Fall 2011Nassau Community College ITE153 – Operating Systems

Session 22 Local Security Polcies

1

Overview

• Introducing Local Security Policies• Four Categories• Configuring Password Policy• Account Lockout Policy• Security Options• IP Security Policies

Fall 2011 2Nassau Community College ITE153 – Operating Systems

Fall 2011Nassau Community College ITE153 – Operating Systems

Session 22Windows 7 ProfessionalLocal Security Policies

3

Local Security Policies• A Group Policy object contains an extensive profile

of security permissions that apply primarily to the security settings of a domain or a computer (rather than to users)

• Group policies for local computers that do not use the Active Directory are set using Local Security Policies

• Because a computer can have more than one policy setting applied to it, security policy settings can conflict with each other.

• The order of precedence from highest to lowest is: OU => domain => local computer

Fall 2011Nassau Community College ITE153 – Operating Systems 4

Local Security PoliciesLocal Security Policies apply to a computer and

contain these subsets:• Audit policy. Determines whether security events are

written to the security log in Event Viewer on the computer. Also determines whether to log successful attempts, failed attempts, or both

• User rights assignment. Determines which users or groups have logon rights or privileges on the computer 

• Security options. Enables or disables security policy settings for the computer, such as digital signing of data, Administrator and Guest account names, floppy disk drive and CD drive access, driver installation, and logon prompts

Fall 2011Nassau Community College ITE153 – Operating Systems 5

Local Security Policies

There are four categories of local security policies:•Account Policies•Local Policies•Public Key Policies•IP Security Policies

Fall 2011Nassau Community College ITE153 – Operating Systems 6

Local Security PoliciesTwo ways to get to it:

• Control Panel => Systems and Security =>Administrative Tools => Local Security Policy

• mmc secpol.msc

Fall 2011Nassau Community College ITE153 – Operating Systems 7

Account Policies

• Password and account lockout policies

• Set number of invalid logon attempts

• Lock account indefinitely

Fall 2011Nassau Community College ITE153 – Operating Systems 8

Local Policies

Fall 2011Nassau Community College ITE153 – Operating Systems 9

• Prevents last user name logged on from appearing

• Shutdown without being logged on

• Lock account indefinitely

• Force logoffs

Public Key Policies

Fall 2011Nassau Community College ITE153 – Operating Systems 10

• Deals mainly with recovery and encryption

IP Security Policies

Fall 2011Nassau Community College ITE153 – Operating Systems 11

• Network security rules

• IP Filtering

… And More Policies

Fall 2011Nassau Community College ITE153 – Operating Systems 12

Lab A: Local Security Policies

Fall 2011 13Nassau Community College ITE153 – Operating Systems

Configuring Password Policy

• Enforce password history – how many old passwords

• Maximum password age – days to keep a particular password

• Minimum password age – prevents changing the password back

• Minimum password length - # of characters

• Password complexity requirements – disabled by default

Fall 2011Nassau Community College ITE153 – Operating Systems 14

Lab B: Configuring Password Policy

Fall 2011 15Nassau Community College ITE153 – Operating Systems

Account Lockout Policy

• Prevents users from guessing passwords

• Account lockout duration – minutes account is locked out

• Account lockout threshold – number of invalid logons

• Reset account lockout counter after – number of minutes that must elapse after a failed logon attempt

Fall 2011Nassau Community College ITE153 – Operating Systems 16

Lab C: Account Lockout Policy

Fall 2011 17Nassau Community College ITE153 – Operating Systems

Security Options

Fall 2011Nassau Community College ITE153 – Operating Systems 18

Security Options

• Interactive logon: Do not display last user name

• This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.

Fall 2011Nassau Community College ITE153 – Operating Systems 19

User Rights Assignment

• Change the Time Zone

• This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset.

Fall 2011Nassau Community College ITE153 – Operating Systems 20

Lab D: Security Options

Fall 2011 21Nassau Community College ITE153 – Operating Systems

IP Security Policies

• Used for building firewalls

• Uses a wizard and IP filters

Fall 2011Nassau Community College ITE153 – Operating Systems 22

Important URLS• Local Users and Groups - use Local Users and Groups

to create and manage users and groups that are stored locally on a computer

• Local Users and Groups - similar to link above but for Windows 7, Windows Server 2008, Windows Server 2008 R2

• Local Users and Groups best practices - excellent tips• Microsoft Security Administrators Guide - security

administrators guide. Also available in PDF format.• Microsoft Security TechCenter - links to technical

bulletins, advisories, updates, tools, and prescriptive guidance. This is a very good site to visit frequently

Fall 2011Nassau Community College ITE153 – Operating Systems 23

Homework

Review the SlidesReview Lesson 12 In The Text

Fall 2011Nassau Community College ITE153 – Operating Systems 24