Windows 2000 security templates were designed to cover five common requirements for security:
- Basic (basic*.inf). The basic configuration applies the Windows 2000 default security settings to all security areas except those pertaining to user rights. It is most useful for overwriting the higher security levels applied by the other templates.
- Compatible (compat*.inf). The default Windows 2000 security configuration gives members of the local Users group strict security settings, while members of the local Power Users group have security settings that are compatible with Windows NT 4.0 user assignments. This default configuration enables certified Windows 2000 applications to run in the standard Windows environment for Users, while still allowing applications that are not certified for Windows 2000 to run successfully under the less secure Power Users configuration.
- Secure (secure*.inf). The secure templates implement recommended security settings for all security areas except files, folders and registry keys. These are not modified because file system and registry permissions are configured securely by default.
- Highly secure (hisec*.inf). The highly secure templates define security settings for Windows 2000 network communications. The security areas are set to require maximum protection for network traffic and protocols used between computers running Windows 2000. As a result, computers configured with a highly secure template can only communicate with other Windows 2000 computers. They will not be able to communicate with computers running Windows 95/98 or Windows NT.
- Dedicated domain controller (dedica*.inf). Local user security on domain controllers running Windows 2000 is not ideally secure by default. This default enables an administrator to run existing server-based applications on domain controllers (not recommended) in a backwards-compatible fashion. If you do not run server-based applications on domain controllers (recommended), the default file system and registry permissions for the local Users group can be defined in the same ideal fashion as that defined by default for Windows 2000 workstations and standalone servers. Implementing a dedicated security template applies these ideal security settings for local users on Windows 2000 domain controllers.
This was first published in February 2003