Built-in Security Templates
Microsoft has provided nine built-in security templates to aid in securing your Windows network. All of them have the .inf extension. Here is a brief description of some of these templates and their purpose:
- Securews: strengthens local account policies and is used on workstations.
- Hisecws: stronger than Securews and used on workstations.
- Compatws: allows more legacy applications to work by changing file and registry permissions.
- Setup Security: this template was created when your server or workstation was installed and it captured the security settings at the time of installation. It can be very useful to compare current settings with the default installation security settings.
- DC Security: used to secure a domain controller (DC). You would apply this to a DC to make sure that it has the default security settings for a DC.
- Securedc: templates beginning with "secure" are least likely to impact applications. They enhance security in areas like password complexity, lockout settings and audit settings. The securedc template is designed to do these types of things on a domain controller.
- Hisecdc: the High Secure templates are stronger than the secure templates and provide additional security enhancements, such as authentication and encryption on connections. The hisecdc template does this for domain controllers. If you want to use hisecdc, all domain controllers must be running Windows Server 2000 or 2003.
Some templates are created at system or domain controller installation to provide a baseline of what security was at installation time. These can be very useful as many security administrators were not present when systems were originally installed. Other templates apply to particular applications, like making a server a domain controller, running a server as a terminal server, or the Windows root drive security. These are located in %windir%\Security\Templates and can be viewed as text files.
You can use the Security Configuration and Analysis Tool, along with the templates, to perform these tasks. The use of this tool is discussed later in this section.