Windows 2000 ships with a broad selection of security templates. You can use them as they are, or use them as the starting point for your organization’s security templates. You can tighten a normal or standard level template or loosen a secure template. The initial template applied to a computer is called the Local Computer Policy. The Local Computer Policy can be exported to a security template file, to preserve initial system security settings. This enables restoration of the initial security template at any later point. The predefined templates can be customized using the Security Templates MMC snap-in and can be imported into the Security Settings extension of the Group Policy snap-in.

See SecEdit, a command-line utility, for a tool to script the analysis, configuration and validation of security settings using templates. In any case, it is very informative to review the default security templates. These templates can be found in the %systemroot%\security\templates folder. The security templates incrementally modify default Windows 2000 security settings that exist on a clean install. The security templates are:

Template File    Default security for:
basicwk.inf      standard workstation
basicsv.inf      standard server
basicdc.inf      standard domain controller
compatws.inf     compatible workstation or server
notssid.inf      Terminal Services backward compatibility
securews.inf     secure workstation or server
hisecws.inf      high security workstation or server
securedc.inf     secure domain controller
hisecdc.inf      high security domain controller

The procedure to retro-fit Windows 2000 security when upgrading from Windows NT:
/verbose
/verbose

Templates:

Basic
The basic templates can be considered as back outs for changes made by applying one of the more stringent templates. You can reapply the basic template to return to default security settings. User rights and group membership are unaffected by templates. If you upgrade from NT to W2K, you should apply the basic template to get the built-in Users group appropriately restricted. After the basic template is applied, the upgraded PC would have Windows 2000 default security settings.

Compatible
The Compatible configuration liberalizes the default permissions for the Users group so that older apps such as Office 97 are more likely to run. If you do not want to change the default permissions for Users, you will have to use the default Power Users group to achieve equivalent ability to run old apps.

Terminal Services
Needed to allow older programs to run under Terminal Services on a W2K server. The template grants additional permissions to Terminal Services users. Once this template is applied the system has the same default permissions as a standard Windows 2000 server that is running Terminal Services.

Secure
The secure template does not affect permissions but sets tighter parameter settings for account policy, password policy, and audit policy. It also tightens up security-sensitive registry settings. Access control lists are not modified by the secure templates because it is assumed that default W2K security settings are already in effect, and that users are members of the Users group. The Secure template removes all members of the Power Users group to enforce this assumption.

Highly Secure
The highly secure templates are designed for W2K-only environments where down-level clients are not supported. This configuration requires all network communications to be digitally signed and encrypted. The Highly Secure template reduces Power Users to the same access granted to normal users to the file system and registry keys. This template removes the Terminal Server user from all file system and registry ACLs, ensuring that users logging on to Terminal Server environments are subject to the same restrictions as normal users.

The secure and highly secure templates for workstations include a gotcha! After applying the template, authentication is restricted to NTLMv2 and this will cause problems with NT4 domain controllers unless they have had SP4 or later applied. Basically the W2K Pro workstation cannot join an NT domain or, if already part of a domain, it may have problems keeping the workstation trust valid. Either don’t apply the secure templates or upgrade your NT domain controllers to SP4 or later. If you haven’t done this already, you have bigger problems than this issue.

There are real possibilities for getting into security gotcha!s when upgrading a box from NT to W2K. The basic templates should work well although you might lose local restrictions defined as your organization’s standard. Applying stricter templates raises the potential for security settings conflicts between the templates and the legacy settings resulting from the upgrade process.

There was an interesting gotcha! when you use an XP workstation to create W2K templates:
Try to View a Windows XP-based Template in a Windows 2000 Domain
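The two side effects described above for the stricter templates (NTLMv2-only authentication and the emptied Power Users group) can be spotted by reading a template file before it is applied. The following is an added example, not part of the original page: the section and key names in the constructed sample follow the usual security-template INF layout and are assumptions here, as are the function names.

```python
import re

# Constructed sample in security-template INF layout; the values are
# illustrative and are not copied from any shipped template.
SAMPLE_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
[Group Membership]
*S-1-5-32-547__Members =
"""

LM_KEY = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"
POWER_USERS_SID = "*S-1-5-32-547"  # well-known SID of BUILTIN\Power Users

def parse_template(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and INF comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).lower(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def review(text):
    """List settings that match the gotchas described in the text above."""
    t = parse_template(text)
    findings = []
    lm = t.get("registry values", {}).get(LM_KEY)
    if lm is not None:
        level = int(lm.split(",")[1])  # value format is <type>,<data>
        if level >= 3:  # 3 and above: client sends NTLMv2 responses only
            findings.append(f"LmCompatibilityLevel={level}: NTLMv2 only, NT4 DCs need SP4 or later")
    members = t.get("group membership", {}).get(POWER_USERS_SID.lower() + "__members")
    if members == "":  # key present with no members listed
        findings.append("Power Users membership is emptied by this template")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_TEMPLATE)))
```

Running the same review over a template from %systemroot%\security\templates before importing it shows whether either condition applies to the machines it is destined for.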