Considerations For Security Shrine Contents

By Author: iris
Total Articles: 286

You can find recommendations for security settings from many sources, including the Windows XP Professional Security Guide and other documentation on the Microsoft Web site. Many of these recommendations can be implemented in Group Policy by creating a security template and then importing it into a GPO. Consider the following audit policies and user rights in your plans to secure client computers:
Consider granting the Deny Log On Through Terminal Services right to the Everyone group. Doing so will prevent any
use of terminal services to manage the client computer. This right is also necessary for the use of Remote Assistance. If your organization's policy is to have help desk employees who use Remote Assistance to manage client systems, create a Windows group and grant that group the Allow Log On Through Terminal Services right. (Do not, in this case, grant the Deny Log On Through Terminal Services right to the Everyone group, as that will also deny access to the Help Desk group.) You might also choose to grant the Allow Log On free IT certification test questions Services right to Administrators.
You might want to have one policy for sensitive systems in which you deny the right to the Everyone group, and another one for less sensitive systems in which the help desk operators are given access. An example of a sensitive group in regard to this setting is laptops. Securing them from remote assistance access can help prevent them from becoming victims to remote attacks while being used outside the organization.
Consider restricting the ability to make changes to system time to Administrators. Windows XP, for example, grants this right only to Administrators
and Power Users. Because users sometimes must be made Power Users to run legacy applications, many users are likely to have this right. Changing the system
time can have an adverse effect on domain logons and other network operations,as the time difference between the client and server must be small for Kerberos to validate access requests. An incorrect time on a client computer will also skew
audit records, which results in the audit record having little value. You might also need to consider, however, that granting this right where necessary is far preferable to granting full administrator privileges.
Restrict the Log On Locally right Consider restricting this right. Users need this right to log on at the console of the client computer. They also need this right to use Terminal Services or access Internet Information Services (IIS) remotely. By restricting this right to Administrators and Users, you prevent Guest logon. By further restricting this right on sensitive security+ certification systems to custom Windows groups, you prevent access by domain users who are not authorized to use the system.