Configuring Security Options

Local Policies also allow the administrator to configure Security Options, which consist of well-known security-relevant system parameters, many of which are normally configured by setting registry values with tools such as Regedt32.exe. A list of all security-relevant system parameters that can be modified through Security Options is provided in the Windows 2000 Security Configuration Guide, Table 4.6, Security Options. The "Required" column indicates whether a security option must be enabled or disabled to meet the Windows 2000 ST. If this column is empty, the security option can be either disabled or enabled in the evaluation configuration.

Security Options are configured as follows:

  1. Log on using an administrator account.

  2. Open the Active Directory Users and Computers tool.

  3. Right-click the container holding the domain controller and click Properties.

  4. Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.

  5. In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies.

  6. Select Security Options.


  7. To configure a Security Options policy, double-click a policy option or right-click on it and select Security. This opens a Security Policy Setting dialog box.


  8. To make a security configuration change, check Define this policy setting on the Security Policy Setting dialog box and select to either enable or disable the security option.

  9. Click OK to configure the selected option.

    Input to the Security Policy Setting dialog box varies with the configuration requirements of the selected security option. For example, rather than a simple Enabled/Disabled choice, some security options require a selection from a drop-down menu or a text entry.



    The subparagraphs that follow provide examples that demonstrate the implementation of ST requirements through configuration of Windows 2000 security options via two methods. The first method involves editing a local computer security policy, or a group policy. The second method involves directly editing the registry on an individual machine.

Configuring Security Target Requirements through the Group Policies Security Options Interface

Audit the use of backup and restore privileges

By default, the use of the backup and restore privileges is not audited. When the Audit privilege use audit policy is enabled and this security option is set, each use of the Backup and Restore privileges is audited. Enable the generation of audit event entries whenever the Backup files and directories or the Restore files and directories privilege is used, as follows:

  1. Log on using an administrator account.

  2. Open the Active Directory Users and Computers tool.

  3. Right-click the container holding the domain controller and click Properties.

  4. Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.

  5. In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies.

  6. Select Security Options.

  7. In the details pane, double-click Audit use of Backup and Restore privilege.

  8. Check the Define this policy setting box, select Enabled and click OK.


  9. Exit the Group Policy window.

Implementing an Authorized Usage Warning

It is recommended that the system display a warning message to users before allowing them to log on. It may be necessary to get help with the wording of the message from the company's legal department. The message should inform users that the system is for authorized use only, and that they could be prosecuted if they misuse the system. For example,

This system may only be used for Company XYZ official business. Company XYZ computer systems may be monitored to ensure proper use, and to ensure that security mechanisms are not circumvented. Unauthorized use or intentional misuse of this system could result in criminal prosecution.

Add the logon message above to the Local Computer Policy as follows:

  1. Log on using an administrator account.

  2. Open the Active Directory Users and Computers tool.

  3. Right-click the container holding the domain controller and click Properties.

  4. Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.

  5. In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies.

  6. Select Security Options.

  7. In the details pane, double-click Message title for users attempting to log on.

  8. Check the Define this policy setting box.

  9. Enter the title for the message (for example, "Warning") and click OK.


  10. Double-click Message text for users attempting to log on.

  11. Check the Define this policy setting box.

  12. Enter the text for the message and click OK.


  13. Exit the Group Policy window.

    Restart a domain client and log in to the domain to see the login banner message.

    Since this security setting is associated with the default domain GPO, it applies to all computers in the domain. This setting will override any local policies (defined on individual computers) that specify this security parameter, but will not override any OU policies that specify this value.

Disable Shut Down Without Logging On

This security option determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut Down the System user right in order to perform a system shutdown. By default, this option is enabled on workstations and disabled on servers in Local Computer Policy.

Disable the shutdown button on the Windows logon screen of Domain Computers as follows:

  1. Log on using an administrator account.

  2. Open the Active Directory Users and Computers tool.

  3. Right-click the container holding the domain controller and click Properties.

  4. Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.

  5. In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies.

  6. Select Security Options.

  7. In the details pane, double-click Allow system to be shut down without having to log on.

  8. Check the Define this policy setting box, select Disabled and click OK.


  9. Exit the Group Policy window.

Shut Down System Immediately If Unable to Log Security Audits

This Security Option determines whether the system should shut down if it is unable to log security events. If this policy is enabled, the system halts whenever a security audit cannot be logged, for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry cannot be overwritten while this security option is enabled, the following blue screen error occurs:

STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed

By default, this policy is disabled. When enabled, this setting causes the system to shut itself down, and the value in the registry is reset to 2. When the system is rebooted, only an administrator account is able to log on. The administrator must then archive and clear the log, reset the Registry value to 1, and reboot the system before any other user is allowed to log on.

Note: Use this security policy on servers and Domain Controllers only after implementing strict procedures for archiving and clearing the audit logs on a regular basis. Use of this Registry setting will require that strict audit archive policies be maintained in order to prevent halting of systems, which could cause disruption of user activity and disruption of system network services.

Enable this security option as follows:

  1. Log on using an administrator account.

  2. Open the Active Directory Users and Computers tool.

  3. Right-click the container holding the domain controller and click Properties.

  4. Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.

  5. In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies.

  6. Select Security Options.

  7. In the details pane, double-click Allow system to be shut down without having to log on.

  8. Check the Define this policy setting box, select Disable and click OK.


  9. Exit the Group Policy window.

If the audit log gets full and the system halts as a result of this setting, recover using the Registry Editor as follows:

Warning: Using Registry Editor incorrectly can cause serious, system-wide problems that may require reinstallation of Windows 2000 to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved.

  1. Log in as an authorized administrator.

  2. Archive and clear the audit log.

  3. Open Start, select Run, type regedt32 and click OK.

  4. Click the HKEY_LOCAL_MACHINE on Local Machine window.

  5. Navigate to SYSTEM\CurrentControlSet\Control\Lsa.

  6. In the topic pane, double-click on CrashOnAuditFail.

  7. Reset the value from 2 to 1 in the DWORD Editor window and click the OK button.

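The inspection and recovery steps above can also be scripted. The following PowerShell is an added example, not part of the Windows 2000 Security Configuration Guide or of any Microsoft tool; it assumes a current Windows host with PowerShell 5.1 or later, run from an elevated session. The registry path and the meaning of the values (1 = enabled, 2 = the system has halted after an audit failure) are the ones the guide states; the function names are the editor's own, and wevtutil.exe stands in for the manual "archive and clear the audit log" step.

```powershell
# Added example: inspect CrashOnAuditFail and perform the documented recovery
# (archive the Security log, clear it, reset the value from 2 to 1).
# Assumptions: modern Windows, PowerShell 5.1+, elevated session.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CrashOnAuditFailState {
    # Returns the raw value plus a plain-language interpretation of it.
    $raw = (Get-ItemProperty -Path $LsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
    if ($null -eq $raw) {
        $meaning = 'Not set (policy disabled)'
    } else {
        $meaning = switch ([int]$raw) {
            0       { 'Disabled: audit failures do not halt the system' }
            1       { 'Enabled: the system halts with STOP C0000244 if an audit cannot be logged' }
            2       { 'Halted state: an audit failure occurred; only administrators can log on' }
            default { "Unexpected value $raw" }
        }
    }
    [pscustomobject]@{ Value = $raw; Meaning = $meaning; NeedsRecovery = ($raw -eq 2) }
}

function Invoke-CrashOnAuditFailRecovery {
    # Mirrors the manual procedure. Supports -WhatIf so the steps can be rehearsed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: the caller decides where archived Security logs are kept.
        [Parameter(Mandatory)] [string] $ArchiveDirectory
    )
    $state = Get-CrashOnAuditFailState
    if (-not $state.NeedsRecovery) {
        Write-Verbose "CrashOnAuditFail is '$($state.Value)'; no recovery needed."
        return $state
    }

    New-Item -ItemType Directory -Path $ArchiveDirectory -Force | Out-Null
    $archive = Join-Path $ArchiveDirectory ('Security-{0:yyyyMMdd-HHmmss}.evtx' -f (Get-Date))

    if ($PSCmdlet.ShouldProcess('Security event log', "archive to $archive, then clear")) {
        # Export first and clear only after the archive is confirmed on disk,
        # so no audit records are lost by the recovery itself.
        & wevtutil.exe epl Security $archive
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $archive)) {
            throw "Archiving failed (wevtutil exit code $LASTEXITCODE); Security log left untouched."
        }
        & wevtutil.exe cl Security
        if ($LASTEXITCODE -ne 0) {
            throw "Clearing the Security log failed (wevtutil exit code $LASTEXITCODE)."
        }
    }

    if ($PSCmdlet.ShouldProcess("$LsaKey\CrashOnAuditFail", 'reset from 2 to 1')) {
        Set-ItemProperty -Path $LsaKey -Name CrashOnAuditFail -Value 1 -Type DWord
    }
    Write-Warning 'Reboot the system to return it to normal operation.'
    Get-CrashOnAuditFailState
}

# Usage (constructed): report the state, then rehearse the recovery without changing anything.
Get-CrashOnAuditFailState
Invoke-CrashOnAuditFailRecovery -ArchiveDirectory 'C:\AuditArchive' -WhatIf
```

Running Get-CrashOnAuditFailState on a schedule gives an early warning that a domain controller is approaching the condition the Note above describes: a value of 2 means a halt has already happened, and the recovery function refuses to clear the Security log until the archive has been written, which keeps the audit trail intact.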

Configuring Security Target Requirements through the Registry Editor

This subsection provides one example of how the security parameters discussed above can be configured by directly editing the Windows 2000 Registry with the Registry Editor.

Warning: Using Registry Editor incorrectly can cause serious, system-wide problems that may require reinstallation of Windows 2000 to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved.

Implementing an Authorized Usage Warning:

Use extreme caution when editing the registry, because changes happen immediately and there is no option to discard changes when the Registry Editor is exited.

  1. To start the Registry Editor (regedt32.exe) open Start, select Run, type regedt32 and click OK.


  2. Click the HKEY_LOCAL_MACHINE on Local Machine window.

  3. If it is not already expanded, double-click HKEY_LOCAL_MACHINE.

  4. Navigate to SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

  5. In the topic pane, double-click on LegalNoticeCaption.

  6. Enter the title for the message (for example, "Warning") and click OK.


  7. Double-click LegalNoticeText.

  8. Enter the text for the message and click OK.


  9. In the Registry menu, select Exit.
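The same two Winlogon values can be written and verified from PowerShell instead of Regedt32. The block below is an added example, not code from the guide or from Microsoft; it assumes a current Windows host with PowerShell 5.1 or later and an elevated session. The registry key and value names (LegalNoticeCaption, LegalNoticeText) are those the procedure above uses, and the banner wording is the Company XYZ example given earlier on this page; the function names are the editor's own.

```powershell
# Added example: set the logon banner through the Winlogon registry values the
# procedure above edits by hand, then read it back and compare with the approved
# wording so that a blank or altered banner is detected rather than assumed.
# Assumptions: modern Windows, PowerShell 5.1+, elevated session.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-LogonBanner {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Caption,
        [Parameter(Mandatory)] [string] $Text
    )
    if ($PSCmdlet.ShouldProcess($WinlogonKey, 'set LegalNoticeCaption and LegalNoticeText')) {
        # Both are REG_SZ values, so -Type String writes exactly what regedt32 would.
        Set-ItemProperty -Path $WinlogonKey -Name LegalNoticeCaption -Value $Caption -Type String
        Set-ItemProperty -Path $WinlogonKey -Name LegalNoticeText    -Value $Text    -Type String
    }
}

function Test-LogonBanner {
    # Compare the effective registry values with the approved text.
    param(
        [Parameter(Mandatory)] [string] $ExpectedCaption,
        [Parameter(Mandatory)] [string] $ExpectedText
    )
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $actualCaption = [string]$props.LegalNoticeCaption
    $actualText    = [string]$props.LegalNoticeText
    [pscustomobject]@{
        BannerEnabled  = -not [string]::IsNullOrWhiteSpace($actualText)
        CaptionMatches = ($actualCaption -eq  $ExpectedCaption)
        TextMatches    = ($actualText    -ceq $ExpectedText)   # case-sensitive: legal wording must be exact
        ActualCaption  = $actualCaption
    }
}

# Approved wording (the example from this page).
$caption = 'Warning'
$text = 'This system may only be used for Company XYZ official business. ' +
        'Company XYZ computer systems may be monitored to ensure proper use, and to ensure that ' +
        'security mechanisms are not circumvented. Unauthorized use or intentional misuse of this ' +
        'system could result in criminal prosecution.'

Set-LogonBanner  -Caption $caption -Text $text
Test-LogonBanner -ExpectedCaption $caption -ExpectedText $text
```

Keep the precedence stated earlier in mind when reading the result: if the Default Domain Policy also defines these two security options, the group policy value is reapplied at the next policy refresh and overrides whatever was written locally, so Test-LogonBanner reports the effective banner, not necessarily the one this script set.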