
It's Easy to Secure Windows 2000 Servers: Part 2
By Laura Taylor
March 16, 2005

Refreshing Our First Lesson

As you'll recall, in our first lesson we created a security template for a basic Windows 2000 server and then learned how to configure the Account Policies as illustrated below. Before I show you how to create a different template for specific server types such as a DNS server, a DHCP server, and an Exchange server, we need to finish up learning how to configure the remaining policies for a basic Windows 2000 server.

Security template account policies.

Aside from the Account Policies that you learned how to configure in Part 1 of this series, there are six other types of security policies we can configure:

  • Local Policies
  • Event Log
  • Restricted Groups
  • System Services
  • Registry
  • File System

Before getting started, refer to Part 1 to refresh your memory on how to open the Security Template to configure the policies. After opening the template, configure the Local Policies by clicking the + next to the Local Policies, as illustrated below. You'll see that there are three types of Local Policies to configure.

Security template local policies.

You'll need to configure security policies of the three types of Local Policies, and then do the same for Event Log, Restricted Groups, System Services, Registry, and File System. In Part 1, I taught you how to click on the various choices in the Template Security Policy Setting box, as illustrated below, to select the setting that you want.

Security template policy setting box.

Configure Local Policies, Event Log, and Restricted Groups

Now that you know how to select the security setting that you want, all you really need to know is the proper settings to select. The right settings will be different for every network and organization, but in the tables below I have taken the liberty of recommending default Local Policy Settings and Event Log Settings, which may work well for most organizations. Double-click on the Policy name to select and configure the appropriate setting as shown below.

Security template security options.

Table 1 offers some Local Policy Setting Recommendations for your Windows 2000 basicsv template.

Table 1. Local Policy Setting Recommendations for Windows 2000

| Policy Name | Policy | Computer Setting |
|---|---|---|
| Audit Policy | Audit account logon events | Success, Failure |
| | Audit account management | Success, Failure |
| | Audit directory service access | Success, Failure |
| | Audit logon events | Success, Failure |
| | Audit object access | Failure |
| | Audit policy change | Success, Failure |
| | Audit privilege use | Success, Failure |
| | Audit process tracking | None |
| | Audit system events | Success, Failure |
| User Rights Assignments | Force shutdown from a remote system | Administrators |
| | General security audits | Administrators |
| | Impersonate a client after authentication | None |
| | Increase scheduling priority | Administrators |
| | Load and unload device drivers | Administrators, Power Users |
| | Lock pages in memory | None |
| | Log on as batch job | None |
| | Manage auditing and security log | Administrators |
| | Modify firmware environment values | None |
| | Profile single process | Administrators |
| | Profile system performance | Administrators |
| | Remove computer from docking station | Administrators, Authenticated Users |
| | Replace a process level token | None |
| | Restore files and directories | Administrators, Backup Operators |
| | Shut down the system | Administrators, Authenticated Users |
| | Synchronize directory service data | None |
| | Take ownership of files or other objects | Administrators |
| Security Options | Automatically log off users when logon time expires (local) | Enabled |
| | Allow system to be shut down without having to log on | Disabled |
| | Allowed to eject removable NTFS media | Administrators |
| | Amount of idle time required before disconnecting session | 15 minutes |
| | Audit the access of global system objects | Disabled |
| | Audit use of backup and restore privilege | Enabled |
| | Automatically log off users when login time expires | Enabled |
| | Automatically log off users when login time expires (local) | Enabled |
| | Clear virtual memory page file when system shuts down | Enabled |
| | Digitally sign client communication (always) | Disabled |
| | Digitally sign client communication (when possible) | Enabled |
| | Digitally sign server communication (when possible) | Enabled |
| | Disable CTRL + ALT + DEL requirement for logon | Enabled |
| | Do not display last user name in logon screen | Disabled |
| | LAN Manager Authentication Level | Send LM & NTLM - Use NTLMv2 session security if negotiated |
| | Message text for users attempting to logon | Authorized Users Only |
| | Message title for users attempting to logon | Logon Warning |
| | Number of previous logons to cache | Five Logons |
| | Prevent Dynamic DNS updates | Not Defined |
| | Prevent system maintenance of computer account password | Disabled |
| | Prevent users from installing printer drivers | Disabled |
| | Prompt user to change password before expiration | 14 days |
| | Recovery Console: Allow automatic administrative logon | Disabled |
| | Recovery Console: Allow floppy copy and access to all drives and all folders | Disabled |
| | Rename administrator account | Not defined |
| | Rename guest account | Not defined |
| | Restrict CD-ROM access to locally logged-on user only | Enabled |
| | Secure channel: Digitally encrypt or sign secure channel data (always) | Disabled |
| | Secure channel: Digitally encrypt or sign secure channel data (when possible) | Enabled |
| | Secure channel: Digitally sign secure channel data (when possible) | Enabled |
| | Secure channel: Require strong (Windows 2000 or later) session key | Disabled |
| | Secure system partition (for RISC platforms only) | Not Defined |
| | Send unencrypted password to connect third-party SMB servers | Disabled |
| | Smart card removal behavior | Disabled |
| | Strengthen default permissions of global system objects | Enabled |
| | Unsigned driver installation behavior | Warn but allow installation |
| | Unsigned non-driver installation behavior | Warn but allow installation |

Table 2 offers Event Log Setting recommendations for your Windows 2000 basicsv template. Keep in mind that log file sizes must be a multiple of 64 kilobytes.

Table 2. Event Log Setting Recommendations for Windows 2000

| Policy Name | Policy Feature | Setting |
|---|---|---|
| Settings for Event Logs | Maximum application log size | 81920 kilobytes |
| | Maximum security log size | 81920 kilobytes |
| | Maximum system log size | 81920 kilobytes |
| | Restrict guest access to application log | Enabled |
| | Restrict guest access to security log | Enabled |
| | Retain application log | 7 days |
| | Retain security log | 7 days |
| | Retain system log | 7 days |
| | Retention method for application log | Overwrite events as needed |
| | Retention method for security log | Overwrite events as needed |
| | Retention method for system log | Overwrite events as needed |
| | Shutdown computer when security audit log is full | Disabled |
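Once a template is saved as an .inf file, the Audit Policy rows of Table 1 and the size, guest-access and retention rows of Table 2 end up as plain key/value lines in its [Event Audit], [Application Log], [Security Log] and [System Log] sections. The following Python script, added here and not part of the original article, renders those recommendations in that .inf syntax and checks a saved template for drift from them, so that an experimental copy can be compared against the baseline before it is applied. It assumes the key names the Security Templates snap-in writes (for example MaximumLogSize in kilobytes and AuditLogRetentionPeriod 0 for "overwrite as needed"); the sample template it checks is constructed inline.

```python
import re
# Table 1 audit policy as [Event Audit] stores it: 0 none, 1 success, 2 failure, 3 both.
TABLE1_AUDIT = {
    "AuditAccountLogon": 3, "AuditAccountManage": 3, "AuditDSAccess": 3,
    "AuditLogonEvents": 3, "AuditObjectAccess": 2, "AuditPolicyChange": 3,
    "AuditPrivilegeUse": 3, "AuditProcessTracking": 0, "AuditSystemEvents": 3,
}
# Table 2, repeated per log section: 81920 KB, no guest access, overwrite as needed.
TABLE2_LOG = {"MaximumLogSize": 81920, "RestrictGuestAccess": 1, "AuditLogRetentionPeriod": 0}

def baseline_sections() -> dict:
    """Fresh copy of the recommendations as {section: {key: value}}."""
    return {"Event Audit": dict(TABLE1_AUDIT), **{s: dict(TABLE2_LOG) for s in
            ("Application Log", "Security Log", "System Log")}}

def render_inf(sections: dict) -> bytes:
    """Write sections in .inf syntax, UTF-16 with a BOM as the snap-in saves."""
    lines = []
    for name, values in sections.items():
        lines.append("[%s]" % name)
        lines += ["%s = %s" % kv for kv in values.items()]
    return "\n".join(lines).encode("utf-16")

def parse_inf(data: bytes) -> dict:
    """Parse .inf bytes into {section: {key: value}}; values stay strings."""
    codec = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "ascii"
    sections, current = {}, {}
    for line in data.decode(codec).splitlines():
        if m := re.fullmatch(r"\[(.+)\]", line.strip()):
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and not line.lstrip().startswith(";"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def check_template(data: bytes) -> list:
    """(section, key, expected, found) per deviation; a missing key gives None."""
    inf, findings = parse_inf(data), []
    for section, expected in baseline_sections().items():
        for key, want in expected.items():
            found = inf.get(section, {}).get(key)
            if found is None or int(found) != want:
                findings.append((section, key, want, found))
    return findings

# Constructed sample: the recommended template with two deliberate edits.
sample = baseline_sections()
sample["Event Audit"]["AuditObjectAccess"] = 3    # Table 1 says Failure only
sample["Security Log"]["MaximumLogSize"] = 512    # Table 2 says 81920 KB
SAMPLE_INF = render_inf(sample)
```

Running check_template on the sample reports exactly the two edited values; running it on a real basicsv.inf would also surface keys that the saved template leaves undefined.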

Before you can apply security policies to restricted groups, you'll first need to create some Restricted Groups. Using Restricted Groups allows you to create security memberships for predefined privileged users such as Administrators, Backup Operators, Guests, and Power Users. To create a Restricted Group, right-click on Restricted Groups and select Add Group as illustrated below.

Adding a restricted group.

When you see the pop-up box that prompts you to add a group, select Browse and you'll see a list of Restricted Groups. Select the one you want to add and click Add as illustrated below.

Select the restricted group name.

A pop-up box will highlight the Restricted Group that you selected. Now click OK as shown below.

Add the administrators group.

You can then double-click on the Administrators group name to add the members. After you have finished adding the members, click OK as illustrated below.

Adding members to the administrator group.

You have now given all of the new members of the Administrators group the security policies associated with a Windows 2000 Administrator.

We're going to stop here, and configure the remaining policies for your basic server in Part 3. Though your Security Template saves its settings dynamically, in case you want to experiment with different settings, it's worth knowing how to save the basic Windows 2000 Security Template file manually. Remember, each Security Template generates an .inf file. The basic Windows 2000 Security Template file is called basicsv.inf. To save it manually, right-click on basicsv and select Save As, as shown below.

Saving your security template.

You'll then be prompted to save it into a file and folder. If you've been experimenting with password policies and want to test them out, you may decide to save the template into a file called basicsv_password_test.inf as indicated below.

Creating a unique file name.

You'll always want to test out your policies before implementing them. You may want to create templates with version numbers in the file names each time you change the configuration, e.g. basicsv_v2.inf.

Coming Next

Congratulations, you're starting to turn into a Windows 2000 server security pro already. In Part 3 I'll teach you how to build policies to automatically configure System Services, Registry Settings, and File System Settings into your Windows 2000 basic server Security Template. By ensuring that these policies are configured with templates upon startup, you can be sure that the policies you want to implement are regenerated each time your system boots.

Read Part 3 of the Securing Windows Servers series here.
