Creating a security policy in Windows 7

To open Local Security Policy on Windows 7, click Start, type secpol.msc in the search box, and press Enter (or run secpol.msc from the Run dialog). Expand the console tree to the policy area you want, then double-click the security policy setting in the details pane to modify it. Some security policy settings require that the computer be restarted before the setting takes effect. Any change to the user rights assignment for an account becomes effective the next time that account logs on, because user rights are placed in the access token at logon.

Configuring a security policy setting in a Group Policy Object is done from a workstation or server that is joined to the domain, using the Group Policy Management Editor. For devices that are members of an Active Directory domain, security settings policies depend on the technologies described below.

Active Directory Domain Services (AD DS). The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects from a single location, and users can access permitted network resources by using a single logon.

Group Policy. The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server and Windows clients. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security.

Domain Name System (DNS). A hierarchical naming system that allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses.

Winlogon. The part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers.

Setup. Security configuration interacts with the operating system setup process during a clean installation or an upgrade from an earlier version of Windows.

Security Accounts Manager (SAM). A Windows service used during the logon process. SAM maintains user account information, including the groups to which a user belongs.

Local Security Authority (LSA). A protected subsystem that authenticates and logs users on to the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.

Windows Management Instrumentation (WMI). A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment.

Resultant Set of Policy (RSoP). An enhanced Group Policy infrastructure that uses WMI to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply, or will apply, to a user or device.

The following components make up the Security Settings extension: a configuration engine; an analysis engine; a template and database interface layer; setup integration logic; and the secedit.exe command-line tool.

The security configuration engine is responsible for handling security configuration editor-related security requests for the system on which it runs. The analysis engine analyzes system security against a given configuration and saves the result. The template and database interface layer handles read and write requests to and from the template or database for internal storage. The setup integration logic integrates with Setup and manages system security for a clean installation or an upgrade to a more recent Windows operating system. Security information is stored in templates.

The primary modules of the security configuration engine are scecli.dll and scesrv.dll; secedit.exe is the command-line front end. Communication between the parts of the Security Settings extension occurs through the following:

scesrv.dll: hosted in services.exe and running under the Local System context, it provides the core configuration, analysis, and policy propagation functionality on every Windows system, including domain controllers.

scecli.dll: the client-side interface or wrapper to scesrv.dll. It provides the client-side interfaces to the security configuration engine, supplies data to Resultant Set of Policy (RSoP), and is used by Setup to configure default system security and the security of files, registry keys, and services installed by the Setup API. The security configuration engine also supports the creation of security policy files.

secedit.exe: the command-line version of the Security Configuration and Analysis user interface.

Security Settings extension to the Group Policy Management Editor: the snap-in you use to configure security settings in a Group Policy Object for a site, domain, or organizational unit.

System database (secedit.sdb, in %windir%\security\database): a permanent system database used for policy propagation, including a table of persistent settings kept for rollback purposes.

User database: any database other than the system database, created by administrators for the purposes of configuring or analyzing security.

Security templates (.inf files): text files that contain declarative security settings. They are loaded into a database before configuration or analysis. The security settings of a GPO are themselves stored as a template, GptTmpl.inf, under the GPO's folder in SYSVOL.

For a domain-joined device, where Group Policy is administered, security settings are processed in conjunction with Group Policy. Not all settings are configurable.

When a computer starts and a user logs on, computer policy and user policy are applied in the following sequence: the network starts; an ordered list of Group Policy Objects is obtained for the device (the list might depend on several factors); then the GPOs are processed in that order. For domain accounts, there can be only one account policy, which includes the password policies, account lockout policies, and Kerberos policies.

Security settings may still persist even if a setting is no longer defined in the policy that originally applied it. All settings applied through local policy or a Group Policy Object are stored in a local database on your device.

Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device.

If a policy first defines a security setting and then no longer defines that setting, the setting takes on the previous value in the database. If no previous value exists in the database, the setting does not revert to anything and remains defined as it is. This behavior is sometimes called "tattooing".

Registry and file settings keep the values applied through policy until that setting is explicitly set to other values. You can also decide which users or groups will or will not have a Group Policy Object applied to them, regardless of which computer they log on to, by denying them either the Apply Group Policy or the Read permission on that Group Policy Object. Both permissions are needed for a GPO to apply.
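As an added example (not from the original page), the security filtering just described can be applied from PowerShell with the GroupPolicy module that ships with RSAT or Windows Server. The GPO name and the group name are assumptions; the approach is to take Apply Group Policy away from Authenticated Users while leaving them Read, and to grant Read and Apply to the intended group only:

```powershell
# Added example, not the page's own code. Requires the GroupPolicy module (RSAT or
# a domain controller) and rights to edit the GPO. Names below are assumptions.
Import-Module GroupPolicy

$GpoName = 'Workstation Security Baseline'   # assumed GPO name
$ApplyTo = 'Secured Workstation Admins'      # assumed domain group that should get the GPO

# Before: by default Authenticated Users hold both Read and Apply Group Policy,
# so the GPO applies to every user and computer in its link scope.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, TrusteeType, Permission

# Step 1: reduce Authenticated Users to Read only. Keeping Read (rather than removing
# the trustee entirely) matters: the computer account must still be able to read
# the GPO, or user settings in it stop processing on systems with MS16-072 applied.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Step 2: grant Read + Apply Group Policy (the GpoApply level) to the intended group only.
Set-GPPermission -Name $GpoName -TargetName $ApplyTo -TargetType Group `
    -PermissionLevel GpoApply

# After: only $ApplyTo should carry GpoApply.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { '{0} ({1}) -> {2}' -f $_.Trustee.Name, $_.TrusteeType, $_.Permission }
```

Set-GPPermission grants or removes permissions; it does not write an explicit Deny ACE. For the deny variant described above, use the Delegation tab in GPMC (Advanced) and remember that a Deny on Apply Group Policy overrides any Allow the same account receives through other group memberships.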

Security Configuration and Analysis can import security templates into a database and export a database back out as a template. If you have made changes to the analysis database, you can save them by exporting them into a template; the export feature saves the analysis database settings as a new template file, which can then be used to analyze or configure a system, or be imported into a Group Policy Object.

Security Configuration and Analysis performs security analysis by comparing the current state of system security against an analysis database. During creation, the analysis database uses at least one security template. If you choose to import more than one security template, the database will merge the various templates and create one composite template. It resolves conflicts in order of import; the last template that is imported takes precedence.
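The same import, merge, analyze and export cycle can be driven from the command line with secedit.exe, the console version of Security Configuration and Analysis. The following PowerShell script is an added example, not the page's own code: the template content, file names and baseline values are constructed for the demonstration. Run it from an elevated prompt.

```powershell
# Added example (not from the original page): Security Configuration and Analysis
# from the command line with secedit.exe. Template content and paths are constructed.
$Work = Join-Path $env:TEMP 'sca-demo'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Template = Join-Path $Work 'baseline.inf'
$Db       = Join-Path $Work 'baseline.sdb'
$Log      = Join-Path $Work 'analysis.log'

# A minimal security template (declarative settings). [System Access] carries the
# password and account lockout policy; the numbers are an example baseline.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
'@ | Set-Content -Path $Template -Encoding Unicode

# 1. Load the template into a fresh analysis database (/overwrite empties it first).
#    Importing a second template into the same database merges it; on conflicts the
#    template imported last wins, exactly as in the GUI.
secedit /import /db $Db /cfg $Template /overwrite /quiet

# 2. Compare the running system against the database; findings go to the log.
secedit /analyze /db $Db /log $Log /quiet

# 3. Show the settings that differ from the baseline or are not defined on the system.
Get-Content $Log | Where-Object { $_ -match 'Mismatch|Not Configured|Not Analyzed' }

# 4. Optional: push the database into the live system. Restricting /areas keeps
#    user rights, registry ACLs and service ACLs untouched.
# secedit /configure /db $Db /log $Log /areas SECURITYPOLICY /quiet

# 5. Save the database back out as a template for reuse or for import into a GPO.
secedit /export /db $Db /cfg (Join-Path $Work 'baseline-exported.inf')
```

Read the log before uncommenting step 4: /configure writes the database values into the live system, and anything the template defines that the system did not will stay in force (the tattooing described below) until a later policy sets it differently.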

Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click Properties. If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis.

To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration; the changes are made to a copy of the template, not to the original template file. By calling secedit.exe from a script or scheduled task, you can automate the creation and application of templates and the analysis of system security; you can also run it interactively from a command prompt. Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.

Group Policy management tools are also included in the Remote Server Administration Tools (RSAT) pack so that you can administer Group Policy settings from your desktop. Strong passwords help protect accounts, especially administrative accounts, from being compromised by unauthorized users. In earlier versions of Windows Server, strong passwords could be enforced throughout the organization only through a password policy applied to the entire domain, that is, a domain-linked GPO that specified the password requirements for the whole domain.

To enforce strong passwords, Microsoft provides the Passwords must meet complexity requirements Group Policy setting. The password complexity setting prevents users from choosing simple, easy-to-guess passwords by enforcing a set of requirements whenever a password is created or changed. As in previous versions of Windows Server, domain controllers keep track of failed logon attempts.
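What the complexity setting actually enforces is easier to see in code. The following function is an added example, not the page's or Microsoft's code: it reproduces the documented rules of Passwords must meet complexity requirements (at least six characters, no account name and no piece of the full name longer than two characters, and characters from at least three of four categories) so that a provisioning script can reject a password before the domain controller does. The sample names and passwords are constructed.

```powershell
# Added example (not from the original page): a local check mirroring the documented
# rules of "Passwords must meet complexity requirements". Sample inputs are constructed.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    $reasons = @()

    # Rule 1: at least six characters. The separate "Minimum password length" setting
    # usually demands more; this rule is only the floor the complexity check itself applies.
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # Rule 2: must not contain the account name (checked whole, case-insensitively,
    # when it is 3+ characters) nor any part of the full name longer than two characters.
    # The full name is split on commas, periods, dashes, underscores, spaces, # and tabs.
    if ($SamAccountName.Length -ge 3 -and $Password -imatch [regex]::Escape($SamAccountName)) {
        $reasons += 'contains the account name'
    }
    foreach ($part in ($DisplayName -split '[,.\-_ #\t]' | Where-Object { $_.Length -gt 2 })) {
        if ($Password -imatch [regex]::Escape($part)) { $reasons += "contains name part '$part'"; break }
    }

    # Rule 3: characters from at least three of the four categories.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # uppercase letters
    if ($Password -cmatch '[a-z]')        { $categories++ }   # lowercase letters
    if ($Password -match  '[0-9]')        { $categories++ }   # digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # everything else (symbols, other scripts)
    if ($categories -lt 3) { $reasons += "only $categories of 4 character categories" }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed samples for a user jsmith / "Smith, John"
Test-PasswordComplexity -Password 'Summer2023'  -SamAccountName 'jsmith' -DisplayName 'Smith, John'  # passes: 3 categories
Test-PasswordComplexity -Password 'jsmith!2023' -SamAccountName 'jsmith' -DisplayName 'Smith, John'  # fails: account name
Test-PasswordComplexity -Password 'johnSmith99' -SamAccountName 'jsmith' -DisplayName 'Smith, John'  # fails: name part Smith
Test-PasswordComplexity -Password 'password'    -SamAccountName 'jsmith' -DisplayName 'Smith, John'  # fails: 1 category
```

Newer documentation lists a fifth category (Unicode letters that are neither upper- nor lowercase); the example counts those in the fourth bucket, which gives the same pass/fail result for the three-of-N rule. The check is also not a strength measure: Summer2023 passes it, which is why the minimum length setting and a banned-password list still matter.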

By configuring the Account Lockout Policy settings, you can control what happens when repeated unauthorized access attempts occur; like the password policy, these settings apply to the entire domain. With more recent editions of Windows Server, Microsoft introduced the concept of a fine-grained password policy.

Introduced in Windows Server 2008 and also included in Windows Server 2008 R2, fine-grained password policies let you configure different password and account lockout settings (as discussed above) that apply to specific users or global security groups within a domain, whereas previously these settings could only apply to the whole domain. Fine-grained password policies are particularly helpful where one class of accounts, such as administrators or service accounts, needs stricter or different rules than everyone else. The settings live in a Password Settings Object (PSO), whose attributes hold the fine-grained password and account lockout policy values.
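Creating and linking a PSO can be done with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later). The following is an added example rather than code from the page; the PSO name, the values, the group and the user account are assumptions.

```powershell
# Added example (not from the original page): create a fine-grained password policy
# (PSO) for privileged accounts and confirm which policy a user actually receives.
# Requires the ActiveDirectory module and a domain functional level of 2008 or higher.
Import-Module ActiveDirectory

$PsoName = 'PSO-PrivilegedAccounts'   # assumed PSO name
$Group   = 'Tier0-Admins'             # assumed global security group
$User    = 'adm.jsmith'               # assumed member of that group

# Lower Precedence wins when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter password and lockout settings for Tier 0 administrators'

# A PSO applies to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group

# Resultant policy for a member. If no PSO covers the user the cmdlet returns
# nothing, which means the domain-wide policy from the Default Domain Policy applies.
$rsop = Get-ADUserResultantPasswordPolicy -Identity $User
if ($rsop) {
    "$User gets PSO '$($rsop.Name)' (MinPasswordLength=$($rsop.MinPasswordLength), LockoutThreshold=$($rsop.LockoutThreshold))"
} else {
    "$User falls back to the domain's default password policy"
}
```

The resultant-policy check is the one to script after any change: a PSO linked to a nested group or to a user who is also covered by another PSO with a lower Precedence value is silently outranked, and Get-ADUserResultantPasswordPolicy is what shows which one won.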

In the Group Policy Management Editor (or in Local Security Policy), the User Rights Assignment node under Local Policies lists a series of predefined user rights in the details pane. To modify the assignment of any right, right-click it and select Properties.

As shown for the Back up files and directories user right, the Properties dialog box displays the built-in groups that are granted this right by default.

The Back up files and directories Properties dialog box displays the groups that are granted this right by default, and it enables you to modify this assignment if required. To grant this right to another user or group, click Add User or Group. In the Add User or Group dialog box that appears, type or browse to the required user or group.

Then click OK. To remove a user or group, select it and click Remove. When finished, click OK to close the Properties dialog box. You are returned to the Group Policy Management Editor, where you can continue to configure additional user rights as needed. Note that a user right defined in a GPO replaces the existing holders rather than adding to them, so list every account that should keep the right, not just the new one.

Configuring Security Options Settings

Within the Local Policies subnode of Security Settings, you have the User Rights Assignment already discussed, Audit Policy (discussed later in this tutorial), and Security Options.

Several of the more important options that you should be familiar with are as follows:

Accounts: Block Microsoft accounts: Prevents users from using Microsoft accounts to log on to the computer or from creating new Microsoft accounts on the computer. This setting was introduced in Windows 8 and Windows Server 2012 and is continued in later versions; it does not exist on Windows 7.

Accounts: Rename administrator account: Renames the built-in Administrator account to a value you specify, so intruders cannot simply look for "Administrator" when attempting to break into your network. The renamed account keeps its well-known relative identifier (RID 500), so this slows down casual guessing but does not stop an attacker who enumerates accounts by SID.

Interactive logon: Do not display last user name: Enable this option to prevent the username of the last logged-on user from appearing in the logon dialog box, so that another individual cannot learn a valid username from the screen. This can also help to reduce lockouts.
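The user right and the security options discussed above can be audited without the GUI. The following script is an added example, not the page's own code: it reads the holders of Back up files and directories from a secedit export and checks the registry values that back the two logon-related options. It assumes an elevated local session; the target values are assumptions, and the group names quoted in comments are the Windows defaults.

```powershell
# Added example (not from the original page): audit a user right and two security
# options on the local machine. Run elevated. Target values below are assumptions.

# --- Part 1: who holds "Back up files and directories" (SeBackupPrivilege)? ---
$Exported = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $Exported /areas USER_RIGHTS | Out-Null

function Get-UserRight {
    param([string]$Path, [string]$Privilege)
    # In [Privilege Rights] a line looks like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    $line = Get-Content $Path | Where-Object { $_ -match "^$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }    # right not exported, or defined with no holders
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # a leading * marks a SID; translate to DOMAIN\Name where this machine can resolve it
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else { $entry }
    }
}
'SeBackupPrivilege holders:'
Get-UserRight -Path $Exported -Privilege 'SeBackupPrivilege'
# Defaults on a workstation: BUILTIN\Administrators and BUILTIN\Backup Operators.
# Any other entry is a principal that can read every file regardless of its ACL.

# --- Part 2: registry-backed security options ---
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Interactive logon: Do not display last user name -> DontDisplayLastUserName (1 = enabled)
# Accounts: Block Microsoft accounts -> NoConnectedUser (1 = can't add, 3 = can't add or log on)
$Wanted = @{ DontDisplayLastUserName = 1; NoConnectedUser = 3 }

function Get-SecurityOptionState {
    foreach ($name in $Wanted.Keys) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Option    = $name
            Current   = $(if ($null -eq $current) { 'not set (default)' } else { $current })
            Wanted    = $Wanted[$name]
            Compliant = ($current -eq $Wanted[$name])
        }
    }
}
Get-SecurityOptionState | Format-Table -AutoSize

# Enforce the wanted values locally (in a domain, set them in the GPO instead).
foreach ($name in $Wanted.Keys) {
    New-ItemProperty -Path $PolicyKey -Name $name -Value $Wanted[$name] -PropertyType DWord -Force | Out-Null
}
Get-SecurityOptionState | Format-Table -AutoSize

# "Accounts: Rename administrator account" is not registry-backed: it is the
# NewAdministratorName entry in the [System Access] section of a security template,
# applied with secedit /configure or through the GPO editor.
```

NoConnectedUser is only meaningful on Windows 8 / Windows Server 2012 and later; on Windows 7 it is ignored. Writing these values directly is exactly what Local Security Policy does behind the scenes, which is also why they survive removal of the policy that set them, the tattooing described earlier.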