
Project On Group Policy Satpal

This document provides instructions for creating an effective local security policy using group policy templates in Windows XP. It describes how to open the security configuration and analysis snap-in, import a template to audit the current settings, optionally create a custom template by modifying settings, and then apply the template to enforce the policy. Templates configure registry keys to modify security settings. The document explains how to select an appropriate template, perform an audit to identify discrepancies between the current and template settings, optionally make changes to build a custom template, and then apply the template to enforce the new policy.

Uploaded by

anon-651744
Copyright
© Attribution Non-Commercial (BY-NC)

HCL CAREER DEVELOPMENT CENTRE

PROJECT ON GROUP POLICIES

Under The Guidance Of: Md. Mohsinul Malik

Submitted By: Satpal (MCSE01) HCNA

ACKNOWLEDGEMENT

I would sincerely like to thank my instructor, Md. Mohsinul Malik who has been there always to help me in carrying out this project, acting as the guiding spirit behind the compiling of this project for putting a tremendous effort from his side to assist me as much as possible.

Satpal
MCSA
(HCNE01)

CONTENTS

1. Introduction of Group Policy

2. Creating An Effective Local Security Policy

3. How Group Policies Work

• How To Use The Templates

• Auditing The Computer

• Building A Custom Template

• Applying The Template

4. Password Policy

DESCRIPTION

Introduction of Group Policy


Every organization uses site, domain, or organizational unit
(OU) Group Policies. We can also use Windows XP's Security
Configuration and Analysis Snap-in to configure and enforce
local group policies to make our XP workstations more secure.

We need to understand a few things about the way that group
policies work. Group policies are hierarchical in nature. They
are applied at various levels and are combined to form what’s
known as the resultant set of policy.

The hierarchy comes into play when a workstation connects to
a network that utilizes Active Directory. When a user logs on,
the local Windows XP group policy is applied. After that,
additional group policies are applied at various levels of
Active Directory. Group policies can be applied at the site,
domain, and organizational unit level.

Each group policy contains identical group policy elements
(settings). Most of the time, a group policy won’t even come
close to using every available policy element. Even so, the
potential exists for setting contradictions to occur. Windows
resolves conflicts by using a “most recent policy wins”
algorithm. For example, the final group policy to be applied in
the hierarchy is the OU level policy. So if a policy element in
the OU level group policy contradicts a policy element
implemented at a lower level, the previous policy element will
be overwritten by the policy element in the higher level group
policy.

The local group policy is the first one applied at login. So
elements within the local group policy are very likely to get
overwritten by higher level group policy elements. Even so,
it’s important to make sure your local group policies are
strong, because there are situations in which higher level
group policies may not be available. In these situations, the
local group policy becomes the machine’s only line of
defense. This situation would occur if a user logged in using a
local user account rather than a domain account. It might also
occur if a user attempted to log into a domain, but the domain
controller could not be contacted. In either case, any group
policies contained within Active Directory are unavailable and
the local security policy forms the machine’s entire resultant
set of policy.

Creating An Effective Local Security Policy


Although Windows XP’s local security policy doesn’t have a
single policy element set by default, Windows XP includes a
number of templates that we can use to configure precisely the
policy elements needed to secure Windows XP within our
particular environment. These templates have two different
purposes. First, they can be used to activate the necessary
group policy elements within the local security policy. Second,
they can be used to audit the local security policy. Remember
that security isn't a "set it and forget it" operation. We need
to make sure that the security policy elements that we set are
still properly set. The templates can assist with this by
comparing the existing security settings with the desired
security settings to make sure that everything still matches.

How Group Policy Works

How to use the templates

We must begin by opening an empty Microsoft Management
Console (MMC) session. To do so, enter the MMC command
at the Run prompt. Next, select the Add/Remove Snap-Ins
command from the console’s File menu. You'll see the
Add/Remove Snap-In properties sheet. Click the Add button
on the properties sheet’s Standalone tab and you'll see a dialog
box containing all of the available snap ins. Scroll toward the
bottom of the list and select the Security Configuration And
Analysis option from the list and click the Add button. Then
click Close and OK.

If this is the first time you've used the Security Configuration
And Analysis tool on this machine, you'll need to create a new
database. Right-click on the console’s Security Configuration
And Analysis container and select the Open Database
command from the shortcut menu. Windows will launch the
Open Database dialog box. Since no databases presently exist,
just type a name that you would like to call your database and
then click Open.

Windows will display the Import Template dialog box. This
dialog box allows you to select which template to use to
secure or to audit the workstation. Technically, you aren’t
limited to using a single template. You can import multiple
templates into the database. If you do import multiple
templates, the group policy elements within those templates
will be combined. In the event of contradictory group policy
elements within the templates, the template that was the most
recently imported takes precedence.

In case you are wondering, a template is really nothing more
than an .INF file that’s located in the
\WINDOWS\SECURITY\TEMPLATES folder. The template
basically tells Windows which registry keys to modify or
check. You can see a small portion of a template file’s contents
in Figure A.

Figure A: What a template file looks like in text form.

Windows XP gives you seven templates to choose from or
you can create your own. Each of these templates gives you
a different level of security. But not all of these templates
are appropriate for Windows XP. Microsoft actually ported
the Security Configuration And Analysis Snap-in and all of
the templates directly from Windows 2000. So some of the
templates are intended to be used on servers and are
inappropriate for a Windows XP workstation.

Auditing the computer

While it might be tempting to jump right in and apply the
security template, I recommend auditing the system first,
because an audit will compare the computer’s current settings
against the settings within the template and notify you of any
differences. This provides a great opportunity to study the
group policy element settings within the template and to check
for any undesirable settings. We can change the settings or
make a custom template.

To perform an audit of the current security settings, select the
Analyze Computer Now option. Windows will prompt you to
enter the error log file path. The default location is the \My
Documents\Security\Logs folder. Make your selection and
click OK to begin the audit.

When the audit completes, Windows will display the group
policy tree within the console window. As you navigate
through the tree, select any branch that you would like to
examine. When you do, the pane on the right will display all
of the group policy elements within that branch. Alongside
these elements, you'll see the database setting for that group
policy element and the computer’s current setting. This allows
you to look for discrepancies.
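
The import-and-audit steps above can be pictured with a short script. This is an added example, not part of the original document: it merges the [System Access] sections of several templates (the most recently imported wins) and lists every setting where the computer differs from the database. The setting names are the ones Windows security templates use; the function names and all sample values are constructed for illustration.

```python
import configparser

# Constructed sample templates in the security-template .INF layout;
# [System Access] holds the password and account lockout settings.
BASE_INF = """[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
"""
LOCKOUT_INF = """[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 60
"""
# Constructed "current computer" settings in the same layout.
CURRENT_INF = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
LockoutBadCount = 0
"""

def system_access(inf_text):
    """Return the integer settings of [System Access] as {name: value}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # setting names keep their original case
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    return {k: int(v) for k, v in cp.items("System Access")
            if v is not None and v.strip().lstrip("-").isdigit()}

def merge(*templates):
    """Combine imported templates; the most recently imported one wins."""
    database = {}
    for text in templates:
        database.update(system_access(text))
    return database

def audit(database, current):
    """Return (setting, database value, computer value) for each mismatch."""
    return [(name, want, current.get(name))
            for name, want in sorted(database.items())
            if current.get(name) != want]

if __name__ == "__main__":
    db = merge(BASE_INF, LOCKOUT_INF)
    for name, want, have in audit(db, system_access(CURRENT_INF)):
        print(f"{name}: database={want} computer={have}")
```

A setting that the computer does not define at all is reported with a computer value of None. Template files written by Windows are normally UTF-16 encoded, so decode them accordingly before passing the text to these functions.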

Building a custom template

We will want to create a custom template any time none of the
built-in templates meets our needs. Creating a custom template
is easy if we have had to import multiple templates into the
database. Even if we haven’t changed anything after importing
multiple templates, creating a custom template will save work
in the long run, because when we next audit the system, we
don’t have to import a bunch of templates. Instead we can use a
single template that contains the resultant set of policy from
the multiple templates that we originally assembled. Suppose we
have imported only a single template and need to make some
changes to it. Making the change is easy. Simply right-click on
the group policy element you want to modify, and then select
the Properties command from the shortcut menu. You'll see a
properties sheet for the policy element, similar to the one in
the figure.

The value displayed within this screen is the computer’s
current value, not the template’s value. If we want to modify
the template, select the Define This Policy within the Database
check box. We may also modify the policy element’s value if
necessary. For example, in the figure, the computer is configured
to keep a single password in the password history. When
modifying the database, we could keep this value or we could
change it to remember 24 passwords. Just remember that if
you change the value, it doesn’t have any direct effect on the
computer. It only modifies the database. Click OK to make the
modification within the database.

Applying the template


When you're ready to apply the policy elements within the
database to the computer, right-click on the Security
Configuration And Analysis container and select the Configure
Computer Now command. When you do, Windows will
prompt you for the path to the error log file. Make your
selection, and then click OK to apply the template.

PASSWORD POLICY

Purpose:

The purpose of this article is to teach you how to configure
password policies and account policies in Windows XP.

Password Policy:

A collection of policy settings that define the password
requirements for users.

Account Lockout Policy:


Account lockout policy options disable accounts after a set
number of failed logon attempts. Using these options can help
you detect and block attempts to break passwords.

To configure password policies

Follow these steps in order to accomplish the task:

1. Click Start → Programs → Administrative Tools → Local Security Policy.

2. Expand Account Policies and you will see Password Policy and Account Lockout Policy. Click on Password Policy.

Enforce password history. The number of unique, new
passwords that must be associated with a user account before
an old password can be reused. When used in conjunction with
Minimum password age, this setting prevents reuse of the
same password over and over. Most IT departments set a value
greater than 10.

Maximum password age. The number of days a password
can be used before the user must change it. Changing
passwords regularly is one way to prevent passwords from
being compromised. Typically, the default varies from 30 to 42
days.

Minimum password age. The number of days a password
must be used before the user can change it. The default value
is zero, but it is recommended that this be reset to a few days.
When used in conjunction with similarly short settings in
Enforce password history, this restriction prevents reuse of the
same password over and over.

Minimum password length. The minimum number of
characters a user's password can contain. The default value is
zero. Seven characters is a recommended and widely used
minimum.

Passwords must meet complexity requirements. The default
password filter (Passfilt.dll) included with Windows 2000
Server and Windows XP Professional requires that a password
have the following characteristics:

• Does not contain your name or user name.

• Contains at least six characters.

• Contains characters from each of the following three groups:

  1. Uppercase and lowercase letters (A, a, B, b, C, c, and so on)

  2. Numerals

  3. Symbols (characters that are not defined as letters or numerals, such as !, @, #, and so on)

3. Double click the policy that you want to set and define the policy.

To configure account lockout policies

1. Click on Account Lockout Policy.


Account lockout duration. The number of minutes (from 1 to
99999) an account remains locked out before it unlocks. By
setting the value to 0, you can specify that the account remains
locked out until an administrator unlocks it.

Account lockout threshold. The number of failed logon
attempts before a user account is locked out. A locked out
account cannot be used until an administrator resets it, or until
the account lockout duration expires.

Reset account lockout counter after. Determines how many
minutes (1 to 99999) must elapse after a failed logon attempt
before the counter resets to 0 bad logon attempts. This value
must be less than or equal to the account lockout duration.

2. Double click the policy that you want to set and define the policy.

Summary:

You have successfully configured your computer to use the
password and account lockout policies that you have defined.
Account policies affect Windows XP Professional computers
in two ways. When applied to a local computer, account
policies apply to the local account database that is stored on
that computer. When applied to domain controllers, the
account policies affect domain accounts for users logging on
from Windows XP Professional computers that are joined to
that domain.

ACCOUNT LOCKOUT POLICY

Sometimes you, or other users of a server or workstation, have
a hard time remembering the correct username and password.
It may be from a simple typo while entering the information or
it may be a result of having too many different usernames and
passwords to remember. Whatever the reason, there are times
when incorrect authentication information will be entered
when someone is trying to log in. You don't need to be
alarmed by a single failed attempt. You probably don't even
need to be concerned about two or three attempts.

At some point though you have to figure that it is no longer an
honest mistake and is either a program or individual
systematically trying to guess different username or password
combinations to gain unauthorized access to the machine.
Windows offers a way to protect the machine from such
attempts through the Account Lockout Policies. By
configuring the operating system to lock the account and bar
access after a certain number of failed login attempts
you allow the system to proactively block such attempts.

You can open the Local Security Settings console by following
the following steps:

1. Click on Start

2. Click on Control Panel

3. Click on Administrative Tools

4. Click on Local Security Policy

You can also get to the same place by typing "secpol.msc" at a
command prompt. Once you have the Local Security Settings
interface open you should click on Account Policies and then
click on Account Lockout Policy. You will see three policies in
the right pane along with the current status of each. The three
policies are the Account Lockout Threshold, Reset Account
Lockout Counter After and Account Lockout Duration. Here is
a brief synopsis of each.

Account Lockout Threshold: The Account Lockout Threshold
policy specifies the number of failed login attempts allowed
before the account is locked out. If the threshold is set at 3 the
account will be locked out after a user enters incorrect login
information 3 times within a specified timeframe.

Reset Account Lockout Counter After: This policy defines a
timeframe for counting the incorrect login attempts. If the
policy is set for 1 hour and the Account Lockout Threshold is
set for 3 attempts a user can enter the incorrect login
information 3 times within 1 hour. If they enter the incorrect
information twice, but get it correct the third time the counter
will reset after 1 hour has elapsed (from the first incorrect
entry) so that future failed attempts will again start counting at
1.

Account Lockout Duration: The Account Lockout Duration
policy allows you to specify a timeframe after which the
account will automatically unlock and resume normal
operation. If you specify 0 the account will be locked out
indefinitely until an administrator manually unlocks it.

Again, users may at times enter incorrect information for
innocent reasons such as a typo or simply forgetting what the
password is. For a typical server or workstation you don't want
to configure the policy settings so tight that users are locked
out frequently for honest mistakes. For most computers I
would recommend using settings within the following
parameters:

Account Lockout Threshold: A number between 3 and 5
should suffice to account for honest mistakes and
typographical errors.

Reset Account Lockout Counter After: Using a timeframe
between 30 and 60 minutes is sufficient to deter automated
attacks as well as manual attempts by an attacker to guess a
password.

Account Lockout Duration: Once the threshold is triggered
and the account is locked out you want to leave it locked long
enough to block or deter any potential attacks, but short
enough not to interfere with productivity of legitimate users. A
lockout duration of 1 hour to 90 minutes should work well.
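
How the three settings interact is easier to see when they are replayed over a series of failed logons. The following is an added example, not part of the original document: a simplified model (an assumption, not Windows' own implementation) that counts failures in the way the text describes, using values from the recommended ranges and constructed timestamps. The function and variable names are hypothetical.

```python
from datetime import datetime, timedelta

def simulate(failed_logons, threshold, reset_after, duration):
    """Replay failed-logon times; return the times the account locks out.

    Simplified model (assumption): the count restarts once `reset_after`
    minutes have passed since the first failure being counted, failures
    during a lockout are ignored, and duration 0 means the account stays
    locked until an administrator unlocks it.
    """
    if duration and reset_after > duration:
        raise ValueError("reset counter must not exceed lockout duration")
    lockouts, count, first, locked_until = [], 0, None, None
    for t in sorted(failed_logons):
        if locked_until is not None:
            if duration == 0 or t < locked_until:
                continue  # account is still locked out
            locked_until = None
        if first is None or t - first >= timedelta(minutes=reset_after):
            count, first = 0, t  # counting window starts over
        count += 1
        if count >= threshold:
            lockouts.append(t)
            locked_until = t + timedelta(minutes=duration)
            count, first = 0, None
    return lockouts

# Constructed sample data: an honest user and a guessing run.
START = datetime(2024, 1, 1, 9, 0)
TYPOS = [START, START + timedelta(minutes=2), START + timedelta(hours=2)]
BURST = [START + timedelta(minutes=i) for i in range(180)]  # one per minute

def minutes_from_start(times):
    return [int((t - START).total_seconds() // 60) for t in times]

if __name__ == "__main__":
    print(minutes_from_start(simulate(TYPOS, 3, 30, 60)))
    print(minutes_from_start(simulate(BURST, 5, 30, 60)))
    print(minutes_from_start(simulate(BURST, 5, 30, 0)))
```

With a threshold of 5 and a 60-minute duration, the three-hour guessing run is cut down to 15 counted attempts, while the user with two typos and a later mistake is never locked out.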
