Chapter 4 - Security Configuration Tools

This section provides an overview of the tools used for making security configuration changes to the standard install base of Windows 2000. We only describe the tools here, not the settings that should be made using those tools.

Chapter 5 documents the settings to be made in each of the configurations this guide supports. In Chapter 6 of this document we provide procedures for automating most of the security settings.

On This Page

Windows 2000 Security Policies
Additional Security Configuration Interfaces

Windows 2000 Security Policies

This subsection explains the various security policy tools and their order of precedence with respect to application of security policies. By default, Group Policies are inherited and cumulative, and affect all computers in an Active Directory container. Group Policies are administered through the use of Group Policy Objects (GPOs), which are data structures attached in a specific hierarchy to selected Active Directory Objects, such as Sites, Domains, or Organizational Units (OUs).

These GPOs, once created, are applied in a standard order: LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU, with the later policies being superior to the earlier applied policies. Local Group Policy Objects are processed first, and then domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, local Group Policy is applied.

When a computer is joined to a domain with the Active Directory and Group Policy implemented, a Local Group Policy Object is processed. Note that LGPO policy is processed even when the Block Policy Inheritance option has been specified.

Account policies (i.e., password, lockout, Kerberos) are defined for the entire domain in the default domain Group Policy Object (GPO). Local policies (i.e., audit, user rights, and security options) for Domain Controllers (DCs) are defined in the default Domain Controllers GPO. For DCs, settings defined in the default DC GPO have higher precedence than settings defined in the default Domain GPO. Thus, if a user privilege were configured (for example, Add workstations to domain) in the default Domain GPO, it would have no impact on the DCs in that domain.

Options exist that allow enforcement of the Group Policy in a specific Group Policy Object so that GPOs in lower-level Active Directory containers are prevented from overriding that policy. For example, if there is a specific GPO defined at the domain level and it is specified that the GPO be enforced, the policies that the GPO contains apply to all OUs under that domain; that is, the lower-level containers (OUs) cannot override that domain Group Policy.

Note: The Account Policies security area receives special treatment in how it takes effect on computers in the domain. All DCs in the domain receive their account policies from GPOs configured at the domain node regardless of where the computer object for the DC is. This ensures that consistent account policies are enforced for all domain accounts. All non-DC computers in the domain follow the normal GPO hierarchy for getting policies for the local accounts on those computers. By default, member workstations and servers enforce the policy settings configured in the domain GPO for their local accounts, but if there is another GPO at lower scope that overrides the default settings, then those settings will take effect.

Local Security Policy

A Local Security Policy is used to set the security requirements on the local computer. It is primarily used for stand-alone computers or to apply specific security settings to a Domain member. Within an Active Directory managed network the Local Security Policy settings have the least precedence.

To open the Local Security Policy:

  1. Log on to the computer with administrative rights.

  2. In a Windows 2000 Professional computer, Administrative Tools is not displayed as a Start menu option by default. To view the Administrative Tools menu option in Windows 2000 Professional, click Start, point to Settings, and select Taskbar and Start Menu. In the Taskbar and Start Menu Properties window, click the Advanced tab. Check the Display Administrative Tools checkbox in the Start Menu Settings dialog box. Click the OK button to complete the setting.

  3. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy. This opens the Local Security Settings console.


Domain Security Policy

A Domain Security Policy is used to set and propagate security requirements for all computers in the Domain. The Domain Security Policy overrides Local Security Policy settings for all computers within the Domain.

To open a Domain Security Policy:

  1. Open the Active Directory Users and Computers snap-in

  2. Right-click the appropriate organizational unit or domain whose policy you wish to view. For example, to view the domain security policy, right click on the domain. To view the Domain Controller policy, right click the Domain Controllers OU.

  3. Click the Group Policy tab

  4. Click the Edit... button

  5. Expand Windows Settings

  6. The security configuration is performed in the Security Settings tree

Organizational Unit Group Policy Objects

We recommend using OUs to manage security policy in a domain. The domain already comes with the Domain Controllers OU. However, you can define other OUs as necessary. For example, we recommend applying the baseline settings at the Domain level, and then applying the specific settings at the OU level. Thus, you would create a Workstations OU and put all workstations in that, a Domain Servers OU and put all Domain member servers in that, and so on.

An OU GPO may override security policy settings implemented by the previously discussed policy interfaces. For example, if a policy that is set for the domain is incompatible with the same policy configured for the Domain Controllers OU, the Domain Controllers do not inherit the domain policy setting. This can be avoided by selecting the No Override option when creating an OU GPO. The No Override option forces all child containers to inherit the parent's policies even if those policies conflict with the child's policies, and even if Block Inheritance has been set for the child. The No Override check box is located by clicking the Options button on the GPO's Properties dialog box. However, in our particular case, we will use this feature to apply our security settings.

Additional Security Configuration Interfaces

For ease of discussion and implementation, this document focuses on managing security settings through Windows 2000 Security Policies. However, on stand-alone computers, those interfaces are not available, and even on domain members, it is sometimes desirable to manage security on a case-by-case basis as opposed to via Group Policy. There are a number of stand-alone tools which can be used to perform these tasks. The most prevalent is the Security Configuration Editor tools, which ship with all Windows 2000 systems.

Security Configuration Editor

The Security Configuration Editor (SCE) consists of two Microsoft Management Console (MMC) snap-ins designed to provide a capability for security configuration and analysis of Windows 2000 operating systems. The first snap-in is the Security Templates snap-in which gives administrators a graphical way to manage the inf files used to apply security settings. The second snap-in is the Security Configuration and Analysis snap-in which allows an administrator to analyze a systems security vis-à-vis a particular template and apply the settings in a template to a system. These interfaces are shown in Figure 1. In order to view these snap-ins a new console must be created. To do so click Start:Run and run MMC. When the MMC comes up, click Console:Add/Remove Snap in Then click Add and double-click both Security Configuration and Analysis and Security Templates. Click Close and OK to return to the console. For future use, you may now save this console so that it becomes available in the Administrative Tools folder on the Start menu.


Figure 1: SCE Tools

The SCE tools allow administrators to configure security on Windows 2000 operating systems, and then perform periodic analysis of the systems to ensure that the configuration remains intact or to make necessary changes over time. They effectively give access to everything that shows up in the Security Settings tree in a Group Policy.

Other tools

There are numerous other tools which ship with Windows 2000 for managing security. This section briefly introduces some of them. It is expected that administrators are familiar with these tools and need no further introduction to them.

  • Windows Explorer – allows configuration of both Discretionary (DACL) and System (SACL) Access Control Lists on the file system

  • Regedt32.exe – allows configuration of both DACLs and SACLs on the registry

  • Cacls.exe – command line tool which allows configuration and viewing of file system DACLs.

  • Net.exe – a family of command line tools which can create and configure user accounts, group memberships, as well as various settings such as whether the system is visible in network browse lists.

  • Netsh.exe – a command line tool for configuration of network parameters

  • Secedit.exe – a command line tool providing the same functionality as the GUI SCE.