

Quick Lesson: Three methods for deploying security templates


Derek Melber, guest contributor
12.23.2004


This three-part series of quick lessons will help you understand security templates, what they are used for, why you need them, and how to configure and deploy them. Part one gave you a basic overview of security templates, part two discussed why you need them and how to configure them, and part three below offers three different methods for deploying them.


Now that you have baselines established for the different computers and you have each of the security templates configured for each baseline, you are ready to deploy the settings to your computers. There are three options to accomplish this task.


SECURITY TEMPLATE DEPLOYMENT OPTIONS
   Manual deployment
   Using a command line tool for deployment
   Using Group Policy Objects for deployment


Manual deployment

I'd like to stress that we are talking about establishing baselines on all of the computers in your environment, so this option is not very pleasant. But you should know this option exists. Here, you will use the Security Configuration and Analysis (SCA) snap-in. Working with it is similar to working with the Security Templates snap-in, except that you add a different snap-in to the MMC.

SCA can only work on the computer you are working on; it can't remotely configure a computer with the security template information. To configure the computer with the security template settings, you first need to create a database to hold the security template settings. To do this, right-click the SCA node and select Open Database. From the interface, select a name for the database and a security template that corresponds to the server baseline you want. After the database is created, you just need to configure the computer. To do this, right-click the SCA node and select the Configure Computer Now option.


Using a command line tool for deployment

Another option for deploying your security baseline is to use the command line version of the SCA, SECEDIT.EXE. You can run this tool at a command prompt on each computer, but that is as time-consuming as using the SCA itself. Alternatively, put the following command in a script and deploy the script to all of the computers. The deployment can be done via login scripts, startup scripts, or a management program such as SMS. The command that you will run is:
SECEDIT /configure /db db1.sdb /cfg sectemplatename.inf /log logname.log

This will configure the local computer using a database name of db1.sdb, a security template name of sectemplatename.inf and a log file name of logname.log. All three names are variables. (NOTE: The current directory will be used if no path is specified for each of the three filenames.)
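
A script wrapper for the command above, as an added example that is not from the original article: it passes full paths for all three files so nothing depends on the current directory, and it checks the SECEDIT exit code. The share path, local folder and log naming are assumptions for illustration; /overwrite and /quiet are standard SECEDIT switches that the article's command does not use.

```powershell
# Added example: startup-script wrapper around SECEDIT /configure.
# The share path, local folder and file names are hypothetical.
param(
    [string]$TemplatePath = '\\fileserver\baselines\sectemplatename.inf',  # hypothetical share
    [string]$WorkDir      = "$env:SystemRoot\Security\Baseline"            # hypothetical local folder
)

# Fail early if the template is missing instead of letting SECEDIT
# run against a path that does not exist.
if (-not (Test-Path -LiteralPath $TemplatePath -PathType Leaf)) {
    Write-Warning "Security template not found: $TemplatePath"
    exit 1
}
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Build full paths for the database, template and log. SECEDIT resolves
# bare file names against the current directory, which differs between
# login scripts, startup scripts and management agents.
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$db       = Join-Path $WorkDir 'db1.sdb'
$log      = Join-Path $WorkDir "secedit-$env:COMPUTERNAME-$stamp.log"
$localCfg = Join-Path $WorkDir (Split-Path -Leaf $TemplatePath)

# Work from a local copy so the run does not depend on the share
# staying reachable while SECEDIT is applying settings.
Copy-Item -LiteralPath $TemplatePath -Destination $localCfg -Force

# /overwrite replaces any settings already stored in the database with
# the template's contents; /quiet suppresses the confirmation prompt.
& "$env:SystemRoot\System32\secedit.exe" /configure /db $db /cfg $localCfg /overwrite /log $log /quiet
$exitCode = $LASTEXITCODE

# This script treats any non-zero exit code as a run that needs review.
if ($exitCode -ne 0) {
    Write-Warning "SECEDIT exited with code $exitCode; review $log"
    exit $exitCode
}
Write-Output "Baseline from $localCfg applied; log written to $log"
```

SECEDIT /configure needs administrative rights, so run the script as a startup script or from an elevated management agent rather than as a user login script for non-administrators.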


Using GPOs for deployment

Even though the first two options work, they are not scalable to an entire network of computers. The time and effort involved can negate the benefit of using the security template for establishing baselines on computers. Instead you can use GPOs. This does require a good Active Directory design with organizational units (OUs) for each type of computer baseline. After there are specific OUs in place, the computer accounts for the target computers need to be located in the correct OU. Then, a GPO needs to be created for each security template and linked to the appropriate OU. Finally, the security template can be deployed.

The steps to create OUs and move computer accounts into them should be known by every administrator and are of no concern to any auditor. Working with the security template in the GPO also falls outside the bounds of the auditor, but I will describe the key steps here to show how simple it is.

To get the security template into the GPO, edit the GPO using either the Active Directory Users and Computers console or the Group Policy Management console. Once you find the desired GPO in the console, edit the properties of the GPO. You should see an interface that looks something like Figure 2 when you are editing the GPO and importing a security template.


Figure 2. Typical GPO for importing a security template.

To get to the menu shown in Figure 2, just right-click the Security Settings node. This will open up a browse list, allowing you to select the required security template. Once the security template is imported, just close the Group Policy editor.

The security template will deploy to the target computer in approximately 90 minutes or less. If a domain controller is the target, it will get the new settings in less than five minutes.

The true benefit to this method is the ease of deployment, the breadth of the target computers and the persistence. GPOs ensure that the settings are not altered using the local GPO. The GPOs at the OU level will supersede the local GPOs, so even the local administrator can't override these settings.


Where to go from here

You can see that using security templates can make establishing the baseline on all of your computers a simple task, especially if you use the tips I have shown you above. Then, if you use the GPO method to deploy the security templates, your work is reduced dramatically.


About the Author:
Derek Melber is a SearchWindowsSecurity.com guest contributor and one of the leading solution developers, project leaders and technical instructors in the United States, with an innate understanding of how to decipher, organize and communicate complex issues. Derek is a co-founder of BrainCore.Net LLC, which focuses on exam development and certifications, and is the leading outsource company for Microsoft. Derek has worked with Microsoft Learning on over 20 projects focusing on the MCSA and MCSE tracks. He has also taken his years of experience to develop the only Web site dedicated to Windows auditing and security: www.auditingwindows.com, which showcases the auditing Windows security book series, online courses and customized training that Derek provides. Finally, Derek has just finished writing books on Windows security, including the "Administrator shortcut guide to Active Directory security." He has a master's degree from the University of Kansas, Microsoft Certified Systems Engineer Certification, CISM, A+ Certification, and 10 years of solution development, training, public speaking, sales and management experience.


