How Security Templates Work

Every computer that runs Windows 2000 or Windows XP has a local GPO that includes security settings; it is applied when the computer starts up. You can also deploy the settings in security templates by using Group Policy at the site, domain, and OU levels.

Applying Security Templates to a Local Computer

The local security template provides the base security for Windows 2000 and Windows XP computers. A local security template is applied to every Windows 2000 and Windows XP computer during installation or when it is upgraded from Windows NT. Windows 2000 and Windows XP include the Security Templates Microsoft Management Console (MMC) snap-in, which enables you to adjust the baseline security of a local computer. With the Security Templates MMC snap-in you create security templates: text-based files that contain security settings for all the security areas supported by the Security Configuration Toolset. The Security Configuration Toolset includes the following:

  • Security Templates MMC snap-in

  • Security Configuration and Analysis MMC snap-in

  • Secedit.exe command-line utility

Note: NTFS system and boot partitions that are converted by using the Convert.exe command do not have the same default DACLs as system and boot volumes that were formatted as NTFS natively. To resolve this issue with converted partitions, see 237399, The Default NTFS Permissions Not Applied to a Converted Boot Partition. You can access this article at the Microsoft Knowledge Base (http://support.microsoft.com).

Security Templates MMC Snap-In

The Security Templates MMC snap-in enables you to create and modify security templates. By default, the Security Templates MMC snap-in lists all the templates in the %windir%\security\templates folder, which includes the built-in security templates. Figure 11-1 shows the Security Templates MMC snap-in in Windows XP.

Figure 11-1. Security Templates MMC snap-in in Windows XP

You can create a blank security template by right-clicking the Security Templates store and selecting New Template. You can then populate the settings. Any setting that is left as Not Configured in the template leaves the computer's current setting unchanged when the template is applied.

Read the wording of each security setting carefully. Many settings are phrased as prohibitions (for example, "Do not display last user name in logon screen"), so configuring such a setting as Disabled turns the behavior on, not off.
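The following is an added example of what a security template file looks like on disk; it is not a template from the Resource Kit or from the %windir%\security\templates folder, and the values it sets are illustrative assumptions rather than a recommended baseline. It shows the INF sections that the Security Templates snap-in writes, how Security Options are stored as registry values, and why the wording of a setting matters.

```ini
; baseline.inf - illustrative security template in the Security Templates /
; Secedit.exe INF format. Added example, not the Resource Kit's own template;
; every value below is an assumption chosen for illustration.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Account and lockout policy. Any key that is absent from the template is
; "Not Configured" and leaves the computer's current value untouched.
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 1
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30

; Audit policy: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2

; Security Options are stored as registry values: path=type,data
; where type 4 = REG_DWORD, 1 = REG_SZ and 7 = REG_MULTI_SZ.
; Read the names carefully: DontDisplayLastUserName=1 *enables* the
; protective behavior (the logon dialog no longer shows the last user), so
; the "Disabled" choice for this setting in the snap-in shows the name.
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"

; User rights assignment. SIDs are written with a leading *; S-1-5-32-544 is
; the built-in Administrators group and S-1-5-32-545 is Users. Listing a
; right replaces its current holders rather than adding to them.
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
```

Save the file in %windir%\security\templates and it appears in the Security Templates snap-in alongside the built-in templates; the snap-in then shows the same values under Account Policies, Local Policies and Security Options. Because an absent key means Not Configured, a template that is meant to reset a setting must list it explicitly.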

Security Configuration and Analysis MMC Snap-In

You can use the Security Configuration and Analysis MMC snap-in to complete two different tasks: analyze the security settings of the local computer, and configure the security settings on the local computer by using security templates.

The settings that were configured when the local security policy was applied can later change, either because Group Policy delivers different security settings or because an installed application alters them, so you should periodically review and verify the security settings on a Windows 2000 or Windows XP computer. The Security Configuration and Analysis MMC snap-in enables you to quickly perform a security analysis and review the differences between the current settings on a computer and the settings contained in a security template.

The Security Configuration and Analysis MMC snap-in performs security analysis by comparing the current state of system security against an analysis database. The database is created from at least one security template. If you import more than one security template, the database merges them into one composite template and resolves conflicts in order of import: the last template imported takes precedence.

To analyze the current security settings of a local computer by using the Security Configuration and Analysis MMC snap-in, follow these steps:

  1. Open a blank MMC and add the Security Configuration and Analysis MMC snap-in to it.

  2. In the console tree, right-click Security Configuration and Analysis and click Open Database.

  3. In Open Database, create a new database by entering a name for the database in the File Name field and click Open.

  4. In the Import Template window, select the Setup Security template and click Open.

  5. In the console tree, right-click Security Configuration and Analysis and then click Analyze Computer Now.

  6. When prompted for the error log file path, click OK to create the log file in the default location.

For example, you might want to analyze a Windows XP computer to compare its security settings with the default policy that is applied during installation. Figure 11-2 shows the results of comparing a Windows XP computer's security settings with the Setup Security template.

Figure 11-2. Output of using the Security Configuration and Analysis MMC snap-in

You can use the output of the analysis to perform a side-by-side comparison of the security settings. The Security Configuration and Analysis MMC snap-in displays the result of the analysis by using the icons described in Table 11-4.

Table 11-4. Using the Output of the Security Configuration and Analysis MMC Snap-In

  Icon                 Description
  -------------------  --------------------------------------------------------------------
  Red X                The entry is defined in the analysis database and on the system, but the setting values do not match.
  Green check          The entry is defined in the analysis database and on the system, and the setting values match.
  Question mark        The entry was not analyzed, either because it is not defined in the analysis database or because the user running the analysis did not have sufficient permissions to read it.
  Exclamation point    The entry is defined in the analysis database but does not exist on the actual system.
  No highlight         The entry is not defined in the analysis database or on the system.

You can also use the Security Configuration and Analysis MMC snap-in to configure local system security directly. You can import security templates that were created with the Security Templates MMC snap-in and apply them to the local computer, which immediately configures system security to the levels specified in the template. To configure the security settings on a local computer, follow the analysis steps outlined earlier, but instead of choosing Analyze Computer Now, choose Configure Computer Now.

Secedit.exe Command-Line Utility

The Secedit.exe command-line utility includes all the functionality of the Security Configuration and Analysis MMC snap-in and, on Windows 2000, can also force a refresh of Group Policy. On Windows XP you must use the Gpupdate.exe command-line utility to force a Group Policy refresh. By calling Secedit.exe from a batch file or from a scheduled task, you can apply templates and analyze system security automatically. To view the options for Secedit.exe, type secedit at the command prompt.
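The following batch file is an added example, not a script from the Resource Kit. It automates the same analyze-then-configure procedure described for the Security Configuration and Analysis snap-in above, using Secedit.exe, and then forces a Group Policy refresh with the tool appropriate to the Windows version. The template, database and log paths are assumptions for the example; the script also assumes that the analysis log records each differing setting on a line containing the word Mismatch.

```batch
@echo off
rem Added example (not from the Resource Kit): analyze the local computer
rem against a security template with Secedit.exe, list the settings that
rem differ, and apply the template only when run as "apply_baseline.cmd /apply".
rem TEMPLATE, DB and LOG are assumed paths; change them for your environment.
rem Run from an administrative command prompt: settings you cannot read show
rem up as unanalyzed, as the question-mark icon does in the snap-in.
setlocal
set TEMPLATE=C:\Templates\baseline.inf
set DB=%TEMP%\baseline.sdb
set LOG=%TEMP%\baseline.log

if not exist "%TEMPLATE%" (
    echo Template %TEMPLATE% not found.
    exit /b 1
)

rem Start from a fresh database so settings from earlier imports cannot be
rem merged into this run (the last template imported would otherwise win).
if exist "%DB%" del "%DB%"
if exist "%LOG%" del "%LOG%"

rem /analyze loads the template into the database and compares the computer
rem against it; nothing on the computer is changed.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%"

rem Assumption: differing settings are logged as "Mismatch - <setting>" lines.
echo Settings that differ from %TEMPLATE%:
findstr /i /c:"Mismatch" "%LOG%"
if errorlevel 1 echo (none)

if /i not "%~1"=="/apply" goto :eof

rem /overwrite empties the database before the template is imported, so the
rem template is applied as written rather than merged with earlier imports;
rem /quiet suppresses the confirmation prompt so the script runs unattended.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
echo Template applied; review %LOG% for errors.

rem Re-apply Group Policy on top of the local settings. Secedit.exe refreshes
rem policy on Windows 2000; Windows XP uses Gpupdate.exe instead.
ver | find "Windows 2000" >nul
if errorlevel 1 (
    gpupdate /target:computer /force
) else (
    secedit /refreshpolicy machine_policy /enforce
)
endlocal
```

Secedit.exe does not reliably set a non-zero exit code when a setting fails to apply, so the log file, not the return value, is what to check after a scheduled run. Run without arguments the script only reports, which makes it suitable as a periodic drift check; the /apply switch is the step that changes the computer.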

Applying Security Templates by Using Group Policy

In addition to the local security policy, you can use Group Policy to deploy the settings in security templates and so add security incrementally. Security settings are deployed by the same rules that apply to other Group Policy settings, except that they are less volatile than Administrative Template settings: they persist on the computer rather than being removed when the GPO no longer applies. You can place all client computers that have the same security requirements into an OU and create a GPO that contains the security settings to deploy to those computers.

You can import a previously created and tested security template into a GPO by right-clicking Security Settings under the Computer Configuration section of the GPO and clicking Import Policy. The settings from the template are merged incrementally with the settings already in the GPO. If you import more than one template and they contain conflicting settings, the settings from the last imported security template take precedence. To clear the existing security settings in the GPO before importing, select the option to clear the database before importing when you choose the security template to import.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189