Many of our Windows Server 2003 and Windows 2000 Server systems are former Windows NT Server systems that were upgraded. We understand that such systems—as opposed to new systems with clean installations of Windows 2003 and Win2K Server—retain insecure permissions on the winnt folder and the registry. If this is true, what's the best way to fix these systems?
It's true. On NT Server, numerous registry keys that can be used to compromise a system or elevate a user's privileges have insecure default permissions. Also, permissions on the \winnt folder, in which Windows itself resides, default to granting full control to Everyone. Windows 2003 and Win2K Server's default permissions address this problem but only for systems installed fresh—not for upgraded computers. Group Policy is the best way to solve this problem, and the good news is that you don't have to manually enter the new, more secure default permissions into a Group Policy Object (GPO). Windows 2003 and Win2K Server come with several prebuilt security templates in \%systemroot%\system32\security\templates, and one of them, setup security.inf, contains the default permissions. All you have to do is make a copy of setup security.inf, then edit it with the Microsoft Management Console (MMC) Security Templates snap-in. Delete all policies in the new template except for the settings defined under File System and Registry. Save the template with a new name, then in the Group Policy Editor (GPE), open the GPO you'll use to change the permissions on your upgraded computers. Navigate to Computer Configuration\Windows Settings\Security Settings, right-click Security Settings, and select Import Policy. In the Import Policy From dialog box, select the template you just created and click Open. Windows will now import the file and registry permissions defined in the template. You can confirm the import was successful by exploring the File System and Registry folders in the GPO. Now, as your upgraded servers apply Group Policy, their permissions will be restricted.