This step-by-step article describes how to apply predefined security
templates. Microsoft Windows Server 2003 includes several predefined security
templates that you can apply to increase the level of security on your network.
You can modify security templates to suit your requirements by using
Security Templates in Microsoft Management Console (MMC).
Predefined Security Templates in Windows Server 2003
Default security (Setup security.inf)
The Setup security.inf template is created during
installation, and it is specific for each computer. It varies from computer to
computer, based on whether the installation was a clean installation or an
upgrade. Setup security.inf represents the default security settings that are
applied during the installation of the operating system, including the file
permissions for the root of the system drive. It can be used on servers and
client computers; it cannot be applied to domain controllers. You can apply
portions of this template for disaster recovery purposes.
Do not apply
Setup security.inf by using Group Policy. If you do so, you may experience decreased performance.
Note In Microsoft Windows 2000, two miscellaneous security templates exist, ocfiless (for file servers) and ocfilesw (for workstations). In Windows Server 2003, these files have been superseded by the Setup security.inf file.
This template is created when a server is promoted to a
domain controller. It reflects file, registry, and system service default
security settings. If you reapply this template, these settings are set to the default values. However, the template may overwrite permissions on new files, registry keys, and system services
created by other programs.
This template changes the default file and
registry permissions that are granted to the members of the Users group in a
manner that is consistent with the requirements of most programs that do
not belong to the Windows Logo Program for Software. The Compatible template
also removes all members of the Power Users group.
information about the Windows Logo Program for Software, visit the following
Microsoft Web site:
NOTE: Do not apply the Compatible template to domain
The Secure templates define enhanced security settings
that are least likely to affect program compatibility. For example, the
Secure templates define stronger password, lockout, and audit settings.
Additionally, the templates limit the use of LAN Manager and NTLM
authentication protocols by configuring clients to send only NTLMv2 responses
and by configuring servers to refuse LAN Manager responses.
There are two
predefined Secure templates in Windows Server 2003: Securews.inf for
workstations and Securedc.inf for domain controllers. For additional
information about using these templates and other security templates, search Help and
Support Center for "predefined security templates".
Highly Secure (hisec*.inf)
The Highly Secure templates specify additional
restrictions that are not defined by the Secure templates, such as encryption
levels and signing required for authentication and data exchange over secure
channels and between Server Message Block (SMB) clients and servers.
System root security (Rootsec.inf)
This template specifies the root permissions. By default,
Rootsec.inf defines these permissions for the root of the system drive. You can use this template to reapply the root directory permissions if they are
inadvertently changed, or you can modify the template to apply the same root
permissions to other volumes. As specified, the template does not overwrite
explicit permissions that are defined on child objects; it propagates only the
permissions that are inherited by child objects.
No Terminal Server user SID (Notssid.inf)
You can apply this template to remove Windows Terminal Server
security identifiers (SIDs) from the file system and registry locations when Terminal Services is not
being run. After you do so, system security does not necessarily improve.
For more detailed information about all predefined templates in
Windows Server 2003, search Help and Support Center for "predefined security
Important Implementing a security template on a domain controller may change the settings of the Default Domain Controller Policy or Default Domain Policy. The applied template may overwrite permissions on new files, registry keys and system services created by other programs. Restoring these policies might be required after you apply a security template. Before you follow these steps on a domain controller, create a backup of the SYSVOL share.
Apply a Security Template
Click Start, click Run,
type mmc, and then click OK.
On the File menu, click Add/Remove
In the Available Stand Alone Snap-ins
list, click Security Configuration and Analysis, click
Add, click Close, and then click
In the left pane, click Security Configuration and Analysis and view the
instructions in the right pane.
Right-click Security Configuration and
Analysis, and then click Open Database.
File name box, type the name of the database file, and then
the security template that you want to use, and then click
Open to import the entries that are contained in the template
to the database.
Right-click Security Configuration and
Analysis in the left pane, and then click Configure