Testing with Security Templates

Previous page
Table of content
Next page

Testing with Security Templates

Windows 2000 and later ship with security templates that define recommended lockdown computer configurations, a configuration more secure than the default settings. Many corporate clients deploy these policies to reduce the cost of maintaining client computers by preventing users from configuring too much of the system. Inexperienced users tinkering with their computers often leads to costly support problems.

There is a downside to these templates: some applications fail to operate correctly when the security settings are anything but the defaults. Because so many clients are deploying these policies, as a tester you need to verify that your application works, or not, when the policies are used.

The templates included with Windows 2000 and later include those in Table 14-3.

Table 14-3 Security Configuration Editor Templates

Name

Comments

compatws

This template applies default permissions to the Users group so that legacy applications are more likely to run. It assumes you ve done a clean install of the operating system and the registry ACLs to an NTFS partition. The template relaxes ACLs for members of the Users group and empties the Power Users group.

hisecdc

This template assumes you ve done a clean install of the operating system and the registry ACLs to an NTFS partition. The template includes securedc settings see below with Windows 2000 only enhancements. It empties the Power Users group.

hisecws

This template offers increased security settings over those of the securews template. It restricts Power User and Terminal Server user ACLs and empties the Power Users group.

rootsec

This template applies secure ACLs from the root of the boot partition down.

securedc

This template assumes you ve done a clean install of the operating system and then sets appropriate registry and NTFS ACLs.

securews

This template assumes you ve done a clean install of the operating system and then sets appropriate registry and NTFS ACLs. It also empties the Power Users group.

setup security

This template contains out of the box default security settings.

At the very least you should configure one or more test computers to use the securews template if your code is client code and the securedc template for server code. You can deploy policy on a local test computer by using the following at the command line:

secedit /configure /cfg securews.inf /db securews.sdb /overwrite

Once a template is applied, run the application through the battery of functional tests to check whether the application fails. If it does, refer to How to Determine Why Applications Fail in Chapter 5, Running with Least Privilege, file a bug, and get the feature fixed.

note

If you deploy the hisecdc or hisecws template on a computer, the computer can communicate only with other machines that have also had the relevant hisecdc or hisecws template applied. The hi secdc and hisecws templates require Server Message Block (SMB) packet signing. If a computer does not support SMB signing, all SMB traffic is disallowed.


Previous page
Table of content
Next page
Writing Secure Code
Writing Secure Code, Second Edition
ISBN: 0735617228
EAN: 2147483647
Year: 2005
Pages: 153
Authors: Michael Howard, David LeBlanc
BUY ON AMAZON
Project Management JumpStart
MySQL Cookbook
File System Forensic Analysis
Oracle SQL*Plus: The Definitive Guide (Definitive Guides)
Lean Six Sigma for Service : How to Use Lean Speed and Six Sigma Quality to Improve Services and Transactions
MPLS Configuration on Cisco IOS Software
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy