Tip

Custom network security policy checklist

A well-designed security policy, commonly associated with the gpedit snap-in console, is a powerful tool in your network security arsenal. Using built-in tools found in Windows XP, you can create and enforce your own custom security policy for all of the systems in your network.

To perform a security audit: 
1. From the start menu, select "run". Type "mmc", then click "ok".
2. Select "file", then "add/remove snap-in".
3. Click "add".
4. Select "security configuration and analysis", then click "add".
5. Click "close", then "ok".
6. Right click on "security configuration and analysis" in the left window.
7. Select "open database".
8. Type the name that you would like the database to be called. The name has no effect on the analysis.
9. Select the template that you would like to compare the system against. This may be a custom template or one of the default Windows templates. The default templates are:

    Requires Free Membership to View

  • Compatws.inf – This should only be used if older applications need weaker security settings to access the registry and file system.
  • DC security.inf – This is used to configure security of a computer that was upgraded from Windows NT to Windows 2000/2003.
  • Hisecdc.inf – This is used to increase security and communications with the domain controllers.
  • Hisecws.inf – This is used to increase security and communications for the client computers and member servers.
  • Notssid.inf – Similar to Compatws.inf , this is used to weaken security to allow older applications to run on Windows Terminal Services.
  • Ocfiless.inf – This is for optional components that are installed after the main operating system is installed. This will support services such as Terminal Services and Certificate Services.
  • Securedc.inf – Similar to DC security.inf, but is less restrictive and less secure.
  • Securews.inf – This is used to increase security and communications for the client computers and member servers.
  • Setup security.inf – This resets the security policy to defaults. Can be used to restore the security policy if a change causes problems.


10. Right-click on "security configuration and analysis" in the left window.
11. Select "analyze computer now" to display discrepancies between the template and the current policy. Or, select "configure computer now" to enforce the selected template.
12. Specify the location of the log, click "ok".
13. The left window will display the category, the right window will display the results.

To create a custom security template:
1. From the start menu, select "run". Type "mmc" and click "ok".
2. Select "file", then "add/remove snap-in".
3. Select "add".
4. Select "security configuration and analysis", click "add".
5. Click "close".
6. Click "ok" to close the add/remove snap-in window.
7. Right-click on "security configuration and analysis" in the left window.
8. Select "open database" and type the name that you would like the database to be called. The name has no effect on the policy. Click "open".
9. Select any template to modify.
10. Right-click on "security configuration and analysis" in the left window.
11. Select "analyze computer now".
12. Specify the location of the log, click "ok". This may take a few minutes.
13. The left window will display the category, and the right window will display the specific settings. You can modify the settings for the template here.
14. After all the desired settings have been modified, right-click on "security configuration and analysis", then select "save".
15. Right-click on "security configuration and analysis", then select "export template".
16. Name the template as desired, then click "save".
17. Now you may close the console. You do not need to save the console when prompted.
18. The new template will be located in the Windows directory under Security/Templates.

A security policy is only a portion of an effective security solution, but it should still be carefully considered and aggressively implemented. Following these steps will help you, the administrator, to enforce policies on client machines with no cost and minimal effort.

Chris Cox is a network administrator for the United States Army, based in Fort Irwin, California.
 

This was first published in March 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.