Contents
Overview
Introduction to Securing a Windows 2000 Network
Windows 2000 Security Policies
Implementing Security Policies
Implementing an Audit Policy
Recovering Encrypted Files
Lab A: Implementing Security in a Windows 2000 Network
Best Practices
Review
Module 8: Implementing Security in a Windows 2000 Network
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart
Introduction
This module provides students with the necessary knowledge and skills to
implement security in a Microsoft® Windows® 2000 network by using security
policies and auditing and by recovering encrypted files.
In the lab in this module, students will have a chance to create a customized
Microsoft Management Console (MMC) console for configuring security
settings and creating a new security template. Then they will analyze and
configure the security settings for a computer. They will also plan and
implement audit settings in a domain. Finally, they will recover an
encrypted file.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1558A_08.ppt
Preparation
To prepare for this module, you should:
• Read all the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and
provide the answers.
can be tested before security settings are applied to multiple computers.
Explain the purpose of a security template and demonstrate how to create a
security template. Emphasize that you can define a security setting once and
apply it in many places. Explain the purpose of Security Configuration and
Analysis and demonstrate how to configure and analyze the security settings
of a computer. Illustrate how to use Group Policy to apply security policies.
• Implementing an Audit Policy
In this topic, you will introduce the procedure for implementing an Audit
policy. Explain the purpose of auditing. Tell students that auditing is used to
track user events. An event shows the action that was performed, the user
who performed the action, and the date and time of the action. Show the
events that Windows 2000 can audit and explain what each event indicates.
Explain how to plan an audit strategy and determine which events to audit.
Illustrate how to set up an Audit policy. Explain how to audit access to file
system, Active Directory™ directory service, and printer objects, and list the
guidelines to be followed for auditing each resource.
• Recovering Encrypted Files
In this topic, you will introduce recovering encrypted files. Briefly discuss
the purpose and the process of encrypting and decrypting files and folders.
Discuss the purpose of a recovery policy. Emphasize that the first
administrator to log on to a stand-alone computer is the recovery agent for
that computer, and the first administrator to log on to the domain after the
first domain controller is created is the recovery agent for the domain.
Illustrate how to recover files and folders. Point out that recovering files and
folders is the same as decrypting files and folders.
• Lab A: Implementing Security in a Windows 2000 Network
Prepare students for the lab in which they will create a customized MMC
console and a new security template for configuring security settings. Next,
Setup Requirement 2
The labs in this module require the Log on locally right for domain controllers
to be assigned to the Everyone group. To prepare student computers to meet
this requirement, perform one of the following actions:
• Run C:\MOC\Win1558A\Labfiles\Lab08\Setup\Lab08.cmd.
• Assign the right manually.
Setup Requirement 3
The labs in this module require that a shortcut for Active Directory Domains
and Trusts, Active Directory Users and Computers, and Active Directory Sites
and Services exists on the desktop of the regular user account. To prepare
student computers to meet this requirement, perform one of the
following actions:
• Run C:\MOC\Win1558A\Labfiles\Lab08\Setup\Lab08.cmd.
• Create the shortcuts manually and place them in
C:\Winnt\Profiles\All Users\Desktop.
Setup Requirement 4
The labs in this module require the following organizational units (OUs) in the
student’s domain.
This OU    In this organizational unit
East       Domain Controllers
West       Domain Controllers
To prepare student computers to meet this requirement, perform one of the
following actions:
to default values.
• Students encrypt and decrypt files.
You can run
C:\MOC\Win1558A\Labfiles\Lab08\Setup\Lab08rm.cmd to remove most
configuration changes introduced during the labs in the module. Remove the
Log on locally right from the Everyone group manually. Manually delete the
GPOs created by students.
Overview
• Introduction to Securing a Windows 2000 Network
• Windows 2000 Security Policies
• Implementing Security Policies
• Implementing an Audit Policy
• Recovering Encrypted Files
• Best Practices
Microsoft® Windows® 2000 provides policies and utilities to monitor security
settings for computers throughout a network, a set of templates to create and
deploy standard security settings throughout an enterprise, and an auditing
function for determining how resources are accessed. Windows 2000 also
provides administrators with the ability to recover Encrypting File System
(EFS) encrypted files, enabling the management of user encrypted files.
At the end of this module, you will be able to:
• Identify the purpose of securing a Windows 2000 network.
• Use EFS to encrypt files so that only the persons who
encrypted the files and administrators can access them
To implement a secure network, you need to create a network that provides
users with all of the information and resources that they need, while protecting
the information and resources from damage and unauthorized access.
Implementing security in a network provides the following benefits:
• Confirms the identity of users attempting to gain access to resources. This
prevents unauthorized users from accessing, stealing, or damaging system
resources, such as sensitive data or mission-critical applications.
• Protects against inappropriate access to specific resources, for example,
ensuring that only corporate management personnel can gain access to
employee payroll information.
When implementing security in a Windows 2000 network, you can use the
following methods for securing a network:
• Group Policy. Use Group Policy to establish and enforce security policies
for network computers by ensuring that settings are applied consistently
over the network and that they can be centrally managed.
• Audit policy. Use Audit policy to monitor various security-related events in
Windows 2000. Monitoring security events is necessary to detect intruders
and attempts to compromise data on the system.
• Encrypting File System. Use EFS to encrypt files so that only the user who
encrypted the file and administrators are able to access it, regardless of the
NTFS file system permissions assigned.
Slide Objective
To identify the purpose of
securing a Windows 2000
Account policies    Configure password and account policies
Local policies      Configure auditing, user rights, and security options
Event log           Configures settings for application logs, system logs, and security logs
Restricted group    Configures group memberships for security sensitive groups
System services     Configure security and startup settings for services running on a computer
configure in Group Policy:
• Account policies. Account policy settings allow you to configure password
policies and account lockout policies for the domain. The account policy for
a domain defines the password history, the lifetime of account lockouts, and
more. These policies are effective only when they are applied at the
domain level.
• Local policies. Local policy settings allow you to control settings that affect
individual computers rather than domain-specific settings. Local policies
include auditing policies, the assignment of user rights and privileges, and
other security options that are applied to and affect the local computer.
• Event log. Event log settings allow you to configure the size, access, and
retention parameters for application logs, system logs, and security logs.
• Restricted group. Restricted group settings allow you to manage the
membership of selected groups as part of security policy. Restricted group
policies also track and control reverse membership of each restricted group.
• System services. System services settings allow you to configure security
and startup settings for services running on a Windows 2000-based
computer.
• Registry. The registry settings allow you to configure security on
registry keys.
• File system. The file system settings allow you to configure security for
specific local file paths on network computers. These settings set consistent
NTFS permissions for static files and folders on domain computers.
Slide Objective
To identify the different types of security policies in Windows 2000.
Lead-in
You can use security
policies to establish and
security incidents. Windows 2000 provides many utilities to analyze and
configure security settings for your network. These utilities are available as
stand-alone snap-ins in Microsoft Management Console (MMC).
Slide Objective
To introduce the topics related to implementing security policies.
Lead-in
There are many different ways of implementing security policies.
Introduction to Implementing Security Policies
[Slide diagram. Labels: Group Policy, Security Template, OU1, OU2, OU3, Computer1, Computer2, User1, User2]
Implementing Security
security settings are applied
to computers.
Lead-in
You can implement security policies by manually configuring the security settings in Group Policy or by configuring a security template and importing it into a GPO.
Key Points
A preconfigured security template ensures consistent security settings.
Test the preconfigured security settings on a single computer before applying them to other computers, and then export the tested settings to a security template.
What Is a Security Template?
• A Security Template Is a Text File That Contains the Security Settings
• Apply Security Templates by:
  • Using Security Configuration and Analysis to apply a security template
  • Importing a Security Template into a Group Policy object
applying Group Policy to an Active Directory container (site, domain, or
organizational unit).
Windows 2000 includes several default security templates. These predefined
templates can be customized by using the Security Templates snap-in and can
be imported into the Security Settings extension of Group Policy. These
templates incrementally modify the default security settings. They do not
include the default security settings plus the modifications. The following list
describes the default security templates:
• Basic. The default security level for Windows 2000. These templates can be
used as a base configuration for security analysis and should be applied to
configure the upgraded computer with the new Windows 2000 default
security settings.
• Compatible. Provides a higher level of security but still ensures that all the
features of standard business applications will run.
• Secure. Provides an additional level of security, but does not ensure that all
of the features of standard business applications will run.
• High. Enforces the maximum security for Windows 2000 without
consideration for application functionality. High security is primarily
intended for testing and development of high security applications.
Slide Objective
To explain the purpose of a security template.
Lead-in
A security template contains all the security settings to be applied to a computer.
Show students the four
default security templates by
You can use the Security Templates snap-in to create a security template. The
Security Templates snap-in is used for viewing, defining, or modifying existing
security templates.
You create a security template by using any one of the following methods:
• Defining a new template and modifying the defaults.
• Editing an existing security template and then saving it as a new template.
To create a new security template, perform the following steps:
1. In Security Templates, expand the Security Templates node, right-click
the path node where you want to store the new template, and then select
New Template.
2. Type a name and description for the new security template.
3. Expand the new security template node to display the security areas, and
then expand the node for the security area that you want to configure.
4. In the details pane, double-click the security attribute that you want
to configure.
5. If the Exclude this setting in analysis check box is selected, clear it to
allow editing, and then click OK.
Another method for creating a new security template is to edit an existing
security template. To create a new security template from an existing template,
perform the following steps:
1. In Security Templates, expand the default path node, right-click the existing
template that you want to modify, click Save As, specify a name for the new
• Import Additional Security Templates by:
  • Merging settings or replacing previous templates
  • Making manual changes to settings
Security Configuration and Analysis is a utility used to directly configure and analyze local system security
Security Configuration and Analysis is an MMC snap-in that is used to
directly configure and analyze local system security. This utility enables you to
configure and analyze the security settings for a specific computer.
• Analyzing system security. Analyzing system security compares the current
security settings for the computer with the settings specified in the security
template and then displays the results. Because the state of the operating
system and applications on a computer is dynamic, regular analysis enables
an administrator to track and ensure an adequate level of security on each
computer. To analyze system security:
  • Create a security database in which to store the analysis results.
  • Apply a template to specify the settings that should be analyzed and the
  expected configuration for those settings.
Security Configuration and Analysis then populates the database with the
current settings for the computer and marks settings that do not match
the template.
• Configuring system security. Windows 2000 enables you to import security
templates created with the Security Templates snap-in, and then apply
these templates to local computer policy. This immediately configures the
local computer security settings with the values specified in the
Configure the Computer with the Security Settings Contained in a Security Template
The Security Configuration and Analysis snap-in enables you to configure
security, analyze security, view results, and resolve any discrepancies revealed
by analysis.
To configure and analyze system security, perform the following tasks:
• Set up a working (security) database.
• Analyze the current configuration.
• Configure the computer with the security settings contained in a
security template.
Setting Up a Working Database
To set up a working database, perform the following steps:
1. In Security Configuration and Analysis, right-click Security Configuration
and Analysis.
2. To open or create a working database, click Open Database, and either
enter the name for an existing database or type a name for the new security
database, and then click OK.
Analyzing the Current Configuration
You can use Security Configuration and Analysis to perform a security analysis
on a computer by comparing the computer’s security settings with those in a
security template. You can use a comparison of security settings against a
baseline security template to quickly analyze whether a computer’s security
settings comply with your organization’s security policy or whether security
configuration settings were changed since the last time you reviewed the
2. To begin the analysis, right-click Security Configuration and Analysis,
and then click Analyze System Now.
3. Click OK to use the default analysis log, or type a file name and valid path
to create a new analysis log.
A progress dialog box indicates the different security areas being analyzed.
After this is complete, you can review the results.
If frequent analysis of large numbers of computers is required, the
Secedit.exe command-line utility may be used for batch analysis. However,
analysis results must still be viewed with Security Configuration and Analysis.
For more information on Secedit.exe, see the white paper, Security
Configuration Tool Set on the course 1558A, Advanced Administration for
Microsoft Windows 2000, Student Materials compact disc.
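The comparison that Analyze System Now performs can be illustrated in Python. This is an added example, not part of the course materials: the template and the exported current settings are constructed samples in the security template text-file form, the current settings are assumed to be available in that same form, and parse_inf, display, and analyze are hypothetical helper names.

```python
import configparser

# Constructed baseline template, in the text-file form a security template uses.
TEMPLATE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
LockoutBadCount = 5
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditAccountManage = 3
"""

# Constructed export of the settings in effect on one computer (assumed to be
# available in the same text form as the template).
CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordHistorySize = 24
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 2
AuditObjectAccess = 2
"""

# Audit values as stored in the [Event Audit] section.
AUDIT_VALUES = {"0": "No Auditing", "1": "Success",
                "2": "Failure", "3": "Success, Failure"}
AREAS = ("System Access", "Event Audit")


def parse_inf(text):
    """Parse template text into {section: {setting: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def display(section, raw):
    """Render a stored value the way an administrator reads it."""
    if raw is None:
        return "(absent)"
    if section == "Event Audit":
        return AUDIT_VALUES.get(raw, raw)
    return raw


def analyze(template_text, current_text):
    """Return (section, setting, expected, actual) for each template setting
    that the current configuration does not match."""
    template, current = parse_inf(template_text), parse_inf(current_text)
    findings = []
    for section in AREAS:
        for setting, expected in template.get(section, {}).items():
            actual = current.get(section, {}).get(setting)
            if actual != expected:
                findings.append((section, setting,
                                 display(section, expected),
                                 display(section, actual)))
    return findings


if __name__ == "__main__":
    for section, setting, expected, actual in analyze(TEMPLATE_INF, CURRENT_INF):
        print(f"[{section}] {setting}: template={expected} computer={actual}")
```

Settings that match the template, such as PasswordHistorySize here, produce no finding, which mirrors how the snap-in marks only the settings that differ.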
Configuring the Computer with Security Settings
You can make configuration changes to the security settings that are not
complying with the security template and then reconfigure the system with
these settings.
To configure security settings, perform the following steps:
1. In Security Configuration and Analysis, set a working database, and then
import one or more security templates into the database.
2. Right-click Security Configuration and Analysis, and then click
Configure System Now.
The settings contained in the security database are applied to the computer.
Using Group Policy to Apply Security Policies
current security settings should be modified to meet your organization’s
security requirements.
Slide Objective
To explain how to use Group Policy to apply security policies.
Lead-in
You use Group Policy to define a number of configuration settings and to apply them to multiple computers in one step.
Delivery Tip
Demonstrate how to import a security template by using Group Policy.
Key Points
Use Group Policy to standardize security settings.
Import security templates into Security Settings in Group Policy to apply consistent and tested security policies to computers in an Active Directory container.
Identify Unauthorized Use of Resources, and Maintain a Record of User and Administrator Activity
• View Security Logs in Event Viewer
[Slide diagram. Labels: Use of Resources; Success or Failure Logged; Event Viewer entries: User1 logon failed, Access denied, Printing successful]
Auditing in Windows 2000 is the process of tracking user and operating system
activities (called events) on a computer. When an audited event occurs,
Windows 2000 writes a record of the event to the security log.
An audit entry in the security log contains the following information:
• The action that was performed.
• The user who performed the action.
• The success or failure of the event and when the event occurred.
Events to Audit
Event                      Example
Account logon              Domain controller receives a request to validate a user account
Account management         Administrator creates, changes, or deletes a user account or group
Directory service access   User gains access to an Active Directory object
Logon                      User logs on or off a local computer
Object access
Account management         An administrator creates, changes, or deletes a user account or group. A user account is renamed, disabled, or enabled, or a password is set or changed.
Directory service access   A user gains access to an Active Directory object. To log this type of access, you must configure specific Active Directory objects for auditing.
Logon                      A user logs on or off a local computer, or a user makes or cancels a network connection to the computer.
Object access              A user gains access to a file, folder, or printer. You must configure specific files, folders, or printers for auditing.
Policy change              A change is made to the user security options (password options, account logon settings), user rights, or Audit policies.
Privilege use              A user exercises a user right, such as changing the system time (this does not include rights that are related to logging on and logging off), or an administrator takes ownership of a file.
Process tracking           An application performs an action. This information is generally only useful for programmers who want to track details of application execution.
System                     A user restarts or shuts down the computer, or an event has occurred that affects Windows 2000 security or the security log.
Slide Objective
To identify the events that Windows 2000 can audit and what the event indicates.
store sensitive or critical data frequently, but you can infrequently audit
client computers that are used solely for running productivity applications.
• Determine the types of events to audit:
  • Access to files and folders
  • Users logging on and off
  • Shutting down and restarting a computer running Windows 2000 Server
  • Changes to user accounts and groups
  • Attempts to make changes to Active Directory objects
• Determine whether to audit the success or failure of events, or both.
Tracking successful events can tell you how often Windows 2000 or users
gain access to specific resources. You can use this information for resource
planning. Tracking failed events can alert you to possible security breaches.
• Some organizations are required to maintain a record of resource and data
access. Determine whether you need to track trends of system usage. If so,
plan to archive event logs.
Slide Objective
To explain how to plan an audit strategy and determine which events to audit.
Lead-in
Before you set up an Audit policy, you need to determine what you want to audit and whether to audit successful or failed events.
Delivery Tip
Show students the events that Windows 2000 can audit.
[Screenshot: Group Policy console tree (Computer Configuration, Software Settings, Windows Settings, Security Settings, Account Policies, Local Policies, Audit Policy, User Rights Assign, Security Options) with the columns Attribute and Stored Template Setting, the Audit System Events attribute, and settings shown as Success,Failure, No Auditing, Success, Failure, or Not Configured. Callouts: First Column; Successful and Second Column; Failed]
• Assign Security Settings to a Single Computer by Configuring the Settings in Local Policies in Group Policy
• Assign Security Settings to Multiple Computers by Creating a Group
Audit policy.
Delivery Tip
Demonstrate how to set up an Audit policy.
Key Point
Directory service access enables auditing a user’s access to specific Active Directory objects. Object access enables auditing a user’s access to files, folders, and printers.
Auditing Access to Resources
File System
• Set the Audit Policy to Audit Object Access
• Enable Auditing for Specific NTFS Files and Folders
• Record Success or Failure of an Event
Printers
• Set the Audit Policy to Audit Object Access
• Enable Auditing for Specific Printers
• Record Success or Failure of an Event
confidential and archival files.
• Record success and failure events for Change Permissions and Take
Ownership operations for confidential and personal user files. These
operations may indicate that someone is attempting to modify security in
order to gain access to data for which they do not currently have
permissions. If an Administrator takes ownership of a user’s file to assign
him or herself access, this setting ensures that this event is recorded.
• Record success and failure events for all operations performed when
auditing members of the Guests group. This should be done especially on
folders and files to which Guests should not be granted access.
• Audit file and folder access on all computers containing shared data that
should be secured.
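The following Python sketch shows how the guidelines above, together with the earlier point that failed events can alert you to possible security breaches, turn into a review of audit records. It is an added example, not part of the course materials: the records are constructed and use a simplified comma-separated layout rather than Event Viewer's own export format, and GUEST_ACCOUNTS, FAILED_LOGON_THRESHOLD, and review are hypothetical names and values.

```python
import csv
import io
from collections import Counter

# Constructed records in a simplified layout (an assumption for this example).
SAMPLE_LOG = """\
time,type,category,user,object,accesses
2000-03-01 08:01:10,Failure Audit,Logon/Logoff,User1,,
2000-03-01 08:01:25,Failure Audit,Logon/Logoff,User1,,
2000-03-01 08:01:41,Failure Audit,Logon/Logoff,User1,,
2000-03-01 08:02:03,Success Audit,Logon/Logoff,User2,,
2000-03-01 09:15:00,Success Audit,Object Access,Administrator,D:\\Payroll\\salaries.xls,WRITE_OWNER
2000-03-01 09:15:02,Success Audit,Object Access,Administrator,D:\\Payroll\\salaries.xls,WRITE_DAC
2000-03-01 09:40:12,Failure Audit,Object Access,Guest,D:\\Payroll\\salaries.xls,ReadData
2000-03-01 10:05:00,Success Audit,Object Access,User2,D:\\Public\\memo.doc,ReadData
2000-03-01 10:07:30,Failure Audit,Object Access,User2,D:\\Payroll\\salaries.xls,ReadData
"""

# Access rights that correspond to the two operations the guidelines single out.
SECURITY_CHANGES = {"WRITE_DAC": "Change Permissions",
                    "WRITE_OWNER": "Take Ownership"}
GUEST_ACCOUNTS = {"Guest"}      # assumption: accounts in the Guests group
FAILED_LOGON_THRESHOLD = 3      # assumption: tune to your environment


def review(log_text):
    """Return (rule, user, target, outcome) tuples for records worth a look."""
    alerts = []
    failed_logons = Counter()
    for rec in csv.DictReader(io.StringIO(log_text)):
        failed = rec["type"] == "Failure Audit"
        if rec["category"] == "Logon/Logoff" and failed:
            failed_logons[rec["user"]] += 1
        elif rec["category"] == "Object Access":
            operation = SECURITY_CHANGES.get(rec["accesses"])
            if operation:
                # Success and failure both matter for these operations.
                rule = operation
            elif rec["user"] in GUEST_ACCOUNTS:
                # Every operation by a Guests member is recorded.
                rule = "Guests access"
            elif failed:
                rule = "Failed object access"
            else:
                continue
            alerts.append((rule, rec["user"], rec["object"], rec["type"]))
    for user, count in failed_logons.items():
        if count >= FAILED_LOGON_THRESHOLD:
            alerts.append(("Repeated logon failure", user,
                           f"{count} attempts", "Failure Audit"))
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(" | ".join(alert))
```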
Slide Objective
To explain the procedure for auditing access to file system, Active Directory, and printer objects.
Lead-in
To alert you to potential security breaches, you can set up auditing for files and folders, Active Directory objects, and printers.
Delivery Tip
Demonstrate how to set up auditing for files and folders, Active Directory objects, and printers.
Key Point