Customize security templates to roll out security policies

One of the greatest challenges you face is ensuring that each machine on your network conforms to a standard security policy. Since Windows NT 4.0 Service Pack 4 (SP4) came out, Microsoft has provided security templates and tools that you can use to accomplish this task. With Windows 2000, these templates and the tools to support them have matured and grown in functionality. Surprisingly, however, some administrators haven't heard of them, and many more administrators don't realize these tools' full potential.

This month, I show you how to use Win2K Microsoft Management Console (MMC) snap-ins to create, customize, and save security templates. I also show you how to use snap-ins to roll out and maintain template-based security policies.

Security Templates
A security template file is a text file that contains settings for various aspects of security, such as account and local policies, the event log, groups, system services, registry settings, and file-system permissions. By default, Windows stores these files with an .inf extension in the \%systemroot%\security\templates folder.

Microsoft supplies several security template files with the OS. The Microsoft Windows 2000 Server Resource Kit includes two further templates (you can find these templates in the resource kit installation directory), and you can download a custom security template to help you harden Win2K-based Web servers from the Microsoft Internet Information Services (IIS) 5.0 security checklist (http://www.microsoft.com/technet/prodtechnol/iis/tips/iis5chk.asp). Additional template files are created during the installation process and during promotion of a server to a domain controller (DC). Table 1, page 2, lists some notable templates. To open a template file and view its contents, double-click it or right-click the filename and select Open. However, be careful not to select the Install option, or you'll apply the settings in the template to your local system, which can be disastrous (especially on a DC).

Microsoft provides three basic security templates for workstation, server, and DC systems. These templates contain the baseline security configurations that should have been implemented when you performed a default fresh installation. If you upgraded an earlier Windows system to Win2K, the security settings won't match those in the basic templates. You must apply the appropriate template to your system by right-clicking the template and selecting Install or by using the MMC Security Configuration and Analysis snap-in, which I describe later.

The basic templates primarily define default registry and file-system permissions. If you're using FAT instead of NTFS partitions, you can't secure your system to the level that a basic template defines. If the basic templates don't provide sufficient security for your environment, consider using the secure and highly secure templates for workstation and DC systems. A secure template provides incrementally stricter security settings than a basic template, defining password policies, auditable events, and security options. A highly secure template provides incrementally stricter settings than a secure template; it expands the list of auditable events and tightens the security options. You must use the basic, secure, and highly secure templates in that order when auditing or configuring system security. (The Microsoft article "Windows 2000 Security Templates Are Incremental" at http://support.microsoft.com/support/kb/articles/q234/9/26.asp discusses this restriction in more detail.) As I show you later, you can create one template that incorporates these layered templates. However, you'll probably need to tailor these templates for your local requirements, and you should never apply a template without first looking to see what it contains and considering the implications for your systems and networks.

The MMC Security Templates Snap-in
The preferred method for viewing and modifying security templates is through the MMC Security Templates snap-in. By default, this snap-in doesn't appear under Start, Programs, Administrative Tools: You need to open MMC and add the snap-in to the console. To add the Security Templates snap-in, follow these steps:

  1. Click Start, Run. Type mmc, then click OK to open an empty console.
  2. Click the Console menu, then choose Add/Remove Snap-in.
  3. Click Add to display a dialog box that contains the list of available snap-ins, as Figure 1 shows.
  4. Scroll down the list to Security Templates, then click Add. Click Close.
  5. Click OK in the Add/Remove Snap-in dialog box.

When you expand the Security Templates snap-in in MMC, you see a list of the available security templates in the default folder. You can point the Security Templates snap-in to another folder by right-clicking the snap-in, then selecting New Template Search Path. Expanding the templates lets you examine the settings in each template.

I recommend that you never modify the templates that Microsoft supplies. Instead, use them as a basis for customized templates. You can create a template for customization by saving an existing template under a new name. I recommend that you incorporate identifying information about your environment, such as the domain name or system role, into the filename (e.g., productiondmziis.inf). You can create an empty template by right-clicking the Templates folder under the Security Templates snap-in and selecting New Template. A template that you create in this way has no settings defined in it. To modify the settings in your template to reflect your particular security requirements, drill down through the template until you see a setting you want to change, then double-click that setting. A dialog box such as the one in Figure 2 appears that lets you modify the setting.

The Security Configuration and Analysis Snap-in
The Security Configuration and Analysis snap-in lets you audit and configure system security. Like the Security Templates snap-in, you must add the Security Configuration and Analysis snap-in to MMC before you can use it.

At the heart of the Security Configuration and Analysis snap-in is a database engine that creates and uses a database with an .sdb extension. When you're analyzing security, the database stores the current computer settings. When you're configuring security, the database determines which template you need to apply to the computer by examining the current configuration against the template. Because the information in the database is unique to each machine, use a separate database for each computer. To open an existing database or create a new one, right-click the Security Configuration and Analysis snap-in, then select Open Database. Select a database from the drop-down list, or type the name of a new database in the Open Database dialog box, then click Open. If you create a new database, the Import Template dialog box appears; from this dialog box, you can select the security template you want to use before you click Open. (For information about a bug in the basicdc.inf security template, see the sidebar "Avoiding Errors in the Basicdc.inf Security Template." )

Analyzing Security Through the Snap-in
When you've created the database and imported a template (or opened an existing database), you can either analyze the security settings of your system or apply the security settings to the system. I recommend that you analyze the security of your system first so that you can make sure that you won't apply settings from a template that relaxes existing security settings. To analyze the system, right-click the Security Configuration and Analysis snap-in, then select Analyze Computer Now. The system prompts you for a location in which to store the log file created during the analysis. As the Security Configuration and Analysis snap-in analyzes the local system, it uses the progress indicator that Figure 3, page 4, shows to inform you of its progress.

When the analysis is complete, you can examine the results by expanding the Security Configuration and Analysis snap-in and clicking the settings you're interested in. MMC's right pane contains the details; most settings have three columns, as Figure 4 shows:

  • Setting name (e.g., Policy)
  • Database Setting
  • Computer Setting

When the computer setting is the same as or stricter than the database setting, the setting name has a green check mark beside it. When the computer setting is less strict than the database setting, the name has a red X beside it, and you need to investigate further. Right-clicking the Security Configuration and Analysis snap-in and selecting View Log File causes the log file created during the analysis to appear in MMC's right pane.

Configuring Security Through the Snap-in
Configuring computer security through the Security Configuration and Analysis snap-in is much like analyzing security. You must create a new database and import a security template or open an existing database. Start the configuration process by right-clicking the Security Configuration and Analysis snap-in and selecting Configure Computer Now. As during security analysis, a dialog box with a progress indicator appears; however, be aware that applying settings can take longer than analyzing them.

You can import multiple templates into a database by right-clicking the Security Configuration and Analysis snap-in and selecting Import Template. (Perform this step once for each template.) The imported settings are cumulative. After you've loaded the templates (e.g., the basic, secure, and highly secure workstation templates), you can edit them in the database just as you can modify a template. The changes in the database aren't applied until you choose to configure the computer.

The benefit of being able to modify the database is that when you're happy with the configuration, you can export a template file that contains all the settings by right-clicking the Security Configuration and Analysis snap-in and selecting Export Template. You can then apply the exported template to other machines in your organization.
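As an added illustration (not code from the article or from Microsoft), the following Python models the two behaviours this section and the analysis section describe: importing layered templates into the database, where settings are cumulative and a later template overrides an earlier one, and the analysis verdict of green check (computer setting equal to or stricter than the database setting) versus red X. The .inf section and key names used ([System Access], [Event Audit], MinimumPasswordLength, LockoutBadCount, AuditLogonEvents) are the real template format; the values, the sample "computer settings", and the rule that a larger value counts as stricter are constructed assumptions for this example.

```python
import configparser
# Constructed sample templates in the security-template .inf layout: the
# section and key names are the real ones, the values are made up here.
BASIC_INF = """
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
"""
SECURE_INF = """
[System Access]
MinimumPasswordLength = 8
[Event Audit]
AuditLogonEvents = 3
"""
# Assumption for the comparison: for these numeric keys a larger value is stricter.
HIGHER_IS_STRICTER = {"MinimumPasswordLength", "LockoutBadCount", "AuditLogonEvents"}


def parse_template(text):
    """Parse .inf text into {section: {key: value}}, numeric values as int."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names case-sensitive
    cp.read_string(text)
    return {s: {k: int(v) if v.strip().isdigit() else v.strip()
                for k, v in cp[s].items()} for s in cp.sections()}


def build_database(*templates):
    """Mimic Import Template once per template: cumulative, later template wins."""
    db = {}
    for tpl in templates:
        for section, settings in tpl.items():
            db.setdefault(section, {}).update(settings)
    return db


def analyze(db, computer):
    """Per setting: 'ok' (green check) when the computer value equals or is stricter
    than the database value, 'weaker' (red X) otherwise, 'not defined' if absent."""
    report = {}
    for section, settings in db.items():
        for key, wanted in settings.items():
            actual = computer.get(section, {}).get(key)
            if actual is None:
                verdict = "not defined"
            elif key in HIGHER_IS_STRICTER and isinstance(actual, int):
                verdict = "ok" if actual >= wanted else "weaker"
            else:
                verdict = "ok" if actual == wanted else "weaker"
            report[(section, key)] = verdict
    return report
```

Running `analyze(build_database(parse_template(BASIC_INF), parse_template(SECURE_INF)), computer)` against a constructed `computer` dictionary of current settings reproduces the snap-in's per-setting verdicts, with the secure template's password length overriding the basic one.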

Rolling Out and Maintaining Security Policies
When you've created templates for the machines in your organization, you can roll them out as part of a Group Policy. To access Group Policy Editor (GPE), open the MMC Active Directory Sites and Services snap-in or the MMC Active Directory Users and Computers snap-in (both of which you access from Start, Programs, Administrative Tools). Right-click an organizational unit (OU), domain, or site, select Properties, then click the Group Policy tab. (For more information about controlling and applying Group Policies, see "Related Reading.") You can also add the Group Policy snap-in to an empty or preexisting MMC. (See my directions earlier in this article for adding an MMC snap-in.)

With GPE open, you can import your templates by drilling down through the Default Domain Policy until you reach Security Settings. Then, right-click that container and select Import Policy. In the dialog box that appears, select the security template file that you want to use in the Group Policy. Using standard Group Policy functionality, you can create multiple security policies for different OUs, domains, and sites in your organization. If you import a template and apply it in error, you can undo the application by removing the template from the policy and applying the correct template. Unlike NT Policies, Group Policies are applied each time Win2K boots up and whenever a user logs on; settings that have been changed or deleted locally are effectively undone at the next refresh.

For More Information
Security templates provide you with a powerful means of configuring and analyzing security policies throughout your entire organization. For more information about the Microsoft security templates, go to the Distributed System Guide in the resource kit, or check out Microsoft's Web site and Knowledge Base for updated articles.