Security TemplatesTools

Security Templates

This snap-in can be used to view, create, or modify a security policy for a computer or network. You can import predefined templates and modify them or create your own templates and then apply them to a standalone computer or import them into Group Policy to apply them to computers in a domain. The console tree typically looks like this:

 Security Templates     Template Search Path         Template         Template... 

Right-clicking on each node makes different actions available, depending on the node.

Security Templates

Select this to define a new template search path.

Template Search Path ( C:\Windows\Security\Templates by default)

Select this to create a new template or delete an existing one. You can use Save As to save a copy of an existing template under a different name and then modify it. This can take less time than defining a new template from scratch. If you do create a new template, be sure to save it.

Template

Select a template to display and modify the template's security settings using the details pane.

Security Configuration and Analysis

This snap-in can be used to analyze and configure security settings on the local computer. For example, you can:

• Import security templates created using the Security Templates snap-in into a computer-specific datastore (database), merging or overwriting successive templates to create a composite template that you can save or export.

• Compare the current (effective) security settings on the local computer with settings stored in the database, displaying the differences for easy recognition. (A green check mark next to a setting means the current setting and the template setting agree; a red X means there is a difference; no mark means both the current setting and template setting are Not Defined.)

• Apply a security template to the Local Security Policy on the computer so that it takes effect immediately. If after performing analysis you choose to accept the current settings, the corresponding value in the database is modified to match.

To use this tool, select Security Configuration and Analysis to create a new database or open an existing one. To create a new database, you must first import a security template. You can then import additional templates into the database, either merging them with previously imported template settings or overwriting the existing settings. You can also directly modify security settings in the database once you have completed the analysis procedure described next.

You then analyze your computer to compare the settings in the database with the system's current local security settings. After analysis, select Security Configuration and Analysis again to display a logged description of the results of the analysis. Then, if desired, expand the different containers to display the differences between the database settings and the system's current security settings (differences marked with a red X, as explained earlier). For more information on these different security settings, see Group Policy earlier in this chapter.

Finally, you can do one of the following:

• Immediately apply the security template settings you imported into the database to the computer's local security policy by right-clicking on Security Configuration and Analysis and selecting Configure Computer Now. Choose this approach if you have only a few computers to configure. Changes will be applied when you reboot your computer. If your computers are part of a domain in which Group Policy is configured, however, be aware that the security settings you configure locally on your computers may be overwritten when Group Policy is applied.

• Export your database settings to a security template, which you can then import into a Group Policy Object (GPO). Choose this approach if you have a domain configuration with multiple computers to configure.