Title: 70291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Security
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced
Chapter 13: Security Templates
Objectives
- Identify the components of the Security Configuration Manager tools
- Describe the different predefined security templates available on Windows Server 2003
- Apply security templates to a local computer and GPO
- Create security templates and modify their settings
- Analyze security settings on a computer using Secedit.exe and the Security Configuration and Analysis snap-in
The Security Configuration Manager Tools
- Tools included for the purpose of allowing you to create and maintain security configurations across the network
- Consist of the following core components
  - Security templates
  - Security settings in GPO objects
  - Security Configuration and Analysis snap-in
  - Secedit command-line tool
- Security template is used to define, edit, and save baseline security settings
The Security Configuration Manager Tools (continued)
- GPO refers to Group Policy Object
- May import settings from security template to a GPO
- GPO commonly referred to as Security Policy Template
- When a security policy has been designed and approved, the settings can be defined in a security template
- Security Configuration and Analysis snap-in or Secedit.exe tool can be used to view a security template
Predefined Security Templates
- Administrator may design a custom security template
- Windows Server 2003 is packaged with several predefined security templates
- Windows Server 2003 provides a template for each category of computer
- Only computers running Windows Server 2003, Windows XP, and Windows 2000 can take advantage of security template configurations and deployments
The Default Template
- Default security settings are stored in a template called Setup Security.inf
- Contents will depend on the original configuration of the computer
- Allows for easy configuration of security back to default, original settings
Incremental Templates
- These templates modify security settings incrementally
- Should only be applied to machines already running the default security settings
- Standard incremental templates include
  - Compatws.inf
  - Securews.inf and Securedc.inf
  - Hisecws.inf and Hisecdc.inf
  - DC Security.inf
  - RootSec.inf
Activity 13-1: Browsing Predefined Security Templates
- Objective: Explore settings associated with built-in security templates
- Start → Run → mmc
- Add the Security Templates snap-in
- View the contents of various templates
- View settings of Account Lockout Policy
Applying Security Templates
- Can be applied to either the local machine or the domain via GPOs
- To apply to a local machine, run secpol.msc
- To apply to several computers using GPO, use Active Directory Users and Computers snap-in
- Settings applied using Group Policy will always override local settings
- Group policy security settings refreshed at reboot, at 90-minute intervals for servers and workstations, and every 5 minutes on domain controllers
Activity 13-2: Applying a Security Template
- Objective: Apply a security template to a single computer
- Start → Run → secpol.msc
- Choose Import policy and highlight compatws.inf
Creating Security Templates
- Sometimes you may need to modify a predefined security template or create a new one using the Security Templates snap-in
- New security templates are not preconfigured with any security-related settings
- The Account Policies node has three subcategories
  - Password Policy
  - Account Lockout Policy
  - Kerberos Policy
Creating Security Templates (continued)
- When configuring the account policy for computers in an Active Directory domain, the GPO containing security template settings must be linked to a domain object
- Other nodes include
  - Local policies
  - Event log
  - Restricted groups
  - System services
  - Registry
  - File System
Activity 13-3: Creating a Security Template
- Objective: Define a new security template to meet custom requirements
- Start → Run → mmc
- Add the Security Templates snap-in
- Modify Password Policies
- Modify Account Lockout Policy
Managing and Troubleshooting Security Templates
- A security baseline template is a security template that contains a set of security settings that define the minimum security settings that must be applied to a particular computer
- Compare a security baseline template to the actual configuration of computers in your network to ensure that security is maintained
Analyzing System Security using the Security Configuration and Analysis Snap-in
- Allows administrators to compare current system settings to a previously configured security template
- Uses a container, also referred to as a security database, to store imported templates
- You can compare settings of security templates in the security database to actual computer settings using the Analyze Computer Now option
Analyzing System Security using the Security Configuration and Analysis Snap-in (continued)
- To apply the settings in the database to a local computer, right-click Security Configuration and Analysis and choose Configure Computer Now
- You can export settings in the database to a new security template file
- The newly created file can be applied to other computers or to a GPO
Activity 13-4: Analyzing Security Settings Using Security Configuration and Analysis
- Objective: Use the Security Configuration and Analysis snap-in to compare security template settings to settings on the local computer
- Start → Run → mmc
- Add the Security Configuration and Analysis snap-in
- Select the Open Database option
- Select Analyze Computer Now
Using the Secedit Command-Line Tool
- Used to create and apply security templates and analyze security settings
- Main switches include
  - /analyze
  - /CFG filename
  - /configure
  - /DB filename
  - /export
  - /GenerateRollback
  - /import
  - /log filename
Using the Secedit Command-Line Tool (continued)
- Secedit switches also include
  - /quiet
  - /validate
  - /verbose
Activity 13-5: Analyzing Security Settings Using Secedit.exe
- Objective: Use the Secedit utility to compare security template settings to settings on the local computer
- Start → Run → cmd
- Type specified command
- View resulting log in Notepad
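
Added example (not from the original slides): the baseline comparison described in the Managing and Troubleshooting and analysis slides above, written in Python for the account policy section of a security template. Both INF fragments are constructed samples, and the function names, rule tables and status strings are assumptions of this example, not output of the snap-in or Secedit.

```python
import configparser

# Constructed baseline template fragment (not one of the shipped templates).
BASELINE_INF = """[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 5
"""
# Constructed stand-in for the computer's current settings in the same format.
CURRENT_INF = """[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
MaximumPasswordAge = 90
LockoutBadCount = 0
"""
# Assumed rule tables: which direction is stricter, and which value disables a control.
STRICTER = {"MinimumPasswordLength": "higher", "PasswordComplexity": "higher",
            "MaximumPasswordAge": "lower", "LockoutBadCount": "lower"}
DISABLED = {"LockoutBadCount": 0, "MaximumPasswordAge": -1}

def parse_template(text):
    # INF quirks: ';' comments, '=' as the only delimiter, case-sensitive keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",),
                                   comment_prefixes=(";",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def analyze(baseline_text, current_text, section="System Access"):
    base, cur = parse_template(baseline_text), parse_template(current_text)
    report = {}
    for key, want in base[section].items():
        have = cur.get(section, key, fallback=None)
        if have is None:
            report[key] = "not defined on computer"
        elif have == want:
            report[key] = "match"
        elif key not in STRICTER:
            report[key] = "mismatch"
        else:
            h, w, off = int(have), int(want), DISABLED.get(key)
            weaker = h == off or (w != off and
                                  (h < w if STRICTER[key] == "higher" else h > w))
            report[key] = "weaker than baseline" if weaker else "stricter than baseline"
    return report

if __name__ == "__main__":
    print(analyze(BASELINE_INF, CURRENT_INF))
```

A lockout threshold of 0 is reported as weaker than any baseline because it switches lockout off, even though it is numerically lower than the baseline value.
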
Summary
- Windows Server 2003 simplifies the management of security-related settings on computers using Security Configuration Manager tools
- Security templates define baseline security settings for use on computers
- Each security template organizes security-related settings into seven categories
- Windows Server 2003 comes with several predefined security templates
Summary (continued)
- You may create security templates using the Security Templates snap-in
- You may apply the settings in a security template to the local computer or to a GPO in an Active Directory database
- The Security Configuration and Analysis snap-in can analyze a computer's security settings, modify security template settings, and apply security templates to computers
- Secedit.exe command-line utility can analyze and set security-related settings on a computer