This three-part series of quick lessons will help you understand security templates, what they are used for, why you need them, and how to configure and deploy them. Part one below will give you a basic overview of security templates, part two
discusses why you need them and how to configure them, and part three will offer three different methods for deploying them.
Security templates are one of the most underused and misunderstood aspects of security in a Windows environment. They provide ultimate security controls to both the IT administrator and the Windows auditor, and without them, Windows environments are not as secure as they could be.
Here you will learn about the purpose and composition of security templates, and get a list of default security templates. This will prepare you for the next step: How to leverage security templates in Active Directory to ensure a secure and stable computing environment. You will also learn how these templates are used as an auditing tool, making your job as the auditor much easier.
The following table of contents will help you navigate the information in this tip:
A security template is a plain text file that contains a simple structure that configures security on computers. When I say "plain text," I mean that the text file can be updated with tools such as Microsoft Word and Notepad. This is a benefit over more complex files that require a specialized development tool to see the contents produced.
As for the structure, there are tools to help organize and configure the settings in the file. It is not necessary to have a tool to help you configure the security template, but it is helpful because so many settings can be made in a single security template file.
This plain text, simple file is used to configure security in a variety of different areas on a Windows 2000, Windows XP or Windows Server 2003 computers. Typically, security templates are viewed and updated using the Microsoft Management Console (MMC) security template snap-in. Unless the MMC has been disabled on your computer, you can access this yourself by following these steps:
- 1. Click the Start button.
2. Select the Run menu option.
3. Type MMC into the text box and click the OK button.
4. Select Console from the Toolbar to get the menu options.
5. Select the Add-Remove snap-in menu option.
6. Click the Add button.
7. Select Security Templates from the Snap-ins list, then click the Add button.
8. Click the Close button, then click the OK button.
9. Expand the Security Templates node, then expand the C:WinntSecurityTemplates node to see the list of security templates, as shown in Figure 1.
Figure 1. Security templates snap-in showing the default security templates.
Microsoft gives you an entire suite of security templates that may be used as is, or you can customize to fit your security needs. These templates exist on all computers and are listed below.
- Compatws.inf: This is used by older applications that need to have weaker security to access the registry and the file system. This security template should seldom be used, since it weakens security, rather than increase it. If there is an application that requires the settings within this security template, the use of the template should be minimal.
- DC security.inf: This is used to configure security of the registry and file system of a computer that was upgraded from Windows NT to Windows 2000/2003.
- Hisecdc.inf: This is used to increase the security and communications with the domain controllers. This will increase the security around the account policies and audit policies. This will also configure higher restrictions for authentication protocols in the security options section.
- Hisecws.inf: This is used to increase security and communications for the client computers and member servers. This will increase the security around the account policies and audit policies. This will also configure higher restrictions for authentication protocols in the security options section. Finally, both the file system and registry options are configured to tighten security on many aspects of the operating system.
- Notssid.inf: This is used to weaken security to allow older applications to run on Windows terminal services.
- Ocfiless.inf: This is for optional components that are installed after the main operating system is installed. This will support services such as terminal services and certificate services.
- Securedc.inf: This is used to increase the security and communications with the domain controllers, but not to the level of the High Security DC security template. This will increase the security around the account policies and audit policies. This also configures higher restrictions in the security options section.
- Securews.inf: This is used to increase security and communications for the client computers and member servers. This will increase the security around the account policies and audit policies. This will also configure higher restrictions for authentication protocols in the security options section.
- Setup security.inf: This is used to reapply the default security settings of a freshly installed computer. The majority of the settings in the security template are configured.
Every security template has the same structure. This allows for consistency of settings across all computers, even if the specific configuration differs for the setting. The security templates cover a broad range of security settings, which can be seen in Figure 2.
Figure 2. Security templates cover a broad range of security settings to control security on Windows computers.
Each section of the security template controls a different aspect of the computer and security of that computer. The following describes what each section of the security template provides for security.
The account policy configures how passwords and other authentication is controlled related to the password. There are three main areas in the account policy section.
- Password policy: This configures the password itself, with regard to validity period, password length and complexity of the password.
- Account lockout policy: This configures how the password will react when the user fails to input the correct password multiple times.
- Kerberos policy: This controls the Kerberos ticketing for the domain communication. This is only available for GPOs that are linked to the domain level.
User rights control what a user or group of users can do on a computer. When user rights are configured using security templates and then deployed to a computer, the settings in the security template will configure each computer individually.
This area controls the event log size and retention method. If event log settings are not controlled using security templates or GPOs, they must be controlled on each computer individually.
Restricted groups control the membership of local groups, as well as which groups the local groups have membership in. This is an excellent method for controlling who has administrative access to the local computer.
The system services area of the security template controls two main control points of each service.
- Startup mode: There are three startup modes -- automatic, manual and disabled. When the computer starts, the service will be configured in one of these three configurations.
- Permissions: Through security templates, you can configure who can control the service. The most important permission is the control of who can stop, start and pause the service.
You can control both the ACL and SACL for folders and files on the target computer. This allows ultimate control over which users and groups can access these resources. You can also control how the permissions are propagated down through the file structure.
Like the file permissions, the registry permissions section can control both the ACL and SACL for registry entries. The security template only allows permissions to be set down to the registry key level, which is sufficient enough to control security on registry entries.
Now you have been introduced to security templates. You can see the wide spread affect they have on security for a computer. With time dedicated to the overall design of security on every computer on the network, security templates can be used to control security on every computer in the Active Directory domain. Security templates can also be customized, to include almost any security setting on the computer. With this much power and control, everyone should be using them to control security for all of the computers in the Active Directory.
Click for part two to learn how to configure security templates for baselining.
For More Information:
- Check out Derek's tip on auditing the local SAM
- Read more about why you should use those security templates in Windows Server 2003
- Learn about default and predefined security templates in Windows 2000
About the Author:
Derek Melber is a SearchWindowsSecurity.com guest contributor and one of the leading solution developers, project leaders and technical instructors in the United States, with an innate understanding of how to decipher, organize and communicate complex issues. Derek is a co-founder of BrainCore.Net LLC, which focuses on exam development and certifications, and is the leading outsource company for Microsoft. Derek has worked with Microsoft Learning on over 20 projects focusing on the MCSA and MCSE tracks. He has also taken his years of experience to develop the only Web site dedicated to Windows auditing and security: www.auditingwindows.com, which showcases the auditing windows security book series, online courses and customized training that Derek provides. Finally, Derek has just finished writing books on Windows security, including the "Administrator shortcut guide to Active Directory security. He has a masters degree from the University of Kansas, Microsoft Certified Systems Engineer Certification, CISM, A+ Certification, and 10 years of solution development, training, public speaking, sales and management experience.
This was first published in December 2004