Microsoft Security Templates and Group Policies

Microsoft security templates are text files designed to apply specific policies to individual computer systems. Templates are great tools for hardening Microsoft servers to a specific standard. Templates may also be used to analyze the server’s configuration, providing an audit report of where the server’s configuration does not match the template. The tool for applying the text template (stored as an *.inf file) is the Microsoft Management Counsel snap-in called “Security Configuration and Analysis” (SCA). With SCA, you may import a template, then either apply it to the computer or perform an analysis.

Unfortunately, the ability to export or print the results of the audit is very limited. While the graphical output of the security analysis lists the computer and template standards separately, the log file only lists the fact that a discrepancy exists. If the server is actually more secure than the template, it is still a discrepancy. If the names in a list are in different orders, it is shown as a discrepancy, even if for all practical purposes the result is identical.

Superficially, security templates function a bit like Bastille for Linux. It’s a standard template for applying policies to a single system. It can also audit for compliance with those policies.

In Windows, the options specified in the template end up being applied to the local security policy. You can see this by looking at the Local Computer Policy snap-in after applying the template. All the values in the template are now part of the local system policy.

Now suppose the machine is part of a domain. The domain policy will overwrite the local system policy! The template that has just been applied to the server will vanish. If the domain policies are weaker than the template policies, the template policies will be rolled back. The same holds true if the server is part of an organizational unit – though an OU must be deliberately created, while every Active Directory implementation has a domain with a default domain security policy. The policies in the template must be consistent with those in the domain and the OU.

Standard security templates are available from a variety of sources. I advocate using those provided by Microsoft. I make an assumption that these have been reasonably well tested and will likely not break applications. The templates are provided in the Windows Server 2003 Security Guide, found at :
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx.

The templates are actually not designed to be applied to individual servers. They are intended to be applied to the domain and to various OUs holding servers of different types. An OU is defined for IIS servers, another for file servers, and so forth. A server can have three templates applying security policies – a domain policy, a member server OU policy, then another OU for the type of server. If your environment does not have this domain and OU structure, you can still apply the templates by hand, one at a time, to individual servers.

Security templates are not really the equivalent of the hardening scripts used in the Unix world. The cannot be applied to servers at once, one at a time, in isolation from other servers – at least not if the servers are members of a domain. Active Directory provides flexibility and power to enforcing policies. You will be assured that every server in the OU follows the same security policy. If the policy changes, it will automatically change for all applicable servers. The disadvantage is that it becomes harder to isolate changes to a subset of servers. You may not want to change the policy for all servers in a domain or OU – you may only want to change one server’s policy.