Lesson 4: Administering Security Templates
Security templates are text files that contain numerous policy settings pertaining to computer security, such as password policy, account policy, and other settings within the Security Settings namespace of a GPO. Because security templates are text files, they can be exported from one GPO and imported into any number of others, allowing administrators to distribute security settings among individual computers or independent domains.
Security templates are the recommended way to make changes to Group Policy so that the changes can be easily documented and distributed throughout the enterprise. Be certain that you understand how to use security templates.
Understand the structure and purpose of security templates
Create security templates
Modify predefined security templates
Deploy security templates using a variety of tools
Understanding the Purpose of Security Templates
A security template is simply the settings contained in the Computer\Security Settings portion of a GPO that have been exported to a text file so that they can be imported into other GPOs. Microsoft uses security templates to establish baseline security settings for computers during installation and to distribute security standards that are more secure than the default installation. You can think of a security template as a computer GPO that has been packaged for distribution. Figure 3-9 contains an example of a security template.
Figure 3-9. A security template
Security templates are used to create a standardized security baseline that can be imported into various GPOs and local GPOs (LGPOs) throughout your organization. Security templates allow you to export the security settings from a GPO and distribute those settings as a text file (for example, through e-mail) to administrators throughout your organization.
Security templates are used primarily to modify local GPOs on workstations and servers to increase their basic security posture, whether or not they are subject to a non-local GPO. Modifying a computer's local security settings ensures that the computer remains protected from compromise whenever it is used outside a domain environment.
Security templates are also used to distribute security settings in multi-domain environments where a single GPO cannot be applied uniformly across an entire Active Directory tree or forest. By creating and managing security templates, you can manage a uniform set of security configuration standards for various classes of computers across any number of domains.
Using a security template, you can configure settings for
Account policies (password, account lockout, and Kerberos policy)
Local policies (audit policy, user rights assignment, and security options)
Event log settings
Restricted groups membership
File system permissions
Registry permissions
System services startup type
Why Use Predefined Security Templates?
Windows 2000 ships with a number of predefined security templates that can be incorporated into a GPO to immediately improve security for specific situations. By default, these templates are stored in %systemroot%\Security\Templates.
The predefined security templates are as follows:
Default workstation (Basicwk.inf), server (Basicsv.inf), and domain controller (Basicdc.inf) templates are the security settings applied to a standard computer after installation. You can use these templates to reverse other security settings that may have been applied to workstations, servers, or domain controllers respectively.
The Compatible workstation template (Compatws.inf) lowers the default security settings of the computer so that members of the Users group can successfully run applications that are not certified for Windows 2000. Normally, only Power Users can run these applications.
Secure workstation or server (Securews.inf) and domain controller (Securedc.inf) templates implement Microsoft's standard security recommendations for workstations. These recommendations improve security without sacrificing backward compatibility with earlier Windows operating systems.
Highly secure workstation or server (Hisecws.inf) and domain controller (Hisecdc.inf) templates establish security settings that secure network communication between computers by removing backward compatibility features. Computers with these security settings can communicate only with Windows 2000 and later computers.
The Dedicated domain controller (Dedica.inf) template establishes security settings for domain controllers that remove compatibility settings allowing earlier server applications to be run locally on the domain controller.
The predefined security templates are incremental in nature and assume that basic Windows 2000 settings from a default installation of Windows are in place. For computers that have been upgraded from Windows NT 4, you will have to apply the basic security template to the computer to bring it up to the default Windows 2000 security configuration. Figure 3-10 contains an example of a predefined security template with default security settings.
Figure 3-10. A predefined security template
Managing Security Templates
You can use five major tools to manage security templates:
The Group Policies management console can be used to import and export security template files. When you import security settings into a GPO, those settings apply automatically to all computers within that GPO's scope.
The Local Security Settings management console can be used to import and export security template files. When you import security settings into a local GPO, you permanently modify the computer's local security policy.
The Security Templates snap-in can be used to manage entire directories of security templates quickly and easily. The Security Templates snap-in interprets the contents of a security template text file in the same familiar way that the Group Policy Editor interprets Group Policy settings, so you can browse the settings hierarchy and modify your security templates without the risk of making errors, and without having to understand the syntax of security template files.
The Security Configuration And Analysis snap-in can be used to analyze how closely a machine's effective security posture matches a specific security template and to apply security template settings to a specific machine. The Security Configuration And Analysis management console can create a database of a computer's security settings and compare that database against numerous security templates.
The SecEdit.exe command-line utility provides powerful scripting functions to accomplish tasks that cannot be accomplished using management console snap-ins.
The simplest way to manage security templates is to create a management console containing the Security Templates snap-in and add it to your Administrative Tools folder.
Best Practices
Best practices for managing security templates include the following:
Never edit the Setup Security.inf template. If you do, you won't be able to reapply default security settings if it becomes necessary.
Don't apply the Setup Security.inf template through Group Policy. The Setup Security.inf template is unique for each computer, and it is very large. Apply it only to the local computer through the Security Configuration And Analysis snap-in.
Do not apply the Compatible template to domain controllers.
Do not modify predefined templates. Rather, copy them to a new file and edit the new file.
Test security templates before applying them to production group policies.
Deploying Security Templates
The most effective way to deploy the settings in a security template is to import them into a GPO whose scope covers the range of computers to which you want the security settings to apply.
Importing security template settings into a GPO is the easiest and most effective way to deploy security settings throughout your company.
To deploy security template settings across multiple domains and GPOs, you must individually import the security settings into each GPO. There is no mechanism for automatically deploying security template settings across a number of domains.
Other methods of deploying security templates include manually importing settings into a computer's Local Security Settings management console or using the Security Configuration And Analysis management console to configure security settings.
Finally, you can deploy security templates using the powerful SecEdit.exe command, which is a command-line version of the Security Configuration And Analysis snap-in. Because it is a command-line tool, it can be used in startup/shutdown and logon/logoff scripts. This makes it a powerful tool for deploying changes to local security settings throughout a domain automatically, a task that cannot be accomplished any other way.
Practice: Managing Security Templates
In this practice, you use various methods to deploy the security settings contained in a security template.
Exercise 1: Creating a Security Template Management Console
The first step in managing security templates is to create a convenient security templates management console. In this exercise, you create a management console for security templates and then compare the computer's configuration to the settings in a predefined security template.
To create a security templates management console
Click Start, and click Run.
In the Run dialog box, type mmc in the Open box and press Enter. The Microsoft Management Console appears.
On the Console menu, click Add/Remove Snap-In. The Add/Remove Snap-in dialog box opens.
Click Add to open the Add Standalone Snap-in dialog box.
In the list, double-click both Security Configuration And Analysis and Security Templates.
Click Close to close the Add Standalone snap-in dialog box.
Click OK to close the Add/Remove snap-ins dialog box.
Maximize the Console Root window within the console window, and then maximize the Console window. Resize the window, and expand Security Templates and its child node in the console tree to show the various preconfigured security templates.
When you have adjusted the console to your preferences, on the Console menu, choose Save As.
Type Security Templates in the File Name box, and click Save.
You now have a security templates management tool located in the Administrative Tools folder of the Start menu.
To compare a computer's security settings
In the Security Templates management console, right-click Security Configuration And Analysis, and click Open Database.
In the Open Database dialog box, type DC01 as the name of the database, and click Open. The Import Template dialog box appears containing a list of security templates from which to choose.
Select the Hisecdc.inf security template as the template to compare the database to, and click Open.
A list of instructions for analyzing security will appear in the management console. The Security Configuration And Analysis snap-in allows you to compare the effective security settings of a computer against a specific security template.
Right-click Security Configuration And Analysis and click Analyze Computer Now. The Perform Analysis dialog box appears asking for a file name and path for the error log.
Click OK to accept the error log path.
During the analysis, a progress indicator will appear. After the analysis, the console tree structure below the Security Configuration And Analysis node will contain the configuration differences, as shown in Figure 3-11.
Figure 3-11. The Security Configuration And Analysis database for a domain controller
Expand Security Configuration And Analysis, Account Policies, and then select Password Policy.
Notice the red X icons, which indicate a difference between the computer's configuration and the security template, and the green check mark icons, which indicate that the computer's settings are the same as the security policy.
Double-click Enforce Password History.
The Analyzed Security Policy Setting dialog box appears, as shown in Figure 3-12. Notice that the computer is set to retain 18 passwords, while the security template specifies 24.
Figure 3-12. The Analyzed Security Policy Setting dialog box
Click OK.
Browse through the remainder of the settings that are marked with red icons to view the discrepancies between this computer's settings and the security template.
Close the Security Templates management console.
Exercise 2: Creating a Security Template
You can create new security templates whenever you have unique security needs that are not met by predefined security templates. The procedures in this exercise will help you create and manage a new security template.
To create a new security template file
In Microsoft Windows Explorer, browse to C:\WINNT\Security\Templates and create a folder named User Defined Templates.
Open the Security Templates management console that you created in Exercise 1 of this practice.
Right-click Security Templates in the console tree, and click New Template Search Path. The Browse For Folder dialog box opens.
Browse to the User Defined Templates folder you created in step 1, and click OK.
A new template folder appears in the Security Templates namespace, as shown in Figure 3-13.
Figure 3-13. Adding a new search path to the Security Templates namespace
In the console tree, right-click the new User Defined Templates folder, and click New Template. The new template dialog box appears.
Type Passpol as the Template Name.
In the Description box, type Company-wide password policy to be applied to all local and domain GPOs.
Click OK.
A new policy template has been created and it appears below the search path you added in step 4.
To modify settings in a newly created security template
Expand the new Passpol security template, expand the Account Policies folder, and then click Password Policy, as shown in Figure 3-14.
Figure 3-14. The Password Policy settings of a new security template
Double-click Enforce Password History.
In the Template Security Policy Setting dialog box, select Define This Policy Setting.
Type 24 in the Passwords Remembered box, and click OK to close the dialog box.
Double-click Maximum Password Age.
In the Template Security Policy Setting dialog box, select Define This Policy Setting.
Type 366 into the Days box, and click OK to close the dialog box.
In the Suggested Value Changes dialog box, click OK to dismiss the Minimum Password Age notice.
Double-click the Minimum Password Length policy.
In the Template Security Policy Setting dialog box, select Define This Policy Setting.
Type 12 in the Characters box, and click OK to close the dialog box.
Double-click the Passwords Must Meet Complexity Requirements setting.
In the Template Security Policy Setting dialog box, select Define This Policy Setting, and click OK to close the dialog box.
Double-click the Store Password Using Reversible Encryption setting.
In the Template Security Policy Setting dialog box, select Define This Policy Setting.
Select Disabled, and click OK to close the dialog box.
Close the management console.
Click Yes to save the security template file.
To display security template settings
In Windows Explorer, browse to C:\WINNT\Security\Templates\User Defined Templates.
Right-click Passpol.inf, and choose Properties. The Passpol.inf Properties dialog box appears.
Notice that the size of the file is well under 1 KB.
Click OK to close the Properties dialog box.
Double-click Passpol.inf.
Notepad.exe opens showing the text of Passpol.inf, as shown in Figure 3-15. The settings you just created are stored in a text file that you can read.
Figure 3-15. Viewing security templates as text in Microsoft Notepad
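The two things this practice has shown so far, that a template is a readable text file (Exercise 2) and that the Security Configuration And Analysis snap-in reports each setting as matching or differing (Exercise 1), can be reproduced in a few lines of Python. The following is an added example, not code from the training kit or from Microsoft's tools: the template text is constructed to reflect the Passpol settings built in Exercise 2, the [System Access] key names are the ones secedit writes for password policy, and the computer's effective settings are constructed sample data (the 18-password history is the discrepancy shown in Figure 3-12).

```python
"""Parse a Windows 2000 security template (.inf) and analyze a computer's
effective settings against it, the way Security Configuration And Analysis
does. Added example; template and effective settings are constructed."""
import configparser

# Constructed: what Passpol.inf contains after Exercise 2. secedit writes
# password policy under [System Access]; real files are saved as Unicode
# (UTF-16), so read them with encoding="utf-16" when loading from disk.
PASSPOL_INF = """\
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 366
MinimumPasswordLength = 12
PasswordComplexity = 1
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Template key -> the name shown under Account Policies\Password Policy.
DISPLAY_NAMES = {
    "PasswordHistorySize": "Enforce Password History",
    "MaximumPasswordAge": "Maximum Password Age",
    "MinimumPasswordAge": "Minimum Password Age",
    "MinimumPasswordLength": "Minimum Password Length",
    "PasswordComplexity": "Passwords Must Meet Complexity Requirements",
    "ClearTextPassword": "Store Password Using Reversible Encryption",
}


def parse_template(text):
    """Return {key: int} for the [System Access] section of a template."""
    cp = configparser.ConfigParser(interpolation=None)  # "$CHICAGO$" is literal
    cp.optionxform = str  # keep key case exactly as written in the .inf
    cp.read_string(text)
    if "System Access" not in cp:
        return {}
    return {key: int(value) for key, value in cp["System Access"].items()}


def analyze(template, effective):
    """Compare effective settings with the template.

    Returns (display name, effective value, template value, matches) per
    setting. Settings the template leaves undefined are skipped, just as the
    snap-in only analyzes settings the template actually defines.
    """
    rows = []
    for key, wanted in template.items():
        have = effective.get(key)
        rows.append((DISPLAY_NAMES.get(key, key), have, wanted, have == wanted))
    return rows


def mismatches(template_text, effective):
    """Names of the settings that would carry a red X in the snap-in."""
    rows = analyze(parse_template(template_text), effective)
    return [name for name, _, _, ok in rows if not ok]


# Constructed: a computer still at the default 42-day maximum age that
# remembers only 18 passwords, with the other Passpol settings already met.
EFFECTIVE_DC01 = {
    "PasswordHistorySize": 18,
    "MaximumPasswordAge": 42,
    "MinimumPasswordLength": 12,
    "PasswordComplexity": 1,
    "ClearTextPassword": 0,
}

if __name__ == "__main__":
    for name, have, want, ok in analyze(parse_template(PASSPOL_INF), EFFECTIVE_DC01):
        print(("OK " if ok else "X  ") + f"{name}: computer={have} template={want}")
```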
Exercise 4: Modifying a Predefined Security Template
In this exercise, you modify a predefined security template to customize it for your specific environment.
To customize a security template
Open the Security Templates management console you created in Exercise 1 of this practice.
Expand the C:\WINNT\Security\Templates folder.
Right-click the Hisecdc security template, and click Save As. The Save As dialog box appears.
Browse to User Defined Templates, and save the policy as Mod Hisecdc.inf.
In the console tree, expand Mod Hisecdc, Account Policies, and select Password Policy.
Double-click Maximum Password Age.
In the Template Security Policy Setting dialog box, change the value in the Days box to 366 and then click OK.
Double-click Minimum Password Length.
In the Template Security Policy Setting dialog box, change the value in the Characters box to 12 and then click OK.
Right-click Mod Hisecdc, and choose Save.
Close the Security Templates management console.
Exercise 5: Local Security Settings Management Console
In this exercise, you import security settings using the Local Security Settings snap-in.
To import security settings
Click Start, point to Programs, point to Administrative Tools, and click Local Security Policy. The Local Security Settings management console appears.
In the console tree, right-click Security Settings, and choose Import Policy. The Import Policy From dialog box opens.
Browse to the User Defined Templates folder, and double-click Passpol.inf.
Browse to Account Policies\Password Policy to verify that the local security settings now match those specified by the security template, as shown in Figure 3-16.
Figure 3-16. The Local Security Settings management console
Close the Local Security Settings management console.
Exercise 6: Using the Security Configuration and Analysis Management Console
In this exercise, you apply configuration settings to a computer.
To apply configuration settings
Open the Security Templates management console you created in Exercise 1 of this practice.
Right-click Security Configuration And Analysis, and click Open Database. The Open Database dialog box appears.
Double-click the dc01.sdb security database.
Right-click Security Configuration And Analysis, and click Import Template. The Import Template file selection dialog box appears.
Browse to User Defined Templates, and double-click Passpol.inf.
Right-click Security Configuration And Analysis, and click Configure Computer Now.
In the Configure System dialog box, click OK to accept the default path.
A progress indicator will appear briefly.
In the management console, expand Security Configuration And Analysis, Account Policies, Password Policy, and select Maximum Password Age.
Notice that the effective setting does not match the policy that was just applied.
Why have the settings on this domain controller not taken effect?
Close the Security Templates management console.
Exercise 7: Deploying a Security Template Using Group Policy Objects
In this exercise, you import security settings into a GPO.
To deploy security settings through a GPO
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers. The Active Directory Users And Computers management console appears.
Right-click domain.fabrikam.com, and click Properties. The domain.fabrikam.com Properties dialog box appears.
Click the Group Policy tab.
Double-click Domain Security Policy. The Group Policies management console appears with the Domain Security Policy GPO opened.
Expand Domain Security Policy, Computer Configuration, Windows Settings, and then Security Settings.
Right-click Security Settings, and click Import Policy. The Import Policy From dialog box appears.
Browse to the User Defined Templates folder, and double-click Passpol.
Expand Security Settings, Account Policies, and then click Password Policy.
Notice that Enforce Password History now conforms to the settings in the template. This password policy now applies to all computers within the domain.
Close the Group Policies management console.
Click OK to close the domain.fabrikam.com Properties dialog box.
Close the Active Directory Users And Computers management console.
Exercise 8: Using SecEdit.exe
In this exercise, you use the SecEdit.exe tool to change the local GPO settings for computers within a domain. Modifying the local policy settings on computers ensures that your security settings remain effective even when the computers are not attached to a domain.
To implement this functionality, you will create a share containing the security template and then use a startup script to apply that security template to each computer within the domain when it is booted.
To create a share point for user-defined security templates
In Windows Explorer, browse to C:\WINNT\Security\Templates.
Right-click User Defined Templates, and click Sharing. The User Defined Templates Properties dialog appears showing the Sharing tab.
Select the Share This Folder option, and type UserSec as the share name.
Click the Permissions button. The Permissions for UserSec dialog box appears.
Ensure that the Everyone group has Allow Read permissions.
Click OK to close the Permissions dialog box.
Click the Security tab in the User Defined Templates Properties dialog box.
Click Add to open the Select Users, Computers, Or Groups dialog box.
Double-click the Everyone group, and then click OK to close the Select Users, Computers, Or Groups dialog box.
Ensure that the Read & Execute, List Folder Contents, and Read permissions are selected in the Allow column.
Click OK to close the User Defined Templates Properties dialog box.
Why does this exercise specify reducing security and using the Everyone group, rather than using a more secure group such as Domain Users?
To create a startup script to apply security templates
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers. The Active Directory Users And Computers management console appears.
Right-click domain.fabrikam.com, and click Properties. The domain.fabrikam.com Properties dialog box appears.
Click the Group Policy tab.
Double-click Domain Security Policy. The Group Policies management console appears with the Domain Security Policy GPO opened.
Expand Domain Security Policy, then Computer Configuration, Windows Settings, and Scripts.
Double-click Startup. The Startup Properties dialog box appears, as shown in Figure 3-17.
Figure 3-17. The Startup Properties dialog box
Click Add to open the Add A Script dialog box.
Click Browse. A file browser dialog box appears.
Right-click in the file list, select New, and then click Text Document.
Type setsecurity.bat to change the name of the file, and press Enter. A message box appears asking you if you want to change the file type.
Click Yes to confirm that you want to change the file type.
Right-click Setsecurity.bat, and choose Edit.
Notepad appears with Setsecurity.bat open.
Type the following text into the batch file:
rem Load the template from the share into a scratch database and analyze the computer against it
secedit /analyze /DB c:\sectemp.sdb /CFG \\dc01\UserSec\passpol.inf
rem Apply the template to the local security policy; /overwrite replaces the database contents with the template
secedit /configure /DB c:\sectemp.sdb /CFG \\dc01\UserSec\passpol.inf /overwrite
rem Remove the scratch database so the next startup begins from the template alone
del c:\sectemp.sdb
Save and close the text document.
Click Open in the Browse window to select the newly created Setsecurity.bat startup script.
Click OK to close the Add A Script dialog box.
Click OK to close the Startup Properties dialog box.
Close the Group Policies management console.
Click OK to close the domain.fabrikam.com Properties dialog box.
Close the Active Directory Users And Computers management console.
To verify the security template application
Reboot a workstation that is a member of the domain.fabrikam.com domain.
Log on using an account local to the workstation instead of logging on to the domain.
Open Control Panel.
Double-click Administrative Tools.
Double-click Local Security Policy. The Local Security Settings management console appears.
Expand Account Policies, and then click Password Policy.
Note that the settings from the security template have been applied to the local machine.
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
What is the easiest way to deploy security templates?
What is the primary purpose of the Security Configuration And Analysis snap-in?
When would it be appropriate to use the SecEdit.exe tool?
In what format are security templates stored?
Lesson Summary
Security templates are text files containing security settings that apply to the Computer Configuration\Security Settings portion of a GPO.
Security templates can be imported into and exported from GPOs to facilitate deploying a standard set of security settings throughout an enterprise.
Security templates are managed using the Security Templates snap-in, which allows administrators to make changes to security template settings in a uniform and consistent manner.
The Security Configuration And Analysis snap-in allows administrators to compare a computer's effective security settings to a security template, enabling them to quickly find problems with security settings deployment.
The SecEdit.exe tool is a command-line version of the Security Configuration And Analysis snap-in that allows administrators to script various actions related to security templates, including analyzing security settings and applying security templates.