basic security

P

Pamela

I am a relatively new adminsitrator of a 40 user 2000
network. I have implimented the basic security settings
we desire through creating two security setting GPOs and
applying them to the OUs.

Can someonme please tell me is there any need or added
value of also applying security settings through the
security configuration and analysis mmc snap-in? Do the
settings that you enforce through this mmc security snap-
in only apply to the one machine you created the template
on?

Do you need both local and GPO settings?

Thank you,

Pam
 
S

Steven L Umbach

All machines have a Local Security Policy where you can view machine
and "effective/overridden" settings. One of the advantages of a domain
environment is that you can use a GPO to modify select settings on a group
of computers or users as you have done to suit your needs. The SCA tool is
helpful in determining what the actual settings are applied to a particular
computer compared to a defined database created from one or more inf
templates [maybe a custom one you created]. Any defined settings at the
domain/OU level will override settings defined in the Local Security Policy
of computer/users that the GPO applies to. Yes settings configured to a
machine via SCA will apply only to the Local Security Policy of that
machine [again settings may be overridden] , however you can import/export
templates from an individual machine to a GPO if needed. You do not have to
use both a Local and a custom GPO - though quite often it proves very
useful. There is a default Domain Security Policy/GPO which you do not want
to delete. Account/password polices for domain members are defined ONLY at
domain level GPO. Try to avoid modifying the default domain GPO, but instead
create a new one at the domain level or OU level [as you have done]. It is
much easier to go back to default settings that way if a problem arises.
Keep in mind that computers/users must be IN the OU for the GPO to affect
them [unless loopback processing is applied for user configuration - not the
norm]. The gpresult tool can be helpful in tracking down Group Policy
problems. I would suggest you download the free Windows 2000 Security
Hardening Guide from Microsoft. It has specific recommendations on security
settings fro various types of network configurations and level of security
requirements. I also HIGHLY recommend that you purchase the fairly new
Microsoft Windows Security Resource Kit which includes many helpful
utilities from the W2K resource kit. --- Steve

http://www.bookpool.com/.x/af72ckqcd6/sm/0735618682 -- Security Resource Kit
http://security.ziffdavis.com/article2/0,3973,1043101,00.asp -- W2K
Security Hardening Guide
http://support.microsoft.com/?kbid=321709 -- Gpresult tool
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

how to remove security policy template that was once applied 1
Security Configuration and Analysis Console 4
Question for Roger Abell 5
Applying security templates 3
server would not start 1
Incorrect (?) mismatches in Security Configuration & Analysis Tool 3
Permissions issue with remote connection 5
Recovery Console Features Disabled 1

Top