Default and predefined security templates

What's in the Windows-supplied templates.

Since Windows 2000, predefined security templates have become part of the Windows environment. In this tip, I describe...

what's in various releases introduced since Windows 2000 and recount how different versions of identical files have different features, along with incredibly brief descriptions.

Predefined Windows Security Template Details
Table 1 describes predefined template files, from %systemroot%securitytemplates. Empty cells mean a file is missing in the corresponding OS; when file sizes change, it's safe to assume contents also change -- usually, to accommodate new security features, version names, and so forth. For more information on .inf files, visit www.microsoft.com/technet/ and search on the filename.

Table 1: Predefined Windows Security Template files

Template filename Windows 2000 Pro Windows 2000 Srvr Windows XP Pro Windows Srvr 2003
Date Size Date Size Date Size Date Size
basicdc.inf 12/7/1999 15,256 12/7/1999 15,256
basicsv.inf 5/4/2001 280,826 5/4/2001 280,826
basicwk.inf 5/4/2001 256,936 5/4/2001 256,936
compatws.inf 12/7/1999 53,969 12/7/1999 53,969 8/23/2001 67,884 3/25/2003 67,613
DC security.inf 3/7/2002 23,008 5/1/2003 206,978
hisecdc.inf 12/7/1999 6,524 12/7/1999 6,524 8/23/2001 7,784
hiscws.inf 12/7/1999 17,382 12/7/1999 17,382 8/23/2001 8,015
iesacls.inf 3/25/2003 2,098
notssid.inf 12/7/1999 1,357
ocfiless.inf 12/7/1999 783,208 17/7/1999 783,208
ocfilessw.inf 12/7/1999 489,613 12/7/1999 489,613
rootsec.inf 3/25/2003 713
securedc.inf 12/7/1999 6,391 12/7/1999 6,391 8/23/2001 7,789 3/25/2003 7,881
securews.inf 12/7/1999 7,018 12/7/1999 7,018 8/23/2001 7,713 3/25/2003 7,835
setup security.inf 3/6/2002 522,914 3/6/2002 573,046 12/27/2001 788,192 5/1/2003 797,932

Template file descriptions

  • basicdc.inf, basicsv.inf, basicwk.inf: makes NTFS permissions on upgraded machines identical to new installs on domain controllers, servers, workstations
  • compatws.inf: permits admins to change default User group permissions to grant higher-level privileges without promoting members to Power Users group
  • DC security.inf: registry and file settings for Windows 2000 domain controllers
  • hisecdc.inf, hiscws.inf: extends secure*.inf; requires higher-levels encryption, signing, and authentication domain controllers and workstations
  • iesacls.inf: Windows Server 2003 lockdown for Internet Explorer security settings
  • notssid.inf: turns off Terminal Server SIDs on servers where TS not in use
  • ocfiless.inf, ocfilessw.inf: increases local security of optional components: IE, NetMeeting, IIS, etc. on servers and workstations
  • rootsec.inf: specifies new root permissions introduced with Windows XP Pro
  • securedc.inf, securews.inf: defines enhanced security settings least likely to impact application compatibility for domain controllers and workstations
  • setup security.inf: computer-specific template; default security settings applied during installation, including root system drive file permissions

In my next tip, I'll cover default security templates that live in %systemroot%inf, and how they can sometimes save your bacon!


Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in June 2003

Dig Deeper

PRO+

Content

Find more PRO+ content and other member only offers, here.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close