Security Templates



Eddie
07-09-2005, 10:51 PM
I have a Windows 2003 native mode domain. I want to use the high security
templates from Microsoft. I have run the security config analyzer, which shows
me some of the changes that I believe will not cause any issues in my domain.
Are there any gotchas I have to look out for? I am looking for some of the
common mistakes that people make deploying these templates.

Faisal [MSFT]
07-09-2005, 10:52 PM
You are asking a huge question; better to review the documentation and check
on the support website. Sec templates, if misconfigured, have huge consequences, so
you should know what you are up to.

Windows 2003 Security templates
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/secmod129.mspx

Eddie
07-09-2005, 10:52 PM
OK, is there a way to back up the current so I can reapply it if for some reason the
new is not working? I ran the security config analyzer so I am confident that
the new template will work fine, but I would like to be safe.

Roger Abell
07-09-2005, 10:52 PM
Policies may be backed up with GPMC.
The way to go about this, however, is to recognize that, as is stated in
the writeups with the templates, these are example templates. That is,
they are not so much intended to be used off-the-shelf but to be used as
a guide to the settings that could be used in the different circumstances.

Since the exact set of policy values that will effect an objective and also
not cause problems is so very dependent on the specifics of the deployed
environment, you must use judgement for each policy.
It is recommended that you use a new GPO, in which you set the policies
you have selected, likely part by part. With all the deltas so isolated
into a separate GPO, rolling back the effect is nearly as simple as unlinking
the GPO, but keep in mind that some things are not reversed in this way.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Salvador Manaois III
07-09-2005, 10:53 PM
Programmatically, you can use secedit to analyze, import/export, configure and
generate rollbacks of security templates. In my case, I normally create a
backup of the existing settings in the security database before applying a
new security template. This ensures that I can always roll back to my previous
settings should I find the new settings unsuitable.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b1007de8-a11a-4d88-9370-25e244560587.mspx

....badz...
mcse/mcsa
smanaois3[at]gmail[dot]com
rants: http://www.rancidroot.blogspot.com
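
The backup-before-apply workflow described in the post above, sketched as a batch file. This is an added example, not part of the original thread; the working directory and template path are hypothetical, and the /generaterollback line uses the Windows Server 2003 syntax (later Windows versions also expect /db on that command).

```bat
@echo off
rem Added example; WORK and TEMPLATE are hypothetical paths, adjust before use.
setlocal
set WORK=C:\secwork
set TEMPLATE=%WORK%\candidate.inf

if /i "%~1"=="prepare"  goto prepare
if /i "%~1"=="apply"    goto apply
if /i "%~1"=="rollback" goto rollback
echo Usage: %~nx0 prepare ^| apply ^| rollback
exit /b 2

:prepare
if not exist "%WORK%" mkdir "%WORK%"
rem Snapshot of the settings currently held in the system security database.
secedit /export /cfg "%WORK%\before.inf" /log "%WORK%\export.log"
if errorlevel 1 goto fail
rem Rollback template: captures the current values of the settings TEMPLATE would change.
secedit /generaterollback /cfg "%TEMPLATE%" /rbk "%WORK%\rollback.inf" /log "%WORK%\rollback-gen.log"
if errorlevel 1 goto fail
rem Dry run: compare this machine against TEMPLATE without changing anything.
secedit /analyze /db "%WORK%\analyze.sdb" /cfg "%TEMPLATE%" /log "%WORK%\analyze.log"
echo Review %WORK%\analyze.log before running "%~nx0 apply".
exit /b 0

:apply
rem Refuse to apply unless the rollback template from "prepare" exists.
if not exist "%WORK%\rollback.inf" (
  echo No rollback template found. Run "%~nx0 prepare" first.
  exit /b 1
)
secedit /configure /db "%WORK%\apply.sdb" /cfg "%TEMPLATE%" /log "%WORK%\apply.log"
if errorlevel 1 goto fail
exit /b 0

:rollback
rem Re-apply the values captured before TEMPLATE was configured.
secedit /configure /db "%WORK%\rollback.sdb" /cfg "%WORK%\rollback.inf" /log "%WORK%\rollback.log"
if errorlevel 1 goto fail
exit /b 0

:fail
echo secedit reported an error. Check the logs in %WORK%.
exit /b 1
```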

