Testing with Security Templates
Windows 2000 and later ship with security templates that define recommended lockdown computer configurations, which are more secure than the default settings. Many corporate clients deploy these policies to reduce the cost of maintaining client computers by preventing users from configuring too much of the system. Inexperienced users tinkering with their computers often leads to costly support problems.
There is a downside to these templates: some applications fail to operate correctly when the security settings are anything but the defaults. Because so many clients are deploying these policies, as a tester you need to verify that your application works, or not, when the policies are used.
The templates included with Windows 2000 and later include those in Table 14-3.
Name | Comments |
compatws | This template applies default permissions to the Users group so that legacy applications are more likely to run. It assumes you've done a clean install of the operating system and the registry ACLs to an NTFS partition. The template relaxes ACLs for members of the Users group and empties the Power Users group. |
hisecdc | This template assumes you've done a clean install of the operating system and the registry ACLs to an NTFS partition. The template includes securedc settings (see below) with Windows 2000-only enhancements. It empties the Power Users group. |
hisecws | This template offers increased security settings over those of the securews template. It restricts Power User and Terminal Server user ACLs and empties the Power Users group. |
rootsec | This template applies secure ACLs from the root of the boot partition down. |
securedc | This template assumes you've done a clean install of the operating system and then sets appropriate registry and NTFS ACLs. |
securews | This template assumes you've done a clean install of the operating system and then sets appropriate registry and NTFS ACLs. It also empties the Power Users group. |
setup security | This template contains out-of-the-box default security settings. |
At the very least you should configure one or more test computers to use the securews template if your code is client code and the securedc template for server code. You can deploy policy on a local test computer by using the following at the command line:
secedit /configure /cfg securews.inf /db securews.sdb /overwrite
Once a template is applied, run the application through the battery of functional tests to check whether the application fails. If it does, refer to "How to Determine Why Applications Fail" in Chapter 5, "Running with Least Privilege," file a bug, and get the feature fixed.
If you deploy the hisecdc or hisecws template on a computer, the computer can communicate only with other machines that have also had the relevant hisecdc or hisecws template applied. The hisecdc and hisecws templates require Server Message Block (SMB) packet signing. If a computer does not support SMB signing, all SMB traffic is disallowed.
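Before applying a template to a test computer, a tester can check whether it will impose the SMB signing requirement described above. The following is an added example, not code from the original text: it parses the [Registry Values] section of a security template and reports which sides of SMB are forced to sign. The sample template lines are constructed for illustration and are not the contents of the shipped templates; the example assumes the template text has already been read and decoded into a string.

```python
# Added example: report whether a security template (.inf) requires SMB signing.
import re

# Registry values that make SMB packet signing mandatory (compared lowercased).
SMB_KEYS = {
    r"machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature":
        "server requires signing",
    r"machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature":
        "client requires signing",
}

def parse_registry_values(inf_text):
    """Return {lowercased registry path: (type, value)} from [Registry Values]."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, _, data = line.partition("=")       # path=type,value
        reg_type, _, value = data.partition(",")
        values[path.strip().lower()] = (reg_type.strip(), value.strip().strip('"'))
    return values

def smb_signing_requirements(inf_text):
    """List the SMB roles the template forces to sign (REG_DWORD, type 4, value 1)."""
    values = parse_registry_values(inf_text)
    return [label for key, label in SMB_KEYS.items()
            if values.get(key) == ("4", "1")]

# Constructed samples, NOT copies of hisecws.inf or securews.inf.
SAMPLE_STRICT = r"""
[Registry Values]
; constructed lines for illustration
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
"""
SAMPLE_RELAXED = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""

if __name__ == "__main__":
    print("strict :", smb_signing_requirements(SAMPLE_STRICT))
    print("relaxed:", smb_signing_requirements(SAMPLE_RELAXED))
```

A non-empty result means test peers that cannot sign SMB traffic will lose file-sharing connectivity to the machine once the template is applied, so plan the test lab accordingly.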