Custom network security policy checklist

A well-designed security policy, commonly associated with the gpedit snap-in console, is a powerful tool in your network security arsenal. Using built-in tools found in Windows XP, you can create and enforce your own custom security policy for all of the systems in your network.

A well-designed security policy, commonly associated with the gpedit snap-in console, is a powerful tool in your

network security arsenal. Using built-in tools found in Windows XP, you can create and enforce your own custom security policy for all of the systems in your network.

To perform a security audit: 
1. From the start menu, select "run". Type "mmc", then click "ok".
2. Select "file", then "add/remove snap-in".
3. Click "add".
4. Select "security configuration and analysis", then click "add".
5. Click "close", then "ok".
6. Right click on "security configuration and analysis" in the left window.
7. Select "open database".
8. Type the name that you would like the database to be called. The name has no effect on the analysis.
9. Select the template that you would like to compare the system against. This may be a custom template or one of the default Windows templates. The default templates are:

  • Compatws.inf – This should only be used if older applications need weaker security settings to access the registry and file system.
  • DC security.inf – This is used to configure security of a computer that was upgraded from Windows NT to Windows 2000/2003.
  • Hisecdc.inf – This is used to increase security and communications with the domain controllers.
  • Hisecws.inf – This is used to increase security and communications for the client computers and member servers.
  • Notssid.inf – Similar to Compatws.inf , this is used to weaken security to allow older applications to run on Windows Terminal Services.
  • Ocfiless.inf – This is for optional components that are installed after the main operating system is installed. This will support services such as Terminal Services and Certificate Services.
  • Securedc.inf – Similar to DC security.inf, but is less restrictive and less secure.
  • Securews.inf – This is used to increase security and communications for the client computers and member servers.
  • Setup security.inf – This resets the security policy to defaults. Can be used to restore the security policy if a change causes problems.


10. Right-click on "security configuration and analysis" in the left window.
11. Select "analyze computer now" to display discrepancies between the template and the current policy. Or, select "configure computer now" to enforce the selected template.
12. Specify the location of the log, click "ok".
13. The left window will display the category, the right window will display the results.

To create a custom security template:
1. From the start menu, select "run". Type "mmc" and click "ok".
2. Select "file", then "add/remove snap-in".
3. Select "add".
4. Select "security configuration and analysis", click "add".
5. Click "close".
6. Click "ok" to close the add/remove snap-in window.
7. Right-click on "security configuration and analysis" in the left window.
8. Select "open database" and type the name that you would like the database to be called. The name has no effect on the policy. Click "open".
9. Select any template to modify.
10. Right-click on "security configuration and analysis" in the left window.
11. Select "analyze computer now".
12. Specify the location of the log, click "ok". This may take a few minutes.
13. The left window will display the category, and the right window will display the specific settings. You can modify the settings for the template here.
14. After all the desired settings have been modified, right-click on "security configuration and analysis", then select "save".
15. Right-click on "security configuration and analysis", then select "export template".
16. Name the template as desired, then click "save".
17. Now you may close the console. You do not need to save the console when prompted.
18. The new template will be located in the Windows directory under Security/Templates.

A security policy is only a portion of an effective security solution, but it should still be carefully considered and aggressively implemented. Following these steps will help you, the administrator, to enforce policies on client machines with no cost and minimal effort.

Chris Cox is a network administrator for the United States Army, based in Fort Irwin, California.
 

This was first published in March 2006

Dig deeper on Network Security Monitoring and Analysis

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close