Default Security Templates

Windows 2000 and Windows XP include several built-in security templates that you can use as a baseline for creating your own templates or for resetting the security on a computer. The built-in templates include the following:

  • Basic

    The Basic security templates apply the Windows 2000 default access control settings. You can use the Basic templates on Windows NT computers that have been upgraded to Windows 2000. This brings the upgraded computer in line with the Windows 2000 default security settings, which are otherwise applied only to a newly installed computer. The Basic templates can also be used to revert to the defaults after making any undesirable changes. There are Basic templates for Windows 2000 Professional computers, Windows 2000 Server computers, and Windows 2000 Active Directory domain controllers.

  • Optional Component File Security

    The Optional Component File Security templates apply default security to optional component files that might be installed during or after Windows 2000 Setup. The Optional Component File Security templates should be used in conjunction with the Basic templates to restore default security to Windows 2000 system files that are installed as optional components.

  • Compatible

    Some customers might not want their users to be Power Users group members in order to run applications that are not compliant with the Windows 2000 application specification. This is because Power Users have additional capabilities (such as the ability to create shares) that go beyond the more liberal access control settings necessary to run legacy applications. For customers who do not want their end users to be Power Users, the Compatible template opens up the default access control policy for the Users group in a manner that is consistent with the requirements of legacy applications such as Microsoft Office 97. A computer that is configured with the Compatible template is not considered a secure installation. One Compatible template exists for Windows 2000 Professional computers, and one exists for Windows 2000 Server computers.

  • Secure

    The Secure template focuses on making OS and network behavior more secure by making changes, such as removing all members of the Power Users group and requiring more secure passwords. The Secure template does not focus on securing application behavior. This template does not modify permissions, so users with the proper permissions can still use legacy applications, even though all members are removed from the Power Users group by defining the Power Users group as a restricted group. Secure templates exist for Windows 2000 Professional, Windows 2000 Server, and Windows 2000 domain controllers.

  • High Secure

    The High Secure template increases the security defined by several of the parameters in the Secure template. For example, the Secure template might enable SMB packet signing, but the High Secure template requires SMB packet signing. Furthermore, the Secure template might warn about the installation of unsigned drivers, while the High Secure template blocks the installation of unsigned drivers. In short, the High Secure template configures many operational parameters to their extreme values without regard for performance, operational ease of use, or connectivity with clients using third-party or earlier versions of NTLM. The High Secure template also changes the default access permissions for Power Users to match those assigned to Users. This allows administrators to grant Users privileges reserved for Power Users, such as the ability to create shares, without having to give those Users unnecessary access to the registry or file system. The High Secure template is primarily designed for use in an all-Windows 2000 network because the settings require Windows 2000 technology. Using High Secure templates in an environment with Windows 98 or Windows NT can cause problems. High Secure templates exist for Windows 2000 Professional, Windows 2000 Server, and Windows 2000 domain controllers.

  • No Terminal Server User SID

    The default file system and registry access control lists that are on servers grant permissions to a terminal server SID. The terminal server SID is used only when terminal server is running in application compatibility mode. If terminal server is not being used, this template can be applied to remove the unnecessary terminal server SIDs from the file system and registry locations. However, removing the access control entry for the terminal server SID from these default file system and registry locations does not increase the security of the system. Instead of removing the terminal server SID, simply run terminal server in full security mode. When the computer is running in full security mode, the terminal server SID is not used.

  • System Root Security

    Rootsec.inf specifies the new root permissions introduced with Windows XP. By default, Rootsec.inf defines these permissions for the root of the system drive. This template can be used to reapply the root directory permissions if they are inadvertently changed, or the template can be modified to apply the same root permissions to other volumes. As specified, the template does not overwrite explicit permissions that are defined on child objects; it propagates only the permissions that are inherited by child objects.

  • Default Security

    Setup Security.inf is a computer-specific template that represents the default security settings that are applied during the installation of Windows 2000 or Windows XP, including the file permissions for the root of the system drive. You can use this template or portions of it for disaster recovery purposes. Setup Security.inf should never be applied by using Group Policy.
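An added example, not from the Resource Kit: a small Python parser over two constructed .inf fragments, laid out like the templates secedit consumes, that surfaces the Secure-versus-High Secure differences described above (SMB signing enabled versus required, unsigned-driver warn versus block) and the emptied Power Users restricted group. The registry paths, value encodings and the Power Users SID are assumptions for the example, not text taken from the shipped templates.

```python
import configparser

# Constructed fragments in the secedit .inf layout (assumption: not the shipped
# templates). Registry Values lines are "path=type,data"; 4 = REG_DWORD, 3 = REG_BINARY.
SECURE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\EnableSecuritySignature=4,1
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\RequireSecuritySignature=4,0
MACHINE\\Software\\Microsoft\\Driver Signing\\Policy=3,1
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members =
"""

# High Secure variant: require SMB signing (1) and block unsigned drivers (2).
HISEC_INF = (SECURE_INF
             .replace("RequireSecuritySignature=4,0", "RequireSecuritySignature=4,1")
             .replace("Policy=3,1", "Policy=3,2"))


def parse_template(text):
    """Parse an .inf template into {section: {key: value}}.
    Registry Values become (type, data) tuples; other sections keep raw strings."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keys are registry paths and SIDs: keep their case
    cp.read_string(text)
    parsed = {}
    for section in cp.sections():
        items = {}
        for key, val in cp.items(section):
            if section == "Registry Values":
                rtype, data = val.split(",", 1)
                items[key] = (int(rtype), data.strip())
            else:
                items[key] = val.strip()
        parsed[section] = items
    return parsed


def diff_registry_values(a, b):
    """Return {path: (a_data, b_data)} for settings present in both but differing."""
    ra, rb = a["Registry Values"], b["Registry Values"]
    return {k: (ra[k][1], rb[k][1]) for k in ra if k in rb and ra[k] != rb[k]}


def restricted_members(template, sid):
    """Members a restricted group may keep; an empty list means the group is cleared."""
    raw = template["Group Membership"].get(f"*{sid}__Members", "")
    return [m.strip() for m in raw.split(",") if m.strip()]
```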



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
