Refreshing Our First Lesson

As you'll recall, in our first lesson we created a security template for a basic Windows 2000 server and then learned how to configure the Account Policies as illustrated below. Before I show you how to create a different template for specific server types such as a DNS server, a DHCP server, and an Exchange server, we need to finish up learning how to configure the remaining policies for a basic Windows 2000 server.

Security template account policies.

Aside from the Account Policies that you learned how to configure in Part 1 of this series, there are six other types of security policies we can configure:

• Local Policies
• Event Log
• Restricted Groups
• System Services
• Registry
• File System

Before getting started, refer to Part 1 to refresh your memory on how to open the Security Template to configure the policies. After opening the template, configure the Local Policies by clicking the + next to the Local Policies, as illustrated below. You'll see that there are three types of Local Policies to configure.

Security template local policies.

You'll need to configure security policies of the three types of Local Policies, and then do the same for Event Log, Restricted Groups, System Server, Registry, and File System. In Part 1, I taught you how to click on the various choices in the Template Security Policy Setting box, as illustrated below, to select the setting that you want.

Security template policy setting box.

Configure Local Policies, Event Log, and Restricted Groups

Now that you know how to select the security setting that you want, all you really need to know is the proper settings to select. The right settings will be different for every network and organizations, but in the tables below I have taken the liberty to recommend default Local Policy Settings and Event Log Settings, which may work well for most organizations. Double-click on the Policy name to select and configure the appropriate setting as shown below.

Security template security options.

Table 1 offers some Local Policy Setting Recommendations for your Windows 2000 basicsv template.

Table 1. Local Policy Setting Recommendations for Windows 2000

Policy Name	Policy	Computer Setting
Audit Policy	Audit account logon events	Success, Failure
	Audit account management	Success, Failure
	Audit directory service access	Success, Failure
	Audit logon events	Success, Failure
	Audit object access	Failure
	Audit policy change	Success, Failure
	Audit privilege use	Success, Failure
	Audit process tracking	None
	Audit system events	Success, Failure
User Rights Assignments	Force shutdown from a remote system	Administrators
	General security audits	Administrators
	Impersonate a client after authentication	None
	Increase scheduling priority	Administrators
	Load and unload device drivers	Administrators, Power Users
	Lock pages in memory	None
	Log on as batch job	None
	Manage auditing and security log	Administrators
	Modify firmware environment values	None
	Profile single process	Administrators
	Profile system performance	Administrators
	Remove computer from docking station	Administrators, Authenticated Users
	Replace a process level token	None
	Restore files and directories	Administrators, Backup Operators
	Shut down the system	Administrators, Authenticated Users
	Synchronize directory service data	None
	Take ownership of files or other objects	Administrators
Security Options	Automatically log off users when logon time expires (local)	Enabled
	Allow system to be shut down without having to log on	Disabled
	Allowed to reject removable NTFS media	Administrators
	Amount of idle time required before disconnecting session	15 minutes
	Audit the access of global system objects	Disabled
	Audit use of backup and restore privilege	Enabled
	Automatically log off users when login time expires	Enabled
	Automatically log off users when login time expires (local)	Enabled
	Clear virtual memory page file when system shuts down	Enabled
	Digitally sign client communication (always)	Disabled
	Digitally sign client communication (when possible)	Enabled
	Digitally sign server communication (when possible)	Enabled
	Disable CTRL + ALT + DEL requirement for logon	Enabled
	Do not display last user name in logon screen	Disabled
	LAN Manager Authentication Level	Send LM & NTLM - Use NTLMv2 session security if negotiated
	Message text for users attempting to logon	Authorized Users Only
	Message title for users attempting to logon	Logon Warning
	Number of previous logons to cache	Five Logons
	Prevent Dynamic DNS updates	Not Defined
	Prevent system maintenance of computer account password	Disabled
	Prevent users from installing printer drivers	Disabled
	Prompt user to change password before expiration	14 days
	Recovery Console: Allow automatic administrative logon	Disabled
	Recovery Console: Allow floppy copy and access to all drives and all folders	Disabled
	Rename administrator account	Not defined
	Rename guest account	Not defined
	Restrict CD-ROM access to locally logged-on user only	Enabled
	Secure channel: Digitally encrypt or sign secure channel data (always)	Disabled
	Secure channel: Digitally encrypt or sign secure channel data (when possible)	Enabled
	Secure channel: Digitally sign secure channel data (when possible)	Enabled
	Secure channel: Require strong (Windows 2000 or later) session key	Disabled
	Secure system partition (for RISC platforms only)	Not Defined
	Send unencrypted password to connect third-party SMB servers	Disabled
	Smart card removal behavior	Disabled
	Strengthen default permissions of global system objects	Enabled
	Unsigned driver installation behavior	Warn but allow installation
	Unsigned non-driver installation behavior	Warn but allow installation

Table 2 offers Event Log Setting recommendations for your Windows 2000 basics template. Keep in mind that log file sizes must be a multiple of 64 kilobytes.

Table 2. Event log Setting recommendations for Windows 2000

Policy Name	Policy Feature	Setting
Settings for Event Logs	Maximum application log size	81920 kilobytes
	Maximum security log size	81920 kilobytes
	Maximum system log size	81920 kilobytes
	Restrict guest to application log	Enabled
	Restrict guest access to security log	Enabled
	Retain application log	7 days
	Retain security log	7 days
	Retain system log	7 days
	Retention method for application log	Overwrite events as needed
	Retention method for security log	Overwrite events as needed
	Retention method for system log	Overwrite events as needed
	Shutdown computer when security audit log is full	Disabled

Before you can apply security policies to restricted groups, you'll first need to create some Restricted Groups. Using Restricted Groups allows you to create security memberships for predefined privileged users such as Administrators, Backup Operators, Guests, and Power Users. To create a Restricted Group, right-click on Restricted Groups and select Add Group as illustrated below.

Adding a restricted group.

When you see the pop-up box that prompts you to add a group, select Browse and you'll see a list of Restricted Groups. Select the one you want to add and click Add as illustrated below.

Select the restricted group name.

A pop-up box will highlight the Restricted Group that you selected. Now click OK as show below.

Add the administrators group.

You can then double-click on the Administrator Group name to add the members. After you have finished adding the members click OK as illustrated below.

Adding members to the administrator group.

You have now given all of the new members of the Administrator Group the security policies associated with a Windows 2000 Administrator.

We're going to stop here, and configure the remaining policies for your basic server in Part 3. Though your Security Template saves its settings dynamically, in case you want to experiment with different settings, it's worth knowing how to save the basic Windows 2000 Security Template file manually. Remember, each Security Template generates an .inf file. The basic Windows 2000 Security Template file is called basicsv.inf. To save it manually, right-click on basicsv and select Save As shown below.

Saving your security template.

You'll then be prompted to save it into a file and folder. If you've been experimenting with password policies and want to test them out, you may decided to save the template into a file called basicsv_password_test.inf as indicated below.

Creating a unique file name.

You'll always want to test out your policies before implementing them. You may want to create templates with version numbers in the file names each time you change the configuration, e.g. basicsv_v2.inf.

Coming Next

Congratulations, you're starting to turn into a Windows 2000 server security pro already. In Part 3 I'll teach you how to build policies to automatically configure System Services, Registry Settings, and File System Settings into your Windows 2000 basic server Security Template. By ensuring that these policies are configured with templates upon startup, you can be sure that the policies you want to implement are regenerated each time your system boots.

Read Part 3 of the Securing Windows Servers series here.