
Windows 2000 and 2003 Server Security:
How Security Templates Make Your Life Easier

by Saskia Schott
Senior Instructor

A security template is a predefined set of settings for the Security Settings section of a Group Policy. With the release of Windows 2000 and Windows Server 2003, Microsoft put a basic set of templates into the %system%\Security\Templates directory. These templates hold the suggested settings for workstations and domain controllers at a secure level (securews and securedc) and at a high security level (hisecws and hisecdc). Another handy template is the "setup security" template, which can be used to reapply the settings of a fresh install to an upgraded machine.

To use a template, open Group Policy at the appropriate Active Directory level, whether that is the Domain Controllers Organizational Unit (OU) or another OU, right-click the Security Settings node under Computer Configuration, and choose "Import Policy." You choose the template to import and its settings are then applied.

If one of the default templates doesn't meet your needs, you can either copy a template by pointing to the original template and choosing "Save As," or you can right-click on the %system%\security\templates heading and choose "New Template." But before you go to those lengths, realize that Microsoft has created more templates that are available as part of the Windows Security Operation Guide downloads for both Windows 2000 and Windows Server 2003.

Additional Templates

With the Windows 2000 Security Operations Guide, Microsoft provided an additional 10 templates, and with the new 2003 guide, another 15 or 20 templates are available. These templates were designed for specific server roles: file server, print server, IIS, ISA, etc. They follow the guides' recommendation that you create a Servers OU and, under it, a specific OU for each type of server. You apply the baseline server template at the Servers OU, which turns off all unnecessary services and locks down the server in line with Microsoft's security guidelines. For example, the baseline server template turns off the Alerter service, the Messenger service, and the Spooler service, among others. Then, in the Print Server template, the Spooler service is turned on. Thus your print server is locked down with only the essential services running. Note that if you want your servers configured with Alerts, you will need to change the templates yourself before importing them into Group Policy so that the Alerter and Messenger services are running. As with all software you deploy, you will want to examine the templates closely and test them to ensure that your Group Policies operate as needed and expected.

Snap-ins

But what if you inherit an OU with a group policy? How can you see what it does or doesn't do? You now have two tools: the Group Policy Management Console (GPMC), which is a free download from Microsoft, and the built-in MMC snap-in Security Configuration and Analysis. If you go to Start > Run > mmc and, in the File menu, choose Add/Remove Snap-in, you will be able to add the Group Policy Object Editor snap-in, the Security Templates snap-in, and the Security Configuration and Analysis snap-in. With these added, you can compare the settings of a template with the settings for a machine, or with those for an OU.

Analysis

Security Configuration and Analysis allows you to create a workspace in a database file (.sdb) where you can compare the security settings in a template or group of templates to those on the local computer. You give the file a name (mycomputer.sdb) and then choose the template to use for comparison. Note that you can reopen the .sdb file and start over by choosing "Clear this database before importing," or you can add another template. Once you've chosen one or more templates, you can configure your computer now, or better yet, you can analyze. I always analyze because I want to change the settings on a computer only by applying group policy, either local or domain group policy, and not by using the mmc.

Analyzing shows you, in a columnar format in the right pane, where policies differ between your computer settings and those in the chosen template(s). The differences are highlighted by red Xs next to each individual policy. While initially you see no differences when you look at the highest level of the tree in the right pane, when you look at each individual policy you will usually see many differences. Note, however, that not every template contains settings for every policy. Many have no settings for System Services or for File System. Once you have applied your chosen template(s) to an OU, you can use the Analysis snap-in to audit whether discrepancies exist between the template you deployed and the current settings.
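The following Python script is an added example, not part of this newsletter or of Microsoft's tools. It shows how the layering described under Additional Templates works (a baseline template disabling Alerter, Messenger and Spooler, then a print server template re-enabling Spooler) and mimics the analysis step above by reporting the services whose live startup type differs from the layered template. The .inf fragments and the machine snapshot are constructed for illustration.

```python
"""Parse [Service General Setting] entries from security-template .inf text, layer
templates in OU order, and report live services that differ from the layered result."""

# Startup-type codes used in the [Service General Setting] section of a template.
STARTUP = {"2": "Automatic", "3": "Manual", "4": "Disabled"}

# Constructed fragments in .inf syntax: ServiceName,StartupType,"SDDL security descriptor".
BASELINE_INF = """
[Service General Setting]
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
Messenger,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
Spooler,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""
PRINT_SERVER_INF = """
[Service General Setting]
Spooler,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""

def parse_services(inf_text):
    """Return {service: startup_code} for the template's [Service General Setting] section."""
    services = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and .inf comments
            continue
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
            continue
        if in_section:
            name, start, _sddl = line.split(",", 2)  # SDDL kept intact, not needed here
            services[name.strip()] = start.strip()
    return services

def layer(*templates):
    """Apply templates in OU order: a later template overrides settings it defines;
    settings it leaves undefined are inherited from the earlier template."""
    effective = {}
    for template in templates:
        effective.update(parse_services(template))
    return effective

def analyze(effective, live_state):
    """Mimic Security Configuration and Analysis: return (service, template, computer)
    rows where the live startup type differs, i.e. the rows that would get a red X.
    Services the template does not define are 'Not Defined' and never flagged."""
    return sorted((svc, STARTUP[want], STARTUP[live_state[svc]])
                  for svc, want in effective.items()
                  if svc in live_state and live_state[svc] != want)

if __name__ == "__main__":
    print_ou = layer(BASELINE_INF, PRINT_SERVER_INF)
    # Constructed snapshot of a print server that never received the baseline policy.
    live = {"Alerter": "2", "Messenger": "2", "Spooler": "2", "W32Time": "2"}
    for row in analyze(print_ou, live):
        print("X %s: template=%s, computer=%s" % row)
```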

By using the Microsoft templates and deploying them in a well-designed Active Directory OU structure, your deployment can be made both more secure and easier to manage.