Auditing Security Settings Using Security Templates


Windows Server 2003 makes it simple to deploy security configurations. A security template holds a number of security settings that Microsoft considers to be appropriate for a server, domain controller, or workstation. Windows Server 2003 comes with several predefined sample security templates. Each of the templates contains security settings for different levels of security based on the type of server to which the template is applied. For example, you can apply the hisecdc.inf template to all domain controllers in an environment requiring a high level of security. The templates can be used as-is or can be customized to meet the specific security needs of an organization. Security templates can be used to configure the following settings within a local security policy or a group policy:

  • Account policies

  • Local policies

  • Event log

  • Restricted groups

  • System services

  • Registry

  • File system

Using the Default Security Templates

The predefined security templates included with Windows Server 2003 can be viewed using the Security Templates snap-in. To view the default security templates, perform the following steps:

1. Click Start, Run and type MMC. Press Enter.

2. From the File menu, click Add/Remove Snap-In. From the Add/Remove Snap-In window, click Add.

3. Scroll through the list of available snap-ins. Select Security Templates and click Add (see Figure 4.1). Click Close.

Figure 4.1. Adding the Security Templates snap-in

4. Click OK.

5. Within the management console, expand Security Templates and click the default container. The preconfigured security templates are listed in the right pane, as shown in Figure 4.2.

Figure 4.2. Viewing the default security templates included with Windows Server 2003


By default, the following security templates are stored within the %systemroot%\security\templates directory:

  • Setup Security: This template is created during the installation of Windows Server 2003 and contains the default security settings applied during the installation of the operating system. You should not change the settings within this template because it can be used to reapply default security settings.

  • Compatible (compatws.inf): This template relaxes security so members of the Users group can run applications that are not a part of the Designed for Windows Logo Program. The default permissions allow members of this group to run only applications that are part of the Windows Logo Program. Instead of adding members to the Power Users group, permissions can be relaxed so that members of the Users group can run the necessary applications.

  • Secure (secure*.inf): This template modifies security settings that affect the operating system and network protocols such as the password policy, account policy, and various Registry settings. It also removes all members from the Power Users group.

  • Highly Secure (hisec*.inf): This template increases the security of the parameters defined within the secure template. This template also removes all members from the Power Users group.

Analyzing Security with the Security Configuration and Analysis Tool

Windows Server 2003 includes a tool known as the Security Configuration and Analysis tool. Using this tool, you can analyze the current security state of a server or workstation by comparing the existing settings against a standard template provided with the operating system. By performing a security analysis on a regular basis, administrators can ensure that a server or workstation continues to meet the security requirements of an organization. Over time, discrepancies can occur in the security configuration of a server or workstation. The analysis pinpoints any discrepancies, allowing an administrator to resolve any security conflicts that exist. After an analysis is run, the results are displayed for review.

To analyze the existing security configuration, perform the following steps:

1. Click Start, Run, and type MMC. Press Enter.

2. From the File menu, click Add/Remove Snap-In. From the Add/Remove Snap-In window, click Add.

3. Scroll through the list of available snap-ins. Select Security Configuration and Analysis, and click Add. Click Close and then click OK.

4. Within the management console, right-click Security Configuration and Analysis, and click Open Database.

5. Type a new filename to create a new database, or select an existing database.

6. If you are creating a new database, select an existing template and click Open.

7. Within the Details pane, right-click Security Configuration and Analysis, and click Analyze Computer Now.

8. Specify the path for the error log, or use the default location. Click OK.

9. After the security settings have been analyzed, double-click Security Configuration and Analysis within the Details pane. Any security settings that do not match those within the security template are marked with an X, as shown in Figure 4.3. As you can see in the figure, the values configured on the computer for Minimum Password Age and Minimum Password Length do not match the values defined within the database.

Figure 4.3. Viewing the results of a security analysis
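
The kind of comparison the analysis steps above produce can be sketched offline. This is an added example, not code from the book or from Microsoft: it parses two security-template INF texts and lists every setting the baseline defines that the computer does not match. Both INF texts are constructed samples; on a real system the second would be settings exported from the audited computer (for example with secedit /export /cfg).

```python
# Added example: both INF texts are constructed samples, not real server files.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 2
MinimumPasswordLength = 8
PasswordHistorySize = 24
[Event Audit]
AuditLogonEvents = 3
[Version]
signature="$CHICAGO$"
"""
COMPUTER_INF = """\
[System Access]
MinimumPasswordAge = 0
MinimumPasswordLength = 0
PasswordHistorySize = 24
"""
METADATA = {"Unicode", "Version"}  # file-format sections, not policy settings

def parse_inf(text):
    """Return {(section, key): value} for every policy setting in an INF text."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section and section not in METADATA:
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings

def analyze(baseline_text, computer_text):
    """List settings the baseline defines that the computer does not match."""
    baseline, computer = parse_inf(baseline_text), parse_inf(computer_text)
    findings = []
    for (section, key), expected in sorted(baseline.items()):
        actual = computer.get((section, key))  # None means absent on the computer
        if actual != expected:
            findings.append((section, key, expected, actual))
    return findings

if __name__ == "__main__":
    for section, key, expected, actual in analyze(BASELINE_INF, COMPUTER_INF):
        print(f"X [{section}] {key}: template={expected} computer={actual}")
```

Values are compared as literal strings, so a computer setting stricter than the template is still reported. Real template and exported files are typically saved as Unicode (UTF-16) and need decoding before being passed in.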


Applying Security Templates

A security template can be applied in two ways: locally or through a group policy. To apply a security template to a local policy, perform the following steps:

1. Within the Security Configuration and Analysis console, right-click Security Configuration and Analysis, and click Open Database.

2. Type a name for the database and click Open.

3. From the Import Template window, select a template and click Open (see Figure 4.4).

Figure 4.4. Importing a security template into a local policy

4. Right-click Security Configuration and Analysis, and click Configure Computer Now. The security settings are immediately applied to the local computer.

To import a security template for a domain or Organizational Unit, perform the following steps:

1. Click Start, Administrative Tools, and select Active Directory Users and Computers.

2. Right-click the domain or Organizational Unit for which you want the security settings applied, and click Properties.

3. From the Properties window, select the Group Policy tab (see Figure 4.5).

Figure 4.5. Using the Group Policy tab to import a security template

4. Click Edit to edit an existing group policy, or click New to create a new group policy.

5. In the Group Policy console, under Computer Configuration, expand Windows Settings and right-click Security Settings. Click Import Policy.

6. Select the security template that you want to import and click Open.

Exam Alert

Security settings on a domain controller are automatically refreshed every five minutes. Security settings on a workstation or server are automatically refreshed every 90 minutes.


After you make changes to any security settings, you can force an immediate refresh using the gpupdate command. When the command is used on its own, it automatically refreshes any user and computer settings that have changed. Using the command with the /target switch enables you to specify whether computer or user settings are refreshed. Using the /force switch means that all settings are refreshed, regardless of whether they were changed. The gpupdate command replaces the /refreshpolicy option of the secedit command in Windows 2000.

Creating Custom Templates

The predefined security templates can be applied as-is. However, they can also serve as a starting point for configuring security. Any of the predefined templates can be customized to meet the specific security requirements of an organization.

To customize an existing template, perform the following steps:

1. Open the Security Templates snap-in. Expand the Security Templates container.

2. Click the default path folder. In the right pane, right-click the security template that you want to modify and click Save As.

3. Type a new name for the security template and click Save (see Figure 4.6).

Figure 4.6. Customizing a predefined security template


The newly created template appears within the right pane. To modify the security settings, double-click the new template. Any of the settings contained within the template can be modified by right-clicking an attribute and selecting Properties. For example, to configure a password history, right-click the Enforce Password History option from within the Password Policies container for a security template, and click Properties. Select the option to Define This Policy Setting in the template and configure a value.

If you would rather define an entirely new template than customize one of the existing security templates, you can also do so using the Security Templates snap-in. Right-click the default path location within the Security Templates snap-in and click New Template. Type in a name and description for the template, and click OK. The new template is displayed within the right pane, from which you can begin configuring the security settings.



Exam Cram(c) 70-291 Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure
ISBN: 131516345
EAN: N/A
Year: 2006
Pages: 126
