Using security templates
Security templates provide a centralized way to manage security-related settings for workstations and servers. You use security templates to apply customized sets of Group Policy definitions to specific computers. These policy definitions generally affect the following policies:
• Account policies: Control security for passwords, account lockout, and Kerberos security
• Local policies: Control security for auditing, user rights assignment, and other security options
• Event log policies: Control security for event logging
• Restricted groups policies: Control security for local group membership administration
• System services policies: Control security and startup mode for local services
• File system policies: Control security for file and folder paths in the local file system
• Registry policies: Control the permissions on security-related registry keys
NOTE Security templates are available in all Windows Server installations and can be imported into any Group Policy object (GPO). Security templates apply only to the Computer Configuration area of Group Policy. They do not apply to the User Configuration area. In Group Policy, you’ll find applicable settings under Computer Configuration\Windows Settings\Security Settings. Some security settings are not included, such as those that apply to wireless networks, public keys, software restrictions, and IP security.
Working with security templates is a multipart process that involves the following steps:
1. Use the Security Templates snap-in to create a new template, or select an existing template that you want to modify.
2. Use the Security Templates snap-in to make necessary changes to the template settings, and then save the changes.
3. Use the Security Configuration And Analysis snap-in to analyze the differences between the template with which you are working and the current computer security settings.
4. Revise the template as necessary after you review the differences between the template settings and the current computer settings.
5. Use the Security Configuration And Analysis snap-in to apply the template and overwrite existing security settings.
When you first start working with security templates, you should determine whether you can use an existing template as a starting point. Other administrators might have created templates, or your organization might have baseline templates that should be used. You can also create a new template to use as your starting point, as shown in Figure 5–1.
FIGURE 5–1 View and create security templates with the Security Templates snap-in.
TIP If you select a template that you want to use as a starting point, you should go through each setting that the template applies and evaluate how the setting affects your environment. If a setting doesn’t make sense, you should modify it appropriately or delete it.
You should use the Security Configuration And Analysis snap-in to apply templates rather than the Security Templates snap-in. You can also use the Security Configuration And Analysis snap-in to compare the settings in a template to the current settings on a computer. The results of the analysis highlight areas in which the current settings don’t match those in the template. This is useful to determine whether security settings have changed over time.
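The template-versus-computer comparison described in step 3 and in the paragraph above can be sketched in PowerShell. This is an added example, not from the original text and not the snap-in's own logic; the function names and both INF samples are constructed, and it assumes settings stored in the INF text format that security templates are saved in.

```powershell
# Added example: report settings where the computer differs from the template.
# Both INF texts below are constructed samples. On a real computer, the current
# settings could be exported to a file with: secedit /export /cfg current.inf
function ConvertFrom-SecurityInf {
    param([string]$Text)
    $settings = [ordered]@{}
    $section = ''
    foreach ($line in $Text -split '\r?\n') {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }    # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            # Key each value by "Section\Name" so equal names in different sections stay apart
            $settings[('{0}\{1}' -f $section, $Matches[1].Trim())] = $Matches[2].Trim()
        }
    }
    return $settings
}

function Compare-SecurityTemplate {
    param([string]$TemplateText, [string]$CurrentText)
    $template = ConvertFrom-SecurityInf $TemplateText
    $current  = ConvertFrom-SecurityInf $CurrentText
    foreach ($key in $template.Keys) {
        # A setting the template defines but the computer lacks is also a mismatch
        $actual = if ($current.Contains($key)) { $current[$key] } else { '<not defined>' }
        if ($actual -ne $template[$key]) {
            [pscustomobject]@{ Setting = $key; Template = $template[$key]; Current = $actual }
        }
    }
}

$templateInf = @'
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
'@

$currentInf = @'
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
'@

# Lists only the settings that do not match the template
Compare-SecurityTemplate $templateInf $currentInf | Format-Table -AutoSize
```

Running the same comparison on a schedule against a fresh export is one way to see whether security settings have changed over time.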