Security templates allow you to define baseline security for computers that share similar security requirements. Using security templates ensures that security can be applied consistently to multiple computers.
After this lesson, you will be able to
Estimated lesson time: 60 minutes
Windows 2000 has made it easier to apply consistent security by introducing security templates. Security templates define security based on seven categories of configuration. You use each category to apply specific computer-based security settings. These categories include
NOTE
Account policy settings applied at the OU level affect the local Security Accounts Management (SAM) databases but not the user accounts within the OU. This is because the user accounts apply their account policy settings from the Default Domain Policy.
You can define the security template settings by loading the Security Templates Microsoft Management Console (MMC), shown in Figure 8.2.
Figure 8.2 The Security Templates MMC console
The Security Templates MCC console allows you to create new templates or modify existing templates to meet your security needs.
Before defining security templates, you must identify computers on your network that require similar security configurations. You usually do this by determining the specific role that each Windows 2000–based computer will play on the network and by identifying each role's unique security requirements.
Each role will ultimately be associated with a security template that identifies the baseline (or required) security for that class of computer. Some of the more common roles that you can define for computers include
When you determine the roles of Windows 2000–based computers within your organization, use the following guidelines:
NOTE
You can apply Windows 2000 security templates only to Windows 2000–based computers. Therefore, consider only Windows 2000–based computers in your role definitions.
Based on the information given in this scenario, Market Florist could use the following categories of computers:
NOTE
Because the marketflorist.tld forest has three separate domains, you have to deploy the security templates in each of them.
NOTE
You might be able to use a single security template for all SQL servers. It depends on your analysis of the security requirements for the two roles played by SQL servers. Despite the different data stored on the servers, they may use identical security configuration.
One of the common complaints about Windows NT 4.0 was that the operating system wasn't secure after a default installation was performed. Windows 2000 addresses this concern by defining default security to increase the security applied to the operating system. These default settings are applied in one of two ways:
WARNING
For the default security settings to be fully applied, Windows 2000 must be installed to an NTFS partition.
NOTE
Windows 2000–based computers that have been upgraded from Microsoft Windows 95 or Microsoft Windows 98 have the default security settings applied, with the exception that all local user accounts are configured to be members of the local Administrators group if the current file system is converted to NTFS. When upgrading from Windows 95 or Windows 98, always review the membership of the local Administrators group to ensure that excess privileges aren't being assigned to the local computer.
As mentioned earlier, newly installed Windows 2000–based computers will have the Default security template applied during the computer's installation. There are actually three Default security templates, depending on the role the computer plays on the network:
NOTE
The Default security templates are stored in the systemroot\inf directory (where systemroot represents the folder where Windows 2000 is installed). Once a Default template is applied to a computer, the applied template is stored in systemroot\security\templates as "Setup security.inf."
When Windows 2000–based computers are upgraded from previous versions of Windows NT, they won't have the Default template applied. In this situation the existing security configuration is maintained. You can still increase the security of the computer by applying the Basic templates. The Basic templates will apply the same settings configured in the default security templates with the exception of restricted groups and user rights. This ensures that any existing user rights (for example, user rights assigned to allow service accounts to operate) aren't removed. You can apply the following Basic templates to upgraded Windows 2000–based computers:
NOTE
You can find the three Basic templates in the systemroot\security\templates folder.
Use the design matrix shown in Table 8.2 to ensure that the default settings are applied to all Windows 2000–based computers.
Table 8.2 Applying Windows 2000 Default Security Configuration
If the Computer Is | Do the Following |
---|---|
Upgraded from Windows 95 or Windows 98 to Windows 2000 Professional | Ensure that during the upgrade you choose to convert the file system to NTFS. Do nothing else. The Defltwk.inf security template will be applied automatically. |
Upgraded from Windows NT 4.0 Workstation to Windows 2000 Professional | Ensure that the file system is converted to NTFS. Apply the Basicwk.inf security template to ensure that default security is applied. |
A member server upgraded from Windows NT 4.0 to Windows 2000 | Ensure that the file system is converted to NTFS. Apply the Basicsv.inf security template to ensure that default security is applied. |
A DC upgraded from Windows NT 4.0 to Windows 2000 | Ensure that the file system is converted to NTFS. Apply the Basicdc.inf security template to ensure that default security is applied. |
A new install of Windows 2000 | Ensure that the system and boot partitions are configured to use NTFS. Do nothing else. The default security templates will be applied automatically and stored in the Setup Security.inf file. |
To ensure consistent default security on the Market Florist network, use Table 8.3, which shows whether the Default or Basic security templates are used to apply Windows 2000 default security.
Table 8.3 Ensuring Default Security for Market Florist
DCs | The default DC security template (Defltdc.inf) is automatically applied at installation. |
File and print servers | The default server security template (Defltsv.inf) is automatically applied at installation. |
Internal SQL servers | The default server security template (Defltsv.inf) is automatically applied at installation. |
External Web servers | The default server security template (Defltsv.inf) is automatically applied at installation. |
Client computers running Windows 2000 Professional (new installations) | The default workstation security template (Defltwk.inf) is automatically applied at installation. |
Client computers running Windows 2000 Professional (upgraded from Windows 95) | The default workstation security template (Defltwk.inf) is automatically applied during the upgrade. The upgrade process must convert the file system to NTFS for all security settings to be applied. |
Client computers running Windows 2000 Professional (upgraded from Windows NT 4.0) | The basic workstation security template (Basicwk.inf) must be manually applied as part of the upgrade process to ensure that default security is applied to the upgraded computers. |
Laptop computers running Windows 2000 Professional (new installations) | The default workstation security template (Defltwk.inf) is automatically applied at installation. |
Additionally, you should inspect the membership of the local Administrators group of the Windows 2000 Professional clients that were upgraded from Windows 95. By default, an upgrade from Windows 95 to Windows 2000 Professional places any existing user accounts into the local Administrators group. You must modify the membership of the local Administrators group to ensure that excess privileges aren't assigned to user accounts.
Although the default Windows 2000 security configurations provide adequate security for many situations, sometimes additional security configuration is required. To help you define additional security, Microsoft has included several incremental security templates. These incremental templates provide security settings that are best applied in specific scenarios, such as when Terminal Services is deployed on a Windows 2000 Server.
NOTE
The incremental templates are effective only if the default or basic templates have already been applied.
Windows 2000 provides the following incremental security templates:
Alternative Methods of Providing Application Compatibility
When you upgrade to a new operating system such as Windows 2000, some older applications might fail to operate correctly in the new environment. For example, Microsoft Office 97 isn't a Windows 2000–certified application. Under default security, the spelling checker doesn't operate because it attempts to write to folders that aren't accessible to normal user accounts.
When designing security templates, consider using the following methods to ensure that the applications run in a Windows 2000 environment:
- Add all users to the Power Users group. In Windows 2000, the Power Users group is the equivalent of the Users group in Windows NT 4.0. Adding all users to the Power User group isn't recommended because membership in Power Users provides some administrative capabilities, such as adding local users or managing NTFS permissions on the local computer.
- Apply the Compatws.inf security template. As mentioned earlier, the compatible workstation template weakens the default security to match Windows NT 4.0 security. Applying the Compatws.inf security template isn't recommended because default security is very important to a secure network.
- Use the Apcompat.exe utility included in the Windows 2000 Support Tools. In some cases the reason an application won't run isn't due to security restrictions, but that it doesn't recognize the Windows 2000 operating system. In these cases, use the Apcompat.exe utility to have Windows 2000 emulate a previous Windows operating system, as shown in Figure 8.3.
Figure 8.3 Configuring Apcompat to allow Dragon Naturally Speaking to execute
- Upgrade to a newer version of the application.Consider upgrading to a Windows 2000–certified version of the application. This may involve an upgrade or may only require the installation of a patch to the application.
NOTE
This incremental security template is always applied when a member server is promoted to a DC. This isn't truly an optional security template. You can use this security template to ensure that initial DC security is still applied.
WARNING
Implementing the High Secure templates may prevent down-level Windows clients from participating in the network. Only deploy the High Secure templates when all client computers are running Windows 2000.
Comparing the Secure and High Secure Options
Table 8.4 shows the differences between the Secure and High Secure templates.
Table 8.4 Comparing the Secure and High Secure Templates
Setting Secure Template
(Securedc.inf)High Security Template
(Hisecdc.inf)Additional restrictions for anonymous connections Don't allow enumeration of SAM accounts and shares No access without explicit anonymous restrictions Clear virtual memory pagefile when system shuts down Disabled Enabled Digitally sign client
communications (always)Disabled Enabled Digitally sign client
communications (when possible)Enabled Enabled Digitally sign server
communications (always)Disabled Enabled Digitally sign server
communications (when possible)Enabled Enabled Do not display last user
name in logon screenDisabled Enabled LAN Manager Authentication Level
Send NTLM responses only Send NTLMv2 response only \ Refuse LM & NTLM Secure channel: Digitally
encrypt or sign secure channel data (always)Disabled Enabled Secure channel: Digitally
encrypt or sign secure channel data (when possible)Enabled Enabled Secure channel: Digitally
sign secure channel data (when possible)Enabled Enabled Secure channel: Require
strong (Windows 2000 or later) session keyDisabled Enabled Unsigned driver installation
behaviorDon't allow installation Don't allow installation Unsigned nondriver
installation behaviorWarn but allow installation Silently succeed As you can see, there isn't a great difference between the Secure and High Secure templates. The key differences is the enforcement of server message block (SMB) signing (digitally sign server communications) and secure channel session keys.
Use the decision matrix shown in Table 8.5 to determine when it's appropriate to use each of the incremental security templates.
Table 8.5 Designing Incremental Security Template Usage
Use This Template | When You Have the Following Security Requirements |
---|---|
No Terminal Services ID | You've deployed Windows 2000 servers with Terminal Services configured to use Application Mode. You wish to secure access to Terminal Services and the resources on the terminal server on a per user basis. You are deploying Terminal Services as a desktop replacement and want to provide maximum security for all users. |
Compatible Workstation | Your budget doesn't allow for an immediate upgrade to a Windows 2000–certified version of the application. You don't want to make all users members of the Power Users group. You can't identify which individual NTFS files or registry keys require modified permissions. |
Optional Components | You've installed additional components to Windows 2000 and want to maintain the highest level of security. |
DC Security | You want to ensure that initial DC security is still applied to a DC. |
Secure | You're in a mixed environment of Windows 2000 and down-level clients. You wish to have the strongest security without excluding down-level clients. |
High Security | No down-level clients remain on the network. You want to provide the strongest form of security for all data usage. |
Market Florist has decided that they want to prevent down-level clients from connecting to the network while maintaining the highest level of security on the internal network. By applying the High Security templates to all its Windows 2000–based computers, Market Florist will accomplish both goals.
You must apply High Security templates (Hisecws.inf and Hisecdc.inf) only to computers that have Windows 2000 default security applied, as mentioned earlier. You can apply the Hisecws.inf security template to all client computers, including those upgraded from previous versions of Windows, and you can apply the Hisecdc.inf to all Windows 2000 servers, including both DCs and file and print servers.
While the Default templates meet most security requirements, you may need to create modified templates to define security baselines for some computer roles. If the settings that you require are in the Security Templates interface, you can simply create custom security templates by using an existing template as the starting point for your custom security template.
When defining a custom security template, be careful to avoid applying too many settings. The security template should meet, but not exceed, the required security baseline.
When designing custom security templates, consider the following points:
Market Florist must create a custom security template for the Web servers hosting the ww.marketflorist.tld Web site and the Flower Power application. You must include the following items in the custom security template:
NOTE
Disabling the Server service would prevent Windows 2000 SMB file connections to the Web server from both the internal and external networks. An alternative would be to configure IPSec to protect connections to the server from the internal network. This would require defining IPSec on the Web servers. For more information, see Chapter 12, "Securing Data at the IP Level."
Although you can create custom security templates from existing settings, sometimes the settings you require might not be included in the Security Configuration Tool Set (SCTS). For example, you may want to use Group Policy to prevent Windows 2000 client computers from attempting to register the Host (A) and Pointer (PTR) resource records with Domain Name System (DNS) by using dynamic updates. You can extend the SCTS to include the registry entry to prevent dynamic updates for all network adapters.
NOTE
The registry value to prevent Windows 2000 client computers from performing dynamic update of the A and PTR resource records is HKEY_Local_Machine \System\CurrentControlSet\Services\TcpIp\Parameters\DisableDynamicUpdate. By setting this REG_DWORD to a value of 1, you can prevent the client computer from performing dynamic updates. This is useful in a network where the dynamic updates are restricted to DHCP servers.
To add registry entries, complete the following steps:
WARNING
The next section is relevant if you wish to extend security templates to include additional registry values in the Security Options settings. You won't have to know the parameters within the Sceregvl.inf file for the 70–220 exam.
The Sceregvl.inf file is a setup file provided with Windows 2000. The Sceregvl.inf file is split into three distinct sections:
NOTE
Choices is commonly used for registry values that allow specific entries. The Choices data type allows for any number of options and their display string to be included for a security option.
The best way to show the syntax is to show the specific entries for one of the security options. A commonly set security option is to suppress the last user's logon name from the Windows 2000 security box. This prevents a user from knowing who previously used the console. For this option, the following values exist in the [Register Registry Values] and [Strings] section of the Sceregvl.inf file:
[Register Registry Values] MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System \DontDisplayLastUserName,4,%DontDisplayLastUserName%,0 [Strings] DontDisplayLastUserName = Do not display last user name in logon screen
The line in the [Register Registry Value] section can be broken down as follows:
NOTE
When you're adding a custom registry entry to the Sceregvl.inf file, it's a good idea to copy an existing registry value within the text file and modify as required to reduce the possibility of incorrect syntax being applied.
When designing custom registry values to be included in the Security Templates console, use the decision matrix shown in Table 8.6.
Table 8.6 Extending the Security Configuration Tool Set
To | Do the Following |
---|---|
Determine what registry values need to be added | Identify registry values that are commonly modified at Windows 2000–based computers for security configuration as part of the installation process. The registry values may be defined in documentation or knowledge base articles. |
Identify the properties of the registry value that must be added to the Sceregvl.inf file. | Identify the properties for a specific registry value by reviewing the Regentry.chm compressed help file included with the Microsoft Windows 2000 Resource Kit, or by reading knowledge base articles or the software documentation. |
Protect the original Sceregvl.inf file | Save a copy of the original Sceregvl.inf file in a secure location before making any modifications. |
Register the changes in the Security Templates console | Run REGSVR32 SCECLI.DLL at the command prompt. Ensure that the modified Sceregvl.inf file is located in the systemroot\inf folder. |
Verify the configuration changes | Open the Security Templates console and verify that the new entry appears in the Security Options settings. Also attempt to apply the setting by using the Security Configuration And Analysis console. |
Ensure that all required stations see the modified entries | Register the modified Sceregvl.inf file at all Windows 2000–based computers where the security template will be modified. |
You must extend the security templates to allow the listening port for the Flower Power application to be changed. This change requires modification of the Sceregvl.inf file at any Windows 2000–based computers where the security templates will be modified.
You must make the following modifications to the Sceregvl.inf file to allow the listening port to be modified:
[Register Registry Values] Machine\Software\MarketFlorist\FlowerPower\Parameters \Port,4,%ListenPort%,1 [Strings] ListenPort= Configure the Flower Power Listening Port
Once you've made the modifications to the Sceregvl.inf file, you must reregister the file by running the command REGSVR32 SCECLI.DLL at the computer with the modified Sceregvl.inf configuration file. You must repeat this process at any workstations where the security template will be defined.
Windows 2000 has increased the base security settings from previous versions of Windows NT. By using security templates, you can ensure that consistent security is applied to all Windows 2000–based computers.
When planning the use of security templates, be sure to include decisions on applying default security to all Windows 2000–based computers, when to use the incremental security templates included with Windows 2000, and when to create custom security templates to meet your security goals. The creation of custom security templates may also require extending the Security Configuration Tool Set.