Test-drive a template in XP and Win2K
In "What Security Templates Can Do for You," February 2003, http://www.winnetmag.com, InstantDoc ID 37604, I talk about some cool things that you can do with security templates. This month, I want to get more hands-on and take templates for a spin. I want to show you how to create for a workstation or member server a security template that performs three functions. First, the security template will control a group's membership by restricting the local Administrators group to just the local Administrator account and the Domain Admins group from the domain. Second, it will set the NTFS permissions for the directory C:\adminstuff so that it's accessible to only the local Administrators group. Finally, it will disable the Indexing Service.
Setting Up the Tool
Security templates are simply ASCII files, so, in theory, you could use Notepad to create them. But believe me, you don't want to do that. You'll accomplish more by using the Microsoft Management Console (MMC) Security Templates snap-in, which comes with Windows XP and Windows 2000.
First, open an empty MMC console. Click Start, Run, and type
Press Enter to bring up the empty MMC console. In that console, click File (or Console in Win2K), Add/Remove Snap-in to display the Add/Remove Snap-in dialog box. Click Add to access the Add Standalone Snap-in dialog box, select Security Templates, then click Add. Click Close, then OK, and you're ready to start playing.
Navigating the Snap-In
In the Console Root's directory tree, you'll see the Security Templates icon—a computer with a lock attached to it. Expand that icon, and another object will show the path to your system's security templates. The security templates reside in the \%systemroot% directory, inside the \security\templates folder. Expand this pathname object, and you'll see a list of prebuilt security templates. The number of prebuilt templates will vary depending on your OS version and installed service packs.
For example, one of the prebuilt templates on my XP system is called setup security. This template resets registry and NTFS permissions, user rights, and system service states to their out-of-the-box settings. This functionality is tremendously useful if you've messed with settings just to see what they do and you want to be sure you haven't changed something that might make your system unusable. (Of course, if you've made changes to the system that you want to keep, you'll lose them when you apply the setup security template.) Win2K systems contain templates called basicws.inf, basicsv.inf, and basicdc.inf (for workstations, member servers, and domain controllers—DCs, respectively), which perform the same functions as the setup security template.
Another set of templates tighten your system's security to varying degrees. Securedc.inf (for DCs) and securews.inf (for member servers and workstations) provide low-level system security, and hisecdc.inf and hisecws.inf crank up security. However, although "high security" sounds attractive, you should think twice before applying the hisecdc.inf and hisecws.inf templates. Some of the settings might render your XP and Win2K systems unable to communicate with your Windows NT 4.0 and Windows 9x systems. If you do apply one of these templates and regret it, you can apply the basicx.inf or setup security template to roll back your system's security to the out-of-the-box settings. The compatws.inf template, which sets your system's NTFS and registry ACLs to their less secure NT 4.0 settings, is also available. Some earlier applications simply won't run on XP or Win2K boxes unless you apply compatws.inf.
Click any folder under Security Templates, and in the right pane, you'll see folders that correspond to everything you can control with security templates:
- Account Policies—for controlling password, lockout, and Kerberos policies
- Local Policies—for controlling audit settings, user rights, and security settings
- Event Log—for controlling event-log settings and the NT Event Viewer
- Restricted Groups—for controlling what does and doesn't go into various local groups
- System Services—for turning on and off services and controlling who has the rights to modify system services
- Registry—for controlling permissions to change or view a specific registry key and enabling change auditing for keys
- File System—for controlling NTFS permissions on folders and files
Creating a Template
Enough sightseeing; let's build a template from scratch. Right-click the template path (my path is C:\windows\security\templates, but yours might be different), then choose New Template and enter a name. Let's call this template Simple. The new template will appear as a folder in the left pane, below the prebuilt templates. Now, just for kicks, let's restrict the Administrators group, set the ACLs on C:\adminstuff, and shut down the Indexing Service. We can do all this through the folders under Simple.
First, let's clean out the Administrators group and add only the local Administrator and the domain's Domain Admins group to the Administrators group. Expand Simple and click the Restricted Groups folder. If you're working on an XP box, you'll see There are no items to show in this view in the right pane; if you're working on a Win2K box, nothing will appear in the right pane. Right-click Restricted Groups and choose Add Group. In the Add Group dialog box, click Browse and choose your workstation or member server's local Administrators group. Be sure to choose the Administrators group from your local computer rather than from your domain; if you're logged on to your workstation with a domain account, the Browse dialog box will assume that you want to add items from the domain—not from your workstation's or member server's local SAM. (Or, you can skip the browsing process and simply type Administrators in the Add Group dialog box.) After you return to the Add Group dialog box, click OK. If you're working on an XP system, you'll immediately see a new dialog box called Administrators Properties. (If you're working on a Win2K system, you need to right-click Administrators in the right pane and choose Security to access this dialog box, which Win2K labels Configure Membership for Administrators.)
In this dialog box, you'll see an upper section labeled Members of this group and a lower section labeled This group is a member of. In the upper section, click Add to access the Add Member dialog box. If you're running Win2K, click Browse, and select the Domain Admins group from your domain. If you're using XP, clicking Browse takes you to the Select Users or Groups dialog box, but Domain Admins doesn't appear in the list. In XP, you need to first click Object Types, select Groups, and click OK to return to the Select Users or Groups dialog box. Then, choose Domain Admins, click OK to return to Add User, and click OK to return to the Administrators Properties dialog box. Follow the same steps to add the local Administrator account, then click OK.
Now, let's set up the security template so that any system with a folder named C:\adminstuff will make that folder accessible only to the local administrators. Back in the left pane of Console Root, right-click File System and choose Add File. In the dialog box that appears, you can either browse to a particular directory or simply type the directory name. Typing the directory name will work even if the computer on which you're creating the template doesn't have a folder by that name. Type
You'll see the standard NTFS permissions dialog box. Delete the existing permissions, and add Full Control permissions for the local Administrators group. Notice that you can also perform advanced NTFS adjustments, such as setting auditing ACLs and granting ownership. The program asks whether you want these permissions to apply only to this folder or to all child folders. Set this option as you want, then click OK.
Ever since CodeRed and Nimda, the Indexing Service gives me the willies, so I like to disable it on systems that don't need it. In the Console Root's left pane, click the System Services folder. In the right pane, right-click Indexing Service and choose Properties (if you're working from an XP system) or Security (from a Win2K system). Select Define this policy setting in the template, which brings up the Security for Indexing Service dialog box. You don't need that dialog box, so click Cancel to return to Indexing Service Properties (in XP) or Template Security Policy Setting (in Win2K). In that dialog box, choose Disabled, then click OK.
To save the template, right-click it in the Console Root's left pane and click Save. You now have a file named simple.inf in your \winnt\security\templates or \windows\security\templates folder. Use the Secedit command to activate the template (be sure to type the command on one line):
/overwrite /log <logfilename>
where templatefilename is the name of the ASCII security template (C:\windows\security\templates\simple.inf, in our case) and databasefilename is the name of a security database file.
A security template is like a bit of computer source code: human-readable but not immediately useful to the computer. Just as source code must be compiled into an executable, so must a security template be reduced to a binary form called a security database. Secedit can both compile the template and apply the binary database, but you must supply a path and filename for the database—let's call ours C:\security\simple.db.
Finally, Secedit wants to report on the process, so it needs the name of a file to which to write an ASCII log—C:\security\simple.log works fine. The /overwrite option tells Secedit to overwrite any existing file with the same name. The fully assembled command is
C:\windows\security\templates simple.inf /db C:\security\simple.db
/overwrite /log C:\security\simple.log
That's a lot of command lining, but its effects make it worthwhile. Try out a few templates, and I think you'll be hooked on these powerful tools.