When you're into technology you know how essential good security can be.   Have you considered checking out a surveillance camera for your company? Security video cameras, spy cameras, and surveillance camera systems are all good examples of surveillance cameras that can help improve security.

Working With Windows 2000 Security Templates, Part 1

By: Brien M. Posey, MCSE

 Anyone who’s ever tried to secure a network knows what a big job it can be. When you consider how many settings there are for user accounts, groups, computers, protocols, etc. you can see that configuring a network’s security is no small task. What makes this task even bigger is that the security configuration process usually has to be performed across multiple servers, and sometimes at the workstation level as well. Of course just about the time that you think that your system’s security is set up perfectly, you discover some obvious security hole that was totally overlooked. Naturally, that means that you’ll have to decide how to fix the security flaw, look for more security holes, and then apply the fix wherever appropriate.

 As you can imagine, on a large network, it can be almost impossible to keep up with the security situation. After all, it’s very easy to accidentally overlook a setting when there are so many security related settings to adjust. This is where security templates come in. Security templates are designed to make the process of securing a network much easier, and to reduce the risk of making a mistake that could leave your network vulnerable to attack. In this article, I’ll discuss security templates and how they can be used to enhance Windows 2000’s security.

 What’s A Security Template?

The best way that I can think of to describe a security template is to compare it to a stencil. As you know, a stencil is a cardboard cut out that’s used to create lettering or images. The artist simply traces the stencil with a pen, marker, paint, or what ever, and they are able to reproduce the letter or image perfectly. Unlike a stencil, a security template isn’t made of cardboard, but it works in much the same way. Windows 2000 comes with about a dozen predefined templates. These templates define the security settings that Microsoft recommends using in certain situations. You can use the template to quickly and effortlessly reproduce those settings on your own network. For example, suppose that you wanted to revamp the security on a domain controller. Windows 2000 comes with predefined templates for basic domain controller security, secure domain controller security, and high security for a domain controller. Just pick the template that’s most appropriate for your situation and apply it.

Of course there’s always the chance that the predefined templates won’t fit your particular situation. They may be too strict or too lenient. A good example of this is that I used to be a system’s engineer for the Department of Defense. Even the high security option doesn’t measure up to some military security standards. However, that doesn’t mean that high security environments can’t benefit from security templates. That’s because Windows 2000 allows you to create your own custom templates that are based on your existing security settings. You also have the option of customizing one of the existing templates to meet your needs.

Security Templates Up Close

Now that you know what a security template is and what it does, you may be wondering how it works. A security template is actually nothing more than an .INF file. By default, these template files are located in the \WINNT\SECURITY\TEMPLATES folder. As you can see in Figure A, each of the template files have names that loosely describe their purpose. For example, the file BASICDC.INF is a template for basic security on a domain controller. You can open any one of these templates in Notepad (or any other text editor) to see the settings that they actually contain. Figure B shows a portion of the contents of the BASICDC.INF file.

Figure A

You can get an idea of a template’s function from its name.

Figure B

This is what a security template file looks like.

 As you can see in Figure B, like just about every other INF file that you’ve ever seen, some of the settings are easily recognizable and are therefore easy to adjust, while other settings tend to be more cryptic. Although you can edit a security template through a text editor, I recommend using the Microsoft Management Console instead. To do so, enter the MMC command at the Run prompt. When the empty console screen appears, select the Add/Remove Snap-in command from the Console menu. You’ll now see the Add/Remove Snap-in dialog box. Click the Add button and Windows will display a list of the available console snap ins.  Select the Security Templates snap in from the list and click the Add button followed by the Close button. You’ll now be returned to the Add/Remove Snap-in dialog box. Click OK to return to the main console screen.

 As you can see in Figure C the console is arranged in a hierarchical structure. Just beneath the top of the tree in the figure, the console displays the location of the INF files (C:\WINNT\SECURITY\TEMPLATES). The level beneath the folder displays a listing of all of the files that you saw in Figure A. Below each file are all sorts of policy settings that you can apply or adjust and then apply.

 Figure C

The Microsoft Management Console provides an easy way to interact with template files.

Modifying A Security Template

As you saw in Figure C, not many security parameters were set for the BASICDC.INF template. In some environments, this may be appropriate, but in other environments, the settings may need to be tightened (or loosened) from the setting defined (or not defined as is the case here) in the policy. Fortunately, you can easily change any setting in a security policy.

For example, suppose that you wanted to leave the basic domain security template very relaxed, but wanted to make sure that users had a password that was at least six characters long. As you can see in the figure, right now the template doesn’t enforce any sort of password length policies. You can change this by double clicking on the Minimum Password Length setting. When you do, you’ll see the Template Security Policy Setting dialog box appear. Now, simply select the Define This Policy Setting In The Template check box, and fill in the desired security parameter. For example, in Figure D, you can see that I set the minimum password length to six characters.

Figure D

You can change or define any template setting.

After you’ve made all of your changes, simply exit the console. Upon exit, the console will give you the opportunity to save your changes in the template file.

 Creating A New Security Template

 You aren’t just restricted to modifying an existing security template, you can also create a template completely from scratch. This process involves manually entering the security parameters that you want to use. Before I begin discussing the process of manually creating a template, there are a few things that I should mention.

 First, you should know that security templates are designed to be layered on top of each other. This means that you don’t have to create a single massive template that applies to all situations. Instead, you can create several smaller templates which each have a specific function. As you apply the individual templates, any conflicts will be resolved by the setting in the most recently applied template taking priority. Keep in mind that this doesn’t necessarily mean that you should layer templates. The actual method that you’ll use will depend solely on your individual network’s security implementation.

 Another thing that I should mention is that the process of creating a new template requires you to manually enter the settings that you want to use. However, if you’ve already got a good security structure implemented, there is a way to create a template based on your existing settings. Unfortunately, this is a round about method and it tends to be a bit tedious. It involves using the Security Configuration and Analysis tool. I’ll discuss this process in part 2. For now though, it’s important to become familiar with the basics. After all, you have to know how to walk before you can run.

 Now that I’ve finished ranting, let’s build a new template. To create a new template, you must go back to the Security Templates snap in in the Microsoft Management console. Next, right click on the branch of the tree containing the template location (C:\WINNT\SECURITY\TEMPLATES). Now, select the New Template command from the resulting context menu.

 At this point, you’ll see a dialog box which contains a place to enter a name and description of the template that you’re creating. Enter this information and click OK. When you do, Windows will create an INF file based on the information that you’ve just entered. Of course you’ll also be able to access the new template through the Microsoft Management Console.

 As you look through the template through the console, you’ll see that no policies are defined. You can begin defining policies by using the method that I demonstrated earlier. Simply double click on a policy, select the Define This Policy Setting In The Template check box, and then enter the appropriate value and click OK. If you’re not sure what value to use I’ll show you how to look up the network’s current settings in part 2.

 Applying Templates

 There are actually a couple of different ways to apply security templates. One method involves using the Security Configuration and Analysis Tool. I’ll discuss this method in detail in part 2. The other method is much less drastic. It involves applying the security template or templates by importing them into a group policy object.

 To apply a security template to a group policy object, go into the console that’s appropriate for the security that you are trying to configure. For example, if you want to work with the local group policy, you’d select the Local Security Policy command from the Administrative Tools menu. When the console loads, right click on the words Security Settings in the console’s tree, and select the Import Policy command from the resulting context menu. When you do, you’ll see the Import Policy dialog box. This dialog box displays all of the available template files. Select the template that you want to import and click the Open button.

 Once you’ve imported the security template, you must remember that the change usually doesn’t happen instantly. For the change to take effect, you must wait for the next group policy propagation cycle. If you don’t have time to wait for automatic propagation, you can speed things up by either rebooting the computer or entering the following command:

 SECEDIT /REFRESHPOLICY policy_name

 Conclusion

 As you can see, templates can be extremely valuable when it comes to configuring network security. In this article, I’ve shown you the basics of how to create, modify, and implement security templates. In part 2, I’ll explain a process by which you can compare a template against your network’s actual policies.

  Read Part 2

If you've found this article helpful then please consider making a donation to help with the cost of keeping this site going. To make a donation, please click on the PayPal link below.