Windows 2000 Security
Step 6 – Security Policies
Browse to My Computer > Control Panel > Administrative Tools > Local Security Policy.
You can apply all of the settings below in one step: right-click Security Settings, choose Action > Import Policy..., and open hisecws.inf (Microsoft's High Security workstation template, kept in %SystemRoot%\Security\Templates). Importing overwrites the current local policy with every value the template defines, so compare the tables below against the template's contents before importing, and remember that on a domain member any setting also defined in domain Group Policy overrides the local value.
Password Policies
| Enforce password history | 5 passwords remembered |
| Maximum password age | 30 or 42 days (42 is the Windows 2000 default) |
| Minimum password age | 0 days |
| Minimum password length | 10 or more characters |
| Passwords must meet complexity requirements | Enabled |
| Store passwords using reversible encryption for all users in the domain | Disabled |
Note that a minimum password age of 0 days lets a user change the password six times in a row and land back on the original, which defeats the 5-password history; set a minimum age of 1 day or more if you want the history to be enforced in practice.
Account Lockout Policies
| Account Lockout Duration | 30 minutes |
| Account Lockout Threshold | 5 invalid logon attempts |
| Reset account lockout counter after | 30 minutes |
Auditing Policies
| Account logon events | Success, failure |
| Account management | Success, failure |
| Logon events | Success, failure |
| Object access | Success |
| Policy change | Success, failure |
| Privilege use | Success, failure |
| System events | Success, failure |
Object access auditing only produces events for objects that carry an audit entry (a SACL): after enabling it here, add auditing entries on the specific files, registry keys or printers you want watched, or the setting generates nothing.
User Right Assignment Policies
| Access this computer from the network | None |
| Act as part of the operating system | None |
| Add workstations to domain | None |
| Back up files and directories | Administrators |
| Bypass traverse checking | Authenticated Users |
| Change the system time | Administrators |
| Create a page file | Administrators |
| Create a token object | None |
| Create permanent shared objects | None |
| Debug programs | None |
| Deny access to this computer from the network | Guests |
| Deny logon as a batch job | None |
| Deny logon as a service | None |
| Deny logon locally | Guests |
| Enable computer and user accounts to be trusted for delegation | None |
| Force shutdown from a remote system | None |
| Generate security audits | None |
| Increase quotas | Administrators |
| Increase scheduling priority | Administrators |
| Load and unload device drivers | Administrators |
| Lock pages in memory | None |
| Log on as a batch job | None |
| Log on as a service | None |
| Log on locally | Administrators, Authenticated Users |
| Manage auditing and security log | Administrators |
| Modify firmware environment values | Administrators |
| Profile single process | Administrators |
| Profile system performance | Administrators |
| Remove computer from docking station | Administrators, Authenticated Users |
| Replace a process level token | None |
| Restore files and directories | Administrators |
| Shut down the system | Administrators, Authenticated Users |
| Synchronize directory service data | None |
| Take ownership of files or other objects | Administrators |
With "Access this computer from the network" set to None, nobody (Administrators included) can connect to this machine's shares or administer it remotely. That is the intention for a stand-alone workstation; a machine that must be reached over the network needs at least Administrators listed there.
Security Policies
| Additional restrictions for anonymous connections | No access without explicit anonymous permissions |
| Allow server operators to schedule tasks (domain controllers only) | Not defined |
| Allow system to be shut down without having to log on | Disabled |
| Allowed to eject removable NTFS media | Administrators |
| Amount of idle time required before disconnecting session | 30 minutes |
| Audit the access of global system objects | Enabled |
| Audit use of Backup and Restore privilege | Enabled |
| Automatically log off users when logon time expires (local) | Enabled |
| Clear virtual memory pagefile when systems shuts down | Enabled |
| Default user screensaver enabled | Enabled |
| Default user screensaver password protection is enabled | Enabled |
| Default user screensaver program | Logon.scr |
| Default user screensaver timeout value | 900 seconds (15 minutes) |
| Digitally sign client communications (always) | Disabled |
| Digitally sign client communication (when possible) | Enabled |
| Digitally sign server communication (always) | Disabled |
| Digitally sign server communication (when possible) | Enabled |
| Disable CTRL+ALT+DEL requirement for logon | Disabled |
| Disable the CD Rom autorun feature | Disabled |
| Do not allow caching of roaming profiles | Enabled |
| Do not display last user name in logon screen | Enabled |
| LAN Manager Authentication Level | Send NTLMv2 responses only/refuse LM & NTLM (every server and domain controller this machine authenticates to must accept NTLMv2, i.e. Windows 2000 or Windows NT 4.0 SP4 and later) |
| Message text for users attempting to log on | Unauthorised access is not permitted to this private system. All access is monitored and logged. If in doubt then you are unauthorised. |
| Message title for users attempting to log on | SECURITY WARNING! |
| Number of previous logons to cache (in case domain controller is not available) | 0 logons (a domain account then cannot log on at all while no domain controller is reachable, so this suits fixed desktops rather than laptops) |
| Permissible exit routines | Not defined |
| Permit administrator automatic logon | Disabled |
| Prevent creation of 8.3 file names | Enabled |
| Prevent system maintenance of computer account password | Disabled |
| Prevent the dial-up password from being saved | Enabled |
| Prevent users from installing printer drivers | Enabled |
| Prompt user to change password before expiration | 14 days |
| Recovery Console: Allow automatic administrative logon | Disabled (if enabled, anyone who boots the machine from the Windows 2000 CD or setup floppies gets an administrative Recovery Console prompt without entering the Administrator password) |
| Recovery Console: Allow floppy copy and access to all drives and all folders | Disabled |
| Rename administrator account | You should have already done this. |
| Rename guest account | You should have already done this. |
| Restrict CD-ROM access to locally logged-on user only | Enabled |
| Restrict floppy access to locally logged-on user only | Enabled |
| Secure channel: Digitally encrypt or sign secure channel data (always) | Disabled |
| Secure channel: Digitally encrypt secure channel data (when possible) | Enabled |
| Secure channel: Digitally sign secure channel data (when possible) | Enabled |
| Secure channel: Require strong (Windows 2000 or later) session key | Disabled |
| Send unencrypted password to connect to third-party SMB servers | Disabled |
| Shut down system immediately if unable to log security audits | Enabled (the machine halts with a STOP error once the Security log is full, and with the auditing above it fills quickly: size the Security log generously and make sure it is archived or cleared before it fills) |
| Smart card removal behaviour | Lock Workstation |
| Strengthen default permissions of global system objects (e.g. Symbolic Links) | Enabled |
| Unsigned driver installation behaviour | Warn but allow installation |
| Unsigned non-driver installation behaviour | Warn but allow installation |
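The tables above expressed as a Security Templates .inf file, which is the same format hisecws.inf uses and what Import Policy reads. This is an added example constructed for this page, not hisecws.inf and not the original author's file. Section names, key names and the type codes are those of the template format read by secedit and the Security Templates snap-in; the paths under [Registry Values] are the ones the Windows 2000 Local Security Policy snap-in writes for the corresponding options, and only options whose path is known are included. Groups are given by well-known SID so the file does not depend on renamed or localised group names.

```ini
; ws-step6.inf - added example built from the tables above (not hisecws.inf).
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password and lockout policy: ages in days, lockout times in minutes.
; MinimumPasswordAge=0 lets a user cycle through the history and reuse a password.
PasswordHistorySize = 5
MaximumPasswordAge = 42
MinimumPasswordAge = 0
MinimumPasswordLength = 10
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
ForceLogoffWhenHourExpire = 1

[Event Audit]
; 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditSystemEvents = 3

[Privilege Rights]
; *S-1-5-32-544 Administrators, *S-1-5-11 Authenticated Users, *S-1-5-32-546 Guests.
; An empty value means "None": the right is removed from everyone.
SeNetworkLogonRight =
SeTcbPrivilege =
SeMachineAccountPrivilege =
SeBackupPrivilege = *S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-11
SeSystemtimePrivilege = *S-1-5-32-544
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreateTokenPrivilege =
SeCreatePermanentPrivilege =
SeDebugPrivilege =
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyBatchLogonRight =
SeDenyServiceLogonRight =
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeEnableDelegationPrivilege =
SeRemoteShutdownPrivilege =
SeAuditPrivilege =
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeBatchLogonRight =
SeServiceLogonRight =
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11
SeSecurityPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544,*S-1-5-11
SeAssignPrimaryTokenPrivilege =
SeRestorePrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-11
SeSyncAgentPrivilege =
SeTakeOwnershipPrivilege = *S-1-5-32-544

[Registry Values]
; path=type,value with 1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,1
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoDisconnect=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"SECURITY WARNING!"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,"Unauthorised access is not permitted to this private system. All access is monitored and logged. If in doubt then you are unauthorised."
```

Save the file as Unicode text (the shipped templates are Unicode, which the [Unicode] section declares) and apply it from a command prompt with `secedit /configure /db %TEMP%\ws.sdb /cfg ws-step6.inf /log %TEMP%\ws.log /verbose`; afterwards run `secedit /analyze /db %TEMP%\ws.sdb /cfg ws-step6.inf /log %TEMP%\ws.log` and read the mismatches reported in the log to confirm what actually took effect (a domain-level policy overriding a local value shows up here as a mismatch). The rows in the tables that have no line under [Registry Values] above (screensaver defaults, CD-ROM autorun, roaming profile caching, printer drivers, the saved dial-up password, unsigned driver and non-driver installation, the prompt-before-expiry period) are still set through the snap-in, or by adding the line the snap-in writes for them.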