Security Templates: Tasks
To speed the process of configuring security settings, you can create a template containing predefined security settings. WS2003 includes a number of default templates, but you can also create your own security templates using the Security Templates snap-in. Add this snap-in to a new or existing MMC console and do the following:
Right-click the template search path node → New Template → specify a name and description → select and expand the new template in the console tree → double-click on a policy → define this policy setting in the template → specify parameters → repeat for any policies that need to be configured
Once you create a new security template, you can import it into a GPO to apply it to computers in a domain or OU (see the next task) or use it to analyze security on a local computer (see the later task).
You can import into a GPO either one of the default security templates included in WS2003 or a custom template you have created. To do this, open the desired GPO using Active Directory Users and Computers and then:
Computer Configuration → Windows Settings → right-click on Security Settings → Import Policy → select .inf file for template → Open
Several steps are involved. First, you create a security-configuration database and specify a template to be imported into the database:
Security Configuration and Analysis console → right-click Security Configuration and Analysis → Open database → specify a database name to create a new database → Open → select a security template → select "Clear this database" before importing → Open
In the previous steps, if you don't select "Clear this database" before importing, then the settings you import will be merged with the existing security settings instead of overwriting them. If you already have a database, you can open it instead of creating a new one (specifying a new name creates a new database) and then import a template into the database. Next, you need to configure your computer to use the imported template:
Right-click Security Configuration and Analysis → Configure Computer Now
A dialog box will show progress as the settings are applied. Once this is finished, you should analyze your settings as follows:
Right-click Security Configuration and Analysis → Analyze Computer Now
This compares the security configuration of your machine with the information stored in the configuration database file (.sdb file). Once this process is finished, you can either read the log file created by doing this:
Right-click Security Configuration and Analysis → View Log File
or you can view the comparison information by doing this:
Expand the Security Configuration and Analysis container → view analysis results for each setting
A green check mark means a setting is consistent; a red flag means a discrepancy; nothing means the setting is not configured.
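The difference between merging and clearing on import, and the three result states listed above, as an added Python model (not code from the original text or from Windows). The template contents, the `EFFECTIVE` stand-in for the machine's settings, and the rule that the imported template wins a merge conflict are assumptions made for the example.

```python
import configparser

# Constructed samples in security-template (.inf) syntax; EFFECTIVE stands in for the machine.
BASELINE = """
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
"""
CUSTOM = """
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 5
"""
EFFECTIVE = """
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 0
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditSystemEvents = 0
"""

def parse_template(text):
    """Return {(section, setting): value} for the policy sections of a template."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections()
            if s not in ("Unicode", "Version") for k, v in cp[s].items()}

def import_template(db, template, clear):
    """clear=True replaces the database; clear=False merges (assumed: import wins conflicts)."""
    return dict(template) if clear else {**db, **template}

def analyze(db, effective):
    """Classify each setting: consistent, discrepancy, or not configured in the database."""
    return {k: "not configured" if k not in db
            else "consistent" if effective.get(k) == db[k] else "discrepancy"
            for k in sorted(set(db) | set(effective))}

if __name__ == "__main__":
    base, custom, eff = map(parse_template, (BASELINE, CUSTOM, EFFECTIVE))
    for clear in (False, True):
        print("clear" if clear else "merge", analyze(import_template(base, custom, clear), eff))
```

In the merged database the weak `PasswordComplexity` value is flagged as a discrepancy; after a clearing import the same setting is simply not configured, so the analysis no longer reports it.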
You can either create a new template from scratch or copy an existing one, which may be less work if the configuration you desire is close to one of the default configurations included in the template search path, C:\Windows\Security\Templates.
To create a new template from scratch:
Security Templates console → right-click on templates search path container → New Template → specify a name and description → configure settings for new template as desired
To copy an existing template and modify the copy:
Security Templates console → right-click on a template to copy → Save As → specify a name for the copy → Save → configure settings for copied template as desired