Within each local computer
policy and within a GPO Computer Configuration node, there is a section
named Security Settings, as shown in Figure 1. This section includes settings for computer audit policies,
account management settings, and user rights assignments. This section
of the policy is unique because it can be imported and exported
individually. In previous versions of Windows, several security
templates were provided out of the box to give administrators the
ability to quickly load a set of best-practice security configuration
settings. These templates included basic workstation and server
templates along with high security, compatible security, and domain
controller security templates.
To manage and apply a
standard set of security configurations to workgroup or standalone
systems, administrators can leverage the management functions of
security templates. Either using the Group Policy Object Editor, the
Local Security Policy editor, or the Security Configuration and Analysis
MMC snap-in, administrators can import a base template, configure or
adjust settings to meet the desired security settings, and export and save the settings to a custom template file. This
custom template file could then be imported or applied to all the
desired systems using the tools referenced previously.
Security templates exist
for Windows Vista, Windows 7, Windows Server 2008, and Windows Server
2008 R2. These base security templates are located in the
%systemroot%\inf folder or on a default install, c:\windows\inf. The default security templates all start with the
name deflt and end with an .inf extension. For example, on Windows Server 2008
R2, the templates that exist are named defltbase.inf, defltsv.inf,
and defltdc.inf. These files can be
used to configure a system’s security settings to a standard set of
security configurations.
Caution
Importing security
templates to servers or workstations already deployed can cause several
issues, including losing the ability to log on or access the system from
the network. Please make sure to test any changes to security settings
when working with the import and application of security templates.
