Using Windows Security Templates for Baselines
Creating a baseline of security for servers and clients is essential for a secure environment.
- By Derek Melber
As we said in our last article
(Top Six Settings in Windows Security Templates), the security templates are loaded with amazing options for setting security on a computer. So far we've discussed:
- Account Policies
- User Rights
- Event log settings
- Restricted groups
- System Services
- Registry permissions
- File and folder permissions
Before discussing baselines, I want to make sure that my definition and your definition of are in sync. A baseline is the suite of security settings established for the computers in your organization. Think of a security baseline as all of the settings that allow your computer to perform its duties, but nothing more.
As we all know, Microsoft does not ship its operating systems configured to be secure. Microsoft also does not configure the default installation to be secure. Instead, they configure the OSes to be functional, which opens up many security vulnerabilities.
A security baseline consists of the security configurations for all areas of the computer. There will be baselines for the different types of computers, such as clients, domain controllers, file servers, Web servers, and file servers.
The security templates cover many of these areas, but templates are not 100 percent capable of configuring all of your security baseline settings. However, it is a large portion of the security baseline settings and something that can make the configuration of the security on a computer much easier and consistent.
Configuring Security Templates
When considering how to design your security templates for baselines, determine which computers will require different security baselines. For example, it is almost certain that Windows XP Professional computers will have a different security baseline than your Windows Server 2003 domain controllers. Likewise, your human resource department client computers will most likely have different security baselines than the client computers used by your IT staff, even if they are both running Windows XP Professional. From these considerations, you will end up with a list of different security template baselines that you will need to create.
Once you have determined the different security template baselines that you need, you are ready to create them. The best tool for creating the security template baseline is the Security Templates snap-in. Unless the Microsoft Management Console (MMC) has been disabled on your computer, you can access this yourself on your personal computer by following these steps:
Figure 1. Security templates
snap-in showing the default security templates.
- Click the Start button.
- Select the Run menu option.
- Type MMC into the text box and click the OK button.
- Select Console from the Toolbar to get the menu options.
- Select the Add-Remove snap-in menu option.
- Click the Add button.
- Select Security Templates from the Snap-ins list, then click the Add button.
- Click the Close button, then click the OK button.
- Expand the Security Templates node, then expand the C:\Winnt\Security\Templates node to see the list of security templates, as shown in Figure 1.
As you can see, there are already some security templates created for you. You can either start with one of these or create your own. Unless you are fully aware of what is included in the default security templates, it might be a good idea to just create your own security templates.
To create your own security templates, just right-click on the C:\WINNT\Security\Templates node and select New Template. This will create a new security template with a name and description that you specify. Ideally you will want to name the security template so it can easily be determined what its function is by its name. The new security template will be stripped from any configurations. After you have created the new security template, you need to examine each section of the security template configuring the settings to match your security baseline.
One method of streamlining the creation of security templates is to create a matrix of all of the security template baselines. Then, create the security template that consists of the common settings across all security templates. Once this security is created, you can right click on it in the Security Templates snap-in and copy it, then configure the small differences that make up the other templates.
Deploying the Security Templates
Now that you have the baselines established for the different computers and you have each of the security templates configured for each baseline, you are ready to deploy the settings to your computers using one of three methods: manual deployment to each computer, use of a command line tool, or use of Group Policy Objects.
I will initially stress that we are talking about establishing baselines on all of the computers in your environment. So, if you have hundreds or thousands of computers that need to be configured, this option is not efficient. However, I wanted to ensure that you were aware of this option. Here, you will use the Security Configuration and Analysis (SCA) snap-in. Accessing the snap-in is similar to accessing the Security Templates snap-in, except you add the different snap-in into the MMC.
SCA can only work on the computer that you are working at. It can _ t remotely configure the computer with the security template information. To configure the computer with the security template settings, you first need to create a database to hold the security template settings. To do this, just right click on the Security Configuration and Analysis node and select Open Database. This will provide you with an interface to select a name for the database and a security template. Select the security template that corresponds to the server baseline that you desire. After the database is created, you just need to configure the computer. To do this, right click on the SCA node and select the Configure Computer Now option.
Command Line Tools
Figure 2. Typical GPO for
importing a security template.
You can also deploy your security baseline with a command line tool version of the SCA. The tool that you will run is SECEDIT.EXE, which can be run from the command prompt on each computer, but this would be as time consuming as using the SCA itself. Another option is to put the following command in a script and deploy the script to all of the computers. The deployment can be via login scripts, startup scripts, or your management program such as SMS. The command that you will run is:
SECEDIT /configure /db db1.sdb /cfg sectemplatename.inf /log logname.log
This will configure the local computer using a database name of db1.sdb, a security template name of sectemplatename.inf, and a log file of logname.log. All three of these names are variables. (Note: The current directory will be used if no path is specified for each of the three filenames.)
Even though the first two options work, they are not scalable to an entire network. The time and effort involved can negate the benefit of using the security template in the first place.
Instead, you can use GPOs to deploy the security templates. This requires a good Active Directory design, with organizational units (OUs) for each type of computer baseline. After specific OUs are in place, the computer accounts for the target computers need to be located in the correct OU. Then, a GPO needs to be created for each security template and linked to the appropriate OU. Finally, the security template can be deployed.
The steps of creating OUs and moving computer accounts into them should be a task that every administrator is familiar with, and no auditor should be concerned with. As for working with the security template in the GPO, this also falls outside of the bounds of the auditor, but I will add the key steps here to illustrate the simplicity of the task.
To get the security template into the GPO, edit the GPO using either the Active Directory Users and Computers console or the Group Policy Management Console. Once you find the desired GPO in the console, edit the properties of the GPO. You should see an interface similar to Figure 2 when you are editing the GPO and importing a security template.
To get to the menu shown in Figure 2, right click on the Security Settings node. This will open a list; select the required security template. Once the security template is imported, just quit the group policy editor.
The security template will deploy to the target computer in approximately 90 minutes or less. If a domain controller is the target, new settings are installed in under five minutes.
The true benefit to this method is the ease of deployment, the breadth of the target computers, and the persistence. GPOs ensure that the settings are not altered using the local GPO. The GPOs at the OU level will supersede the local GPOs, so even the local administrator cant override these settings.
Security templates can make establishing the baseline on all of your computers simple and easy. Use the GPO method to deploy the security templates and your work will be reduced dramatically.
Additional articles by Derek Melber