Design Recommendations for Using Predefined Security Templates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Windows Server 2003 security templates are designed for computers that already use the default security settings. Each template incrementally modifies the default security settings if they are present on the computer; it does not install the default security settings before performing the modifications.

Consider the following recommendations before you use the predefined security templates.

Read the security template descriptions before you select which template to use

To successfully deploy the security templates, you need to understand which template is appropriate for your computer.

Use the Setup security.inf template only on the local computer

Do not apply the Setup security.inf template by using Group Policy. Apply it only to the local computer by using the Security Configuration and Analysis snap-in or the Secedit.exe command-line tool. The Setup security.inf template is modified during installation and is created specifically for each computer, so it might vary from computer to computer. This template contains a large amount of data and can degrade performance if it is applied by using Group Policy, because Group Policy is refreshed periodically and a large amount of data moves through the network each time the policy is refreshed. The advantage of using the Secedit.exe command-line tool to apply Setup security.inf is that it permits you to configure subareas of the default settings. For example, by using Secedit.exe, you can apply only the default file system ACLs without also resetting the user rights and registry ACLs.

Apply workstation, server, and domain controller templates appropriately

Apply templates of the form *ws.inf only to workstation or server computers; do not apply *ws.inf to domain controllers. Likewise, apply templates of the form *dc.inf only to domain controller class machines; do not apply *dc.inf to workstations or servers. If you apply a predefined template at the domain root level, it applies to all computers in the domain by default. For example, account policies (password policies, account lockout policies, and Kerberos policies) are always defined at the domain level, but local policies are subject to precedence rules.

Use Group Policy to apply templates to groups of computers

You can import a security template to a Group Policy object to make sure that any computers where the Group Policy object is applied automatically receive the template’s security settings when the Group Policy settings are refreshed.

Use the appropriate tools to apply templates to local computers

Configure individual computers by using the Security Configuration and Analysis snap-in or the Secedit.exe command-line tool, or by importing the template into the local security policy. Configure groups of computers by importing a template into the Group Policy Object Editor.
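The following added example (not part of the original documentation and not Microsoft's own script) shows one way to apply a template locally with Secedit.exe while enforcing two of the recommendations above: restricting the run to selected subareas, and refusing a *ws.inf or *dc.inf template on the wrong class of computer. The function name Invoke-LocalTemplate and the database and log paths under %TEMP% are assumptions made for illustration; it also assumes Windows PowerShell is installed and that the predefined templates are in %SystemRoot%\Security\Templates.

```powershell
# Added example. Invoke-LocalTemplate and the .sdb/.log paths are hypothetical.
function Invoke-LocalTemplate {
    param(
        [string]$Template,          # full path to a .inf security template
        [string[]]$Areas = @()      # secedit subareas; empty means all areas
    )

    if (-not (Test-Path -LiteralPath $Template)) {
        throw "Template not found: $Template"
    }

    # Win32_ComputerSystem.DomainRole: 0-1 workstation, 2-3 server, 4-5 domain controller
    $role = (Get-WmiObject Win32_ComputerSystem).DomainRole
    $isDC = $role -ge 4
    $name = [IO.Path]::GetFileName($Template)

    # Enforce the *ws.inf / *dc.inf rule before anything is changed.
    if ($name -like '*dc.inf' -and -not $isDC) {
        throw "$name is for domain controllers only; this computer has DomainRole $role."
    }
    if ($name -like '*ws.inf' -and $isDC) {
        throw "$name must not be applied to a domain controller."
    }

    # Subareas accepted by secedit /configure /areas.
    $valid = 'SECURITYPOLICY','GROUP_MGMT','USER_RIGHTS','REGKEYS','FILESTORE','SERVICES'
    foreach ($a in $Areas) {
        if ($valid -notcontains $a.ToUpper()) { throw "Unknown area: $a" }
    }

    $db  = Join-Path $env:TEMP 'localtemplate.sdb'   # hypothetical working database
    $log = Join-Path $env:TEMP 'localtemplate.log'   # hypothetical log location
    $seceditArgs = @('/configure', '/db', $db, '/cfg', $Template,
                     '/overwrite', '/log', $log, '/quiet')
    if ($Areas.Count -gt 0) { $seceditArgs += '/areas'; $seceditArgs += $Areas }

    & secedit.exe $seceditArgs
    # Return the exit code and log path so the caller can review what was applied.
    New-Object PSObject -Property @{ ExitCode = $LASTEXITCODE; Log = $log }
}

# Usage (run locally as an administrator): reapply only the default file system
# ACLs from Setup security.inf, leaving user rights and registry ACLs untouched.
# $tpl = Join-Path $env:SystemRoot 'Security\Templates\Setup security.inf'
# Invoke-LocalTemplate -Template $tpl -Areas FILESTORE
```

Review the log file after each run, and keep the working database out of shared locations because it holds a copy of the template's settings.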

For more information about importing security templates for domain controllers, servers, or workstations, see "Import a security template to a Group Policy object" in Help and Support Center for Windows Server 2003.