These are the nine types of Group Policy security features mentioned previously in this chapter. They are containers located in the Security Settings node of a Group Policy object. They include: • Account Policies • Local Policies • Event Log • Restricted Groups • Systems Services • Registry • File System • Public Key Policies • Internet Protocol Security Policies on Active Directory Some of the policy areas apply only to the scope of a domain, that is, the policy settings are domain-wide. Account policies, for example, apply uniformly to all user accounts in the domain. You cannot define different account policies for different organizational units in the same domain.

Of the security policy areas, Account policies and Public Key policies have domain-wide scope. All other policy areas can be specified at level of the organizational unit. Account Policies Account policies are the first subcategory of Security Settings.

The Account policies include the following: Password Policy You can modify password policy to meet your organization's security needs. For example, you can specify minimum password length and maximum password age You can also require complex passwords and prevent users from reusing passwords or simple variations of passwords. Account Lockout Policy You can force users to be locked out after a specified number of failed logon attempts. You can also specify the period of time that accounts are frozen. Kerberos Authentication Policy You can modify the default Kerberos settings for each domain. For example, you can set the maximum lifetime of a user ticket.

Microsoft's 5 biggest weaknesses Search, mobile devices, the Web and even the desktop represent challenges for Redmond. Tech Review: Active Directory Policy Administration Suites. There are other weaknesses in Group. Without the need to open Microsoft's Group Policy object.

The policies you choose affect the level of help desk support required for users as well as the vulnerability of your network to security breaches and attacks. Serial Of Hide My Ip. For example, specifying a restrictive account lockout policy increases the potential for denial of service attacks, and setting a restrictive password policy results in increased help desk calls from users who cannot log on to the network. In addition, specifying restrictive password policy can actually reduce the security of the network.

For example, if you require passwords longer than seven characters, most users have difficulty remembering them. They might write their passwords down and leave them where an intruder can easily find them. Local Computer Policies The second subcategory of Security Settings is Local Computer policies. Local Computer policies include the following: Audit Policy Windows 2000 can record a range of security event types, from a system-wide event, such as a user logging on, to an attempt by a particular user to read a specific file. Both successful and unsuccessful attempts to perform an action can be recorded. User Rights Assignment You can control the rights assigned to user accounts and security groups for local computers. You can specify users and security groups who have rights to perform a variety of tasks affecting security.

For example, you can control who can access computers from the network, who can log on locally, or who can shut down the system. You can specify who has rights to perform critical administrative tasks on the computer, such as backing up and restoring files and directories, taking ownership of files and objects, and forcing shutdown from a remote system. Security Options You can control a wide variety of security options for local computers. For example, you can specify policies that force users to log off when logon hours expire, disable CTRL+ALT+DEL for logon (to force smart card logon), and force computers to halt if unable to audit.

Restricted Groups Policies You can define Restricted groups policies to manage and enforce the membership of built-in or user-defined groups that have special rights and permissions. Restricted Groups policies contain a list of members of specific groups whose membership are defined centrally as part of the security policy. Enforcement of Restricted Groups automatically sets any computer local group membership to match the membership list settings defined in the policy. Changes to group membership by the local computer administrator are overwritten by the Restricted Groups policy defined in Active Directory. Restricted Groups can be used to manage membership in the built-in groups. Built-in groups include local groups such as Administrators, Power Users, Print Operators, and Server Operators, as well as global groups such as Domain Administrators. You can add groups that you consider sensitive or privileged to the Restricted Groups list, along with their membership information.