Tech Tip: Configure security options via group policy/Manage Dynamic DNS server settings

Learn how you can configure a handful of group policy settings to better secure your network, and find out some configuration steps you can take on the server side to implement DDNS.

Configure security options via group policy

In a standard Windows 2000 Professional configuration, users see a Logon dialog box that prompts for their username and password. In the case of a domain member, this dialog box also includes a drop-down list that allows users to choose between the domain and local computer.

If you want to control what users see in the dialog box as well as fine-tune logon and shutdown security for the computer, you can configure a handful of group policy settings. These policies reside in the Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options branch of the local security policy. You can access and set these policies via the Local Security Policy console in the Administrative Tools folder, or you can set them through group policy.

For example, if you want to display a message informing users of company security policies, you can use the Message Text For Users Attempting To Log On policy. To enter text that appears in the title bar of the dialog box, you can use the Message Title For Users Attempting To Log On policy.

Another policy you should review is the Disable CTRL+ALT+DEL Requirement For Logon policy. When set to Disabled (the default), this policy causes Windows 2000 to require the user to press [Ctrl][Alt][Delete] to open the Logon dialog box. Requiring this keystroke combination improves security because Windows itself handles the sequence, which makes it harder for a program to present a fake logon dialog.

You can also improve security by not showing previous logon names in the Logon dialog box. Use the Do Not Display Last User Name In Logon Screen policy.
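To check these four policies across many machines, you can audit an exported security template instead of opening each console. The following Python sketch is an added example, not part of the original tip. It assumes the settings were exported to an INF file (for example with secedit /export) and that the policies map to the DisableCAD, DontDisplayLastUserName, LegalNoticeCaption and LegalNoticeText values under Policies\System; the sample export is constructed.

```python
# Assumed mapping from the four policies named above to the registry values
# they set, as listed in a security template's [Registry Values] section.
BASE = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
CHECKS = {
    "DisableCAD": ("Disable CTRL+ALT+DEL Requirement For Logon", lambda v: v == "0"),
    "DontDisplayLastUserName": ("Do Not Display Last User Name In Logon Screen", lambda v: v == "1"),
    "LegalNoticeCaption": ("Message Title For Users Attempting To Log On", lambda v: bool(v)),
    "LegalNoticeText": ("Message Text For Users Attempting To Log On", lambda v: bool(v)),
}

def parse_registry_values(inf_text):
    """Return {lower-cased registry path: data string} from [Registry Values]."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "registry values" and "=" in line:
            path, _, rhs = line.partition("=")
            # rhs is "<type>,<data>"; type 4 is REG_DWORD, type 1 is REG_SZ
            _type, _, data = rhs.partition(",")
            values[path.strip().lower()] = data.strip().strip('"')
    return values

def audit(inf_text):
    """Return the names of policies that are not defined or weakly set."""
    values = parse_registry_values(inf_text)
    findings = []
    for name, (policy, ok) in CHECKS.items():
        data = values.get((BASE + "\\" + name).lower())
        if data is None or not ok(data):
            findings.append(policy)
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r"""
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Notice"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,""
"""

if __name__ == "__main__":
    for policy in audit(SAMPLE):
        print("REVIEW:", policy)
```

A policy that is missing from the export is reported as well, because a setting that is not defined in the template is not being enforced by it.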

Manage Dynamic DNS server settings

Windows 2000 supports Dynamic DNS (DDNS), which enables the automatic addition of host and pointer records to clients' DNS domains and updates those records as the clients' IP addresses change.

DHCP clients support DDNS and can directly request that a DNS server (Windows 2000 or later) update their host records when the client IP address or host name changes. A DHCP server (Windows 2000 or later) can also submit requests to update both the client's host and pointer records.

A Windows 2000 DHCP server can also serve as a proxy for DHCP clients that don't support DDNS. For example, a Windows 2000 DHCP server can request updates for Windows 9x and Windows NT clients that are unable to submit DDNS requests on their own.

There are a couple of configuration steps you can take on the server side to implement DDNS. You can enable dynamic updates on a zone-by-zone basis. The types of updates allowed depend on whether the zone resides in Active Directory.

AD-integrated zones offer the option of allowing only secured updates, which use the ACL of the zone to determine who can perform an update. Standard zones (those not stored in AD), however, can be configured only for unsecured updates or no updates at all.

To configure DDNS behavior for a zone, right-click the zone in the DNS console, and choose Properties. Specify the update option using the Allow Dynamic Updates drop-down list on the General tab.

  • Choose No to prevent DHCP clients or servers from updating resource records in the zone.
  • Choose Yes to allow DHCP clients and servers, including those outside of the domain, to perform unsecured updates to the zone's resource records.
  • Choose Only Secure Updates to restrict the ability to submit updates to only the groups you specify.
