Windows 2000 provides a centralized method of defining security with the Security Template snap-in. It is a single point of entry where the full range of system security can be viewed, adjusted, and applied to a local computer or imported to a Group Policy object. Security Templates does not introduce new security parameters; it simply organizes all existing security attributes into one place to ease security administration. Security templates can also be used as a base configuration for security analysis when used with the Security Configuration and Analysis snap-in.
You can import a security template to a Group Policy object. Any computer or user accounts in the site, domain, or organizational unit to which the Group Policy object is applied will receive the security template settings. Local Group Policy is a special Group Policy object: it cannot override domain-based policy, and only local and account policies are part of the local security template settings.
Importing a security template to a Group Policy object eases domain administration by configuring security for multiple computers at once. A Group Policy object defines access, configuration and usage settings for accounts and resources. For more information on Group Policy, see Group Policy.
Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of IP Security and public key policies, all security attributes can be contained in a security template.
The initial template applied to a computer is called the Local Computer Policy. The Local Computer Policy can be exported to a security template file, to preserve initial system security settings. This enables restoration of the initial security template at any later point. The only possible exceptions to this rule are legacy systems that are being upgraded to Windows 2000. For example, if a Windows NT 4.0-based computer has a customized security template that must not be overwritten, the new Local Computer Policy will not be applied during the upgrade. In this case, security can be configured and applied after the installation.
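Because a template is plain .inf text, an exported baseline can be compared with a later template using ordinary text tooling. The following is an added example, not part of the original documentation: it parses two template fragments and reports every setting that differs. The fragments are constructed sample data, and the function names are hypothetical.

```python
# Added example: diff two security templates (.inf text) setting by setting.
# BASELINE and CURRENT are constructed fragments, not exports from a real
# system; parse_template and diff_templates are hypothetical helper names.

BASELINE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

CURRENT = """\
; constructed "drifted" copy of the baseline
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 1
"""

def parse_template(text):
    """Return {(section, key): value}; names are compared case-insensitively."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None:                       # text before any section
            continue
        key, sep, value = line.partition("=")
        # Lines without "=" are kept whole as the key with an empty value.
        settings[(section, key.strip().lower())] = value.strip() if sep else ""
    return settings

def diff_templates(baseline, current):
    """List (section, key, baseline_value, current_value) for each difference."""
    a, b = parse_template(baseline), parse_template(current)
    return [(s, k, a.get((s, k)), b.get((s, k)))
            for s, k in sorted(a.keys() | b.keys())
            if a.get((s, k)) != b.get((s, k))]

if __name__ == "__main__":
    for section, key, want, have in diff_templates(BASELINE, CURRENT):
        print(f"[{section}] {key}: baseline={want!r} current={have!r}")
```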
For information on how to use the Secedit.exe command line tool to automatically assign security templates to computers, see Automating security configuration tasks.