Security Templates
One of the great benefits of Windows 2000 domains is the ability to centrally
control enterprise computing environments with Group Policy. Group Policies
allow administrators to configure computer settings and user rights and
permissions with extremely granular controls. Windows also allows you to
standardize security configurations on computers by applying security
templates. In this lab, you will create a new organizational unit (OU) and
create a new group policy object (GPO) for this new OU. You will then edit a
security template provided by the U.S. National Security Agency (NSA) and
import this template into the GPO. This will significantly harden the security
posture of computers assigned to this OU.
[Network diagram: Patton and IKE (10.0.2.7, 10.0.2.4) on the 10.0.0.0/16 network; VTE-Launchpad (10.0.254.254); Internet]
2. A Windows 2000 (W2K) member server that is used for file and print
services. Domain group policy and security templates will be applied
1 Remotely access the W2K domain controller via the Remote Desktop
Connection (RDC)
Windows 2000 domains allow for the creation of OUs that enable more
granular application of security policies by placing users and/or computers
into isolated containers. A new OU will be created for Windows 2000 Member
Servers.
1. Click Start > Programs > Administrative Tools > Active Directory Users
and Computers. There is also a shortcut to this MMC on the desktop of
IKE.
2. Right click on the aia.class domain and select New > Organizational Unit
1. From within Active Directory Users and Computers, click on the
‘Computers’ folder. In the right pane, right click on the computer named
Patton, select ‘Move’ and then select the ‘Member Servers’ OU.
2. Click ‘OK’ to commit the move.
Note: Group Policy Objects created via this method (from within the
Active Directory Users and Computers MMC) are automatically linked to
the parent container. This means that the GPO will be applied to
whatever objects are inside the container (in this case, the Member Servers
OU) when the domain policies are refreshed. This is done at periodic
scheduled intervals and upon log in to the domain.
4 Security Templates
1. Click on the Start button and select ‘Run’. Type MMC and click ‘OK’.
2. From within the Microsoft Management Console, Click ‘Console’ and select
‘Add/Remove Snap-In’. Click the ‘Add’ button and then scroll down and
select the ‘Security Templates Snap-In’ and then click ‘Add’. Click ‘Close’
and then click ‘OK’.
3. Expand the Security Templates icon by clicking the + sign. Now right
click on Security Templates and then select ‘New Template Search Path’
(see figure 4).
4. Now browse to C:\NSA Templates and click ‘OK’ (see figures 4 and 5).
Now you will edit the w2k_server template so that unnecessary services will
be disabled and the local administrator account will be renamed. You will
also configure logon warning banner messages. Note: In normal production
environments, care should be taken when disabling services, and thorough
testing should be conducted prior to implementation.
1. Double click the C:\NSA Templates folder, then double click on the
w2k_server template and in the right pane, double click on ‘System
Services’ folder.
Note: The above table represents only some of the services that can
be locked down in most production environments. There are other
services that are important to secure, however they are generally
more environment specific. When implementing this configuration in
production, you should review all services and minimize any that are
not appropriate for your environment, but again test thoroughly first.
3. Select the ‘Everyone’ group and then click ‘Remove’. Now click the ‘Add’
button and add the ‘Administrators’, ‘System’, and ‘Authenticated Users’
Groups to the ACL. Ensure that you apply the appropriate permissions to
each group (see note above). Click ‘OK’ twice.
Now you will configure the security template to rename the local
administrator account on all of the member servers in the OU. This is
done to obscure the name of this built-in privileged account and supports
the defense-in-depth goal.
5. Click on the ‘Local Policies’ icon from within the Security Templates MMC
and then double click the ‘Security Options’ icon in the right-hand pane.
6. Click on the ‘Rename Administrator Account Policy’, click the ‘Define this
policy in the template’ check box and type ‘acarnegie’ in the box. Click
‘OK’.
Finally, you are going to add log on banners to all Windows boxes in the AIA
domain. Banners can be set to anything from legal disclaimers, to
appropriate use reminders, to daily greetings. Each time a user attempts to
log on, they will see this message banner.
8. When the template policy window opens, check ‘Define this policy setting
in the template’ and in the text field, enter: ‘Warning! This computer is
for official use only!’ and Click ‘OK’.
9. Double-click ‘Message title for users attempting to log on’. Check ‘Define
this policy setting in the template’ and in the text field, enter: ‘Log on
Warning!’ and Click ‘OK’.
10. Now right click on the ‘w2k_server’ template file and select ‘Save As’.
Type w2k_server_edited in the box and click ‘Save’ and then close the
Security Templates MMC. Click ‘NO’ if you get a ‘Save Console Settings’
message.
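Before importing the saved template into the GPO, it is worth confirming that the .inf file actually carries the settings you intended. The following Python script is an added example, not part of this lab or of the NSA templates: it parses a constructed template fragment in the same .inf format (the [System Access], [Registry Values] and [Service General Setting] sections) and reports the administrator rename, the logon banner values and the services set to Disabled; "ExampleService" and its SDDL string are placeholders, since the lab's service table is not reproduced on this page.

```python
import csv

# Constructed fragment of a Windows 2000 security template (.inf) carrying the
# settings this lab edits into w2k_server_edited. It is not the NSA template;
# "ExampleService" is a placeholder because the lab's service table is absent.
SAMPLE_TEMPLATE = r'''
[System Access]
NewAdministratorName = "acarnegie"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Log on Warning!"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,"Warning! This computer is for official use only!"
[Service General Setting]
"ExampleService",4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
'''

def parse_template(text):
    # {section: [(key, value)]}; service entries have no '=' and keep value None
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip() if sep else None))
    return sections

def unquote(s):
    return s.strip().strip('"')

def registry_value(sections, value_name):
    # [Registry Values] lines are MACHINE\...\Name=<type>,<data>; type 1 = REG_SZ
    for key, value in sections.get("Registry Values", []):
        if key.rsplit("\\", 1)[-1].lower() == value_name.lower():
            reg_type, _, data = value.partition(",")
            return int(reg_type), unquote(data)
    return None

def disabled_services(sections):
    # [Service General Setting] lines are "<Name>",<startup>,"<SDDL>";
    # startup type 2 = Automatic, 3 = Manual, 4 = Disabled
    names = []
    for key, _ in sections.get("Service General Setting", []):
        fields = next(csv.reader([key]))
        if len(fields) >= 2 and fields[1].strip() == "4":
            names.append(fields[0])
    return names
```

Running the same functions over the real w2k_server_edited.inf (instead of the constructed sample) shows whether the ‘acarnegie’ rename, both banner strings and the intended service lockdowns survived the Save As before the template reaches the GPO.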
In order to apply the newly edited security template, you will need to import
it into the group policy object for the member servers organizational unit.
1. Open Active Directory Users and Computers from the shortcut on the
desktop of IKE.
4. Select the ‘Group Policy’ tab, then select the ‘member_servers_GPO’ GPO
and then click the ‘Edit’ button.
7. Finally, open a windows command prompt by clicking Start > Run and
typing ‘CMD’ in the box, then click ‘OK’. From the command prompt,
Note: With Windows 2000, it can take several minutes for the policy
settings to be propagated to remote computers. Therefore, for the sake of brevity,
you will reboot Patton and so be able to verify quickly that the new group
policy security settings have been applied.
1. Close the remote desktop connection to IKE by clicking the X within the
Remote Desktop Window at the top of the screen.
4. Once you’re logged in, Click Start > Shut Down, select Restart and then
click OK.