5.3 How Do Security Templates Work?

Security templates are INF files that contain security settings. These settings can include certain local policies but can also include things like file auditing settings, file permissions, IPSec configurations, registry permissions, and so forth?pretty much any security-related settings, in fact.

You can use a number of different tools to apply a security template to a computer. For example, Windows 2000 and higher includes Secedit.exe, a command-line tool that can be used to (among other things) apply a security template to a computer, effectively copying the settings in the template into the computer's active configuration. Group Policy can also be used to deploy security templates.

Security templates work a bit like Group Policy, in that you can apply multiple templates to a computer. As with Group Policy, the last template applied to a computer "wins." It's as if several different individuals walked up to a computer, one at a time, and made configuration changes. If the first person set up very restrictive file permissions on a folder, but the second person walked up and configured much more lenient permissions, the effective permissions would be whatever the second person configured. If neither person configured a specific setting, that setting remains unchanged?the default setting for the operating system.

Security templates and Group Policy may seem like two different ways to accomplish the same tasks. They aren't. Security templates configure a wide range of security settings that aren't available directly in a GPO, such as file system ACL settings and direct registry settings. A GPO can, however, contain a security template, making it possible to use Group Policy as a security configuration tool.

Some important security technologies that can be implemented, configured, and enforced with Group Policy include:

IP Security
Encrypting File System
Software Restriction Policy
Certificate autoenrollment
User rights
Auditing
Password policy
Any registry changes, whether they apply to an existing Group Policy setting or not
Local group membership requirements

Security templates can also contain configuration information such as:

File permissions
User desktop settings (some of which are configured with Group Policy settings)
User access to various Windows components such as Control Panel or Command Prompt

Together, these two configuration options allow you to control virtually every aspect of a user's Windows environment. However, all this control can be a bad thing. It's important to understand when to use this solution and when not to. Careful planning and risk assessment must be performed before implementing any of these solutions. You can easily destroy a network by implementing the wrong group policy or security template. More information on planning is provided in Chapter 15.

When I say destroy, I mean destroy. As in having to reinstall or restore from backup all computers on the network. Group Policy is very powerful stuff.

When Can't I Use Group Policy or Security Templates?

Group Policy and security templates are available only on Windows 2000, Windows XP, and Windows Server 2003 computers. As a result, you won't be able to secure computers that run an older operating system by using Group Policy or security templates. That's an important consideration for enterprisewide security planning. For example, simply deploying Windows Server 2003 on all your organization's domain controllers won't provide you with any special client security configuration capabilities if all your client computers run Windows 98 or Windows NT Workstation 4.0. Windows Server 2003's centralized security management technologies work only in conjunction with Microsoft's newer Windows operating systems.