July 30, 2001 12:00 AM

Using MMC Snap-ins to Secure Win2K Systems

Windows IT Pro
InstantDoc ID #21668
Customize security templates to roll out security policies

One of the greatest challenges you face is ensuring that each machine on your network conforms to a standard security policy. Since Windows NT 4.0 Service Pack 4 (SP4) came out, Microsoft has provided security templates and tools that you can use to accomplish this task. With Windows 2000, these templates and the tools to support them have matured and grown in functionality. Surprisingly, however, some administrators haven't heard of them, and many more administrators don't realize these tools' full potential.

This month, I show you how to use Win2K Microsoft Management Console (MMC) snap-ins to create, customize, and save security templates. I also show you how to use snap-ins to roll out and maintain template-based security policies.

Security Templates
A security template file is a text file that contains settings for various aspects of security, such as account and local policies, the event log, groups, system services, registry settings, and file-system permissions. By default, Windows stores these files with an .inf extension in the %systemroot%\security\templates folder.

Microsoft supplies several security template files with the OS. The Microsoft Windows 2000 Server Resource Kit includes two further templates (you can find these templates in the resource kit installation directory), and you can download a custom security template to help you harden Win2K-based Web servers from the Microsoft Internet Information Services (IIS) 5.0 security checklist (http://www.microsoft.com/technet/prodtechnol/iis/tips/iis5chk.asp). Additional template files are created during the installation process and during promotion of a server to a domain controller (DC). Table 1, page 2, lists some notable templates. To open a template file and view its contents, double-click it or right-click the filename and select Open. However, be careful not to select the Install option, or you'll apply the settings in the template to your local system, which can be disastrous (especially on a DC).

Microsoft provides three basic security templates for workstation, server, and DC systems. These templates contain the baseline security configurations that should have been implemented when you performed a default fresh installation. If you upgraded an earlier Windows system to Win2K, the security settings won't match those in the basic templates. You must apply the appropriate template to your system by right-clicking the template and selecting Install or by using the MMC Security Configuration and Analysis snap-in, which I describe later.

The basic templates primarily define default registry and file-system permissions. If you're using FAT instead of NTFS partitions, you can't secure your system to the level that a basic template defines. If the basic templates don't provide sufficient security for your environment, consider using the secure and highly secure templates for workstation and DC systems. A secure template provides incrementally stricter security settings than a basic template, defining password policies, auditable events, and security options. A highly secure template provides incrementally stricter settings than a secure template; it expands the list of auditable events and tightens the security options. You must use the basic, secure, and highly secure templates in that order when auditing or configuring system security. (The Microsoft article "Windows 2000 Security Templates Are Incremental" at http://support.microsoft.com/support/kb/articles/q234/9/26.asp discusses this restriction in more detail.) As I show you later, you can create one template that incorporates these layered templates. However, you'll probably need to tailor these templates for your local requirements, and you should never apply a template without first looking to see what it contains and considering the implications for your systems and networks.
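The layering rule above, as an added example (not code from the article or from Microsoft): a short Python script that parses template text, applies the layers in order, and records which template each effective setting comes from and which earlier value a later layer replaces. The three sample templates are constructed for illustration, and `parse_template`, `layer`, `ORDER` and `META` are hypothetical names.

```python
# Constructed sample templates (illustrative values, not the shipped .inf files).
BASIC = r'''[Version]
signature="$CHICAGO$"
[File Security]
"%SystemRoot%\repair",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
'''
SECURE = '''[System Access]
MinimumPasswordLength = 8
[Event Audit]
AuditLogonEvents = 2
'''
HIGHLY_SECURE = '''[Event Audit]
AuditLogonEvents = 3
'''
ORDER = [("basic", BASIC), ("secure", SECURE), ("highly secure", HIGHLY_SECURE)]
META = {"Unicode", "Version", "Profile Description"}  # header sections, not settings

def parse_template(text):
    """Parse security-template text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            # Permission entry: "object",mode,"SDDL"; keyed on the object path.
            current[line.split('"')[1]] = line
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def layer(templates):
    """Apply (name, text) pairs in order; return (effective, overrides)."""
    effective, overrides = {}, []
    for name, text in templates:
        for section, settings in parse_template(text).items():
            if section in META:
                continue
            for key, value in settings.items():
                slot = (section, key)
                if slot in effective and effective[slot][0] != value:
                    overrides.append((section, key, effective[slot], (value, name)))
                effective[slot] = (value, name)
    return effective, overrides

if __name__ == "__main__":
    for item in layer(ORDER)[1]:
        print("OVERRIDE", item)
```

Reviewing the `overrides` list before applying a stack of templates shows exactly which settings a stricter layer changes.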

The MMC Security Templates Snap-in
The preferred method for viewing and modifying security templates is through the MMC Security Templates snap-in. By default, this snap-in doesn't appear under Start, Programs, Administrative Tools: You need to open MMC and add the snap-in to the console. To add the Security Templates snap-in, follow these steps:

  1. Click Start, Run. Type mmc, then click OK to open an empty console.
  2. Click the Console menu, then choose Add/Remove Snap-in.
  3. Click Add to display a dialog box that contains the list of available snap-ins, as Figure 1 shows.
  4. Scroll down the list to Security Templates, then click Add. Click Close.
  5. Click OK in the Add/Remove Snap-in dialog box.


Comments
  • Anonymous User
    7 years ago
    Feb 25, 2005

    I'm adding a security template on 2K but keep getting an error message stating: "An attempt was made to load a program with an incorrect format input failed". I've been using both the default .inf files on the box and one that has been made especially. Any idea where to go from here?

  • Anonymous User
    7 years ago
    Jan 30, 2005

    We are in the process of deploying new machines with XP SP-2 and for the time being have put the domain users group in the local power user group so that Office 97 will work. This article is very timely for me because I wanted a way to go back and lock down computers without having to fiscally touch each one.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.