Printer Friendly Version

In the earlier installments of this series, you learned how to use Microsoft's Management Console (MMC) to automatically configure and enforce security policies by creating security templates. Now that you know how to automate security policies for a basic Windows 2000 server, it's time to learn how to distribute this policy so that you can use it on multiple systems and, by doing so, standardize your security configurations.

Refreshing Our Prior Lessons

Windows 2000 enables you to create security templates, also known as .inf files, and reload them into the server each time the server reboots. By doing this, you always re-load the same security configuration that you have already defined and tested. When you set up pre-configured files that reload the security of the system each time it restarts, you can more easily ensure that the right policies are being used.

Another good reason to use security templates is because they allow you to standardize your security configuration across multiple systems. On an enterprise network, you can create one type of security policy for a file and print server, for example, and then distribute it across your network to all file and print servers so they are all configured for security the same way. You can set up one kind of security template for file and print servers, one kind for DNS servers, one kind for database servers, one kind for Web servers, and so forth.

Configure Security Templates Centrally and Implement Them Globally

Once you have proven security templates that you have taken the time to develop, configure, and test, you can install these templates across your enterprise network onto other servers. The process of installing and applying a pre-defined security template to other systems is known as importing it. (Exporting a security template refers to the process of capturing and preserving or "exporting" the existing local security settings into a file for later use.) When you import a template, you take an already developed template and apply the settings. When you "export a template," you really are taking the existing settings and capturing them in a brand new template. The terminology is a bit confusing, and had I been the one to come up with it, I think I would have used other terms.

Import an Existing Security Template

You can use the Security Configuration and Analysis tool to "import" an existing security template from a centralized storage location. It's not a bad idea to keep your security templates all together in a central location. A standard default storage location for security templates is:

%systemroot%\Security\Templates

or...

C:\winnt\security\templates

If you create a network share for your template directory, you can then access the templates across your network, import templates from the share, and then apply them to the appropriate systems. To load the Security Configuration and Analysis tool, start the Microsoft Management Console (MMC) just as you learned how to do in Part 1 of this series.

When the Console1 box appears, click Console and use the dropdown menu to select Add/Remove Snap-in. After the Add/Remove Snap-in box appears, click Add. After you click the Add button, you will be prompted with a list of possible Snap-ins you can add. Select the Security Configuration and Analysis snap-in as illustrated in Figure 1 and then click Close in the Add Standaline Snap-in window.

Installing the Security Configuration and Analysis snap-in.

You will see the Security Configuration and Analysis tool appear in the Add/Remove Snap-in window as illustrated below. Now click OK.

Finishing the installation of the security configuration and analysis snap-in.

Before you can import the security template, however, you first need to create a database into which you will import it. In the left pane of the Console window, right click Security Configuration and Analysis and from the pull down menu select Open Database.

Creating the database for your security template.

If the template you are going to import is called basicsv (this is the template you learned how to configure in Part 1 and Part 2 of this series) then you should use the same name for the database, e.g., basicsv.sdb. The Security Configuration and Analysis tool will automatically put the .sdb extension on the end of the database file. Once you insert the name that you would like to call your database as illustrated below, click Open and immediately a new window will pop open and you will be prompted to select an .inf file from the security template default location.

Naming the database for your security template.

(If you want to share templates across your network, it is the default location that you just selected your template from that should be set up as a network share.) Remember, security templates are really just files and the files end with the extension .inf.

Importing your security template.

Before you import the database, be sure to check the box that says Clear this database before importing. Next click Open. You'll then see instructions on how to use the Security Configuration and Analysis tool in the right pane on the window.

Page 2: Analyze the Security of Your Computer