Tuesday, July 3, 2012

Security Templates



Security settings can be applied through predefined security templates. These come in several grades of increasingly restrictive security. Each can be customised and saved for use in group policies for local machines and domains. This facility is so handy and widely used that there is an MMC snap-in just for it:

The Security Templates snap-in is used to manage security templates.


This tool permits an existing template to be customised if required and saved in the default folder %systemroot%\security\templates as an .inf file, for deployment later.

These templates have descriptive names. For example, workstations (wk, ws or w), servers (sv or s) and domain controllers (dc) are clearly indicated. This is a useful aide-memoire for the exam.

Compatible Templates

This is needed for compatibility with older applications. These applications should be run under Power Users accounts.

Secure Templates

Amongst other things, these have restricted settings for Security Options and Account Policies. Windows NT 4.0 machines must have Service Pack 4 installed to use this.

Highly Secure Templates

Communicates only with Windows 2000+ machines, empties the Power Users group, protects network traffic with IPSec.

Setup security

This is the default policy applied to servers and clients and can be used to restore a machine to its original settings.

rootsec

Rootsec applies permissions to the root of the system drive and all its subfolders.

iesacls

Iesacls sets permissions on registry keys for Internet Explorer.

While it’s perfectly possible to edit the .inf files in the Templates folder using Notepad, a safer alternative is suggested here.

Highlight an existing template and save it under a different name. (Right-click and select Save As)

Settings can then be viewed and altered just as if you were editing the local security policy.

Security templates can be easily transferred to other machines and applied. Templates are also a great way of backing up your security settings.

Security Configuration & Analysis

Analysis is done by comparing the current system security settings against a security template imported to a personal database. This template contains the preferred or recommended security settings (base configuration). Values found are compared to the base configuration. If the current system settings match the base configuration settings, they are assumed to be correct. If not, the attributes in question are displayed for investigation.
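The comparison described above can be reproduced on the template files themselves. The following is an added example, not part of the original post: it parses two .inf texts and reports every baseline setting that differs or is absent, and both templates in it are constructed sample data, while the function names are hypothetical.

```powershell
# Added example, not from the original post. Both templates are constructed sample data.
function ConvertFrom-SecurityTemplate {
    param([string]$Text)
    $settings = [ordered]@{}
    $section  = ''
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }      # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            # Key each setting as "Section\Name" so equal names in different sections stay apart
            $settings["$section\$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    $settings
}

function Compare-SecurityTemplate {
    param($Baseline, $Current)
    foreach ($key in $Baseline.Keys) {
        if (-not $Current.Contains($key))           { $status = 'NotDefined' }
        elseif ($Current[$key] -eq $Baseline[$key]) { $status = 'Match' }
        else                                         { $status = 'Mismatch' }
        [pscustomobject]@{ Setting = $key; Baseline = $Baseline[$key]
                           Current = $Current[$key]; Status = $status }
    }
}

# Constructed base configuration (the template imported into the database)
$baseline = ConvertFrom-SecurityTemplate @'
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
'@

# Constructed current settings (what the machine is actually using)
$current = ConvertFrom-SecurityTemplate @'
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
'@

# Show only the attributes that need investigation
Compare-SecurityTemplate $baseline $current |
    Where-Object { $_.Status -ne 'Match' } | Format-Table -AutoSize
```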

To perform analysis and configuration using a security template the Security Configuration and Analysis MMC snap-in is used.

The first time the Security Configuration and Analysis MMC is created and opened, no database has been defined. The instructions about how to proceed are quite clear, however!

No existing databases are available, so create one… and click Open.

A template for comparison needs to be selected here. Now click Open.

The security settings may now be adjusted (Configured) or examined (Analysed). It’s recommended that an analysis is done first.

Right-click on Security Configuration and Analysis and select Analyze Computer Now.

The results of the analysis need to be collected into a log file. Windows makes a suggestion for the location of this log but other locations can be selected.

Clicking here reveals the analysing display. This checks items as they are compared with the model in the database.

Nothing appears to have happened after all this, but the items which might need to be altered appear in the tree. To find out if anything needs to be altered, the log file needs to be viewed. Right-click here and select View Log File.

There are two displays of the analysis results here, shown in the left and right panes. Scroll the right pane, looking for the flagged mismatches.

The analysis can be displayed graphically by browsing through the various policy folders. Items with a red cross do not match the settings in the template.

You can then apply the template to the machine by right-clicking on Security Configuration and Analysis.

And selecting Configure Computer Now.

All settings in the template are now applied to the computer. N.B. You will need to reanalyze the computer to obtain this page.

Using the Command Line

As well as the easy-to-use MMC tools, Microsoft Windows ships with the “secedit” utility, which can be used to apply templates from the command line. Secedit is a more powerful option because it allows you to apply specific parts of a template rather than the entire template.

For more information on how to use the Secedit command, run “secedit -help” from a command prompt.
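The same analyse-then-configure sequence can be run with secedit, applying only one area of the template. This is an added example, not part of the original post; the template name custom-secure.inf, the working folder and the "Mismatch" log wording are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example, not from the original post. Run elevated.
# Assumed names: custom-secure.inf is a hypothetical customised template.
$template = "$env:SystemRoot\security\templates\custom-secure.inf"
$work     = "$env:TEMP\secedit-demo"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Export the current settings first so they can be compared or restored later.
secedit /export /cfg "$work\before.inf" /log "$work\export.log" /quiet

# 2. Check the template's syntax before importing it.
#    Assumption: secedit signals failure with a nonzero exit code.
secedit /validate $template
if ($LASTEXITCODE -ne 0) { throw "Template failed validation: $template" }

# 3. Command-line form of "Analyze Computer Now": import the template into a
#    fresh database and compare the machine against it.
secedit /analyze /db "$work\baseline.sdb" /cfg $template /overwrite `
        /log "$work\analyze.log" /quiet

# 4. List the flagged lines from the analysis log.
#    Assumption: mismatching settings are logged with the word "Mismatch".
Select-String -Path "$work\analyze.log" -Pattern 'Mismatch' |
    ForEach-Object { $_.Line.Trim() }

# 5. Apply only the account, audit and security-option settings from the
#    database, leaving file, registry and service permissions untouched.
#    Other area names: GROUP_MGMT, USER_RIGHTS, REGKEYS, FILESTORE, SERVICES.
secedit /configure /db "$work\baseline.sdb" /areas SECURITYPOLICY `
        /log "$work\configure.log" /quiet
```

Re-run step 3 afterwards to confirm that the settings in the applied area now match the template.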

Wednesday, June 27, 2012

Local Group Policy




Group Policies are a convenient way for an administrator to prescribe the behaviour of computers, and the rights and permissions of users, from a single console. Group Policies can be applied to a single computer and its users, or to wider groups such as domains. A local computer can have only one group policy (a Group Policy Object) in operation. A Group Policy MMC is not installed by default on a local machine, but part of its content appears as the Local Security Policy MMC, which is installed by default.

The MMC Console is called from START > RUN.

Add the group policy console from the Add/Remove Snap-ins Wizard.

Options here fall into two broad groups, namely settings for the machine as a whole, and settings for the users of the machine.

Software Settings is really only of use within a domain where programs are published or assigned.

Windows Settings is more relevant until the computer is joined to a domain.

This is a way to specify programs to run before the user begins to interact with Windows.

Double-click on the item to view its properties.

No script files have been selected, but one can be added now:

Browse to find a file in the Start-up folder.

One way to specify that all the scripts execute at the same time, as far as possible, is to use the Administrative Templates facility.

Expand System…

Then Scripts.

There is a bewildering array of options here. Fortunately, there are explanations for each policy setting.

Double-click on Run startup scripts asynchronously.

Select the appropriate radio button.

The Explain tab gives a detailed explanation of the object’s function.

The Previous and Next policy buttons allow the administrator to scroll through all the available policies until he finds one that fulfils his requirements.

The quick scan facility is very useful in view of the enormous number of options available:

The best way to get familiar with all of these settings is to play around with them. Be careful not to lock yourself out of the machine.

There are as many options again for configuring user rights…

As can be seen from the panel on the left.

The foregoing configuration opportunities give an administrator a wide range of options for setting security. However, a basic list of essential security features might include disabling the following:

Command Prompt,
Control Panel,
MMC,
Installing programs from floppy, CD or DVD,
Shutdown,
Previous Login name,
Registry editing tools
(You might also consider configuring a Web Home Page.)

Group Policy is applied to the machine and all users of it, including the Administrator. He can permanently remove his own control.

Monday, June 18, 2012

RHM album Vol 460


New Album from Nop Bayarith and Miss BoPreak.

Click here to download the full album.

Sunday, June 17, 2012

Windows 7 Anytime Upgrade


 
This is an easy way to upgrade any version of Windows 7 to Windows 7 Ultimate SP1 in a few clicks, so enjoy your time without formatting and installing a new Windows 7 :) Click here to download.

Driver Genius Professional Edition 2006



Driver Genius Professional Edition 2006 is software that makes it easy to find your PC's drivers with one click, and to back up and restore them with one click. Click here to download: Driver Genius Professional Edition 2006.

How to Enable or Disable Chrome Extension


In this video I show you how to enable or disable a Google Chrome extension.



Advanced System Care 2012 PRO v5.3.0.246 Ultimate




Advanced System Care 2012 PRO v5.3.0.246 Ultimate + Serial is powerful software that makes your PC run faster, with everything included in one pack. It has a friendly interface and is easy to use: just one click can make your PC run faster. Click here to download: