In "What Security Templates Can Do for You," February 2003, http://www.winnetmag.com, InstantDoc ID 37604, I talk about some cool things that you can do with security templates. This month, I want to get more hands-on and take templates for a spin. I'll show you how to create a security template for a workstation or member server that performs three functions. First, the template will control a group's membership: it restricts the local Administrators group to just the local Administrator account and the domain's Domain Admins group. Second, it will set the NTFS permissions on the directory C:\adminstuff so that only the local Administrators group can access it. Finally, it will disable the Indexing Service.
Setting Up the Tool
Security templates are simply ASCII files, so, in theory, you could use Notepad to create them. But believe me, you don't want to do that. You'll accomplish more by using the Microsoft Management Console (MMC) Security Templates snap-in, which comes with Windows XP and Windows 2000.
First, open an empty MMC console. Click Start, Run, and type
mmc /a
Press Enter to bring up the empty MMC console. In that console, click File (or Console in Win2K), Add/Remove Snap-in to display the Add/Remove Snap-in dialog box. Click Add to access the Add Standalone Snap-in dialog box, select Security Templates, then click Add. Click Close, then OK, and you're ready to start playing.
Navigating the Snap-In
In the Console Root's directory tree, you'll see the Security Templates icon, a computer with a lock attached to it. Expand that icon, and another object will show the path to your system's security templates. The security templates reside in the %systemroot%\security\templates folder. Expand this pathname object, and you'll see a list of prebuilt security templates. The number of prebuilt templates will vary depending on your OS version and installed service packs.
For example, one of the prebuilt templates on my XP system is called setup security. This template resets registry and NTFS permissions, user rights, and system service states to their out-of-the-box settings. This functionality is tremendously useful if you've messed with settings just to see what they do and you want to be sure you haven't changed something that might make your system unusable. (Of course, if you've made changes to the system that you want to keep, you'll lose them when you apply the setup security template.) Win2K systems contain templates called basicws.inf, basicsv.inf, and basicdc.inf (for workstations, member servers, and domain controllers (DCs), respectively), which perform the same functions as the setup security template.
Another set of templates tightens your system's security to varying degrees. Securedc.inf (for DCs) and securews.inf (for member servers and workstations) provide low-level system security, and hisecdc.inf and hisecws.inf crank up security. However, although "high security" sounds attractive, you should think twice before applying the hisecdc.inf and hisecws.inf templates. Some of the settings might render your XP and Win2K systems unable to communicate with your Windows NT 4.0 and Windows 9x systems. If you do apply one of these templates and regret it, you can apply the appropriate basicx.inf template (basicws.inf, basicsv.inf, or basicdc.inf) or the setup security template to roll back your system's security to the out-of-the-box settings. The compatws.inf template, which sets your system's NTFS and registry ACLs to their less secure NT 4.0 settings, is also available. Some earlier applications simply won't run on XP or Win2K boxes unless you apply compatws.inf.
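Because templates are plain .inf text files, here is what the three-function template from the introduction looks like on disk. This is an added example, not a file from the article or from Windows; MYDOMAIN is a placeholder for your domain name, and the folder is assumed to exist before the template is applied.

```ini
; adminstuff.inf - added example of a workstation/member server template
; Save to %systemroot%\security\templates so the snap-in lists it.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Function 1: Restricted Groups. S-1-5-32-544 is the well-known SID of the
; local Administrators group. Anyone not listed here is removed on apply.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,MYDOMAIN\Domain Admins

; Function 2: NTFS ACL on C:\adminstuff. Mode 1 replaces existing ACLs on
; subfolders and files. SDDL: P = stop inheriting from the parent,
; (A;OICI;FA;;;BA) = Allow, inherit to objects/containers, Full Access,
; Builtin Administrators. No SYSTEM (SY) entry, per the article's stated
; goal; add (A;OICI;FA;;;SY) if backup or AV agents need access.
[File Security]
"C:\adminstuff",1,"D:PAR(A;OICI;FA;;;BA)"

; Function 3: Indexing Service (service name cisvc). Startup type
; 4 = Disabled (2 = Automatic, 3 = Manual). The SDDL is the standard
; default service security descriptor, kept unchanged.
[Service General Setting]
cisvc,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
```

Before applying it, compare it against the live system with `secedit /analyze /db adminstuff.sdb /cfg adminstuff.inf /log adminstuff.log` and read the log; analysis reports the differences without changing anything.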