
Enforcing Windows 2000 Security with Group Policy and Security Templates

One of the great benefits of Windows 2000 domains is the ability to centrally
control enterprise computing environments with Group Policy. Group Policies
allow administrators to configure computer settings and user rights and
permissions with extremely granular controls. Windows also allows you to
standardize security configurations on computers by applying security
templates. In this lab, you will create a new organizational unit (OU) and
create a new group policy object (GPO) for this new OU. You will then edit a
security template provided by the U.S. National Security Agency (NSA) and
import this template into the GPO. This will significantly harden the security
posture of computers assigned to this OU.

Your lab environment consists of 3 virtual computer systems.

Lab Network Diagram (figure): Patton, the W2K file/print server at 10.0.2.7,
and IKE, the W2K domain controller at 10.0.2.4, sit on the 10.0.0.0/16 network
together with VTE-Launchpad at 10.0.254.254; the network also has a connection
to the Internet.

1. A Windows 2000 domain controller. This is the system on which the
group policy object and security templates will be manipulated and
centrally applied. This system’s hostname is Ike and its IP address is
10.0.2.4.

2. A Windows 2000 (W2K) member server that is used for file and print
services. Domain group policy and security templates will be applied
to this server. This system’s hostname is Patton and its IP address is
10.0.2.7.

Windows 2000 group policy and security templates Page 1 of 14

3. A Windows Server 2003 launchpad system that will allow you to
remotely access and configure the servers above. This system’s
hostname is VTE-Launchpad and its IP address is 10.0.254.254.

1 Remotely access the W2K domain controller via the Remote Desktop Connection (RDC)

1. From the Desktop of your VTE-Launchpad system, double click the
Remote Desktop Connection icon and enter 10.0.2.4. Then click
‘Connect’.

2. At the Windows Login prompt, login with the following credentials:

User name: Administrator
Password: tartans

2 Creating Windows 2000 Organizational Units (OUs) and moving appropriate computers into this OU

2.1 Create a new Organizational Unit

Windows 2000 domains allow for the creation of OUs that enable more
granular application of security policies by placing users and/or computers
into isolated containers. A new OU will be created for Windows 2000 Member
Servers.

1. Click Start > Programs > Administrative Tools > Active Directory Users
and Computers. There is also a shortcut to this MMC on the desktop of
IKE.

2. Right click on the aia.class domain and select New > Organizational Unit



Figure 1: Create a new Organizational Unit

3. Name the new OU: Member Servers

2.2 Move appropriate computers into new OUs

1. From within the Active Directory Users and Computers OU, click on the
‘Computers’ folder. In the right pane, right click on the computer named
Patton, select ‘Move’ and then select the ‘Member Servers’ OU.
2. Click ‘OK’ to commit the move.



Figure 2: Moving computers into an OU

Note: It is always a good idea to separate systems and users by
roles within the Active Directory structure. Security policies can be
applied with granularity in this manner.

3 Creating Group Policy Objects (GPOs)

3.1 Create GPO for newly created OUs

GPOs are containers within Active Directory that store configuration
information. The new GPO that will be created will store and be used to
centrally apply security templates for computers assigned to the OU.

1. In the left pane, right click on the Member Servers OU and select
Properties.

2. Click the Group Policy tab and then click the New button.

Figure 3: Create New GPO



3. Name your new GPO: ‘member_servers_GPO’, press Enter and then click
‘Close’.

Note: Group Policy Objects created via this method (from within the
Active Directory Users and Computers MMC) are automatically linked to
the parent container. This means that the GPO will be applied to
whatever objects are inside the container (in this case, the OUs) when the
domain policies are refreshed. This is done at periodic scheduled intervals
and upon log in to the domain.

4. Exit the Active Directory Users and Computers MMC.

4 Security Templates

4.1 Open NSA w2k_server security template

Security templates allow administrators to centrally configure and control the
security settings on host systems. The U.S. National Security Agency has
provided pre-configured security templates for various network roles played
by Windows 2000 host systems. These templates (saved as .inf files)
accompany The Guide to Securing Microsoft Windows 2000 Group Policy:
Security Configuration Tool Set and are available for download at:
http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1

1. Click on the Start button and Select ‘Run’. Type MMC and click ‘OK’.

2. From within the Microsoft Management Console, Click ‘Console’ and select
‘Add/Remove Snap-In’. Click the ‘Add’ button and then scroll down and
select the ‘Security Templates Snap-In’ and then click ‘Add’. Click ‘Close’
and then click ‘OK’.

Note: All Windows 2000 systems have pre-defined security templates
built-in and configured by Microsoft. They are stored by default in the
c:\winnt\security\templates folder. In this lab, you will be editing and
applying the NSA’s security templates instead of Microsoft’s.

3. Expand the Security Templates icon by clicking the + sign. Now right
click on Security Templates and then select ‘New Template Search Path’
(see figure 4)

4. Now browse to C:\NSA Templates and click ‘OK’ (see figures 4 and 5)



Figure 4: New Template Search Path

Figure 5: Select NSA Templates location



4.2 Edit NSA w2k_server security template

Now you will edit the w2k_server template so that unnecessary services will
be disabled and the local administrator account will be renamed. You will
also configure log on banner warning messages. Note: In normal production
environments, care should be taken when disabling services and thorough
testing should be conducted prior to implementation.

1. Double click the C:\NSA Templates folder, then double click on the
w2k_server template and in the right pane, double click on ‘System
Services’ folder.

Figure 6: NSA w2k_server template


You will be disabling the following services on the Windows 2000
member servers:

Table 1: Services to be disabled
    Alerter
    Internet Connection Sharing
    NetMeeting Remote Desktop Sharing
    Telnet
    Messenger
    Routing and Remote Access

Note: The above table represents only some of the services that can
be locked down in most production environments. There are other
services that are important to secure, however they are generally
more environment specific. When implementing this configuration in
production, you should review all services and minimize any that are
not appropriate for your environment, but again test thoroughly first.



2. Double click the ‘Alerter’ Service and then click the ‘Define this policy
setting in the template’ checkbox. The Security dialogue box will pop up
where you will change the default access controls for this service.

Note: When configuring system services with security templates, you
must configure the Access Control List for each service. When a service is
explicitly disabled, its ACL should also be secured by changing the default
ACL from Everyone Full Control to grant Administrators and SYSTEM Full
Control and Authenticated Users Read Access.

3. Select the ‘Everyone’ group and then click ‘Remove’. Now click the ‘Add’
button and add the ‘Administrators’, ‘System’, and ‘Authenticated Users’
Groups to the ACL. Ensure that you apply the appropriate permissions to
each group (see note above). Click ‘OK’ twice.

Figure 7: Changing Service ACLs

Figure 8: Editing Startup Mode



4. Repeat this process for all of the services listed in Table 1 above. Your
template should resemble Figure 9 below.

Figure 9: Minimized Services

Now you will configure the security template to rename the local
administrator account for all of the member servers in the OU. This is
done to obfuscate this built-in privileged account and supports the
defense-in-depth goal.

5. Click on the ‘Local Policies’ icon from within the Security Templates MMC
and then double click the ‘Security Options’ icon in the right-hand pane.

6. Click on the ‘Rename Administrator Account Policy’, click the ‘Define this
policy in the template’ check box and type ‘acarnegie’ in the box. Click
‘OK’.



Figure 10: Renaming administrator account with Security Templates

Finally, you are going to add log on banners to all Windows boxes in the AIA
domain. Banners can be set to anything from legal disclaimers, to
appropriate use reminders, to daily greetings. Each time a user attempts to
log on, they will see this message banner.

7. Scroll up to and then double-click on ‘Message text for users attempting
to log on’.

8. When the template policy window opens, check ‘Define this policy setting
in the template’ and in the text field, enter: ‘Warning! This computer is
for official use only!’ and Click ‘OK’.



Figure 11: Defining log on banners

9. Double-click ‘Message title for users attempting to log on’. Check ‘Define
this policy setting in the template’ and in the text field, enter: ‘Log on
Warning!’ and Click ‘OK’.

Figure 12: Defining Log on Warning Message Title

10. Now right click on the ‘w2k_server’ template file and select ‘Save As’.
Type w2k_server_edited in the box and click ‘Save’ and then close the
Security Templates MMC. Click ‘NO’ if you get a ‘Save Console Settings’
message.



11. Now let’s inspect the security template quickly in Notepad. From IKE’s
desktop, double click My Computer and browse to C:\NSA Templates.
Now double click on the w2k_server_edited.inf file to open it in Notepad.

12. Inspect the file and observe the various security settings. You should
be able to find all of the custom changes you made to the template from
within the MMC. Hint: Look under the [Registry Values] header. When
you’ve completed this inspection, close out of Notepad.

Figure 13: .inf file in Notepad
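As an added example (not part of the lab handout or the NSA templates), the following Python script parses a secedit-style .inf template and checks for the changes made in section 4.2: each Table 1 service disabled with Everyone removed from its ACL, the administrator account renamed to acarnegie, and both log on banner values defined. The template text is a constructed sample; the service short names (for example SharedAccess for Internet Connection Sharing, TlntSvr for Telnet) and the placement of NewAdministratorName under [System Access] are assumptions.

```python
# Added example (not from the lab handout): audit an edited NSA-style security
# template (.inf) for the section 4.2 changes. The sample text and the service
# short names are constructed/assumed; section and key names follow secedit.
import re
TABLE1 = ["Alerter", "SharedAccess", "mnmsrvc", "TlntSvr", "Messenger", "RemoteAccess"]
WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
# SDDL: Administrators (BA) and SYSTEM (SY) full control, Authenticated Users (AU) read.
LOCKED = '"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;AU)"'
SAMPLE_INF = f"""[System Access]
NewAdministratorName = "acarnegie"
[System Services]
Alerter,4,{LOCKED}
SharedAccess,4,{LOCKED}
mnmsrvc,4,{LOCKED}
TlntSvr,4,{LOCKED}
Messenger,3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
RemoteAccess,4,{LOCKED}
[Registry Values]
{WINLOGON}\\LegalNoticeCaption=1,"Log on Warning!"
{WINLOGON}\\LegalNoticeText=1,"Warning! This computer is for official use only!"
"""  # Messenger is deliberately left at manual (3) with an Everyone (WD) ACE

def parse_inf(text):  # group the non-blank, non-comment lines by [section]
    sections, cur = {}, []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], [])
        elif not line.startswith(";"):
            cur.append(line)
    return sections

def setting(sections, name, key):  # value of key=value, minus quotes and "1," type tag
    pairs = (raw.partition("=") for raw in sections.get(name, []))
    vals = {k.strip(): v.strip() for k, _, v in pairs}
    return re.sub(r"^\d+,", "", vals[key]).strip('"') if key in vals else None

def audit_template(text):  # empty result means every section 4.2 change is present
    sec, findings = parse_inf(text), []
    services = dict(raw.split(",", 1) for raw in sec.get("System Services", []))
    for svc in TABLE1:
        startup, _, sddl = services.get(svc, ",").partition(",")
        if startup != "4":  # startup: 2=automatic, 3=manual, 4=disabled
            findings.append(f"{svc}: startup {startup or 'undefined'}, expected 4 (disabled)")
        if re.search(r"\(A;[^)]*;WD\)", sddl):  # WD is the Everyone SID in SDDL
            findings.append(f"{svc}: Everyone still holds an allow ACE")
    if setting(sec, "System Access", "NewAdministratorName") != "acarnegie":
        findings.append("Administrator account not renamed to acarnegie")
    for val in ("LegalNoticeCaption", "LegalNoticeText"):
        if not setting(sec, "Registry Values", WINLOGON + "\\" + val):
            findings.append(f"{val} (log on banner) not defined")
    return findings
```

To run it against a real file such as C:\NSA Templates\w2k_server_edited.inf, pass the file contents to audit_template; templates saved by the MMC with Unicode=yes are UTF-16 encoded, so open them with encoding="utf-16".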

5 Importing templates into Group Policy

5.1 Import w2k_server_edited template into Member Server OU GPO

In order to apply the newly edited security template, you will need to import
it into the group policy object for the member servers organizational unit.

1. Open Active Directory Users and Computers from the shortcut on the
desktop of IKE.

2. Expand the aia.class domain by clicking the ‘+’ sign.

3. Right click on the member servers OU and select ‘Properties’.

4. Select the ‘Group Policy’ tab, then select the ‘member_servers_GPO’ GPO
and then click the ‘Edit’ button.

Note: The security template’s policy will be applied to every computer
assigned to the Member Servers OU. It is important to recognize that
individual servers have different requirements for System Services and
other components, therefore you must apply your policies in layers to
account for these differences. This means that local system templates
should be applied in combination with templates from group policy.

5. Under Computer Configuration, select ‘Windows Settings’ and then in the
right pane, right click ‘Security Settings’ and click ‘Import Policy’.

Figure 14: Import Policy into The OU’s Security Settings

6. Now browse to c:\nsa templates\w2k_server_edited (make sure the
‘Clear this database before importing’ checkbox is checked) and click the
‘Open’ button. Then click ‘OK’ twice and exit out of the Active Directory
Users and Computers MMC. Note: If you see a ‘Windows cannot open
Template file’ message, ignore it. The template will be imported once the
MMC is closed.

Figure 15: Select the correct edited NSA

7. Finally, open a Windows command prompt by clicking Start > Run and
typing ‘CMD’ in the box, then click ‘OK’. From the command prompt,
type: ‘Secedit /refreshpolicy machine_policy /enforce’ and then press
Enter.

Figure 16: Refresh Group Policy from Domain Controller

6 Verifying application of policy settings

Note: With Windows 2000, it can take several minutes for the policy
settings to propagate to remote computers. For the sake of brevity, you will
reboot Patton, which lets you quickly verify that the new group policy
security settings have been applied.

6.1 Test to ensure log on banner policy is implemented

1. Close the remote desktop connection to IKE by clicking the X within the
Remote Desktop Window at the top of the screen.

2. From the Desktop of your VTE-Launchpad system, double click the
Remote Desktop Connection icon and then type 10.0.2.7 in the box next
to ‘Computer’.

3. Log in to the remote host using the following credentials:

User name: Administrator
Password: tartans

4. Once you’re logged in, Click Start > Shut Down, select Restart and then
click OK.

5. If necessary, close out of the Remote Desktop session by clicking the X
in the Remote Desktop window at the top of the screen. Wait approximately
2 minutes and then follow steps 1-4 above to re-login to Patton via Remote
Desktop.

6. You should see the following pop-up message, which confirms that the
group policy settings have been applied successfully.

Figure 17: Log on banner confirms application of group policy
