You can access Group Policy settings by opening the Microsoft Management Console (MMC) and adding the Group Policy snap-in.
Of all the security measures you can take in a Server 2003 network environment, knowing who is trying to decipher passwords (or who has a terrible memory) could be highly advantageous to you. Knowledge is probably the best security measure, so lets take a look at the Audit Policies.
Access the Audit Policy from:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
There are dozens of configurations here, and fully enabling all of them wil only mean filling up your audit logs and giving yourself too much unimportant data to sort through. To just get the good, important stuff, set the following (audit both successes and failures where applicable):
- Account Logon Events
- Account Management
- Logon Events
- Policy Change
- Privilege Use
For everything else, it is less important to audit the successes, so I recommened just auditing failures.
Administrator Account Security
We all know that the Administrator account is essentially the god of the Windows Server environment. With it, you can do absolutely anything - both for harm and for good. Logically, then, anyone trying to break into the deep dark recesses of your network is going to view that Adminstrator account as their golden ticket. If you wanted something to stay hidden, would you give a malicious stranger half of the map to finding it? Of course not! Likewise, letting them know the Username of your Administrator account is giving up half of the puzzle. You need to rename that Administrator account, and then only use it when absolutely necessary. You also need to ensure that when you log off of a station that that username is not still sitting in the first field of the login box, like Windows has a habit of allowing. Both of these things can be set in the Security Options group policy.
Access the Security Options from:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Enable Accounts: Rename Administrator Account then rename it to something of your choice that is, preferably, very difficult to guess.
Enable Interactive Logon: Do Not Display Last User Name to ensure that every logon screen is entirely blank. You do not want any malicious persons to have half the combination to the safe.
There are literally hundreds of other possible group policies, but these and the two discussed in the second article of this series will go a long way to keeping your network both safe and functional. If you are unsure about a policy, do not enable it. Additionally, leaving the majority of the low-priority policies set to “undefined” will ensure that your network stays at a high efficiency and that users do not feel bogged down by too much pointless restriction. In our next article we will discuss how to assign Group Policies to groups (and what those groups are).
This post is part of the series: Windows Server 2003 Group Policy
We take a look at the huge subject of Group Policy. What it is, how it helps Administrators, and some common Group Policy settings that can increase security.