As we saw in the previous section, local policies can be exported and copied to other computers. However, trying to maintain a single policy across multiple standalone computers could potentially be a support nightmare. Fortunately, Microsoft has supplied some tools with the Security Configuration Tool Set to assist with this type of scenario. The next few sections cover some of the items Microsoft provides in this set.
Security Templates
Microsoft has supplied 12 preconfigured security templates with Windows 2000 Server. These sample templates are located in the %systemroot%\security\templates folder. The supplied templates cover a variety of scenarios, from a basic low-security workstation to a high-security domain controller. The templates can be applied as-is using the Import Policy option from the Local Security Settings MMC, as discussed in the previous section. Alternatively, the individual settings of a template can be copied, pasted, or merged with other templates. The security templates are supplied for four different security levels:
Windows 2000 systems that were upgraded from Windows NT 4.0 or earlier will have security settings roughly equivalent to the Compatible template. The default security settings are applied only when a clean installation of Windows 2000 is performed onto an NTFS partition.
While you can import the security templates using the Local Security Policy MMC, to configure them you need to use the Security Templates snap-in. The snap-in is not available by default; you must create a new MMC, or add it to an existing MMC. To create a new MMC to use with the Security Templates snap-in
From the Security Templates snap-in, you can
Security Configuration and Analysis Tool
The Security Configuration and Analysis Tool is used to compare the security settings of a computer to those of a template. It allows you to view the results and make any necessary changes to resolve the differences. The tool can also import, export or configure security settings in a Group Policy. Like the Security Templates, the Security Configuration and Analysis Tool is a snap-in that must be added to an MMC. To create the MMC
To start using the tool, you must create a database to hold the templates:
Now that the template is imported into the database, you can change the configuration, import attributes, or merge this template with other templates. After the configuration of the template is finished, you can use it to analyze your computer. The tool will compare the settings of the template in the database with those of any computer. It will flag the differences for you to examine, and allow you to make changes as desired. To perform an analysis
The log file shows all the settings encountered and whether or not they match. For a graphical view of the analysis, click each node and observe the icons for each setting. As shown in Figure 8.15, the various icons indicate the following:
Figure 8.15. The Add Security Configuration and Analysis snap-in, showing the results of an analysis.
If you want the settings on the computer that was being analyzed to be automatically configured to match the template in the database, right-click Security Configuration and Analysis and select Configure Computer Now from the pop-up menu.
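The comparison that the analysis performs can be sketched in a few lines. This is an added example, not code from the book or from Microsoft: it parses two constructed settings files in the INF layout that security templates use and reports, for each setting the template defines, whether the computer's value matches. The sample values, function names, and status labels are assumptions made for illustration.

```python
import configparser

# Constructed sample: baseline template in the INF layout of a security template.
TEMPLATE_INF = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed sample: settings of the computer being analyzed, same layout.
COMPUTER_INF = """
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 0
"""

SKIP = {"Unicode", "Version"}  # file metadata sections, not security settings

def parse_inf(text):
    """Parse INF text into {section: {setting: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s not in SKIP}

def analyze(template, computer):
    """Return sorted (section, setting, template, computer, status) rows."""
    rows = []
    for section, settings in template.items():
        for name, want in settings.items():  # only template settings are analyzed
            have = computer.get(section, {}).get(name)
            if have is None:
                status = "not set on computer"
            else:
                status = "match" if have == want else "mismatch"
            rows.append((section, name, want, have, status))
    return sorted(rows)

if __name__ == "__main__":
    for row in analyze(parse_inf(TEMPLATE_INF), parse_inf(COMPUTER_INF)):
        print("{4:<20} [{0}] {1}: template={2} computer={3}".format(*row))
```

Template files on disk are typically Unicode-encoded, so open them with the matching encoding before passing the text to `parse_inf`.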