Security Templates Lecture 7.


Role of Security Templates
- WS 2008 includes another mechanism to deploy security configuration settings: security templates, a collection of configuration settings stored as a text file with the .inf extension
- They consist of policies and settings used to control a computer’s security configuration through local policies or group policies (cf. previous lecture)
- Preconfigured security templates exist to quickly and easily implement security settings on servers and workstations. They can be used as they are or changed according to needs.

Role of Security Templates (cont.)
To configure any of the following types of policies and parameters:
- Account Policies: Enables specification of password restrictions, account lockout policies, and Kerberos policies
- Local Policies: Enables configuring of audit policies, user rights assignments, and security options policies
- Event Log policies: Enables configuration of maximum event log sizes and roll-over policies
- Restricted Groups: Enables specification of users who are permitted to be members of specific groups

Roll-over: renversement

Role of Security Templates (cont.)
- System Services: Enables specification of the startup types and permissions for system services
- Registry Permissions: Enables setting access control permissions for specific registry keys
- File System Permissions: Enables specification of access control permissions for NTFS files and folders

For each role, just go through the list quickly. We will use some during the lab but you do not need to spend too much time but only explain that they exist.

ST Deployment
- Using Active Directory service Group Policy Objects, the Windows Server 2008 Security Configuration And Analysis snap-in, or the Secedit.exe command-line utility
- When you associate a ST with an Active Directory object, the settings in the template become part of the GPO associated with the object.
- You can also apply a ST directly to a computer, in which case the settings in the template become part of the computer’s local policies

This slide is quite important because without association ST won’t apply.

Advantages of ST
- ST are plain text files: easy to work with and modify
- ST make it easy to store security configurations of various types so that you can easily apply different levels of security to computers performing different roles
- Save a ST containing the original settings → simply apply it to the GPO to return to default settings

Here nice because mapping between TYPE and ROLE to be defined for security settings.

Using the Security Templates Snap-in
- By default, the WS 2008 Administrative Tools folder does not include an MMC console with the Security Templates snap-in, so you have to create one yourself using the MMC Add/Remove Snap-in function

Using the Security Templates Snap-in (cont.)
- List of all the template files found by the snap-in in the Windows\Security\Templates folder on the system drive

Using the Security Templates Snap-in (cont.)
- Hierarchical display of the policies in the template as well as their current settings

The contents of a security template

Default Security Templates
- Predefined ST to use or to modify
- Provide different levels of security for servers performing specific roles
- Located in the Windows\Security\Templates folder
- Setup Security.inf: Contains default security settings created by the WS 2003 Setup program. Settings in the ST depend on the nature of the installation (an upgrade or a clean install). Can use this ST to restore the original security configuration to a computer that has been modified

This slide refers to the previous comment that I made about preexisting default STs. Again, the notion of roles appears. From here it is more detailed and I would emphasize and go slowly through the different types of group in the different cases.

Default Security Templates (cont.)
- DC Security.inf: A computer running WS 2008 creates this ST only when promoted to a DC. The ST contains default file system and registry permissions for domain controllers, as well as system service modifications
- Securedc.inf: Contains policy settings that increase security on a DC to a level that remains compatible with most functions and applications: more stringent account policies, enhanced auditing policies and security options, and increased restrictions for anonymous users and LAN Manager systems
- …

DC = Domain Controller
Ask them again about LAN Manager to see if they do remember what has been said…

Deploying Security Templates Using Group Policy Objects
- Creating and modifying ST does not improve security unless you apply those templates
- To configure a large group of computers in a single operation, you can import a ST into the Group Policy Object for a domain, site, or OU object in Active Directory

Deploying Security Templates Using Group Policy Objects (cont.)
- Caution: Configuration parameters imported into the Group Policy Object for a specific container are inherited by all the objects in that container, including other containers
- When creating ST for deployment via GPOs, the best practice is to place computers into OUs according to their roles and create individual security templates for each OU

Again the notion of Role!

The Security Configuration And Analysis Tool
- MMC snap-in to interactively apply a ST to the local computer
- Also provides the ability to analyze the current system security configuration and compare it to a baseline saved as a ST
- Determine if someone changed a computer’s security settings and if the system conforms to your organization’s security policies
- Not by default: must add the snap-in to a console

Explain what a baseline is: it is just taken as the default reference for settings in case something changed in the computer… 2. has already been said.

The Security Configuration And Analysis Tool (cont.)
- The Security Configuration And Analysis snap-in

Secedit Command Line
- Secedit.exe is a command-line utility that can perform the same functions as the Security Configuration And Analysis snap-in
- Advantages of Secedit.exe:
  - Can call it from scripts and batch files, enabling automation of ST deployments
  - Can use it to apply only part of a ST to a computer, something you cannot do with the Security Configuration And Analysis snap-in or with Group Policy Objects

Ask students about what a batch file is, in case...

Secedit Command Line (cont.)
Secedit Options
- Configure: Applies all or part of a security DB to the local computer. You can also configure the program to import a ST into the specified database before applying the DB settings to the computer.
- Analyze: Compares the computer’s current security settings with those in a security DB. You can configure the program to import a ST into the DB before performing the analysis. The program stores the results of the analysis in the DB itself, which you can view later using the Security Configuration And Analysis snap-in.
- Import: Imports all or part of a security template into a specific security database.
- …
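The Import, Analyze and Configure options above, run against a small template in the .inf text format described in the Role of Security Templates slides. This is an added example, not part of the original lecture. The working folder, file names and setting values are constructed for illustration, and an elevated prompt is assumed.

```powershell
# Added example, not from the lecture. Paths, file names and values are constructed.
# Run from an elevated PowerShell prompt on a lab machine: step 4 changes local policy.
$work = Join-Path $env:TEMP 'st-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'baseline.inf'   # the security template (plain text)
$sdb = Join-Path $work 'baseline.sdb'   # the security database secedit works from
$log = Join-Path $work 'secedit.log'

# A minimal template: account policies, one audit policy, one event log policy.
# Single-quoted here-string so that "$CHICAGO$" is written literally.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Security Log]
MaximumLogSize = 131072
'@
Set-Content -Path $inf -Value $template -Encoding Unicode

# 1. Validate: check the template syntax before importing it anywhere.
secedit /validate $inf
if ($LASTEXITCODE -ne 0) { throw "Template failed validation: $inf" }

# 2. Import: load the template into a security database.
#    Nothing on the computer changes at this step.
secedit /import /db $sdb /cfg $inf /overwrite /quiet /log $log

# 3. Analyze: compare the computer's current settings with the database.
#    Results are stored in the database itself; open it in the
#    Security Configuration And Analysis snap-in to see the mismatches.
secedit /analyze /db $sdb /quiet /log $log

# 4. Configure: apply only part of the database to the local computer.
#    /areas SECURITYPOLICY limits the run to account policies, audit policies,
#    security options and related settings; user rights, restricted groups,
#    services, registry and file system permissions are not touched.
secedit /configure /db $sdb /areas SECURITYPOLICY /quiet /log $log
```

The other values accepted by `/areas` are GROUP_MGMT, USER_RIGHTS, REGKEYS, FILESTORE and SERVICES, which correspond to the remaining policy types listed in the Role of Security Templates slides.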
