Once you've designed your custom security templates and determined that they meet the security baseline for your network, you must deploy the templates to the required computers. You may have to deploy several templates, one for each role that you've defined on the network. The decision on how to deploy the templates will vary depending on whether the underlying network uses Active Directory or is based on another network operating system or a workgroup environment.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
A workgroup, or a network run on a non-Microsoft operating system, has no Active Directory and therefore cannot use Group Policy to keep a security template applied. On such computers the template can be applied only to the local security database (local computer policy), and the only way to ensure that it stays applied is to reimport it there on a regular basis.
You can apply the security template manually once Windows 2000 installation is complete. When the operating system is loaded and the computer is ready to be deployed, use the Security Configuration And Analysis console to import the custom template for that class of computer and then configure the computer with it.
You can also apply the template automatically: save the template on the local disk and run the Secedit command from a batch file with the /CONFIGURE parameter. /DB is required and names the security database that the template is imported into; /CFG names the template to import (if it is omitted, the settings already stored in the database are applied); /OVERWRITE empties the database before the import so that only the template's settings remain; /LOG names the log file; /VERBOSE and /QUIET control how much output is produced:
SECEDIT /CONFIGURE /DB filename [/CFG filename] [/OVERWRITE] [/LOG logpath] [/VERBOSE] [/QUIET]
If your organization is using another network operating system, such as Novell NetWare, you can add the Secedit command to your network's logon scripts to ensure the regular application of the template. Remember that a logon script runs in the security context of the user who logs on. Secedit /CONFIGURE modifies the local security database and therefore requires administrative rights on the computer, so it will fail (typically with access-denied entries in its log) when the script runs for an ordinary user.
In a workgroup or non-Microsoft networking environment, deploy security templates by performing the following tasks:
Market Florist's Web servers won't participate in the domain structure, so Group Policy cannot reach them. Because of this, you must use the Secedit command to ensure that the Web Server security template is applied to each Web server.
You can automate the application of the template by using the Scheduled Tasks program in Control Panel (or the AT command, whose jobs run under the LocalSystem account). The best choice is to configure Scheduled Tasks to run Secedit daily to ensure continued application of the template. The task must run under an account with administrative rights on the Web server, and either the command should use full paths or the task's Start In folder should be set to the folder that holds the template and the database, because a scheduled job does not run in a predictable working directory. Assuming that the template is named Webserv.inf, Market Florist must perform the following tasks:
SECEDIT /CONFIGURE /DB SECURITY.SDB /CFG WEBSERV.INF /OVERWRITE /LOG C:\SECTEMP.LOG /QUIET
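The following batch file is an added example (it is not part of the original lesson or of the Market Florist material) of how the scheduled job for the Web server could be written. It applies Webserv.inf with Secedit /CONFIGURE, then runs Secedit /ANALYZE against the same template and searches the analysis log for differences, so the job reports whether the template actually took effect rather than only whether the command ran. The folder C:\SecTemplates, the file names, and the word "Mismatch" used to spot differing settings in the analysis log are assumptions.

```batch
@echo off
rem ApplyWebserv.cmd -- added example; not part of the original lesson.
rem Reapplies Webserv.inf with Secedit, then re-analyzes the computer to confirm
rem that no setting still differs from the template. Run it from AT (as SYSTEM)
rem or from a Scheduled Task that runs under an administrative account.
rem All paths below are assumptions; change them to match your own layout.
setlocal
set TEMPLATE=C:\SecTemplates\Webserv.inf
set DB=C:\SecTemplates\Security.sdb
set LOG=C:\SecTemplates\Sectemp.log
set CHECKLOG=C:\SecTemplates\Analyze.log

rem A scheduled job has no guaranteed working directory, so every path is absolute.
if not exist "%TEMPLATE%" (
    >>"%LOG%" echo %DATE% %TIME% template not found: %TEMPLATE%
    exit /b 1
)

rem /OVERWRITE empties the database before the import, so the result is defined
rem by the template alone rather than by whatever an earlier run left behind.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% secedit /configure returned %ERRORLEVEL%
    exit /b 1
)

rem Verification pass: analyze the live configuration against the same template.
rem A fresh log is used so that entries from earlier runs cannot mask the result.
rem Settings that differ are expected to appear as "Mismatch" lines (assumed wording).
if exist "%CHECKLOG%" del "%CHECKLOG%"
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%CHECKLOG%" /quiet
findstr /i /c:"Mismatch" "%CHECKLOG%" >nul
if not errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% Webserv.inf applied but settings still differ; see %CHECKLOG%
    exit /b 2
)

>>"%LOG%" echo %DATE% %TIME% Webserv.inf applied and verified
endlocal
exit /b 0
```

To run it every night at 02:00 under the LocalSystem account, which has the rights needed to change local security settings, schedule it with `at 02:00 /every:M,T,W,Th,F,S,Su "C:\SecTemplates\ApplyWebserv.cmd"`. The analysis pass is the check that matters: the configure log can record per-setting warnings (for example, a setting Secedit could not apply) even though the command itself completes, so the exit code alone does not prove the template is in effect.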
An administrator of a Windows 2000 domain can leverage Active Directory for the continued application of security templates. A template can be imported into a Group Policy object linked at the site, domain, or OU level (in the Group Policy editor, open Computer Configuration, Windows Settings, Security Settings, right-click Security Settings and choose Import Policy). Once imported, the template's settings are applied whenever that Group Policy object is applied, and they are reapplied at every policy refresh.
All settings in a security template are computer configuration settings, so a Group Policy object that carries a template should be linked only to OUs that contain computer accounts. Linking it to an OU that contains only user accounts has no effect, because nothing in the template is applied to the user configuration of Group Policy. One further caveat: the Account Policies section of a template (password, account lockout, and Kerberos policy) governs domain accounts only when it is applied at the domain level; the same settings in a template linked at an OU affect only the local accounts of the member computers in that OU.
To facilitate the deployment of security templates, you must define an OU structure that reflects the categories of computers that you've defined for your network. You should have at least one OU for each security template that you wish to deploy. You can still create sub-OUs within an OU where you deploy the security template. For example, the OU structure in Figure 8.9 applies the File Server security template at the File and Print (F&P) OU, while the computer accounts are contained within the Sales and Accounting sub-OUs.
Figure 8.9 Group Policy allows for policy inheritance to be leveraged
Group Policy supports policy inheritance by default. This allows child OUs to inherit a Group Policy object applied at a parent OU. In this example, both the Sales and Accounting OUs inherit the security template settings applied at the F&P OU.
When using Group Policy to deploy security templates, consider the following factors in your security design:
By default, member computers reapply Group Policy at the background refresh interval (every 90 minutes plus a random offset of up to 30 minutes; every 5 minutes on domain controllers), and the security settings extension reapplies its settings at least every 16 hours even when the Group Policy object has not changed. You can force a Windows 2000–based computer to apply any computer-based security settings immediately by running the following command at a command prompt: SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE. The /ENFORCE switch reapplies the settings even if Group Policy has not changed since the last refresh. This form of the command is specific to Windows 2000; Windows XP and later replace it with GPUPDATE /FORCE.
Market Florist must develop an OU structure that meets their security template deployment needs. Because there are three domains, this process must be repeated for each of the three domains, with the exception of the SQL Server templates, which are applied only in the marketflorist.tld domain, and the Web Server templates, which are deployed in a workgroup environment.
Assuming that the OU structure has been defined for Market Florist as shown in Figure 8.10, you can make the assignments shown in Table 8.7.
Figure 8.10 Proposed OU structure for the deployment of security templates
Table 8.7 Designing Security Template Deployment for Market Florist
|Security Template|Apply to|
|---|---|
|Domain Controller.inf|OU=Domain Controllers, DC=marketflorist, DC=tld|
|FileandPrint.inf|OU=File and Print, OU=Corporate Computers, DC=marketflorist, DC=tld|
|InternalSQL.inf|OU=Internal SQL Servers, OU=Corporate Computers, DC=marketflorist, DC=tld|
|ExternalSQL.inf|OU=External SQL Servers, OU=Corporate Computers, DC=marketflorist, DC=tld|
|Workstn.inf|OU=Workstations, OU=Corporate Computers, DC=marketflorist, DC=tld|
|Laptop.inf|OU=Laptops, OU=Corporate Computers, DC=marketflorist, DC=tld|
Within the OU=Workstations, OU=Corporate Computers, DC=marketflorist, DC=tld organizational unit, there may be further OUs that break out the computers by department. If this is the case, the Group Policy object with the imported Workstn.inf security template is still linked at the Workstations OU, because inheritance applies its settings to all sub-OUs. Be aware that inheritance can be blocked on a child OU (Block Policy Inheritance); if the administrator of a departmental sub-OU does this, the workstation template no longer reaches those computers unless the link at the Workstations OU is marked No Override.
Once you've created security templates that enforce the required security configuration for Windows 2000–based computers, you must develop a method to ensure the continued application of the security templates. In an Active Directory environment, you can use Group Policy to ensure that the security template is regularly applied to Windows 2000–based computers. In a non-Active Directory environment, you can use the Scheduled Tasks program in Control Panel to regularly run the Secedit command to apply the desired security templates.