Predefined security templates

Windows 2000 includes several incremental security templates. By default, these templates are stored in:

Systemroot\Security\Templates

These predefined templates can be customized using the Security Templates Microsoft Management Console (MMC) snap-in and can be imported into the Security Settings extension of the Group Policy snap-in.

 Caution

• These security templates are constructed with the assumption that they will be applied to Windows 2000 computers that use the default security settings for Windows 2000. In other words, these templates incrementally modify the default security settings, if they are on the computer. They do not install the default security settings, then perform the modifications.
• You cannot secure Windows 2000 systems that are installed on FAT file systems.
• Predefined security templates should not be applied to production systems without testing to ensure that the right level of application functionality is maintained for your network and system architecture.

The predefined security templates are:

• Default workstation (basicwk.inf)
• Default server (basicsv.inf)
• Default domain controller (basicdc.inf)
• Compatible workstation or server (compatws.inf)
• Secure workstation or server (securews.inf)
• Highly secure workstation or server (hisecws.inf)
• Secure domain controller (securedc.inf)
• Highly secure domain controller (hisecdc.inf)

Security Levels

The templates were designed to cover five common requirements for security:

• Basic (basic*.inf)

The basic configuration templates are provided as a means to reverse the application of a different security configuration. The basic configurations apply the Windows 2000 default security settings to all security areas except those pertaining to user rights. These are not modified in the basic templates because application setup programs commonly modify user rights, to enable successful use of the application. It is not the intent of the basic configuration files to undo such modifications.

• Compatible (compat*.inf)

The default Windows 2000 security configuration gives members of the local Users group strict security settings, while members of the local Power Users group have security settings that are compatible with Windows NT 4.0 user assignments. This default configuration enables certified Windows 2000 applications to run in the standard Windows environment for Users, while still allowing applications that are not certified for Windows 2000 to run successfully under the less secure Power Users configuration. However, if Windows 2000 users are members of the Power Users group in order to run applications not certified for Windows 2000, this may be too unsecure for some environments. Some organizations may find it preferable to assign users, by default, only as members of the Users group and then decrease the security privileges for the Users group to the level where applications not certified for Windows 2000 run successfully. The compatible template is designed for such organizations. By lowering the security levels on specific files, folders, and registry keys that are commonly accessed by applications, the compatible template allows most applications to run successfully under a User context. In addition, since it is assumed that the administrator applying the compatible template does not want users to be Power Users, all members of the Power Users group are removed.

• Secure (secure*.inf)

The secure templates implement recommended security settings for all security areas except files, folders, and registry keys. These are not modified because file system and registry permissions are configured securely by default.

• Highly Secure (hisec*.inf)

The highly secure templates define security settings for Windows 2000 network communications. The security areas are set to require maximum protection for network traffic and protocols used between computer running Windows 2000. As a result, such computers configured with a highly secure template can only communicate with other Windows 2000 computers. They will not be able to communicate with computers running Windows 95 or 98 or Windows NT.

• Dedicated Domain Controller (dedica*.inf)

Local user security on domain controllers running Windows 2000 is not ideally secure by default. This enables an administrator to run existing server-based applications on domain controllers (not recommended) in a backwards-compatible fashion. If you do not run server based-applications on domain controllers (recommended), the default file system and registry permissions for the local users group can be defined in the same ideal fashion as that defined by default for Windows 2000 workstations and stand-alone servers. By implementing a dedicated security template these ideal security settings for local users on Windows 2000 domain controllers are applied.

For how to use predefined templates, see To customize a predefined security template