Exam 70-214: Objective 1.2: Deploying Security Templates

Now it's time to deploy our security solution, either by Group Policy and Active Directory or by scripting. If you have worked with Windows NT 4.0 and earlier, you might have had some experience, good and bad, with scripting to set policies and establish environments. With all the improvements and updates in Windows 2000, scripting still remains a viable solution for configuring the environment. Unfortunately, some things can still only be done via scripting in Windows 2000 (as in Windows XP and Windows .NET Server), so scripting and command-line management continue to haunt Windows administrators.

So far in this chapter, we have spent a good deal of time discussing the basic tools that we have to work with when configuring Windows 2000 security across our computers and network. Now it's time to get down to the business of deploying our security solution.

Exercise 1.06 walks us through the process of configuring a template to suit our needs. We have already seen how to configure Restricted Groups in Exercise 1.02, Services in Exercise 1.03, Registry Security in Exercise 1.04, and File System Security in Exercise 1.05, but let's step back now and look at configuring some general security options that were presented in the Account Policies, Local Policies, and Event Log Policies sections.

start sidebar
Damage & Defense…
Safety First!

The Security Configuration and Analysis snap-in, Security Templates, the secedit.exe command-line tool, and security extensions to the Group Policy Editor are powerful and efficient tools that allow you to manage and control your organization's security infrastructure. However, as with all the new tools and capabilities of Windows 2000, you should use appropriate caution before employing these tools in a live environment.

Before deployment, be sure to test your security configurations in a lab environment that resembles your live environment as closely as possible.

The secedit.exe command-line tool allows you to schedule regular security audits of local policies on the machines in any domain and OU. By running scripts that call on the secedit.exe program, you can update each computer's personal database with the results of your security analysis. You can then later use the Security Configuration and Analysis snap-in to analyze the results of your automated analysis. Always watch for the effective policy, because it can differ from the policy that you applied to the local machine. Any existing domain or OU security policies that apply to the machine will overwrite local machine policy.

end sidebar

Let's Configure!

The basic process of configuring security settings is the same whether you are configuring them into a security template for analysis, testing, and later application or are applying them directly to your organization via Group Policy at the various levels available to you. For our purposes, we will modify the basicdc.inf template from within the Security Templates snap-in and use this modified template as we go along.

Exercise 1.06: Configuring Security Templates

start example
  1. Open your custom security console you created in Exercise 1.01.

  2. Navigate to the basicws.inf file in the Security Templates snap-in.

  3. Enforce strict password policies by double-clicking Enforce Password History and configuring it for 18 passwords remembered, as shown in Figure 1.30.

    Figure 1.30: Configuring the Password History Setting

  4. Configure account lockout policies by configuring the settings as shown in Figure 1.31.

    Figure 1.31: Configuring Account Lockout Settings

  5. Continue to make customizations as desired.

  6. When you are done, close out your custom console. You will be prompted to save it; do so.

  7. You will be prompted to save changes to your modified security template (see Figure 1.32). Save the changes.

    Figure 1.32: Saving Template Changes

end example

Now that you've got your customized security template, you should take this opportunity to export it. Exporting templates is typically done for one of two reasons: to transfer them over sneaker-net to another computer or to make a copy for safekeeping in another location. The process to export and import a template is very straightforward and is outlined in Exercise 1.07.

Exercise 1.07: Importing and Exporting Templates

start example
  1. Open your Security console and locate the security template you want to export.

  2. To export a template, right-click it, and select Save As, as shown in Figure 1.33. Be sure to save the template with a descriptive name and in a location you can find later. Note that you can also export a template from the Security Configuration and Analysis snap-in after you have used it to analyze or configure a computer by right-clicking Security Configuration and Analysis and selecting Export Template (see Figure 1.35).

    Figure 1.33: Exporting a Security Template

    Figure 1.34: Defining a New Template Search Path

    Figure 1.35: Importing Security Templates from Security Configuration and Analysis

  3. The process to import a saved security template is just as simple. From the Security Templates snap-in, right-click Security Templates and select New Template Search Path from the context menu, as shown in Figure 1.34. Navigate to the location of your template, and you are in business. Alternatively, you can use the Import Template option from within the Security Configuration and Analysis snap-in (see Figure 1.35).

end example

Deploying Security via Group Policy

As useful as the Security Configuration and Analysis snap-in is for configuring local computer security policy, it has a major limitation when it comes to applying security at higher levels in the organization, such as a domain or OU. The Security Configuration and Analysis snap-in cannot be used to directly apply security settings at these levels, but it can be used to create and test security templates at the local level for deployment at a higher level.

Security policies designed and tested using the Security Configuration and Analysis snap-in can be exported and applied to a domain or OU using the Active Directory Users and Computers console. You can also configure security settings directly in a Group Policy object without using security templates if you desire, but this is not recommended except at the lower levels of your OU structure as you find the need to apply a few specific settings to a specific group of users. Figure 1.36 shows the processing order of Group Policy objects from the local level (first) to the OU level (last).

Figure 1.36: Group Policy Application Order

Exercise 1.08 presents the process to import a security template into an OU-level GPO. Exercise 1.09 presents the process to import a security template into a domain-level GPO. After you've imported a template, you can perform further customization if you desire by making edits directly in the Group Policy windows that you will have open while performing Exercises 1.08 and 1.09.

Exercise 1.08: Importing Security Templates at the Organizational Unit Level

start example
  1. Open the Active Directory Users and Computers console from the Administrative Tools menu. Right-click an organizational unit and select Properties.

  2. The OU's properties box appears. Click the Group Policy tab (see Figure 1.37).

    Figure 1.37: The Group Policy Tab of the Organizational Unit Properties Page

  3. Click New. Type a name for the Group Policy object. Make sure that the new object is selected, then click Edit.

  4. Expand Computer Configuration, then expand Windows Settings. There are two subnodes of Windows Settings: Scripts and Security Templates. Select the Security Templates node (see Figure 1.38).

    Figure 1.38: Group Policy Security Settings

  5. Right-click the Security Settings node, and select Import Policy. Notice that the policies are template files with the .inf extension. You have the option of merging the template's entries into the present OU's security setup, or you can clear the present OU's security settings and have them replaced by the settings in the imported template. Click Open to enact the new policy. You are not given the option to test the template settings against the present OU's security configuration. The settings are enabled after you import the policy via the .inf file.

  6. Close all windows back to the Active Directory Users and Computers console.

  7. To force Group Policy propagation throughout the domain, enter the following command from the command line: secedit /refreshpolicy machine_policy.

end example

Now that we've examined how to apply a security template to an OU, let's look next at applying a security template to the domain as a whole. As you will see in Exercise 1.09, the process is fairly similar between the two procedures, with the primary difference being the location at which you import the policy. Furthermore, in most cases you need to allow a longer time for policy replication at the domain level compared with policy replication for those computers in an OU.

Exercise 1.09: Importing Security Templates at the Domain Level

start example
  1. Open the Active Directory Users and Computers console from the Administrative Tools menu. Right-click the domain and select Properties (see Figure 1.39).

    Figure 1.39: Selecting a Domain for Group Policy Editing

  2. The domain's Properties box appears. Click the Group Policy tab.

  3. Click New. Type a name for the Group Policy object. Make sure that the new object is selected, then click Edit.

  4. Expand Computer Configuration, then expand Windows Settings. There are two subnodes of Windows Settings: Scripts and Security Templates. Select the Security Templates node.

  5. Right-click the Security Settings node, and select Import Policy. Notice that the policies are template files with the .inf extension. You have the option of merging the template's entries into the present OU's security setup, or you can clear the present OU's security settings and have them replaced by the settings in the imported template. Click Open to enact the new policy. You are not given the option to test the template settings against the present OU's security configuration. The settings are enabled after you import the policy via the .inf file.

  6. Close all windows back to the Active Directory Users and Computers console.

  7. To force Group Policy propagation throughout the domain, enter the following command from the command line: secedit /refreshpolicy machine_policy.

end example

Deploying Security via Scripting

Using the secedit.exe utility, you can deploy security templates across your network using scripts or batch files should you desire, although you would be better off using the GUI options available to you such as Security Configuration and Analysis or Group Policy. The deployment mode of secedit.exe uses the /configure switch and is used to configure the target computer's security settings using a stored security template. When used to deploy security templates, secedit has the following syntax:

secedit /configure [/DB filename] [/CFG filename] [/overwrite] [/areas area1 area2...] [/log logpath] [/verbose] [/quiet]

Modification parameters include the following.

The following command informs secedit.exe which database to apply the security analysis results to:

/DB filename 

This command points to the location of the template that will be applied to the database:

/CFG filename 

This switch causes the current template in the database to be overwritten rather than appended:

/overwrite

This switch allows you to specify one or more specific security "areas" to be configured. The default is all areas:

/areas area1 area2...

The following is the location of the logfile that will be created with details of the security configuration:

/log logpath 

This command provides additional screen and log output:

/verbose

This command suppresses screen and log output:

/quiet

The following areas are available for use with the /areas modifier of the /configure switch of secedit:

  • SECURITYPOLICY  Local and domain policy for the system, including account policies, audit policies, and so on.

  • GROUP_MGMT  Restricted group security.

  • USER_RIGHTS  User logon rights and granting of privileges settings.

  • REGKEYS  Registry key security settings.

  • FILESTORE  File system security settings.

  • SERVICES  System services security settings.

Exercise 1.10 outlines using the secedit command to deploy a security template to the local machine. Using a batch file, you could very easily accomplish this task across multiple computers on your network. For more information on writing and working with scripts in Windows 2000, see the TechNet Script Center at www.microsoft.com/technet/scriptcenter/default.asp.

Exercise 1.10: Implementing Security Templates Using Scripting

start example
  1. Open a command prompt window by typing CMD in the Run box and clicking OK.

  2. From the command prompt, enter the secedit /configure command with the required modifiers, such as:

    secedit /configure /db c:\sectest\2.sdb /cfg C:\WINNT\security\templates\securews.inf /log c:\sectest\2apply.log /verbose

    Note that the locations and names are specific to your computer. See Figure 1.40.

    Figure 1.40: Performing a Deployment Using secedit

  3. Checking the results in Security Configuration and Analysis reveals that the settings took (see Figure 1.41), so it works! We cover performing analysis using Security Configuration and Analysis in more detail in the next section.

    Figure 1.41: Verifying the Template Deployment was Successful

end example
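The text notes that a batch file can repeat the secedit /configure step from Exercise 1.10 across many computers. The following batch file, written as an added example for this chapter and not taken from the book, shows one way to do that as a computer startup script: it copies a template from a share, applies it with secedit /configure into a fresh database, and records the outcome in a central log. The share names, template file name and working directory are placeholders and assumptions.

```batch
@echo off
REM Added example (not from the book): apply a security template with secedit.exe
REM at computer startup and report the result centrally.
REM Assumptions (placeholders): templates are published read-only on
REM \\SERVER\SecTemplates and a writable log share exists at \\SERVER\SecLogs.
setlocal
set TEMPLATE_SHARE=\\SERVER\SecTemplates
set TEMPLATE=securews.inf
set LOGSHARE=\\SERVER\SecLogs
set WORKDIR=%SystemRoot%\security\deploy

if not exist "%WORKDIR%" mkdir "%WORKDIR%"

REM Copy the template locally first so the configuration does not depend on the
REM share staying reachable while secedit runs.
copy /Y "%TEMPLATE_SHARE%\%TEMPLATE%" "%WORKDIR%\%TEMPLATE%" >nul
if errorlevel 1 (
    echo %COMPUTERNAME% %DATE% %TIME% FAILED: could not copy %TEMPLATE% >> "%LOGSHARE%\deploy.log"
    goto :eof
)

REM /overwrite replaces whatever an older deploy.sdb held instead of merging into it,
REM so the machine ends up with exactly the template's settings. /verbose keeps a
REM full record in the local log (/quiet would suppress the log as well).
secedit /configure /db "%WORKDIR%\deploy.sdb" /cfg "%WORKDIR%\%TEMPLATE%" /overwrite /log "%WORKDIR%\deploy.log" /verbose

REM A non-zero exit code means secedit could not complete the configuration. A zero
REM exit code still warrants reading the log, because individual items (for example,
REM a file path from the template that does not exist on this machine) are only
REM reported there.
if errorlevel 1 (
    echo %COMPUTERNAME% %DATE% %TIME% FAILED: secedit /configure returned %ERRORLEVEL% >> "%LOGSHARE%\deploy.log"
) else (
    echo %COMPUTERNAME% %DATE% %TIME% OK: applied %TEMPLATE% >> "%LOGSHARE%\deploy.log"
)

REM Keep each machine's secedit log centrally so the deployment can be audited later.
copy /Y "%WORKDIR%\deploy.log" "%LOGSHARE%\%COMPUTERNAME%-deploy.log" >nul
endlocal
```

Assign the script as a computer startup script in the GPO for the OU whose machines should receive the template; the central deploy.log then shows, per computer, whether the template was applied before you confirm the result with Security Configuration and Analysis as in step 3 above.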

MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162