
6.3. Local Group Policy

Now let's examine the two different types of GP, starting with local GP and moving to domain-based GP. Although local policies don't have the flexibility of domain-based GPs, as you will see, they still are a valuable tool for creating a deployable set of standards for computers in your organization. Local policies are most useful for creating a security configuration for either clients or servers that is appropriate for your company. With the Security Templates snap-in, you can create role-based templates that configure most security-related settings on your machines. And with the Security Configuration and Analysis Tool snap-in (covered in detail in Chapter 7), you can create a database of roles and policies for your organization's machines.

In this section, I'll look at local security policy and using the security templates features to create a consistent security configuration.

6.3.1. Security Templates

Microsoft wisely decided to ship Windows with a few predefined security settings files, hereafter referred to as "security templates." These files contain what are essentially recipes for configuring a machine's security policy based on its daily role. These templates, designed to be applied to new Windows installations that already have had a basic template applied, must be used on systems formatted with NTFS, at least on the boot partition (the one containing the operating system files). The incremental security templates are as follows:

  • For workstations or servers in which users ought to be prevented from being in the Power Users group, apply the compatws.inf template. This template compensates for the lack of additional privileges afforded to members of the Power Users group by relaxing the rights restrictions on the normal Users group. But be careful: you should only use this template if you're dealing with non-certified software (programs that don't have the Windows logo affixed to them) that won't otherwise run.

  • To further secure workstations or servers, the securews.inf template increases the overall security level of a machine by tightening areas of the OS not under the purview of rights and restrictions. Areas that are more secured using this template include account policy settings, auditing controls, and registry keys that are prominent in security policy. The appropriate version of this template for Windows domain controllers is securedc.inf.

  • For the ultra-paranoid and for those with the most stringent security requirements, the hisecws.inf template (or, for domain controllers, hisecdc.inf) can be used; however, because all network transmissions must be signed and encrypted by Windows machines, this template is appropriate only in pure Windows 2000 or greater environments.

  • Setup security.inf restores the security settings of a machine to their default, out-of-the-box configuration. Use this if you have made modifications and want to completely reverse them and "wipe the slate clean," as it were.

  • Rootsec.inf specifies the newer, more secure permissions for the root of the system drive, first introduced in Windows XP and carried over into Windows Server 2003. Most significantly, this removes the full control permissions from Everyone on the system drive. You also can use this template to reapply the more stringent root directory security on systems where the baseline security settings have been modified.

  • DC security.inf refers to the default security template for domain controllers, which imposes more stringent requirements on network transmissions and secures more portions of the filesystem and registry. This template is created when a server is promoted to domain controller status.

  • Iesacls.inf provides a tighter security configuration for Internet Explorer, restricting scripting activity in certain untrusted zones and providing a more stringent, but secure, web browsing atmosphere.

These convenient templates are designed to be used with the Security Templates snap-in. Using the snap-in, you can apply the basic and incremental security templates included with the product, or you can modify the templates to create your own easily distributable templates.

To begin using the Security Templates snap-in, follow this procedure:

  1. Run mmc /s from a command line. This loads the MMC in author mode, allowing you to add a snap-in.

  2. From the Console menu, select Add/Remove Snap-in. Then select Add. This raises a dialog box entitled Add Standalone Snap-in.

  3. From the list, select Security Templates, click Add, and then click Close.

  4. Click OK in the next box to confirm the addition of the snap-in.

Now you have the Security Templates snap-in added to a console. From this snap-in, you can expand the Security Templates section in the console tree on the left, and then expand the C:\Windows\security\templates folder to view the predefined security templates discussed earlier.

6.3.2. Creating a Custom Security Template

You might want to make your own customized policy modifications that go above and beyond those made in the templates shipped with Windows. Creating a custom security template affords you an easy way to package, deploy, and apply these modifications with a minimum of administrative headache. Best of all, you can use these templates in conjunction with a utility called the Security Configuration and Analysis Tool to assess the overall "hardness," or state of security, of your machines.

To create your own security template, follow these steps:

  1. In the Security Templates console, expand Security Templates in the tree pane on the left, and right-click C:\Windows\security\templates (this is the default templates folder in the system).

  2. Select New Template from the context menu that appears.

Now you can make any policy modifications you want in any one of the policy areas supported by the tool: account policies, local policies, the event log, restricted groups, system services, the registry, and the filesystem. Your additions, deletions, and other changes are saved directly into the template as they are made.

To take this one step further, you might decide to build on the basic policy settings provided by the basic and incremental templates shipped with Windows. In that case, it's quite simple to open the basic or incremental templates, resave to a different name, and make further modifications to create your own custom template. To do so, follow these steps:

  1. Select an existing template inside the Security Templates console. In this example, I'll use the securews.inf file.

  2. Right-click the existing template, and click Save as … from the context menu.

  3. Give the new template a name.

  4. Click OK. The new template is created with the settings from the old basic template.

6.3.3. Compiling the Security Database

The next step is to compile your templates into a security database using the Security Configuration and Analysis (SCA) tool. From within the MMC, add the SCA tool to the console. Then do the following:

  1. Right-click Security Configuration and Analysis and select Open Database.

  2. From the Open Database dialog, type the name of a new database.

  3. Because no database exists with that name, you'll be prompted for the specific security template from which the database should be built. The choices in this box come from the C:\Windows\Security\Templates folder. Choose the template, and click OK.

Although you won't get any confirmation from the user interface, the template has been added to the database. Now you can right-click the SCA tool in the left pane and choose either Analyze Computer Now or Configure Computer Now. When you select Analyze Computer Now, the SCA tool looks at the new security configuration within the database, compares it with the current state of the computer, and reports on the differences; the report also is saved to a logfile in \My Documents\Security\Logs. Alternatively, when you select Configure Computer Now, the changes will actually be committed to your system. You want to avoid using that option unless you're absolutely sure you want the results in production without seeing them first.

You also can script the application of templates across multiple computers, using a login script, Telnet server, or some other means, by taking advantage of the SECEDIT utility. SECEDIT takes a template file, adds it to the SCA database, and then applies the security settings to the machine on which SECEDIT is being run. For example, to import a template named Hassell-secure.inf, compile it into an SCA database called securepcs (overwriting any data already in the database), apply it to the current computer, and create a log for all of these actions named apply.log, issue the following command:

    secedit /configure /cfg Hassell-secure.inf /db securepcs /overwrite /log apply.log

If you've already imported the template into SCA manually, and you just need to apply the settings to a computer, issue the following command:

    secedit /configure /db securepcs /overwrite /log apply.log
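The template file format described in Section 6.3.1, the custom-template idea from Section 6.3.2, and the SECEDIT workflow just shown come together in the following PowerShell script. It is an added example, not code from the book or from Microsoft: the template values are constructed for illustration, the file, database and log paths are assumed placeholders, and the script follows the advice above by running the command-line equivalent of Analyze Computer Now first and committing changes only when explicitly told to.

```powershell
<#
 Added example (not from the book). Stages a small custom security template,
 analyzes it against the local machine with SECEDIT, and applies it only when
 -Apply is given. Assumes an elevated PowerShell session on a Windows machine
 with secedit.exe; all paths below are placeholders you may change.
#>
param(
    [string]$TemplatePath = "$env:TEMP\custom-baseline.inf",   # assumed path
    [string]$DatabasePath = "$env:TEMP\custom-baseline.sdb",   # assumed path
    [string]$LogPath      = "$env:TEMP\custom-baseline.log",   # assumed path
    [switch]$Apply                                              # commit changes only when set
)

# A minimal incremental template in the INF layout the Security Templates snap-in
# saves (sections such as [System Access] and [Event Audit]). The values are
# constructed for this example and are not one of the shipped templates.
$template = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
MaximumPasswordAge = 60
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Templates declare Unicode=yes, so write the file as Unicode (UTF-16) text.
Set-Content -Path $TemplatePath -Value $template -Encoding Unicode

# Step 1: compile the template into a database and compare it with this computer.
# This mirrors "Analyze Computer Now": nothing on the machine is changed.
& secedit.exe /analyze /db $DatabasePath /cfg $TemplatePath /overwrite /log $LogPath /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit /analyze failed with exit code $LASTEXITCODE; see $LogPath"
}

# Step 2: surface the differences for review before anything is committed.
# Assumption: the analysis log marks differing settings with 'Mismatch' lines and
# settings the machine lacks with 'Not Configured'; adjust the pattern if yours differs.
Get-Content -Path $LogPath | Where-Object { $_ -match 'Mismatch|Not Configured|Error' }

# Step 3: the equivalent of "Configure Computer Now", gated behind -Apply.
# The database already holds the template from step 1, so no /cfg is needed here.
if ($Apply) {
    & secedit.exe /configure /db $DatabasePath /log $LogPath /quiet
    if ($LASTEXITCODE -ne 0) {
        throw "secedit /configure failed with exit code $LASTEXITCODE; see $LogPath"
    }
    Write-Output "Applied $TemplatePath to this computer; details in $LogPath."
} else {
    Write-Output "Analysis only. Re-run with -Apply to commit these settings."
}
```

Run the script once without parameters to see what would change, read the log, and only then run it again with -Apply. Distributing it through a login script or another remote-execution mechanism gives you the scripted rollout the text describes, with the review step built in.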
