Setting NT Policies
Summary
Three separate policies can be set via User Manager for Domains. Account Policies are used .... User Rights Policies are used.... Audit Policies are used to track security events and log them to the NT Security Event log.
Account Policies
The domain Account Policies are modified by selecting "Policies/Account..." from the User Manager for domains. The parameters shown in the following two tables are set on the same window.
Password Restrictions
|
Account Policy Setting
|
Description
|
Recommended Standard
|
|
Maximum Password Age
|
The period of time a password can be used before the system requires the user to change it.
|
35 Days
|
|
Minimum Password Age
|
The period of time a password can be used before the system requires the user to change it.
|
3 Days
|
|
Minimum Password Length
|
The fewest characters a password can contain.
|
6 Characters
|
|
Password Uniqueness
|
The number of new passwords that must be used by a user account before an old password can be reused.
|
3 Passwords
|
Account Lockout
|
Account Lockout Settings
|
Description
|
Recommended Standard
|
|
Lockout After
|
The number of incorrect logon attempts that will cause the account to be locked.
|
3 Bad Logon Attempts
|
|
Reset Count After
|
The maximum number of minutes that can occur between any two bad logon attempts for lockout to occur.
|
30 Minutes
|
|
Lockout Duration
|
The duration and in minutes for locked accounts to remain locked before automatically becoming unlocked.
|
Forever
|
User Rights Policies
The User Rights policy manages the rights granted to groups and user accounts. A right authorizes a user logged on to an account to perform certain actions on the system. When a user does not have appropriate rights, attempts to carry out those actions are blocked.
Rights apply to the system as a whole and are different from permissions, which apply to specific objects. Members of a group have all the rights granted to that group. In most situations, the easiest way to provide rights to a user is to add that user's account to one of the built-in groups that already possesses the needed rights, rather than by administering the User Rights policy.
The User Rights
The list below provides descriptions of user rights that can be managed with the User Rights policy. Two advanced user rights (Bypass traverse checking, and Log on as a service) may be of interest to administrators, and are therefore included in the list.
-
Access this computer from network
-
Add workstations to domain
-
Back up files and directories
-
Change the system time
-
Force shutdown from a remote system
-
Load and unload device drivers
-
Log on locally
-
Manage auditing and security log
-
Restore files and directories
-
Shut down the system
-
Take ownership of files or other objects
-
Bypass traverse checking (advanced right)
-
Log on as a service (advanced right)
Note: Some advanced user-rights can also be managed with the User Rights policy. Most of these are useful only to programmers writing applications for computers running Windows NT Workstation or Windows NT Server, and will not usually be granted to a group or user. For information about advanced user rights, see the Windows NT Server programming documentation.
When to change the default settings
Normally, you will not have to change the default user rights settings. However, it may be desirable on some servers, to prevent users from logging in directly to the server console. In this case, you could remove the Users and Guests groups from the logon locally right. Conversely, if users from another domain need to logon locally to this server, the global group that contains the users that need this right should be added to the logon locally right.
To manage the User Rights policy
-
On the Policies menu, click User Rights.
-
Select a user right from those listed in Right. The users and groups who currently have that right appear under Grant To.
-
To grant the selected right to additional groups or user accounts, click Add, and complete the Add Users and Groups dialog box.
-
To remove a group or user account from the list, select a name in the Grant To box, and then click Remove.
-
Repeat steps 2 through 4, as necessary
-
To administer the advanced user rights, select the Show Advanced User Rights check box and repeat steps 2 through 4, as necessary.
Audit Policies
Setting the Audit Policy
Selected activities of users can be tracked by auditing security events and then placing entries in the computer's security log. Use the Audit policy to determine the types of security events that are logged. Because the security log is limited in size, carefully select events to be logged. The maximum size of the computer's security log is defined in Event Viewer. Entries in a security log can be reviewed using Event Viewer.
To manage the Audit Policy
-
On the Policies menu, click Audit.
-
To record events in the security log, click Audit These Events. Or, to not record any events in the security log, click Do Not Audit.
-
If you selected Audit These Events, click to select or clear the Success and Failure check boxes for each type of event.
Notes and Tips
-
When administering domains, the Audit policy affects the security logs of all domain controllers in the domain because they share the same Audit policy.
-
When administering a computer running Windows NT Workstation or Windows NT Server that is not a domain, the Audit policy affects only the security log of that computer.
-
Entries in a security log can be reviewed using Event Viewer.
-
Because the security log is limited in size, carefully select which events to log. The maximum size of each computer's security log is defined in Event Viewer.
Settings to be Used
For all domain controllers, PDCs and BDCs, use the following settings:
|
Event Type
|
Description
|
Recommended Setting
|
Explanation
|
|
|
|
|
|
|
Logon and Logoff
|
A user logged on, off, or made a network connection.
|
Audit as needed.
|
This setting makes break-in attempts easy to find in the event log.
|
|
File and Object Access
|
A user accessed a directory or file that is set for auditing in File Manager, or a user sent a print job to a printer set for auditing in Print Manager.
|
Audit as needed.
|
Logging successful attempts to access file and print objects will fill the system log. Failed attempts are more interesting from a security perspective.
|
|
Use of User Rights
|
A user used a User Right (privilege assigned by the system administrator other than those related to logon or logoff)
|
Audit as needed.
|
This setting results in log entries which show users trying to exercise rights they were not intended to have.
|
|
User and Group Management
|
A user account or group was created, changed, or deleted. A user account was renamed, disabled, or enabled; or a password was set or changed.
|
Audit successful and failed attempts.
|
All modifications to the SAM are of interest, especially in the Account Domain.
|
|
Security Policy Changes
|
A change was made to User Rights, Audit, or Trust Relationships.
|
Audit successful and failed attempts.
|
All changes in security policy are important. This setting tracks enabling and disabling of auditing.
|
|
Restart, Shutdown, and System
|
A user restarted or shut down the computer, or an event has occurred that affects system security or the security log.
|
Audit successful and failed attempts.
|
All server systems are considered critical. Analysis of these events can be used to derive availability.
|
|
Process Tracking
|
These events provide detailed tracking information for occurrences such as program activation, some forms of handle duplication, indirect object access, or process exit.
|
Audit as needed.
|
This setting can fill the system log quickly. Careful consideration should be given to process level auditing.
|
For application servers, auditing should be implemented as required by the application owner. Again, it is important to set the size and retention period of the Security Event Log to an appropriate level.
|
