February 2003

What Security Templates Can Do for You

Discover the scripted, reproducible way to make modifications

The Windows NT family—Windows XP, Windows 2000, NT 4.0, and NT 3.x—has a reputation for being insecure. In my opinion, however, these platforms (as well as Novell NetWare and the UNIX variants) are all secure because they're equipped with thousands of "locks"—OS pieces that offer some degree of security by letting you specify that only person X can perform action Y on object Z. The difference between NT and NetWare, however, is that although both OSs offer such locks, an out-of-the-box NetWare installation secures the locks, then tells administrators to choose what they want to unlock. In contrast, an out-of-the-box NT installation leaves most of its locks unlocked, then lets administrators select the locks they want. (This information doesn't apply to Windows Server 2003, the design of which follows the NetWare strategy. Win2K has more locked-by-default options than NT 4.0, and XP is tighter out of the box than Win2K Professional.)

The locks present a dilemma for Windows Server 2003, XP, and Win2K administrators: What if properly securing workstations and servers is theoretically possible but is too time-consuming in practice? XP is an excellent OS, but if you have to visit every desktop and adjust a few dozen permissions and rights to make sure the desktop is secure, rolling out XP or any other NT variant becomes an expensive and time-consuming proposition. What you need is a way to script the process of setting up security that automatically adjusts the entire gamut of security-related settings to fit your particular organization.

Fortunately, such a method exists. Security templates are ASCII text files that let you specify settings for local rights and security settings, local group membership, services, file and directory permissions, and registry key permissions. After you create a security template, you can use just one command to apply it, and all its settings take effect. An hour's worth of tinkering with the registry, the Microsoft Management Console (MMC) Computer Management snap-in, and other tools becomes a moment's work.

Security templates aren't new in Windows Server 2003 or XP; they first appeared in NT 4.0 Service Pack 4 (SP4). But every administrator needs to know what they can do. Templates don't let you modify anything that you couldn't modify otherwise, but they provide a scripted, reproducible way to make modifications and easily audit systems to ensure that they meet the template's requirements. You can use the GUI to make these changes manually, but that process is time-consuming. Templates let you easily perform the following five security-related tasks.

Administer Groups
Templates can adjust local group memberships. If your users' desktop PCs run NT variations, you've probably struggled with the question of how much power to give users over their desktops. Some companies let everyone become local administrators, some offer Power User status to users, and others give users only simple User status.

If you restrict users' powers on their desktops, I guarantee that at some point you'll relax those restrictions, at least temporarily. For example, suppose you set up workstations that restrict the local Administrators group to only the local Administrator account and the Domain Admins group. But what if a support person "temporarily" elevates a user account to the Administrators group with the innocent intention of undoing the action later, then forgets to restore the original membership? If you apply a security template that says "only Administrator and Domain Admins can be in the local Administrators group," reapplying the template will kick out anyone who isn't supposed to be in the group.

Templates automate the process of setting security information, just as if you sat down and used the GUI to do so. But the template isn't a guardian angel that constantly monitors a system to ensure that your desired template settings are always enforced. The only way to ensure that your settings remain in force is to manually reapply the template on a regular basis or create a Group Policy that applies the template. (Group Policies reapply themselves roughly every 90 minutes.) You can do anything with Group Policies that you can do with security templates, and the ability to automatically reapply Group Policies makes them an attractive option. But if you plan to use Group Policies, you need an Active Directory (AD) domain. Templates, however, work with or without an AD domain.

Adjust NTFS Permissions
You can use security templates to adjust NTFS permissions. Suppose you want to give the C:\stuff directory System/Full Control and Administrators/Full Control NTFS permissions and deny access to everyone else. A template can apply those permissions and restrictions. Also, because you can apply templates to many machines (provided you use Group Policies), you can enforce the set of NTFS permissions on the entire domain. If you're like most NT administrators, you've looked at NT's default file and directory permissions (Everyone/Full Control) in horror and decided to tighten up the ACLs. But you can easily make a mistake and tighten the ACLs to the point at which no one can use a computer, so you'll probably have to experiment to find just the right balance. After you strike that balance, you can express it in a template that you can then apply to any or all systems.
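The template format and the apply-then-audit cycle described in this article, as an added example that is not from the article or from Microsoft's documentation. It covers both the Restricted Groups case (only Administrator and Domain Admins in the local Administrators group) and the NTFS case (C:\stuff restricted to SYSTEM and Administrators). The domain name CORP and the file paths under $env:TEMP are assumptions; S-1-5-32-544 is the well-known SID of the local Administrators group, and the commands must be run from an elevated prompt.

```powershell
# Added example, not code from the article. Builds an INF security template,
# applies it with a single secedit command, then re-checks the machine for drift.
# Assumptions: domain NetBIOS name CORP, folder C:\stuff, scratch files in $env:TEMP.

$template = @'
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Restricted Groups. S-1-5-32-544 is the local Administrators group.
; Accounts not listed under __Members are removed when the template is applied,
; which is what undoes a forgotten "temporary" elevation.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,CORP\Domain Admins

; File Security entries are "path",mode,"SDDL".
; mode 0 = propagate inheritable permissions to subfolders and files.
; D:PAR marks the DACL as protected (nothing is inherited from C:\), so only the
; two ACEs listed remain: SYSTEM (SY) and Builtin Administrators (BA), both
; Full Access (FA), inherited by objects (OI) and containers (CI). Granting
; nobody else anything is how "deny everyone else" is expressed here.
[File Security]
"C:\stuff",0,"D:PAR(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
'@

$inf = Join-Path $env:TEMP 'lockdown.inf'
$db  = Join-Path $env:TEMP 'lockdown.sdb'
$log = Join-Path $env:TEMP 'lockdown.log'

# The [Unicode] header says the file is Unicode, so write it as UTF-16.
Set-Content -Path $inf -Value $template -Encoding Unicode

# One command applies every setting in the template. /areas limits the run to
# the two sections used above; omit it to apply the whole template.
secedit /configure /db $db /cfg $inf /overwrite /areas GROUP_MGMT FILESTORE /log $log /quiet

# Audit without changing anything: /analyze compares the live machine with the
# template and records each difference in the log as a "Mismatch" line.
secedit /analyze /db $db /cfg $inf /log $log
Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line }
```

Running the `/analyze` step on a schedule gives the periodic check the article recommends; re-running the `/configure` line is the manual reapply. In an AD domain the same .inf can be imported into a Group Policy Object (Computer Configuration, Windows Settings, Security Settings, Import Policy) so that Group Policy reapplies it on its own refresh cycle.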

Windows IT Pro is a division of Penton Media Inc.
Copyright © 2009 Penton Media, Inc. All rights reserved.