Windows 2000 Security Overview

Learn more at

Computer network security is a large topic. You can't configure strong security if you don't have a "top-down" overview of the security features available and how to configure them. Windows 2000 security includes the following security features.

User Accounts
Security Policies
File Encryption

Windows 2000 provides strong security by centralizing security around Active Directory. Active Directory stores user accounts, provides authentication services, and provides centralized security management.

User Accounts

Windows 2000 has two types of user accounts, local and domain. A local user account exists on a single computer and is used to log onto that computer. A local user account gives the user access only to resources on that single computer.

A domain user account exists throughout the domain and lets the user log on to the domain from any computer in the domain. A domain user account gives the user access to resources on the network.

Windows 2000 uses groups to simplify security and access to resources. A group is a collection of users who need the same access rights. Instead of assigning access rights to individual users, access rights are assigned to groups. A User is a member of several groups.

Domain user accounts and domain groups are created and managed through a Windows 2000 server. Domain user accounts and domain groups are created and managed with the Active Directory Users and Computers utility. Local user accounts are created and managed through the Local Users and Groups utility on a Windows 2000 Professional workstation. The Users and Passwords utility found in the Control panel is used to make a local user account from an existing domain account.

When a user logs onto a Windows 2000 system, they provide a user name and a password. Windows 2000 must then authenticate the users account. If the user logs on to their local computer, the authentication is performed by the local security system. If the user logs on to the network, the authentication is performed by the domain security system. After a user logs on, they are associated with an "access token". The access token defines the users group membership and user rights.

Windows 2000 uses the Kerbos authentication protocol. Kerbos is an authentication protocol developed at MIT and maintained by the Internet Engineering Task Force. Kerbos encrypts the user name and password and passes the encrypted user name and password along with the encryption key to any network service the user requests.


Everything on a Windows 2000 network is an object. Files, folders, printers, and applications are all objects. Each type of object has a specific set of permissions to access that object. For example Read, Modify or Write permissions.

Every object on the network has a list of which users and groups are permitted to access the object and what type of access they are granted. This is called an "Access Control List" (ACL). When Windows 2000 is first installed, a group called "Everyone" has permission to do anything. The first thing you should do is remove the Everyone group.

A user has "Full Control" permission of an object they create. This gives them the right to change the permissions of the object. An object can inherit permissions from its parent. For example subfolders can inherit the permissions of their parent folder.

Each time a user attempts to access an object, the users access token is compared against the objects ACL to determine whether access is allowed and what type of access is allowed. It is the job of the system administrator to set permissions that grant users and groups only the permissions required to perform their jobs.

Security Policies

Windows 2000 Security Policies are managed as "group policies". A group policy can exist at the local system, domain, or organizational unit level. Group policies can be created and managed through a Windows 2000 server. There may be many layers of Group Policy settings that apply to an individual user. The effective policy settings for an individual user are determined by the order of application of the group policies.

Examples of security policies are Password Policy, which can be used to set rules requiring users to have strong passwords and to change their passwords after a set number of days. Audit Policy can be used to log access to objects, or to log logon failures to detect attempts to invade the network.

The "Security Configuration and Analysis Tool" can be used to make setting security policy easier. This tool can be used to create, modify, and apply security policy through the use of "security templates". It provides several predefined templates from which the administrator can select.

To access the "Security Configuration and Analysis Tool", you must load the snap-in from within a Microsoft Management Console. This tool can also be used to evaluate the existing security configuration.

File Encryption

File encryption is built into Windows 2000's NTFS file system. NTFS can perform encryption and decryption transparently. When a user saves a file to a folder with encryption turned on, the file is automatically encrypted. When a user opens an encrypted file, it is automatically decrypted. Individual files can be encrypted by simply setting the files compression attribute.

A secret encryption key is stored as part of the file. A public key to decrypt the file is stored in the users Encrypting File System Certificate and in the Encrypting File System Certificate of a system administrator configured as the "recovery agent".

Once a file is encrypted, only the user who encrypted the file, or the recovery agent, can decrypt that file. If the user who encrypted the files leaves the company, access to the information in the encrypted files could lost permanently if a qualified recovery agent was not assigned before the files were encrypted.


The Windows security system relies heavily on certificates for many security features, but the area of most visible use of certificates is secure Web access. When you provide personal information like your credit card number to a Web site, you must be sure that the Web site is who they say they are. The Web site identifies itself by providing a certificate to your browser.

The certificate was authenticated by a Certificate Authority. The Certificate Authority is a third party that requires the Web site to verify its identity and requires the Web server to meet certain security standards before it will authenticate the certificate.

When you use a secure Web site, the certificate is encrypted and transferred by secure sockets layer to your browser. Your browser must be configured to trust the Certificate Authority. Your password is encrypted and transferred by secure sockets layer to the Web site.

This article provided you with a brief overview of the security features available in Windows 2000. Computer network security is a large topic, requiring a book to cover in detail. Each of the security features mentioned in this article will be covered in more detail in future articles.

Learn more at

More Windows Administration Information:
• Disable Cutesy Effects to Speed Up Windows 10
• Restrict Web Browsing With Internet Explorer
• PC Technician Certifications and Professional Organizations
• Retrieving Information from Computers Belonging to an Active Directory OU
• Script to Identify Your Systems HAL
• Configure Windows 10 to Search Windows Only
• Common Issues With Windows Firewall
• Defend Your Business with a Firewall
• Uninstall OneNote from Windows 10
• Environment variables in PowerShell