Security

Stand-alone computers have Security Policy associated with them that can be modified by users with the appropriate rights. When a computer joins a domain, the domain Security Policy is applied to the local computer. Domain Security Policy will override any changes made to Security Policy at the desktop level.

For information about Security Policy and Group Policy for computers in a domain, see the Deployment Planning Guide and Windows 2000 Help.

Security Policy is to computers as security groups are to users. Security Policy lets you apply a single security profile to multiple computers, just as security groups let you grant a standardized set of rights to a group of users. It enforces consistency and provides easy administration.

Security Policy objects contain permissions and parameters that implement multiple types of security strategies.

Prerequisites for Implementing Local Security Policy

Security Policy is installed by default on local computers. However, Active Directory must be installed on a server before you can edit and apply domainwide Security Policy objects.

How to Implement Security Policy

To apply local Security Policy, see Windows 2000 Professional Help.

In a domain, to view a sample Security Policy, open the Group Policy snap-in in the MMC and navigate to the Security Settings container:

Local Computer Policy
    Computer Configuration
        Windows Settings
            Security Settings

Under Security Settings there are nine subdirectories of security policy settings. These nine groups are described later in this chapter.

Implementing Security Policy consists of creating a new Group Policy object (or modifying an existing one), enabling appropriate settings within the object, and then linking the Group Policy object to an organizational unit that contains computers in the domain.

Group Policy Considerations

Minimize the number of Group Policy objects, including Security Policy objects, that apply to users and computers. There are two reasons for this. First, each computer and user Group Policy object must be loaded to a computer during startup and to user profiles at logon, so multiple Group Policy objects increase computer startup and logon time. Second, applying multiple Group Policy objects can create policy conflicts that are difficult to troubleshoot.

In general, Group Policy can be passed down from parent to child sites, domains, and organizational units. If you have assigned a specific Group Policy to a high-level parent, that Group Policy applies to all organizational units beneath the parent, including the user and computer objects in each container. For more information about inheritance of Group Policy settings, see Defining Client Administration and Configuration Standards in the Deployment Planning Guide.
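The precedence and inheritance behavior described above, modeled as an added example (not part of the original documentation): it applies local policy first, then each Group Policy object from the domain down to the computer's organizational unit, and reports which settings are defined with differing values. The container names, GPO names, and setting labels and values are constructed for illustration; sites and link options such as blocking inheritance are left out.

```python
# Added illustration: models Group Policy precedence. All names are constructed.
from collections import defaultdict

# Constructed container tree: child -> parent (None marks the domain root).
PARENT = {"corp.example": None, "Workstations": "corp.example", "Kiosks": "Workstations"}

# Constructed GPO links: container -> GPOs linked there, as (name, settings) pairs.
LINKS = {
    "corp.example": [("Domain Baseline",
                      {"AuditLogonEvents": "Success,Failure", "SecurityLogMaxSizeKB": 20480})],
    "Workstations": [("Workstation Lockdown", {"AuditPolicyChange": "Success"})],
    "Kiosks": [("Kiosk Policy",
                {"AuditLogonEvents": "Failure", "SecurityLogMaxSizeKB": 20480})],
}

def container_chain(container):
    """Return the containers from the domain root down to `container`."""
    chain = []
    while container is not None:
        chain.append(container)
        container = PARENT[container]
    return chain[::-1]

def resultant_policy(local_settings, container):
    """Apply local policy, then every inherited GPO from parent to child.

    Later sources overwrite earlier ones, so domain policy overrides local
    policy and a child container's GPO overrides its parent's.
    Returns (effective settings, conflicts, number of GPOs processed).
    """
    sources = [("Local Security Policy", local_settings)]
    for level in container_chain(container):
        sources.extend(LINKS.get(level, []))
    history = defaultdict(list)            # setting -> [(source, value), ...]
    for name, settings in sources:
        for key, value in settings.items():
            history[key].append((name, value))
    effective = {key: seen[-1][1] for key, seen in history.items()}
    # A conflict is a setting that its sources define with differing values.
    conflicts = {key: seen for key, seen in history.items()
                 if len({value for _, value in seen}) > 1}
    return effective, conflicts, len(sources) - 1

if __name__ == "__main__":
    local = {"AuditLogonEvents": "None", "AuditPolicyChange": "Success"}
    effective, conflicts, gpo_count = resultant_policy(local, "Kiosks")
    print(gpo_count, "GPOs processed; effective:", effective)
    for key, seen in conflicts.items():
        print("conflict on", key, "->", seen)
```

In this constructed hierarchy the Kiosks policy silently narrows the logon auditing set by the domain baseline, which is the kind of conflict that becomes harder to spot as more Group Policy objects apply to a computer.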

Security templates (described later in this chapter) are useful as models of security settings appropriate for different types of Group Policy.