Securing Workstations with Templates

Domain Controller .inf Template Files

These .inf settings apply to Windows 2003 Domain Controllers.

securedc Increases the security required in the Password policy and Account Policy, bumps up the amount of auditing that occurs on the Domain Controller, and increases some Event Log settings, such as the size . This template doesn't modify any file or Registry ACLs (Access Control Lists).

hisecdc Chokes off all communications with downlevel machines by turning off NTLM communication. Only those machines that use NTLM v2 or Kerberos will be able to communicate with any machines to which this template is applied.

XP Professional .inf Template Files

These settings apply to Windows XP Professional machines.

compatws Applications must pass certification guidelines to be considered "Windows Logo"compliant. Sometimes, an older application does not follow the new rules once it's up and running. Use this template to allow some older applications (such as Office 97), which are not Windows Logo certified, to run properly when mere mortals in the Users group run them.

This template elevates the permissions of the Users group by modifying common Registry keys, files, and folders. Often, administrators will give in and grant users who complain about incompatible applications admission into the Power Users group. Applying this template should satisfy their needs without putting them in the Power Users group. Because of this, this template removes all users and groups from the Power Users group.

You can see this behavior for yourself. As an administrator, load Word 97 with the Office 97 spelling check feature onto an NTFS volume on a Windows 2000 or Windows XP machine. Then, log back on as a regular user and, using that Word 97 installation, try to run the spelling utility. As a regular user , you cannot because certain files must be read/ writeable to the installation point of Office 97 (usually under Program Files). Apply this template, and your woes disappear. The compatws.inf template modifies NTFS permissions on the Program Files folder so that mere mortals can modify the settings.

securews These settings increase the security required in the Password policy and the Account Policy, bump up the amount of auditing that occurs on the workstation, and increase some Event Log settings such as the size. This template doesn't modify any file or Registry ACLs.

hisecws This template turns off NTLM communication and allows only communication with other machines that are running NTLM v2 or Kerberos. NTLM v2 is available on Windows 2000, Windows 2003, and Windows XP machines and on Windows 9x machines and Windows NT 4 machines that have the Directory Services client installed. Kerberos is available only on Widows 2000 machines (and higher). Like the compatsw template, all users and groups are flushed from the Power Users group. A note of caution here: The hisecws.inf template turns off NTLM authentication and allows communication only with other machines that are running NTLM v2 or Kerberos.

Depending on how a machine was born or upgraded, two templates will be different from machine to machine: DC security.inf and setup security.inf . The contents of DC security.inf are created "on the fly" when you upgrade or create a Domain Controller from scratch. During DCPROMO, a combination of defltdc.inf, dcfirst.inf , and defdcgpo.inf are used to configure the system; then DC security.inf is generated. The setup security.inf template is created on the fly when you upgrade or create a member machine from scratch.

These templates contain a snapshot of some of the security that was configured on the system just prior to performing an upgrade or running DCPROMO. (They'll contain default settings if you performed a fresh install.) This can be particularly helpful if something fails to work after an upgrade or DCPROMO. You can look inside these files to determine what the previously set security was on that system and try to adjust it on the new system.

The templates listed in the previous section won't affect User Rights Assignments that were specifically added to your machine. However, applying the setup security.inf and DC security.inf templates resets the changed User Rights Assignments to the defaults (or your previous configuration.). If you want to do this, my advice is to restore only the specific area you want; don't apply the whole template lock, stock, and barrel. You can see how to do this via the secedit command's /areas switch (described in Table 6.3). Usually, you don't want to roll back your entire security to the defaults. Rather, you can pick and choose which sections you want to restore.

Modification 1: Stop the Indexing Service

First, we'll disable the Indexing Service at startup. When disabled, this process won't kick off unless an administrator manually turns it on or a process running in the system context turns it on. Follow these steps (which you can also use to disable other services):

1. Drill down into hisecws_plus ˜ System Services ˜ Indexing Service.

2. Double-click Indexing Service to open the "Indexing Service Properties."

3. Click the "Define this Policy Setting in the Template" check box.

4. You can optionally select the "Edit Security" button to modify the security settings. You don't really have to change anything to enforce this policy. Though, for completeness, you could add the Domain Administrators group to ensure that they always have Full Control. If you want, add the Domain Administrators group, then select "Full Control" from the list of properties, and click OK.

5. Click the "Disabled" radio button if it is not already selected.

6. Click OK to close the Template Security Policy Setting dialog box.

The Indexing Service is now disabled, as shown in Figure 6.23.

Figure 6.23: The Indexing Service has been set to be disabled.

Modification 2: Tweak the Repair Folder

The Repair folder within Windows contains a backup of your Registry data. The files in this folder need to be well protected to ensure that password-cracking programs and the like are not run against the files, exposing the sensitive passwords.

To protect the Repair folder from prying eyes, follow these steps:

1. Drill down into hisecws_plus ˜ File System. Right-click File System and choose Add File from the shortcut menu to open the Security dialog box.

2. Locate the %systemroot%\Repair folder (usually c:\windows\repair).

3. You'll be prompted to edit security for this folder.

4. You can deny local users and add the HR-OU-ADMINS group, as shown in Figure 6.24.

Figure 6.24: Use the Security dialog box to allow or deny access to specific folders.

For this example, we want to ensure that the members of our own HR-OU-ADMINS group can access the files at any time. When you click OK in the Security dialog box, you are presented with several choices.

• If you choose "Propagate Inheritable Permissions to all Subfolders and Files," any files or subfolders will receive these NTFS permissions by inheritance only. If there are explicit ACLs on the files or folder, they will not be overwritten.

• If you choose "Replace Existing Permission on All Subfolders and Files with Inheritable Permissions," all current permissions on all affected files and folders are wiped out and replaced with what you have here. This is the default setting.

• If you choose "Do Not Allow Permissions on this File or Folder to Be Replaced," you're asking the operating system not to allow normal inheritance to flow from upper-level folders down to this folder. This option is not valid if an upper-level folder has the "Replace Existing Permission on All Subfolders and Files with Inheritable Permissions" setting.

In this instance, we'll choose the defaults, and click OK to exit the Template Security Policy Setting dialog box.

Now that you've created your templates, you can leverage them to create a safer, tighter, more secure computing environment. The next section will show you how to apply your template to a workstation.

Graphically Displaying Differences

Lots of settings are configured within the hisecws_plus.inf template. For example, in the Security Configuration and Analysis snap-in, drill down to Local Policies ˜ Security Options. You'll see the following possibilities when graphically analyzing the results:

• If the setting has a green checkmark, the template you used has a definition, and the computer has a setting that already matches. In other words, this computer is compliant with your guidelines for this setting.

• If the results have a big red X, the template has a definition, but the computer you're analyzing either doesn't have a setting or the setting doesn't match.

• If the results don't have either a green checkmark or a big red X (only the little 1s and Os icon), the computer has a setting, but nothing is defined in the templateso there's technically no "problem."

• If the results have a big red exclamation mark, the setting wasn't analyzed . This can happen for one of two reasons:

  • The item was not originally defined in the baseline policy.

  • An error (for example, Access Denied) occurred when querying the item.

As Figure 6.27 shows, many Security Options have a big red X, meaning that they were defined in the template but the test machine is not compliant.

Figure 6.27: A big red X indicates that the machine is not complying with specific settings in the template.

Using the Log File to Find Differences

You might want to rerun the analysis, but save the log file in an easy-to-get-to location, such as the c:\temp folder. You can then open and read the log in any text editor, such as Notepad or WordPad. You can, if you're feeling adventurous, paw through the file and manually locate the changesthough this is messy and cumbersome. If you want to go the nongraphical route, you can sometimes speed things up by using your text editor's search feature to find all instances of "Mismatch."

If you're particularly command-line savvy, use the FINDSTR.EXE command to sift through the hisecws_plus.1og and output just those lines that contain the word "Mismatch."

Graphically Applying the Template

After you perform the baseline analysis using the Security Configuration and Analysis snap-in tool, you can apply the settings to your test machine. To do so, right-click the Security Configuration and Analysis snap-in tool and choose "Configure Computer Now " from the shortcut menu. An analysis is not technically required before applying the template, but it's highly recommended so that you know where you currently stand. You'll be prompted for a location to save the log file.

At this point, the computer is configured to the settings you specified in the template. You could, if desired, rerun the analysis phase to see if the application took place. When you see the red Xs change to green checkmarks, you'll know the application was successful.

Using secedit to Analyze and Apply the Template

You can use secedit in Windows 2003, Windows XP, and Windows 2000 if you want to write batch files that analyze or apply the policy as we did with the graphical Security Configuration and Analysis tool.

USING SECEDIT TO ANALYZE

You can use secedit to analyze the template against the computer's database at any time. To start secedit in analyze mode, you'll need to know the parameters it takes. The following is a sample command line (to be typed all on one line):

 secedit /analyze /db c:\temp\hisecws_plus.sdb           /cfg      c:\windows\security\templates\hisecws_plus.inf            /log       c:\temp\hisecws_plus.log           /verbose 

Let's break this command into bite- sized chunks .

The secedit /analyze chunk requires a /DB parameter, which you must point toward an existing .Sdb database. If no database exists, secedit creates a new one on the fly. In this case, we're specifying /DB to use the file and path of c:\temp\hisecws_plus.sdb. This assumes that c:\temp exists. (It may not.)

If you want to generate a new database on the fly, you'll need to specify the /CFG parameter to point toward your . inf template file, say c:\windows\security\temp1ates\hisecws_plus.inf . Use the /log flag to specify a location and name for your log, for instance, c:\temp\hisecws_plus.log .

Optional parameters are /verbose , which spells out in detail the status, or /quiet , which spits out nothing. The verbose parameter can be useful in debugging situations, and quiet can be useful in batch files when you don't want anyone to know anything is happening.

Now that you understand the command and its parameters, open a command shell and type the secedit command, as shown in Figure 6.28.

Figure 6.28: Use the secedit command to perform batch analysis.

You can analyze the data in two ways, as discussed earlier. You can do so graphically, using the Security Configuration and Analysis tool, or you can use the log at c:\temp\hisecws_plus.log . To analyze the data graphically, right-click the Security Configuration and Analysis tool, and choose Open Database from the shortcut menu. To analyze the data using Notepad or another text editor, open c:\temp\hisecws_plus.log .

USING SECEDIT TO GENERATE A ROLLBACK TEMPLATE

The Windows 2003 version of the secedit command can do something that the Windows XP and Windows 2000 secedit command cannot. It can be used to create a new template that can be used if you want to rollback after a botched template application. Here's the trick though: you must do this before you actually apply the template (next step).

To run secedit in this mode, you'll need to know the appropriate parameters. A sample command line using secedit to generate a rollback template on a Domain Controller might be:

 secedit /generaterollback /db c:\temp\anyname.sdb           /cfg      c:\windows\security\templates\securedc.inf          /rbk      c:\save_my_bacon 

In this example, we use the /cfg command that we're about to apply the securedc.inf template. And, should we need to roll back, it will create the file rollback_before_securedc.inf to roll back to the state before we applied the securedc.inf template (again, you'll see how to apply templates in the next step).

Here's the big warning though (first of two): if you later decide to apply another security template, you'll need to run this command again . If you need to perform a rollback, simply apply the security templates back in order such that the most recently created is applied first, and so on back to the first one that was created.

The second big warning is that the resulting template will not have data sufficient to rollback file or registry ACLs. These templates will rollback everything else though.

Again, note, however, that Windows XP doesn't have the /generaterollback switch, so, unfortunately , you can't use it here, before the next step.

USING SECEDIT TO CONFIGURE

You can use secedit to configure the machine using the template you defined. To run secedit in configure mode, you'll need to know the appropriate parameters. The following is a sample command line:

 secedit /configure /db c:\temp\hisecws_plus.sdb           /cfg      c:\windows\security\templates\hisecws_plus.inf           /log      c:\temp\hisecws_plus.log           /verbose 

Again, let's break the command into bite-sized chunks. The secedit /configure chunk requires a /DB parameter, which you must point toward an existing .sdb database, say, c:\templatecopy\hisecws_plus.sdb .

Use the /CFG parameter to point to your .inf template file, c:\templatecopy\hisecws_plus.inf . If you don't specify a /CFG entry, secedit applies the currently stored template in the database specified in the /DB parameter.

Use the /log flag to specify a location and name for your log, for example, c:\temp\hisecws_plus.log .

Use the /overwrite switch to overwrite the current information in the database with the information in the security template.

The secedit can also surgically replace a specific area in the template to the target machine. Use the /areas switch to isolate and specify one or several areas, as shown in Table 6.3.

To specify multiple areas, you can simply string them together (with a single space between each one), such as /areas REGKEYS SERVICES . To apply all areas, don't specify the /areas switch, since they'll all apply by default. Optional parameters are /verbose , which spells out in detail the status, or /quiet , which spits out nothing at all.

The use of the parameter /cfgc:\temp\hisecws_plus.inf is optional because we already used that .inf file to create our .sdb database in the last step.

Once this process is complete, your system is as secure as the template file dictates.