May 24, 2001 12:00 AM

Security Considerations for Migrating from NT to Win2K, Part 2

Windows IT Pro
InstantDoc ID #20899
Learn how to implement basic AD security features

In Part 1 of this series, I discussed the basics involved in securing a few key Windows 2000 areas. In Part 2, I cover the fundamentals of using Active Directory's (AD's) Group Policy to implement basic security features. AD is a huge topic, and I can't cover it all in this article. If you haven't installed or even looked at AD, read Microsoft's online documentation, peruse the information in Win2K Server Help, or pick up a book about AD. AD is important for properly deploying such Win2K security features as Encrypting File System (EFS), public key infrastructure (PKI), and Group Policy. I'll cover EFS and PKI in an upcoming article.

AD provides a more convenient way to manage your domain than Windows NT's primary and secondary domain management, which, in large organizations, can be troublesome and time-consuming. To install AD on a Win2K Server machine, click Start, Programs, Administrative Tools, Configure Your Server. Then, select Active Directory from the choices on the left. Follow the wizard steps, and in about 30 minutes to 1 hour, you'll have AD installed and ready to use. Now, let's look at Group Policy and the considerations involved in implementing this important AD feature.

Group Policy—AD Cornerstone
Group Policy is an important part of AD and Win2K security. With Group Policy, you can implement many of the same security features that I covered in Part 1, including the options in Local Security Policy, but you can implement these features for users and systems across the entire domain from a single point. In NT, you must manage all these security options on each system separately. Quite often, the task becomes so time-consuming that many administrators give up or apply the security to only the most important systems or accounts.

To get started with Group Policy, on a domain controller (DC), open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (click Start, Programs, Administrative Tools, then select Active Directory Users and Computers), which Figure 1, page 2, shows. In the window's left pane is a list of folders for built-in user accounts, computers that are members of the domain, DCs, foreign security principals, and users. Right-click the domain or the organizational unit (OU) that you want to manage, then select Properties. The Properties dialog box, which Figure 2, page 2, shows, has three tabs: General, Managed By (which lets you document a resource group's business owner), and Group Policy. Click the Group Policy tab to see a list of the policies that exist on the domain or OU you selected. The default policy that shows up the first time you click the Group Policy tab is Default Domain Policy. You can edit, add, delete, or view the policies' properties. You can click Options to see choices for disabling the policy in this domain or OU and for setting the policy so that another, higher policy can't override it. The windows that pop up when you go through these option menus can be daunting, and some windows look the same as those in other areas but don't have the same options. Look through the menus and get oriented before making any changes.

On the Group Policy tab, click Add, enter a new group policy called Test, then click Enter to return to the Group Policy tab. Click Edit, and you see the window that Figure 3 shows. Let's look in more detail at the Group Policy options in the Computer Configuration and User Configuration folders.

Computer Configuration options. The Computer Configuration folder contains options for software settings, Windows settings, and administrative templates. In Software Settings, you can implement domainwide software distribution for a group. (For more information about implementing domainwide software distribution, see Win2K Server Help.) Windows Settings contains options to implement startup and shutdown scripts that you can use for a variety of security-related tasks. Windows Settings also contains standard security options (i.e., options that you would find on a system that doesn't have AD installed), such as account lockouts, auditing, and event logging. To define a setting, double-click an option, select the Define this policy setting check box, then make the changes you want. Figure 4 shows the window you get when you double-click the Security Policy Setting option. Note that any options that you choose not to define won't override existing system policies that you or someone else might have defined elsewhere.
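
The last point above, shown as an added example that is not part of the original article: a simplified Python model in which two constructed security templates are applied in order and the later one replaces only the settings it defines. The section and key names follow the security-template (.inf) layout; the sample values, the two-layer ordering, and the function names are assumptions made for illustration.

```python
import configparser

# Constructed sample templates in the security-template (.inf) layout.
# A setting left "not defined" in the editor is simply absent from the file.
LOCAL_POLICY = """
[System Access]
MinimumPasswordLength = 6
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
[Security Log]
MaximumLogSize = 512
"""

TEST_GPO = """
[System Access]
LockoutBadCount = 5
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
"""

def parse_template(text):
    """Return {(section, key): value} for every setting the template defines."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {(s, k): v for s in cp.sections() for k, v in cp.items(s)}

def effective_policy(layers):
    """Apply (name, template) layers in order; later layers win, but only
    for settings they define. Returns {(section, key): (value, source)}."""
    result = {}
    for name, text in layers:
        for setting, value in parse_template(text).items():
            result[setting] = (value, name)
    return result

def report(policy):
    """One line per effective setting, naming the layer that supplied it."""
    return [f"{s}\\{k} = {v}  (from {src})"
            for (s, k), (v, src) in sorted(policy.items())]

if __name__ == "__main__":
    layers = [("Local Security Policy", LOCAL_POLICY), ("Test GPO", TEST_GPO)]
    print("\n".join(report(effective_policy(layers))))
```

Settings that the Test policy leaves undefined (password length, Security log size) keep the values and source of the lower layer, which is what to check when auditing where an effective setting actually comes from.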

The Administrative Templates folder contains options to apply policies to Windows components, system settings, network settings, and printers. To set an option, double-click it, and choose one of the three radio buttons (i.e., not defined, enabled, or disabled). Click the Explain tab to see a short description of the policy. I recommend reading the description before you change an option so that you don't make a change that causes problems. An important folder to note is the Group Policy folder (i.e., \Computer Configuration\Administrative Templates\System\Group Policy), in which you can set how and when Win2K propagates group policies to the systems in the domain or OU.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.