Built-in Security Templates
Microsoft has provided nine built-in security templates to aid in securing your Windows network. All of them have the .inf extension. Here is a brief description of some of these templates and their purpose:
- Securews: strengthens local account policies and is used on workstations.
- Hisecws: stronger than Securews and used on workstations.
- Compatws: allows more legacy applications to work by changing file and registry permissions.
- Setup Security: this template was created when your server or workstation was installed and it captured the security settings at the time of installation. It can be very useful to compare current settings with the default installation security settings.
- DC Security: used to secure a domain controller (DC). You would apply this to a DC to make sure that it has the default security settings for a DC.
- Securedc: templates beginning with "secure" are least likely to impact applications. They enhance security in areas like password complexity, lockout settings and audit settings. The securedc template is designed to do these types of things on a domain controller.
- Hisecdc: the High Secure templates are stronger than the secure templates and provide additional security enhancements, such as authentication and encryption on connections. The hisecdc template does this for domain controllers. If you want to use hisecdc, all domain controllers must be running Windows Server 2000 or 2003.
Some templates are created at system or domain controller installation to provide a baseline of what security was at installation time. These can be very useful as many security administrators were not present when systems were originally installed. Other templates apply to particular applications, like making a server a domain controller, running a server as a terminal server, or the Windows root drive security. These are located in %windir%\Security\Templates and can be viewed as text files.
You can use the Security Configuration and Analysis Tool, along with the templates, to perform these tasks. The use of this tool is discussed later in this section.
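Because the templates are plain text, a short script can show which settings one template changes relative to another, for example a "secure" template against the Setup Security baseline. The following is an added example, not part of the original course notes: the two template bodies are constructed sample data, and the function names parse_template and diff_templates are hypothetical.

```python
import re

# Constructed sample templates; the values are illustrative, not Microsoft's.
BASELINE = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
"""
HARDENED = """\
; constructed "secure"-style template
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
"""

def parse_template(text):
    """Return {section: {key: value}}; lines without '=' (e.g. file ACL entries) are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # drop a byte-order mark if one survived decoding
        if not line or line.startswith(";"):  # blank line or INF comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def diff_templates(baseline, candidate):
    """List (section, key, baseline_value, candidate_value) for each setting that differs."""
    changes = []
    for section in sorted(set(baseline) | set(candidate)):
        old, new = baseline.get(section, {}), candidate.get(section, {})
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):  # None means the setting is absent on that side
                changes.append((section, key, old.get(key), new.get(key)))
    return changes

if __name__ == "__main__":
    for section, key, old, new in diff_templates(parse_template(BASELINE), parse_template(HARDENED)):
        print(f"[{section}] {key}: {old} -> {new}")
```

To run it against real files, read two templates from %windir%\Security\Templates and pass their text to parse_template; these files are often saved as UTF-16, so open them with the matching encoding.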
DF9R 35:: Network Infrastructure 1: Implementation and Management (c) 2009 SQA