July 30, 2001 12:00 AM

Using MMC Snap-ins to Secure Win2K Systems

Windows IT Pro
InstantDoc ID #21668

When you expand the Security Templates snap-in in MMC, you see a list of the available security templates in the default folder (%SystemRoot%\security\templates). You can point the Security Templates snap-in to another folder by right-clicking the snap-in, then selecting New Template Search Path. Expanding a template lets you examine the settings it defines.

I recommend that you never modify the templates that Microsoft supplies. Instead, use them as a basis for customized templates. You can create a template for customization by saving an existing template under a new name. I recommend that you incorporate identifying information about your environment, such as the domain name or system role, into the filename (e.g., productiondmziis.inf). You can create an empty template by right-clicking the Templates folder under the Security Templates snap-in and selecting New Template. A template that you create in this way has no settings defined in it. To modify the settings in your template to reflect your particular security requirements, drill down through the template until you see a setting you want to change, then double-click that setting. A dialog box such as the one in Figure 2 appears that lets you modify the setting.

The Security Configuration and Analysis Snap-in
The Security Configuration and Analysis snap-in lets you audit and configure system security. As with the Security Templates snap-in, you must add the Security Configuration and Analysis snap-in to MMC before you can use it.

At the heart of the Security Configuration and Analysis snap-in is a database engine that creates and uses a database with an .sdb extension. The database holds the settings from the template (or templates) you import into it. When you analyze security, the snap-in compares those stored settings against the computer's current settings and records the result; when you configure security, the snap-in applies the stored settings to the computer. Because the analysis results stored in the database describe one machine, use a separate database for each computer. To open an existing database or create a new one, right-click the Security Configuration and Analysis snap-in, then select Open Database. Select a database from the drop-down list, or type the name of a new database in the Open Database dialog box, then click Open. If you create a new database, the Import Template dialog box appears; from this dialog box, select the security template you want to use, then click Open. (For information about a bug in the basicdc.inf security template, see the sidebar "Avoiding Errors in the Basicdc.inf Security Template.")

Analyzing Security Through the Snap-in
When you've created the database and imported a template (or opened an existing database), you can either analyze the security settings of your system or apply the security settings to the system. I recommend that you analyze the security of your system first so that you can make sure that you won't apply settings from a template that relaxes existing security settings. To analyze the system, right-click the Security Configuration and Analysis snap-in, then select Analyze Computer Now. The system prompts you for a location in which to store the log file created during the analysis. As the Security Configuration and Analysis snap-in analyzes the local system, it uses the progress indicator that Figure 3 shows to inform you of its progress.

When the analysis is complete, you can examine the results by expanding the Security Configuration and Analysis snap-in and clicking the settings you're interested in. MMC's right pane contains the details; most settings have three columns, as Figure 4 shows:

  • Setting name (e.g., Policy)
  • Database Setting
  • Computer Setting

When the computer setting matches the database setting, the setting name has a green check mark beside it. When both are defined but differ, the name has a red X beside it. The red X means only that the two values differ, not necessarily that the computer is less secure: compare the two columns and investigate before you configure, because configuring replaces the computer setting with the database setting. (A setting defined in only one place is marked differently: an exclamation point for a database setting the computer doesn't have, a question mark for a computer setting the database doesn't define.) Right-clicking the Security Configuration and Analysis snap-in and selecting View Log File causes the log file created during the analysis to appear in MMC's right pane.

Configuring Security Through the Snap-in
Configuring computer security through the Security Configuration and Analysis snap-in is much like analyzing security. You must create a new database and import a security template or open an existing database. Start the configuration process by right-clicking the Security Configuration and Analysis snap-in and selecting Configure Computer Now. As during security analysis, a dialog box with a progress indicator appears; however, be aware that applying settings can take longer than analyzing them.

You can import multiple templates into a database by right-clicking the Security Configuration and Analysis snap-in and selecting Import Template. (Perform this step once for each template.) The imported settings are cumulative: a setting that appears in only one template is added, and when two templates define the same setting, the template you imported last wins. (The Import Template dialog box also offers a Clear this database before importing check box if you want to start over rather than accumulate.) After you've loaded the templates (e.g., the basic, secure, and highly secure workstation templates), you can edit them in the database just as you can modify a template. The changes in the database aren't applied until you choose to configure the computer.

The benefit of being able to modify the database is that when you're happy with the configuration, you can export a template file that contains all the settings by right-clicking the Security Configuration and Analysis snap-in and selecting Export Template. You can then apply the exported template to other machines in your organization.
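Both operations this section describes, the analysis that compares Database Setting against Computer Setting and the cumulative import of several templates, can be reproduced offline on the template files themselves. The following Python script is an added example, not code from the article or from Microsoft: it parses the .inf template format (the same format Export Template writes), classifies each setting with the snap-in's own categories, and merges templates in import order. The three template fragments are constructed for the demonstration; their section and key names are real Win2K template keys, the values are made up, and the "current settings" fragment stands in for an export of the machine's actual configuration, which the script assumes you obtained separately (e.g., with secedit.exe, the snap-in's command-line counterpart).

```python
"""Offline analysis and merging of Windows 2000 security templates (.inf).

Added example, not code from the original article or from Microsoft.  The
template fragments below are constructed: section and key names are real
Win2K template keys, the values are made up for the demonstration.
"""
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^\[(.+?)\]$")
META_SECTIONS = ("Unicode", "Version")  # file headers, not security settings

def parse_template(text):
    """Parse template text into {section: {key: value}}.  ';' starts a comment;
    only the first '=' splits key from value, so registry entries ('<type>,<data>')
    and SID lists keep their commas, and entries with no '=' ([Registry Keys],
    [File Security]) are kept whole as the key.  Real files are UTF-16 with a BOM:
    read them with open(path, encoding="utf-16") before calling this."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), OrderedDict())
            continue
        if current is None:
            raise ValueError(f"setting before any [section]: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections

def analyze(database, computer):
    """Compare database (imported template) settings with the computer's.
    Returns {(section, key): (status, db_value, computer_value)} using the
    snap-in's categories: 'match' (green check), 'mismatch' (red X),
    'not_defined' (database only; exclamation point), 'not_analyzed' (computer
    only; question mark).  A mismatch only means the values differ; which side
    is stricter is a per-setting judgment, so both values are returned."""
    keys = {(s, k) for tpl in (database, computer) for s, v in tpl.items()
            if s not in META_SECTIONS for k in v}
    result = {}
    for section, key in sorted(keys):
        db = database.get(section, {}).get(key)
        pc = computer.get(section, {}).get(key)
        if db is None:
            status = "not_analyzed"
        elif pc is None:
            status = "not_defined"
        else:
            status = "match" if db == pc else "mismatch"
        result[(section, key)] = (status, db, pc)
    return result

def merge_templates(*templates):
    """Merge in import order, like repeated Import Template into one database
    without 'Clear this database before importing': settings accumulate, and a
    setting defined in two templates takes the most recently imported value."""
    merged = OrderedDict()
    for tpl in templates:
        for section, settings in tpl.items():
            merged.setdefault(section, OrderedDict()).update(settings)
    return merged

# Constructed sample: a custom baseline template for a hardened workstation.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon=1,"0"
"""

# Constructed sample: the same machine's current settings, as exported from it.
CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordHistorySize = 24
[Event Audit]
AuditLogonEvents = 0
AuditSystemEvents = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0
"""

# Constructed sample: a second template imported on top of the baseline.
OVERRIDE_INF = """\
[System Access]
MinimumPasswordLength = 12
MaximumPasswordAge = 42
"""
```

On the constructed data, analyze() reports MinimumPasswordLength, AuditLogonEvents and SeNetworkLogonRight as mismatches, PasswordHistorySize as a match, the AutoAdminLogon registry value as not defined on the computer, and AuditSystemEvents as not analyzed; merge_templates() applied to the baseline and then the override yields MinimumPasswordLength 12 with the baseline's other settings intact, which is exactly what importing the two templates in that order leaves in the database. Reverse the import order and the baseline's 8 wins instead, so keep your import sequence deliberate.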

Rolling Out and Maintaining Security Policies
When you've created templates for the machines in your organization, you can roll them out as part of a Group Policy. To access Group Policy Editor (GPE), open the MMC Active Directory Sites and Services snap-in or the MMC Active Directory Users and Computers snap-in (both of which you access from Start, Programs, Administrative Tools). Right-click an organizational unit (OU), domain, or site, select Properties, then click the Group Policy tab. (For more information about controlling and applying Group Policies, see "Related Reading.") You can also add the Group Policy snap-in to an empty or preexisting MMC. (See my directions earlier in this article for adding an MMC snap-in.)

With GPE open, you can import your templates by drilling down through the policy (e.g., the Default Domain Policy) to Computer Configuration, Windows Settings, Security Settings. Right-click the Security Settings container and select Import Policy, then select the security template file you want in the dialog box that appears. Using standard Group Policy functionality, you can create multiple security policies for different OUs, domains, and sites in your organization. Be aware that security settings persist after the policy that set them is removed: if you import and apply the wrong template, removing it from the policy doesn't restore the previous values, so you must also apply a template that explicitly sets the correct ones. Unlike NT System Policies, Group Policies are reapplied each time Win2K boots, whenever a user logs on, and periodically in the background, so local changes that conflict with the policy are effectively undone at the next refresh.

For More Information
Security templates provide you with a powerful means of configuring and analyzing security policies throughout your entire organization. For more information about the Microsoft security templates, go to the Distributed Systems Guide in the Microsoft Windows 2000 Server Resource Kit, or check out Microsoft's Web site and Knowledge Base for updated articles.


Comments
  • Anonymous User, Feb 25, 2005

    I'm adding a security template on 2K but keep getting an error message stating: "An attempt was made to load a program with an incorrect format input failed" I've been using both the default .inf files on the box and one that has been made especially. Any idea where to go from here?

  • Anonymous User, Jan 30, 2005

    We are in the process of deploying new machines with XP SP-2 and for the time being have put the domain users group in the local power user group so that Office 97 will work. This article is very timely for me because I wanted a way to go back and lock down computers without having to physically touch each one.
