Back to Article List
It's Easy to Secure Windows 2000 Servers: Part 2
By Laura Taylor
March 16, 2005
Refreshing Our First Lesson
As you'll recall, in our first lesson we created a security template for a basic Windows 2000 server and then learned how to configure the Account Policies as illustrated below. Before I show you how to create a different template for specific server types such as a DNS server, a DHCP server, and an Exchange server, we need to finish up learning how to configure the remaining policies for a basic Windows 2000 server.
Security template account policies.
Aside from the Account Policies that you learned how to configure in Part 1 of this series, there are six other types of security policies we can configure:
Before getting started, refer to Part 1 to refresh your memory on how to open the Security Template to configure the policies. After opening the template, configure the Local Policies by clicking the + next to the Local Policies, as illustrated below. You'll see that there are three types of Local Policies to configure.
Security template local policies.
You'll need to configure security policies of the three types of Local Policies, and then do the same for Event Log, Restricted Groups, System Server, Registry, and File System. In Part 1, I taught you how to click on the various choices in the Template Security Policy Setting box, as illustrated below, to select the setting that you want.
Security template policy setting box.
Configure Local Policies, Event Log, and Restricted Groups
Now that you know how to select the security setting that you want, all you really need to know is the proper settings to select. The right settings will be different for every network and organizations, but in the tables below I have taken the liberty to recommend default Local Policy Settings and Event Log Settings, which may work well for most organizations. Double-click on the Policy name to select and configure the appropriate setting as shown below.
Security template security options.
Table 1 offers some Local Policy Setting Recommendations for your Windows 2000 basicsv template.
Table 1. Local Policy Setting Recommendations for Windows 2000
Table 2 offers Event Log Setting recommendations for your Windows 2000 basics template. Keep in mind that log file sizes must be a multiple of 64 kilobytes.
Table 2. Event log Setting recommendations for Windows 2000
Before you can apply security policies to restricted groups, you'll first need to create some Restricted Groups. Using Restricted Groups allows you to create security memberships for predefined privileged users such as Administrators, Backup Operators, Guests, and Power Users. To create a Restricted Group, right-click on Restricted Groups and select Add Group as illustrated below.
Adding a restricted group.
When you see the pop-up box that prompts you to add a group, select Browse and you'll see a list of Restricted Groups. Select the one you want to add and click Add as illustrated below.
Select the restricted group name.
A pop-up box will highlight the Restricted Group that you selected. Now click OK as show below.
Add the administrators group.
You can then double-click on the Administrator Group name to add the members. After you have finished adding the members click OK as illustrated below.
Adding members to the administrator group.
You have now given all of the new members of the Administrator Group the security policies associated with a Windows 2000 Administrator.
We're going to stop here, and configure the remaining policies for your basic server in Part 3. Though your Security Template saves its settings dynamically, in case you want to experiment with different settings, it's worth knowing how to save the basic Windows 2000 Security Template file manually. Remember, each Security Template generates an .inf file. The basic Windows 2000 Security Template file is called basicsv.inf. To save it manually, right-click on basicsv and select Save As shown below.
Saving your security template.
You'll then be prompted to save it into a file and folder. If you've been experimenting with password policies and want to test them out, you may decided to save the template into a file called basicsv_password_test.inf as indicated below.
Creating a unique file name.
You'll always want to test out your policies before implementing them. You may want to create templates with version numbers in the file names each time you change the configuration, e.g. basicsv_v2.inf.
Congratulations, you're starting to turn into a Windows 2000 server security pro already. In Part 3 I'll teach you how to build policies to automatically configure System Services, Registry Settings, and File System Settings into your Windows 2000 basic server Security Template. By ensuring that these policies are configured with templates upon startup, you can be sure that the policies you want to implement are regenerated each time your system boots.
|Copyright 1997-2015 Relevant Technologies. All rights reserved | Legal and Privacy | Sitemap
Email: firstname.lastname@example.org | Tel: 240.786.4858 | Fax: 855.451.5466 | 8160 Maple Lawn Blvd, Suite 200, Fulton, MD 20759