Chapter 6 - Windows 2000 Hardening Guide Configuration Templates

For convenience, this document includes a set of Windows 2000 Hardening Guide security configuration templates. The templates may be used to automate the application of recommended security settings defined in this document. However, it is highly recommended that all settings be carefully reviewed prior to applying a security configuration template, since an organization's local security policies may require adjustments to the recommended values or security settings defined in the templates.

The templates supporting this document are listed in the table below and are included as separate files in the download package. The templates are cumulative, in the sense that the baseline template applies to all systems while the individual templates must only be used on the systems they are designed for. The baseline template is not designed to be applied in isolation. It should always be applied in conjunction with one of the other templates, as appropriate. In a domain environment the baseline template contains settings which need to be applied to the domain policy, while the other templates have settings to be applied to various OU's in the domain.

Accompanying this document is a set of security templates that can be used to apply these settings. The following templates are included:

  • W2KHG_baseline.inf – Common settings that should be applied to all computers

  • W2KHG_MemberWks.inf – Settings that are unique to workstations that are members of a domain

  • W2KHG_MemberLaptop.inf – Settings that are unique to laptops that are members of a domain

  • W2KHG_MemberServer.inf – Settings that are unique to a server joined to a domain

  • W2KHG_DomainController.inf – Settings that are unique to domain controllers

  • W2KHG_StandaloneWKS.inf – Settings that are unique to standalone workstations

  • W2KHG_StandaloneSrv.inf – Settings that are unique to standalone servers

The templates are included in the downloadable version of the guide. To download the guide and the templates go to https://www.microsoft.com/downloads/details.aspx?FamilyID=15E83186-A2C8-4C8F-A9D0-A0201F639A56&DisplayLang=en.

In a domain environment, we recommend using Group Policy to deploy the settings.

Template Modifications and Manual Settings

The settings below must be manually modified by the implementer of the settings. We have included boilerplate settings. However, you must modify these to reflect the security policy of your organization. You can perform these modifications through the Security Templates snap-in tool, as described in the "Viewing and editing a security configuration template" subsection below. Alternatively, you can modify the INF files themselves directly, although this is not recommended unless you are familiar with their format. Incorrect modification of the INF files may result in serious problems with your system!

  • Message title for users attempting to log on. The text in the templates is a placeholder that must be edited to conform to an organization's local requirements. See the "Modify Security Options" subsection for details.

  • Message text for users attempting to log on. The text in the templates is a placeholder that must be edited to conform to an organization's local requirements. See the "Modify Security Options" subsection for details.

The following recommended User and group account modifications should be applied:

  • TsInternetUser. Unless you use the Terminal Services Internet Connector, disable the TsInternetUser account on Windows 2000 Servers and Domain Controllers. A security template cannot disable the account. See the "Default User Accounts" subsection for details.

  • Domain Users. Remove the Guest and TsInternetUser accounts from the Domain Users group. The security templates allow setting restricted groups with a defined set of allowed members; however, the Domain Users group needs to allow all new users to become members automatically, and making it a restricted group only works if you can enumerate every user that belongs in it. See the "Default Group Accounts" subsection for details.

Additional configuration procedures:

  • Enable automatic screen lock protection. The procedures are available in the "Enable Automatic Screen Lock Protection" subsection of this document.

  • Update the Emergency Repair Disk. The procedures are available in the "Recommended Actions Prior to Installing Service Pack and Hotfix Updates" subsection of this document.

  • Back up the Domain Administrators encryption certificates. The recommended procedures are available in the "Encrypting File System" subsection of this document.

Security Configuration Template Application Tools

Authorized administrators can use the following tools to edit and apply the security configuration templates.

  • Security Templates snap-in. The Security Templates snap-in is a stand-alone Microsoft Management Console (MMC) snap-in that allows the creation of a text-based template file that contains security settings for all security areas.

  • Security Configuration and Analysis snap-in. The Security Configuration and Analysis snap-in is a stand-alone MMC snap-in that can configure or analyze Windows 2000 operating system security. Its operation is based on the contents of a security template that was created using the Security Templates snap-in. This is the preferred tool for applying a template to a standalone computer or domain member.

At the Domain level, the Domain Security Policy and Domain Controller Security Policy templates must be applied through the Domain Security Policy and Domain Controller Security Policy consoles on a Domain Controller, as described in the "Windows 2000 Security Policies" subsection of this document.

Managing and Applying Security Configuration Security Templates

This subsection provides procedures for editing and applying the security configuration templates.

Extending the security configuration editor interface

The SCE interface can be extended, via a new sceregvl.inf template, to display and allow the configuration of security settings that are not displayed by default but that may be relevant to your organization. Complete instructions are available in Microsoft Knowledge Base article 214752. A template which includes the settings made in this guide is included in the guide download package. To install it, simply run the batch file "installSceregvl.bat", also included in the guide. Note that you only need to install this template on the computer you use to make the settings. It does not need to be installed on all the target computers.

Viewing and editing a security configuration template

The security configuration templates may be edited by opening them in a text editor, such as Notepad.exe, or by opening them in the Security Templates snap-in tool. Notepad.exe is recommended if additional recommended registry settings will be added to the template that are not visible via the Security Templates snap-in tool, such as those defined in the "Additional Security Settings" subsection of this document. Use the following procedures to edit a template using the Security Templates snap-in tool:

  1. First copy the desired template into "%Systemroot%\Security\Templates" or some other location on your hard disk. Note that if you copy them to a different location you will need to (a) properly secure that location so that users cannot modify the templates, and (b) add it to the Security Templates snap-in in the MMC.

  2. Next, click Start, click Run, type mmc.exe, and then click OK.

  3. On the Console menu, click Add/Remove Snap-in, and then click Add.

  4. Select Security Templates, click Add, click Close, and then click OK.

  5. To save the snap-in setting click Save on the Console menu. Type a name for this console, and then click Save.

  6. In the Security Templates snap-in, double-click Security Templates.

  7. Double-click the default path folder (%Systemroot%\Security\Templates), and then double-click the security configuration template that you want to modify.

  8. Double-click the security policy that is to be modified (such as Account Policies).

  9. Click the security area that is to be customized (such as Password Policy), and then double-click the security attribute to modify (such as Minimum Password Length).

  10. Modification procedures are the same as those described in the "Security Configuration" section of this document.

  11. Once modifications are completed, right-click the name of the security configuration template that was modified and select Save.
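The following Python script is an added example and is not part of the guide's download package. It parses the INI-style .inf format that the Security Templates snap-in and secedit read (the same [System Access], [Registry Values] and [Service General Setting] sections you see when editing a template in Notepad), reports the logon-banner placeholders described under "Template Modifications and Manual Settings", lists the services a template disables, and resolves a baseline/role pair the way the cumulative deployment described at the start of this chapter works: the role template linked to the OU overrides the domain-level baseline wherever both set a key. The two template bodies are constructed stand-ins for W2KHG_baseline.inf and W2KHG_MemberServer.inf, and the word PLACEHOLDER is an assumed marker; the guide's actual placeholder text is whatever the shipped files contain.

```python
"""Pre-deployment checks for Windows 2000 security template (.inf) files.

Added example, not part of the W2KHG download.  The template text below is
constructed, but the section names, key paths and registry type codes
(1=REG_SZ, 2=REG_EXPAND_SZ, 4=REG_DWORD, 7=REG_MULTI_SZ) are the real .inf
template format.  Shipped templates with [Unicode] Unicode=yes are UTF-16 on
disk; decode them with encoding="utf-16" before calling parse_template().
"""
import configparser

WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
BANNER_KEYS = (WINLOGON + r"\LegalNoticeCaption", WINLOGON + r"\LegalNoticeText")
PLACEHOLDER_MARKER = "PLACEHOLDER"   # assumed marker text, not the guide's wording
METADATA_SECTIONS = {"Unicode", "Version"}

# Constructed stand-in for W2KHG_baseline.inf (applied at the domain level).
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption=1,"PLACEHOLDER: edit title"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText=7,PLACEHOLDER: edit text
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

# Constructed stand-in for W2KHG_MemberServer.inf (applied at the server OU).
MEMBER_SERVER_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LockoutBadCount = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
[Service General Setting]
Messenger,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
Spooler,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
"""


def parse_template(text):
    """Parse .inf text.  Keys keep their case, '=' is the only delimiter (service
    lines carry ':' inside SDDL strings) and lines without '=' become keys."""
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def registry_value(raw):
    """Split a 'type,data' registry line into (type_code, data).  REG_SZ data
    loses its surrounding quotes; REG_MULTI_SZ becomes a list of strings."""
    code, _, data = raw.partition(",")
    code = int(code)
    if code == 7:
        return code, data.split(",")
    if code in (1, 2) and len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return code, data


def find_placeholders(cp, marker=PLACEHOLDER_MARKER):
    """Banner keys whose value still carries the placeholder marker."""
    regs = cp["Registry Values"] if cp.has_section("Registry Values") else {}
    hits = []
    for key in BANNER_KEYS:
        if key in regs:
            _, data = registry_value(regs[key])
            text = " ".join(data) if isinstance(data, list) else data
            if marker.lower() in text.lower():
                hits.append(key)
    return hits


def merge_templates(baseline, role):
    """Resolve the cumulative pair as Group Policy does: the role template, linked
    to the OU, wins over the domain-level baseline.  Returns the effective
    settings (value, source) and every key on which the two disagree."""
    effective, conflicts = {}, []
    for cp, source in ((baseline, "baseline"), (role, "role")):
        for section in cp.sections():
            if section in METADATA_SECTIONS:
                continue
            dest = effective.setdefault(section, {})
            for key, value in cp.items(section):
                if key in dest and dest[key][0] != value:
                    conflicts.append((section, key, dest[key][0], value))
                dest[key] = (value, source)
    return effective, conflicts


def disabled_services(cp):
    """Names of services the template sets to Disabled (startup type 4)."""
    if not cp.has_section("Service General Setting"):
        return []
    names = []
    for line in cp["Service General Setting"]:
        name, startup, _sddl = line.split(",", 2)
        if startup.strip() == "4":
            names.append(name.strip())
    return names


if __name__ == "__main__":
    base, role = parse_template(BASELINE_INF), parse_template(MEMBER_SERVER_INF)
    for key in find_placeholders(base):
        print("edit before applying:", key)
    _, conflicts = merge_templates(base, role)
    for section, key, old, new in conflicts:
        print(f"[{section}] {key}: baseline {old!r} overridden by role {new!r}")
    print("disabled by role template:", disabled_services(role))
```

The conflict list is the part worth reading before deployment: every entry is a setting the baseline pushes from the domain policy that the OU-linked role template then changes, which is expected for some keys (the constructed LockoutBadCount and RestrictAnonymous above) but is also where an accidental override of a domain-wide decision would show up.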

Applying a security template to a local computer

Use the following procedures to apply the security templates locally on a computer running Windows 2000 Server or Professional. If computers that are Domain members are to inherit all the security settings from the Domain, these procedures are not needed on the local computer.

  1. Log on to the computer with an account that has administrative rights.

  2. Copy the desired template into the "%Systemroot%\Security\Templates" (or "C:\WINNT\Security\Templates") folder of the system partition.

  3. Next, click Start, click Run, type mmc.exe, and then click OK.

  4. On the Console menu, click Add/Remove Snap-in, and then click Add.

  5. Select Security Configuration and Analysis, click Add, click Close, and then click OK.

  6. To save the snap-in setting click Save on the Console menu.

  7. In the Security Configuration and Analysis snap-in, right-click Security Configuration and Analysis.

    • If a working database is not already set, click Open Database to set a working database. Type a name for the new database, with a ".sdb" extension, and click Open. Find and select the security configuration template so that it appears in the File name: text box. Check the Clear this database check box and click the Open button.

    • If a working database is already set, click Import Template. Find and select the security configuration template so that it appears in the File name: text box. Check the Clear this database check box and click the Open button.

  8. Right-click Security Configuration and Analysis, and then click Configure Computer Now. A window will appear showing the path to the error log file, click OK. Note that the security settings are set immediately. Some settings, though applied, will not become effective until the computer is rebooted.

  9. Close the Security Configuration and Analysis tool and reboot the computer.

A faster way to configure a computer once a template has been created is to use the secedit.exe command line tool.

  1. Open a command prompt (for example, click Start, click Run, type cmd.exe, and press Enter).

  2. To apply the template W2KHG_baseline.inf, use the following command. The /overwrite switch clears the database before the template is imported, which is the command-line equivalent of the "Clear this database" check box in the snap-in:

secedit /configure /DB W2KHG_baseline.sdb /CFG W2KHG_baseline.inf /overwrite /LOG W2KHG_baseline.log

  3. For more complete details on how to use the secedit command line tool, type secedit /? at a command prompt.

Deploying a security template to an Active Directory object security policy

The following procedure imports the security templates included with this guide into the OU structure suggested in this chapter. Before implementing the following procedure on a domain controller, the specific policy (.inf) files must be located on a Windows 2000 Server in your environment.

Warning: The security templates in this guide are designed to increase security in your environment. It is quite possible that by installing the templates included with this guide, some functionality in the environment of your organization may be lost. This could include the failure of mission critical applications.

It is therefore essential to thoroughly test these templates before deploying them in a production environment. Back up each DC and server in your environment prior to applying any new security settings. Ensure the system state is included in the backup so that registry settings or Active Directory objects can be restored.

Before continuing with the procedure to import the security templates, if the servers in your environment are not running at least Windows 2000 SP3 as recommended in this guide, apply the hotfix discussed in Knowledge Base article 295444, "SCE Cannot Alter a Service's SACL Entry in the Registry."

If this hotfix is not applied, the Group Policy templates will not be able to disable any services. A hotfix is a single cumulative package composed of one or more files used to address a defect in a product. Hotfixes address a specific customer situation and may not be distributed outside the customer organization without written legal consent from Microsoft. The terms QFE, patch, and update have also been used as synonyms for hotfix.

To import the policy, follow these steps:

  1. In Active Directory Users and Computers, right-click the Domain, and then select Properties.

  2. On the Group Policy tab, click New to add a new GPO.

  3. Type Domain Security Policy and press Enter.

  4. Select Domain Security Policy and click Edit.

  5. In the Group Policy window, click Computer Configuration\Windows Settings. Right click Security Settings and select Import Policy.

  6. In the Import Policy From dialog box, navigate to the directory where the templates are stored and double-click the template you want to import.

  7. Close the Group Policy that has been modified.

  8. Close the Domain Properties window.

  9. Force replication between your domain controllers (or wait for it to occur) so that all DCs have the policy. Replication only delivers the GPO; to apply it on a DC immediately instead of waiting for the next policy refresh, do the following on that DC:

    • Open a command prompt and use the Secedit.exe command line tool to refresh the machine policy with the command:

      secedit /refreshpolicy machine_policy /enforce

    • Verify in the Event Log that the policy was applied successfully and that the server can communicate with the other DCs in the domain.

Secedit.exe is a command line tool that when called from a batch file or automatic task scheduler, can be used to automatically create and apply templates and analyze system security. It can also be run dynamically from a command line.

It is important to note that this policy should be imported into any additional domains in the organization. However, it is not uncommon to find environments where the root domain password policy is much more strict than any of the other domains. Additionally, care should be taken to ensure that any other domains that will use this same policy have the same business requirements. Because the password policy can only be set at the domain level, there may be business or legal requirements that segment some users into a separate domain simply to enforce the use of a stricter password policy on that group.

Import a Domain security configuration template

Use the following procedures to import a security template for Domains:

  1. Log on to the Domain Controller with an account that has administrative rights.

  2. Copy the desired template into the "%Systemroot%\Security\Templates" (or "C:\WINNT\Security\Templates") folder of the system partition.

  3. Click Start, point to Programs, point to Administrative Tools, and then click Domain Security Policy. This opens the Domain Security Policy console.

  4. In the console tree, right-click Security Settings.

  5. Click Import Policy.

  6. Find and select the security configuration template so that it appears in the File name: text box. Check the Clear this database check box and click the Open button.

  7. Close the Domain Security Policy.

  8. Follow the procedures below to import a security template for Domain Controllers.

Import a Domain Controller security configuration template

Use the following procedures to import a security template for Domain Controllers:

  1. Log on to the Domain Controller with a domain account that has domain administrative rights.

  2. Copy the desired template into the "%Systemroot%\Security\Templates" (or "C:\WINNT\Security\Templates") folder of the system partition.

  3. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy. This opens the Domain Controller Security Policy console.

  4. In the console tree, right-click Security Settings.

  5. Click Import Policy.

  6. Find and select the security configuration template so that it appears in the File name: text box. Check the Clear this database check box and click the Open button.

  7. Reboot the Domain Controller.