User Manager Policies

User Manager for Domains

1. User Rights
2. Account
3. Auditing

User Rights Policies

User Manager for Domains

User Manager for Domains > Policies > User Rights ...


Default User Rights from an NT Server

| User Right | Description | Default Groups |
|---|---|---|
| Access this computer from workstation | Allows remote access to shared resources on this network | Administrators |
| Backup files and directories | Allows backups | Administrators, Backup Operators, Server Operators |
| Change system time | Allows clock changing | Administrators, Server Operators |
| Force shutdown from remote system | Allows remote system shutdown | Administrators, Server Operators |
| Load and unload device drivers | Allows drivers to be changed | Administrators |
| Log on locally | Allows the workstation to be used locally | Administrators, Account Operators, Backup Operators, Print Operators, Server Operators |
| Manage and audit Security log | Allows security policy changes | Administrators |
| Restore files and directories | Allows restoration | Administrators, Server Operators, Backup Operators |
| Shut down the system | Allows system shutdown | Administrators, Server Operators, Account Operators, Backup Operators, Print Operators |
| Take ownership of files or other objects | Allows users to gain authority over system objects | Administrators, Backup Operators |
| Add Workstations to the Domain | | Administrators |

 

Account Policies

User Manager for Domains

User Manager for Domains > Policies > Account Policies ...

"... governs passwords for user accounts and the lockout feature. Settings made to the account policy will apply to all users on the Workstation. Users who are currently logged in will not be affected by the new settings until they log out and then log on again. These settings must be managed carefully to maximize security while minimizing the burden placed on users."


Note: If any conflicts occur between the Account Policy for a Workstation and a user's Individual Account Policy, the user's Individual Account Policy settings will be used.

| Policy | Action | Settings | Default |
|---|---|---|---|
| Maximum password age | When password change is required | 1 to 999 days, or never | 42 days |
| Minimum password age | When password change is prevented | 1 to 999 days, or immediately | Immediately |
| Minimum password length | Minimum length | 1 to 14, or blank password | Permit blank |
| Password uniqueness | Forces password uniqueness | 1 to 24 history list, or none | No history |
| Account lockout | Enables account lockout after failed logons | Selected or not | No lockout |
| Lockout after | Number of attempts before lockout | 1 to 999 | Blank |
| Reset count after | Time until automatic reset of counter | 1 to 99,999 minutes | Blank |
| Lockout Duration | Length of lockout | 1 to 99,999 minutes, or forever | Blank |
| Users must log on in order to change password | Requires users to log on to change password | Selected or not | Not Selected |
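
The three lockout rows (Lockout after, Reset count after, Lockout Duration) only make sense together, so here is an added example, not part of the original page and not NT's own code, that replays a constructed series of logon attempts against one policy. The names `LockoutPolicy`, `replay` and `SAMPLE` are hypothetical, and the counter behaviour (cleared by a good logon, or once the reset interval has passed since the last bad attempt) is an assumed, simplified model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:  # hypothetical name; fields mirror the three lockout rows
    lockout_after: int           # "Lockout after": bad attempts, 1 to 999
    reset_after: int             # "Reset count after": minutes, 1 to 99,999
    duration: Optional[int]      # "Lockout Duration": minutes, None = forever

    def __post_init__(self):
        if not 1 <= self.lockout_after <= 999:
            raise ValueError("Lockout after must be 1 to 999 attempts")
        if not 1 <= self.reset_after <= 99999:
            raise ValueError("Reset count after must be 1 to 99,999 minutes")
        if self.duration is not None and not 1 <= self.duration <= 99999:
            raise ValueError("Lockout Duration must be 1 to 99,999 minutes or None")

def replay(policy, events):
    """Replay (minute, password_ok) logon attempts in time order.
    Assumed model: the counter clears after a good logon or once reset_after
    minutes have passed since the last bad attempt."""
    count, last_bad, locked_at, out = 0, None, None, []
    for minute, ok in events:
        if locked_at is not None:
            expired = (policy.duration is not None
                       and minute - locked_at >= policy.duration)
            if not expired:
                out.append((minute, "refused"))   # still locked out
                continue
            locked_at, count = None, 0            # lockout has run its course
        if ok:
            count = 0
            out.append((minute, "success"))
            continue
        if last_bad is not None and minute - last_bad >= policy.reset_after:
            count = 0                             # counter reset interval elapsed
        count += 1
        last_bad = minute
        if count >= policy.lockout_after:
            locked_at = minute
            out.append((minute, "lockout"))
        else:
            out.append((minute, "failure"))
    return out

# Constructed sample: minutes since start, True = correct password.
SAMPLE = [(0, False), (5, False), (40, False), (41, False), (42, False),
          (50, True), (102, True)]

if __name__ == "__main__":
    for minute, outcome in replay(LockoutPolicy(3, 30, 60), SAMPLE):
        print(f"t+{minute:>3} min  {outcome}")
```

With 3 attempts, a 30-minute reset and a 60-minute duration, the bad attempt at minute 40 starts a fresh count, the correct password at minute 50 is refused because the account is locked, and the logon at minute 102 succeeds once the duration has passed.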

 

Auditing


Auditing is not possible on Windows NT until the "master switch" is turned on. This switch turns on NT's entire auditing system. To enable the Windows NT auditing system: User Manager for Domains > Policies > Audit > Audit These Events ...


For Success and Failure

Auditing information is found in Event Viewer > Security database.

If you try to audit File and Object Access through Windows Explorer without turning on the "master switch," you will receive the following error message:

[Screenshot: error message dialog (auditno.gif)]

To audit File and Object Access, such as files, directories, and printers: right-click the object in Windows Explorer > Properties > Security tab (only available on NTFS, NOT AVAILABLE FOR FAT) > Auditing button


Options

Note: Do not audit unless absolutely necessary!!! Auditing adds large amounts of overhead, especially if the monitored event occurs often.