Security Templates in Windows Server 2003

Security settings can be configured through predefined security templates, which come in grades of increasing restrictiveness. Each can be customised and saved for reuse, either in the local security policy of a machine or in Group Policy for a domain. This is such a handy and much-used facility that there is an MMC snap-in just for it.



The Security Templates snap-in is used to manage security templates.

This tool lets an existing template be customised if required and saved in the default folder %SystemRoot%\security\templates as an .inf file (a plain text file, stored as Unicode) for deployment later.

The templates have descriptive names. The suffix ws marks templates for workstations and member servers (compatws, securews, hisecws) and dc marks those for domain controllers (securedc, hisecdc); the Windows 2000 basicwk, basicsv and basicdc templates used wk, sv and dc in the same way. This is a useful aide-memoire for the exam.

Compatible Template (compatws)

This exists for compatibility with older applications that do not meet the Windows Logo requirements. It relaxes the default file and registry permissions granted to the Users group so that such applications can run under ordinary user accounts rather than needing Power User rights, and it removes all members from the Power Users group.

Secure Templates (securews, securedc)

Amongst other things, these tighten the Account Policies (password and lockout) and the Security Options under Local Policies, and they restrict LAN Manager authentication: clients send only NTLMv2 responses and servers refuse LAN Manager responses. Windows NT 4.0 machines must have Service Pack 4 installed to support NTLMv2, and therefore to communicate with a machine configured from these templates.

Highly Secure Templates (hisecws, hisecdc)

These build on the secure templates by requiring SMB packet signing and signing and encryption of secure-channel traffic, so a machine configured from them communicates only with Windows 2000 and later machines. The workstation template also restricts the membership of the Power Users group (emptying it) and of the local Administrators group.

Setup security

Setup security.inf holds the default settings applied during setup, including the default file and registry permissions, and can be used to restore a machine to its original settings. It is large, so it should not be deployed through Group Policy; apply it locally, and where only part of it is needed use secedit to apply that part.

rootsec

Rootsec.inf defines the permissions that Windows Server 2003 applies to the root of the system drive. It can be used to reapply those root permissions if they have been changed accidentally, or to apply the same root permissions to another volume. Note that it only propagates the permissions that child objects inherit; it does not overwrite explicit permissions set on subfolders and files.

iesacls

Iesacls.inf sets permissions on the registry keys used by Internet Explorer.

While it is perfectly possible to edit the .inf files in the templates folder using Notepad, a safer alternative is to work inside the snap-in, which cannot produce a malformed file.

Highlight an existing template and save it under a different name. (Right-click and select Save As)

Settings can then be viewed and altered just as if you are editing the local security policy.

Because a template is a single file, it can easily be copied to other machines and applied there. Templates are also a convenient way of backing up security settings: export the current settings to a template before making changes, and the original state can be reapplied later.
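The Save As approach above, done from PowerShell, as an added example written for this page rather than taken from the lesson. The first part copies a stock template under a new name, which is what Save As does; the second writes a small custom template in the .inf template format and checks it with secedit /validate before it is used anywhere. The names custom-ws.inf and securews-custom.inf and the policy values are assumptions for illustration.

```powershell
# Added example: create a customised security template without editing a
# stock .inf in Notepad. Names and values below are illustrative assumptions.

$TemplateDir = Join-Path $env:SystemRoot 'security\templates'

# Equivalent of the snap-in's "Save As": copy securews.inf under a new name
# and customise the copy, leaving the stock template untouched.
Copy-Item -Path (Join-Path $TemplateDir 'securews.inf') `
          -Destination (Join-Path $TemplateDir 'securews-custom.inf')

# Alternatively, write a small template from scratch. Template .inf format:
#   [System Access]    password and lockout policy
#   [Event Audit]      audit policy (0 none, 1 success, 2 failure, 3 both)
#   [Registry Values]  key=type,data   (4 = REG_DWORD, 1 = REG_SZ)
# The single-quoted here-string keeps $CHICAGO$ literal.
$Template = Join-Path $TemplateDir 'custom-ws.inf'
$Body = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 60
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
'@

# Templates in this folder are stored as Unicode, so write it the same way.
Set-Content -Path $Template -Value $Body -Encoding Unicode

# Check the syntax before the template goes near a GPO or an analysis database.
# Details of any problem are written to %SystemRoot%\security\logs\scesrv.log.
secedit /validate $Template
if ($LASTEXITCODE -ne 0) {
    throw "Template failed validation: $Template"
}
Write-Host "Validated $Template"
```

Once validated, the new file appears in the Security Templates snap-in alongside the stock templates and can be imported into Group Policy or into a Security Configuration and Analysis database like any other.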

Security Configuration & Analysis

Analysis is done by comparing the current system security settings against a security template imported into a local security database (an .sdb file). The template supplies the preferred or recommended settings (the base configuration). Each value found on the system is compared with the base configuration: if it matches, it is assumed to be correct; if not, the attribute in question is flagged for investigation.

To perform analysis and configuration using a security template the Security Configuration and Analysis MMC snap-in is used.

The first time the Security Configuration and Analysis snap-in is added to a console and opened, no database has been defined; the snap-in's own instructions about how to proceed are quite clear, however.

Right-click Security Configuration and Analysis, select Open Database, type a name for a new database (no existing database is available yet) and click Open.

You are then asked for the template to compare against. Select one and click Open; its settings are imported into the new database as the base configuration.

The security settings may now be applied (Configure) or examined (Analyze). It is recommended that an analysis is done first.

Right-click Security Configuration and Analysis and select Analyze Computer Now.

The results of the analysis are written to a log file. Windows suggests a location for this log, but another location can be chosen.

A progress display then shows each area (user rights, group membership, registry keys, file security, services and security policy) being compared with the base configuration in the database.

When the analysis finishes nothing obvious seems to happen, but the results are now held in the tree under Security Configuration and Analysis. To see them as text, right-click Security Configuration and Analysis and select View Log File.

The log lists every setting that was analysed, with mismatches flagged; scroll the right-hand pane looking for the flagged items.

The same results can be browsed graphically through the policy folders, where each setting shows the database value beside the current computer value. A red cross marks a setting that does not match the template, a green tick one that matches, a question mark a setting that is not defined in the database and so was not analysed, and an exclamation mark a setting that is defined in the database but does not exist on the computer.

If the differences are the ones you want to enforce, apply the template to the machine by right-clicking Security Configuration and Analysis

and selecting Configure Computer Now.

All settings in the database are now applied to the computer. N.B. The tree still shows the results of the earlier analysis; you will need to run Analyze Computer Now again to see the updated comparison. Configure Computer Now applies everything in the database, not a selection, and the snap-in has no undo, so analyse first and export the current settings to a template before configuring.

Using the Command Line

As well as the easy-to-use MMC tools, Windows ships with the secedit utility, which can analyse a machine and apply templates from the command line. Secedit is the more powerful option: its /areas switch applies specific parts of a template (SECURITYPOLICY, USER_RIGHTS, GROUP_MGMT, REGKEYS, FILESTORE, SERVICES) rather than the whole template, and /generaterollback captures the current settings as a template so that a configuration can be reversed.

For the full syntax run secedit /? from a command prompt.
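The analyse-then-configure cycle of the previous section, and the command-line route described here, as an added example written for this page rather than taken from the lesson: a PowerShell script runs secedit /analyze against the stock securews.inf, pulls the Mismatch and Not Configured lines out of the analysis log (the same items the snap-in marks with a red cross), captures a rollback template, and then applies only the SECURITYPOLICY area. The C:\SecAudit working folder and the template choice are assumptions, and the sample log lines are constructed to show the log format so the parser can be tried offline.

```powershell
# Added example: secedit analyse / parse / configure cycle. Paths and the
# template choice are assumptions; the sample log below is constructed.

$Work     = 'C:\SecAudit'
$Template = Join-Path $env:SystemRoot 'security\templates\securews.inf'
$Db       = Join-Path $Work 'baseline.sdb'
$Log      = Join-Path $Work 'analysis.log'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Get-SeceditMismatch {
    # Parse a secedit analysis log. Each area starts with a line such as
    # "----Analyze Security Policy..." followed by one line per setting:
    #   "Analyze X."          setting matches the database
    #   "Mismatch - X."       setting differs (red cross in the snap-in)
    #   "Not Configured - X." setting is not defined on the computer
    param([string[]]$LogLines)
    $area = ''
    foreach ($line in $LogLines) {
        if ($line -match '^----Analyze\s+(.+?)\.{3}') { $area = $Matches[1]; continue }
        if ($line -match '^\s*(Mismatch|Not Configured)\s*-\s*(.+?)\.?\s*$') {
            [pscustomobject]@{ Area = $area; Status = $Matches[1]; Setting = $Matches[2] }
        }
    }
}

# Constructed sample in the log's format, so the parser can be exercised
# without running secedit. Expected: three objects, two of them Mismatch.
$SampleLog = @(
    '----Analyze User Rights...',
    '    Analyze SeNetworkLogonRight.',
    '    Mismatch - SeBackupPrivilege.',
    '----Analyze Security Policy...',
    '    Mismatch - MinimumPasswordLength.',
    '    Not Configured - MaximumPasswordAge.',
    '    Analyze LockoutBadCount.'
)
Get-SeceditMismatch -LogLines $SampleLog | Format-Table -AutoSize

# 1. Analyse: import the template into a fresh database and compare the live
#    settings against it (the command-line "Analyze Computer Now").
Remove-Item -Path $Db -ErrorAction SilentlyContinue   # start from a clean database
secedit /analyze /db $Db /cfg $Template /log $Log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed; see $Log" }
$Findings = Get-SeceditMismatch -LogLines (Get-Content -Path $Log)
$Findings | Sort-Object Area, Status, Setting | Format-Table -AutoSize

# 2. Before changing anything, capture a rollback template reflecting the
#    current settings (something the snap-in cannot do). The /db argument is
#    required on later Windows builds; confirm the exact syntax with secedit /?.
$Rollback = Join-Path $Work 'rollback.inf'
secedit /generaterollback /db (Join-Path $Work 'rollback.sdb') /cfg $Template `
        /rbk $Rollback /log (Join-Path $Work 'rollback.log') /quiet
if ($LASTEXITCODE -ne 0) { throw 'secedit /generaterollback failed' }

# 3. Configure only the account, audit, event-log and security-option policies
#    (SECURITYPOLICY), leaving file, registry, service and group settings alone.
#    This partial application is what the snap-in's Configure Computer Now lacks.
secedit /configure /db $Db /cfg $Template /areas SECURITYPOLICY `
        /log (Join-Path $Work 'configure.log') /quiet
if ($LASTEXITCODE -ne 0) { throw 'secedit /configure failed' }

# 4. Re-analyse to confirm: the SECURITYPOLICY area should now report no
#    mismatches, while other areas are unchanged.
secedit /analyze /db $Db /cfg $Template /log $Log /quiet
Get-SeceditMismatch -LogLines (Get-Content -Path $Log) |
    Where-Object { $_.Area -eq 'Security Policy' } | Format-Table -AutoSize
```

To undo the change, apply the rollback template with secedit /configure /db rollback.sdb /cfg rollback.inf. Running the script from an elevated prompt is required, since both analysis and configuration read and write protected settings.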