Appendix F: SMS Security Templates
Using templates to apply security settings provides consistency and greater security. Microsoft provides security templates for Microsoft® Windows Server® 2003 and Microsoft Systems Management Server (SMS) 2003 SP1. For more information about security templates for Windows Server 2003, see the Windows Server 2003 Security Guide (https://go.microsoft.com/fwlink/?LinkId=28827). If you apply one of the member server baseline templates included with the Windows Server 2003 Security Guide, you must also apply the corresponding SMS template so that SMS operations will not be disabled. Create a separate OU under the member server OU and apply the SMS templates to it.
The SMS templates are available in the SMS Toolkit 2. By using the settings in this appendix, you can create your own copy of the following SMS security templates.
- **Legacy Client:** Provides the most backward compatible settings, but might weaken security.
- **Enterprise Client:** Provides good security for the average network environment.
- **High Security:** Provides the most secure settings, but might not be backward compatible.
The template settings for the SMS templates are listed in the following tables.
Table F.1 Deny Access to This Computer from the Network

| Member Server Default | SMS Legacy Client | SMS Enterprise Client | SMS High Security |
|---|---|---|---|
| Anonymous logon, Guests | Anonymous logon | Anonymous logon | Anonymous logon |
The Deny access to this computer from the network user right determines which users are prevented from accessing a computer over the network. It blocks access over a number of network protocols, including SMB-based protocols, NetBIOS, CIFS, HTTP, and COM+. This policy setting supersedes the Access this computer from the network user right when a user account is subject to both policies. Configuring this logon right for other groups could limit the abilities of users assigned to specific administrative roles in your environment. Verify that delegated tasks will not be negatively impacted.
Table F.2 COM+ System Application

| Service Name | Member Server Default | SMS Legacy Client | SMS Enterprise Client | SMS High Security |
|---|---|---|---|---|
| COMSysApp | Manual | Disabled | Disabled | Disabled |
The COM+ System Application system service manages the configuration and tracking of components based on COM+.
Table F.3 Distributed Transaction Coordinator

| Service Name | Member Server Default | SMS Legacy Client | SMS Enterprise Client | SMS High Security |
|---|---|---|---|---|
| MSDTC | Manual | Automatic | Automatic | Automatic |
The Distributed Transaction Coordinator system service is responsible for coordinating transactions that are distributed across multiple computer systems or resource managers, such as databases, message queues, file systems, or other transaction protected resource managers.
Table F.4 HTTP SSL

| Service Name | Member Server Default | SMS Legacy Client | SMS Enterprise Client | SMS High Security |
|---|---|---|---|---|
| HTTPFilter | Manual | Automatic | Automatic | Automatic |
The HTTP SSL system service enables Internet Information Services (IIS) to perform SSL functions. HTTP SSL service enables secure electronic transactions.
Table F.5 IIS Admin Service

| Service Name | Member Server Default | SMS Legacy Client | SMS Enterprise Client | SMS High Security |
|---|---|---|---|---|
| IISADMIN | Manual | Automatic | Automatic | Automatic |
The IIS Admin Service allows administration of IIS components, such as FTP, application pools, Web sites, Web service extensions, and both Network News Transfer Protocol (NNTP) and Simple Mail Transfer Protocol (SMTP) virtual servers. If this service is disabled, you cannot run Web, FTP, NNTP, or SMTP sites.
Table F.6 Task Scheduler

| Service Name | Member Server Default | SMS Legacy Client | SMS Enterprise Client | SMS High Security |
|---|---|---|---|---|
| Schedule | Manual | Automatic | Automatic | Automatic |
The Task Scheduler system service enables you to configure and schedule automated tasks on your computer. The Task Scheduler service monitors whatever criteria you choose and carries out the task when the criteria have been met.
Table F.7 World Wide Web Publishing Service

| Service Name | Member Server Default | SMS Legacy Client | SMS Enterprise Client | SMS High Security |
|---|---|---|---|---|
| W3SVC | Manual | Automatic | Automatic | Automatic |
The World Wide Web Publishing Service system service provides Web connectivity and administration through the IIS snap-in.
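The following PowerShell script is an added example, not part of this appendix or of the SMS Toolkit 2 templates. It turns the settings in Tables F.1 through F.7 into a secedit-style .inf security template and audits a server against the same settings. The service names and startup types come from the tables (the tables list identical values for all three SMS templates, so one settings table covers them); the function names, the output path, the use of an empty third field in `[Service General Setting]` to leave each service's own ACL unchanged, and the requirement for PowerShell 3.0 or later (for `Get-CimInstance`) are assumptions made for this example.

```powershell
# Added example (not from the SMS 2003 documentation or the SMS Toolkit 2):
# build a security template from Tables F.1 - F.7 and audit a server against it.

# Startup-type codes used by the [Service General Setting] section of a
# security template: 2 = Automatic, 3 = Manual, 4 = Disabled.
$StartupCode = @{ Automatic = 2; Manual = 3; Disabled = 4 }

# Service startup types from Tables F.2 - F.7. The tables show the same values
# for the Legacy Client, Enterprise Client and High Security SMS templates.
$ServiceSettings = @{
    COMSysApp  = 'Disabled'    # Table F.2 COM+ System Application
    MSDTC      = 'Automatic'   # Table F.3 Distributed Transaction Coordinator
    HTTPFilter = 'Automatic'   # Table F.4 HTTP SSL
    IISADMIN   = 'Automatic'   # Table F.5 IIS Admin Service
    Schedule   = 'Automatic'   # Table F.6 Task Scheduler
    W3SVC      = 'Automatic'   # Table F.7 World Wide Web Publishing Service
}

function New-SmsSecurityTemplate {
    # Writes a template that can be applied with secedit. $Path is an assumption.
    param([string]$Path = "$env:TEMP\SMS-Template.inf")

    $lines = @(
        '[Unicode]'
        'Unicode=yes'
        '[Version]'
        'signature="$CHICAGO$"'
        'Revision=1'
        '[Privilege Rights]'
        # Table F.1: deny network access to Anonymous Logon (well-known SID S-1-5-7).
        # The member server default also denies Guests; the SMS templates do not.
        'SeDenyNetworkLogonRight = *S-1-5-7'
        '[Service General Setting]'
    )
    foreach ($name in ($ServiceSettings.Keys | Sort-Object)) {
        $code = $StartupCode[$ServiceSettings[$name]]
        # Format: ServiceName,StartupCode,SecurityDescriptor. An empty security
        # descriptor (assumption) leaves the service's existing ACL in place.
        $lines += ('{0},{1},""' -f $name, $code)
    }
    # Security templates are Unicode text files.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

function Test-SmsServiceSettings {
    # Compares each service's current startup type with the table value.
    param([string]$ComputerName = $env:COMPUTERNAME)

    foreach ($name in ($ServiceSettings.Keys | Sort-Object)) {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName `
                               -Filter "Name='$name'"
        if (-not $svc) {
            $actual = 'Not installed'
        } else {
            # Win32_Service.StartMode reports 'Auto', 'Manual' or 'Disabled'.
            $actual = switch ($svc.StartMode) { 'Auto' { 'Automatic' } default { $svc.StartMode } }
        }
        [pscustomobject]@{
            Service   = $name
            Expected  = $ServiceSettings[$name]
            Actual    = $actual
            Compliant = ($actual -eq $ServiceSettings[$name])
        }
    }
}

# Usage: generate the template, then report any service whose startup type
# differs from the appendix tables.
$template = New-SmsSecurityTemplate
Write-Host "Template written to $template"
Test-SmsServiceSettings | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

The generated file can be applied with `secedit /configure /db sms.sdb /cfg <template> /overwrite /log sms.log`, or compared against the current configuration without changing anything with `secedit /analyze`. The audit function is useful after a member server baseline template has been applied to a server in the SMS OU: if it reports IISADMIN, W3SVC or HTTPFilter as Disabled, the baseline has overridden the SMS settings and SMS operations that depend on IIS will fail, which is the situation the introduction of this appendix warns about.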
For information about how to apply security templates, see Help and Support Center.