Click Local Policies → Audit Policy.

Set to:

Audit policy change: Success, Failure

Audit logon events: Success, Failure

Audit object access: Success, Failure

Audit process tracking: Success, Failure

Audit directory service access: Failure

Audit privilege use: Failure

Audit system events: Success, Failure

Audit account logon events: Success, Failure

Audit account management: Success, Failure

Then right-click the template and save it.

2. Account security settings: A default installation of Windows 2000 allows any user to obtain the complete list of system accounts and shares through a null (anonymous) session, so the computer can be attacked if any password is easy to leak. The following settings must therefore be applied. Click Account Policies → Password Policy.

Set to: enable "Passwords must meet complexity requirements", set "Minimum password length" to 12 characters, "Enforce password history" to 5, and "Maximum password age" to 30 days. Then right-click the template and save it.

3. Security options settings: Click Local Policies → Security Options and find "Additional restrictions for anonymous connections" in the right-hand pane. Double-click it to set the policy and select "Do not allow enumeration of SAM accounts and shares". Because this value lets only non-null users access SAM account information and share information, it is the option that is generally selected. Then right-click the template and save it.

Note: After making these changes, repeat the steps in section V. (Alternatively, change the corresponding items under Control Panel → Administrative Tools → Local Security Policy.)
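
The section VI settings as they would appear in a template file, checked by a short script (an added example, not part of the original article). The section names, key names and numeric encodings are the standard security-template ones and do not appear on the page; SAMPLE is a constructed template, and a file saved by the snap-in must be decoded to text (typically UTF-16) before it is passed in.

```python
OPS = {"eq": lambda g, w: g == w, "min": lambda g, w: g >= w,
       "max": lambda g, w: 0 < g <= w, "flags": lambda g, w: (g & w) == w}
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"
BOTH = ("AuditPolicyChange AuditLogonEvents AuditObjectAccess AuditProcessTracking "
        "AuditSystemEvents AuditAccountLogon AuditAccountManage").split()
BASELINE = [("System Access", "PasswordComplexity", "eq", 1),
            ("System Access", "MinimumPasswordLength", "min", 12),
            ("System Access", "PasswordHistorySize", "min", 5),
            ("System Access", "MaximumPasswordAge", "max", 30),
            ("Registry Values", LSA, "min", 1)]   # 1 = no SAM/share enumeration
BASELINE += [("Event Audit", k, "flags", 3) for k in BOTH]   # 3 = success + failure
BASELINE += [("Event Audit", k, "flags", 2) for k in ("AuditDSAccess", "AuditPrivilegeUse")]
# Added example; SAMPLE is constructed and contains four deliberate deviations.
SAMPLE = r"""[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
MaximumPasswordAge = 30
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditProcessTracking = 3
AuditDSAccess = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0"""

def parse_template(text):   # -> {(section, key): int}, names lower-cased
    values, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            data = value.split(",")[-1].strip()   # registry entries are "type,data"
            if data.lstrip("-").isdigit():        # non-numeric values are skipped
                values[(section, key.strip().lower())] = int(data)
    return values

def check(text):   # -> [(setting, found, requirement)] for missing or weak settings
    parsed, findings = parse_template(text), []
    for section, key, op, want in BASELINE:
        got = parsed.get((section.lower(), key.lower()))
        if got is None or not OPS[op](got, want):   # undefined counts as a finding
            findings.append((key.rsplit("\\", 1)[-1], got, f"{op} {want}"))
    return findings
if __name__ == "__main__": print(*check(SAMPLE), sep="\n")
```

A setting that the template does not define at all is reported with a found value of None, because applying the template would leave that setting unconfigured.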
