Student_Ch14

Installing, Configuring, and Administering Microsoft®
Windows® XP Professional
Chapter 14, “Configuring and Managing Computer Security”
Learning Objectives
After completing this lesson, students will be able to:
 Configure and manage Local Security Policy.
 Manage security configuration with templates.
 Establish and monitor a security audit policy.
Lecture Notes
To effectively teach students the features and capabilities of Windows XP Professional,
show examples of the following:
 Security policy planning.
 How to evaluate the security configuration of a computer by using the Security
Configuration And Analysis tool.
 How to use the Security Configuration And Analysis tool to analyze and apply
security policy templates.
 How to use the Secedit.exe command to analyze and apply security policy
templates.
 How to create a security template by using the Security Template snap-in.
 How to import a custom security policy.
 How to determine which events should be audited.
 How to configure auditing through Local Group Policy.
 How to configure a password policy through Local Group Policy.
Understanding Security Policy
Local Security Policy
 Review the fact that the Local Security Policy is part of the Local Group Policy
and can be accessed through Group Policy Editor (Gpedit.msc) as well as through
the Local Security Policy menu item on the Administrative Tools submenu of the
Start menu.
 Discuss the Account Policies section of the Local Security Policy
o Describe and show the Audit Policy settings
o Describe and show the User Rights Assignment settings
o Describe and show the Security Options settings.
 Discuss the following system-related security options:
o Accounts: Administrator Account Status
o Accounts: Guest Account Status
o Accounts: Rename Administrator Account
o Accounts: Rename Guest Account
o Audit: Shut Down System Immediately If Unable To Log Security Audits
o Devices: Prevent Users From Installing Printer Drivers
o Devices: Restrict CD-ROM Access To Locally Logged-On User Only
o Devices: Restrict Floppy Access To Locally Logged-On User Only
o Devices: Unsigned Driver Installation Behavior
 Silently Succeed
 Warn But Allow Installation
 Do Not Allow Installation
 Not Defined
o Interactive Logon: Do Not Display Last User Name
o Interactive Logon: Do Not Require CTRL+ALT+DELETE
o Interactive Logon: Message Text For Users Attempting To Log On
o Interactive Logon: Number Of Previous Logons To Cache (In Case
Domain Controller Is Not Available)
o Interactive Logon: Prompt User To Change Password Before Expiration
o Interactive Logon: Require Smart Card
o Interactive Logon: Smart Card Removal Behavior
 No Action
 Lock Workstation
 Force Logoff
 Not Defined
o Network Access: Let Everyone Permissions Apply To Anonymous Users
o Shutdown: Allow System To Be Shut Down Without Having To Log On
o Shutdown: Clear Virtual Memory Page File
Domain Security Policy
 Demonstrate how to access the Domain Security Policy.
 Remind students that Group Policies can also be defined at the organizational unit
(OU) level.
 Explain that Group Policies linked at the domain level are inherited by all computer
and user accounts in the entire domain by default.
o Briefly explain that GPOs of OUs will override (by default) settings
configured at the domain when there is a conflict.
 Briefly explain that OUs can be configured with GPO inheritance-blocking
to prevent Group Policy settings from being inherited
from GPOs linked to the domain or other OUs that are higher in
the domain structure.
 Explain that the No Override or Enforce setting can be enabled on
a per-policy basis to ensure that the GPO flows down through
the hierarchy, even through OUs that have inheritance-blocking
enabled.
Discussion Question:
You manage 12 Windows XP Professional computers. All the computers you manage
have computer accounts in the Production organizational unit (OU) in the contoso.com
domain. You are responsible for ensuring that users you manage who are using Windows
XP Professional computers are not allowed to access the floppy disk. Your manager
creates a Group Policy object (GPO) named DiskLock1 that enables the Devices: Restrict
Floppy Access To Locally Logged-On User policy setting. However, the domain
administrator has configured the Default Domain Policy to disable the Devices: Restrict
Floppy Access To Locally Logged-On User policy setting. What configuration change
would ensure that the client computers that you manage will prevent users from accessing
the floppy drive?
Managing Security Policy
Predefined Security Templates
 Explain the purpose of the predefined Security Templates.
 Setup security.inf — Stores all the security configuration settings that were in
effect when the system was installed.
 Compatws.inf — Relaxes certain file system and registry settings to allow
programs not compatible with Windows XP to operate without the need to elevate
users to power user status. This template also removes all users from the Power
Users group.
 Securews.inf — Configures security settings that are least likely to affect
application compatibility.
o Restricts anonymous access to enumerating shares and user names
o Strong authentication for connections to servers
o Stronger password, account lockout, and audit settings
 Hisecws.inf — Removes all but the Local Administrator and Domain Admins
from the Administrators group and removes all users from the Power Users group.
It also requires strong authentication between clients and servers.
 Rootsec.inf — Configures the default root file system security settings.
Creating a Custom Security Policy Management Console
 Demonstrate how to create a custom MMC.
 Demonstrate how to add the Security Templates snap-in.
 Demonstrate how to add the Security Configuration And Analysis snap-in.
Viewing, Modifying, and Creating a Security Template
 Demonstrate how to open the default security templates.
 Demonstrate how to modify one of the default security templates.
 Demonstrate how to create and modify a new security template.
Analyzing and Configuring Security Settings
 Demonstrate how to create a security configuration database with the Security
Configuration And Analysis snap-in.
 Demonstrate how to analyze the security settings.
Exporting Security Templates
 Demonstrate how to export a security template to another computer.
 Demonstrate how to import the exported template.
Managing Security Policy with Secedit.exe
 Demonstrate the Secedit command
 Demonstrate how to use Secedit to analyze a computer.
 Demonstrate how to use Secedit to validate a security template.
 Explain that Secedit /Refreshpolicy Machine_policy is a command that was used
in Windows 2000 to refresh Group Policy. Tell students that Gpupdate is the
command to refresh Group Policy on newer operating systems, or on Windows
2000 if the newest Group Policy management console is downloaded and
installed.
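The comparison that a Secedit analysis performs, a template's settings checked against the computer's, modeled as an added Python example that is not part of the original lesson materials. Both template texts and all their values are constructed samples, and the script models the comparison rather than calling Secedit.

```python
import configparser

# Constructed samples: a baseline template and settings exported from a computer
# (for instance with: secedit /export /cfg current.inf).
BASELINE = r"""
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
"""
CURRENT = r"""
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 2
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
"""
# [Event Audit] values as stored in a template
AUDIT = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}

def parse_template(text):
    """Parse security-template INF text into {section: {setting: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   allow_no_value=True, strict=False)
    cp.optionxform = str  # keep setting names and registry paths as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def analyze(baseline, current):
    """List (section, setting, baseline, computer) where the two differ."""
    base, cur = parse_template(baseline), parse_template(current)
    findings = []
    for section, settings in base.items():
        for name, want in settings.items():
            have = cur.get(section, {}).get(name, "Not Defined")
            if have != want:
                if section == "Event Audit":  # show audit values readably
                    want, have = AUDIT.get(want, want), AUDIT.get(have, have)
                findings.append((section, name, want, have))
    return findings

if __name__ == "__main__":
    for finding in analyze(BASELINE, CURRENT):
        print(" | ".join(finding))
```

A setting that the baseline defines but the exported configuration lacks is reported as Not Defined, the same label the Local Security Policy lists use for unset options.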
Discussion Question:
A computer with Microsoft Windows 98 installed and running the Microsoft Office 97
program is upgraded to Windows XP. Some computer users can no longer run Microsoft
Office 97. You discover that accounts that are members of the Administrators or Power
Users group are able to run Office 97. User accounts that have membership in only the
local Users group are not able to run the application. You do not want
to make all users members of Administrators or Power Users. What else could you do to
allow all users to run Microsoft Office 97?
Managing Security Audit Policy
Actions That Can Be Audited
 Discuss and define the events that can be audited
 Successful and unsuccessful account logon events
 Successful and unsuccessful user account management
 Directory service access
 Successful and unsuccessful logon events
 Successful and unsuccessful object access
 Policy changes
 Use of user rights and privileges
 Audit process tracking
 System events such as startups and shutdowns
 Security Options area of Local Security Policy
o Audit The Access Of Global System Objects
o Audit The Use Of Backup And Restore Privilege
o Shut Down The System Immediately If Unable To Log Security Audits
Planning an Audit Policy
 Explain what is involved in determining audit requirements
 Demonstrate how to select objects for auditing
 Explain that assigning responsibility for monitoring is an essential part of the
auditing process.
Implementing and Managing an Audit Policy
 Explain how to implement and manage an audit policy
 Demonstrate how to configure the Security event log
 Show students how to modify log size
o Overwrite Events As Needed
o Overwrite Events Older Than X Days
o Do Not Overwrite Events (Clear Log Manually)
Monitoring Audit Logs
 Demonstrate how to configure NTFS object access auditing
o Show students how to enable auditing in Local Security Policy
o Enable auditing on the Security tab of the Properties dialog box for the
object to be audited; click Advanced to open the Advanced Security
Settings dialog box
 Discuss how to monitor user account administration events
 Discuss how to monitor shutdown and restart events
 Discuss how to monitor Audit Logs
Discussion Question:
What type of auditing configuration would be required to ensure that no auditing
information would be overwritten or missed by the security log?
Class Activities
Hands-On Activity
Lesson 14 — Assignment 1
Configure the Local Security Policy to prevent the installation of unsigned drivers.
Save a screenshot of the modified Devices: Unsigned Driver Installation Behavior
Properties dialog box to submit to the instructor.
Project Ideas
Lesson 14 — Project 1
You are responsible for managing the security configuration of several computers
running Windows XP Professional. These computers are configured in a workgroup. You
need to ensure the following requirements are met:
 User password length must be at least 14 characters.
 Auditing must be configured to monitor any attempts to modify the boot.ini, ntldr,
or ntdetect.com files.
 The last user name that was used should not appear in the logon dialog box.
 The security policy must be consistent on all computers in the workgroup.
Describe how you would implement the security measures above. Cite specific automated
policies that you would enable and where you would enable these policies. Describe also
how you could most easily implement these changes on all the computers in the
workgroup.
Performance Test Items
Lesson 14 — Test Item 1
Describe the main differences between the following concepts, objects, or terms.
1. Local Security Policy and Domain Security Policy
2. Setup Security.inf and Securews.inf
3. Compatws.inf and Rootsec.inf
4. Secedit.exe and Security Configuration And Analysis
5. Audit Logon Events and Audit Account Logon Events
Lesson 14 — Test Item 2
Describe the Audit Policy that will allow for the tracking of the following actions.
o Someone shutting down the computer.
o Someone querying Active Directory® directory service to locate a printer.
o A user taking ownership of a file.
o An audit policy disabled.
o Someone accessing a particular subkey in the Windows registry.