Each time you apply a security template, it changes only the OS settings that the template defines. If you need to apply several templates to secure a system, you can approach the problem in two ways. You can apply each template sequentially (i.e., incrementally) to a system to obtain a composite of all settings in all templates. When you’re satisfied that all the templates work, you can shorten the implementation process by combining several templates into one composite database and applying the composite template once.

For example, the standard security template for an end-user workstation might implement Windows 2000 setup ACLs on the system root, allow a user five logon failures before the OS disables the account, require a password history of 3, permit only the logged-on user to access floppy disk and CD-ROM drives, and possibly disable the Internet Connection Sharing (ICS) service. When you configure end-user workstations with the generic workstation template, every system looks and acts the same, which is a great timesaver for troubleshooting and maintenance. You need only one template to implement all these settings.

Now, suppose you need to deploy several public workstations. By definition, a public machine is much less secure than an end-user machine, so you define another template that implements a second layer of more secure settings. The incremental template for a public workstation might disable all unnecessary services, disable the Everyone group’s access to the root of all disk partitions, and disable nonadministrative access to event logs. To configure a public workstation, you first apply the generic end-user template, then apply the custom template that disables services and Everyone access.

Incremental templates let you test, troubleshoot, and debug each template individually. When you’re dealing with access to key OS components, directories, registry keys and values, and OS log files, it’s easy to implement a control that prevents the system from functioning properly. If the template that you apply has problems, you can revert the system to its previous state by applying the previous template.

When you’re happy with the results, you can import the templates into the Microsoft Management Console (MMC) Security Configuration and Analysis snap-in, create a composite database of the policies in the two templates, then export the combined settings and policies to one template file. With the composite template, you can configure the security settings for a public workstation in one operation instead of applying two templates sequentially.