Microsoft Windows 2000 Local computer Policies
Windows 2000 Professional is designed to be used as a network client for a Windows 2000 (and Windows NT) network or as a standalone operating system where user accounts are used to govern or control access.
Used to uniquely identify a user to the system using a named user account and a password.
Domain user account
Exists throughout a domain and can be used on any computer that is a member of the domain
* Can be used to grant access to network resources
A collection of users; each member of a group takes on the access privileges or restrictions defined for that group.
Is a stored snapshot of a user's desktop environment settings. Can exist on a single computer or can be configured to follow a user around a network, regardless of what workstation is used.
Is a set of configuration options that defines aspects of Windows 2000 security. Security policies are defined for a user, a computer or a group to restrict the computing environment.
* Is the most powerful user account available in the Windows 2000 environment
The Administrator account has the following characteristics:
* It cannot be deleted
* This account has limited access to resources and computer activities
The Guest account has the following characteristics:
* It cannot be deleted
Two common rules follow:
* User names are constructed from the first and last name of the user, plus a code identifying his or her job title or department: for example, BobSmithAccounting or SmithBobAccounting
Regardless of what naming convention is deployed, it needs to address the following four elements:
* It must be consistent across all objects
Local Security Policy
Windows 2000 has combined several security and access controls into a centralised policy. This centralised policy is called the group policy. A group policy is an MMC snap-in that is used to specify users' desktop settings. There are group policies for local computers, groups and domains, and for organisational units (OUs), which contain users, groups, resources and other OUs.
All group policy types can be managed from a Windows 2000 Server system, but only a local computer group policy can be managed from a Windows 2000 Professional system.
Group policies are applied in the following order:
1. Any existing legacy Windows NT 4.0 Ntconfig.pol file is applied
The order of application of these policies is important because contradictory settings in later policies will override the settings of the earlier policies.
Defines the restrictions on passwords. This policy is used to enforce strong passwords for a more secure environment.
Account lockout Policy
Defines the conditions that result in a user account being locked out. Lockout is used to prevent brute-force attacks against user accounts. For example, if a user tries to log on and is unsuccessful more than 5 times, it is a good idea to lock that user out.
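The following simplified model shows how the three Account Lockout Policy settings (account lockout threshold, reset account lockout counter after, account lockout duration) interact. It is an example added here, not code from the original page or from Windows. The threshold of 5 follows the example above; locking on the fifth failure, the 30-minute values, the password and the sample attempts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5          # failed logons that trigger a lockout (assumed semantics)
    reset_after: int = 30 * 60  # seconds after which the failure counter resets (assumed)
    duration: int = 30 * 60     # seconds the account stays locked (assumed)

@dataclass
class Account:
    password: str
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0

def logon(acct, policy, password, now):
    """Return 'ok', 'bad_password' or 'locked' for one attempt at time `now` (seconds)."""
    if now < acct.locked_until:
        return "locked"              # even the correct password is refused
    if acct.failures and now - acct.last_failure >= policy.reset_after:
        acct.failures = 0            # counter reset window has expired
    if password == acct.password:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    acct.last_failure = now
    if acct.failures >= policy.threshold:
        acct.locked_until = now + policy.duration
        acct.failures = 0
        return "locked"
    return "bad_password"

def simulate(attempts, policy=LockoutPolicy(), password="S3cret!x"):
    """Replay (time, password) attempts against a fresh account."""
    acct = Account(password)
    return [logon(acct, policy, pw, t) for t, pw in attempts]

# Constructed sample: five rapid wrong passwords, then the right one
# during the lockout and again once the lockout duration has passed.
BURST = [(t, "guess") for t in range(5)] + [(10, "S3cret!x"), (1804, "S3cret!x")]
# Constructed sample: four typos, a pause longer than the reset window,
# one more typo, then the right password. The account never locks.
TYPOS = [(0, "x"), (1, "x"), (2, "x"), (3, "x"), (1803, "x"), (1804, "S3cret!x")]

if __name__ == "__main__":
    print(simulate(BURST))
    print(simulate(TYPOS))
```

Because the counter resets after the window, lockout alone does not surface failures spread over a long period; auditing failed logon events covers that gap.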
User Rights Policy
Defines which groups or users can perform specific privileged actions. For example, you may want to give a group, such as Power Users, the right to add a workstation to a domain.
The items in this policy and their default settings are:
* Access this computer from the network - Everyone, Users, Power Users, Backup Operators,
* Add workstations to domain - None
* Changing the system time - Power Users, Administrators
Defines and controls various security features, functions and controls of the Windows 2000 environment. For example, to tighten security, you can disable the option that allows the system to be shut down without having to log on.