Chapter 4 - Windows 2000 Common Criteria Security Configuration Templates

  • Article

For convenience, this document includes a set of Windows 2000 Common Criteria security configuration templates. The templates may be used to automate the application of required and recommended Common Criteria security settings defined in this document. However, it is highly recommended that all settings be carefully reviewed prior to applying a security configuration template, since an organization's local security policies may require adjustments to the recommended values or security settings defined in the templates.

The templates supporting this document are listed in the table below and are included in Appendix F of this document. The baseline security configuration templates are used to apply all of the Common Criteria required security settings. The high-security templates are used to apply all of the Common Criteria required security settings, and provide stronger security by also applying the recommended security settings.

Template Name

Operating System Type/Configuration

Template Description

CC_Baseline_W2K_Server.inf

Windows 2000 Server

Required Common Criteria Evaluated Configuration security settings for Windows 2000 Server configured as standalone or member server.

CC_Baseline_W2K_Professional.inf

Windows 2000 Professional

Required Common Criteria Evaluated Configuration security settings for Windows 2000 Professional configured as standalone or Domain member.

CC_Baseline_W2K_Domain.inf

Windows 2000 Domain Controller

Required Common Criteria Evaluated Configuration security settings for Windows 2000 Domain members.

CC_Baseline_W2K_DC.inf

Windows 2000 Domain Controller

Required Common Criteria Evaluated Configuration security settings for Windows 2000 Domain Controllers. Used with a Domain template, or a Server template if a Domain policy is not used.

CC_HiSec_W2K_Server.inf

Windows 2000 Server

Required and recommended Common Criteria Evaluated Configuration security settings for Windows 2000 Server configured as standalone or member server.

CC_HiSec_W2K_Professional.inf

Windows 2000 Professional

Required and recommended Common Criteria Evaluated Configuration security settings for Windows 2000 Professional configured as standalone or Domain member.

CC_HiSec_W2K_Domain.inf

Windows 2000 Domain Controller

Required and recommended Common Criteria Evaluated Configuration security settings for Windows 2000 Domain members.

CC_HiSec_W2K_DC.inf

Windows 2000 Domain Controller

Required and recommended Common Criteria Evaluated Configuration security settings for Windows 2000 Domain Controllers. Used with a Domain template, or a Server template if a Domain policy is not used.

Template Modifications and Manual Settings

The settings below are either not included, in the Windows 2000 Common Criteria security configuration templates, or are commented out. These settings must either be manually set through a Security Policy interface or may be uncommented in the templates and edited as appropriate. The Security Templates snap-in tool may also be used as describe in the "Viewing and editing a security configuration template" subsection below.

Under the Security Options policies, the following recommended settings should be reviewed and edited as applicable:

  • Audit the access of global system objects is commented out in the templates. It generates a large amount of audit events and should be implemented when strict audit management practices are in place. See the "Modify Security Options" subsection for details.

  • Audit the use of Backup and Restore privilege is commented out in the templates. It generates a large amount of audit events and should be implemented when strict audit management practices are in place. See the "Modify Security Options" subsection for details.

  • Rename Administrator account is commented out in the templates. The policy implementer must select a unique name. See the "Modify Security Options" subsection for details.

  • Rename Guest account is commented out in the templates. The policy implementer must select a unique name. See the "Modify Security Options" subsection for details.

  • Shut down the system immediately if unable to log security audits is commented out in the templates. This setting can create a management burden if applied across all computers in a Domain and should only be applied on critical system when strict audit management practices are in place. See the "Modify Security Options" subsection for details.

  • Message title for users attempting to log on. The text in the templates is a placeholder that must be edited to conform to an organizations local requirements. See the "Modify Security Options" subsection for details.

  • Message text for users attempting to log on. The text in the templates is a placeholder that must be edited to conform to an organizations local requirements. See the "Modify Security Options" subsection for details.

The following required Registry setting must be applied:

  • Prevent interference of the session lock from application generated input, see the "Service Pack 4 Registry" entries subsection for details. The security templates cannot create the path necessary to apply this setting. It must therefore be applied manually by using the Regedt32.exe Registry editor. Procedures for using Regedt32.exe are available in the Windows 2000 Evaluated Configuration Administrator's Guide.

The following required User and group account modifications must be applied:

  • TsInternetUser. Disable the TsInternetUser account on Windows 2000 Servers and Domain Controllers. A security template cannot disable the account. See the "Default User Accounts" subsection for details.

  • Domain Users. Remove the Guest account from the Domain Users group. The security templates allow setting restricted groups with a defined set of members that are allowed, however, the Domain Users group needs to allow all new users to automatically become members. See the "Default Group Accounts" subsection for details.

Additional configuration procedures:

  • Enable automatic screen lock protection. The procedures are available in the "Enable Automatic Screen Lock Protection" subsection of this document.

  • Update the Emergency Repair Disk. The procedures are available in the "Recommended Actions Prior to Installing Service Pack and Hotfix Updates" subsection of this document.

  • Back up the Administrator"s encryption certificates. The recommended procedures are available in the "Encrypting File System" subsection of this document.

Security Configuration Template Application Tools

Authorized administrators can use the following tools to edit and apply the Common Criteria security configuration templates.

  • Security Templates snap-in. The Security Templates snap-in is a stand-alone Microsoft Management Console (MMC) snap-in that allows the creation of a text-based template file that contains security settings for all security areas.

  • Security Configuration and Analysis snap-in. The Security Configuration and Analysis snap-in is a stand-alone MMC snap-in that can configure or analyze Windows 2000 operating system security. Its operation is based on the contents of a security template that was created using the Security Templates snap-in. This is the preferred tool for applying a template to a standalone computer or domain member.

At the Domain level, the Domain Security Policy and Domain Controller Security Policy templates must be applied using the Domain Controller's Local Security Policy, Domain Security Policy and Domain Controller Security Policy GUIs described in the "Windows 2000 Security Policies" subsection of this document.

Managing and Applying Security Configuration Security Templates

This subsection provides procedures for editing and applying the Common Criteria security configuration templates. The templates are available in Appendix F of this document.

Viewing and editing a security configuration template

The Common Criteria security configuration templates may be edited by opening them in a text editor, such as Notepad.exe, or by opening them in the Security Templates snap-in tool. Notepad.exe is recommended if modification are to be made to recommended registry settings that are not visible via the Security Templates snap-in tool, such as those defined in the "Additional Security Settings Policies" subsection of this document. Use the following procedures to edit a template using the Security Templates snap-in tool:

  1. First copy the desired template into the "\%Systemroot%\Security\Templates" (or "C:\WINNT\Security\Templates") folder of the system partition.

  2. Next, click Start, click Run, type mmc, and then click OK.

  3. On the Console menu, click Add/Remove Snap-in, and then click Add.

  4. Select Security Templates, click Add, click Close, and then click OK.

  5. To save the snap-in setting click Save on the Console menu. Type a name for this console, and then click Save.

  6. In the Security Templates snap-in, double-click Security Templates.

  7. Double-click the default path folder (%Systemroot%\Security\Templates), and then double-click the Common Criteria security configuration template that is to be modified to display the security policies (such as Account Policies).

  8. Double-click the security policy that to be modified.

  9. Click the security area that is to be customized (such as Password Policy), and then double-click the security attribute to modify (such as Minimum Password Length).

  10. Modification procedures are the same as those described in the "Secure Configuration Policies" section of this document.

  11. Once modifications are completed, right-click the name of the Common Criteria security configuration template that was modified and select Save.

Applying a Common Criteria security template to a local computer

Use the following procedures to apply the Common Criteria templates locally on a computer running Windows 2000 Server or Professional. If computers that are Domain members are to inherit all the security settings from the Domain, these procedures are not needed on the local computer.

  1. Log on to the computer with administrative rights.

  2. Copy the desired template into the "\%Systemroot%\Security\Templates" (or "C:\WINNT\Security\Templates") folder of the system partition.

  3. Next, click Start, click Run, type mmc, and then click OK.

  4. On the Console menu, click Add/Remove Snap-in, and then click Add.

  5. Select Security Configuration and Analysis, click Add, click Close, and then click OK.

  6. To save the snap-in setting click Save on the Console menu.

  7. In the Security Configuration and Analysis snap-in, right-click Security Configuration and Analysis.

    • If a working database is not already set, click Open Database to set a working database. Type a name for the new database, with a ".sdb" extension, and click Open. Find and select the Common Criteria security configuration template so that it appears in the File name: text box. Check the Clear this database check box and click the Open button.

    • If a working database is already set, click Import Template. Find and select the Common Criteria security configuration template so that it appears in the File name: text box. Check the Clear this database check box and click the Open button.

  8. Right-click Security Configuration and Analysis, and then click Configure Computer Now. A window will appear showing the path to the error log file, click OK. Note that the security settings are set immediately. Some settings, though applied, will not become effective until the computer is rebooted.

  9. Close the Security Configuration and Analysis tool and reboot the computer.

Importing a Common Criteria security template to a Domain level Security Policy

If a Domain policy is not to be used (for example, if clients are to have all settings applied locally), then a Common Criteria Server template should be applied locally on the Domain Controller followed by the Common Criteria Domain Controller template. Otherwise, the procedure on a Domain controller is:

  1. Import the Domain security configuration template to the Domain Security Policy console.

  2. Import the Domain Controller security configuration template to the Domain Controller Security Policy console.

  3. Reboot the Domain Controller.

Import a Common Criteria Domain security configuration template

Use the following procedures to import a Common Criteria template for Domains:

  1. Log on to the Domain Controller with administrative rights.

  2. Copy the desired template into the "\%Systemroot%\Security\Templates" (or "C:\WINNT\Security\Templates") folder of the system partition.

  3. Click Start, point to Programs, point to Administrative Tools, and then click Domain Security Policy. This opens the Domain Security Policy console.

  4. In the console tree, right-click Security Settings.

  5. Click Import Policy.

  6. Find and select the Common Criteria security configuration template so that it appears in the File name: text box. Check the Clear this database check box and click the Open button.

  7. Close the Domain Security Policy.

  8. Follow the procedures below to import a Common Criteria template for Domain Controllers.

Import a Common Criteria Domain Controller security configuration template

Use the following procedures to import a Common Criteria template for Domain Controllers:

  1. Log on to the Domain Controller with administrative rights.

  2. Copy the desired template into the "\%Systemroot%\Security\Templates" (or "C:\WINNT\Security\Templates") folder of the system partition.

  3. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy. This opens the Domain Controller Security Policy console.

  4. In the console tree, right-click Security Settings.

  5. Click Import Policy.

  6. Find and select the Common Criteria security configuration template so that it appears in the File name: text box. Check the Clear this database check box and click the Open button.

  7. Reboot the Domain Controller.