If you don't use restricted groups as you recommend, what enforces the group policies if the group definitions do not? Well, I don't think I should start over, but I will definitely study that stuff in detail and ensure all principles are applied. Haven't had time to review yet.
Why would MS do that to me? I guess the security templates aren't as powerful as I had thought. I will research your references. Okay, thank you very much for all the information. I got a week or two worth of study. I will come back to this post and ask more questions if and when I come to them, which I probably will. First stop, security guidance.
I am not allowed to purchase new equipment this year. We have to do stuff similar to the DoD in terms of lock and key, classification of critical assets, security settings, user management, IDS, etc, etc, etc, etc, etc, etc. The first thing that needs to be done is to apply a security template manually and locally to each device in order to ensure consistent and correct policies. Again, there are no domain controllers.
It's an administrative nightmare, but this is just temporary and we have to have it in place this year. This is the first time I have designed a security template. I am almost done, but need the following questions answered before I move on. Question 1: Services listing In the security template there is a section called services; I am well familiar with service hardening in general from the service.
My question is this, in the services section of the hisecws template, where is this list populated from? Is it populated when you open the template based on what services I have on this development machine or is it part of the template? If I am going to apply this template to computers at each site, then it would not be appropriate to use the services that are installed on this development computer; however, if the services listing in the templates is consistent, as viewed on any computer, and represents a typical services listing for any freshly installed WinXP OS, then this would seem to be perfect.
So, where is this services list coming from? Is it based on my computer, or is it hardcoded into the template? Question 2: Groups vs. Restricted Groups In the user rights section of the security template, I have assigned any number of 4 custom groups to each setting.
I do not want to use any of the default groups. Again, no domain controller so everything will be local policies. Now I have reached the section called restricted groups.
Is this where I assign usernames to each group and actually define the groups for this device? Are usernames automatically created using this method, or do I have to do this somewhere else? I have read tons of documentation on the "user rights" and "restricted groups" sections, but nothing ties these two sections together in a logical way. Is it correct that, for the above condition and my desire to keep it simple I should:
1. Restricted groups section: delete all groups listed by default.
2. Restricted groups section: add my four custom groups.
3. Restricted groups section: make sure the members of list is empty for each group.
4. User rights section: assign the users rights for each group.
Friday, September 18, PM. Gunslinger; The list of services is based on what's present on the computer where you've opened the editor. Modifying the startup type of services can cause all sorts of problems, there are only a small number of services that you should consider disabling such as Messenger. See the XP Security Guide linked below. Restricted groups and user rights aren't really related except by the fact that they both involve user and group accounts.
Based on what you've stated I strongly recommend against using the restricted groups feature, it's complex and it's easy to cause problems if you don't understand the feature completely. Modifying user rights is also very risky, be certain that you understand what you are doing. I have another concern, you are using security templates and specifically mention hisecws.
The hisecws template includes settings that are not supported by Microsoft. Instead, please use our security guidance as a starting point for your work. Note that there are many group policy settings that you can't apply with security templates, you should experiment with the GPOAccelerator for deploying the settings locally.
I've pasted a passage from the user guide below. I hope that you take my advice to heart. I have helped scores of organizations to harden their systems over the years. I have been involved in developing hardening guidance for the entire federal government.
I know firsthand the problems people typically run into: using hisecws, modifying services, using restricted groups, and reconfiguring user rights are 4 of the most challenging areas. I know government agencies that made mistakes in these areas and faced reimaging thousands of computers. And whatever you do, be sure that you thoroughly test before applying your changes to production computers. Thanks for the reply. Then right-click on Command Prompt and choose Run as Administrator.
If you are running Windows 10, Windows 8, Windows 7, or Windows Vista and need to reset the security settings to their default values, use this command instead:. Now just wait for Windows to go through all the registry settings and reset them. Now you should be able to use your computer without any of the remnants of local security settings from previously applied Group Policies.
If you have any questions, feel free to comment.
Now that we have our snap-in set, we can compare the security settings on the local system with those in the template.
Now we need to create a new database and import the template settings. We will name it CompareSettings and click Open. Next, we have to import our template, that is, we need to select the template that we are going to compare to the local computer.
At this point we need to compare the settings in the template with the settings on the local computer. Click OK to accept the path to the error log file. The following window will appear.
If we browse to Account Policies and then Password Policy, we can see the settings from our database and the current computer settings. Notice the red X and the green check mark. A red X tells us that the setting on the local computer does not match the setting in the template, while the green check mark tells us that the settings do match. Notice that we have two columns for details. Those columns are Database Setting (the template setting) and Computer Setting (the current setting applied on the computer).
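The same template-versus-computer comparison can be scripted. The following is an added example, not code from the original article: it parses two security-template INF texts and reports each template setting as a match or a mismatch, mirroring the Database Setting and Computer Setting columns. Both INF samples are constructed, the "missing" status label is an assumption of this example, and on a real machine the computer side would come from a file written by `secedit /export /cfg`.

```python
# Added example. Both INF texts are constructed samples, not real exports.
TEMPLATE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""
COMPUTER_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-545,*S-1-5-32-544
"""

def parse_inf(text):
    """Parse security-template text into {section: {setting: value}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def normalize(section, value):
    if section == "Privilege Rights":   # principals in a user right are unordered
        return frozenset(p.strip().lower() for p in value.split(",") if p.strip())
    return value.strip('"').lower()     # simplification: compare scalars as text

def compare(template_text, computer_text):
    """Return (section, setting, database_value, computer_value, status) rows."""
    template, computer = parse_inf(template_text), parse_inf(computer_text)
    rows = []
    for section, settings in template.items():
        for name, wanted in settings.items():
            actual = computer.get(section, {}).get(name)
            if actual is None:
                status = "missing"      # hypothetical label: absent on the computer
            elif normalize(section, wanted) == normalize(section, actual):
                status = "match"        # shown as the green check mark
            else:
                status = "mismatch"     # shown as the red X
            rows.append((section, name, wanted, actual, status))
    return rows
```

Calling `compare(TEMPLATE_INF, COMPUTER_INF)` flags the minimum password length (8 in the template, 0 on the computer) as a mismatch, while the user right matches even though its principals are listed in a different order.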
All settings will then be applied. To check our new settings we can go to our Group Policy Editor and navigate to, for example, Password Policy.
Notice that our settings now include minimum password length of 8 characters. While we can manually edit group policy settings to achieve the desired configuration, we can simplify the process by importing a predefined template.
Windows XP ships with several predefined templates. We can also import our template while we are in Group Policy Editor. We will select it and click Open. Notice how our password policy has changed.