Part VI ✦ Managing the Network Figure 23-4: Edit computer policies. Understanding Security Templates You can use security templates in Windows 2000 and XP to create a security policy for your network. Security templates use the same security features as group policies, computer poli- cies, and Registry protection; however, using a security template enables you to organize all policies in one area for easy administration. Most home network users do not need to use security templates for their network. Security templates are more for business networks. You must consider the information on your net- work and how important it is to keep private. If your network is in healthcare, for example, you have patient’s records that must be kept secure because of HIPAA Health Insurance Portability and Accountability Act regulations. In this case, security is extremely important. However, if you have a small business that makes signs for clients, the information on your computers is not likely to be as sensitive as other businesses. After creating a security template, you can import the template to a local computer or to net- work. You save a template to an INF file, which is text-based. Because it’s a text file, you can easily copy, paste, import, and otherwise manipulate the contents of the file. You use the MMC to edit predefined security templates or to create your own. You need to understand the effects of an imported security template, and you should do extensive testing before applying a template to your entire network. If you want to work with security templates, see your Windows 2000 or Windows XP Professional documentation for more information. This section simply describes the templates and some of the changes you can make. Small Business Tip Chapter 23 ✦ Using Policies to Secure Windows Understanding default security settings Windows includes predefined security templates you can use. You can also create new tem- plates; however, if you’re just learning to configure security templates, you should stick with Windows’ predefined templates to start. Predefined templates include using a highly secure environment, implementing a less secure environment, and securing the system root. One of the predefined templates enables you to reapply default settings. Windows has default security settings. When you work with a security template, you are changing these default settings. Windows includes three basic levels of security for users: Users, Power Users, and Administrators groups: ✦ The Users group does not allow users to modify the operating system settings or use others’ data. ✦ Power Users enables users to run Windows programs that are not certified also referred to as legacy applications, which Users cannot do. Power Users may also mod- ify computer settings. ✦ Administrators can perform computer maintenance and, therefore, have complete con- trol over the system. In a home networking situation, you can most likely let each computer’s owner have Administrator status over his or her own computer. Even in a small-business network, many employees can have Administrator status. However, if you have young children at home or inexperienced users at home or work, then you should either create a new group with fewer permissions or keep these users in the Users group. Using predefined templates There are several predefined security templates you can use. Some you can use to make your network more secure but still workable; others can be more technical with more complex security features. These templates do not install default settings to a computer; these tem- plates only modify default settings. You cannot use them on computers that do not already have default security settings, such as Windows 98, Me, or an operating system other than Windows 2000 or XP Professional. When modifying a predefined template, you should save the modified template under a new name so that you do not permanently change the original template. ✦ The Default security Setup Security.inf applies to a specific computer and enables the user file permissions for the root of the drive. You use the default security template in case of a disaster, when installing Windows Windows applies the default template, or when you want to reapply the security settings to a local computer. Never edit the Setup Security.inf, because it gives you the opportunity to reapply the default settings if need be. Never apply the Setup Security.inf to Group Policies; it could seriously degrade performance throughout the network. Apply the Setup Security.inf only to a local computer. Don’t use the default security settings to apply as a group policy; you’ll lose any specific and individual settings, such as Administrator. Use the default security settings only on an indi- vidual computer. Tip Tip Tip Part VI ✦ Managing the Network ✦ You might want to use the System Root security template Rootsec.inf. This security template is used in Windows XP Professional only and specifies permissions for the root of the system drive. You can use this template if you need to reapply root direc- tory permissions on a computer. Use this template if your root permissions are acci- dentally changed. This template does not apply to subdirectories children of the root; it applies only to the root drive of a single system. ✦ Another security template you might use is the Compatible Compatws.inf template. This template grants permissions to Administrators, Power Users, and Users, by default. You can use this template to improve security of the system by making sure that the appropriate users are members of each group. You can make changes to the templates to increase security with the least impact on applications. You might want to relax permissions for users in your home network using the Compatws.inf while increasing security for administrators. Do not use the Compatws.inf for a domain controller. The Compatws.inf template is too secure for a domain controller but perfect for the administrator’s computer or a payroll com- puter, for example. Note Tip IP Security and Public Key Policies You can include most security attributes in a security template; however, you cannot include IP Security and public key policies. ✦ IP Security IPSec is a common means of integrity, authentication, and IP encryption through cryptographic security services. It uses encryption to establish the integrity of a datastream. In addition, IPSec ensures that the data is not tampered with during transit and provides confirmation about the datastream origin. IPSec encrypts packets of data that can be routed and switched on any network that supports IP traffic; therefore, the IP packet can travel the local area network, intranet, extranet, or Internet securely and transparently. In addition, the end workstation and applications do not require any extra security soft- ware or other modification. There are federal regulations governing the exporting of IPSec encryption because IPSec is such a strong encryption. ✦ Public key policies use certificates to control authentication between domains and trusted domains, and in enterprise networks. You can use public key policy settings in group policies. In public key policy settings, a computer automatically submits certificate requests and installs the issued certificate. A certificate is a method of authentication between open networks, such as the Internet. The certificate secures a public key to the corresponding private key. Certificates are digitally signed, thus guaranteeing authenticity and higher security. You do not need to use public key settings in your home or small-business network. If you do plan to join a larger network, such as a corporate or enterprise network, you might then want to consider the use of IPSec and public key policies. Chapter 23 ✦ Using Policies to Secure Windows ✦ There are the Secure templates Secure.inf. These templates apply a bit less security than the High Security templates. The Secure templates define stronger password, lock- out, and audit settings without adversely affecting the application settings. The secure templates work best in a clientserver environment. You must use Windows NT 4 or 2000 and a domain to apply some of these templates to a member machine. You must run LAN Manager in a workgroup using Windows 98 plus install DS Client Pack. For more information, see Windows 2000 or XP documentation. ✦ The High Security templates Hisec.inf use security settings that have high levels of encryption and signing. You use the secure templates with domains in a corporate or enterprise setting. You most likely will not need this high security in your home or small-business network. Using Security Configuration and Analysis You can use Security Configuration and Analysis to check your network and system for secu- rity flaws. Security Configuration and Analysis is an administrative tool in Windows 2000 and Windows XP. You can use this tool to check your system and to make suggestions for ways to better secure your network. You use the Security Configuration and Analysis tool to analyze your system and also make changes to templates. If you’re going to make changes to templates, however, make sure you understand the consequences to the changes you are about to make by testing thoroughly before implementing those changes. You open an empty Microsoft Management Console MMC in which to use administrative tools. After you create the MMC for Security Configuration and Analysis, you can save it to use again.

1. Open an MMC by clicking Start ➪ Run and typing MMC in the Open text box. Click OK.

An empty MMC appears see Figure 23-5. Figure 23-5: Start with an empty MMC. Part VI ✦ Managing the Network

2. Click File ➪ AddRemove Snap-in. The AddRemove Snap-in dialog box appears, as

shown in Figure 23-6. Figure 23-6: Add a snap-in. 3. Click Add. The Add Standalone Snap-in dialog box appears. 4. Locate Security Configuration and Analysis, as shown in Figure 23-7, and click Add. Figure 23-7: Add the Standalone Snap-in.