Understanding Security Templates
Security templates consist
of policies and settings that you can use to control a computer’s
security configuration using local policies or group policies. You can
use security templates to configure any of the following types of
policies and parameters:
Account Policies Enables you to specify password restrictions, account lockout policies, and Kerberos policies
Local Policies Enables you to configure audit policies, user rights assignments, and security options policies
Event Log policies Enables you to configure maximum event log sizes and rollover policies
Restricted Groups Enables you to specify the users who are permitted to be members of specific groups
System Services Enables you to specify the startup types and permissions for system services
Registry permissions Enables you to set access control permissions for specific registry keys
File System permissions Enables you to specify access control permissions for NTFS files and folders
You
can deploy security templates in a variety of ways, using Active
Directory directory service Group Policy Objects, the Windows Server
2003 Security Configuration And Analysis snap-in, or the Secedit.exe
command-line utility. When you associate a security template with an
Active Directory object, the settings in the template become part of the
GPO associated with the object. You can also apply a security template
directly to a computer, in which case the settings in the template
become part of the computer’s local policies.
There are
several advantages to storing your security configuration parameters in
security templates. Because the templates are plain text files, you can
work with them manually as with any text file, cutting and pasting
sections as needed. Second, templates make it easy to store security
configurations of various types, so that you can easily apply different
levels of security to computers performing different roles.
Tip
Storing
your security settings in templates also provides an adequate backup of
a computer’s security configuration that you can use to quickly and
easily restore the system to its original configuration. For example,
when working with GPOs, it is easy to forget what changes you have made,
and manually restoring the GPO to its original configuration can be
difficult. If you have a security template containing your original
settings, you can simply apply it to the GPO to return to your default
settings. |
Using the Security Templates Console
To work with
security templates, you use the Security Templates snap-in for Microsoft
Management Console. By default, the Windows Server 2003 Administrative
Tools menu does not include an MMC console containing the Security
Templates snap-in, so you have to create one yourself using the MMC
Add/Remove Snap-in function. When you do this, the console provides an
interface like the one shown in Figure 1.
The
scope pane of the Security Templates snap-in contains a list of all the
template files the program finds in the Windows\Security\Template
folder on the system drive. The snap-in interprets any file in this
folder that has an .inf extension as a security template, even though
the extensions do not appear in the console.
Tip
You
can add security templates in other folders to the console by selecting
New Template Search Path from the Action menu and then browsing to the
folder containing your templates. Please note, however, that not all the
files with .inf extensions on a computer running Windows Server 2003
are security templates. The operating system uses files with .inf
extensions for other purposes as well. |
When you expand one of the templates in the scope pane, you see a hierarchical display of the policies in the template (see Figure 2),
as well as their current settings. You can modify the policies in each
template just as you would using the Group Policy Object Editor console.
Tip
It is important to gain a familiarity with the functions and the interface of the Security Templates snap-in. |
Using the Supplied Security Templates
Windows
Server 2003 includes a selection of predefined security templates that
you can use as is or modify to your needs. These templates provide
different levels of security for servers performing specific roles. The
predefined templates are as follows:
Setup Security.inf
Contains the default security settings created by the Windows Server
2003 Setup program. The settings in the template depend on the nature of
the installation, such as whether it was an upgrade or a clean install.
You can use this template to restore the original security
configuration to a computer that you have modified.
Important
When
you use a security template to restore a computer’s default settings,
remember that the template might overwrite existing permissions modified
by the installation of other applications. After you restore the
default settings, you might have to reinstall your applications or
modify certain file system or registry permissions manually. |
DC Security.inf
A computer running Windows Server 2003 creates this template only when
you promote the computer to a domain controller. The template contains
the default file system and registry permissions for domain controllers,
as well as system service modifications.
Caution
The
“Setup Security.inf” and “DC Security.inf” templates contain a large
number of settings, and in particular a long list of file system
permission assignments. For this reason, you should not apply these
templates to a computer using group policies. Computers running
Microsoft Windows operating systems periodically refresh group policy
settings by accessing the GPOs on the network’s domain controllers, and a
template of this size can generate a great deal of Active Directory
traffic on the network. Instead of using group policies, you should
apply the template using the Security Configuration And Analysis snap-in
or the Secedit.exe utility. |
Compatws.inf
By default, the members of the local Users group on a computer running a
Windows operating system can only run applications that meet
requirements of the Designed for Windows Logo Program for Software. To
run applications that are not compliant with the program, a user must be
a member of the Power Users group. Some administrators want to grant
users the ability to run these applications without giving them all the
privileges of the Power Users group. The Compatws.inf template modifies
the default file system and registry permissions for the Users group,
enabling the members to run most applications, and also removes all
members from the Power Users group.
Caution
The
Compatws.inf template is not intended for domain controllers, so you
should not apply it to the default domain GPO or the Domain Controllers
container’s GPO. |
Securedc.inf
This template contains policy settings that increase the security on a
domain controller to a level that remains compatible with most functions
and applications. The template includes more stringent account
policies, enhanced auditing policies and security options, and increased
restrictions for anonymous users and LanManager systems.
Securews.inf
This template contains policy settings that increase the security on a
workstation or member server to a level that remains compatible with
most functions and applications. The template includes many of the same
account and local policy settings as Securedc.inf, and implements
digitally signed communications and greater anonymous user restrictions.
Hisecdc.inf
This template contains policy settings that provide an even greater
degree of security for domain controllers than the Securedc.inf
template. Applying this template causes the computer to require
digitally-signed communications and encrypted secure channel
communications, instead of just requesting it, as Securedc.inf does.
Hisecws.inf
This template contains policy settings that provide higher security
than Securews.inf on a workstation or member server. In addition to many
of the same settings as Hisecdc.inf, the template remove all members
from the Power Users group and makes the Domain Admins group and the
local Administrator account the only members of the local Administrators
group.
Tip
The
Securedc.inf, Securews.inf, Hisecdc.inf, and Hisecws.inf templates are
all designed to build on the default Windows security settings, and do
not themselves contain those default settings. If you have modified the
security configuration of a computer substantially, you should first
apply the “Setup Security.inf” template (and the “DC Security.inf”
template as well, for domain controllers) before applying one of the
secure or highly secure templates. |
Rootsec.inf
This template contains only the default file system permissions for the
system drive on a computer running Windows Server 2003. You can use
this template to restore the default permissions to a system drive that
you have changed, or to apply the system drive permissions to the
computer’s other drives.
Tip
If
you want to make changes to any of the policies in the pre-defined
templates, it is a good idea to make a backup copy of the template file
first, to preserve its original configuration. You can copy a template
by simply copying and pasting the file in the normal manner using
Microsoft Windows Explorer, or you can use the Security Templates
snap-in by selecting a template and, from the Action menu, choosing Save
As and supplying a new file name. |
Tip
Be
sure to familiarize yourself with the security templates supplied with
Windows Server 2003 and what settings they use to provide different
levels of security. |
