This tool gives you access to advanced security settings. It contains a collection of security rules called policies.
A policy either restricts or allows some setting in your system. As this tool provides very advanced access to your system, it should be used carefully, or else you may end up with a vulnerable system.
Local Security Policy is not restricted to a single computer; its policies can also apply to the network domain.
How to Launch It
Control Panel Way
- Open the “Administrative Tools” applet from the traditional Control Panel.
- Launch “Local Security Policy” from the list of administrative tools.
- Invoke the Run window or the Search Charm. Select the Settings tab in the case of the Search Charm.
- Type in the command “secpol.msc” and hit Enter.
The user interface is divided into 3 panes.
- The leftmost tree pane lists everything that the Local Security Policy has to offer, in a tree structure.
- The middle pane describes the selected item in the tree pane.
- The rightmost Actions pane acts as a context menu, listing all the options related to the currently selected item. This pane may be hidden. You can unhide it through the toolbar option “Show/Hide Action Pane”.
As the tree pane displays, the policies are classified into several categories, depending on the scope of their application. Selecting any policy folder in the tree pane lists all its policies in the description pane.
The Local Security Policy tool is an enormous beast. You may be overwhelmed by the sheer number of settings it provides to control your computer and network domain. I will list some of the interesting policies.
- You can strengthen account passwords by enforcing policies like password age, minimum password length, password history so that an old password can’t be reused, etc.
- You can specify the number of attempts after which a user account will be locked. Also, you can set the time for which the account will remain locked.
- You can ask Windows to audit system activities like logon events, privilege usage, system events, etc.
- For several system activities, you can specify which users and/or groups have the permission to perform them. Such activities include shutting down the computer, changing the time zone, remote shutdown, etc.
- You can do some interesting tweaks like renaming the administrator account, renaming the guest account, disabling the display of the last user name, disabling shutdown without a logged-in account, forcing logoff after logon hours expire, etc.
- You can create or modify incoming and outgoing rules of Windows Firewall.
More than half of the policies are not configured by default. You can enforce a policy by setting or customizing its properties. Double-click on a policy to reveal its properties.
Generally, there are two tabs in the properties window.
- Local Security Setting – This tab is where you configure the policy settings.
- Explain – This tab provides a brief description of what the policy does, and any possible side effects of enforcing or misconfiguring the policy.
Suppose that I have set up a web server on my machine. Naturally, I want to fortify it by applying security settings.
One of the settings that I apply forces user account passwords to expire after a certain number of days. So, I go to Account Policies → Password Policy → Maximum password age.
Windows will ask a user for a new account password after the number of days specified in this policy has passed.
Now, since the machine is a server, I can’t afford to have a user shut it down whenever he feels like it. So, I want to restrict the shutdown permission to only myself. For that, I go to Local Policies → User Rights Assignment → Shut down the system.
I just have to remove all the users and groups but myself from the list.
Now, only my user account can shut down the computer.
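To confirm that the two settings from this walkthrough actually took effect, the policy can be exported with `secedit` and checked from an elevated PowerShell prompt. This is an added example, not part of the original article; the 90-day limit, the allowed SID list, and the temporary file name are assumptions to adjust for your own server.

```powershell
# Added example: audits the two settings from the walkthrough. Run elevated.
$MaxAgeLimit = 90                 # assumption: longest acceptable password age, in days
$AllowedSids = @('S-1-5-32-544')  # assumption: only BUILTIN\Administrators may shut down

# Export the effective local policy to a temporary INF file (path is an assumption).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

# Parse the export into a section -> key -> value table.
$policy = @{}; $section = $null
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]\s*$') {
        $section = $Matches[1]; $policy[$section] = @{}
    } elseif ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
        $policy[$section][$Matches[1]] = $Matches[2].Trim()
    }
}
Remove-Item -Path $cfg

# Check 1: Maximum password age. A value below 1 is treated as "never expires".
$access = $policy['System Access']
$maxAge = if ($access -and $access['MaximumPasswordAge']) { [int]$access['MaximumPasswordAge'] } else { 0 }
if ($maxAge -lt 1 -or $maxAge -gt $MaxAgeLimit) {
    Write-Warning "Maximum password age is $maxAge; expected 1 to $MaxAgeLimit days."
}

# Check 2: holders of "Shut down the system" (SeShutdownPrivilege).
$rights = $policy['Privilege Rights']
$raw = if ($rights) { $rights['SeShutdownPrivilege'] }
$holders = if ($raw) { $raw -split ',' | ForEach-Object { $_.Trim() } } else { @() }
foreach ($h in $holders) {
    # Entries are SIDs prefixed with '*', or plain account names.
    $sid = if ($h.StartsWith('*')) {
        New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
    } else {
        (New-Object System.Security.Principal.NTAccount($h)).Translate([System.Security.Principal.SecurityIdentifier])
    }
    $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
    if ($AllowedSids -notcontains $sid.Value) {
        Write-Warning "Unexpected shutdown right: $name ($($sid.Value))"
    }
}
```

No warnings means both settings match the assumed baseline. To mirror the article's setup exactly, replace the entry in `$AllowedSids` with the SID of your own account.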