The Microsoft Management Console (MMC) Security Templates snap-in comes with 12 built-in security templates. These built-in templates define five security roles: basic, secure, highly secure, compatible, and optional component file security.

Basic templates. Basic templates implement Microsoft’s recommended policies for a fresh installation (i.e., not an upgrade) of Windows 2000 on a workstation (Basicwk), server (Basicsv), and domain controller (DC—Basicdc). The basic templates don’t modify user rights settings because many applications assign user rights that the software needs to function properly. If a template modifies these rights, the legacy application might no longer run.

You should never modify the basic templates. Their primary purpose is to reset a system to a known state when you’re configuring and testing modified or custom security templates. If you modify the basic templates, you have no easy method for undoing the changes and restoring a system to its newly installed state. (If you do modify a basic template, you can replace the modified .inf file with an unmodified copy from the \security\templates directory on another machine.)

Secure templates. Secure templates implement policies for all security areas except the registry and the file system. Securews and Securedc define a password history, a minimum password length, an account lockout threshold, and an account lockout duration. They enable basic security auditing, don’t let Anonymous users enumerate SAM accounts, prevent users from installing print drivers, and let you install unsigned drivers after the OS issues a warning message. These templates remove all members of the Power Users group but don’t modify ACLs on the file system or the registry. You can automatically remove Power Users rights from interactive users by applying this built-in template to Win2K Professional systems in a domain or organizational unit (OU).

Highly secure templates. The Hisecws and Hisecdc templates add stringent controls on how Win2K systems communicate with each other. For example, these templates disable legacy authentication protocols that a Windows NT or Windows 9x client might use. When you configure Win2K with a highly secure template, the system won’t be able to communicate with legacy systems. Thus, I recommend that you carefully examine the template settings before you assign them or use them as boilerplates for defining a custom template. Be aware that these templates set many security-related parameters to their most secure settings without regard to performance, ease of use, or legacy system interoperability.

Compatible templates. The Compatws template lowers the security levels on specific files, folders, and registry keys that legacy applications commonly access and removes all members of the Power Users group. The purpose of this template is to let most legacy applications run successfully under a User context rather than making all local Users members of the Power Users group.

Optional component file security. The Ocfiless and Ocfilesw templates define more stringent NTFS permissions and inheritance rules for directories and files in the system root and for shared components in the Program Files directory.

To bring a workstation into compliance with the Securews template, apply the Basicwk template, then the Securews template. To bring the same system into compliance with a highly secure template, apply the Basicwk template, the Securews template, then the Hisecws template. Each template implements a set of nonoverlapping policies and controls, and you must implement all of them to achieve the desired result.