Well there is a lot that can be done depending on how you want to balance security
and functionality.
I would be careful about setting your lockout threshold too low. MS recommends a minimum of ten, which will protect your network fine with complex passwords. In addition I would enable auditing of logon events on the domain controller and any servers, being sure to increase the default log size substantially. If at all possible do not let users be local administrators on their machines, nor power users, and the default NTFS permissions on the root/drive folder are too permissive in W2K, where you want the Everyone group to have no more than read/list/execute. Keep in mind that newly created shares will give Everyone full control, which you will usually want to change.

Assuming internet access, I would also look into configuring the web content zones of your users to have minimum settings and taking advantage of the trusted web content zone to place "authorized" sites that are known to be safe. Of course you will have to prevent users from having access to IE settings to undo what you have done. There is a setting in IE/Advanced to disable on-demand install of third party add-ons which I would disable, though I do not know of a way to do that through GP, unfortunately. If you do not want users to install unauthorized software it will help to add setup.exe and install.exe to the list of disallowed Windows applications in User Configuration/Administrative Templates/System. A firewall with a default block-all-outbound rule and then the allowed exceptions can keep users from running unauthorized internet programs such as chat and file swapping.

Also keep in mind that a malicious user can reset the local administrator password if they are able to boot their computer from a CD-ROM, floppy, or other device. Therefore you will want to configure the computers to boot only from the hard drive, password protect the CMOS settings, and have locking computer cases if possible to prevent them from resetting the CMOS via jumper. If you do not need USB [pen drives] then disable that in CMOS and use GP to disable autorun of CD-ROMs. The domain controller must be physically secured to some degree, even if it is just a real heavy duty case with access to ports and drives blocked.

You should also run Microsoft Baseline Security Analyzer at least on your domain controller and other servers. For instance, in a default install of any W2K server IIS is enabled, which should be disabled or uninstalled if not needed. That should give you a good start.

--- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://mvps.org/winhelp2002/unwanted.htm -- tips on securing IE settings.
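As an added example, not part of Steve's reply: a read-only PowerShell audit that reports whether several of the settings he lists are actually in place on a host. It assumes a modern Windows box with PowerShell 5.1 or later and the SmbShare module; the registry paths are the standard Group Policy locations for the autorun and "Don't run specified Windows applications" policies, and the threshold of ten is the value quoted above.

```powershell
# Added example (not from the original post): read-only audit of settings the reply recommends.
# Assumes PowerShell 5.1+ with the SmbShare module; run in an elevated prompt on the host to check.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Lockout threshold: the reply warns against setting it lower than the recommended 10.
$threshold = [string](((net accounts) -match 'Lockout threshold') -replace '^.*:\s*', '')
if ($threshold -eq 'Never') {
    $findings.Add('No account lockout threshold is configured')
} elseif ($threshold -match '^\d+$' -and [int]$threshold -lt 10) {
    $findings.Add("Lockout threshold is $threshold, below the recommended minimum of 10")
}

# 2. Newly created shares default to Everyone: Full Control; list any share that still does.
Get-SmbShare | Get-SmbShareAccess |
    Where-Object { $_.AccountName -like '*Everyone' -and $_.AccessRight -eq 'Full' -and
                   $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $findings.Add("Share '$($_.Name)' grants Everyone Full Control") }

# 3. CD-ROM autorun: bit 0x20 (DRIVE_CDROM) of NoDriveTypeAutoRun must be set to disable it.
$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $machinePolicy -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if (-not $autorun -or -not ($autorun -band 0x20)) {
    $findings.Add('Autorun is not disabled for CD-ROM drives (NoDriveTypeAutoRun)')
}

# 4. "Don't run specified Windows applications" for the current user: setup.exe and install.exe.
$userPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$blocked = @()
if ((Get-ItemProperty -Path $userPolicy -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun -eq 1) {
    # The DisallowRun subkey holds one string value per blocked executable ("1"="setup.exe", ...).
    $blocked = (Get-ItemProperty -Path "$userPolicy\DisallowRun" -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object { $_.Value }
}
foreach ($exe in 'setup.exe', 'install.exe') {
    if ($blocked -notcontains $exe) { $findings.Add("$exe is not on the disallowed applications list") }
}

# 5. IIS should be absent unless the server actually needs it.
if (Get-Service -Name W3SVC -ErrorAction SilentlyContinue) {
    $findings.Add('IIS (W3SVC) is installed; remove it if this server does not need it')
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

The share and "disallowed applications" checks only see the current user's and local machine's view; on a domain, compare the output against the GPO you intended to apply with gpresult.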