Security

Security templates provide standard security settings to use as a model for your security policies. They help you troubleshoot problems with computers whose security settings are not in compliance with policy or are unknown. Security templates are inactive until imported into a Group Policy object or the Security Configuration and Analysis snap-in to MMC.

Prerequisites for Implementing Security Templates

Security templates are a standard feature of Windows 2000. There are no prerequisites for using them. However, to ensure appropriate service levels, test security templates before applying them to your users' computers.

How to Implement Security Templates

You can edit security templates in the Security Templates snap-in to MMC.

You can use the Security Configuration and Analysis MMC snap-in to import and export templates and to compare a template to the security settings of the local computer. You can use this MMC snap-in to configure the computer to match the template.

Before you can apply templates, you must open a Security Configuration and Analysis database for your computer.

To Open a Security Database

  1. Open the Security Configuration and Analysis snap-in to MMC.

  2. Right-click the Security Configuration and Analysis snap-in, and then click Open database.

  3. Highlight a pre-existing database, and then click Open.
    – Or –
    Create a new database by typing a database name and clicking Open.

  4. Highlight a template to import into the database, and then click Open.

After you have opened a security database and selected a security template, you can apply the security template.

To import a security template into a Group Policy object

  1. Open the Security Configuration and Analysis snap-in to MMC.

  2. Right-click the Security Configuration and Analysis snap-in and select Configure Computer Now.

  3. Highlight a security template file (*.inf), and then click Open.

  4. Click Browse to specify a location for the Security Configuration error log file, and then click OK.

For more information about using security templates and predefined templates, see Windows 2000 Server Help.
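The comparison of a template against a computer's settings, described above for the Security Configuration and Analysis snap-in, can be illustrated offline with the following added example (not Microsoft's code and not part of the original page). Both .inf excerpts are constructed, and `parse_template` and `analyze` are hypothetical names; the SMB signing values echo the enable-versus-require distinction this page draws between the Secure and High Secure templates.

```python
import configparser

# Constructed excerpt in security-template (.inf) syntax; values are illustrative.
TEMPLATE_INF = r"""
[Version]
signature="$CHICAGO$"

[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1

[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""

# Constructed stand-in for the settings exported from the computer being analyzed.
CURRENT_INF = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1

[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
"""

def parse_template(text):
    """Return {(section, setting): value} for the settings in .inf text."""
    cp = configparser.ConfigParser(
        interpolation=None,        # values such as %SystemRoot% are literal
        delimiters=("=",),         # ':' is not a delimiter in these files
        comment_prefixes=(";",),
        strict=False,
    )
    cp.read_string(text)           # setting names are lower-cased on read
    return {(s, k): v.replace(" ", "")
            for s in cp.sections() if s not in ("Version", "Unicode")
            for k, v in cp[s].items()}

def analyze(template_text, current_text):
    """List (section, setting, template_value, current_value) deviations."""
    template = parse_template(template_text)
    current = parse_template(current_text)
    return [(s, k, want, current.get((s, k)))   # None: not defined on the computer
            for (s, k), want in sorted(template.items())
            if current.get((s, k)) != want]

if __name__ == "__main__":
    for finding in analyze(TEMPLATE_INF, CURRENT_INF):
        print(finding)
```

Each reported tuple is a setting that the computer either defines differently from the template or does not define at all, which is the set of items to review before choosing Configure Computer Now.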

Considerations About Security Templates

The default permissions for Windows 2000 provide a significant increase in security over previous versions of Windows NT 4.0. This default clean-install security is defined by the access permissions granted to three groups: Users, Power Users, and Administrators. These groups have been carefully designed for specific purposes, and should not require modifications in any but the most unusual cases.

By default, Users have an appropriate access-control policy for nonadministrative system use; Power Users are backward compatible with Windows NT 4.0 Users; and Administrators are granted full control of the system. Therefore, securing a Windows 2000–based system is largely a matter of defining the group to which the user belongs.

If your site runs only applications that are compatible with the Windows 2000 application specification, then it is possible to make all users be members of the Users group and thus achieve maximum access control security without sacrificing application functionality. If your site runs applications that are not compliant with the Windows 2000 application specification, it is likely that users will need to be Power Users in order to have the privileges necessary to run the noncompliant applications. Before considering the use of additional security templates, it is imperative that you define the level of access (User, Power User, or Administrator) that users need in order to successfully run the applications that must be supported.

Security Template Types

After you have defined user access levels using built-in groups such as User, Power User, and Administrator, the security templates can be used as follows:

Basic    The Basic security templates apply the Windows 2000 default access control settings previously described. The Basic templates can be applied to a Windows NT computer that has been upgraded to Windows 2000. This will bring the upgraded computer in line with the new Windows 2000 default security settings that are applied only to clean-installed computers. The Basic templates can also be used to revert back to the defaults after making any undesirable changes.

Optional Component File Security    The Optional Component templates apply default security to optional component files that might be installed during or after Windows 2000 Setup. The Optional Component templates should be used in conjunction with the Basic Templates to restore default security to Windows 2000 system files that are installed as optional components.

Compatible    Some customers might not want their users to be Power Users in order to run applications that are not compliant with the Windows 2000 application specification. They might not want this because Power Users have additional capabilities (such as the ability to create shares) that go beyond the more liberal access control settings necessary to run legacy applications. For customers who do not want their end users to be Power Users, the Compatible template opens up the default access control policy for the Users group in a manner that is consistent with the requirements of most legacy applications. A computer that is configured with the Compatible template must not be considered a secure installation.

Secure    The Secure template focuses on making operating system and network behavior more secure by changes such as removing all members of the Power Users group and requiring more secure passwords. The Secure template does not focus on securing application behavior. This template does not modify permissions, so users with the proper permissions can still use legacy applications, even though all members are removed from the Power Users group by defining the Power Users group as a restricted group.

High Secure    The High Secure template increases the security defined by several of the parameters in the Secure template. For example, while the Secure template might enable SMB Packet Signing, the High Secure template would require SMB packet signing. While the Secure template might warn on the installation of unsigned drivers, the High Secure template blocks the installation of unsigned drivers. In short, the High Secure template configures many operational parameters to their extreme values without regard for performance, operational ease of use, or connectivity with clients using third-party or earlier versions of NTLM. The High Secure template also changes the default access permissions for Power Users to match those assigned to Users. This allows administrators to grant Users privileges reserved for Power Users, such as the ability to create shares, without having to give those users unnecessary access to the registry or file system. The High Secure template is primarily designed for use in an all–Windows 2000 network because the settings require Windows 2000 technology. Using High Secure templates in an environment with Windows 98 or Windows NT can cause problems.