Top Six Settings in Windows Security Templates
Understanding what the security templates can provide could be invaluable.
- By Derek Melber
I have long said that it’s impossible to talk about Active Directory or Windows security without also discussing Group Policy objects (GPOs). If you break a GPO down into its sections, you will find one section (under Computer Configuration/Windows Settings/Security Settings) that has plenty of great security configurations. If you take a security template and compare it to this portion of the GPO, you will quickly see that there is a match.
Figures 1 and 2 show you what a typical GPO and security template look like side by side. In Figure 1, you see a typical local GPO and its security settings for a computer. Now, look at Figure 2, which is a full list of the security template. As you can see, there is a direct correlation between the two.
As an auditor, you are quite familiar with many of these settings. So much so that you may be wondering why you have never heard of a security template before. A security template is not just what you see in Figure 2 either. There are some other subfolders and details under each section of the security template, which we take a look at here. Here are the top half-dozen settings within a security template to heed:
Setting #1: Account Policy
The account policy settings control almost every aspect of the user password. This will include the initial creation, changing of the password, and what happens when a password is forgotten. The account policy section is broken down into three different categories:
Password Policy: This configures the password itself, with regard to validity period, length of password, and complexity of the password.
Account Lockout Policy: This configures how the password will react when the user fails to input their correct password multiple times.
Kerberos Policy: This controls the Kerberos ticketing for the domain communication. This is ONLY available for GPOs that are linked to the domain level.
Setting #2: User Rights
User rights control the entire computer being configured, so there is no way to control only an application or service with user rights. User rights are used regularly to provide privileged access to a computer, without providing Administrative access in a domain or local group. Examples of common user rights include: log on locally, back up files and folders, and change the system time.
Setting #3: Event Log
This is a very important addition to the security templates since it can save hours of configuration and frustration. In the past, the only way to configure the event log settings for the security log was to go to each computer that needed to be configured. This required considerable man hours to initially configure each computer. If a change needed to occur to the setting, all computers would need to be configured individually. With this entry in the security template, you can set the log file size and retention method once, and all computers in the domain will receive the setting automatically. If you need to have different-sized files on different computers, it only requires a security template per type of computer!
Setting #4: Restricted Groups
Restricted groups are designed to control the members of a group, either at the domain level or in the local Security Accounts Manager (SAM) of domain members. Restricted groups can be confusing and have strange results. Therefore, it is suggested that you thoroughly test your desired results before you roll them out into production.
Setting #5: System Services
You can control services centrally with security templates and GPOs. Almost every aspect of a service can be configured with a security template—even some settings that you might not have been aware even existed. Here are the options that you can configure for Services from a GPO:
Startup mode: You can configure Automatic, Manual, or Disabled.
Access Control List (ACL): Each service has an ACL, even though you can’t see this from the Service itself. The GPO opens up this option. You can configure users or groups to have access to control (Start, Stop, and Manage, for example) each service.
Setting #6: File and registry permissions
You can configure both the ACL and Security ACL (SACL) for both files and registry keys through the security templates. This gives you ultimate control over every file and registry key, since the interface allows you to browse for the file and key you want to control. You also control how the permissions act with the other subfolders and files and subkeys in the hierarchical structure of the file system or registry. With the ability to configure the SACL, you can now centralize the settings for what will be audited. You have so much control that you can toggle the SACL on and off almost at will and have the computer log when you want it to!
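A security template is stored as a plain-text .inf file, and each of the six settings above corresponds to one or more bracketed sections in it. The following is an added example, not part of the original article: it parses a small constructed template and groups its entries under the six settings. The grouping table, the function names, and every sample value (SIDs, log size, SDDL strings) are assumptions made for illustration.

```python
import re

# Template sections grouped under the article's six settings (grouping chosen for this example).
SETTING_SECTIONS = {
    "Account Policy": ["System Access", "Kerberos Policy"],
    "User Rights": ["Privilege Rights"],
    "Event Log": ["System Log", "Security Log", "Application Log"],
    "Restricted Groups": ["Group Membership"],
    "System Services": ["Service General Setting"],
    "File and registry permissions": ["File Security", "Registry Keys"],
}
STARTUP_MODES = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
# Constructed sample template; SIDs, sizes and SDDL strings are illustrative only.
SAMPLE_TEMPLATE = r'''
[System Access]
MinimumPasswordLength = 8
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Security Log]
MaximumLogSize = 81920
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512
[Service General Setting]
"Spooler",4,"D:(A;;GA;;;BA)"
[File Security]
"%SystemRoot%\security",0,"D:P(A;;GA;;;BA)S:(AU;FA;GA;;;WD)"
'''

def parse_template(text):
    """Return {section: [entries]}; an entry is (key, value) or [name, mode, SDDL]."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif line and not line.startswith(";") and current is not None:
            if line.startswith('"'):  # services, files, registry keys: "name",mode,"SDDL"
                current.append([f.strip('"') for f in line.split(",", 2)])
            else:  # everything else: key = value
                key, _, value = line.partition("=")
                current.append((key.strip(), value.strip()))
    return sections

def group_by_setting(sections):
    """Collect the parsed entries under each of the six settings."""
    return {setting: [e for name in names for e in sections.get(name, [])]
            for setting, names in SETTING_SECTIONS.items()}

def service_startup(sections):  # numeric startup mode -> Automatic/Manual/Disabled
    return {n: STARTUP_MODES.get(m, m) for n, m, _ in sections.get("Service General Setting", [])}
```

The SDDL string on the file entry carries both a `D:` part (the ACL) and an `S:` part (the SACL), which is how a single template line sets permissions and auditing together.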
As you’ve seen, security templates are full of great security settings. These are the settings that all auditors check even during routine audits. This gives you the first phase in understanding security templates. In a future article, we will explain how to use security templates to make the network more secure, security more consistent, and the auditor’s job easier.
Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., an independent consultant and speaker, and the author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek is the author of The Group Policy Resource Kit by MSPress, which is the de facto book on the subject.