Security Templates Lecture 7.


1 Security Templates Lecture 7

2 Role of Security Templates
- WS 2008 includes another mechanism for deploying security configuration settings: security templates. A security template is a collection of configuration settings stored as a text file with the .inf extension.
- Templates consist of policies and settings used to control a computer's security configuration through local policies or group policies (cf. previous lecture).
- Preconfigured security templates exist to implement security settings on servers and workstations quickly and easily. They can be used as they are or changed according to needs.

3 Role of Security Templates (cont.)
Security templates can configure any of the following types of policies and parameters:
- Account Policies: enables specification of password restrictions, account lockout policies, and Kerberos policies
- Local Policies: enables configuring of audit policies, user rights assignments, and security options policies
- Event Log policies: enables configuration of maximum event log sizes and roll-over policies
- Restricted Groups: enables specification of users who are permitted to be members of specific groups
Speaker notes: "roll-over" is "renversement" in French.

4 Role of Security Templates (cont.)
- System Services: enables specification of the startup types and permissions for system services
- Registry Permissions: enables setting access control permissions for specific registry keys
- File System Permissions: enables specification of access control permissions for NTFS files and folders
Speaker notes: For each role, just go through the list quickly. We will use some during the lab, but you do not need to spend too much time; only explain that they exist.

5 ST Deployment
- Using Active Directory service Group Policy Objects, the Windows Server 2008 Security Configuration And Analysis snap-in, or the Secedit.exe command-line utility
- When you associate a ST with an Active Directory object, the settings in the template become part of the GPO associated with the object.
- You can also apply a ST directly to a computer, in which case the settings in the template become part of the computer's local policies.
Speaker notes: This slide is quite important because without association the ST won't apply.

6 Advantages of ST
- ST are plain text files: easy to work with and modify
- ST make it easy to store security configurations of various types, so that you can easily apply different levels of security to computers performing different roles
- Save a ST containing the original settings → simply apply it to the GPO to return to the default settings
Speaker notes: Nice here because the mapping between TYPE and ROLE is to be defined for security settings.

7 Using the Security Templates Snap-in
By default, the WS 2008 Administrative Tools folder does not include an MMC console with the Security Templates snap-in, so you have to create one yourself using the MMC Add/Remove Snap-in function.

8 Using the Security Templates Snap-in (cont.)
The snap-in lists all the template files it finds in the Windows\Security\Templates folder on the system drive.

9 Using the Security Templates Snap-in (cont.)
The contents of a security template: a hierarchical display of the policies in the template as well as their current settings.

10 Default Security Templates
- Predefined ST to use or to modify
- Provide different levels of security for servers performing specific roles
- Located in the Windows\Security\Templates folder
- Setup Security.inf: contains the default security settings created by the WS 2003 Setup program. The settings in the ST depend on the nature of the installation (an upgrade or a clean install). You can use this ST to restore the original security configuration of a computer that has been modified.
Speaker notes: This slide refers to the previous comment that I made about preexisting default STs. Again, the notion of roles appears. From here it is more detailed, and I would emphasize and go slowly through the different types of group in the different cases.

11 Default Security Templates (cont.)
- DC Security.inf: a computer running WS 2008 creates this ST only when it is promoted to a DC. The ST contains default file system and registry permissions for domain controllers, as well as system service modifications.
- Securedc.inf: contains policy settings that increase security on a DC to a level that remains compatible with most functions and applications: more stringent account policies, enhanced auditing policies and security options, and increased restrictions for anonymous users and LAN Manager systems.
DC = Domain Controller
Speaker notes: Ask them again about LAN Manager to see if they remember what has been said…

12 Deploying Security Templates Using Group Policy Objects
- Creating and modifying ST does not improve security unless you apply those templates.
- To configure a large group of computers in a single operation, you can import a ST into the Group Policy Object for a domain, site, or OU object in Active Directory.

13 Deploying Security Templates Using Group Policy Objects (cont.)
- Caution: configuration parameters imported into the Group Policy Object for a specific container are inherited by all the objects in that container, including other containers.
- When creating ST for deployment via GPOs, the best practice is to place computers into OUs according to their roles and create individual security templates for each OU.
Speaker notes: Again the notion of Role!

14 The Security Configuration And Analysis Tool
- MMC snap-in to interactively apply a ST to the local computer
- Also provides the ability to analyze the current system security configuration and compare it to a baseline saved as a ST
- Determine whether someone changed a computer's security settings and whether the system conforms to your organization's security policies
- Not available by default: you must add the snap-in to a console
Speaker notes: Explain what a baseline is: it is just taken as the default reference for settings in case something changed on the computer… 2. has already been said.
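The baseline comparison described on this slide can be illustrated on the template text itself. This is an added example, not part of the original lecture and not how the snap-in works internally; the function names ConvertFrom-SecurityTemplate and Compare-SecurityTemplate are hypothetical, and both templates are constructed samples.

```powershell
# Constructed sample templates (not from the lecture): a baseline and a
# current-state export such as "secedit /export /cfg current.inf" produces.
$baselineInf = @'
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
'@
$currentInf = @'
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 0
'@
# Hypothetical helper: flatten a template into "Section\Setting" -> value pairs.
function ConvertFrom-SecurityTemplate {
    param([string]$Text)
    $settings = @{}
    $section = ''
    foreach ($line in ($Text -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+)=(.*)$') {
            $settings["$section\$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Hypothetical helper: report every baseline setting whose current value
# differs from the baseline or is not defined at all.
function Compare-SecurityTemplate {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $actual = if ($Current.ContainsKey($key)) { $Current[$key] } else { '<not defined>' }
        if ($actual -ne $Baseline[$key]) {
            [pscustomobject]@{ Setting = $key; Baseline = $Baseline[$key]; Current = $actual }
        }
    }
}

Compare-SecurityTemplate (ConvertFrom-SecurityTemplate $baselineInf) (ConvertFrom-SecurityTemplate $currentInf)
```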

15 The Security Configuration And Analysis Tool (cont.)
The Security Configuration And Analysis snap-in

16 Secedit Command Line
- Secedit.exe is a command-line utility that can perform the same functions as the Security Configuration And Analysis snap-in
- Advantages of Secedit.exe:
  - Can call it from scripts and batch files, enabling automation of ST deployments
  - Can use it to apply only part of a ST to a computer, something you cannot do with the Security Configuration And Analysis snap-in or with Group Policy Objects
Speaker notes: Ask students about what a batch file is, in case...

17 Secedit Command Line (cont.)
Secedit Options
- Configure: applies all or part of a security DB to the local computer. You can also configure the program to import a ST into the specified database before applying the DB settings to the computer.
- Analyze: compares the computer's current security settings with those in a security DB. You can configure the program to import a ST into the DB before performing the analysis. The program stores the results of the analysis in the DB itself, which you can view later using the Security Configuration And Analysis snap-in.
- Import: imports all or part of a security template into a specific security database.
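The three options above, chained in a script, as an added example that is not part of the original lecture. The paths under C:\Baselines and the helper name Invoke-Secedit are assumptions; the script is meant to be run from an elevated prompt.

```powershell
# Assumed paths (hypothetical): a role-specific template, the security
# database that /import creates from it, and a log file.
$template = 'C:\Baselines\webserver.inf'
$db       = 'C:\Baselines\webserver.sdb'
$log      = 'C:\Baselines\webserver.log'

# Hypothetical helper: run secedit.exe and flag a non-zero exit code.
function Invoke-Secedit {
    param([string[]]$Arguments)
    & secedit.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "secedit $($Arguments[0]) exited with code $LASTEXITCODE; see $log"
    }
}

# Import: load the template into the database, replacing earlier contents.
Invoke-Secedit '/import', '/db', $db, '/cfg', $template, '/overwrite', '/quiet'

# Analyze: compare the computer's current settings with the database.
# The results are stored in the database and can be reviewed later in the
# Security Configuration And Analysis snap-in.
Invoke-Secedit '/analyze', '/db', $db, '/log', $log, '/quiet'

# Configure: apply only part of the database, here the account/local
# policy settings and user rights, leaving services, registry and file
# system permissions untouched.
Invoke-Secedit '/configure', '/db', $db, '/areas', 'SECURITYPOLICY', 'USER_RIGHTS', '/log', $log, '/quiet'
```

Reviewing the analysis results before the configure step keeps an unexpected template change from being applied blindly.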


