Geeks With Blogs
Robert's Sysadmin Blog Unraveling the datacenter one fibre at a time
I finally got my nerve together and recorded an Admin-to-Admin segment for the In The Trenches podcast

Article here: http://kevindevin.com/?p=156
Listen to the episode here: http://libsyn.com/media/inthetrenches/ITT-20050811.mp3

Here are the notes for my segment:

 

Using Security Templates

Uses

  • Enforcing security policy onto a Workstation or Server
  • Setting software restriction policy (name, hash, path)
  • Setting secured groups
  • Enforcing NTFS permissions
  • Enforcing Registry Permissions
  • Enforcing the status of Services

Pre-defined Security Templates:

C:\windows\security\templates

  • Compatws.inf – This is required by older applications that need to have weaker security to access the Registry and the file system.

  • DC security.inf – This is used to configure security of the Registry and File system of a computer that was upgraded from Windows NT to Windows 2000/2003.

  • Hisecdc.inf – This is used to increase the security and communications with the domain controllers.

  • Hisecws.inf – This is used to increase security and communications for the client computers and member servers.

  • Notssid.inf – This is used to weaken security to allow older applications to run on Windows Terminal Services.

  • Ocfiless.inf – This is for optional components that are installed after the main operating system is installed. This will support services such as Terminal Services and Certificate Services.

  • Securedc.inf – This is used to increase the security and communications with the domain controllers, but not to the level of the High Security DC security template.

  • Securews.inf – This is used to increase security and communications for the client computers and member servers.

  • Setup security.inf – This is used to reapply the default security settings of a freshly installed computer.

More security templates can be downloaded with the Windows Server 2003 Security Guide: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx

Add your own registry settings:

All security settings are in fact just registry settings. Add your own by editing the Sceregvl.inf file.

See the link to the MS article in show notes.

Group Policy:

Import into GPOs. Remember when modeling security settings that domain controllers have their own local security settings set, like SMB signing.

MMC Snap ins:

  • Security Templates

Always make copies of the predefined templates to a different location

  • Security Configuration and Analysis

The Security "Database", importing Security Templates, and analyzing against the local system

Other useful snap-ins for working on security templates with Group Policy:

  • Group Policy Management Console
  • Resultant Set of Policy
  • Local Policy
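The notes above say to work on copies of the predefined templates and then import the result into a GPO. The following added example (not part of the original show notes) parses two templates and lists every setting that differs, so a customized copy can be reviewed before it is imported. Both templates are constructed samples, and the function names are hypothetical.

```python
# Added example: diff a customized security template against its predefined original.
# Both templates below are constructed samples, not files shipped with Windows.

def parse_template(text):
    """Return {section: {key: value}} for security template (.inf) text.

    'key = value' lines split on the first '='; comma records such as those in
    [Service General Setting] or [File Security] are keyed by their first field.
    Keys are lower-cased because registry paths and service names ignore case.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None:
            sep = "=" if "=" in line.split(",")[0] else ","
            key, _, value = line.partition(sep)
            current[key.strip().strip('"').lower()] = value.strip()
    return sections

def diff_templates(base_text, custom_text):
    """List (section, key, base_value, custom_value) for every setting that differs."""
    base, custom = parse_template(base_text), parse_template(custom_text)
    changes = []
    for section in sorted(set(base) | set(custom)):
        b, c = base.get(section, {}), custom.get(section, {})
        for key in sorted(set(b) | set(c)):
            if b.get(key) != c.get(key):
                changes.append((section, key, b.get(key), c.get(key)))
    return changes

HEADER = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
SIGNING = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature"
PREDEFINED = (HEADER + "[System Access]\nMinimumPasswordLength = 8\n"
              "[Registry Values]\n" + SIGNING + "=4,0\n"
              '[Service General Setting]\n"TlntSvr",4,""\n')
CUSTOM = (HEADER + "[System Access]\nMinimumPasswordLength = 12\n"
          "[Registry Values]\n" + SIGNING + "=4,1\n"      # 4 = REG_DWORD, 1 = require SMB signing
          '[Service General Setting]\n"TlntSvr",4,""\n"Messenger",4,""\n')  # 4 = Disabled

if __name__ == "__main__":
    for section, key, old, new in diff_templates(PREDEFINED, CUSTOM):
        print(f"[{section}] {key}: {old!r} -> {new!r}")
```

To run it against real files, read each template with the encoding it was saved in; UTF-16 is an assumption to check against your own copies.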

Service Pack 1 Security Configuration Wizard

Why did we need it?

Before, we had separate management interfaces for:

  • Security settings and all the things the Templates covered
  • IIS Security
  • Windows Firewall Settings
  • Registry settings (required you to make your own ADM files and security template)
  • IP Security policy (GPO-centric)

SCW combined all these things, and adds advantages:

  • Everything combined into a single XML file (easy to read and edit)
  • Can export to GPO or apply directly locally and remotely.
  • Import Security Templates
  • Can scan current system config and create a baseline

Overlap in functionality:

  • SCW doesn't support NTFS and registry security
  • Templates don't cover IIS, IPSec or Firewall.

Neither SCW nor Security Templates cover the other features of Group or Local policy: Administrative Templates

You will need them BOTH to create a secure environment... use GPOs as the end result. Import Security Templates into SCW files during creation; SCW settings take precedence. If used separately, then you have to keep an eye on GPO precedence.

Links:

How to apply predefined security templates in Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;816585

HOW TO: Analyze System Security in Windows Server 2003 http://support.microsoft.com/kb/816580/EN-US/

HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003 http://support.microsoft.com/kb/816297/EN-US/

How to Add Custom Registry Settings to Security Configuration Editor http://support.microsoft.com/default.aspx?scid=214752

Group Policy Home http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx

Security Configuration Wizard for Windows Server 2003 http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

Windows Server 2003 Security Guide http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx

Posted on Friday, August 12, 2005 9:22 AM | Tech, In The Trenches


Comments on this post: ITT: Using Security Templates and the SCW in Windows Server 2003



Copyright © Robert Kloosterhuis