Windows 2000 Security Configuration Tool

Document directory

• Local Security Policy
• Domain Security Policy
• Organizational Unit Group Policy Object
• Security Configuration Editor
• Other tools

Content on this page

	Content of this module
	Target
	Applicability
	How to use this module
	Windows 2000 Security Policy
	Other security configuration Interfaces

Content of this module

This module provides an overview of tools used for security configuration changes to meet the Microsoft Windows 2000 operating system standard installation benchmarks. This module only describes tools, but does not describe the settings that can be made using these tools.

Back to Top

Target

This module can be used:

•	Identifies Windows 2000 Security Configuration tools.

Back to Top

Applicability

This module applies to the following products and technologies:

•	Microsoft Windows 2000 operating system.
•	Microsoft Windows 2000 operating system security configuration tool.

Back to Top

How to use this module

This module identifies security configuration tools that can be used for Windows 2000. This module also describes how to create and process group policies. Use this module to familiarize yourself with these tools.

To fully understand the content of this module, please:

•	Read the Windows 2000 security configuration in the module. This module details the security settings that can be used to improve Windows 2000 Security.
•	Use the included "how" module: • How to configure and apply security templates in Windows 2000

Back to Top

Windows 2000 Security Policy

This section describes the priority sequence of various security policy tools and their related security policy applications. By default, group policies are inherited and accumulative, and affect all computers in the Microsoft Active Directory container. You can manage group policies by using the Group Policy object (GPO). These Group Policy objects are in the selected Active Directory object (such as site, domain or organization unit (OU )) the data structure attached to a specific level.

After creating these GPO instances, you can apply them in the following standard order: lsdou, which indicates (1) local, (2) site, (3) domain, (4) ou. The policy priority of the application is higher than that of the first application. If a computer belongs to a certain domain and there is a conflict between the domain and the Local Computer Policy, the domain policy is valid. However, if a computer no longer belongs to a certain domain, the local group policy is applied.

Local GPO is processed when a computer joins a domain that implements active directory and group policies. Note that local GPO policies are processed even when the "Blocking Policy inheritance" option is specified.

You can define the Account Policies (passwords, account locks, and Kerberos policies) for the entire domain in the local GPO Policy (Audit Policy, user permission allocation, and security options) of the default domain ), because the domain control controller (DC) is defined in the default domain controller GPO ). For DC, the setting priority defined in the default dc gpo is higher than that defined in the default domain GPO. In this way, if you configure user privileges in the default domain GPO (for example, "add a workstation in the domain"), the DC in this domain will not be affected.

There is an option to allow force group policy enforcement in a specific GPO, which can prevent GPO in a lower-level Active Directory container from replacing this policy. For example, if a specific GPO is defined at the domain level and GPO is specified to be enforced, the policy contained in the GPO will be applied to all ou in the domain; that is, containers of lower levels (OU) this domain group policy cannot be replaced.

Note:The Account Policy Security Area receives the special processing method that takes effect on this domain computer. All DC in this domain receive the GPO account policy from the domain node, regardless of the location of the DC computer object. This ensures that consistent account policies are enforced for all domain accounts. All non-DC computers in the domain can obtain the policies for local accounts on these computers according to the normal GPO hierarchy. By default, the member workstation and server forcibly implement the policy settings configured in the GPO of their local account domain. However, if there are other GPO instances that replace the default settings in a lower range, these settings will take effect.

Local Security Policy

You can use the Local Security Policy to set security requirements on the local computer. It is mainly used for individual computers or for applying specific security settings to domain members. In an Active Directory-hosted network, Local Security Policy settings have the lowest priority.

•

Enable Local Security Policy 1. Log on to the computer as an administrator. 2. On Windows 2000 Professional computers, "Administrative Tools" are not displayed as an option in the "Start" menu by default. To view the "Administrative Tools" menu options in Windows 2000 Professional, click "start", point to "Settings", and then click "Taskbar and Start Menu ". In the "Taskbar and Start Menu properties" window, click the "advanced" tab. In the "Start Menu Settings" dialog box, select "display management tools ". Click OK to complete the settings. 3. Click Start, point to programs, point to administrative tools, and then click Local Security Policy ". In this way, you can use the "Local Security Settings" console.

Figure 1: Local Security Settings

Domain Security Policy

You can use domain security policies to set and disseminate security requirements for all computers in the domain. The domain Security Policy replaces the Local Security Policy settings of all computers in the domain.

•

Enable Domain Security Policy 1. Open the "Active Directory users and computers" Management Unit. 2. Right-click the appropriate organization unit or domain you want to view, and click Properties ". For example, to view the domain Security Policy, right-click the domain. To view the Domain Controller Policy, right-click "Domain Controller" ou. 3. Click the Group Policy tab. 4. Click "edit. 5. Expand "Windows Settings ". 6. Execute the security configuration in the "Security Settings" tree.

Organizational Unit Group Policy Object

You should use ou to manage security policies in the domain. This domain has been provided with the domain controller ou. However, you can define other ou as needed. For example, you should apply the benchmark settings at the domain level, and then apply the specific settings at the ou level. In this way, you can create a workstation ou, place all workstations in it, create a Domain Server ou, and place all Domain Member Servers in it.

Ou GPO can replace the security policy settings implemented on the policy interface discussed earlier. For example, if the policy set for the domain is not compatible with the same policy configured for the domain controller ou, the domain controller does not inherit the Domain Policy settings. You can avoid this situation by selecting the "prohibit substitution" option during ou GPO creation. The "Disable substitution" option forces all sub-containers to inherit the policy from the parent container, even if these policies conflict with sub-container policies and "block inheritance" is set for sub-containers. Click the "options" button in the "properties" dialog box of GPO to locate the "Disable substitution" check box.

Back to Top

Other security configuration Interfaces

To facilitate discussion and implementation, this document focuses on managing security settings through Windows 2000 security policies. However, on an independent computer, these interfaces are unavailable, and sometimes security needs to be managed one by one among domain members, rather than through group policies. There are many independent tools that can be used to execute these tasks. The most commonly used Security Configuration editor is attached to all Windows 2000 systems.

Security Configuration Editor

The Management Configuration Editor (SCE) is composed of two management units, Microsoft Management Console (MMC), which provides security configuration and analysis functions for Windows 2000 operating systems. The first Management Unit is the "security template" management unit, which allows administrators to manage. INF files (for application security settings) graphically. The second Management Unit is the "Security Configuration and analysis" Management Unit, which is used by the Administrator to analyze the security of the system related to a specific template and apply the settings in the template to the system. These interfaces are shown in figure 2. To view these management units, you must create a new console.

•

Create a new console 1. Click Start, and then click Run...MMC. 2. When MMC appears, click "console", and then click "Add/delete snap-in ...". Click "add..." and double-click "Security Configuration and analysis" and "security template ". 3. Click Close and OK to return to the console. For future use, you can now save this console to make it available in the "Administrative Tools" folder on the "Start" menu.

Figure 2: Security Configuration Editor

With the SCE tool, the administrator can configure the security of the Windows 2000 operating system, and then perform regular analysis on the system to ensure that the configuration is complete or necessary changes over time. These tools can effectively provide access to each item displayed in the "Security Settings" tree of the Group Policy.

For details about using the SCE tool, see http://www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp ).

Other tools

Many other tools attached to Windows 2000 can be used to manage security. This section briefly introduces some of these tools. It is estimated that the Administrator is familiar with these tools and does not need to introduce them more.

•	Windows Explorer-allows you to configure the Random Access Control List (DACL) and system access control list (SACL) on the file system ).
•	Regedt32.exe-allows you to configure DACL and SACL on the registry.
•	Cacls.exe-command line tool that allows you to configure and view the DACL of a file system.
•	Net.exe-the command line tool can be used to create and configure user accounts and group members, and to configure various settings (such as whether the system is visible in the network browsing list ).
•	Netsh.exe-command line tool for configuring network parameters.
•	Secedit.exe-command line tool that provides the same functions as the SCE tool.

Back to Top