Since Windows 2000, predefined security templates have become part of the Windows environment. In this tip, I describe what's in various releases introduced since Windows 2000 and recount how different versions of identical files have different features, along with incredibly brief descriptions.
Predefined Windows Security Template Details
Table 1 describes predefined template files, from %systemroot%\security\templates. Empty cells mean a file is missing in the corresponding OS; when file sizes change, it's safe to assume contents also change -- usually, to accommodate new security features, version names, and so forth. For more information on .inf files, visit www.microsoft.com/technet/ and search on the filename.
Table 1: Predefined Windows Security Template files
| Template filename | Windows 2000 Pro | Windows 2000 Srvr | Windows XP Pro | Windows Srvr 2003 |
Template file descriptions
- basicdc.inf, basicsv.inf, basicwk.inf: make NTFS permissions on upgraded machines identical to new installs on domain controllers, servers, and workstations
- compatws.inf: permits admins to change default User group permissions to grant higher-level privileges without promoting members to the Power Users group
- DC security.inf: registry and file settings for Windows 2000 domain controllers
- hisecdc.inf, hisecws.inf: extend secure*.inf; require higher levels of encryption, signing, and authentication on domain controllers and workstations
- iesacls.inf: Windows Server 2003 lockdown for Internet Explorer security settings
- notssid.inf: turns off Terminal Server SIDs on servers where TS is not in use
- ocfiless.inf, ocfilesw.inf: increase local security of optional components (IE, NetMeeting, IIS, etc.) on servers and workstations
- rootsec.inf: specifies new root permissions introduced with Windows XP Pro
- securedc.inf, securews.inf: define enhanced security settings least likely to impact application compatibility for domain controllers and workstations
- setup security.inf: computer-specific template; default security settings applied during installation, including root system drive file permissions
In my next tip, I'll cover default security templates that live in %systemroot%\inf, and how they can sometimes save your bacon!
Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.