Planning Distributed Security |
Windows 2000 provides a set of security templates for your use in setting up your network environment. A security template is a profile of security settings thought to be appropriate to a specific level of security on a Windows 2000 domain controller, server, or client computer. For example, the hisecdc template contains settings appropriate to a highly secure domain controller.
You can import a security profile into a Group Policy object and apply it to a class of computers. You can also import the template into a personal database and use it to examine and configure the security policy of a local computer.
Security templates provide standard security settings to use as a model for your security policies. They help you troubleshoot computers whose security policies are not in compliance with policy or are unknown. Security templates are inactive until imported into a Group Policy object or the Security Configuration and Analysis snap-in to MMC.
Security templates are a standard feature of Windows 2000. There are no prerequisites for using them.
You can edit security templates in the Security Templates snap-in to MMC.
You can use the Security Configuration and Analysis MMC snap-in to import and export templates, and to compare a template to the security settings of the local computer. If you want, you can use this MMC snap-in to configure the computer to match the template.
To import a security template into a Group Policy object, open the Group Policy snap-in to MMC. Right-click the Security Settings container and select the Import Policy option. This brings up a selection of security templates to import.
For more information about using security templates and predefined templates, see Windows 2000 Server Help.
The default clean-install permissions for Windows 2000 provide a significant increase in security over previous versions of Windows NT. This default, clean-install security, is defined by the access permissions granted to three groups: Users, Power Users, and Administrators.
By default, Users have an appropriate access-control policy for nonadministrative system use; Power Users are backward compatible with Windows NT 4.0 Users; and Administrators are all-powerful. Therefore, securing a Windows 2000 system is largely a matter of defining what group the users belong to.
If your site runs only applications that are compatible with the Windows 2000 application specification, then it is possible to make all users be members of the Users group and thus achieve maximum access control security without sacrificing application functionality. If your site runs applications that are not compliant with the Windows 2000 application specification, it is likely that users will need to be Power Users in order to have the privileges necessary to run the noncompliant applications. Thus, before considering the use of additional security templates, it is imperative that you define the level of access (User, Power User, or Administrator) that users need in order to successfully run the applications that must be supported.
Once this has been defined, the security templates can be used as follows:
Basic The Basic security templates apply the Windows 2000 default access control settings previously described. The Basic templates can be applied to a Windows NT computer that has been upgraded to Windows 2000. This will bring the upgraded computer in line with the new Windows 2000 default security settings that are applied only to clean-installed computers. The Basic templates can also be used to revert back to the defaults after making any undesirable changes.
Compatible Some customers might not want their users to be Power Users in order to run applications that are not compliant with the Windows 2000 application specification. They might not want this because Power Users have additional capabilities (such as the ability to create shares) that go beyond the more liberal access control settings necessary to run legacy applications. For customers who do not want their end users to be Power Users, the Compatible template "opens up" the default access control policy for the Users group in a manner that is consistent with the requirements of most legacy applications. For example, Microsoft® Office 97 SR1 runs successfully as a Power User, or as a User under the Compatible configuration. However, Office 97 does not run successfully as a clean-installed User. Note that Microsoft® Office 2000 runs successfully as a clean-installed User because it is compliant with the Windows 2000 application specification. A computer that is configured with the Compatible template must not be considered a secure installation.
Secure The Secure template modifies settings (such as password policy, audit policy, and registry values) that are less likely to have an impact on application functionality and more of an impact on the operational behavior of the operating system and its network protocols. The Secure template provides recommendations that are distinct from the default access control policy that has been defined. The Secure template does not modify any ACLs, but it does remove all members of the Power Users group.
High Secure The High Secure template increases the security defined by several of the parameters in the secure template. For example, while the Secure template might enable SMB Packet Signing, the High Secure template would require SMB packet signing. While the Secure template might warn on the installation of unsigned drivers, the High Secure template blocks the installation of unsigned drivers. In short, the High Secure template configures many operational parameters to their extreme values without regard for performance, operational ease of use, or connectivity with clients using third-party or earlier versions of NTLM. Like the Secure template, the High Secure template also removes all members of the Power Users group.
In summary, use of the security templates must be considered with respect to the default access control policy required by the installed base of applications and the communication requirements of other networked systems. Since the templates modify operating system settings, they must not be applied without passing proper quality assurance measures.