I finally got my nerve together and recorded an Admin-to-Admin segment for the In The Trenches podcast
Article here: http://kevindevin.com/?p=156
Listen to the episode here: http://libsyn.com/media/inthetrenches/ITT-20050811.mp3
Here are the notes for my segment:
Using Security Templates
Uses
- Enforcing security policy onto a Workstation or Server
- Setting software restriction policy (name, hash, path)
- Setting secured groups
- Enforcing NTFS permissions
- Enforcing Registry Permissions
- Enforcing the status of Services
Pre-defined Security Templates:
C:\windows\security\templates
- Compatws.inf – This is required by older applications that need to have weaker security to access the Registry and the file system.
- DC security.inf – This is used to configure security of the Registry and File system of a computer that was upgraded from Windows NT to Windows 2000/2003.
- Hisecdc.inf – This is used to increase the security and communications with the domain controllers.
- Hisecws.inf – This is used to increase security and communications for the client computers and member servers.
- Notssid.inf – This is used to weaken security to allow older applications to run on Windows Terminal Services.
- Ocfiless.inf – This is for optional components that are installed after the main operating system is installed. This will support services such as Terminal Services and Certificate Services.
- Securedc.inf – This is used to increase the security and communications with the domain controllers, but not to the level of the High Security DC security template.
- Securews.inf – This is used to increase security and communications for the client computers and member servers.
- Setup security.inf – This is used to reapply the default security settings of a freshly installed computer.
More security templates can be downloaded with the Windows Serverv2003 Security Guide: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
Add your own registry settings:
All security settings are in fact just registry settings. Add your own by editing the Sceregvl.inf file.
See the link to the MS article in show notes.
Group Policy:
Import into GPO's Remember when modeling security settings, that Domain controller have their own local security settings set, like SMB signing.
MMC Snap ins:
Always make copies of the predefined templates to a different location
- Security Configuration and Analysis
The Security "Database" , importing security Templates, and analyzing against the local system
Other usefull snapins for working on security templates with Group Policy:
- Group Policy Management Console
- Resultant Set of Policy
- Local Policy
Service Pack 1 Security Configuration Wizard
Why did we need it?
Before we had Seperate management interfaces for:
- Security settings and all the things the Templates covered
- IIS Security
- Windows Firewall Settings
- Registry settings (required you to make your own ADM files and security template)
- IP Security policy (GPO-centric)
SCW combined all these things, and adds advantages:
- Everything combined into a single XML file ( easy to read and edit )
- Can export to GPO or apply directly locally and remotely.
- Import Security Templates
- Can scan current system comfig and create baseline
Overlap in functionality:
- CWS doesnt support NTFS and registry security
- Templates dont cover IIS, IP Sec? or Firewall.
Neither SCW nor Security Templates cover the other features of Group or Local policy: Administrative Templates
You will need them BOTH to create a secure enviroment... use GPO's as the end-result. Inport Security Templates into CWS files during creation, CWS settings take presedence. If used seperately, then you have to keep an eye on GPO presedence.
Links:
How to apply predefined security templates in Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;816585
HOW TO: Analyze System Security in Windows Server 2003 http://support.microsoft.com/kb/816580/EN-US/
HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003 http://support.microsoft.com/kb/816297/EN-US/
How to Add Custom Registry Settings to Security Configuration Editor http://support.microsoft.com/default.aspx?scid=214752
Group Policy Home http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx
Security Configuration Wizard for Windows Server 2003 http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
Windows Server 2003 Security Guide http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx