System Administration with Group Policy in Windows XP – Part I

In Windows XP, there is a quite useful tool called Group Policy (GP). Many long-time Windows users may not be aware of this tool as it is not visible in the Control Panel, Administrative Tools, or System Tools. GP is one of the components of the Microsoft Management Console, and you must be a member of the Administrators group to use this program. If not, you will receive the following error message:

Starting the Program: There are two ways to start the program.

Method 1: Go to the Start menu > Run, then enter the command mmc to launch the Microsoft Management Console. After that, go to the File menu and select Open. In the Open window, click the Browse button and navigate to the System32 folder. You will see many files with the *.msc extension. These files are components created by the Microsoft Management Console. If you pay attention, you will notice some familiar tools such as: Event Viewer (eventvwr.msc), Services (services.msc) (these two tools are located in Administrative Tools)… and many more. For the purposes of this article, you need to select gpedit.msc to open Group Policy.

Method 2: If you frequently work with GP, this method will be quicker. Go to the Start menu > select Run and enter gpedit.msc, then press OK to launch the program. Once the program has started, you will see the interface window as shown below:

The program is organized in a tree structure and is very user-friendly. If you use software like Security Administrator, TuneUp Utilities, etc., you will find that most system configuration options are located within GP. You can fully utilize the GP provided by Windows for system administration without needing to install additional software.

* General Usage: Navigate to the branches, select Not Configured if you do not intend to configure that feature, Enable to activate the feature, and Disable to deactivate it.

* Computer Configuration: Changes in this section will apply to all users on the machine. This branch contains several sub-branches such as:
+ Windows Settings: Here you can configure account usage, account passwords, manage system startup and login…
+ Administrative Templates:
– Windows Components: You will configure installation components in Windows such as: Internet Explorer, NetMeeting…
– System: Configuration regarding the system. It is important to note that before configuring any component, you should research it thoroughly. You can select the component and right-click to choose Help.

Another option is to select Properties instead of Help. When the Properties window appears, switch to the Explain tab for detailed explanations about this component.

By default, the initial state of these components is “Not Configured.” To change the state of a specific component, select the Setting tab in the Properties window, which will offer you three options: Enable (active), Disable (inactive), and Not Configured.

* User Configuration: This helps you configure the account you are currently using. The components are slightly different, but the usage and configuration are similar to those mentioned above.

Part I: Computer Configuration:

Windows Setting:
Here you can fine-tune and apply policies regarding account usage, account passwords, and manage system startup and login…

+ Scripts (Startup/Shutdown):
You can specify for Windows to run a particular script during Windows Startup or Shutdown.

+ Security Settings: Security configurations for the system; these settings apply system-wide rather than to individual users.

Next, we will delve into a detailed exploration of each component.

1. Account Policies: Setting policies for accounts

a> Password Policies: This includes policies related to user account passwords on the machine.
Enforce password history: For users who do not have the habit of remembering multiple passwords, when required to change their password, they might reuse the old password for the new one, creating a significant security loophole. This setting requires that a new password must not match any of a specified number of previous passwords. The range is from 0 to 24 passwords.
Maximum password age: The maximum duration a password remains valid; after this period, the system will prompt a password change. Regularly changing passwords enhances account security, as a malicious actor may monitor your habits to easily discover your password. The value can be set from 1 to 999 days, with the default being 42.
Minimum password age: Determines the minimum time before a password can be changed. After this time, you can change your account password, or you can change it immediately by setting the value to 0. The range is from 0 to 999 days. You need to set the “Minimum password age” to greater than 0 if you want the “Enforce password history” policy to be effective, as users might reset their password multiple times cyclically to reuse old passwords.
Minimum password length: The minimum length required for account passwords (measured in the number of characters entered). The length can range from 1 to 14 characters. Set the value to 0 if you do not use a password. The default value is 0.
Password must meet complexity requirements: Determines the complexity of the password. If this feature is enabled, the password must meet at least the following criteria:
– Must not contain all or part of the user’s account name
– Minimum length of 6 characters
– Must contain at least 3 or 4 of the following character types: lowercase letters (a -> z), uppercase letters (A -> Z), numbers (0 -> 9), and special characters.
Password complexity is considered mandatory when creating or changing a password. Default: Disable.
Store password using reversible encryption for all users in the domain: Stores passwords using reversible encryption for all domain users. This feature supports applications using protocols that require user password comprehension. Storing passwords using reversible encryption is essentially akin to storing encrypted texts for password protection. Default: Disable.

b> Account Lockout Policy:
* Account lockout duration: Specifies the number of minutes a locked account remains inaccessible before it can be unlocked. The value can range from 0 to 99,999 minutes. You can set the value to 0 if you do not want automatic unlocking. By default, this policy is inactive because it only takes effect when the “Account lockout threshold” is set.
* Account lockout threshold: Specifies the number of failed login attempts before the account is locked. In this case, the account will be locked, and unlocking can only be performed by an administrator or after the lockout duration expires. You can set the value for failed login attempts from 1 to 999. If the value is set to 0, the account will not be locked.
* Reset account lockout counter after: Resets the number of failed login attempts to 0 after a specified time period. This setting is only effective when the “Account lockout threshold” is set.

2. Local Policies: Local policies:

User Rights Assignment: Assigns rights to users.
Here, user rights include access rights, data backup permissions, changing system time, etc.

In this section, to configure a specific item, you can double-click on that item and click the Add user or group button to grant rights to the desired user or group.

* Access this computer from the network: For the curious and nosy, why should we allow them to access our computer? With this setting, you can freely add or remove access rights to the machine for any account or group.
* Act as part of the operating system: This policy designates which accounts are permitted to operate as part of the system. By default, the Administrator account has the highest privileges and can change any system settings, being recognized like any user, thus accessing system resources like any user. Only low-level authentication services require this privilege.
* Add workstations to domain: Adds an account or group to the domain. This policy only functions on systems using Domain Controllers. When added to the domain, this account will gain additional privileges to operate on directory services (Active Directory), accessing network resources as a domain member.
* Adjust memory quotas for a process: Designates who is allowed to adjust memory quotas for a processing task. Although this policy can improve system performance, it can be abused for malicious purposes, such as Denial of Service (DoS) attacks.
* Allow logon through Terminal Services: Terminal Services is a service that allows remote login to the computer. This policy will decide who is permitted to use Terminal Services to log into the system.
* Back up files and directories: Similar to the above policies, this grants permission for those who will have backup data rights.
* Change the system time: Allows which users have the right to change the system time.
* Create global objects: Grants rights to those who can create shared objects.
* Force shutdown from a remote system: Allows those who have permission to shut down the machine via remote control.
* Shut down the system: Grants permission to whom can shut down the machine.

And many more policies are waiting for you to explore.

Nguyễn Quang Duy – IITM
Email: [email protected]