Problem solve Get help with specific problems with your technologies, process and projects.

Checklist: Automate security administration for standalone PCs

Roberta Bragg says she's tired of SMB complaints that Microsoft offers no tools to automate security for workgroups -- when the tools they need are right in front of them.

  I am sick and tired of small business IT professionals complaining that Microsoft needs to provide them tools for automating security in a workgroup -- and I am sick and tired of hearing consultants respond, "Move to a domain and use Group Policy." Both parties need to do their research. Microsoft consultants hear this: Many small businesses can not and will not spend the money to purchase a Windows server license and more hardware so they can create a domain just because you say so. They need solutions for their collection of current computers. Small business owners listen up: Native Microsoft tools already exist to automate security in a workgroup environment.

In a workgroup environment, you may use security templates, Local Group Policy, the Security Configuration and Analysis tool and the secedit command to automate security for a single computer or many computers. This checklist explains how to use the Security Templates and Security Configuration and Analysis snap-ins to automate security configuration and refresh one computer at a time. The next checklist will provide secedit steps to help you automate security for multiple Windows systems. (These tools are available for Windows 2000, Windows XP Professional and Windows Server 2003.)

You may download a printer-friendly version.

                 Checklist: Automate security administration for standalone computers                  
              Step 1: Load the Security Templates snap-in in a Microsoft Management Console (MMC)                  
              To open the MMC, click the Start button, then Run, enter MMC and click OK. Next, from the File menu, select "Add/Remove snap-in", then click Add and select Security Templates                  
              from the list. Click Add, then Close and then click OK to open the snap-in in the MMC.                  
              Step 2: Study security settings to understand what they can do                  
              The Security Templates snap-in provides a number of templates, each with its own security settings. Each template includes security setting configuration details, including                  
              password length, disabled services, event log management and set security for files and registry keys. Spend some time reviewing these options. To understand their meanings,                  
              download Microsoft's Threats and Countermeasures, which talks about settings in the Windows server/domain arena. Most of the same settings are available for configuring                  
              security on a standalone computer.                  
              Step 3: Determine which settings should be enabled to fulfill your small business security policy                  
              There are many security templates, each with different security settings. Which one is right for you? There is no easy answer. Security should be managed, but the correct choices for                  
              one company are not necessarily the correct choices for another. The templates are only meant as samples. You must determine what is best for your organization and create                  
              a template that fulfills that policy.                  
              Step 4: Create your own custom security template and back it up                  
              Once you know the level of security you wish to apply, create your own template and make sure the settings reflect your decisions. To create a template, go to the Security Templates                  
              console you created, right click one of the existing templates and select "Save as". Then enter a name for your template and click "Save". It will be saved to the                  
              <system root >\security\templates folder by default. Your template should appear in the console. Open the template and change the settings to those desired. Changing settings                  
              does not apply the settings. You must complete step 5 and then 6 below in order to do so. To backup your template, save it again after configuring it, copy the file to a CD-ROM or                  
              floppy disk and store in a safe place.                  
              Step 5: Load the Security Configuration and Analysis snap-in                  
              Using the MMC console you created for Security Templates, from the File menu, add the Security Configuration and Analysis snap-in. Use this tool to apply a Security Template.                  
              Step 6: Apply your security template to configure security for the computer                  
              Right click the Security Configuration and Analysis node and select Open Database. Enter a name for the database and then click OK. Select your security template and then click Open.                  
              This step adds your template to the database. The computer's security configuration is not changed by this step.                  
              Right click on Security Configuration and Analysis and select "Configure computer now". The settings in the Security Template will be applied to the computer.                  
              You can copy your template to another computer and use step 5 and 6 to load and apply the template. Make sure you use a template created on Windows XP to update Windows XP,                  
              and one created on Windows 2000 to update Windows 2000, and so on. You can also use Security Configuration and Analysis to determine if security settings have been changed.                  
              To do so, use the "analyze" command instead of the "configure" step. To automatically apply security, you'll need to use the secedit command -- the topic of our next checklist.                  

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure.
E-mail the editor to suggest additional checklist topics.


More checklists by Roberta Bragg


Dig Deeper on Microsoft Hyper-V management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.