Admin Tip #74: Windows 2000 Default Security Policy Templates
Template File | Default security for:
basicwk.inf | standard workstation |
basicsv.inf | standard server |
basicdc.inf | standard domain controller |
compatws.inf | compatible workstation or server |
notssid.inf | Terminal Services backward compatibility |
securews.inf | secure workstation or server |
hisecws.inf | high security workstation or server |
securedc.inf | secure domain controller |
hisecdc.inf | high security domain controller |
The procedure to retrofit Windows 2000 security when upgrading from Windows NT:
Templates:
Basic
The basic templates can be considered back-outs for changes made by applying one of the more stringent templates: reapply the basic template to return to the default security settings. User rights and group membership are unaffected by templates. If you upgrade from NT to W2K, apply the basic template to get the built-in Users group appropriately restricted. After the basic template is applied, the upgraded PC has Windows 2000 default security settings.
Compatible
The Compatible configuration liberalizes the default permissions for the Users group so that older apps such as Office 97 are more likely to run. If you do not want to change the default permissions for Users, you will have to use the default Power Users group instead to get an equivalent ability to run old apps.
Terminal Services
This template is needed to allow older programs to run under Terminal Services on a W2K server. It grants additional permissions to Terminal Services users. Once this template is applied, the system has the same default permissions as a standard Windows 2000 server that is running Terminal Services.
Secure
The secure template does not affect permissions but sets tighter parameters for account policy, password policy, and audit policy. It also tightens security-sensitive registry settings. Access control lists are not modified by the secure templates because it is assumed that default W2K security settings are already in effect and that users are members of the Users group. The Secure template removes all members of the Power Users group to enforce this assumption.
Highly Secure
The highly secure templates are designed for W2K-only environments where down-level clients are not supported. This configuration requires all network communications to be digitally signed and encrypted. The Highly Secure template reduces Power Users to the same access to the file system and registry keys that is granted to normal users. It also removes the Terminal Server user from all file system and registry ACLs, ensuring that users logging on to Terminal Server environments are subject to the same restrictions as normal users.
The secure and highly secure templates for workstations include a gotcha!. After applying the template, authentication is restricted to NTLMv2, and this will cause problems with NT4 domain controllers unless they have had SP4 or later applied. Basically, the W2K Pro workstation cannot join an NT domain or, if already part of a domain, it may have problems keeping the workstation trust valid. Either don't apply the secure templates or upgrade your NT domain controllers to SP4 or later. If you haven't done this already, you have bigger problems than this issue.
There are real possibilities for getting into security gotcha!s when upgrading a box from NT to W2K. The basic templates should work well, although you might lose local restrictions defined as your organization's standard. Applying stricter templates raises the potential for conflicts between the template's security settings and the legacy settings left behind by the upgrade process.
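Both the NTLMv2 gotcha and the template-versus-legacy conflicts above can be caught before a template is applied by reading the .inf file and diffing it against the baseline you are replacing. The following Python script is an added example, not code from the original tip or from Microsoft: it parses the INI-style template format, reports every setting that changes between two templates, and warns when the new template pins LmCompatibilityLevel at 3 or higher (NTLMv2 responses only). The two templates embedded in it are constructed samples that imitate the layout of the files under %SystemRoot%\Security\Templates; their values are illustrative and are not copied from basicwk.inf or securews.inf, and the function and constant names are the example's own.

```python
"""Pre-flight check for a Windows 2000 security template (.inf).

Added example, not code from the original tip. It parses the INI-style
template format, diffs two templates section by section, and flags the
NTLMv2-only authentication setting that breaks trust with NT4 domain
controllers older than SP4. Both embedded templates are CONSTRUCTED
samples imitating the layout of the files under %SystemRoot%\\Security\\Templates;
their values are illustrative, not copied from basicwk.inf or securews.inf.
"""
import configparser
from typing import Dict, Optional, Tuple

Template = Dict[str, Dict[str, str]]

# [Registry Values] lines have the form  <registry path>=<REG type code>,<value>
REG_DWORD = "4"
LSA_LMCOMPAT = r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"

# Constructed stand-in for a "basic" template: W2K defaults, LM/NTLM still allowed.
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed stand-in for a "secure" template: tighter account policy and
# LmCompatibilityLevel=5 (send NTLMv2 only; refuse LM and NTLM).
SECURE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text: str) -> Template:
    """Parse .inf text into {section: {key: value}}; keys keep their case."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep registry paths verbatim instead of lower-casing them
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def load_template(path: str, encoding: str = "utf-16") -> Template:
    """Read a template from disk. Assumption: the shipped templates are stored as
    Unicode text (they carry a [Unicode] section); pass encoding="cp1252" for an
    ANSI-saved copy."""
    with open(path, encoding=encoding) as fh:
        return parse_template(fh.read())


def diff_templates(old: Template, new: Template) -> Dict[str, Dict[str, Tuple[Optional[str], Optional[str]]]]:
    """Settings whose value differs: {section: {key: (old, new)}}; None = absent."""
    changes: Dict[str, Dict[str, Tuple[Optional[str], Optional[str]]]] = {}
    for section in sorted(set(old) | set(new)):
        before, after = old.get(section, {}), new.get(section, {})
        for key in sorted(set(before) | set(after)):
            if before.get(key) != after.get(key):
                changes.setdefault(section, {})[key] = (before.get(key), after.get(key))
    return changes


def ntlmv2_only(template: Template) -> bool:
    """True when the template pins LmCompatibilityLevel at 3 or above, i.e. the
    machine will send only NTLMv2 responses. NT4 domain controllers need SP4 or
    later to accept that, which is the gotcha described in the tip."""
    entry = template.get("Registry Values", {}).get(LSA_LMCOMPAT)
    if entry is None:
        return False
    reg_type, _, value = entry.partition(",")
    return reg_type == REG_DWORD and value.strip().isdigit() and int(value) >= 3


def report(old: Template, new: Template) -> str:
    """Human-readable summary of what applying `new` over `old` changes."""
    lines = []
    for section, keys in diff_templates(old, new).items():
        lines.append(f"[{section}]")
        for key, (before, after) in keys.items():
            lines.append(f"  {key}: {before!r} -> {after!r}")
    if ntlmv2_only(new) and not ntlmv2_only(old):
        lines.append("WARNING: template restricts authentication to NTLMv2; "
                     "NT4 domain controllers must be at SP4 or later before applying it.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_template(BASELINE_INF), parse_template(SECURE_INF)))
```

Run it as-is to see the diff between the two constructed samples, or point `load_template` at the real basicwk.inf and securews.inf on a workstation and pass those to `report` to see what the secure template will actually change on that box before you apply it.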
There was an interesting gotcha! when you use an XP workstation to create W2K templates: