Planning Baseline Security


Security templates allow you to apply security settings to machines. These templates provide a baseline for analyzing security. Templates are .inf files that can be applied to computers manually or by using Group Policy Objects (GPOs).

Security Templates and Tools

EXAM 70-293 OBJECTIVE 1, 1.2

There are numerous settings, or customizable security policies, that you can apply through security templates, including the following:

  • Account Policies: Include password policies, Kerberos policies, and account lockout policies.

  • Local Policies: Include user rights, audit policies, and other security options.

  • Event Log: Include configuration options for the Application, System, and Security event logs that can be viewed through Event Viewer.

  • Restricted Groups: Used to specify group memberships.

  • System Services: Used to configure permissions and startup options for services.

  • Registry: Used to specify permissions and for auditing Registry objects.

  • File System: Used to specify permissions and for auditing files and folders.

You can create and edit security templates using the Security Templates snap-in for the Microsoft Management Console (MMC), as explained in the “Creating Custom Security Templates” section later in this chapter. This tool allows you to manage your own templates, but you can also use predefined templates that come with Windows Server 2003. The next sections describe the predefined templates and the tools for working with security settings.

Predefined Templates

The Windows Server 2003 predefined templates are located in the %systemroot%\Security\Templates directory. The following templates are available:

  • compatws.inf: Relaxes security settings on a workstation or server, so that otherwise incompatible applications have a chance of working.

  • DC security.inf: Contains the default security settings for a domain controller.

  • hisecdc.inf: Contains high-level security settings for domain controllers.

  • hisecws.inf: Contains high-level security settings for workstations.

  • rootsec.inf: Contains the default security settings for the system volume (%systemdrive%).

  • iesacls.inf: Contains settings to lock down Internet Explorer.

  • securedc.inf: Contains enhanced security settings for domain controllers.

  • securews.inf: Contains enhanced security settings for workstations.

  • setup security.inf: Contains the default security settings for a default installation of Windows Server 2003.

These templates are described in more detail in the following sections.

Compatws Template

The compatws template is used to provide users with access to applications that do not function properly with full system security in place. The compatws template relaxes user permissions so that programs are more likely to run without errors. It also removes any members of the Power Users group. Many administrators solve their application problems by adding users to the Power Users group. However, members of this group also have the ability to create users, groups, shares, and printers. Overall, this template erodes system security and should be used with caution.

DC Security Template

The DC security template is created when a server is first promoted to being a domain controller. It contains a number of default settings, including settings for the file system, Registry, and system services. This template allows you to reapply these default security settings. Registry keys and system services that have been added or modified since the initial installation may be overwritten, as may permissions on new files. Therefore, considerable planning should be done before applying this template to a domain controller in your network.

Hisecdc Template

The hisecdc template is used to apply high-level security settings to a domain controller. Using this template will cause the domain controller to require encrypted authentication. Using this setting will also prevent most pre-Windows 2000 computers from being able to communicate with the server, because the domain controller will require clients to communicate using NTLM version 2 (NTLMv2). Finally, this template will cause many applications to malfunction.

Hisecws Template

The hisecws template applies settings similar to those in the hisecdc template, but it is designed for use with workstations and servers that are not configured as domain controllers. When this template is applied to a computer, all of the domain controllers that have accounts for users that can log on to the client must be running Windows NT 4.0 Server with Service Pack 4 installed, Windows 2000 Server, or Windows Server 2003. Also, any domain controllers in domains that the client is a member of must be running Windows 2000 Server or Windows Server 2003.

Clients are also unable to connect to computers using LAN Manager for authentication or from machines running operating systems earlier than Windows NT 4.0 Service Pack 4 using an account on the local machine. In addition, attempts to connect to a server running Windows NT 4 where the time on each machine has a difference of 30 minutes or more will fail. If the client connects to a computer running Windows XP, the time difference between them cannot exceed 36 hours.

The hisecws template also modifies settings to control memberships in security-sensitive groups. Once applied, all users are removed from the Power Users group, and only members of the Domain Admins group and the Administrator account are kept as members of the computer’s local Administrators group.

As with the hisecdc template, applying the hisecws template will cause many applications to malfunction because of the enhanced security. This template should be very carefully tested before deployment.

Rootsec Template

The rootsec template is used to define security settings for the system volume. It is used to set permissions at the root of the system drive, so that original settings can be reapplied. This can be particularly useful if the permissions on the system drive are inadvertently modified. This template can also be modified to apply the same root permissions on other volumes. In doing so, it will overwrite inherited permissions on child objects, but will not overwrite any explicit permissions on child objects.

Iesacls Template

The iesacls template is used to lock down security settings used by Internet Explorer (IE), which can be used to access data on the Internet or on a corporate intranet. Using this template, you can enhance security by enforcing stricter settings on Internet Explorer.

Securedc Template

The securedc template is used on domain controllers to enhance security while minimizing the impact on applications. This template also configures servers to refuse LAN Manager responses. Computers running operating systems such as Windows for Workgroups, Windows 95, and Windows 98 use LAN Manager to authenticate to servers. For these clients to be able to connect to a domain controller with the securedc template applied, the clients will need to have a patch or the Active Directory Client Extensions Pack installed on them.

Securews Template

The securews template provides the same settings as the securedc template, but it applies to workstations or servers that are not configured as domain controllers. It is designed to enhance security without impacting on applications that are running on the computer. This template also affects authentication, because it limits the use of NTLM by configuring clients accessing the machine to respond with NTLMv2 responses.

When this template is applied, the domain controllers that contain user accounts for those who will log on to the client must run Windows NT 4.0 with Service Pack 4 or higher, Windows 2000, or Windows Server 2003. Additionally, there are requirements dealing with time. If the domain contains Windows NT 4 domain controllers, the clocks between the domain controllers running this operating system must have their time synchronized within 30 minutes of one another. Computers also will not be able to connect to servers running Windows 2000 or Windows NT 4 if their clocks are off by more than 30 minutes from the server. Computers will not be able to connect to a Windows XP machine if their clocks are off by more than 20 hours.

Servers that have this template applied also have limitations. The server won’t be able to connect to clients running LAN Manager and will need to be authenticated using NTLMv2. However, NTLMv2 can be used to authenticate to Windows 2000 or Windows Server 2003 servers if the clocks on the client and server are within 30 minutes of one another. If the server is running Windows XP, the two machines must be synchronized within 20 hours of one another.

Setup Security Template

The setup security template is created when a computer is installed, and it varies from one machine to another, depending on whether the operating system was upgraded or installed as a clean installation. Because of this, it should never be applied to a group of computers using Group Policy or manually to other systems, unless you have carefully reviewed its settings. This template allows you to reapply a system’s default security settings. Use the DC security template for domain controllers, not the setup security template.

Security Configuration and Analysis

A tool that makes significant use of security templates is the Security Configuration and Analysis tool. This tool is an MMC snap-in that allows you to analyze and configure system settings. Using it, you can perform the following tasks:

  • Analyze security settings for local and group policies.

  • Apply security templates to the local Windows Server 2003 computer.

  • Export settings to template files, so they can be applied later either manually or by using Group Policy.

The Security Configuration and Analysis tool assists you in determining whether a computer has an adequate security configuration by comparing the current settings to those in a security template. One or more templates are applied to a database, which is used to analyze the difference between the database settings and the current computer configuration. In viewing the results, you are able to determine what changes will be made to the machine if the template is applied. You can alter the settings to ensure that the desired configuration results are obtained, and apply them to the computer individually or to a range of computers using a GPO.

When the Security Configuration and Analysis snap-in is loaded into MMC, the console tree in the left pane shows the Security Configuration and Analysis node, as shown in Figure 2.16. When you initially select this node, it will provide information in the details pane (right pane) on how to open or create a database that can be used to analyze or configure the computer. After you have opened or created a database, the left pane is populated with a log or nodes containing settings that can be configured. You can then select any of these nodes and modify settings that can be applied to the local machine or multiple machines using Group Policy.

Figure 2.16: Initial Information Provided by the Security Configuration and Analysis Tool

Group Policy Object Editor

The Group Policy Object Editor is another tool that allows you to view and modify security settings. Because this tool is also loaded into the MMC, it has the same basic appearance as the Security Configuration and Analysis snap-in. A tree of information appears in the left pane, and details on selected items appear in the right pane. GPOs can be applied to manage security settings at the OU, site, and domain level.

As shown in Figure 2.17, security settings are available under Computer Configuration and User Configuration. The settings under Computer Configuration apply to settings that affect the computer, and those under User Configuration apply to users. The policies that appear in this snap-in are those that have already been configured in the GPO.

Figure 2.17: Configured Policies in the Group Policy Object Editor

Using the Group Policy Object Editor, you can import policies stored in templates or export current settings to a template file that can then be used to configure other computers. These are topics we’ll discuss later in this chapter, in the “Enforcing Default Security Settings on New Computers” section.

Secedit

Secedit is a command-line tool that allows you to analyze and configure computers using templates, and to automate security configurations. Commands are entered from the textual interface of the command prompt, which means that these commands can be added to scripts and batch files to automatically configure a machine. Unlike the other tools we’ve discussed so far, Secedit cannot be used to modify or export a template.

There are several commands that can be used with Secedit to specify which actions to perform. The different parameters for Secedit include the following:

  • secedit /analyze: Used to analyze the security settings of a computer.

  • secedit /configure: Used to apply the security settings in a template to a computer.

  • secedit /export: Allows you to export the security settings in the database to a template.

  • secedit /import: Used to import a template into the database so that its settings can be used to analyze the machine or to configure its security settings.

  • secedit /validate: Used to validate the syntax of a template before importing it into the database.

  • secedit /GenerateRollback: Used to create a rollback template that can be used to restore the computer’s security settings to the way they were before applying a configuration template.

    Exam Warning

    The Secedit command-line tool and Security Configuration and Analysis snap-in are the only tools that allow you to analyze security settings by having them compared to a security template. No other tools in Windows Server 2003 have this ability.

The following sections describe each of these commands and their parameters in more detail.

Analyze

The secedit /analyze command provides the ability to compare the security settings in a template to those of a computer. The syntax for this command is as follows:

secedit /analyze /db FileName.sdb [/cfg FileName] [/overwrite] [/log FileName] [/quiet]

As is the case with each of the Secedit commands, the command’s parameters allow you to specify additional options. The parameters for secedit /analyze are shown in Table 2.2.

Table 2.2: Parameters for the secedit /analyze Command

| Parameter | Description |
| --- | --- |
| /db FileName.sdb | |
| /cfg FileName | Used to specify the security template that is to be imported into the database and used for the operation. |
| /overwrite | Used to specify that the database is to be emptied before the security template is imported into it. When this setting isn’t used, security templates are accumulated in the database, so that multiple templates can be used in the process. Any conflicting settings existing in the database are overwritten as the next template is imported. |
| /log FileName | Specifies the log file used to record events related to the command. By default, if this parameter isn’t specified, events will be logged to %windir%\Security\Logs\scesrv.log. |
| /quiet | Ensures that the user is not prompted for input during the process. |

Configure

The secedit /configure command is used for configuring security settings on a computer, by applying the settings in a database to the machine. With this command, the template can be imported into a database and applied to the local machine. The syntax for this command is as follows.

secedit /configure /db FileName.sdb [/cfg FileName] [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

The command’s parameters are the same as those listed in Table 2.2, with the addition of /areas Area1 Area2. This parameter is used to specify what security settings are exported to the template. When this parameter is used, security areas can be specified. When it isn’t used, all settings are exported. The following security areas can be specified:

  • SECURITYPOLICY: Includes account and audit policies, event log settings, and security options.

  • GROUP_MGMT: Includes settings for restricted groups.

  • USER_RIGHTS: Includes settings for user rights assignments.

  • REGKEYS: Sets Registry permissions.

  • FILESTORE: Sets file system permissions.

  • SERVICES: Includes system service settings.

Export

The secedit /export command allows you to export settings to a template. Using this command, you can take the settings from a computer, export them to a template, and then import that template to another machine or GPO so that multiple computers share the same configuration. The syntax for this command is as follows:

secedit /export /db FileName.sdb [/mergedpolicy] [/cfg FileName] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

The command’s parameters are the same as those listed in Table 2.2, with the addition of /areas Area1 Area2, explained in the previous section, and /mergedpolicy, which is used to merge the security settings of the domain and local computer into a single template file.

Import

The secedit /import command is used to import a security template into a database, so it can be applied to the computer or used in analysis. The syntax for this command is as follows:

secedit /import /db FileName.sdb /cfg FileName [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

The command’s parameters are the same as those listed in Table 2.2, with the addition of /areas Area1 Area2, described earlier in the “Configure” section.

Validate

The secedit /validate command is used to validate the syntax of a template before importing it into the database. This command is particularly useful when you’ve created a new security template and want to ensure that it does not have errors before using it for configuration or analysis. The syntax for this command is as follows:

secedit /validate FileName 

Unlike the other commands we’ve discussed, this command has only one parameter: FileName. The FileName parameter is used to specify the name of the template to be validated.

GenerateRollback

When applying a configuration template to a machine, the secedit /GenerateRollback command provides the option of creating a template that can be used to roll back settings on the machine. Before a security template is applied, the current settings of the computer are exported into a template file. If you wish to restore the old settings of the computer after the security template is applied, you can use the rollback template. The syntax for this command is as follows:

secedit /GenerateRollback /cfg FileName.inf /rbk FileName.inf [/log FileName] [/quiet]

Table 2.3 describes these parameters.

Table 2.3: Parameters for the secedit /GenerateRollback Command

| Parameter | Description |
| --- | --- |
| /cfg FileName.inf | Used to specify the security template that will be used in creating the rollback template. |
| /rbk FileName.inf | Used to specify the name of the rollback template to be created. |
| /log FileName | Specifies the log file used to record events related to the command. By default, if this parameter isn’t specified, events will be logged to %windir%\Security\Logs\scesrv.log. |
| /quiet | Ensures that the user is not prompted for input during the process. |

Planning Secure Baseline Installation Parameters

Because applying a security template can have a major impact on a computer, it is important that you take preliminary steps to ensure that the template can be applied correctly and will not make unwanted changes. By reviewing information about the template and performing an analysis of changes that will be made after the template is applied, you can ensure the computer will be configured correctly.

Before applying a security template, you should review its settings. Each of the templates addresses different levels of security and/or different settings that will be applied to the computer. Although template settings can be customized, you should determine whether a particular template configures the computer the way you want. If the wrong settings are applied, you need to either manually correct them or use a rollback template that was created before you applied this template.

The only predefined templates that will return a computer to an original state are the setup security and DC security templates. As we discussed earlier, the setup security template contains settings from when the computer was installed, and it is specifically created for each computer. This template can be used on workstations, stand-alone servers, and member servers, but domain controllers should not have this template applied to them. To return a domain controller to the state it was in when it was first promoted, use the DC security template. In both cases, any changes that have been made to settings since the template was initially created are not applied.
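The review, rollback, and analysis steps recommended in this section can be chained with the Secedit commands described earlier. This PowerShell script is an added example, not part of the original chapter; the working folder, the file names, and the treatment of any non-zero secedit exit code as a reason to stop are assumptions.

```powershell
# Added example: validate, snapshot, analyze, and only then apply a template.
# Assumptions (hypothetical): C:\SecBaseline as the working folder, securews.inf as
# the template, and that a non-zero secedit exit code means "stop and read the log".
param(
    [string]$Template = "$env:SystemRoot\Security\Templates\securews.inf",
    [string]$WorkDir  = 'C:\SecBaseline',
    [switch]$Apply    # without -Apply the script stops after the analysis
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$db          = Join-Path $WorkDir 'baseline.sdb'
$rollback    = Join-Path $WorkDir 'rollback.inf'
$rollbackLog = Join-Path $WorkDir 'rollback.log'
$analyzeLog  = Join-Path $WorkDir 'analyze.log'
$applyLog    = Join-Path $WorkDir 'configure.log'

function Invoke-Secedit {
    param([string[]]$Arguments)
    Write-Host "secedit $($Arguments -join ' ')"
    & secedit.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "secedit exited with code $LASTEXITCODE; review the logs in $WorkDir before continuing."
    }
}

# 1. Catch syntax errors in the template before it touches any database.
Invoke-Secedit '/validate', $Template

# 2. Create the rollback template while the current settings are still in place.
Invoke-Secedit '/GenerateRollback', '/cfg', $Template, '/rbk', $rollback, '/log', $rollbackLog, '/quiet'

# 3. Import the template into an emptied database and compare it with the machine.
Invoke-Secedit '/analyze', '/db', $db, '/cfg', $Template, '/overwrite', '/log', $analyzeLog, '/quiet'

if (-not $Apply) {
    Write-Host "Analysis finished. Review $analyzeLog, or open $db in Security Configuration and Analysis, then rerun with -Apply."
    return
}

# 4. Apply the settings now held in the database to the local computer.
Invoke-Secedit '/configure', '/db', $db, '/log', $applyLog, '/quiet'

$rollbackDb = Join-Path $WorkDir 'rollback.sdb'
Write-Host "Applied. To roll back: secedit /configure /db $rollbackDb /cfg $rollback /overwrite /quiet"
```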

Using Security Configuration and Analysis to Analyze a Computer

By analyzing a computer with Security Configuration and Analysis, you can determine whether a machine has adequate security settings or if additional configuration is required. The analysis is performed by adding one or more security templates to a database, which is used for comparison against the computer’s current settings. In comparing this information, you can see where possible problems exist between your current configuration and the ones stored in the template.

Analyzing a computer begins by opening the MMC with the Security Configuration and Analysis snap-in installed. Then you can analyze a computer by performing the following steps:

  1. In the left pane of the console, right-click Security Configuration and Analysis (see Figure 2.16) and select Open Database from the context menu. (Note that the context menu options also appear on the Action menu when Security Configuration and Analysis is selected.)

  2. The Open database dialog box, shown in Figure 2.18, lists all the existing databases. To open an existing database, select the database from the list and click Open. To create a new database instead, enter the name of the new database in the File name text box, and then click Open. If you are opening an existing database, you will then be returned to the Security Configuration and Analysis tool, and you can skip to step 4. If you are creating a new one, the Import Template dialog box appears.

    Figure 2.18: Opening an Existing Database or Creating a New One

  3. As shown in Figure 2.19, the Import Template dialog box displays a list of the security templates stored in the %systemroot%\Security\Templates folder. This folder contains predefined security templates, but you can browse the hard disk for other security templates that you’ve created or downloaded and stored elsewhere. Select a template from the list and click Open. The template is imported into the database, and you’re returned to the Security Configuration and Analysis tool.

    Figure 2.19: Importing a Template

    You can add more templates by right-clicking the Security Configuration and Analysis node again and selecting Import Template from the context menu. When multiple templates are added to the database used for analysis, the templates are merged together so that all settings are used for comparison. These templates are added one at a time, and any conflicts between them are resolved by the order in which they are imported. For example, if you added the compatws template and then the securews template to the database, the settings in the securews template would take precedence because it was the last one to be imported. If another template is then added and conflicts with the current composite template in the database, this new template’s settings would take precedence over the previous settings. To import a template into the database without having it appended to existing settings, check the Clear this database before importing check box in the Import Template dialog box. Any existing settings in the database will be purged, and only the settings in the template being imported will be used.

  4. After you’ve opened or created a database and added the necessary templates, you are ready to begin taking steps to analyze the existing security settings. Select the Security Configuration and Analysis node, right-click it, and click Analyze Computer Now.

  5. As shown in Figure 2.20, the Perform Analysis dialog box appears. Here, you can enter the name and path of a log file that will be used to record errors in the process. After clicking OK, another dialog box informs you that analysis of the computer is being performed.

    Figure 2.20: Entering the Analysis Log File Path

  6. When the analysis is complete, the left pane of the Security Configuration and Analysis tool is populated with information about the settings that have been analyzed. As shown in Figure 2.21, the left pane shows different areas of security. When selected, these display results of the analysis for that area in the right pane. A side-by-side comparison is offered, showing database settings used for analysis and the computer’s current settings. This allows you to quickly determine if changes need to be made to the current settings or if they provide the level of security desired for your organization.

    Figure 2.21: Viewing the Results of a Security Analysis

When an analysis is performed, the results are organized into areas of security, and visual flags are used to indicate discrepancies. The following flags may appear beside entries in the results:

  • A red X indicates that the entry does not match the corresponding setting in the database.

  • A green check mark indicates that the entry in the database and the computer’s setting match.

  • An exclamation mark indicates that an entry in the database does not correspond to any setting on the computer. This may appear if a security setting for a group or other object is in a template added to the database, but the group or object isn’t one that is used on the computer being analyzed.

  • A question mark indicates that although the setting is on the computer, there is no corresponding entry in the database. This may indicate that the account you are using when performing the analysis does not have the appropriate permissions to analyze a security area or object, or that the entry was not used in any of the templates added to the database.

  • No highlight indicates that the entry isn’t defined in the database and isn’t used on the system.
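The import-order precedence described in step 3 and the result flags listed above can be reproduced directly on template text. The following PowerShell code is an added example, not part of the original chapter or of any Microsoft tool; the function names are hypothetical, and the three template fragments are constructed samples rather than the contents of the shipped templates.

```powershell
# Added example. Parses security-template (.inf) text, merges templates in import
# order (last import wins), and flags each setting the way the analysis results do.

function ConvertFrom-SecurityTemplate {
    param([Parameter(Mandatory)][string]$Text)
    $settings = [ordered]@{}
    $section  = $null
    foreach ($raw in ($Text -split "\r?\n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }      # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($null -eq $section -or $line -notmatch '=') { continue }  # skip lines that are not name = value
        $name, $value = $line -split '=', 2
        $settings["$section\$($name.Trim())"] = $value.Trim()
    }
    return $settings
}

function Merge-SecurityTemplate {
    # $Templates: @{ Name = ...; Text = ... } entries, listed in import order.
    param([Parameter(Mandatory)][object[]]$Templates)
    $database = [ordered]@{}
    foreach ($t in $Templates) {
        $parsed = ConvertFrom-SecurityTemplate -Text $t.Text
        foreach ($key in $parsed.Keys) {
            # A later import overwrites a conflicting earlier value.
            $database[$key] = [pscustomobject]@{ Value = $parsed[$key]; Source = $t.Name }
        }
    }
    return $database
}

function Compare-SecurityBaseline {
    param($Database, $Computer)
    $names = @($Database.Keys) + @($Computer.Keys | Where-Object { -not $Database.Contains($_) })
    foreach ($name in $names) {
        $inDb = $Database.Contains($name)
        $onPc = $Computer.Contains($name)
        if ($inDb -and $onPc) {
            if ($Database[$name].Value -eq $Computer[$name]) { $flag = 'green check (match)' }
            else { $flag = 'red X (mismatch)' }
        } elseif ($inDb) {
            $flag = 'exclamation mark (not on computer)'
        } else {
            $flag = 'question mark (not in database)'
        }
        # Settings defined in neither place never reach this loop: the "no highlight" case.
        [pscustomobject]@{
            Setting  = $name
            Database = if ($inDb) { $Database[$name].Value } else { $null }
            Source   = if ($inDb) { $Database[$name].Source } else { $null }
            Computer = if ($onPc) { $Computer[$name] } else { $null }
            Flag     = $flag
        }
    }
}

# Constructed sample: template imported first.
$templateA = @'
[System Access]
MinimumPasswordLength = 0
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 0
'@

# Constructed sample: template imported second; it wins the MinimumPasswordLength conflict.
$templateB = @'
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
'@

# Constructed sample: the computer's current settings in the same format.
$current = @'
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 90
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
'@

$database = Merge-SecurityTemplate -Templates @(
    @{ Name = 'templateA'; Text = $templateA },
    @{ Name = 'templateB'; Text = $templateB }
)
$computer = ConvertFrom-SecurityTemplate -Text $current
Compare-SecurityBaseline -Database $database -Computer $computer | Format-Table -AutoSize
```

With these samples, MinimumPasswordLength matches because templateB's value replaced templateA's, MaximumPasswordAge and PasswordComplexity are mismatches, the LmCompatibilityLevel entry has no counterpart on the computer, and LockoutBadCount has no entry in the database.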

To modify settings in the database, double-click an entry. For example, double-clicking the Maximum password age entry brings up a corresponding dialog box, which allows you to change the number of days before a password will expire. Once you’re finished making the modifications, you can save these changes to a new template file by selecting the Security Configuration and Analysis node and clicking Action | Export Template. In the Export Template To dialog box, shown in Figure 2.22, you can specify the name of the new template and where it should be saved. As you’ll see in the next section, you can then use your new template to apply the settings to the computer and other machines on your network.

Figure 2.22: Exporting a Template

Exercise 2.03: Analyzing Security Using Security Configuration and Analysis

  1. Select Start | Run, type MMC, and click OK.

  2. In the blank console that appears, click File | Add/Remove Snap-in.

  3. When the Add/Remove Snap-in dialog box appears, click the Standalone tab, and then click the Add button.

  4. In the Add Standalone Snap-in dialog box, select Security Configuration and Analysis from the list and click Add.

  5. Click Close to return to the previous screen. The Security Configuration and Analysis entry should appear in the Add/Remove snap-in dialog box. Click OK to close the dialog box.

  6. The console tree in MMC should now contain a Security Configuration and Analysis node. Select this node and click Action | Open Database.

  7. When the Open database dialog box appears, type the name of a new database in the File name text box and click Open.

  8. When the Import Template dialog box appears, select hisecdc if you are working on a domain controller, or select hisecws if you are working on a workstation or server that isn’t configured as a domain controller. Then click Open.

  9. When the Security Configuration and Analysis console appears, select the Security Configuration and Analysis node in the left pane and click Action | Analyze Computer Now.

  10. When the Perform Analysis dialog box appears, click OK to accept the default path and filename for the error log to be created.

  11. When the analysis is complete, browse through the settings and identify differences between the security settings in the database and the machine.


Enforcing Default Security Settings on New Computers

EXAM 70-293 OBJECTIVE 1.2.1, 1.2.2, 1.2.3

Security settings can be enforced on local computers or through AD. By using security templates in conjunction with the Security Configuration and Analysis snap-in, you can configure a local computer’s security settings. Security templates can also be imported into the group policy of a domain, site, or OU in AD, so that the settings can be applied to multiple computers.

Using Security Configuration and Analysis to Apply Templates to a Local Computer

The Security Configuration and Analysis tool allows you to configure local computers by applying the settings in a security template to the local policy. The settings will apply only to the computer on which Security Configuration and Analysis is being run. They will not affect other machines in the domain.

The initial steps for configuring a local computer are similar to the steps involved in running an analysis. In the Security Configuration and Analysis console, select the Security Configuration and Analysis node in the left pane and click Action | Open Database. As described earlier in the “Using Security Configuration and Analysis to Analyze a Computer” section, use the Open database dialog box (see Figure 2.18) to either open an existing database or create a new one. If you are opening an existing database, you will be returned to the Security Configuration and Analysis tool. If you are creating a new database, the Import Template dialog box (see Figure 2.19) appears. In the Import Template dialog box, select the security template that will be applied to the local machine and click Open. The template is imported into the database, and you’re returned to the Security Configuration and Analysis tool. You can add other templates by selecting the Security Configuration and Analysis node again and clicking Action | Import Template. Check the Clear this database before importing check box if you want only the settings in the template being imported to be used in the database.

After you’ve added the templates to the database, you return to the Security Configuration and Analysis tool. You can apply the template by selecting the Security Configuration and Analysis node again and clicking Action | Configure Computer Now. In the dialog box that appears (see Figure 2.20), specify the filename and path of the error log file created for this process. Clicking OK in this dialog box will begin the configuration of the computer.

Using Group Policy Object Editor to Apply Templates

AD allows security templates to be applied at the domain, site, and OU level by using GPOs. When a security template is imported into a GPO, any computers that have the GPO applied to them will automatically receive the configured settings. The Group Policy Object Editor tool allows you to view and modify settings in a GPO.

You can view and modify the group policies of domains, sites, and OUs using tools that are installed on domain controllers. You can access the group policy configuration of a site through Active Directory Sites and Services. To access domain and OU settings, use Active Directory Users and Computers. By selecting a site in Active Directory Sites and Services and clicking Action | Properties, you can access the group policy configuration of that site. To see the group policy settings of a domain or OU, select it in Active Directory Users and Computers, and then click Action | Properties.

As shown in Figure 2.23, the Group Policy tab of a domain, site, or OU Properties dialog box allows you to view linked group policies. This tab includes a list of the group policies that are currently linked to the selected domain, site, or OU. Beneath the list are the following buttons for working with the GPO:

  • New Allows you to create a new GPO.

  • Add Allows you to link an existing group policy to the domain, site, or OU.

  • Edit Displays the Group Policy Object Editor, which can be used to configure the GPO.

  • Options Displays a dialog box containing two options for the GPO. The No Override option specifies that group policies lower in the hierarchy cannot override the settings in this policy. The Disable option specifies that settings in this group policy are not to be applied.

  • Delete Removes a selected group policy from the domain, site, or OU. There are two options. The Remove the link from the list option removes the link so it no longer appears in the listing. The Remove the link and delete the Group Policy Object permanently option removes the link so it no longer appears in the listing and also deletes it so it cannot be used in the future.

  • Properties Displays properties of the group policy. You can configure permissions associated with a selected GPO and see where else it may be linked.

    Figure 2.23: Viewing Group Policy Properties of a Domain

To open the Group Policy Object Editor, click the Edit button on the Group Policy tab. You can also open this tool using the MMC, by adding the Group Policy Object Editor snap-in. After you’ve added this snap-in, you are prompted to choose whether you want to open the local computer policy or browse for a group policy in AD, as shown in Figure 2.24. If you accept the default choice of opening the local computer policy, any modifications you make will apply only to the computer on which you are working. Remember that any local policy settings you configure can be overridden by a group policy applied at the site, domain, or OU level.

Figure 2.24: Selecting a Group Policy
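How the precedence rules above combine, as an added example that is not from the book: a resolver that applies policies in the order local, site, domain, OU, skips links marked Disable, and keeps a No Override setting from being replaced lower in the hierarchy. The GPO names, setting values and the Link class are hypothetical, and links at the same level are assumed to be listed in processing order.

```python
from dataclasses import dataclass

# Processing order: first applied to last applied. Later levels win by default.
LEVELS = ["local", "site", "domain", "ou"]


@dataclass
class Link:
    name: str                  # hypothetical GPO name
    level: str                 # one of LEVELS
    settings: dict             # setting name -> configured value
    no_override: bool = False  # the No Override option
    disabled: bool = False     # the Disable option


def effective_policy(links):
    """Return {setting: (value, name of the policy that supplied it)}."""
    active = sorted((l for l in links if not l.disabled),
                    key=lambda l: LEVELS.index(l.level))  # stable sort
    result, locked = {}, set()
    for link in active:
        for setting, value in link.settings.items():
            if setting in locked:
                continue  # protected by a No Override link higher up
            result[setting] = (value, link.name)
            if link.no_override:
                locked.add(setting)
    return result


# Constructed sample: one computer in an OU of a domain.
SAMPLE_LINKS = [
    Link("Local Policy", "local",
         {"AuditLogonEvents": 0, "AuditObjectAccess": 1, "MaximumLogSize": 512}),
    Link("Domain Baseline", "domain", {"AuditLogonEvents": 3},
         no_override=True),
    Link("Servers OU", "ou", {"AuditLogonEvents": 1, "MaximumLogSize": 16384}),
    Link("Retired OU Policy", "ou", {"MaximumLogSize": 1024}, disabled=True),
]

if __name__ == "__main__":
    for setting, (value, source) in sorted(effective_policy(SAMPLE_LINKS).items()):
        print(f"{setting} = {value}  (from {source})")
```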

As shown in Figure 2.25, the Group Policy Object Editor has two panes. The left pane contains a tree view that allows you to browse through various policy settings. This tree is divided into two separate sections: Computer Configuration (which applies to computer accounts) and User Configuration (which applies to user accounts). Located beneath each of these is a Windows Settings | Security Settings node, which contains groups of settings that you can view and modify. When you select a node in the left pane, policy settings appear in the right pane. When you double-click one of these policy settings, you’ll see a dialog box that allows you to modify the entry. Each entry has different values that you can set.

Figure 2.25: Group Policy Object Editor

Figure 2.26 shows the Minimum password length Properties dialog box. Notice the Define this policy setting check box, which is common to all of the policies in the Group Policy Object Editor tool. If you check this option, you can then modify the value associated with that policy.

Figure 2.26: Viewing Minimum Password Length Properties

You can also import security templates into policies that are viewed through the Group Policy Object Editor. Right-click the Security Settings node and select Import Policy in the context menu. You will see a dialog box that displays the default directory for predefined templates. If necessary, browse to and select a template, and then click Open to import the template into the policy.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173