Kerberos Policy — Administrators can use this suite of policies to fine-tune parameters for
Kerberos, the default authentication protocol in a Windows domain. The policies deal
with the length of time Kerberos authentication tickets are active. Shortening the active
time increases security but increases authentication overhead, too. In most cases, the
default values shouldn't be changed.
Security Settings Subnode: Local Policies

Local Policies is so named because all
settings in its subnodes pertain to security options applied to computers and what users can and
can't do on the local computer to which they log on. Because these policies affect computers,
they are usually defined in GPOs linked to OUs containing computer accounts, such as the
Default Domain Controllers Policy. There are three subnodes of Local Policies:
Audit Policy — An administrator can audit events occurring on a computer, including
logon and logoff, file and folder access, Active Directory access, and system and
process events (see Figure 7-16). Auditing can be enabled for successful events, failed
events, or both. For example, you can audit a user's successful access to a file or
attempted accesses that fail or both. Auditing file and folder access should be used
sparingly and for only short periods because of the system overhead it creates. By
default, no audit policies are defined on either default GPO. However, in Windows
Server 2008, certain events, such as logons and directory service access, are audited by
default. Events created by auditing are listed in the Security log, which you can view
with Event Viewer.
Figure 7-16: Policies in the Audit Policy subnode
User Rights Assignment — User rights define the actions that users can take on a computer,
such as shutting down the system, logging on locally, and changing the system time. More
than 40 user rights policies can be assigned (see Figure 7-17). For each policy, you can add
users or groups. The Default Domain Controllers Policy defines a number of User Rights
Assignment policies.
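
The success, failure, or both choice described for the Audit Policy subnode can be checked in a security template in the INF format that `secedit /export` writes, where each `[Event Audit]` value is 0 (no auditing), 1 (success), 2 (failure), or 3 (both). The following is an added example, not part of the original text; the template content is constructed and the function names are this example's own.

```python
import configparser

# The nine policies of the Audit Policy subnode, keyed by the names used in
# the [Event Audit] section of a security template (INF).
AUDIT_KEYS = {
    "AuditSystemEvents": "Audit system events",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditPolicyChange": "Audit policy change",
    "AuditAccountManage": "Audit account management",
    "AuditProcessTracking": "Audit process tracking",
    "AuditDSAccess": "Audit directory service access",
    "AuditAccountLogon": "Audit account logon events",
}
# Bit 0 = audit successes, bit 1 = audit failures.
SETTINGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success and Failure"}

def read_audit_policy(inf_text):
    """Return {policy name: setting}; 'Not defined' when the key is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # INF key names are mixed case; do not lowercase them
    cp.read_string(inf_text)
    section = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    result = {}
    for key, name in AUDIT_KEYS.items():
        raw = section.get(key)
        result[name] = "Not defined" if raw is None else SETTINGS.get(int(raw), f"Unknown ({raw})")
    return result

def missing_failure_audit(policy):
    """Policies that would not record failed attempts in the Security log."""
    return sorted(name for name, setting in policy.items() if "Failure" not in setting)

# Constructed sample template text, not taken from a real domain.
SAMPLE_INF = """\
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 1
AuditObjectAccess = 2
AuditPolicyChange = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for name, setting in read_audit_policy(SAMPLE_INF).items():
        print(f"{name:32} {setting}")
```

Policies reported as "Not defined" are the ones the template leaves unset, which is the state the text describes for the default GPOs.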