Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


July 2007

Safely Deploy Security Templates

The Windows Server 2003 Security Guide gives you some powerful tools—use them wisely
From the July 2007 Edition
of Windows IT Pro
Russell Smith
Feature
InstantDoc #96177
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

In addition to providing valuable guidance for hardening your Windows Server 2003 systems, Microsoft's Windows Server 2003 Security Guide contains a series of security templates that you can apply to servers in your environment according to their role. You can choose from three categories of templates:

  • Legacy Client (LC) for environments still running legacy applications that aren't compatible with standard security settings

  • Enterprise Client (EC) for environments aiming to implement the standard level of security recommended by Microsoft

  • Specialized Security – Limited Functionality (SSLF) for high-security environments in which limited functionality is acceptable

For each template category, the guide provides templates for such roles as Domain Controller, Member Server, File Server, and Web Server. Using the templates, you can quickly comply with Microsoft's best practices on a single server or across a series of servers through Active Directory (AD) and Group Policy (GP).

But isn't Windows Server 2003 secure out of the box? And if so, why would you need to use these security templates?

Windows Server 2003 is indeed more secure than any previous version of Windows Server, but different server roles have varying security requirements. And there's still a huge range of additional security settings that you can configure for your particular needs.

In addition, by using these templates to configure server security, you can control, manage, and enforce your servers' security configuration from a central location—AD. Instead of having different or unknown settings that are manually configured (or not controlled by policy) on every server, you can be sure of the configuration and easily manage it.

Although the templates give you an easy way to comply with Microsoft's best practices and simplify configuration management, deploying the templates can create compatibility problems with other applications and affect functionality. To successfully deploy the templates, you need to plan for them early in the security design stage as well as understand the changes they make to your systems and how to roll them out without affecting functionality. You also need to know how to override the templates to meet your organization's security needs.

Inside the Templates
When you deploy the Security Guide templates, they configure four main areas of security. Those areas are

  • Account Policies (Password, Lockout, Kerberos)

  • Local Policies (Audit, User Rights Assignment, Security Options)

  • Event Log

  • Restricted Groups

Unlike previous versions of the Security Guide, Version 2.1 doesn't include a System Services section for defining services and related security settings. Now, you need to either define the settings for each service manually or use the Security Configuration Wizard (SCW) to create a Group Policy Object (GPO) that is based on combined settings from a security template and the wizard's recommended configuration for services when you run it against a reference machine. You can also use the SCW to add Windows Firewall and IPSec configuration settings to a GPO.

The settings configured under the Account Policies, Event Log, and Restricted Groups sections are relatively straightforward and shouldn't cause many problems as long as you understand how the features work. (You can read an overview of the Security Guide at http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx.) However, User Rights Assignment and Security Options settings under the Local Policies section can cause functionality problems in your environment if you don't plan for them carefully.

For example, deploying the EC – Member Server security template to a member server running Exchange Server 2003 could limit or break your Exchange Server functionality. If Exchange SMTP is configured to accept connections using Windows Integrated Authentication from a server in another Exchange organization, the EC – Member Server security template will prevent SMTP communication between the two servers. The SMTP queue will begin to fill up, and your email won't go anywhere.

Windows Integrated Authentication for Exchange SMTP relies on legacy NTLM authentication, and at the root of the problem are the NTLM settings configured in the EC – Member Server template. Table 1 describes the NTLM configuration before and after the template is deployed. As you can see, in an environment where the EC security templates have not been deployed, there are no special requirements for NTLM session security. However, the EC security templates configure the maximum security requirements, causing Windows Integrated Authentication on Exchange SMTP connectors to fail.

However, as we'll see in a moment, you can override the templates' security policies for particular servers to maintain needed functionality.

   Previous  [1]  2  3  Next 


Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

More fun TechEd 2005 Resources

Kevin points out some more TechEd resources ...

WinInfo Short Takes: Week of October 13, 2008

An often irreverent look at some of the week's other news... ...
Active Directory (AD) Whitepapers Sustainable Compliance: How to reconnect compliance, security and business goals

User Provisioning and Access Control

Managing Unix/Linux with Microsoft System Center Operations Manager 2007 Cross Platform Extensions Beta
Related Events Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

Microsoft Exchange & Windows Connections event returns to Las Vegas Nov 10 - 13
Connections returns to Las Vegas for this exciting event where each attendee will receive SQL Server 2008 standard with 1 CAL. Co-located with Microsoft ASP.NET, SQL Server, and SharePoint Connections with over 250 in-depth sessions.

Free Online Event! Virtualization:Get the Facts!
Register now and attend this free, live in-depth online conference on November 13 and 20, 2008, produced by Windows IT Pro. All registrants are eligible to receive a complimentary one-year digital subscription to Windows IT Pro (a $49.95 value)!

Check Out Hyper-V Video on ITTV
Watch Karen Forster's interview on Hyper-V's performance on ITTV.net.

Ease Your Scripting Pains with the Flexibility of PowerShell!
Join MVP Paul Robichaux on December 11, 2008 at 11:00 AM EDT as he equips you with PowerShell basics in 3 introductory lessons, each followed by a live Q&A session—all on your own computer!

Latest Advancements in SSL Technology
There are a variety of different kinds of SSL to explore to ensure customer data is kept confidential and secure. In this paper, we will discuss some of these SSL advances to help you decide which would be best for your organization.

PASS Community Summit 2008 in Seattle on Nov 18-21
The don’t-miss event for Microsoft SQL Server Professionals. Register now and you’ll enjoy top-notch Microsoft and Community speakers and more.



Solving PST Management Problems
In this white paper, read about the top PST issues and how to administer local/network PST Files.

Get Protected -- Data Protection Manager 2007
Protect your virtualized environment with Data Protection Manager

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

Maximize Your SharePoint Investment: Get Your Data Moving
Watch this web seminar now to learn how to maximize your SharePoint investment! Join us as we take a look at the complex business of securing, accessing and managing vast amounts of information in a global network and various ways to get your data moving.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing