Admin Tip #74: Windows 2000 Default Security Policy Templates



Windows 2000 ships with a broad selection of security templates. You can use them as they are, or use them as the starting point for your organization's own security templates: tighten a normal (standard) level template or loosen a secure one. The initial template applied to a computer is called the Local Computer Policy. The Local Computer Policy can be exported to a security template file to preserve the initial system security settings, which lets you restore that initial security template at any later point. The predefined templates can be customized with the Security Templates MMC snap-in and imported into the Security Settings extension of the Group Policy snap-in. SecEdit, a command-line utility, lets you script the analysis, configuration and validation of security settings using templates. In any case, it is very informative to review the default security templates. They are found in the %systemroot%\security\templates folder. The templates incrementally modify the default Windows 2000 security settings that exist on a clean install. The security templates are:

Template File    Default security for:
basicwk.inf      standard workstation
basicsv.inf      standard server
basicdc.inf      standard domain controller
compatws.inf     compatible workstation or server
notssid.inf      Terminal Services backward compatibility
securews.inf     secure workstation or server
hisecws.inf      high security workstation or server
securedc.inf     secure domain controller
hisecdc.inf      high security domain controller

The procedure to retro-fit Windows 2000 security when upgrading from Windows NT:

Templates:

Basic

The basic templates can be considered back-outs for changes made by applying one of the more stringent templates: reapplying the basic template returns the computer to default security settings. User rights and group membership are unaffected by templates. If you upgrade from NT to W2K, apply the basic template to get the built-in Users group appropriately restricted; after the basic template is applied, the upgraded PC has Windows 2000 default security settings.

Compatible

The Compatible configuration liberalizes the default permissions for the Users group so that older applications such as Office 97 are more likely to run. If you do not want to change the default permissions for Users, use the default Power Users group instead to give those users the equivalent ability to run old applications.

Terminal Services

This template is needed to allow older programs to run under Terminal Services on a W2K server; it grants additional permissions to Terminal Services users. Once it is applied, the system has the same default permissions as a standard Windows 2000 server running Terminal Services.

Secure

The secure template does not affect permissions but sets tighter parameters for account policy, password policy, and audit policy. It also tightens security-sensitive registry settings. Access control lists are not modified by the secure templates because it is assumed that default W2K security settings are already in effect and that users are members of the Users group. The Secure template removes all members of the Power Users group to enforce this assumption.

Highly Secure

The highly secure templates are designed for W2K-only environments where down-level clients are not supported. This configuration requires all network communications to be digitally signed and encrypted. The Highly Secure template reduces Power Users to the same access to the file system and registry keys that is granted to normal users. It also removes the Terminal Server user from all file system and registry ACLs, ensuring that users logging on to Terminal Server environments are subject to the same restrictions as normal users.

The secure and highly secure templates for workstations include a gotcha! After applying the template, authentication is restricted to NTLMv2, and this will cause problems with NT4 domain controllers unless they have had SP4 or later applied. Basically, the W2K Pro workstation cannot join an NT domain, or if it is already part of a domain, it may have problems keeping the workstation trust valid. Either don't apply the secure templates or upgrade your NT domain controllers to SP4 or later. If you haven't done this already, you have bigger problems than this issue.
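Reviewing what a stricter template changes relative to a standard one, and spotting the NTLMv2-only setting behind the gotcha above, is easy to script. The following is an added Python example, not part of the original tip or of Windows: it parses the INI-style .inf template format and diffs two templates. The two sample templates are constructed stand-ins (they are not the shipped basicwk.inf or securews.inf), and the LmCompatibilityLevel value encoding ("4,5" meaning REG_DWORD 5) follows the [Registry Values] convention of these files.

```python
from pathlib import Path

LM_KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"

def parse_template(text):
    """Return {section: {key: value}} from INI-style template text; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    return sections

def load_template(path):
    """Shipped templates are usually UTF-16LE with a BOM; hand-edited ones may be ANSI."""
    data = Path(path).read_bytes()
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "cp1252"
    return parse_template(data.decode(enc))

def diff_templates(base, target):
    """(section, key, base_value, target_value) for each setting target changes or adds."""
    return [(s, k, base.get(s, {}).get(k), v)
            for s, keys in target.items() for k, v in keys.items()
            if base.get(s, {}).get(k) != v]

def lm_compatibility_level(template):
    """LmCompatibilityLevel as an int ('4,5' = REG_DWORD 5), or None when the template leaves it alone.
    Level 3 or higher makes the client send only NTLMv2, which pre-SP4 NT4 DCs cannot accept."""
    raw = template.get("Registry Values", {}).get(LM_KEY)
    regtype, _, data = (raw or "").partition(",")
    return int(data) if regtype == "4" else None

# Constructed stand-ins for a standard and a secure template (not the real shipped files).
BASIC = parse_template(r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
""")
SECURE = parse_template(r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
""")
```

Run `diff_templates(load_template(...basicwk.inf), load_template(...securews.inf))` against the real files in %systemroot%\security\templates to see exactly which account, audit and registry settings the secure template tightens.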

There are real possibilities for running into security gotcha!s when upgrading a box from NT to W2K. The basic templates should work well, although you might lose local restrictions defined and used as your organization's standard. Applying stricter templates raises the potential for conflicts between the template settings and the legacy settings left by the upgrade process.

There is an interesting gotcha! when you use an XP workstation to create W2K templates:

  • "Windows Cannot Read Template Information" Error Message When You Try to View a Windows XP-based Template in a Windows 2000 Domain
