Windows 2000 Security Templates Are Incremental (234926)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q234926

SUMMARY

Windows 2000 includes a set of text-based security template files that you can use to apply uniform security settings on computers within an enterprise.

You can apply these templates to group policy objects using the Group Policy Editor snap-in in Microsoft Management Console (MMC), or you can apply them directly to a specific computer using the Security Configuration and Analysis MMC snap-in.

The templates modify security settings incrementally and do not include the default security settings. The assumption is that the templates are to be applied to Windows 2000-based computers that have been installed cleanly (that is, not upgraded from Microsoft Windows NT 4.0 or an earlier version of Windows). Computers that are upgraded from Windows NT do not use the default Windows 2000 security settings, but instead use whatever security settings were in place prior to the upgrade.

MORE INFORMATION

The security templates are:
  • Basic: Basicwk.inf (Windows 2000 Professional), Basicsv.inf (Windows 2000 Server), and Basicdc.inf (domain controller)

    The Basic templates specify default security settings for all security areas, with the exception of user rights and group membership.
  • Secure: Securews.inf (Windows 2000 Professional) and Securedc.inf (domain controller)

    The Secure templates provide increased security for areas of the operating system that are not covered by permissions, including: increased security settings for the account policy, increased settings for auditing, and increased security settings for some well-known security-relevant registry keys. Access Control Lists (ACLs) are not modified by this template, because the assumption is that default Windows 2000 security settings are in effect.
  • Highly Secure: Hisecws.inf (Windows 2000 Professional) and Hisecdc.inf (domain controller)

    The Highly Secure templates are provided for Windows 2000-based computers that operate in native Windows 2000 environments only. They require that all network communications be digitally signed and encrypted at a level that can only be provided by Windows 2000. Computers configured with this template cannot communicate with downlevel Windows clients.
  • Compatible: Compatws.inf (Windows 2000 Professional)

    The Compatible template opens up the default permissions for the Local Users group so that legacy programs are more likely to run. This configuration is not considered a secure environment.
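The following added example (not part of the original article, and not Microsoft code) models the incremental behaviour described in the Summary: an incremental template is overlaid on two starting states, and the settings it does not define stay different between them. It assumes a simple key-by-key overlay; the template excerpt, the two starting states, and all values are constructed for illustration and are not the contents of any shipped template.

```python
import configparser

# Constructed excerpt in security-template INF syntax (not a shipped template's contents).
SAMPLE_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed starting states. Keys are (section, setting); values are illustrative.
ACL = ("File Security", "%SystemRoot%")
CLEAN_INSTALL = {
    ("System Access", "MinimumPasswordLength"): "0",
    ("System Access", "LockoutBadCount"): "0",
    ("Event Audit", "AuditLogonEvents"): "0",
    ACL: "windows-2000-default-acl",
}
UPGRADED_FROM_NT4 = dict(CLEAN_INSTALL)
UPGRADED_FROM_NT4[("System Access", "MinimumPasswordLength")] = "6"
UPGRADED_FROM_NT4[ACL] = "acl-carried-over-from-nt4"

def parse_template(text):
    """Return {(section, setting): value} for every setting the template defines."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True, strict=False)
    cp.optionxform = str  # keep setting names case-preserved
    cp.read_string(text)
    return {(sec, key): (val or "").strip()
            for sec in cp.sections() if sec not in ("Version", "Unicode")
            for key, val in cp[sec].items()}

def apply_incremental(current, template):
    """Overlay template on current; return (result, settings the template left alone)."""
    result = {**current, **template}
    untouched = sorted(k for k in current if k not in template)
    return result, untouched

def drift(a, b):
    """Settings whose values differ between two machines."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    tpl = parse_template(SAMPLE_TEMPLATE)
    clean, untouched = apply_incremental(CLEAN_INSTALL, tpl)
    upgraded, _ = apply_incremental(UPGRADED_FROM_NT4, tpl)
    print("left alone by template:", untouched)
    print("still different after applying:", drift(clean, upgraded))
```

The password length that differed before the overlay converges, while the ACL entry the template never mentions remains different on the upgraded machine.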

Modification Type: Major
Last Reviewed: 11/3/2003
Keywords: kbinfo KB234926