In this technical guide, will outline the most important you how to modify the Group Policy security settings.
You can use Windows XP, 2000 and Server 2003 operating systems use these methods on the local computer, or Server 2003 and 2000 domain-level OU in the use of these methods.The sake of brevity and to provide the latest information, I am going to explain how to set up Windows Server 2003-based domain name.Remember, these are just the domain name you can set up your Group Policy objects are most likely to have problems.In my view, these settings can keep or destroy the security of Windows.And because of the different settings, your progress has been different.Therefore, I encourage you to use before each set are in-depth research to ensure that these settings can be compatible with your network.If possible, test these settings (if you're lucky to have a test environment so).
If you do not have to test, I suggest you download and install Microsoft's Group Policy Management Console (GPMC) to do these changes.This program will focus on the Group Policy management tasks into a single interface allows you to more comprehensive view of your domain.To start the editing process, you upload GPMC, expand your domain, right-click "Default Domain Policy" and select "Edit."This will load the Group Policy Object Editor.If you want faster or "sub-enterprise" approach to editing your domain group policy object, you can "Start" menu, run "gpedit.msc".
1. To determine a default password policy, so that your organization set up in the "Computer Configuration / Windows Settings / Security Settings / Account Policies / Password Policy" below.
2. In order to prevent automatic password crackers, in the "Computer Configuration / Windows Settings / Security Settings / Account Policies / Account closed strategy" in the following settings:
* Account closed duration (determined at least 5-10 minutes)
* Account closed limit (determined up to allow 5 to 10 times the illegal log)
* Then restart the closed account (identified at least 10-15 minutes later)
3. In the "Computer Configuration / Windows Settings / Security Settings / Local Policies / inspection policy" to enable the following functions:
• Check Account Management
* Check the policy change
* Check the permission to use
• Check the system event
Ideally, you want to enable recording successes and failures of the registry.However, depending on what type you want to keep records and whether you can manage these records.Roberta Bragg here describes some of the common inspection records settings.Keep in mind, enabling every type of record system you need more processor and hard drive resources.
4. As an enhanced Windows security best practices and for the attacker to set more obstacles in order to reduce attacks on Windows, you can "Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options" in the following set:
* Account: Rename administrator account - but not require more effective to add a security layer (to determine a new name)
* Account number: rename the customer account (set a new name)
* Interactive Logon: Do not display last user name (set to Enabled)
* Interactive logon: Do not the last user name (set to off)
* Interactive Logon: The user attempts to log in a message text (make sure to let the user read the banner text (text banner), along the lines of "This is a private and controlled system. If you abuse the system, you will be subject to sanctions. - First, let your lawyer to run this program ")
* Interactive Logon: The user attempts to log the information provided by subject - a warning!!! Write something back
• Network access: Do not allow SAM accounts and shared directory (set to "Enable")
• Network Access: "Allow each person to apply to anonymous users" is set to close
• Network security: "No storage area network administrator change the password on the next hash value" is set to "Enable"
* Off: "allows the system to the case in the not logged off" is set to "off"
* Off: "Clear virtual memory page file" is set to "Enable"
If you do not have Windows Server 2003 domain controller, you can find here what Windows XP security settings of local details and what details there are Windows 2000 Server Group Policy settings.To learn more about Windows Server 2003 Group Policy information, see Microsoft's dedicated website.