Windows 2000 Security - Security Templates
(Page 3 of 6)
Microsoft wisely decided to ship Windows 2000 with a few predefined security settings files, hereafter referred to as “security templates.” These files contain what are essentially recipes for configuring a machine’s security policy based on its daily role. There are six predefined security templates:
- For computers running Windows 2000 Professional, basicwk.inf and securewk.inf
- For computers running Windows 2000 Server, basicsv.inf and securesv.inf
- For computers running Windows 2000 Server and functioning as a domain controller, basicdc.inf and securedc.inf
Inside these templates are specifications for almost all aspects of local security policy—the only area of local policy not included is user rights and groups. You’ll need to configure any desired user rights and groups modifications yourself. Additionally, Microsoft chose to include incremental security templates that go above and beyond the specifications made in the basic templates. These templates, designed to be applied to new Windows 2000 installations that have already had a basic template applied, must be used on systems formatted with NTFS, at least on the boot partition (the one containing the operating system files). The incremental security templates are as follows:
- For workstations or servers in which users ought to be prevented from being in the Power Users group, apply the compatws.inf template. This template compensates for the lack of additional privileges afforded to members of the Power Users group by relaxing the rights restrictions on the normal Users group.
- To further secure workstations or servers, the securews.inf template increases the overall security level of a machine by tightening areas of the OS not under the purview of rights and restrictions. Areas that are more secured using this template include account policy settings, auditing controls, and Registry keys that are prominent in security policy. The appropriate version of this template for Windows 2000 domain controllers is securedc.inf.
- For the ultraparanoid and those with the most stringent security requirements, the hisecws.inf file (and for domain controllers, the hisecdc.inf file) can be used; however, because all network transmissions must be signed and encrypted by Windows 2000 machines, this template is appropriate only in pure Windows 2000 or greater environments.
These convenient templates are designed to be used with the Security Templates snap-in to the Microsoft Management Console (MMC). Using the snap-in, you can apply the basic and incremental security templates included with the product, or you can make custom modifications to the templates and create your own easily distributable template.
To begin using the Security Templates snap-in, follow this procedure:
- Enter and run mmc /s from a command line. This loads the Microsoft Management Console in author mode, allowing you to add a snap-in.
- From the Console menu, select Add/Remove Snap-in. Then select Add. This opens a dialog box titled Add Standalone Snap-in.
- From the list, select Security Templates, click Add, and then click Close.
- Click OK in the next dialog box to confirm the addition of the snap-in.
You now have the Security Templates snap-in added to a console. From this snap-in, you can expand the Security Templates section in the console tree on the left, and then expand the C:\WINNT\security\templates folder to view the predefined security templates that were previously discussed.
Creating a Custom Security Template
You may wish to make your own customized policy modifications that go above and beyond those made in the templates shipped with Windows 2000. Creating a custom security template affords you an easy way to package, deploy, and apply these modifications with minimal administrative headaches. Best of all, you can use these templates in conjunction with a utility called the Security Configuration and Analysis tool to assess the overall “hardness,” or state of security, of your machines.
To create your own security template, do the following:
- In the Security Templates console, expand Security Templates in the tree view on the left, and right-click C:\WINNT\security\templates (this is the default templates folder in the system).
- Select New Template from the context menu that appears.
You may now make any policy modifications you wish in any one of the policy areas supported by the tool: account policies, local policies, the event log, restricted groups, system services, the Registry, and the file system. Your additions, deletions, and other changes are saved directly into the template as they’re made.
To take this one step further, you may decide to build on the policy settings provided by the basic and incremental templates shipped with Windows 2000. In that case, it’s quite simple to open a basic or incremental template, save it under a different name, and make further modifications to that copy in order to create your own custom template, as shown in the following procedure:
- Select an existing template inside the Security Templates console. In this example, I’ll use the securews.inf file.
- Right-click the existing template, and choose Save As from the context menu.
- Give the new template a name, as shown in Figure 3-1.
Figure 3-1. Creating a new security template.
- Click OK. The new template is created with the settings copied from the template you started with.
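Because the snap-in saves templates as INI-style text files, a custom template derived from securews.inf can also be compared with its base outside the console, which is a quick way to confirm that editing the copy tightened settings rather than accidentally deleting some. The following is an added example, not code from the book; the two template fragments are constructed for illustration and do not reproduce the contents of Microsoft's shipped files.

```python
# Added example (not from the book): parse two security templates (INI-style text:
# [Section] headers, key = value lines, ';' comments) and report what a custom
# template changes relative to its base. Both samples are CONSTRUCTED.
BASE_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
"""

CUSTOM_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
; LockoutBadCount was deleted while editing the copy
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
"""

def parse_template(text):
    """Return {section: {key: value}}; real files are Unicode, open with encoding="utf-16"."""
    sections, current = {}, None
    for line in (raw.split(";", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:   # blanks and comments fall through
            key, value = line.split("=", 1)          # registry values contain ','
            current[key.strip()] = value.strip()
    return sections

def diff_templates(base, custom):
    """Settings the custom template adds, changes or drops versus its base.
    A dropped setting is simply not configured when the template is applied."""
    report = {"added": [], "changed": [], "dropped": []}
    for section in sorted(set(base) | set(custom)):
        b, c = base.get(section, {}), custom.get(section, {})
        for key in sorted(set(b) | set(c)):
            if key not in b:
                report["added"].append((section, key, c[key]))
            elif key not in c:
                report["dropped"].append((section, key, b[key]))
            elif b[key] != c[key]:
                report["changed"].append((section, key, b[key], c[key]))
    return report
```

Review the "dropped" list before deploying a derived template: a setting missing from the copy is no longer enforced on the machines it is applied to.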
This chapter is from Hardening Windows, by Jonathan Hassell (Apress, 2004, ISBN: 1-59059-266-2). Check it out at your favorite bookstore today.