I am sick and tired of small business IT professionals complaining that Microsoft needs to provide them tools for automating security in a workgroup -- and I am sick and tired of hearing consultants respond, "Move to a domain and use Group Policy." Both parties need to do their research. Microsoft consultants hear this: Many small businesses can not and will not spend the money to purchase a Windows server license and more hardware...
so they can create a domain just because you say so. They need solutions for their collection of current computers. Small business owners listen up: Native Microsoft tools already exist to automate security in a workgroup environment.
In a workgroup environment, you may use security templates, Local Group Policy, the Security Configuration and Analysis tool and the secedit command to automate security for a single computer or many computers. This checklist explains how to use the Security Templates and Security Configuration and Analysis snap-ins to automate security configuration and refresh one computer at a time. The next checklist will provide secedit steps to help you automate security for multiple Windows systems. (These tools are available for Windows 2000, Windows XP Professional and Windows Server 2003.)
You may download a printer-friendly version.
|Checklist: Automate security administration for standalone computers|
|Step 1: Load the Security Templates snap-in in a Microsoft Management Console (MMC)|
|To open the MMC, click the Start button, then Run, enter MMC and click OK. Next, from the File menu, select "Add/Remove snap-in", then click Add and select Security Templates|
|from the list. Click Add, then Close and then click OK to open the snap-in in the MMC.|
|Step 2: Study security settings to understand what they can do|
|The Security Templates snap-in provides a number of templates, each with its own security settings. Each template includes security setting configuration details, including|
|password length, disabled services, event log management and set security for files and registry keys. Spend some time reviewing these options. To understand their meanings,|
|download Microsoft's Threats and Countermeasures, which talks about settings in the Windows server/domain arena. Most of the same settings are available for configuring|
|security on a standalone computer.|
|Step 3: Determine which settings should be enabled to fulfill your small business security policy|
|There are many security templates, each with different security settings. Which one is right for you? There is no easy answer. Security should be managed, but the correct choices for|
|one company are not necessarily the correct choices for another. The templates are only meant as samples. You must determine what is best for your organization and create|
|a template that fulfills that policy.|
|Step 4: Create your own custom security template and back it up|
|Once you know the level of security you wish to apply, create your own template and make sure the settings reflect your decisions. To create a template, go to the Security Templates|
|console you created, right click one of the existing templates and select "Save as". Then enter a name for your template and click "Save". It will be saved to the|
|<system root >\security\templates folder by default. Your template should appear in the console. Open the template and change the settings to those desired. Changing settings|
|does not apply the settings. You must complete step 5 and then 6 below in order to do so. To backup your template, save it again after configuring it, copy the file to a CD-ROM or|
|floppy disk and store in a safe place.|
|Step 5: Load the Security Configuration and Analysis snap-in|
|Using the MMC console you created for Security Templates, from the File menu, add the Security Configuration and Analysis snap-in. Use this tool to apply a Security Template.|
|Step 6: Apply your security template to configure security for the computer|
|Right click the Security Configuration and Analysis node and select Open Database. Enter a name for the database and then click OK. Select your security template and then click Open.|
|This step adds your template to the database. The computer's security configuration is not changed by this step.|
|Right click on Security Configuration and Analysis and select "Configure computer now". The settings in the Security Template will be applied to the computer.|
|You can copy your template to another computer and use step 5 and 6 to load and apply the template. Make sure you use a template created on Windows XP to update Windows XP,|
|and one created on Windows 2000 to update Windows 2000, and so on. You can also use Security Configuration and Analysis to determine if security settings have been changed.|
|To do so, use the "analyze" command instead of the "configure" step. To automatically apply security, you'll need to use the secedit command -- the topic of our next checklist.|
Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure.
E-mail the editor to suggest additional checklist topics.
More checklists by Roberta Bragg
- Lock down PCs, workgroups and AD domains
- How to configure the audit policy
- Windows services you should disable today
ABOUT THE AUTHOR: Go back to Checklists Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.