Working with Security Templates


Windows Server 2003, just like Windows 2000 and Windows XP, comes with a complete set of preconfigured security templates that you can use to quickly apply standardized security settings to a single computer, an organizational unit (OU), or a domain, if desired. Whereas enforcing the principle of least privilege is mainly a matter of policy, making use of and customizing security templates is a hands-on activity. These preconfigured templates can be thought of as great starting points from which to make your own customized security templates; they can also be thought of as ready-made solutions. Neither strategy is more correct than the other.

In simple terms, a security template is little more than a specially formatted flat-text file that can be read by the Security Configuration Manager tools. These preconfigured templates have the extension .inf and are located in the %systemroot%\security\templates folder on a Windows Server 2003 computer. You can use the Security Configuration and Analysis snap-in, the secedit.exe tool, or the Local Security Policy console to apply these templates to a local computer. You can apply templates to an OU or domain by importing them into the Security Settings section of the applicable Group Policy by using the Group Policy Editor. In addition, you can use these preconfigured templates to create a baseline for an unknown system that you can compare against a known set of configuration settings by using the Security Configuration and Analysis snap-in or the secedit.exe tool.

The following sections examine the preconfigured security templates provided with Windows Server 2003 and how they are used, customized, and implemented.

The Windows Server 2003 Security Templates

Objective:

Implement secure network administration procedures.

  • Implement security baseline settings and audit security settings by using security templates.

Table 5.1 details the preconfigured security templates that are available in Windows Server 2003.

Table 5.1. The Preconfigured Security Templates in Windows Server 2003

Template (Filename)

Description

Default (Setup security.inf)

This template is created during the installation of Windows on the computer. This template varies from one computer to the next, depending on whether the installation was performed as a clean installation or an upgrade. Setup security.inf represents the default security settings that a computer started out with and thus can be used to reset portions of security as required. This template can be applied to both workstations and member servers, but not to domain controllers (DCs), and it should never be applied via Group Policy due to the large amount of data it contains. Doing so could result in performance degradations.

Default DC (DC security.inf)

This template is automatically created when a member server is promoted to a DC. It represents the file, registry, and system service default security settings for that DC and can be used later to reset those areas to their default configurations.

Compatible (compatws.inf)

The Compatible workstation/member server template provides a means to allow members of the Users group to run applications that do not conform to the Windows Logo Program for Windows 2000 and above. Applications that were written for Windows NT 4.0 do not use the same security model that Windows 2000 and above applications use. Applications that do conform to the Windows Logo Program can be, in the majority of cases, successfully run by members of the Users group without any further modifications required. For applications that do not conform, there are two basic choices: You can make the users members of the Power Users group or relax the default permissions of the Users group. The Compatible template solves this problem by changing the default file and registry permissions that are granted to the Users group to allow them to run most applications that are not part of the Windows Logo Program.

As a side effect of applying this template, all users are removed from the Power Users group because the basic assumption is that the template is being applied in an effort to prevent the need for that group. This template should not be applied to DCs, so you need to be sure not to import it into the Default Domain Policy or the Default Domain Controller Policy.

Secure (securews.inf and securedc.inf)

The Secure templates are the first ones to actually begin the process of locking down the computer to which they are applied. There are two different Secure templates: securews.inf, which is for workstations and member servers, and securedc.inf, which is for DCs only.

The Secure templates prevent the usage of the LAN Manager (LM) authentication protocol. Windows 9x clients need to have Active Directory Client Extensions installed to enable NT LAN Manager version 2 (NTLMv2). Only when NTLMv2 is enabled on these legacy clients can they communicate with Windows 2000 and above clients and servers using these templates. These templates also impose additional restrictions on anonymous users. Such restrictions include preventing them from enumerating account and share information.

The secure templates also enable Server Message Block (SMB) signing on the server side. By default, SMB signing is enabled on client computers. If you apply this template, SMB packet signing will always be negotiated between clients and servers.

Highly Secure (hisecws.inf and hisecdc.inf)

The Highly Secure templates impose further restrictions on the computers to which they are applied. Whereas the Secure templates require at least NTLM authentication, the Highly Secure templates require NTLMv2 authentication. The Secure templates enable SMB packet signing, and the Highly Secure templates also require SMB packet signing.

In addition to the various extra security restrictions that are imposed by the Highly Secure templates, these templates also make several changes to group membership and the login process. All members of the Power Users group are removed from this group. In addition, only members of the Domain Admins group and the local administrative account will be allowed to be members of the local Administrators group.

When the Highly Secure templates are used, it is assumed that only Windows Logo Program-compliant applications are in use. Therefore, there is no provision in place for users to use noncompliant applications because the Compatible template is not needed and the Power Users group has no members. Members of the Users group are able to use applications that are compliant with the Windows Logo Program. In addition, members of the Administrators group can use any application they want.

System Root (rootsec.inf)

This template defines the root permissions for the root of the system volume. If these permissions are changed, they can be reapplied by using this template. In addition, you can modify this template to apply the same permissions to other volumes. Explicitly configured permissions are not overwritten on child objects when you use this template.

No Terminal Server Use SID (notssid.inf)

This template is used on servers that are not running Terminal Services to remove all unnecessary Terminal Services security identifiers (SIDs) from the file system and registry. This, however, does not increase the security of the server.

Internet Explorer SACL (iesacls.inf)

This template is used to enable auditing on registry keys that are used by Internet Explorer. By default, the keys in question are set to allow the built-in Everyone group Full Control. By enabling this auditing, changes can be tracked should users (or the applications they use within Internet Explorer) attempt to modify the settings of any of these keys.


Note: Working with Templates

If you should find yourself working with one of the preconfigured security templates and wanting to make changes, stop! Before making any changes to any of the preconfigured templates, be sure to save a copy of the template using a different name and then make your changes to the copy. By following this process, you'll always be sure to have your pristine preconfigured templates intact and available for later usage.


Caution: Templates Are Incremental

All the preconfigured security templates are incremental, meaning that they have been designed to be applied to computers that are using the default security settings. These templates do not implement the default security settings before they apply their security settings.


Security Configuration Manager Tools

Objective:

Implement secure network administration procedures.

  • Implement security baseline settings and audit security settings by using security templates.

Now that you've seen the security templates that are available for use, let's take a brief look at the tools that are available for the design, testing, and application of these (and other) security templates. The Security Configuration Manager is not one console or tool per se; it is actually a collection of tools and utilities that you can use to implement security solutions across a network.

The following are the components of the Security Configuration Manager:

  • The Security Configuration and Analysis snap-in

  • The Security Templates snap-in

  • Group Policy security extensions

  • The secedit.exe command

Note: Security Configuration Wizard

We discuss Microsoft's latest security tool, the Security Configuration Wizard (SCW), later in this chapter in the section "The Security Configuration Wizard." The SCW goes beyond the basic security implementation we're examining here that relies only on security templates. When you use the SCW to configure and implement security, you can take an overall approach to mitigating security vulnerabilities on your Windows Server 2003 SP1 and Windows Server 2003 R2 servers.


Each of these tools is examined in the following sections. In these sections, we explain how they relate to implementing security solutions using the preconfigured security templates that are supplied in Windows Server 2003. At this point, you need to construct a customized MMC console, as outlined in Step by Step 5.1.

Step By Step
5.1. Creating a Customized Security Console

1. Open an empty MMC shell by selecting Start, Run and entering mmc in the Open field. Click OK. An empty MMC shell appears, as shown in Figure 5.1.

Figure 5.1. Starting with an empty MMC shell, you can build any number of customized configuration and management consoles.

2. Select File, Add/Remove Snap-in to open the Add/Remove Snap-in dialog box. Click Add to open the Add Standalone Snap-in dialog box, as shown in Figure 5.2.

Figure 5.2. You can add a number of snap-ins from here.

3. Scroll down the Snap-in list and select the Security Configuration and Analysis and Security Templates snap-ins by double-clicking each of them.

4. Click Close and then click OK to return to the MMC console (see Figure 5.3).

Figure 5.3. The customized console is not as empty as it was.

5. Save the console by selecting File, Save. A standard Save dialog box appears. Specify the filename and location to save the console to. By default, the console will be saved into the Administrative Tools folder of the currently logged in user.

Armed with a custom security console, let's move forward and examine how the tools are put to work.

The Security Configuration and Analysis Snap-in

The Security Configuration and Analysis snap-in is an important tool in an administrator's security template toolbox. By using the Security Configuration and Analysis snap-in, you can create, configure, test, and implement security template settings for a local computer. Therein lies its one real weakness: It can be used to work only with the settings of a local computer. You can, however, find ways to get around this limitation by using the other tools that are at your disposal, including secedit.exe and the security extensions to Group Policy, both of which are discussed later in this chapter.

The Security Configuration and Analysis snap-in can be used in two basic modes, configuration and analysis, although not necessarily in that order. When you're using the Security Configuration and Analysis snap-in to analyze the current system security configuration, no changes are ever made to the computer being analyzed. The administrator simply selects a security template to compare the computer against (either a preconfigured template or a custom-created template). The settings from the template are loaded into a database and then compared to the settings currently implemented on the computer. It is possible to import multiple templates into this database, thus merging their settings into one conglomerate database. In addition, you can specify that existing database settings are to be cleared before another template is imported into the database. When the desired security templates have been loaded into the database, any number of analysis actions can be performed, both by the Security Configuration and Analysis snap-in and by the secedit.exe command, as discussed later in this chapter.

After the database has been populated and an analysis scan has been initiated, the Security Configuration and Analysis snap-in examines each and every configurable Group Policy option and then reports back to you the results of the analysis scan. Each setting is marked with an icon that denotes one of several possible outcomes, such as "the settings are the same," "the settings are different," or "the settings do not apply." Table 5.2 outlines the possible icons that you might see and what they indicate.

Table 5.2. The Preconfigured Security Template Icons in Windows Server 2003

| Icon | Description |
| --- | --- |
| Red X | The item is defined in the analysis database and on the computer but does not match the currently configured setting. |
| Green check mark | The item is defined in the analysis database and on the computer and matches the currently configured setting. |
| Question mark | The item is not defined in the analysis database and was not examined on the computer. |
| Exclamation point | The item is defined in the analysis database but not on the computer. |
| No special icon | The item is not defined in the analysis database or the computer. |
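
The comparison that an analysis performs can be sketched offline. The following Python is an added example, not code from the book or from Microsoft's tools: it parses two security templates in their .inf text form and classifies each setting with outcomes modelled on Table 5.2. The template contents are constructed samples, the function and constant names are hypothetical, and only key = value sections are handled (file and registry ACL entries are skipped).

```python
import re

# Constructed sample: a baseline template in the .inf syntax security templates use.
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; password and lockout policy
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""

# Constructed sample: settings as they might be exported from the computer under test.
COMPUTER_INF = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
MaximumPasswordAge = 42
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
[Privilege Rights]
senetworklogonright = *S-1-5-32-545, *S-1-5-32-544
"""

# Outcome labels, modelled on the icons described in Table 5.2.
MATCH = "match"                      # green check mark
MISMATCH = "mismatch"                # red X
BASELINE_ONLY = "baseline only"      # exclamation point
NOT_IN_BASELINE = "not in baseline"  # question mark

SKIP_SECTIONS = {"unicode", "version"}   # file metadata, not security settings
LIST_SECTIONS = {"privilege rights"}     # values are unordered lists of accounts/SIDs


def parse_template(text):
    """Return {(section, key): value} for every key = value line in a template.

    Section and key names are lower-cased because .inf names are not
    case-sensitive. Lines without "=" (for example ACL entries) are ignored.
    """
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section is None or section in SKIP_SECTIONS or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section in LIST_SECTIONS:
            # Order and spacing of the account list carry no meaning.
            value = frozenset(v.strip().lower() for v in value.split(",") if v.strip())
        else:
            value = value.strip('"')
        settings[(section, key.lower())] = value
    return settings


def analyze(baseline, computer):
    """Classify every setting seen in either template; nothing is modified."""
    report = {}
    for key in sorted(set(baseline) | set(computer)):
        if key not in baseline:
            report[key] = NOT_IN_BASELINE
        elif key not in computer:
            report[key] = BASELINE_ONLY
        elif baseline[key] == computer[key]:
            report[key] = MATCH
        else:
            report[key] = MISMATCH
    return report


if __name__ == "__main__":
    result = analyze(parse_template(BASELINE_INF), parse_template(COMPUTER_INF))
    for (section, key), outcome in result.items():
        print(f"{outcome:16} [{section}] {key}")
```

Template files on disk are commonly saved as Unicode text, so decode them accordingly before passing the contents to parse_template.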


The best way to understand the Security Configuration and Analysis snap-in is to work with it. Step by Step 5.2 presents the process of comparing the security configuration of a Windows Server 2003 member server to that of the securews.inf template.

Note: Not All Computers Are Created Equal

Not every computer has the same security settings initially. Your results when performing this process may vary depending on the initial state of the computer being used for the analysis.


Step By Step
5.2. Using the Security Configuration and Analysis Snap-in to Analyze Settings

1. From the customized security console you created in Step by Step 5.1, select the Security Configuration and Analysis node. Notice that the Security Configuration and Analysis snap-in actually provides you with some instructions as to how to proceed.

2. Right-click the Security Configuration and Analysis node and select Open Database from the context menu. The Open Database window appears, as shown in Figure 5.4.

Figure 5.4. You can either load an existing database or create a new one.

3. Because you do not have an existing database, create a new one by entering the name security1 into the File Name field and clicking Open to open it.

4. On the Import Template dialog box, shown in Figure 5.5, select the security template you are loading into the database. In this exercise, you should use the securews.inf template. If this is an existing database that you want to clear out, be sure to select the Clear This Database Before Importing option. Click Open after you make your selections. The Security Configuration and Analysis snap-in appears again.

Figure 5.5. You need to select a template to load into the database.

5. To perform the analysis operation, right-click the Security Configuration and Analysis node and select Analyze Computer Now to start the analysis. The Perform Analysis dialog box appears.

6. Provide a pathname and a filename for an error log. In most cases, the default pathname and filename, as shown in Figure 5.6, are suitable, but you can change this as required. Click OK to start the analysis process.

Figure 5.6. The error log is used to keep track of any errors encountered during the analysis process.

7. You will briefly see the Analyzing System Security dialog box. When the analysis is complete, you are returned to the Security Configuration and Analysis snap-in, except that now it has been populated and looks similar to what you might expect to see in the Group Policy Editor, as shown in Figure 5.7.

Figure 5.7. The analysis output resembles the information shown in the Group Policy Editor.

8. Open the Account Policies, Password Policy node, as shown in Figure 5.8, and you can see that some items are not in agreement between the database settings and the computer settings.

Figure 5.8. You can quickly determine the status of the computer against the settings of the security template.


As seen in Figure 5.7, you can analyze and configure several areas by using the Security Configuration and Analysis snap-in:

  • Account Policies: This node contains items that control user accounts. In Windows NT 4.0, these items are managed from the User Manager for Domains. There are two subnodes of this node: the Password Policy node and the Account Lockout Policy node. The Password Policy node deals with account password-related items, such as minimum length and maximum age. The Account Lockout Policy node contains options for configuring account lockout durations and lockout reset options.

  • Local Policies: This node contains policies that are applied to the local machine. There are three subnodes of this node: Audit Policy, User Rights Assignment, and Security Options. The Audit Policy node is pretty self-explanatory; it offers options for configuring and implementing various auditing options. The User Rights Assignment node contains miscellaneous options that deal with user rights, such as the ability to log in to a computer across the network. The Security Options node contains many other options (such as the option to set a login banner or to allow the system to be shut down without being logged in first) that previously could be edited only in the Windows NT 4.0 registry or by using System Policies.

  • Event Log: This node contains options that allow you to configure the behavior and security of the event log. In this node, for example, you can include maximum log sizes and disallow guest access to the event logs.

  • Restricted Groups: This node allows you to permanently configure which users are allowed to be members of specific groups. For example, company policy may provide the ability to perform server backups to a specific group of administrators. If another user who is not otherwise authorized with these privileges is added to this group and not removed after he or she has performed the intended function, you have created a security problem because the user has more rights than normally authorized. By using the Restricted Groups node, you can reset group membership to the intended membership.

  • System Services: This node allows you to configure the behavior and security assignments associated with all system services running on the computer. Options include defining that a service is to start automatically or be disabled. In addition, you can configure the user accounts that are to have access to each service.

  • Registry: This node allows you to configure access restrictions that specify who is allowed to configure or change individual registry keys or entire hives. This option does not give you the means to create or modify registry keys, however; you must still do that by using the Registry Editor.

  • File System: This node allows you to set folder and file NTFS permissions. This is especially handy if you need to reset the permissions on a large number of folders or files.

After a security settings analysis is completed and you have examined the results, you can begin the process of determining what changes need to be made. You can configure your changes directly into the database by using the Security Configuration and Analysis snap-in, or you can create or edit a security template by using the Security Templates snap-in, as discussed in the next section. When you use the Security Configuration and Analysis snap-in to make changes, your changes reside only in the database until you do one of two things: export the database to a security template file or apply the database settings to the computer. When you work with the Security Templates snap-in, you actually make changes to the template directly and need to save it when you're finished. The end result is the same no matter which way you go about it.

The second part of the Security Configuration and Analysis snap-in is the configuration, which is the application of settings contained in the database to the local computer. Before you apply the settings to the computer, you should have first completed the analysis as detailed in Step by Step 5.2. After this is done and you are happy with the configuration (or have edited the configuration to suit your needs), you can apply the settings by right-clicking the Security Configuration and Analysis node and selecting Configure Computer Now from the context menu. You are again asked for the pathname and filename of the error log. After you provide this information, the settings in the database are applied to the computer. Running the analysis again confirms this by showing that all items are now in agreement.

Exam Alert: For the Local Computer Only

Remember that the Security Configuration and Analysis snap-in can be used to apply the settings to the local computer only. You need to export the database to a security template if you want to apply the settings to another computer or to a larger scope of computers, such as a domain or an OU.


As mentioned, if you need to get the database settings out and into the form of a security template, you need to right-click the Security Configuration and Analysis node and select Export Template from the context menu. The Export Template To window appears, as shown in Figure 5.9, prompting you to enter the path and filename of the security template. You should be sure to use a unique name; in other words, do not save over one of the preconfigured security templates because you might need it again in the future.

Figure 5.9. You need to be sure to specify a unique name for an exported template to avoid overwriting a preconfigured security template.


The Security Templates Snap-in

The Security Templates snap-in, shown in Figure 5.10, might at first seem to have no real purpose. However, this is not the case at all. You can use this snap-in to modify existing templates or create new ones from scratch without the danger or possibility of accidentally applying the template to the computer or Group Policy object (GPO).

Figure 5.10. The Security Templates snap-in allows you to work with existing and new templates.


To customize an existing template, you should first save a new copy of it and then you can begin making changes to it to suit your requirements. When you are done, be sure to save it again and you'll be ready to start using your new, customized, security template.

To start out with a completely empty template, in which no settings are preconfigured, right-click the template location node (where the template file system path is displayed on the left side of the console) and select New Template from the context menu.

Group Policy Security Extensions

Applying a security template to a local computer by using the Security Configuration and Analysis snap-in is not the only way to apply a security template. Imagine the amount of time and effort involved in applying a security template locally at each computer using the Security Configuration and Analysis snap-in. As difficult and time consuming as it would be, imagine doing it to several different types of computers, such as DCs, member servers, and client workstations. You would have the added hassle of trying to remember which template goes on what computer.

Note: Editing Group Policy Objects

In this chapter, we show you how Group Policy Objects are accessed and edited using the default configuration of Windows Server 2003. For all practical purposes, it's recommended that you download and install the Group Policy Management Console (GPMC) for enhanced Group Policy control and visibility. You can find out more information about the GPMC at the following location: http://www.microsoft.com/windowsserver2003/gpmc/gpmcintro.mspx.


Fortunately, you can easily and quickly import security templates into GPOs by using the Group Policy Editor. Step by Step 5.3 outlines this process.

Step By Step
5.3. Importing a Security Template into a GPO

1. Open the Active Directory Users and Computers console by selecting Start, Programs, Administrative Tools, Active Directory Users and Computers.

2. Locate the domain or OU to which you want to apply the security template. In this example, we will be applying the securews.inf template to the CORP OU.

3. Right-click the CORP OU and select Properties from the context menu. The Sales Properties dialog box appears. Switch to the Group Policy tab, as shown in Figure 5.11.

Figure 5.11. You need to create a new GPO if no GPOs exist.

4. To create a new GPO, click the New button. Supply a name for the new GPO and press Enter.

5. Click the Edit button to open the Group Policy Editor for the selected GPO.

6. Expand the nodes as follows: Computer Configuration, Windows Settings, Security Settings. Your screen should now resemble Figure 5.12.

Figure 5.12. You'll be able to import a security template from the Security Settings node.

7. Right-click the Security Settings node and select Import Policy from the context menu. The Import Policy From dialog box shown in Figure 5.13 appears, providing a list of the preconfigured security templates. You can navigate to another location if required to use a custom-created security template.

Figure 5.13. You need to select the security template that you want to import into the GPO.

8. Select the desired policy and click the Open button. The settings configured in the template are now applied to the GPO and will be applied during the next Group Policy refresh cycle.

Note that you can also perform this evolution at the domain level to apply security settings to all computers within the domain. As a general rule, you should apply the most generic settings at the domain level. Then, at the OU level, you should apply specific settings that pertain to the computers in that OU. Figure 5.14 provides an example of how this might work for an organization that consists of several OUs.

Figure 5.14. You can apply security templates (policies) at several nested levels in Group Policy.


secedit.exe

We have spent a good amount of time in this chapter examining the ways you can work with security templates by using the Windows GUI. What about configuring security from the command line? As you might have guessed, there is a command-line alternative to the Security Configuration and Analysis snap-in, and it comes in the form of the secedit.exe command.

You can use secedit.exe to perform the same functions as the Security Configuration and Analysis snap-in, plus a couple of additional functions not found in the snap-in. The secedit.exe command has various top-level options available for use, as detailed in Table 5.3.

Table 5.3. The secedit.exe Options

| Option | Description |
| --- | --- |
| /analyze | Allows you to analyze the security settings of a computer by comparing them against the baseline settings in a database. |
| /configure | Allows you to configure the security settings of the local computer by applying the settings contained in a database. |
| /export | Allows you to export the settings configured in a database to a security template .inf file. |
| /import | Allows you to import the settings configured in a security template .inf file into a database. If you will be applying multiple security templates to a database, you should use this option before performing the analysis or configuration. |
| /validate | Validates the syntax of a security template to ensure that it is correct before you import the template into a database for analysis or configuration. |
| /GenerateRollback | Allows you to create a rollback template that can be used to reset the security configuration to the values it had before the security template was applied. |


Of the available options, you will most often make use of /analyze and /configure. Examples and explanations of their usage are provided here.

To analyze the current security configuration of the local computer, you would issue the secedit.exe command with the following syntax:

secedit /analyze /db FileName /cfg FileName /overwrite /log FileName /quiet


Exam Alert: Viewing the Results of a Security Analysis

You need to view the results of a security analysis in the Security Configuration and Analysis snap-in by opening the database created during the analysis. At first it might seem like running the analysis from the command line and then viewing the results in the GUI is counter-productive. In reality, the opposite is the case. Say you run secedit.exe from a script on multiple computers. You can then view the databases, one for each computer, in the GUI at your leisure to determine what changes need to be made to the security settings on the computers. You can use the %computername% variable when creating the database and log files to create one set of results for each computer being scanned.


The secedit /analyze parameters are explained in detail in Table 5.4.

Table 5.4. The secedit /analyze Parameters

| Parameter | Description |
| --- | --- |
| /db FileName | Specifies the pathname and filename of the database to be used to perform the analysis. |
| /cfg FileName | Specifies the pathname and filename of the security template that is to be imported into the database before the analysis is performed. |
| /overwrite | Specifies that the database is to be emptied before the security template is imported. |
| /log FileName | Specifies the pathname and filename of the file that is used to log the status of the analysis process. By default, a log named scesrv.log is created in the %windir%\security\logs directory. |
| /quiet | Specifies that the analysis process should take place without further onscreen comments. |


For example, suppose that you wanted to analyze the settings on a computer and compare the settings to those contained in the securews.inf template. You could issue the following command to perform this function:

secedit /analyze /db d:\sectest\test1.sdb /cfg d:\WINDOWS\security\templates\securews.inf /log d:\sectest\test1.log


If all goes well, you should see something like what is shown in Figure 5.15.

Figure 5.15. You can quickly perform an analysis from the command line by using the secedit.exe command.


To configure the current security configuration of the local computer, you would issue the secedit.exe command with the following syntax:

secedit /configure /db FileName /cfg FileName /overwrite /areas Area1 Area2 ... /log FileName /quiet


The secedit /configure parameters are explained in detail in Table 5.5.

Table 5.5. The secedit /configure Parameters

| Parameter | Description |
| --- | --- |
| /db FileName | Specifies the pathname and filename of the database to be used to perform the configuration. |
| /cfg FileName | Specifies the pathname and filename of the security template that is to be imported into the database before the configuration is performed. |
| /overwrite | Specifies that the database is to be emptied before the security template is imported. |
| /areas | Specifies the security areas that are to be applied to the system. By default, when this parameter is not specified, all security areas are applied to the computer. These are the available options: SECURITYPOLICY (account policies, audit policies, settings for the event logs, and other security options); GROUP_MGMT (the Restricted Group settings); USER_RIGHTS (the User Rights Assignment settings); REGKEYS (the Registry permissions settings); FILESTORE (the File System permissions settings); SERVICES (the System Service settings). |
| /log FileName | Specifies the pathname and filename of the file that is used to log the status of the analysis process. By default, a log named scesrv.log is created in the %windir%\security\logs directory. |
| /quiet | Specifies that the configuration process should take place without further onscreen comments. |


For example, suppose that you wanted to configure the settings on a computer with the settings in the securews.inf template. If you wanted the database and log files to be located in the d:\sectest\ directory and your Windows installation was located on volume D, you could issue the following command to perform this function:

secedit /configure /db d:\sectest\test1.sdb /cfg D:\WINDOWS\security\templates\securews.inf /log d:\sectest\test1.log





MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
EAN: 2147483647
Year: 2006
Pages: 196
Authors: Will Schmied
