This three-part series of quick lessons will help you understand security templates, what they are used for, why you need them, and how to configure and deploy them. Part one gave you a quick lesson on security templates, part two below discusses why you need them and how to configure them, and part three will offer three different methods to deploy them.
Two key tasks need to be accomplished when securing your Windows environment. First, you must determine exactly how security should be configured on each type of computer; you can categorize the types in almost any way you require. Second, you need to implement the security you established in the first step. Ideally, you will want a tool to deploy security that is quick, easy and persistent.
As I mentioned in my previous lesson, Security templates 101, security templates are loaded with amazing options for setting security on a computer. Now I'll discuss how to configure those templates and use them for security baselining. In the next tip, I'll focus on options to deploy the security templates in your environment.
What is a security baseline?
The baseline is the suite of security settings determined for the computers in your organization -- allowing each computer to perform its duties, but nothing else. Baselines consist of security configurations for all areas of the computer, and they are designed for different types of computers, including clients, domain controllers, file servers, Web servers, etc.
Security templates cover many of these areas, but they are not 100% capable of configuring all your security baseline settings. Still, they can make security configuration much easier and more consistent.
How do I configure security templates for baselining?
When designing your security templates for security baselines, you first want to determine which computers will require different baselines. For example, it is almost guaranteed that Windows XP Professional computers will have different security baselines than Windows Server 2003 domain controllers. Likewise, your human resources client computers will most likely have different security baselines than your IT staff client computers, even if they are both running Windows XP Professional. Taking these considerations into account, you will end up with a list of different security template baselines to create.
Once you have decided which security template baselines you need, you are ready to create them -- and the best tool for that is the security templates snap-in. Unless the MMC has been disabled on your computer, you can access this yourself by following the steps in my previous tip.
Some security templates have been created for you. You can start with one of those or create your own. Unless you know what is included in the default security templates, it might be a good idea to just create your own.
To create your own security templates, just right-click on the C:\WINNT\Security\Templates node and select New Template. This will create a new security template with a name and description that you specify. Ideally you want to give it a name that defines its function, so it may be easily recognized. The new security template will be stripped of any configurations. After you create the template, you need to configure the different settings in each section of the template to match your security baseline.
You can streamline the security template creation process by setting up a matrix of all of the security template baselines. Then create a security template that consists of the settings common to all of the security templates. Once it is created, you can right-click on it in the security templates snap-in and copy it. Once it is copied, you can just configure the small differences that make up the other templates.
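The matrix approach can also be worked out from template text before you touch the snap-in. The following Python sketch is an added example, not part of the original tip: it takes the settings planned for each baseline, finds the ones that are identical everywhere (the common template), and lists what each copy still needs. The function names, template names and values are constructed for illustration, and the text is assumed to be already decoded from the .inf file.

```python
def parse_template(text):
    """Parse security template (.inf) text into {(section, key): value}."""
    settings, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings

def split_baselines(templates):
    """Return (common, deltas): shared settings, and per-template leftovers."""
    parsed = {name: parse_template(t) for name, t in templates.items()}
    first = next(iter(parsed.values()))
    common = {k: v for k, v in first.items()
              if all(p.get(k) == v for p in parsed.values())}
    deltas = {name: {k: v for k, v in p.items() if k not in common}
              for name, p in parsed.items()}
    return common, deltas

# Constructed sample baselines; values are illustrative, not recommendations.
TEMPLATES = {
    "xp_hr_client": """[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
""",
    "xp_it_client": """[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 3
[Event Audit]
AuditLogonEvents = 3
AuditPrivilegeUse = 2
""",
    "dc_2003": """[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditDSAccess = 3
""",
}

if __name__ == "__main__":
    print(split_baselines(TEMPLATES))
```

A setting that differs in even one baseline (LockoutBadCount here) stays out of the common template and shows up in every copy's list of differences.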
About the Author:
Derek Melber is a SearchWindowsSecurity.com guest contributor and one of the leading solution developers, project leaders and technical instructors in the United States, with an innate understanding of how to decipher, organize and communicate complex issues. Derek is a co-founder of BrainCore.Net LLC, which focuses on exam development and certifications, and is the leading outsource company for Microsoft. Derek has worked with Microsoft Learning on over 20 projects focusing on the MCSA and MCSE tracks. He has also taken his years of experience to develop the only Web site dedicated to Windows auditing and security: www.auditingwindows.com, which showcases the auditing windows security book series, online courses and customized training that Derek provides. Finally, Derek has just finished writing books on Windows security, including the "Administrator shortcut guide to Active Directory security." He has a master's degree from the University of Kansas, Microsoft Certified Systems Engineer Certification, CISM, A+ Certification, and 10 years of solution development, training, public speaking, sales and management experience.
This was first published in December 2004