The built-in security templates define generic security roles for systems. As with any template, anticipating the many ways an enterprise might need to configure and control workstations and servers is difficult. When the built-in templates don’t reflect your needs, you can make a copy of an existing template, rename it during the copy operation, and add policies and controls that implement your specific security requirements. To begin copying templates, start Microsoft Management Console (MMC), then load the Security Templates snap-in. Make a copy of the Basicwk template by right-clicking Basicwk, selecting Save As, and giving the copy a new name before you click OK.
Let’s create a custom template called Vpnsv that defines security controls you might want to implement on a VPN server or a system that connects a small office/home office (SOHO) to the Internet. Vpnsv implements controls in these six security categories:
- Account Policies—defines password and account-lockout controls
- Local Policies—enables several categories of security auditing and restricts several operations in the Security Options key
- Event Log—restricts the Guest account from accessing event logs
- Restricted Groups—removes all members of the Power Users group
- System Services—disables many unneeded services (e.g., NetMeeting, Fax Service, Microsoft Indexing Service)
- File System—activates default ACLs on the system root directory
Documenting the location and values for all these settings would take a couple of pages, so I limit my example to how you disable services and remove all members of the Power Users group. After you work through this example, filling in the missing pieces should be easy.
Right-click Basicsv, select Save As, then rename the template Vpnsv. Both the Save and Save As commands store all templates in the default templates directory %windir%\security\templates, but you can specify an alternative location by entering the full path name in the Save dialog box. The Vpnsv template you just created should appear in the left pane of the console.
Expand Vpnsv in the left pane, then navigate to the Restricted Groups key. Right-click Restricted Groups, then select Add Group. Click Browse, select the local Power Users group, then click OK. Power Users should appear in the right pane. Double-click Power Users to display the members and, if the local Users group is listed, remove it.
Now, you need to disable several services that provide intrusion opportunities on a VPN server. In the console’s left pane, expand the System Services key, then double-click the FTP Publishing service to bring up the Template Security Policy Setting dialog box, in which you enable or disable a service or, if appropriate, select a startup mode. When you check the Define this policy setting option, the Security for FTP Publishing Service dialog box appears, which shows the accounts that have access to the FTP Publishing service and the type of access they have. If you’re performing this task on a clean Windows 2000 system, you’ll notice another insecure default setting that gives Everyone Full Control over the FTP service.
Ideally, only members of the local Administrators group should be able to control system services. Click Add, select the local computer in the Look in drop-down list, select the local Administrator account, click OK to return to the previous screen, and select the Full Control check box. When a system is a member of the domain, Domain Admins are automatically members of the local Administrator group. (However, the reverse situation, in which a local Administrator is a member of the Domain Administrator’s group, isn’t always true.) Next, highlight the Everyone group, then click Remove. Click Apply to return to the Template Security Policy Setting dialog box.
Now, you’re ready to disable the service. Select the Disabled option, then click OK to finish configuring the FTP service. Repeat this procedure for all other services that you want to disable. When you’ve made all the necessary changes, right-click the Vpnsv template and select Save to update the template with the changes you just made.
At this point, you might want to use the template guidelines above to add more controls to the Vpnsv template. For example, you might want to disable blank passwords and set values for account lockout in the Account Policies key, or you might want to enable security auditing in the Audit Policy key. Be sure you save the template one last time before you move on.
Now you’re ready to audit a VPN server against the template you just defined. Right-click the Security Templates snap-in, select Open database, then type
as the database name. When the snap-in displays the Import Templates dialog box, select vpnsv.inf, then click Open to load the database. Right-click the MMC Security Configuration and Analysis snap-in, select Analyze Computer Now, and accept the default log file name.
When the analysis is finished, examine the results in each security key below the Security Configuration and Analysis snap-in. If you don’t see any red circles, the system is already in compliance with the Vpnsv template. If discrepancies exist between the Vpnsv template and current system settings, you can apply the Vpnsv template by right-clicking the Security Configuration and Analysis snap-in, then selecting Configure Computer Now. After the template is successfully applied, you can check your work by running a second audit. The second time, every setting should match in both columns of the audit report.