PC Help Jansant - Local Security Policy in Windows 2000 Guide
Main Menu
Home Page
Computer Guides
Computer Dictionary
Network Setup
Tips and Tricks
Internet Guide
Freeware/Shareware
PC Upgrade Guide
PC Maintenance
Support Forum
Local Security Settings in windows 2000
This page will explain;
- Local security policies - Microsofts security policy
- Local group policy - group security policy.
- gpedit.msc
The Local Security Settings tool is found in the Control Panel's Administrative
Tools menu. You must have administrator privileges to access the Local
Security Settings.
The Local Security Settings include.
Account Policies: Password and account lockout policies.
Local Policies: Audit policies, user rights assignments, and security
options.
Public Key Policies: Configure encrypted data recovery agents and trusted
certificate authorities.
IP Security (IPSec) Policies: Configure network IP security on the local
machine.
By using the Group Policy Editor via a command you are given more control
over settings for the local machine. You must have administrator privileges
to access the Group Policy Editor. Click Start, Run, and type gpedit.msc
and press enter. All the controls in the Local Security Settings are available
here plus many more. The level of control over the local machine is truly
remarkable. If you use gpedit.msc you will find the Local Security Settings
under the Windows Settings folder.
Password Policy
The default setting for Password Policy allows insecure passwords. Users
can set passwords with only one letter if they want. The more complex
the password id the more secure it is. Its a good idea to set a minimum
length here and also select password complexity which stops people using
words as passwords or simple variations of words. You can also set passwords
to expire forcing users to change their passwords at predetermined intervals.
I suggest you use long passwords of at least 8 characters with a mix of
letters and numbers. Its important to remember that if your on a domain
network, domain security settings will override these settings.
Account Lockout Policy
This policy will lock the account of a user if X number of unsuccessful
attempts in Y number of minutes are made to log into an account. It will
lock for Z number of minutes. There are 3 policies in this folder, 1 each
for X, Y, and Z. If an account is locked the user can either wait for
the account to unlock or contact a person with administrator privileges
to unlock it. Once again any domain level policies will override this
local setting.
Audit Policy
The Audit Policy allows administrators to log user activity. When auditing
is turned on for events they are recorded in the security log which can
be found in the Event Viewer within Administrative Tools. The size of
the security log is limited and also auditing consumes computer resources
and slows performance, keep this in mind.
User Rights Assignment
This policy is set by groups not users, also the domain settings will
override local settings, thus two columns "Local setting" and
"effective Setting". Some rights are negative rights, "Deny
Logon Locally".
Security Options
Security Options gives a range of additional security options such as
preventing users from installing printer drivers, allowing the removal
of removable NTFS media, and many other things.
Encrypted Data Recovery Agent
This allows you to add users who can act as a recovery agent in the event
people are locked out from their encrypted files. By default the administrator
is a recovery agent.
IP Security Policies on Local Machine
Configures network IP security on the local machine. These policies are
either simply assigned or the use of a wizard is used to create a policy.
Web-Site Administrators Local Time
feedback - terms of use - contact - sitemap - advertise - webmasters
©PC Help Jansant