Deploying Security Templates

You use security templates to create a security policy for your computer or network. Rather than using the techniques you learned about in this chapter to hunt-and-peck security on a computer, security templates give you a single place to configure a range of security settings and then deploy those settings to numerous computers. It's a little used, often misunderstood tool that organizes many of the available security settings in one place to make managing security a far easier job. It saddens me when administrators tell me their security woes and yet they've never heard of security templates, which would deal with most of their problems admirably. Security templates are an IT professional's best friend. Sold yet? I hope so.

You use a variety of tools to create and apply templates. First you use security templates to create and edit templates. Then you use either Security Configuration And Analysis or Group Policy to apply templates. This section walks you through the process of using these tools, starting with creating the Microsoft Management Console (MMC) that you'll use to edit templates, and ending with deploying templates on a network.

First here's an explanation of the different security settings in a template. The following list shows the different categories of settings you see in a security template. Following each category is a description of the settings you can define within it.

  • Account Policies. Password Policy, Account Lockout Policy, and Kerberos Policy

  • Local Policies. Audit Policy, User Rights Assignment, and Security Options

  • Event Log. Application, System, and Security Event Log settings

  • Restricted Groups. Membership of security-sensitive groups

  • System Services. Startup and permissions for system services

  • Registry. Permissions for registry keys (the topic of this section)

  • File System. Permissions for files and folders

Security templates are nothing more than text files that have the .inf extension. You can copy them, edit them, and so on. The file looks much like an INI file. You can create your own security templates from scratch, which I don't recommend because it's too much work with so much risk, or you can customize one of the predefined templates that come with Windows XP. Customizing a predefined template is definitely the way to go because most of the work is already done for you. Note that because only the Administrators group has permissions to change the default security template folder, %SYSTEMROOT%\Security \Templates, only administrators can edit and apply security templates.

Creating a Security Management Console

To make your job easier, create an MMC console that includes all the tools you'll need for editing, analyzing, and applying security templates:

  1. Click Start, Run; then type mmc, and click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, click Add.

  4. Click Security Templates, and click Add.

  5. Click Security Configuration And Analysis, and click Add.

After creating your console, save it to a file for quick access. On the File menu, click Save. I like to call the file Templates.msc. MMC saves your file in your Administrative Tools folder. To open it again quickly, click Start, All Programs, Administrative Tools, and then Templates (or what ever you called it). Figure 7-4 shows the console that I created as described in this section.

click to expand
Figure 7-4: You build templates with security templates, and you analyze and apply templates using Security Configuration And Analysis.

Choosing a Predefined Security Template

Windows XP comes with a small gaggle of predefined security templates. You almost never need to create a new template because you can usually just customize one of the predefined templates and save it to a different file. They provide starting points for applying security policies in different scenarios, whether those scenarios include one, one hundred, or thousands of computers. The following predefined security policies are in %SYSTEMROOT% \Security\Templates by default:

  • Default security (Setup security.inf). This template contains the default security settings that the setup program applies when you install Windows XP. It includes file system and registry permissions, too. If you need information about the operating system's default permissions, you'll find that information here. You can use this template to restore a computer to the original Windows XP security settings, which you'd do by applying it with Security Configuration And Analysis, but don't deploy it using Group Policy.

  • Compatible (Compatws.inf). This template contains security settings that relax restrictions on the Users group enough to allow legacy applications to run. This is preferable to moving users from the Users group to the Power Users or, oh my, the Administrators groups. Specifically, this template changes the file system and registry permissions granted to the Users group so that they're consistent with legacy and other applications that aren't certified for Windows XP. This template also assumes that the administrator doesn't want users in the Power Users group, so it moves users from Power Users to the Users group. This template applies to workstations only, and you shouldn't apply it to servers.

  • Secure (Secure*.inf). These templates tighten security settings that are least likely to affect application compatibility. Securedc.inf is for domain controllers, and Securews.inf is for workstations. It applies strong password, lockout, and audit settings, for example. It also limits the user of LAN Manager and NTLM authentication protocols by configuring Windows XP to send only NTLM version 2 responses and configuring servers to refuse LAN Manager responses. Last, this template restricts anonymous users by preventing them from enumerating account names, enumerating shares, and translating SIDs (see Chapter 1, "Learning the Basics"). Test this template carefully before deploying it.

  • Highly Secure (hisec*.inf). These templates are supersets of the previous templates, and they apply even more restrictions. Hisecdc.inf is for domain controllers, and Hisecws.inf is for workstations. For example, this template sets the levels of encryption and signing that Windows XP requires for authentication and for data moving over secure channels. It requires strong encrypting and signing. Last, it removes all members of the Power Users groups and makes sure that only the Domain Admins group and the local Administrator are members of the local Administrators group. Test these templates to ensure compatibility with your infrastructure and applications because only certified applications are likely to run after applying it.

  • System root security (Rootsec.inf). This template defines root permissions for the Windows XP file system. It contains no registry permissions. It does apply permissions for the root of %SYSTEMDRIVE%. You can apply this template to a computer to restore these permissions to the root of the system drive or to apply the same permissions to additional volumes.

  • No Terminal Server user SID (Notssid.inf). This template removes unnecessary Terminal Server SIDs from the file system and registry when running Terminal Server in application compatibility mode. If possible, run Terminal Server in full security mode instead, a mode in which the Terminal Server SID isn't used at all.

Most of these security templates are incremental. They modify the default or existing security settings if those settings are already configured on the computer. Other than the Setup Security template, they don't configure the default security settings before changing the computer's security configuration. Also, you can't use security templates to secure Windows XP when you use the FAT file system.

You can view these templates in your new MMC console. In the console's left pane, double-click a security template to open it. By default, the templates are under C:\Windows \Security\Templates in Security Templates. You can add a new path, however. Right-click Security Templates, and then click New Template Search Path. You'll see both paths in Security Templates. If you want to remove a path from Security Templates, right-click it, and then click Delete.

Building a Custom Security Template

The hard way to create a custom security template is to start from scratch:

  1. In Security Templates, right-click the folder in which you want to create the new template, and then click New Template.

  2. In Template Name, type the name of the new template in Description, type a brief but useful description of your new template, and click OK.

  3. In the left pane, double-click the new security template to open it. Select a security area, such as Registry, in the left pane, and configure that area's security settings in the right pane.

That's the hard way, and definitely not the way I recommend. First it's too labor-intensive. Second it's error-prone. The best way to create a security template is to start with one of the predefined templates, save it to a new file, and then edit it—carefully. Most of the times I've done this, I started with the Compatws.inf template file and customized it as necessary to give a legacy application enough room to work. Here's how:

  1. In Security Templates, double-click C:\Windows\Security\Templates.

  2. Right-click the predefined template you want to customize, click Save As, type a new file name for the security template, and click Save.

  3. In the left pane, double-click the new security template to open it. Select a security area, such as Registry, in the left pane, and configure that area's security settings in the right pane.

Because this is a registry book, I'll give you a little more detail about configuring registry security in a template. In the left pane of Security Templates, double-click your template, and then click Registry. You'll see a list of registry keys in the right pane. To add a key to the list, right-click Registry, and then click Add Key. Because the list already covers all of HKLM, add exceptions to the settings that the template defines for HKLM\SOFTWARE and HKLM\SYSTEM. To edit a key's settings, double-click it, and then select one of the following options:

  • Configure This Key Then. After selecting this option, select one of the following:

    • Propagate Inheritable Permissions To All Subkeys. The key's subkey inherits the key's security settings, assuming that the subkeys' security settings don't block inheritance. In case of a conflict, the subkey's explicit permissions override the permissions they inherit from the parent key.

    • Replace Existing Permissions On All Subkeys With Inheritable Permissions. The key's permissions override all its subkey's permissions. In other words, each subkey's permissions will be identical to the parent key's permissions. If you select this option and apply the template, the change is permanent unless you change it by applying a different template to the registry.

  • Do Not Allow Permissions On This Key To Be Replaced. Select this option if you don't want to configure the key or its subkey's permissions.

To edit the actual permissions that you want the template to apply to the key, click Edit Security. You do this in the same Security For Name dialog box that you saw earlier in this chapter. You can add and remove groups. You can allow or deny permissions for different users and groups to perform various tasks. You can audit users' and groups' access to the key. You can also change ownership of the key. When you apply the template to a computer or deploy the template through Group Policy, the key receives the permissions you define here.

Analyzing a Computer's Configuration

With your custom template in hand, you can use it to analyze a computer's security configuration. Security Configuration And Analysis enables you to compare the current state of the computer's security configuration to the settings defined in the template. You can use this tool to make immediate changes to the computer's configuration, such as when troubleshooting a problem. You can also use it to track and ensure a certain level of security as part of your enterprise risk management program, detecting flaws in security as they occur over time.

Here's how to analyze a computer's security using Security Configuration And Analysis:

  1. Right-click Security Configuration And Analysis, which you added to your console in the section titled "Creating a Security Management Console," earlier in this chapter, and then click Open Database.

  2. In the Open Database dialog box, do one of the following:

    • To create a new analysis database, type the name of your new database in File Name, and click Open (you don't have a database initially). Then in the Import Template dialog box, click a template and click Open.

    • To open an existing analysis database, type the name of an existing database in File Name, and click Open.

  3. Right-click Security Configuration And Analysis, click Analyze Computer Now, and then accept the default log file path or specify a new one.

Security Configuration And Analysis compares the computer's current security against the analysis database. If you import multiple templates into the database, which you can do by right-clicking Security Configuration And Analysis and then clicking Import Template, the tool merges the templates together to create one template. If it detects a conflict, the last template you loaded has precedence (last in, first out). After Security Configuration And Analysis analyzes the computer, it displays results that you can browse. The organization of these results is the same as in security templates. The difference is that Security Configuration And Analysis displays indicators that show whether a current setting matches or is inconsistent with a setting defined in the template:

  • Red X. The setting is in the analysis database and on the computer, but the two versions don't match. The trick is to drill down through settings that have a red X next to them until you isolate the specific problem.

  • Green Check Mark. The setting is in the analysis database and on the computer, and the two match.

  • Question Mark. The setting is not in the analysis database and was not analyzed. This might also mean that the user who ran Security Configuration And Analysis didn't have permissions necessary to do so.

  • Exclamation Point. The setting is in the analysis database but not on the computer. A registry key might exist in the database but not on the computer.

  • No Indicator. The setting is not in the database or on the computer.

What do you do with any discrepancies you find between the analysis database and the computer's settings? First you can update the database by double-clicking the troublesome setting and clicking Edit Security (see Figure 7-5). This updates the database but not the template, however. Also, it doesn't change the computer's settings. To do that, see the next section. You can also import a more appropriate template for that computer or an updated template into the database and then analyze it again. To avoid problems that result from merging templates, consider creating a new database if you use a new or updated template.

click to expand
Figure 7-5: You can view and edit settings in this dialog box.

Modifying a Computer's Configuration

After you've created a security template and verified it by analyzing computers using Security Configuration And Analysis, you're ready to apply it to the computer:

  1. Right-click Security Configuration And Analysis, and then click Open Database.

  2. In the Open Database dialog box, do one of the following:

    • To create a new database, type the name of your new database in File Name, and click Open. Then in the Import Template dialog box, click a template, and click Open.

    • To open an existing database, type the name of an existing database in File Name, and click Open. If you modified a database without updating the template on which it's based, make sure you open the existing database.

  3. Right-click Security Configuration And Analysis, click Configure Computer Now, and then accept the default log file path or specify a new one.

Deploying Security Templates on the Network

In "Modifying a Computer's Configuration," you learned how to apply a security template to a computer manually. This is fine for one-off scenarios, but it's not the way to deploy security templates to multiple computers on the network. To deploy templates on a network, use Group Policy: Create a new GPO, and then edit it. In the Group Policy editor, right-click Security Settings, and then click Import Policy. Click the template you want to apply, and then click Open.

It's so simple, but I don't want to make light of this. Deploying security templates on your network requires careful planning. You must first identify the templates that your network requires. Then you must identify which organizational units get which security templates. For example, if the sales department uses a legacy application that requires the Users group to have full control of certain registry keys, document and test the security template, and then import the template into a GPO that you assign to the sales department's organizational unit. Ideally, you'll account for security templates early in the deployment planning process. What really ends up happening, unless they planned carefully, is that IT professionals use security templates as a big fire hose to put out fires created by lack of foresight and planning.



Microsoft Windows XP Registry Guide
Microsoft Windows XP Registry Guide (Bpg-Other)
ISBN: 0735617880
EAN: 2147483647
Year: 2005
Pages: 185

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net