
Click the plus sign next to the Account Policies folder to see the Password Policy folder and the Account Lockout Policy folder. Click each folder to see its options, many of which are probably familiar to you from NT. Options for password age and account lockouts are old standbys, but a new option is password complexity. To configure an option, double-click it to open a dialog box. Some options might not let you change the settings because of dependency on another security feature, such as IPSec. In the Password Policy folder, settings to consider enabling immediately include

  • Enforce password history. Enabling this setting forces users to choose unique passwords.
  • Minimum password length. If you use NT LAN Manager (NTLM) authentication, limit passwords to seven characters. Because of the way NTLM hashes passwords, seven-character passwords are harder to crack than eight-character passwords. If you have no legacy or non-Windows clients (e.g., Windows 9x, Windows 3.x, DOS, OS/2) in your organization, disable NTLM authentication. For more information about NTLM, see Jan De Clercq, "NT Gatekeeper," March 2001.
  • Passwords must meet complexity requirements. Enabling this setting forces users to choose passwords that contain characters from at least three of the following categories: A-Z, a-z, 0-9, and nonalphanumeric characters (e.g., !, $, #, %).

For more information about protecting passwords, see Randy Franklin Smith's Windows 2000 Magazine articles "Protect Your Passwords," October 1998 and "Win2K Password Protection," Winter 2000.

Set the options in the Account Lockout Policy folder with care. Attackers can use brute-force password cracking software, such as NetBIOS Auditing Tool (NAT), and effectively create a Denial of Service (DoS) attack by locking out many of the accounts on a target.

In the Local Policies folder, click Audit Policy. Here you can set the auditing features you want to track. Setting the auditing options in Win2K is similar to the way you set them in NT. Simply double-click the item and select Success, Failure, or both to have Win2K start to audit that event or resource.

In the User Rights Assignment folder, you can set policy on various administrative and system-related events and resources, including network access, system shutdown, device driver management, and more. To set these options, double-click the item and add or remove users from the settings window.

The last folder I discuss here is Security Options, which contains many security options that, in NT, you couldn't set without changing a key in the registry or using an aftermarket software package. For example, Figure 1 shows the Additional restrictions for anonymous connections dialog box. In NT, you can manipulate these options only in the registry. I recommend the following settings for some of the key options in the Security Options folder:

  • Disable Allow system to be shut down without having to log on (good for physical security).
  • Enable Do not display last user name in logon screen (good for physical security).
  • Enable Rename administrator account (good for hiding the administrator account from attacks).
  • Double-click Additional restrictions for anonymous connections, then select Do not allow enumeration of SAM accounts and shares from the drop-down list. This option, which Figure 1 shows, can minimize an intruder's ability to use active anonymous FTP, Web, or Telnet services to fingerprint the server.

The options I've outlined are only a few that you should consider. I recommend putting time and effort into studying each policy and deciding whether it will help or hamper your system's security or users' access to your system.
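The same recommendations can be captured in a Win2K security template and applied (or checked against a live machine) with Secedit instead of clicking through the MMC snap-in. The template below is an added example, not from the article; the seven-character minimum, complexity rule, anonymous-connection restriction, last-user-name and shutdown settings follow the text, while the history size, lockout thresholds, audit selections and the renamed administrator name are illustrative assumptions.

```ini
; Added example: security template (.inf) for the Win2K Local Security Policy
; settings recommended above. Apply it with
;   secedit /configure /db hardening.sdb /cfg hardening.inf /log hardening.log
; or compare the running system against it, without changing anything, with
;   secedit /analyze /db hardening.sdb /cfg hardening.inf /log hardening.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password Policy. History size 24 is an assumed value; the article only says
; to enforce history. Length 7 and complexity follow the article.
PasswordHistorySize = 24
MinimumPasswordLength = 7
PasswordComplexity = 1
; Account Lockout Policy (assumed values, minutes for the last two). A generous
; threshold keeps a password-guessing tool from locking out the whole user base,
; the DoS effect the article warns about.
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
; Security Options: Rename administrator account (placeholder name)
NewAdministratorName = "LocalOps"

[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure (assumed choices)
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
AuditPrivilegeUse = 2

[Registry Values]
; Format is path=type,value with 4 = REG_DWORD and 1 = REG_SZ.
; Additional restrictions for anonymous connections:
; 1 = Do not allow enumeration of SAM accounts and shares
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
; Do not display last user name in logon screen (REG_SZ "1" on Win2K)
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=1,1
; Allow system to be shut down without having to log on: disabled
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
```

Running the /analyze form first and reading the log shows which of these settings already match before anything is changed.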

Onward and Upward
As you've seen here, Microsoft has taken some large leaps forward in Win2K and has provided better security features. However, if you don't use these features, they won't do you any good. A good security plan is a must. Before you migrate from NT to Win2K, review Win2K's available security features, decide which ones will be useful or necessary for your scenario, and include them in your plan. Join me in the next installment of this series, when I'll delve into the backbone of Win2K security, AD.
