This subsection identifies all the security functions available to the administrator and needed to operate Windows 2000 securely. The details regarding security parameters and values are detailed in a Graphical User Interface (GUI) specification. The administrative security functions are derived from the Windows 2000 security functions described in the Windows 2000 ST.

The TOE supports a number of policies and features that require appropriate management. With few exceptions, the security management functions are restricted to an authorized administrator. This constraint is generally accomplished by privilege or access control (i.e., security descriptor), and occasionally by a specific Security Identifier (SID) requirement (i.e.," Administrators"). Windows 2000 supports security management functions for the following security policies and features:

Account Policy - The account policy management functions allow an authorized administrator to define constraints for passwords, account lockout (due to failed logon attempts) parameters, and Kerberos key usage parameters. The constraints for passwords restrict changes by including minimum password length, password history, and the minimum and maximum allowable password age. If the maximum password age is exceeded, the corresponding user cannot logon until the password is changed. The account lockout parameters include the number of failed logon attempts (in a selected interval) before locking the account and setting the duration of the lockout. The Kerberos key usage parameters primarily specify how long various keys remain valid.

Audit Policy - The audit policy management functions allow an authorized administrator the ability to enable and disable auditing, to configure which categories of events will be audited for success and/or failure, and to manage (create, delete, and clear) and access the security event log. An authorized administrator can also define specifically which user and access mode combinations will be audited for specific objects in the system.

Account Database - The account database management functions allow an authorized administrator to define, assign, and remove security attributes to and from both user and group accounts, both locally and for a domain, if applicable. The set of attributes includes account names, SIDs, passwords, group memberships, and other security-relevant and non-security relevant information. Of the set of user information, only the password can be modified by a user that is not an authorized administrator. Specifically, an authorized administrator assigns an initial password when an account is created and may also change the password like any other account attribute. However, users have the ability to change their own password. This capability is controlled by requiring users to first enter their old password in order to change the password to a new value.

User Rights Policy - The user rights management functions allow an authorized administrator to assign or remove user and group accounts to and from specific logon rights and privileges.

Domain Policy - The domain management functions allow an authorized administrator to add and remove machines to and from a domain as well as to establish trust relationships among domains. Changes to domains and domain relationships effectively change the definition and scope of other security databases and policies (e.g., the account database). For example, accounts in a domain are generally recognized by all members of the domain. Similarly, accounts in a trusted domain are recognized in the trusting domain.

Group Policy - The group policy management functions allow an authorized administrator to define accounts, user right assignments, and machine/computer security settings, etc. for a group of Windows 2000 systems or accounts within a domain. The group policies effectively modify the policies (e.g., machine security settings, and user rights policy) defined for the corresponding systems or users.

IPSEC Policy - The IPSEC management functions allow an authorized administrator to define whether and how (e.g., protocols and ports to be protected, outbound and/or inbound traffic, with what cryptographic algorithms) IPSEC will be used to protect traffic among distributed Windows 2000 systems.

Encrypting File System (EFS) Policy - The EFS management functions allow an authorized administrator to enable or disable EFS on a New Technology File System (NTFS) volume and generally control the recovery for EFS data.

Cryptographic Protection - The algorithm used for the encryption and decryption of user data blocks.

Disk Quota - The disk quota management functions allow an authorized administrator to manage disk quotas for NTFS volumes. More specifically, the functions allow an authorized administrator to enable or disable disk quotas, define default disk quotas, and define actions to take when disk quotas are exceeded.

System Banner - The logon functions can be configured by the administrator to display a logon banner with a title and warning defined by the administrator.

Session Locking - Unlocking any locked session is restricted to administrators and the interactively logged on user.

Time - Setting the system clock is restricted to administrators.