I finally got my nerve together and recorded an Admin-to-Admin segment for the In The Trenches podcast
Article here: http://kevindevin.com/?p=156
Listen to the episode here: http://libsyn.com/media/inthetrenches/ITT-20050811.mp3
Here are the notes for my segment:
Using Security Templates
- Enforcing security policy onto a Workstation or Server
- Setting software restriction policy (name, hash, path)
- Setting secured groups
- Enforcing NTFS permissions
- Enforcing Registry Permissions
- Enforcing the status of Services
Pre-defined Security Templates:
- Compatws.inf – This is required by older applications that need to have weaker security to access the Registry and the file system.
- DC security.inf – This is used to configure security of the Registry and File system of a computer that was upgraded from Windows NT to Windows 2000/2003.
- Hisecdc.inf – This is used to increase the security and communications with the domain controllers.
- Hisecws.inf – This is used to increase security and communications for the client computers and member servers.
- Notssid.inf – This is used to weaken security to allow older applications to run on Windows Terminal Services.
- Ocfiless.inf – This is for optional components that are installed after the main operating system is installed. This will support services such as Terminal Services and Certificate Services.
- Securedc.inf – This is used to increase the security and communications with the domain controllers, but not to the level of the High Security DC security template.
- Securews.inf – This is used to increase security and communications for the client computers and member servers.
- Setup security.inf – This is used to reapply the default security settings of a freshly installed computer.
More security templates can be downloaded with the Windows Serverv2003 Security Guide: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
Add your own registry settings:
All security settings are in fact just registry settings. Add your own by editing the Sceregvl.inf file.
See the link to the MS article in show notes.
Import into GPO's Remember when modeling security settings, that Domain controller have their own local security settings set, like SMB signing.
MMC Snap ins:
Always make copies of the predefined templates to a different location
- Security Configuration and Analysis
The Security "Database" , importing security Templates, and analyzing against the local system
Other usefull snapins for working on security templates with Group Policy:
- Group Policy Management Console
- Resultant Set of Policy
- Local Policy
Service Pack 1 Security Configuration Wizard
Why did we need it?
Before we had Seperate management interfaces for:
- Security settings and all the things the Templates covered
- IIS Security
- Windows Firewall Settings
- Registry settings (required you to make your own ADM files and security template)
- IP Security policy (GPO-centric)
SCW combined all these things, and adds advantages:
- Everything combined into a single XML file ( easy to read and edit )
- Can export to GPO or apply directly locally and remotely.
- Import Security Templates
- Can scan current system comfig and create baseline
Overlap in functionality:
- CWS doesnt support NTFS and registry security
- Templates dont cover IIS, IP Sec? or Firewall.
Neither SCW nor Security Templates cover the other features of Group or Local policy: Administrative Templates
You will need them BOTH to create a secure enviroment... use GPO's as the end-result. Inport Security Templates into CWS files during creation, CWS settings take presedence. If used seperately, then you have to keep an eye on GPO presedence.
How to apply predefined security templates in Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;816585
HOW TO: Analyze System Security in Windows Server 2003 http://support.microsoft.com/kb/816580/EN-US/
HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003 http://support.microsoft.com/kb/816297/EN-US/
How to Add Custom Registry Settings to Security Configuration Editor http://support.microsoft.com/default.aspx?scid=214752
Group Policy Home http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx
Security Configuration Wizard for Windows Server 2003 http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
Windows Server 2003 Security Guide http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx