In a workgroup environment, you may use security templates, Local Group Policy, the Security Configuration and Analysis tool and the secedit command to automate security for a single computer or many computers. This checklist explains how to use the Security Templates and Security Configuration and Analysis snap-ins to automate security configuration and refresh one computer at a time. The next checklist will provide secedit steps to help you automate security for multiple Windows systems. (These tools are available for Windows 2000, Windows XP Professional and Windows Server 2003.)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Checklist: Automate security administration for standalone computers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|  |
|
|
|
|
|
Step 1: Load the Security Templates snap-in in a Microsoft Management Console (MMC) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 |
|
|
|
|
|
To open the MMC, click the Start button, then Run, enter MMC and click OK. Next, from the File menu, select "Add/Remove snap-in", then click Add and select Security Templates |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
from the list. Click Add, then Close and then click OK to open the snap-in in the MMC. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
Step 2: Study security settings to understand what they can do |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The Security Templates snap-in provides a number of templates, each with its own security settings. Each template includes security setting configuration details, including |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
password length, disabled services, event log management and set security for files and registry keys. Spend some time reviewing these options. To understand their meanings, |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
download Microsoft's Threats and Countermeasures, which talks about settings in the Windows server/domain arena. Most of the same settings are available for configuring |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
security on a standalone computer. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
Step 3: Determine which settings should be enabled to fulfill your small business security policy |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
There are many security templates, each with different security settings. Which one is right for you? There is no easy answer. Security should be managed, but the correct choices for |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
one company are not necessarily the correct choices for another. The templates are only meant as samples. You must determine what is best for your organization and create | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
a template that fulfills that policy. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
Step 4: Create your own custom security template and back it up |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Once you know the level of security you wish to apply, create your own template and make sure the settings reflect your decisions. To create a template, go to the Security Templates |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
console you created, right click one of the existing templates and select "Save as". Then enter a name for your template and click "Save". It will be saved to the | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<system root >\security\templates folder by default. Your template should appear in the console. Open the template and change the settings to those desired. Changing settings |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
does not apply the settings. You must complete step 5 and then 6 below in order to do so. To backup your template, save it again after configuring it, copy the file to a CD-ROM or |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
floppy disk and store in a safe place. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
Step 5: Load the Security Configuration and Analysis snap-in |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Using the MMC console you created for Security Templates, from the File menu, add the Security Configuration and Analysis snap-in. Use this tool to apply a Security Template. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
Step 6: Apply your security template to configure security for the computer |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Right click the Security Configuration and Analysis node and select Open Database. Enter a name for the database and then click OK. Select your security template and then click Open. | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This step adds your template to the database. The computer's security configuration is not changed by this step. | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Right click on Security Configuration and Analysis and select "Configure computer now". The settings in the Security Template will be applied to the computer. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
You can copy your template to another computer and use step 5 and 6 to load and apply the template. Make sure you use a template created on Windows XP to update Windows XP, |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
and one created on Windows 2000 to update Windows 2000, and so on. You can also use Security Configuration and Analysis to determine if security settings have been changed. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To do so, use the "analyze" command instead of the "configure" step. To automatically apply security, you'll need to use the secedit command -- the topic of our next checklist. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
I am sick and tired of small business IT professionals complaining that Microsoft needs to provide them tools for automating security in a workgroup -- and I am sick and tired of hearing consultants respond, "Move to a domain and use Group Policy." Both parties need to do their research. Microsoft consultants hear this: Many small businesses can not and will not spend the money to purchase a Windows server license and more hardware so they can create a domain just because you say so. They need solutions for their collection of current computers. Small business owners listen up: Native Microsoft tools already exist to automate security in a workgroup environment.
