Using Windows to set up workstation security

This article looks at some features included in both Windows 2000 and 2003 that I am sure most administrators are aware of, but might often overlook when implementing security on a workstation.

Enforcing password Requirements

All organizations should have a written policy that stipulates guidelines for how users should maintain their user account passwords. With Windows security features you can set up such instances as password lengths and special characters requirements.

Standalone Workstation

Login with Administrator Privileges

Click Start | Programs| Administrative Tools | Local Security Policy

In the Local Security Settings Window expand Account Policies

Then Click Password Policy

In the right pane double-click "Passwords must meet complexity requirements"

Select "enabled" then click OK

Once enabled, you can then set the password features listed.

Workstations On a LAN

To implement this feature you can use Group Policy Object. Follow this Microsoft link for a detailed procedure on how to implement this.

Hiding the administrative tools

You can prevent users from poking around in the administrative tool applets by performing the following:

Run Regedit
Go to HKEY_CURRENT_USER
Select SubKey: SoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced
Select StartMenuAdminTools
Select type: REG_WORD
You can edit the value to 0 so that the administrative tools will not be displayed.

Prevent Users From Mapping Network Drives

Administrators can implement a policy that will prevent users from mapping network drives to unauthorized files/folders share or even prevent them from disconnecting a mapped networked drive. The following shows the registry change that has to be performed:

Run Regedit

Go to HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
Create a valuename: NoNetDrives

Data Type: REG_DWORD with a Value of 1

  0 - Display Drives
  1 - Remove Drives

If you would like to apply this for multiple workstations on a network you can modify the winnt.adm file and apply a system policy. An example of how this can be done is as follows:

Create a backup copy of the winnt.adm file
Using a text editor such as notepad open the winnt.adm file

Type the following:

CLASS USER

CATEGORY "Hide Network Drives"

END CATEGORY

Please note that making any changes to the winnt.adm file will obviously affect your current system policy. If you need further explanation on the use of winnt.adm and the variables used visit the following links before making any modifications:

http://www.ntfaq.com/Articles/Index.cfm?ArticleID=14971
http://www.jsifaq.com/SUBL/tip5900/rh5946.htm (this link also shows how to load the template to system policy editor)

Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association Of Internet Professionals, the Institute For Network Professionals, and the International Webmasters Association. He has also lectured extensively on a variety of topics.