Windows 2000 Default Security Policy Templates


Windows 2000 ships with a broad selection of security
templates. You can use them as they are, or use them as the starting point for
your organization’s security templates. You can tighten a normal or standard
level template or loosen a secure template. The initial template applied to a
computer is called the Local Computer Policy. The Local Computer Policy can be
exported to a security template file, to preserve initial system security
settings. This enables restoration of the initial security template at any later
point. The predefined templates can be customized using the Security Templates mmc snap-in and can be imported into the
Security Settings extension of the Group Policy snap-in.
See SecEdit, a commandline utility, for a tool to
script the analysis, configuration and validation of security settings using
templates. In any case, it is very informative to review the default security
templates. These templates can be found in the %systemroot%\security\templates folder. The security
templates incrementally modify default Windows 2000 security settings that exist
on a clean install. The security templates are:


































Template File


Default security for:

basicwk.infstandard workstation
basicsv.infstandard server
basicdc.infstandard domain controller
compatws.infcompatible workstation or server
notssid.infTerminal Services backward compatibility
securews.infsecure workstation or server
hisecws.infhigh security workstation or server
securedc.infsecure domain controller
hisecdc.infhigh security domain
controller

The procedure to retro-fit Windows 2000 security when
upgrading from Windows NT:


  • Server :

    • Convert partitions to NTFS
    • cd %windir%\security\templates
    • secedit /configure /cfg basicsv.inf /db basicsv.sdb /log basicsv.log
      /verbose

  • Workstation :

    • Convert partitions to NTFS
    • cd %windir%\security\templates
    • secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log
      /verbose


Templates:

Basic

The basic templates can be considered as back outs
for changes made by applying one of the more stringent templates. You can
reapply the basic template to return to default security settings. User rights
and group membership are unaffected by templates. If you upgrade from NT to W2K,
one should apply to get the built-in Users group appropriately restricted. The
upgraded PC after the basic template is applied, would have Windows 2000 default
security settings.

Compatible

The Compatible configuration liberalizes the default
permissions for the Users group so that older apps such as Office 97 are more
likely to run. If you do not want to change the default permissions for Users,
you will have to use the default Power Users group to achieve equivalent ability
to run old apps.


Terminal Services

Needed to allow older programs to run under Terminal
Services on a W2K server. The template grants additional permissions to Terminal
Services users. Once this template is applied the system has the same default
permissions as a standard Windows 2000 server that is running Terminal
Services.


Secure

The secure template does not effect permissions but
sets tighter parameter setttings for account policy, password policy, and audit
policy. It also tightens up security sensitive registry setting. Access control
lists are not modified by the secure templates because it is assumed that
default W2K security settings are already in effect, and that users are members
of the Users group. The Secure template removes all members of the Power Users
group to enforce this assumption.


Highly Secure

The highly secure templates are designed for W2K only
environments where down-level clients are not supported. This configuration
requires all network communications to be digitally signed and encrypted. The
Highly Secured template reduces Power Users the same access granted to normal
users to the file system and registry keys. This template removes the Terminal
Server user from all file system and registry ACLs ensuring that users logging
on to Terminal Server environments are subject to the same restrictions as
normal users.


The secure and highly secure templates for workstations include a gotcha!.
After applying the template, authenication is restricted to NTLMv2 and this will
cause problems with NT4 domain controllers unless they have had SP4 or later
applied. Basically the W2K Pro workstation can not join an NT domain or if
already part of a domain, it may have problems keeping the workstation trust
valid. Either don’t apply the secure templates or upgrade your NT domain
controllers to SP4 or later. If you haven’t done this already, you have bigger
problems than this issue.

There are real possiblities for getting into security gotcha!s when upgrading
a box from NT to W2K. The basic templates should work well although you might
lose local restrictions defined used as your organization’s standard. Applying
more strict templates raise the potential for security settings conflicts
between the templates and the legacy settings resulting from the upgrade
process.

There was an interesting gotcha! when you use XP workstation to create W2K
templates :

  • “Windows Cannot Read Template Information” Error Message When You
    Try to View a Windows XP-based Template in a Windows 2000 Domain

    Related Tips:


  • Leave a Comment

    Your email address will not be published.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Scroll to Top