Lesson 3: Planning the Deployment of Security by Using Security Templates
Once you've designed your custom security templates and determined that they meet the security baseline for your network, you must deploy the templates to the required computers. You may have to deploy several templates, one for each role that you've defined on the network. The decision on how to deploy the templates will vary depending on whether the underlying network uses Active Directory or is based on another network operating system or a workgroup environment.
After this lesson, you will be able to
- Plan the best way to deploy security templates to ensure consistent application of security to computers with similar roles on the network
Estimated lesson time: 30 minutes
Deploying Security Templates in a Workgroup
A workgroup or non-Microsoft network is unable to use Group Policy to provide continued deployment of the security template. The only way to ensure continued application of the security template is to import the security template into local computer policy.
You can apply the security template manually during the Windows 2000 installation. Once the operating system is loaded and the computer is ready to be deployed, you can apply the custom security template for that class of computer to the computer by using the Security Configuration And Analysis console.
You can also apply the security template automatically by saving the security template locally to the computer and using the Secedit command within a batch file to apply the security template. You do this by using Secedit with the /CONFIGURE parameter:
SECEDIT /CONFIGURE [/DB filename] [/CFG filename ] [/OVERWRITE] [/LOG logpath] [/VERBOSE] [/QUIET]
where
- /DB filename provides the path to the database file that contains the stored configuration from the desired security template indicated in the /CFG option.
- /CFG filename provides the path to the security template that's imported into the database for analysis. If this option isn't provided, it's assumed that a security template has already been imported in the indicated database.
- /OVERWRITE ensures that any previous security template imported into the security database is overwritten with the information in the indicated security template rather than having the security template information appended to the stored template.
- /LOG logpath provides the path that's used to log the reports of the analysis.
- /VERBOSE indicates that the log file contains more detailed progress information than is regularly recorded.
- /QUIET suppresses all log and screen output. This option is useful to prevent the user from realizing the continued application of the security template.
NOTE
If your organization is using another network operating system, such as Novell, you can add the Secedit command to your network's logon scripts to ensure the regular application of the security template.
Making the Decision
In a workgroup or non-Microsoft networking environment, deploy security templates by performing the following tasks:
- Distribute the configured security templates to the client computers. If the template is defined in advance, include the template in the base image for the computer role. Otherwise, you could mail or manually install the template to each client computer or distribute it through the logon process in a networked environment.
- Configure the computer initially with the security template. You can set the installation process to include the application of the security template by using the Security Configuration And Analysis console.
- Ensure continued application of the security template. Use the SECEDIT/CONFIGURE command in batch files or network logon scripts. This ensures that the security template is regularly applied to the required computers.
Applying the Decision
Market Florist's Web servers won't participate in the domain structure. Because of this fact, you must use the Secedit command to ensure that the Web Server security template is applied to the Web server.
You can automate the application of the security template by using the Scheduled Tasks program in Control Panel. The best choice is to configure Scheduled Tasks to run Secedit daily to ensure continued application of the security template. Assuming that the template is named Webserv.inf, Market Florist must perform the following tasks:
- The Webserv.inf file must be manually distributed to the four Web servers.
- A batch file must be created that includes the following content:
SECEDIT /CONFIGURE /DB SECURITY.SDB /CFG WEBSERV.INF /OVERWRITE /LOG C:\SECTEMP.LOG /QUIET
- This batch file must be configured under Scheduled Tasks to be run daily. This ensures continued application of the security template settings.
Deploying Security Templates in a Windows 2000 Domain
An administrator of a Windows 2000 domain can leverage Active Directory for the continued application of security templates. Security templates can be imported into Group Policy objects defined at the site, domain, or OU. Importing the security template ensures that the settings defined in the template are applied with the application of Group Policy objects.
NOTE
All security template settings are computer configuration settings and should only be applied at OUs that contain computer accounts. There is no benefit in applying the security templates to OUs that contain only user accounts because the settings aren't applied to the user configuration within Group Policy.
To facilitate the deployment of security templates, you must define an OU structure that reflects the categories of computers that you've defined for your network. You should have at least one OU for each security template that you wish to deploy. You can still create sub-OUs within an OU where you deploy the security template. For example, the OU structure in Figure 8.9 has the File Server security template at the File and Print OU, while the computer accounts are contained within the Sales and Accounting OUs.
Figure 8.9 Group Policy allows for policy inheritance to be leveraged
Group Policy supports policy inheritance by default. This allows child OUs to inherit a Group Policy object applied at a parent OU. In this example, both the Sales and Accounting OUs inherit the security template settings applied at the F&P OU.
Making the Decision
When using Group Policy to deploy security templates, consider the following factors in your security design:
- Your OU structure must reflect the categories of computers that require security templates. This is a one-to-one mapping, in that you only apply the security template directly to a single OU.
- Place all computers that require a security template in the same OU or OU structure. Doing this allows the Group Policy object to be applied only once in the Active Directory structure. It's best to minimize the areas where Group Policy is applied to ensure faster startup times for Windows 2000–based computers.
- Import the custom security template into the correct OU. Once you've tested the security template, you can import the completed security template into a Group Policy object. You must apply the Group Policy object at an OU that contains the computer accounts requiring the security template. Don't apply the Group Policy object to an OU that contains user accounts.
- Group Policy application isn't immediate. A computer that's in an OU where Group Policy is applied won't immediately receive the newly configured Group Policy settings. By default, a DC refreshes Group Policy settings every 5 minutes and a Windows 2000–based computer refreshes Group Policy settings every 90 minutes.
NOTE
You can force a Windows 2000–based computer to apply any computer-based security settings immediately by running the following command at a Command Prompt: SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE.
Applying the Decision
Market Florist must develop an OU structure that meets their security template deployment needs. Because there are three domains, this process must be repeated for each of the three domains, with the exception of the SQL Server templates, which are applied only in the marketflorist.tld domain, and the Web Server templates, which are deployed in a workgroup environment.
Assuming that the OU structure has been defined for Market Florist as shown in Figure 8.10, you can make the assignments shown in Table 8.7.
Figure 8.10 Proposed OU structure for the deployment of security templates
Table 8.7 Designing Security Template Deployment for Market Florist
| Security Template | Apply to |
|---|---|
| Domain Controller.inf | OU=Domain Controllers, DC=marketflorist, DC=tld |
| FileandPrint.inf | OU=File and Print, OU=Corporate Computers, DC=marketflorist, DC=tld |
| InternalSQL.inf | OU=Internal SQL Servers, OU=Corporate Computers, DC=marketflorist, DC=tld |
| ExternalSQL.inf | OU=External SQL Servers, OU=Corporate Computers, DC=marketflorist, DC=tld |
| Workstn.inf | OU=Workstations, OU=Corporate Computers, DC=marketflorist, DC=tld |
| Laptop.inf | OU=Laptops, OU=Corporate Computers, DC=marketflorist, DC=tld |
Within the OU=Workstations, OU=Corporate Computers, DC=marketflorist, DC=tld organizational unit, there may be further OUs that break out the departments for the computers. If this is the case, the Group Policy object with the imported Workstn.inf security template would still be applied at the Workstations OU because inheritance will apply the settings to all sub-OUs.
Lesson Summary
Once you've created security templates that enforce the required security configuration for Windows 2000–based computers, you must develop a method to ensure the continued application of the security templates. In an Active Directory environment, you can use Group Policy to ensure that the security template is regularly applied to Windows 2000–based computers. In a non-Active Directory environment, you can use the Scheduled Tasks program in Control Panel to regularly run the Secedit command to apply the desired security templates.
EAN: 2147483647
Pages: 172