Best practices for Security Templates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use templates properly

  • Do not apply predefined or newly-created security templates to your computer or network without testing to ensure that the right level of application functionality is maintained.

  • Never edit the Setup security.inf template, because an unmodified copy gives you the option to reapply the default security settings. If you ever remove a security template from a Group Policy object, reapply Setup security.inf as appropriate to restore all default settings.

  • Do not apply the Setup security.inf template through Group Policy. The Setup security.inf template should only be applied to the local computer through Secedit or Security Configuration and Analysis. It is preferable to apply it in parts using the Secedit command-line tool.

    For more information, see Automating security configuration tasks.

  • Do not apply the Compatible template to domain controllers. For example, do not import the Compatible template to the Default Domain or Default Domain Controller Group Policy object.
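
One way to follow the Secedit guidance in the list above, as an added example that is not part of the original page: validate the template, analyze the local computer against it without changing anything, then apply it one area at a time with a separate log per area. The template path is assumed to be the default location, and C:\SecTest is a constructed working folder.

```bat
@echo off
rem Added example, not Microsoft's own script. Run locally on a test computer
rem from an administrator command prompt before using it anywhere else.
rem Assumptions: default template location; C:\SecTest is a constructed folder.
setlocal
set "TPL=%SystemRoot%\security\templates\setup security.inf"
set "WORK=C:\SecTest"
set "DB=%WORK%\setupsec.sdb"

if not exist "%WORK%" mkdir "%WORK%"
if not exist "%TPL%" (
    echo Template not found: %TPL%
    exit /b 1
)

rem Step 1: check the template syntax; stop on a nonzero exit code.
secedit /validate "%TPL%"
if errorlevel 1 (
    echo Template failed validation.
    exit /b 1
)

rem Step 2: analysis only. Compares current settings with the template
rem and writes the differences to the log; nothing is changed.
secedit /analyze /db "%DB%" /cfg "%TPL%" /overwrite /log "%WORK%\analyze.log" /quiet
echo Review %WORK%\analyze.log, then press a key to start configuring.
pause

rem Step 3: apply the template in parts, one security area per run.
rem Any nonzero exit code stops the loop so the log for that area can
rem be reviewed before the next area is applied.
for %%A in (SECURITYPOLICY USER_RIGHTS GROUP_MGMT SERVICES REGKEYS FILESTORE) do (
    echo Applying area %%A
    secedit /configure /db "%DB%" /cfg "%TPL%" /overwrite /areas %%A /log "%WORK%\configure_%%A.log" /quiet
    if errorlevel 1 (
        echo Area %%A returned a nonzero exit code. See %WORK%\configure_%%A.log
        exit /b 1
    )
)
echo All areas applied. Logs are in %WORK%
endlocal
```

After each area, retest the applications the computer has to support before the next area is applied.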

Use caution when modifying predefined templates

  • Instead of modifying a predefined template in place, customize it and then save the changes under a different template name. Because these templates were designed for specific needs, keeping the original template means you always have the option of using it.

    For more information, see Predefined security templates.

Choose the appropriate default level of computer access

  • When deciding on the default level of computer access that end users will have, the determining factor is the installed base of applications that need to be supported. If users only use applications that belong to the Windows Logo Program for Software, then you can make all your end users members of the Users group. If not, you may have to make your end users members of the Power Users group so that they have the appropriate privileges to use the applications; this is less secure.

    For more information about the Windows Logo Program for Software, see the Windows Logo Program for Software page at the Microsoft Web site.

For more information, see Best practices for Security Configuration and Analysis and Best practices for Security Settings.