Deploying the Templates
As you can see from the Exchange SMTP example, a couple of simple tweaks to
server security can spell disaster for server and application functionality.
Ideally, you should plan for and integrate the templates into your Group Policy
design at an early stage, testing all functionality before going live. After
you've moved an environment into production, implementing the changes required
to deploy these templates becomes very difficult.
Whether you deploy the templates in the early stages of a system's life or after
the system has gone live, you must thoroughly test the GPOs in a lab environment
to ensure that functionality isn't affected.
Because the templates use many additional registry values that are not true
Group Policy settings—and thus can't be reversed by simply unlinking
the policy—you must back up your system (including the system state)
before deploying policies created by using the templates. The \Software\Policies
and \Software\Microsoft\Windows\CurrentVersion\Policies subkeys under HKEY_CURRENT_USER
and HKEY_LOCAL_MACHINE are the only places where true, non-persistent policies
are defined. Figure 1 shows some examples
of TCP/IP parameters that are configured in other areas of the registry. Because
the TCP/IP parameters defined in the template are not located in the areas of
the registry mentioned above, the changes will be persistent and can't be reversed
by removing the GPO.
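As an added example (not from the article or the Security Guide), the following Python script parses the [Registry Values] section of a secedit-style .inf template and sorts each entry into true policy settings (under the two policy subkeys named above, reversed by unlinking the GPO) and persistent settings that will survive removal of the GPO and therefore need a backup first. The template fragment and its entries are constructed for this example; the MACHINE\ hive prefix and the `=type,value` line format are those used by security templates.

```python
# Subkeys (under HKLM or HKCU) that hold true, non-persistent policy.
POLICY_SUBKEYS = (
    r"software\policies",
    r"software\microsoft\windows\currentversion\policies",
)
# Registry type codes used on [Registry Values] lines of .inf templates.
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
# Constructed template fragment (real templates are saved as UTF-16 text).
SAMPLE_TEMPLATE = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect=4,0
MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

def parse_registry_values(template_text):
    """Return (hive, path, reg_type, value) tuples from [Registry Values]."""
    entries, in_section = [], False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, rest = line.partition("=")          # key=type,value
        type_code, _, value = rest.partition(",")
        hive, _, path = key.partition("\\")          # MACHINE\<path>
        entries.append((hive, path, REG_TYPES.get(type_code, type_code), value))
    return entries

def is_true_policy(path):
    """True only for paths at or below one of the policy subkeys."""
    low = path.lower()
    return any(low == p or low.startswith(p + "\\") for p in POLICY_SUBKEYS)

def classify(template_text):
    """Split entries into GPO-reversible and persistent (tattooing) lists."""
    reversible, persistent = [], []
    for hive, path, _rtype, _value in parse_registry_values(template_text):
        (reversible if is_true_policy(path) else persistent).append(hive + "\\" + path)
    return reversible, persistent

if __name__ == "__main__":
    print(classify(SAMPLE_TEMPLATE))  # two reversible, three persistent entries
```

The persistent list is what the system-state backup must cover; the TCP/IP parameters in the sample land there, matching the point made about Figure 1.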
Creating a New GPO
You should always create new GPOs for deploying the Security Guide templates.
Don't import settings into existing policies such as the Default Domain Policy.
Importing settings into an already configured policy (unless you clear the security
database beforehand) will create a confusing combination of settings from the
template and the original policy. For ease of use and management, the policies
should be unique known quantities, as defined in Microsoft's documentation.
You should also retain the original configuration of the Default Domain Policy
in case you need to roll back to the previous configuration.
Before you start to configure the new policy, you need to choose (or create)
a reference machine that has the same general configuration as the machines
to which you want to deploy the policy. For instance, if you want to deploy
a policy to Exchange servers in your organization, the reference machine should
have Exchange installed and all necessary services running.
Let's walk through using the SCW to import template settings into a new GPO
along with recommended System Services start-up settings by using a reference
machine. Before working through the following steps, install the SCW from Add/Remove
Windows Components under the Add/Remove Programs Control Panel applet. You also
need to download the Security Guide (available at http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89B655-521EA6C7B4DB)
and install the guide and its tools.
- Start the SCW from Control Panel, Administration Tools. Click Next on the Welcome screen.
- Select Create a new security policy, and click Next.
- Select the name of the reference machine. Use Browse if the machine you're running SCW on is not the reference machine. I recommend that you run SCW from the reference machine instead of remotely because certain files are required on the local machine if you are configuring IIS security, for example.
- When security database processing is complete, click Next until you reach the Selected Server Roles screen.
- Ensure that the selected server roles are the ones you want the server to perform, and click Next.
- Confirm the installed features and options, and click Next.
- Review additional services, and click Next.
- Decide whether to leave the additional services as is or disable them, and click Next.
- Review the changes that will be made to the start-up type of each service listed, and click Next.
- Skip the configuration of Network Security, Registry Settings, and Audit Policy, and click Next until you reach the Security Policy File Name screen. (Configuring network security is outside the scope of this article, but of course, you should configure it as part of this procedure. Registry Settings and Audit Policy are already configured in the security template, and SCW should not override those settings.)
- Click the Include Security Templates button, and then click Add.
- Browse to the location where you installed the Security Guide templates and select the *.inf file for the role and security level you want to configure—for example, ECMember Server Baseline.inf. Click OK.
- In the Security Policy file name text box, save the new policy file to the root of your C drive (e.g., c:\ec_memberserver) and click Next.
- Select Apply later, click Next, and then click Finish.
To convert the resulting SCW *.xml file into a GPO, open a command prompt and
execute the following command:
    scwcmd transform /p:c:\ec_memberserver.xml /g:"EC - Member Server Baseline"
When the command has completed, you will see the new EC - Member Server
Baseline policy in the Group Policy Management Console (GPMC) under the Group
Policy Objects node for the domain. (Note that there is a bug in GPMC when used
on Windows Server 2003 Release 2. If you use GPMC to view the settings for the
new policy, System Services are not displayed. However, if you view the policy
using Group Policy Editor, you will see that System Services start-up settings
have been defined in the policy.)