Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


July 24, 2000

Group Policy and Security



In my last column, I talked about Group Policy and how it is applied based on a user's or a computer's location within Active Directory (AD). This week, I look at network security, one of several areas where you can use Group Policy to simplify the tasks that you face as a network administrator. With Group Policy, you can ensure that the machines on your network remain in a secure configuration after you deploy them.

When you create or modify a Group Policy Object (GPO), you can configure several security settings located under Group Policy Editor (GPE) Computer Configuration, Windows Settings, Security Settings. As Figure 1 shows, Security Settings is where you can configure a machine on your network to use IP security and specify settings for everything from user rights to system services. Although some individual settings are easier to configure under Windows NT 4.0, the ability to configure all the settings from one location is a key benefit of Windows 2000's Group Policy. And because you can apply Group Policy to Organizational Units (OUs) that contain multiple computers with similar security requirements, it's much easier to apply changes such as assigning permissions to a Registry key. One exception is the Account Policies settings, which apply at the domain level and which, by default, the Default Domain Policy sets.

As you can see, Group Policy makes it easy to configure security settings on the machines in your Win2K domain. In addition, two tools, Security Templates and Security Configuration and Analysis, are extremely useful for applying network security policy and evaluating whether individual machines comply with the policy, as Figure 2 shows. With these tools, you can build templates with particular security settings for different groups of machines, apply the settings to the machines, and then periodically evaluate the machines to verify that they remain properly configured.

Security Templates
You can use the Microsoft Management Console's (MMC's) Security Templates snap-in to build different templates that you can import into Group Policies. You can either create a new policy from scratch or modify one of the built-in policies. After you decide which template to use, you can import the template settings into your GPO using Group Policy Editor (GPE) by right-clicking Computer Configuration, Windows Settings, Security Settings and choosing Import Policy. This process applies all the settings you configured in the template to all the computers in the container (e.g., site, domain, OU) that you link the Group Policy to.

Security Configuration and Analysis
You can use the MMC's Security Configuration and Analysis snap-in to verify that the security settings you apply with Group Policy are in use. Before you perform an analysis, create a database to store the results. After you create and open the database and choose the template containing the settings that you want to apply to a specific machine, right-click the snap-in and choose Analyze Computer Now to check the actual security settings against the desired settings. You can also use Security Configuration and Analysis to apply the security template to the machine, but it's better to use Group Policy. If you use Security Configuration and Analysis to apply the settings, a user can come behind you and change the settings. With Group Policy, if a user changes a security setting, it changes back to its original value the next time Win2K applies the policy.
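The comparison behind Analyze Computer Now, desired settings from a template checked against the settings actually in effect, is sketched below as an added example; it is not code from the article or from Microsoft. The two sample documents are constructed, and the names `parse_inf` and `analyze` are hypothetical.

```python
import configparser

# Constructed sample: desired settings, in security template (.inf) syntax.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed sample: settings read back from a machine, same syntax.
ACTUAL_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
"""

SKIP = {"Unicode", "Version"}  # file metadata, not security settings


def parse_inf(text):
    """Parse the sections of a security template into nested dicts."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return {s: {k: (v or "").strip().strip('"') for k, v in cp[s].items()}
            for s in cp.sections() if s not in SKIP}


def analyze(template, actual):
    """Return (section, setting, desired, found) for every mismatch."""
    drift = []
    for section, settings in template.items():
        for name, desired in settings.items():
            found = actual.get(section, {}).get(name)  # None = not defined
            if found != desired:
                drift.append((section, name, desired, found))
    return drift


if __name__ == "__main__":
    for row in analyze(parse_inf(TEMPLATE_INF), parse_inf(ACTUAL_INF)):
        print("MISMATCH [%s] %s: want %s, found %s" % row)
```

A setting that the template defines but the machine does not is reported with `None` as the found value, so a missing setting is flagged rather than silently passed.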

On a final note, be sure that you thoroughly test any security templates in a lab environment before rolling them into production. The Win2K default security setting provides a significant increase in security over the NT 4.0 default settings. If you need to ensure compatibility with any non-Win2K certified applications, you might have to use the built-in Compatible Template (compatws.inf) or put your users in the built-in Power Users group. If you want to ensure that all your machines are using the Win2K default settings, you can apply the appropriate default template (basicwk.inf, basicsv.inf, or basicdc.inf). However, if you apply the changes to machines that you upgraded from NT 4.0, you might experience problems with some applications that were working under NT 4.0.




Reader Comments
It is a question:
I had set up my server as a primary domain controller, then demoted it back to a member server. Now I cannot map a share from outside the network. How can I undo the group policy that is already there?

Thanks
Riyad

Riyad July 18, 2001


I wanted to change the minimum password length using the group policy, but for some reason, I cannot change it because the feature seemed to be disabled.

I can only see the current setting, but not change it. I have logged in using the domain administrator account. Do you have any idea on how to fix this?

Thank you

Rendra Basuki December 01, 2003


I would like to know where (Link) I can learn everything I need to know about the system policy editor?

Is there a specific pre-designed program out there that will make things easier for me?

Sandeep Cheema April 19, 2004


How can I secure a user on a workgroup? I have been reading about GPO but it talks only about a domain. Could you give a guide and maybe some resources on the subjects?

Marcos Rodas April 27, 2004


I downloaded MMC for Windows NT but all of the snap-ins available on 2000 are not installed. Where can I get them?

Ryan April 29, 2004


I wanna create a group policy that I can move from server to server (without having to redo it on every server). Is that possible??? And if so, how do I go about doing it??

Chris May 18, 2004


There is a security template for this purpose. Kind of an undo. I don't recall the name but if you look at the list of security templates it's clear it resets the settings back to "out of the box".

ecomboy June 21, 2004


Most of the comments are questions so I have another. Is it possible to configure Windows 2000 Professional so a regular user, not an administrative user, can change the IP address?

J. R. June 24, 2004


Armor2net Personal Firewall software provides a complete spectrum of Internet security and Internet privacy for computers. The program protects the computer from hackers, data thieves, and other Internet-based dangers.
For more information, please visit: http://www.armor2net.com


nina_h2004 September 01, 2004


I am currently running some system scans. On a few machines, it is telling me that "User account has no required password"; these are all on the local machines. I am 100% positive that all user accounts have passwords. Any ideas of where I can go on Windows 2000 Professional machines to require the password?

sselbst September 02, 2004


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing