HOW TO: Use and Apply the IIS Secure Internet Web Server and Secure Intranet Web Server Security Configuration Templates in Windows 2000 (317376)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
This article was previously published under Q317376

IN THIS TASK

SUMMARY

This step-by-step article describes how to use and apply the Microsoft Internet Information Services (IIS) Secure Internet Web Server and Secure Intranet Web Server security templates.

The Secure Internet Web Server and Secure Intranet Web Server templates are predefined security configuration templates that you can use to configure security on an IIS-based Web server. These templates are available in the Microsoft Windows 2000 Server Resource Kit. Each template is saved as a text-based .inf file, to which you can make any necessary changes.

back to the top

How to Use and Apply the IIS Security Configuration Templates

To use the Secure Internet Web Server template (SecureInternetWebServer.inf) or the Secure Intranet Web Server template (SecureIntranetWebServer.inf), follow these steps.

Step 1: View or Modify the Template by Using the Security Templates Snap-in

To view or make changes to the security configuration templates, follow these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type sectemplates.msc, and then click OK.

    The Security Templates snap-in starts.
  3. In the console tree, expand Security Templates, and then expand %systemroot%\Security\Templates.

    The security templates that are currently installed on the computer, including SECUREINTERNETWEBSERVER and SECUREINTRANETWEBSERVER, are displayed.
  4. Expand the security template that you want to use. The following security policies are listed:

    Account Policies
    Local Policies
    Event Log
    Restricted Groups
    System Services
    Registry
    File System

  5. Expand the policy that you want to view or modify -- for example, Account Policies.
  6. Click the security area that you want to view or modify (for example, Password Policy), and then in the right pane, double-click the security attribute that you want.
  7. In the Template Security Policy Setting dialog box that appears, click Define this policy setting in this template (if it is not already selected), make the changes (if any) that you want, and then click OK.
  8. Repeat steps 5 through step 8 to view or modify the security policy settings that you want.
  9. Save the changes that you made (if any) to the template. To save the template with a new name, right-click the template in the console tree, and then click Save As. In the Save As dialog box, type a new name for the template, and then click Save.
  10. Quit the Security Templates snap-in.
back to the top

Step 2: Import the Template to the Security Configuration and Analysis Snap-in

To import the template to the Security Configuration and Analysis snap-in, follow these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type mmc, and then click OK.
  3. On the Console menu, click Add/Remove Snap-in, and then click Add.
  4. In the Available Standalone Snap-ins list, click Security Configuration and Analysis, click Add, and then click Close.
  5. Click OK.
  6. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.
  7. In the Open database dialog box that appears, type a name for the new database in the File name box, and then click Open.
  8. In the Import Template dialog box that appears, click the IIS template that you want to import, and then click Open.

    The security template is imported to the security database.
back to the top

Step 3: Analyze the Computer's Security Settings

To compare the current security settings of the computer with the settings in the security database, follow these steps.

NOTE: No changes are made to the computer at this time. The results of this procedure show where there are discrepancies between the security settings in the template and the actual system settings.
  1. In the console tree, right-click Security Configuration and Analysis, and then click Analyze Computer Now.
  2. In the Perform Analysis dialog box that appears, either accept the default path and log file name, or type the path and file name that you want, and then click OK.
  3. When the analysis is complete, expand the following components in the console tree:

    Account Policies
    Local Policies
    Event Log
    Restricted Groups
    System Services

  4. For each component that you expand in step 3, view its security attribute entries in the right pane under the Policy column, and then note the following:
    • An entry with a green check mark indicates that the current computer settings are the same as security settings in the database.
    • An entry with a red "x" indicates that the current computer settings are different from the security settings in the database.
    • If a green check mark or a red "x" is not displayed, a setting for this security attribute is not defined in the template, and was not analyzed.

      If you want to add a setting to the database, right-click a security attribute that is not included in the database, and then click Security. Click to select the Define this policy in the database check box, make the changes that you want to the policy setting, and then click OK.
    NOTE: The Database Setting column displays the security settings that are contained in the template, and the Computer Setting column displays the computer's current settings.

  5. Save the changes that you made (if any) to a database. Right-click Security Configuration and Analysis in the console tree, and then click Save.
back to the top

Step 4: Configure the Computer's Security Settings

To configure the computer to use the security settings in the database, follow these steps:
  1. In the console tree, right-click Security Configuration and Analysis, and then click Configure Computer Now.
  2. In the Configure System dialog box that appears, either accept the default path and log file name, or type the path and file name that you want, and then click OK.

    The security database configuration is applied to the computer.
back to the top

REFERENCES

For additional information about how to configure security in Windows 2000, click the article numbers below to view the articles in the Microsoft Knowledge Base:

216735 Methods Used to Apply Security Settings Throughout an Enterprise

313203 HOW TO: Analyze System Security in Windows 2000

309689 HOW TO: Apply Predefined Security Templates in Windows 2000

313434 HOW TO: Define Security Templates in the Security Templates Snap-in in Windows 2000

234926 Windows 2000 Security Templates Are Incremental

For more information about the Windows 2000 Resource Kit, visit the following Microsoft Web site:

http://www.microsoft.com/windows2000/techinfo/reskit/default.mspx

back to the top
Modification Type:MajorLast Reviewed:9/27/2006
Keywords:kbhowto kbHOWTOmaster KB317376
©2004 Microsoft Corporation. All rights reserved.