How to apply predefined security templates in Windows Server 2003 (816585)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
- Microsoft Windows Small Business Server 2003, Premium Edition
For a Microsoft Windows 2000 version of this article, see 309689.
SUMMARY
This step-by-step article describes how to apply predefined security
templates. Microsoft Windows Server 2003 includes several predefined security
templates that you can apply to increase the level of security on your network.
You can modify security templates to suit your requirements by using
Security Templates in Microsoft Management Console (MMC).
Predefined Security Templates in Windows Server 2003
- Default security (Setup security.inf)
The Setup security.inf template is created during
installation, and it is specific for each computer. It varies from computer to
computer, based on whether the installation was a clean installation or an
upgrade. Setup security.inf represents the default security settings that are
applied during the installation of the operating system, including the file
permissions for the root of the system drive. It can be used on servers and
client computers; it cannot be applied to domain controllers. You can apply
portions of this template for disaster recovery purposes.
Do not apply Setup security.inf by using Group Policy. If you do so, you may experience decreased performance.
Note In Microsoft Windows 2000, two miscellaneous security templates exist, ocfiless (for file servers) and ocfilesw (for workstations). In Windows Server 2003, these files have been superseded by the Setup security.inf file.
- Domain controller default security (DC security.inf):
This template is created when a server is promoted to a
domain controller. It reflects file, registry, and system service default
security settings. If you reapply this template, these settings are set to the default values. However, the template may overwrite permissions on new files, registry keys, and system services
created by other programs.
- Compatible (Compatws.inf)
This template changes the default file and
registry permissions that are granted to the members of the Users group in a
manner that is consistent with the requirements of most programs that do
not belong to the Windows Logo Program for Software. The Compatible template
also removes all members of the Power Users group.
For more
information about the Windows Logo Program for Software, visit the following
Microsoft Web site:
NOTE: Do not apply the Compatible template to domain controllers.
- Secure (Secure*.inf)
The Secure templates define enhanced security settings
that are least likely to affect program compatibility. For example, the
Secure templates define stronger password, lockout, and audit settings.
Additionally, the templates limit the use of LAN Manager and NTLM
authentication protocols by configuring clients to send only NTLMv2 responses
and by configuring servers to refuse LAN Manager responses.
There are two
predefined Secure templates in Windows Server 2003: Securews.inf for
workstations and Securedc.inf for domain controllers. For additional
information about using these templates and other security templates, search Help and
Support Center for "predefined security templates".
- Highly Secure (hisec*.inf)
The Highly Secure templates specify additional
restrictions that are not defined by the Secure templates, such as encryption
levels and signing required for authentication and data exchange over secure
channels and between Server Message Block (SMB) clients and servers.
- System root security (Rootsec.inf)
This template specifies the root permissions. By default,
Rootsec.inf defines these permissions for the root of the system drive. You can use this template to reapply the root directory permissions if they are
inadvertently changed, or you can modify the template to apply the same root
permissions to other volumes. As specified, the template does not overwrite
explicit permissions that are defined on child objects; it propagates only the
permissions that are inherited by child objects.
- No Terminal Server user SID (Notssid.inf)
You can apply this template to remove Windows Terminal Server
security identifiers (SIDs) from the file system and registry locations when Terminal Services is not
being run. After you do so, system security does not necessarily improve.
For more detailed information about all predefined templates in
Windows Server 2003, search Help and Support Center for "predefined security
templates".
Important Implementing a security template on a domain controller may change the settings of the Default Domain Controller Policy or Default Domain Policy. The applied template may overwrite permissions on new files, registry keys and system services created by other programs. Restoring these policies might be required after you apply a security template. Before you follow these steps on a domain controller, create a backup of the SYSVOL share.
Apply a Security Template
- Click Start, click Run,
type mmc, and then click OK.
- On the File menu, click Add/Remove
Snap-in.
- Click Add.
- In the Available Stand Alone Snap-ins
list, click Security Configuration and Analysis, click
Add, click Close, and then click
OK.
- In the left pane, click Security Configuration and Analysis and view the
instructions in the right pane.
- Right-click Security Configuration and
Analysis, and then click Open Database.
- In the
File name box, type the name of the database file, and then
click Open.
- Click
the security template that you want to use, and then click
Open to import the entries that are contained in the template
to the database.
- Right-click Security Configuration and
Analysis in the left pane, and then click Configure
Computer Now.
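The same import-and-configure sequence can be scripted with secedit.exe, the command-line counterpart of the Security Configuration and Analysis snap-in. The batch file below is an added example, not part of the original article; it assumes the Securews.inf template in the default %SystemRoot%\security\templates folder and an administrator account, and the working folder and file names are illustrative.

```batch
@echo off
rem Added example: scripted equivalent of the MMC steps above, using secedit.exe.
rem Assumptions: administrator rights; the template path, working folder and
rem file names below are illustrative and should be adjusted for the computer.
setlocal
set TEMPLATE=%SystemRoot%\security\templates\securews.inf
set WORK=%SystemDrive%\sectemplate
set DB=%WORK%\securews.sdb

if not exist "%TEMPLATE%" (
    echo Template not found: %TEMPLATE%
    exit /b 1
)
if not exist "%WORK%" mkdir "%WORK%"

rem 1. Record the current local security settings for later comparison.
secedit /export /cfg "%WORK%\before.inf" /log "%WORK%\export.log" /quiet
if errorlevel 1 (
    echo Export failed. See %WORK%\export.log
    exit /b 1
)

rem 2. Import the template into a new database and compare it with the
rem    computer's current settings. Nothing is changed by this step.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%WORK%\analyze.log" /quiet
echo Review %WORK%\analyze.log for mismatches before continuing.
pause

rem 3. Apply the settings stored in the database (Configure Computer Now).
secedit /configure /db "%DB%" /log "%WORK%\configure.log" /quiet
if errorlevel 1 echo secedit returned a nonzero exit code. See %WORK%\configure.log
endlocal
```

The exported before.inf is a record of the earlier policy values for comparison; it does not capture the file, registry and service permissions that a template may overwrite.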
REFERENCES
For additional information about how to define
security templates, click the following article numbers to view the articles in
the Microsoft Knowledge Base: 816297 HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003
For additional information about how to analyze
system security, click the following article numbers to view the articles in
the Microsoft Knowledge Base: 816580 HOW TO: Analyze System Security in Windows Server 2003
Modification Type: Major
Last Reviewed: 4/27/2005
Keywords: kbHOWTOmaster KB816585 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.