Using Templates to Implement Security Policies
Windows 2000, as you now know or are quickly learning, has a rich and diverse range of security features. With these features, however, comes a multitude of security policies and attribute settings that need to be configured. Configuring a system with policies consistent with your company's security needs is, in itself, no small task. Multiply that by all of the computers at your site or in your organization, and you've got yourself quite a chore. And that doesn't include the maintenance time required whenever company policies need to be reevaluated.
Enter security templates. A security template, quite simply, is a configuration file for all of the security attributes of a system. Security templates are powerful and help ease the strain of administration. Using a single interface, an administrator can generate a security template that reflects the company's security needs and then apply it to a local computer or import it into a Group Policy object in Active Directory. When you incorporate the template into a Group Policy object, all computers affected by that object receive the template settings.
Running the Security Templates Snap-In
Security templates can be created and modified with the Security Templates snap-in of the Microsoft Management Console (MMC). To add the snap-in to the MMC, type mmc.exe in the Run dialog box, which is accessed from the Start menu. From the Console menu, choose Add/Remove Snap-In. Click Add in the Stand-Alone tab and select Security Templates from the list of snap-ins provided. Click Add in the Add Stand-Alone Snap-In dialog box to add the Security Templates entry to the Add/Remove Snap-In dialog box and then click Close. Click OK in the Add/Remove Snap-In dialog box, and the Security Templates snap-in is added to Console Root in the console tree.
In the console tree, expand Security Templates and the Security\Templates folder to display an initial list of templates. These are predefined templates that can be tweaked for a company's specific needs. When a new template is created or an existing one is copied, it's added to this list. Select any one of these preloaded policies, and the right pane of the console displays all of the security areas available for configuration (Figure 19-1).
Figure 19-1. Predefined security templates.
Essentially, each template in the list represents a single readable .INF file. The snap-in is merely an interface for modifying these security template files. The files can be found in the system root folder under %SystemRoot%\Security\Templates. The following is a small excerpt from the securews template (Securews.inf), showing the Account Policies area:
[System Access]
;———————————————————————
;Account Policies - Password Policy
;———————————————————————
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 6
RequireLogonToChangePassword = 0
ClearTextPassword = 0
Examining Template Policies
Each template contains attribute settings for the seven areas of security configurable in Windows 2000. Double-click a security area in the right pane of the console or expand the console tree in the left pane to display the specific sections.
Account Policies
The Account Policies area includes policies pertaining to user accounts. It contains Password Policy, Account Lockout Policy, and Kerberos Policy.
Local Policies
The Local Policies area includes policies pertaining to who has local or network access to the computer and how events are audited. This area contains Audit Policy, User Rights Assignment, and Security Options.
Event Log
The Event Log area contains attributes that determine how the application, security, and system event logs behave. Log attributes include maximum size and access restriction. Event logs can be viewed in Event Viewer.
Restricted Groups
The Restricted Groups security setting is for adding members to built-in user groups, which have predefined capabilities, or to other administrator-defined groups that might be privileged. Built-in user groups include Administrators, Power Users, and Backup Operators.
System Services
The System Services area includes security attributes of all system services on the local computer. System services include file services, print services, network services, and telephone services.
Registry
The Registry area contains security attributes for existing registry keys, including auditing information and the access permissions.
File System
The File System area allows the configuration of access permissions and auditing of specific directories and files on the local system.
Using Predefined Templates
The predefined templates supplied by Windows 2000 can be used as is, or they can be customized to conform to a more rigorous security requirement. These templates span a range of security levels and represent typical security scenarios for the different types of computers found in a system—namely workstations, servers, and domain controllers. Table 19-1 shows some of the predefined security templates, categorized by security level.
Table 19-1. Some predefined security templates
| Security Level | Template Name | Description |
|---|---|---|
Default | basicwk | Default workstation template |
basicsv | Default server template | |
basicdc | Default domain controller template | |
Secure | securews | Secure workstation or server template |
securedc | Secure domain controller template | |
Highly secure | hisecws | Highly secure workstation or server template |
hisecdc | Highly secure domain controller template | |
Compatible | compatws | Compatible workstation or server template |
Out of the box | Setup security | Out-of-the-box default settings template |
DC security | Out-of-the-box domain controller settings template |
Default Security Templates
The basic security templates for workstations, servers, and domain controllers contain Windows 2000 default settings for account and local policies, as well as typical values for event log maintenance and basic permissions for system services. In addition, these basic templates include default access permissions for system files, directories, and registry keys that, when applied, overwrite the existing security settings of these objects and their children. These basic templates, however, intentionally omit user rights assignments so as not to overwrite any assignments made by application setup programs. This omission means that the basic security templates can be applied to a machine to reset the security configuration of that system.
A closer look at the three basic templates reveals minor differences among them. Whereas the basic workstation template includes default configurations for necessary system services, the basic server template adds default configurations for automatic startup of server-only services, such as Microsoft SMTP Service and License Logging. The basic domain controller template omits system services configuration completely. The basic domain controller template is more suited for a domain controller that services users.
Secure Security Templates
Two secure templates are provided: one for the domain controller and a combined template for the workstation and server. With stricter password and lockout policies and with audit logs that restrict guest access and hold up to five times the audit information of the basic templates (10 times for the domain controller), the secure templates provide a medium layer of security.
The secure templates also enable more of the auditing features than the basic templates do. Unsuccessful logon events and privilege use, as well as successful and unsuccessful account management and policy changes, are configured for auditing. In addition, the secure domain controller template provides auditing for object and directory service access. Account and local policies also appear in the secure domain controller template, although they are absent from the basic domain controller template. Because the permissions of files, folders, and registry keys are configured securely by default, these security areas are omitted in this template type.
Real World
Strengthening the Secure Template Without Going Too Far
The secure template is generally a good template to apply to workstations and servers. Additionally, however, you should consider the following settings that can improve security without compromising functionality to the extent that the high-security templates do. All of the following settings are located in the Local Policies-Security Options container except the first one, which is located in the Local Policies-Audit Policies container:
- Audit System Events Success or Failure
- Additional Restrictions For Anonymous Connections No access without explicit anonymous permissions
- Audit The Use Of Backup And Restore Privilege Enabled
- Do Not Display Last User Name In Logon Screen Enabled
- LAN Manager Authentication Level Send NTLMv2 response only or refuse LM and NTLM (this blocks MS-DOS and OS/2 clients from logging on)
- Number Of Previous Logons To Cache 0 logons (but don't do this on laptops or your users will be unhappy)
- Rename Administrator Account Rename to something other than admin, root, or boss
- Restrict CD-ROM Access To Locally Logged-On Users Only Enabled
- Unsigned Driver Installation Behavior Do not allow installation
- Unsigned Non-Driver Installation Behavior Do not allow installation
Highly Secure Security Templates
The highly secure templates are actually quite lean and concentrate on the security of communications in native-mode (Windows 2000) environments. In short, security attributes are set for digitally signing client-side and server-side communications and for signing and encrypting the secure channel data. Because maximum protocol protection is set, however, systems to which these templates are applied will not be able to communicate with machines running Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows NT. Aside from there being no Authenticated Users in the Power Users restricted group in the highly secure workstation/server (hisecws) template, the highly secure workstation/server and domain controller templates are essentially the same.
Compatible Security Template
In the basic workstation template, Authenticated Users are, by default, Power Users. The secure and highly secure workstation templates remove Authenticated Users from the Power Users group. Because the goal of the compatible security template is to allow most applications to run successfully, but not at the cost of compromising the security levels of Power Users, this template also removes Authenticated Users from the Power Users group. With the Authenticated Users group downgraded, the template facilitates compatibility by lowering security on the folders, files, and registry keys typically accessed by applications.
We don't recommend that you use the compatible security template unless you're experiencing a specific compatibility problem that is fixed using this template. Instead, you should evaluate Windows 2000 compatibility technologies, Microsoft Windows XP, or a virtual PC program such as Connectix Virtual PC or VMware Workstation.
Out-of-the-Box Security Templates
The setup security template contains out-of-the-box security settings for workstations and servers. The domain controller security template builds on the setup security template, adding default security settings for domain controllers.
Modifying a Predefined Template
You can use a predefined template as a starting point for your own security scheme. First make a copy of it by right-clicking the template name and choosing Save As. Next specify a filename, being sure to retain the .INF extension. You can modify the attributes in any of the security areas of your new template by fully expanding the template tree to that area. For attributes, right-click an attribute name and choose Security from the shortcut menu to open the Template Security Policy Setting dialog box. For the Restricted Group, Registry, and File System folders, right-click the folder and choose Add Group, Add Key, or Add File, respectively.
Defining New Templates
You can also choose to generate a security template entirely from scratch. In the console tree of the Security Templates snap-in, right-click the parent default template folder (%SystemRoot%\Security\Templates) and choose New Template. In the dialog box that appears, type a template name and a description of the template's purpose. The new template is saved as an .INF file in the Templates folder and is added to the list of available templates.
At this point, the new template file is empty, except for some version and description info. Viewing any of the policy attributes in the new template will list attributes as Not Defined. The Restricted Groups, Registry, and File System folders simply contain no entries.
For each security area, you can configure any or all of the security attributes or you can choose to leave that area unconfigured. To modify an attribute's settings, right-click the attribute in the right pane and choose Security. The Template Security Policy Setting dialog box appears. Select the Define This Policy Setting In The Template check box to enable the settings and set the attribute. Figure 192 shows the dialog box for the Retention Method For Security Log attribute. The stored settings in the various attributes represent a range of data types, including Boolean (enable, disable), integers (maximum file size), and dates and times.
Figure 19-2. The dialog box for the Retention Method For Security Log attribute.
It's just as easy to configure those security areas that contain a list of items instead of individual attributes. Right-click Restricted Groups, Registry, or File System, and select Add Group, Add Key, or Add File, respectively. You can then browse for the object to add and choose access permissions, ownership, and auditing information in the Access Control dialog box.
Once the security template is complete, save it by right-clicking the template name and choosing Save. It's then ready to be applied to the local computer or to a Group Policy object.
When creating new security templates for your system architecture, remember that security can be applied through the layering of templates. The configuration database allows templates to be imported one after another, so that the security policies in the different templates have a masking effect. Conflicts of specific attributes are resolved by giving highest priority to the most recently loaded template. This means that templates with varying degrees of security do not need to contain redundant data. Instead, basic security attributes can be applied with a standard security template that you load first. Higher level security templates then need to contain only security differences between the two levels.
Applying Templates
A security template containing system security settings can be either applied to a local computer or pushed to a group of computers by importing it into a Group Policy object. Applying the template to a local computer is done through the Security Configuration and Analysis snap-in. See the section entitled Importing and Exporting Templates, later in this chapter, for detailed instructions.
To import the security template into a Group Policy object, choose the target Group Policy object in the MMC. Expand the object, and then expand Computer Configuration and Windows Settings to display Security Settings. Right-click Security Settings and choose Import Policy. A list of security templates appears, each template being an .INF file. Choose the desired template.
Reduce the administrative hassle of configuring large arrays of security attributes by modifying predefined templates whenever possible.
EAN: 2147483647
Pages: 320