Ask Us About... Security, October 15, 2001

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By Steve Riley

Using Security Templates to Secure Your Windows 2000 Computer

Think, for a moment, about all the things you need to do to configure security on a computer. First, you need to consider what it is the computer is doing—without a good understanding of the computer's role, it's hard to know even where to start. Then decide on the specific security settings that make sense for that computer's role and reflect your organization's security policy (you do have one, right?). Broadly, such settings fall into these categories:

  • Account policies—passwords, lockout, Kerberos

  • Local/domain policies—auditing, user rights, various security options

  • Event log settings

  • Restricted groups—enforced membership of sensitive groups such as Administrators, so that anyone added by hand is removed again when the policy is applied

  • Permissions on system services

  • Permissions and auditing on registry keys

  • File system permissions

It's a lot to think about, but if you're configuring only one or two computers, it's probably not all that daunting. But what if you need to configure ten computers? Or 100? Or 1,000? How will you do this in a way that's consistent, predictable, repeatable, and not prone to error (or boredom)? Or, regardless of how many computers you have, how do you learn about what security changes are important, and compare the proposed settings to the current configuration? Windows 2000 includes a template-based security configuration and analysis tool that gives you just what you need.

On This Page

Getting Started
Analyzing and Configuring a Computer
Using Group Policy to Distribute Configurations
Step-by-step: How to Quickly Apply Computer Security Settings

Getting Started

You'll learn about security templates and analysis with a little hands-on work. First, create an MMC console specific to the job. Start MMC.EXE and load these snap-ins:

  • Security Templates

  • Security Configuration and Analysis

Now save this console with the name "Security Configuration" in your Administrative Tools folder so that it appears when you choose Start | Administrative Tools.

Much of the work you'll learn here is also possible using SECEDIT.EXE, a command-line tool included with Windows 2000. You'll learn how to use this tool, too. The steps here describe SECEDIT's equivalent of the things you'll do in the GUI; see the online help for complete information on SECEDIT.

Examining the Available Templates

The Security Templates snap-in lists all the templates installed on your computer. By default, these are the .inf files present in %WINDIR%\Security\Templates, shown in the tree when you expand the snap-in. Click the path to display the templates and their descriptions in the MMC's right-hand pane. Included with Windows 2000 are templates for:

  • Workstations—downlevel-compatible, basic, secure, highly secure

  • Servers—basic, secure, highly secure

  • Domain controllers—basic, secure, highly secure

  • Optional file component security for workstations and servers

  • Out-of-the-box security settings

  • Internet and intranet web servers (if you've installed the Windows 2000 Resource Kit)

Expand the path to see the template files; expand an individual template to see its settings. (Note how the settings conveniently match the categories at the beginning of this article.) You can peruse the settings for each template to learn what happens when you apply it; you can also double-click to edit any setting you might want to change. If you do make changes, right-click the template, rewrite its description, and save it to a new file. This allows you to reuse the original template if you decide you need to do so.

Note the template called "Setup Security"—this very important template returns a computer to Windows 2000's out-of-the-box security settings. You'll find this handy when you lock down a server so tight that nothing will run! Because it's large and rewrites permissions across the whole file system and registry, apply it locally with Security Configuration and Analysis or SECEDIT; don't import it into a Group Policy object, where it would be reapplied at every policy refresh.

Templates are incremental. For each role there is a basic, a secure, and a highly secure template, and the highly secure template is a superset of the secure one, so if you want that level of security, apply only the highly secure template rather than secure and then highly secure. Neither the secure nor the highly secure template re-applies the default file system and registry permissions that the basic templates (and "Setup Security") define; they assume the computer is already at the Windows 2000 defaults and tighten from there. Apply them to a computer that is at default or basic settings, not as a replacement for those settings. Appendix B of the Microsoft Press book, Microsoft Windows 2000 Security Technical Reference (https://www.microsoft.com/mspress/books/3873.asp), lists the settings for the default templates.

Analyzing and Configuring a Computer

Using one or more templates, you can analyze a computer's security settings, comparing its current configuration to the settings stored in the template(s). There are a couple of reasons you might want to do this:

  • The computer's current configuration might be weaker than what it should be; analysis will show exactly where

  • Analyzing a computer shows what changes will be made before you apply the template(s)

You can save the results to a database which you can then apply directly to the local computer, thus altering its settings to match the template(s). You can also export the database to a new template that you can apply to multiple computers with Group Policy. You can change any of the database settings before you export it to the template.

Creating a Database and Analyzing the Computer

Analysis is database-driven. You need to load at least one template into a database before you can perform any analysis and configuration.

  1. Right-click Security Configuration and Analysis.

  2. Choose Open Database, and give the database a name.

  3. The next dialog prompts you to select a template. Choose a template appropriate for the server you're analyzing.

  4. If you want to include more than one template in the analysis, right-click Security Configuration and Analysis again, choose Import Template, and select the one you want. Note that you can clear out all the existing templates if you select Clear this database before importing—useful if you picked a wrong template along the way. Of course, you could always just create a new database, too. If you use multiple templates and any of their settings conflict, the last-added template wins.

  5. Now you're ready for the analysis. Right-click Security Configuration and Analysis once more and choose Analyze Computer Now.

  6. You'll be prompted where to save the error log file. The default is fine.

Finally the analysis happens! The same categories you saw at the beginning of this article appear in the left-hand pane; browse through them to compare the database settings to the computer's current settings. A red X indicates a discrepancy; a green check indicates conformance; a setting with no icon at all was not defined in any template you imported.

Using SECEDIT.EXE. You can perform analysis at the command prompt using:

SECEDIT /ANALYZE /DB database-filename /CFG template-filename

Specify a path and filename for the database file you want to create (required) and the .INF security template file you want to import into the database (optional). SECEDIT creates a log file in the default location; use /LOG logpath to put it somewhere else. Add the /VERBOSE switch if you want lots of detail; add the /QUIET switch if you want no on-screen information and no log generation.

If database-filename doesn't exist, SECEDIT creates a new database using the settings in template-filename and performs the analysis. If database-filename exists, then SECEDIT merges the template settings into the database before performing the analysis. If you omit template-filename, SECEDIT performs the analysis using the settings already stored in the database.

Altering the Baseline Settings

You might decide that one particular setting should be different. You can either change the template used to perform the analysis or you can change the setting in the database itself. If you decide to change the template, understand that any future analysis using this template or any group policies that rely on this template will reflect the change you made. If you change the database, then any local computer you apply the database to will reflect the change you made. Since it's best to leave the default templates in their standard configurations, you'll probably want to change the database instead. Double-click the setting and make the change you need.

Another reason for changing the database (instead of the underlying templates) is that the template(s) you selected for the analysis might not have an entry for every possible setting. If a setting has neither a red X nor a green check, that setting wasn't specified in any of the baseline templates you chose. Double-click it, select Define this policy in the database, and configure the setting.
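To make the merge and analysis rules concrete, here is an added example (not Microsoft's code, and not the snap-in's real database format, which is a binary .sdb file) that models what the database does with the key=value sections of a security template: imports merge with the last-imported template winning on a conflict (step 4 of the database procedure above), clearing the database before an import empties it first (the snap-in's Clear this database option, or SECEDIT's /OVERWRITE switch), analysis yields conformance, discrepancy, or not-defined for each setting, and export writes the merged result back out as a template. The two templates and the "current machine" snapshot are constructed for illustration; they use real Windows 2000 section and key names (System Access, Registry Values, MinimumPasswordLength, RestrictAnonymous) but are not the contents of any shipped template. Sections such as File Security, Registry Keys and Service General Setting, whose lines are "name,mode,security descriptor" rather than key=value, are left out of the model.

```python
# Added example, not Microsoft's code: a model of what the analysis database does with
# .INF security templates (key=value sections only; "name,mode,SDDL" sections are not modelled).
from typing import Dict, Tuple

Setting = Tuple[str, str]                  # (section, key)
HEADER_SECTIONS = {"Unicode", "Version"}   # bookkeeping, not settings
SETTING_SECTIONS = {"System Access", "Kerberos Policy", "Event Audit",
                    "Privilege Rights", "Registry Values", "Group Membership"}

def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """{section: {key: value}}; ValueError on anything malformed (SECEDIT /VALIDATE's job)."""
    tpl: Dict[str, Dict[str, str]] = {}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section not in HEADER_SECTIONS | SETTING_SECTIONS:
                raise ValueError(f"line {lineno}: unknown section [{section}]")
            tpl.setdefault(section, {})
        elif section is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            tpl[section][key] = value
    if not HEADER_SECTIONS.issubset(tpl):
        raise ValueError("template lacks the [Unicode]/[Version] header")
    return tpl

class SecurityDatabase:
    """The analysis database: an ordered merge of the templates imported into it."""
    def __init__(self) -> None:
        self.settings: Dict[Setting, str] = {}

    def import_template(self, text: str, overwrite: bool = False) -> None:
        """Merge a template (last import wins on a conflict); overwrite=True empties the database first."""
        tpl = parse_template(text)          # validate before touching the database
        if overwrite:
            self.settings.clear()
        for section, entries in tpl.items():
            if section not in HEADER_SECTIONS:
                for key, value in entries.items():
                    self.settings[(section, key)] = value

    def analyze(self, current: Dict[Setting, str]) -> Dict[Setting, str]:
        """'ok' = green check, 'mismatch' = red X, 'not defined' = no icon (Configure leaves it alone)."""
        report = {}
        for setting, actual in current.items():
            expected = self.settings.get(setting)
            if expected is None:
                report[setting] = "not defined"
            else:
                report[setting] = "ok" if expected == actual else "mismatch"
        return report

    def export_template(self) -> str:
        """Write the merged database back out as a template (Export Template)."""
        lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"']
        by_section: Dict[str, list] = {}
        for (section, key), value in self.settings.items():
            by_section.setdefault(section, []).append(f"{key} = {value}")
        for section in sorted(by_section):
            lines += [f"[{section}]"] + by_section[section]
        return "\n".join(lines) + "\n"

# Constructed templates in Windows 2000 template syntax (real section and key names).
BASELINE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""
HARDENING = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 14
"""
# Constructed snapshot of one computer's current settings, in the same shape.
CURRENT_MACHINE: Dict[Setting, str] = {
    ("System Access", "MinimumPasswordLength"): "8",
    ("System Access", "PasswordHistorySize"): "24",
    ("System Access", "MaximumPasswordAge"): "42",
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"): "4,0",
}

def merged_database() -> SecurityDatabase:
    """BASELINE imported first, HARDENING on top: the same order as repeated Import Template."""
    db = SecurityDatabase()
    db.import_template(BASELINE)
    db.import_template(HARDENING)
    return db
```

Run merged_database().analyze(CURRENT_MACHINE) and you get the three outcomes the snap-in shows: PasswordHistorySize is conformant, MinimumPasswordLength and RestrictAnonymous are discrepancies (the hardening template raised the password length to 14, overriding the baseline's 8), and MaximumPasswordAge is not defined because neither template mentions it, which is exactly the setting you'd have to define in the database by hand.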

Applying the Configuration

So you've chosen a template or two, analyzed the computer, and changed a couple settings. To apply the configuration:

  1. Right-click Security Configuration and Analysis

  2. Choose Configure Computer Now.

As before, you'll be prompted where to save the error log file. The default is fine. Watch the progress dialog as the tool applies each of the security settings to the computer. Depending on the number of settings in the database, this might take a few minutes. Only the settings defined in the database are changed; anything you left undefined keeps its current value.

Now, export your finely-crafted policy to a template file.

  1. Right-click Security Configuration and Analysis

  2. Choose Export Template

  3. Save the template to an appropriately-named file.

Note: One reason for exporting the policy to a template will become clear in a couple paragraphs; a second reason is in the next section.

You can always undo the changes. One way is to open a new database and import the "Setup Security" template. Configure the computer (you can skip the analysis step) to return all the security settings to the Windows 2000 defaults. This works, of course, only if returning to the defaults is useful to you, and only for settings that aren't also delivered by Group Policy, which will reassert its own values at the next refresh. What if you already applied one configuration a while back, then just applied a new one that doesn't work?

You have two options:

  • If you kept the database file from your previous configuration, you can simply open the file and configure the computer with that. Your previous settings will be restored.

  • Alternately, recall the bit about saving the policy to a new template. If you remembered to do this when you applied that previous configuration, then when you apply a second configuration that doesn't work, just create a new database using the previous configuration's template and immediately apply the configuration, restoring the previous settings.

Using SECEDIT.EXE. Apply the configuration stored in the database with this command:

SECEDIT /CONFIGURE /DB database-filename

This is the database file you created before. If you store the database on a network-accessible share, you can quickly apply the same settings to several computers this way. Bear in mind that SECEDIT opens the database for writing (it merges any /CFG template into it), so give each computer its own copy of the file, or keep /DB local and supply the settings with /CFG, rather than having several machines open one shared file at once.

You can skip analysis and go directly to configuration in one command:

SECEDIT /CONFIGURE /DB database-filename /CFG template-filename

If database-filename doesn't exist, SECEDIT creates a new database using the settings in template-filename and applies the configuration. If database-filename exists, then SECEDIT merges the template's settings into the database before applying the (newly-merged) configuration. If you omit template-filename, SECEDIT applies the configuration using the settings already stored in the database. You can optionally supply the /OVERWRITE switch together with /CFG, which empties the database before importing the template so that only the template's settings are applied (another alternative would be to use a different database filename).

As with /ANALYZE, you can optionally include the /VERBOSE or /QUIET command switches.

Applying policies using the command line allows you to be a little more granular than when using the GUI. You can supply the /AREAS switch to indicate which sections of the database should be applied: SECURITYPOLICY (account and local policies, including event log settings), GROUP_MGMT (restricted groups), USER_RIGHTS, REGKEYS, FILESTORE, and SERVICES. List the ones you want separated by spaces; if you omit the switch, every area is applied. See the online help for more information.

If you want to save your current configuration to a new .INF security template file, use this command:

SECEDIT /EXPORT /DB database-filename /CFG template-filename

database-filename is the database you want to export to a template. It's optional; if you omit it, SECEDIT uses the system's current configuration. template-filename is the template to save the settings in; it's required. The /AREAS, /VERBOSE, and /QUIET switches are all supported here.

If you want to validate a template you've received from someone else, use this command:

SECEDIT /VALIDATE template-filename

Using Group Policy to Distribute Configurations

Say you've crafted the ideal policy for a web server and now you want to apply that policy to all web servers in your organization. Using group policy, you can do exactly that. Remember that you can apply a group policy at the site, domain, or organizational unit level. If you create organizational units for the various roles of your computers, then applying a template to an entire group of computers becomes a very easy task.

Assume that all your web servers are in a web server organizational unit. If you don't already have a group policy object linked to the organizational unit, create a new one. Then edit the object:

  1. In the Group Policy window, expand Computer Configuration | Windows Settings.

  2. Right-click Security Settings and choose Import Policy.

  3. Select the template file you saved earlier when you developed your ideal web server policy.

Voila! Now every computer in the organizational unit will receive the security settings specified in the template at its next policy refresh. Keep in mind that Windows 2000 reapplies security settings from Group Policy periodically (every 16 hours by default) even when the GPO hasn't changed, so a local change that contradicts the policy will be reverted; and if you want a test computer to pick up the new settings right away rather than waiting for the refresh, SECEDIT's /REFRESHPOLICY switch will force it.

Step-by-step: How to Quickly Apply Computer Security Settings

Analyzing and configuring security involves a number of steps and options. Follow this sequence to make it easier.

  1. Create the custom "Security Configuration" MMC.

  2. Open a new database and import one or more templates.

  3. Analyze the computer.

  4. Make changes to the database as appropriate for your needs and your security policy (remember, a new database starts out containing only what the templates you imported define; anything else is left undefined until you define it).

  5. Export the database to a new template.

  6. Apply the configuration to the computer.

  7. Test relevant applications and services.

  8. Repeat steps 4 through 7 until everything works.

  9. Import the now-correct template into the security settings of a group policy object linked to the container for the type of computer you've been working on.

  10. Start again at step 1 for your next class of computers (based on role, remember).

Once you understand the security templates and the analysis and configuration tool, you'll think of many ways you can use it to automate and streamline your organization's security practices. Spend some time now thinking about the various roles and classes of computers you have, group them into organizational units, and use group policy to apply custom templates. There's no better way to ensure consistency and eliminate error.

Please send any feedback or questions regarding the content of this column to Microsoft TechNet