Security Templates

Another MMC snap-in, Security Templates, allows you to view and configure template settings, as well create new templates. Templates files are in an .inf format, readable in any text editor. A small example of the password policy settings of a template file are shown below:
[System Access]
;----------------------------------------------------------------
;Account Policies - Password Policy
;----------------------------------------------------------------
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0

Windows 2000 provides a number of templates by default. You should have an understanding on the provided template files and why you would use them. The names of templates provide an idea of when/how they are to be used. The last two letters in the template file name (before the .inf extension) usually tell you which type of system a template is meant for – WS for a workstation, DC for a domain controller, SV for a server. For example, the hisecws.inf identifies the template as applying highly secure settings to a workstation. Beyond this, there are five main security levels outlined in the default templates, with each outlined below:

Basic*.inf – Basic. These templates apply the default security configuration to a system. These would be useful if you set too high a level of security on a system and wanted to return settings back to the default.

Compat*.inf – Compatible. Windows 2000 gives members of the Users group more strict security settings than in NT 4.0. As such, some applications (such as those certified for NT 4 but not Windows 2000) may not function correctly (or potentially at all) on Windows 2000. When this template is applied, applications run under the Power Users level of privilege, even though the user may not have that level of access.

Secure*.inf – Secure. Contains settings recommended for securing a system except for those relating to files, folders, and registry keys, which are configured securely by default.

Hisec*.inf – Highly Secure. Provides settings to provide a much higher level of protection, including network security. In this configuration, a system can only communicate with other Windows 2000-based systems, for example.

Dedica*.inf – Dedicated Domain Controller. Contains recommended security settings for a domain controller that is not also acting as an application server.

Template files are stored in %systemroot%\security\templates by default.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.