Intranet Journal   Earthweb  
It's Easy to Secure Windows 2000 Servers, Part 3


Laura Taylor
5/3/2005


In the first two parts of this series, you learned how to use Microsoft's Management Console (MMC) to automatically configure and enforce security policies by creating security templates. You also learned how to create a security template and assign Account Policies, Local Policies, and Event Log security policies to it for a basic Windows 2000 server. In Part 3, I'll teach you how to configure and assign System Services, Registry Settings, and File System Settings security policies.

Refreshing Our First Two Lessons

Before I show you how to create a different template for specific server types such as a DNS server, a DHCP server, and an Exchange server, we need to finish learning how to configure the remaining policies for a basic Windows 2000 server. By using security templates, you can ensure that security policies are automated. Once a template is in place, the policies are regenerated and loaded into memory each time a system is restarted.

As you'll recall, to get to the screen where you do the actual policy configuration, you first need to start up the Microsoft Management Console. You can do this from the Start menu by opening up the Run box and typing MMC as shown below.

Starting the MMC.

After you add the Security Template snap-in (explained in Part 1 of this series), you need to select the template called basicsv, and then open the System Services configuration window as illustrated below.

The System Services Configuration Window.

You are now ready to configure and assign System Services settings. The System Services settings allow you to stipulate which services get launched on startup. You can configure the System Services the same way you configured the Local Policy settings and the Event Log settings.

Configuring and Assigning System Services Security Policies

The System Services settings should be unique to your organization, and should be a topic of discussion among the systems administrators before you configure them. Keeping that in mind, Table 1 shows an example list of System Service settings designed for a typical, client-server enterprise architecture. Your organization may actually have more services installed on its servers than the ones listed in Table 1.

When you install a new server application, it usually adds new services to the System Services list. The applications that you have running on your server will determine which entries show up in the System Services settings list. The list on your server is likely to be slightly different from the list in Table 1. You will also notice that your Windows 2000 services and your application services are mixed together in this list and are listed in alphabetical order.

When you configure the System Services settings, you will want to give the Administrators group full control. To configure the settings on a group-by-group basis, double-click the service name, and then click the Edit Security button as shown below. You will then see the Allow/Deny security settings by group.

Configuring Security Policy Settings.

In most cases, the group known as Authenticated Users should never have Full Control and their settings for most applications should be set to more restrictive settings such as Read access as shown below.

Authenticated Users Have Limited Control.

You will need to step through this process for each and every application and each and every group. It is important that you know what you are doing when you apply these configuration controls. If you are unsure, leave the default settings in place.
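
Once the template has many services in it, reviewing it as text is faster than reopening each Edit Security dialog. The Python sketch below is an added example, not part of the original article: it assumes the template has been saved as an .inf file whose [Service General Setting] lines have the form name,startup,"SDDL" (startup 2 = Automatic, 3 = Manual, 4 = Disabled), and it reports every service where Authenticated Users (AU) is allowed a right that changes the service. The sample template and its service entries are constructed for illustration.

```python
import re

STARTUP = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
# SDDL rights that let a trustee reconfigure, re-ACL, take ownership of or delete a service.
WRITE_RIGHTS = {"DC", "WD", "WO", "SD", "GA", "GW"}

# Constructed sample in security-template (.inf) syntax; not taken from the article.
SAMPLE_INF = '''\
[Unicode]
Unicode=yes
[Service General Setting]
Alerter,3,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
RemoteRegistry,4,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
W3SVC,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"
[Version]
signature="$CHICAGO$"
'''

def parse_services(inf_text):
    """Yield (service, startup, dacl_aces) from [Service General Setting]."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
            continue
        if not in_section or not line or line.startswith(";"):
            continue
        name, mode, sddl = (f.strip().strip('"') for f in line.split(",", 2))
        # Keep only the DACL part: text after "D:" and before any SACL ("S:").
        dacl = sddl.partition("D:")[2].partition("S:")[0]
        aces = [ace.split(";") for ace in re.findall(r"\(([^)]*)\)", dacl)]
        yield name, STARTUP.get(mode, "Not defined"), aces

def audit(inf_text, trustee="AU"):
    """Return {service: sorted write-class rights allowed to `trustee`}."""
    findings = {}
    for name, _startup, aces in parse_services(inf_text):
        for ace in aces:
            # ACE fields: type;flags;rights;object;inherit_object;trustee
            if len(ace) == 6 and ace[0] == "A" and ace[5] == trustee:
                rights = set(re.findall("..", ace[2])) & WRITE_RIGHTS
                if rights:
                    findings.setdefault(name, set()).update(rights)
    return {svc: sorted(r) for svc, r in findings.items()}

if __name__ == "__main__":
    for svc, startup, _ in parse_services(SAMPLE_INF):
        print(f"{svc:15} {startup}")
    print("Authenticated Users can modify:", audit(SAMPLE_INF))
```

Rights written as hexadecimal masks instead of two-letter SDDL codes are not decoded by this sketch, so a service that uses them needs a manual look.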

Table 1. Example of System Services Settings for Windows 2000

| Service Name | Startup | Permission |
|---|---|---|
| Alerter | Manual | Configured |
| Application Management | Manual | Configured |
| ASP.NET State Service | Manual | Not defined |
| Ati HotKey Poller | Not defined | Configured |
| Automatic Updates | Not defined | Not defined |
| Background Intelligent Transfer Service | Disabled | Configured |
| ClipBook | Manual | Configured |
| COM+ Event System | Manual | Configured |
| Computer Browser | Automatic | Configured |
| Crypkey License | Not defined | Not defined |
| DefWatch | Automatic | Configured |
| Dfs (distributed file system) | Disabled | Configured |
| DHCP Client | Automatic | Configured |
| Distributed Link Tracking Server | Automatic | Configured |
| Distributed Link Tracking Client | Automatic | Configured |
| Distributed Transaction Coordinator | Disabled | Configured |
| DNS Client | Automatic | Configured |
| Event Log | Automatic | Configured |
| Fax Service | Disabled | Configured |
| File Replication | Disabled | Configured |
| FTP Publishing Service | Disabled | Configured |
| IIS Admin Service | Disabled | Configured |
| Indexing Service | Manual | Configured |
| Infrared Monitor | Disabled | Configured |
| Intel File Transfer | Manual | Configured |
| Intel PDS | Manual | Configured |
| Internet Connection Sharing | Disabled | Configured |
| Intersite Messaging | Disabled | Configured |
| IPSec Policy Agent | Automatic | Configured |
| Kerberos Key Distribution Center | Disabled | Configured |
| License Logging Service | Disabled | Configured |
| Logical Disk Manager | Automatic | Configured |
| Logical Disk Manager Administrative Service | Manual | Configured |
| Messenger | Automatic | Configured |
| Net Logon | Automatic | Configured |
| NetMeeting Remote Desktop Sharing | Disabled | Configured |
| Network Connections | Manual | Configured |
| Network DDE | Manual | Configured |
| Network DDE DSDM | Manual | Configured |
| Norton AntiVirus Client | Automatic | Configured |
| Norton AntiVirus Server | Automatic | Configured |
| Network News Transport Protocol (NNTP) | Disabled | Configured |
| NT LM Security Support Provider | Manual | Configured |
| Performance Logs and Alerts | Manual | Configured |
| Plug and Play | Automatic | Configured |
| Portable Media Serial Number Service | Manual | Configured |
| Print Spooler | Automatic | Configured |
| Protected Storage | Automatic | Configured |
| Remote Access Auto Connection Manager | Manual | Configured |
| Remote Access Connection Manager | Manual | Configured |
| Remote Procedure Call (RPC) | Automatic | Configured |
| Remote Procedure Call (RPC Locator) | Manual | Configured |
| Remote Registry Service | Disabled | Configured |
| Removable Storage | Automatic | Configured |
| RIP Listener | Manual | Configured |
| Routing and Remote Access | Manual | Configured |
| RunAs Service | Manual | Configured |
| SAV Roam | Not defined | Not defined |
| Security Accounts Manager | Automatic | Configured |
| Server | Automatic | Configured |
| Simple Mail Transport Protocol (SMTP) | Disabled | Configured |
| Simple TCP/IP Services | Not defined | Not defined |
| Smart Card | Not defined | Not defined |
| Smart Card Helper | Not defined | Not defined |
| SNMP Service | Automatic | Configured |
| SNMP Trap Service | Automatic | Configured |
| Symantec AntiVirus | Automatic | Configured |
| Symantec AntiVirus Definition Watcher | Automatic | Configured |
| Symantec Event Manager | Automatic | Configured |
| Symantec Network Drivers Service | Automatic | Configured |
| Symantec Password Validation | Automatic | Configured |
| Symantec Settings Manager | Automatic | Configured |
| System Event Notification | Automatic | Configured |
| Task Scheduler | Automatic | Configured |
| TCP/IP NetBIOS Helper Service | Automatic | Configured |
| Telephony | Manual | Configured |
| Telnet | Manual | Configured |
| TrueVector Internet Monitor | Not defined | Not defined |
| Uninterruptible Power Supply | Automatic | Configured |
| Utility Manager | Manual | Configured |
| Windows Installer | Manual | Configured |
| Windows Management Instrumentation | Automatic | Configured |
| Windows Management Instrumentation Driver Extension | Manual | Configured |
| Windows Time | Automatic | Configured |
| World Wide Web Publishing Service | Automatic | Configured |
| ZipToA | Not defined | Not defined |
