Cooking Up Results: Create your own Windows XP Security template

by John Sheesley | Feb 04, 2004 8:00:00 AM

Tags: Microsoft Windows, John Sheesley, Microsoft Windows XP, Security Configuration, security, console, analysis, Analysis container, database, workstation

Takeaway: Using templates, you can quickly create uniform security for all workstations in your network. Here's a short recipe for creating, saving, and applying custom XP security templates.

What you need

• PC running Windows XP (may also substitute Windows 2000 Professional)
• Microsoft Management Console
• Security Configuration And Analysis Snap-In
• Security policy for your network

Procedure
Start an empty Microsoft Management Console (MMC) session. Select the Add/Remove Snap-Ins command from the console’s File menu. Click the Add button on the Add/Remove Snap-In properties sheet. Scroll to the bottom of the list, select the Security Configuration And Analysis option from the list, and click the Add button. Then click Close and OK.

Create a database. Right-click the console’s Security Configuration And Analysis container in the left pane. Select Open Database. Enter a database name in the File Name field of the Open Database window. Click Open.

Select a starting template in the Import Template window. Choose from:

• COMPATWS—basic workstation
• HISECWS—high-security workstation
• SECUREWS—medium-security workstation

Do not use the other templates. They are primarily for Windows servers. Select the template and click Open.

Analyze the computer to compare current settings with the chosen template. Right-click the console’s Security Configuration And Analysis container in the left pane. Select Analyze Computer Now.

Enter the path and filename information in the Error Log File Path field. Click OK. When the snap-in finishes analyzing your computer, you'll see the screen shown in Figure A.


Browse the tree and check the recommended database settings against your current settings. Discrepancies appear with a red X, as shown in Figure B.


Determine if the settings need to be modified or if Database Setting is appropriate for the computer based on your organization's security policy. Modify only those Database Settings that do not meet desired settings. Desired settings may be the current computer settings or personally preferred settings.

To modify a setting, double-click the item in the right pane. The Properties window will appear. Make changes to the item as desired. To disable the setting, deselect the Define This Policy In The Database check box.

After making all changes, save the template. Right-click the console’s Security Configuration And Analysis container in the left pane. Click Export Template. Enter a name for the template in the File Name field. Click Save. You can then copy this file to other computers to apply uniform settings across the network.

To apply security settings based on the template on the workstation, right-click the Security Configuration And Analysis container and select Configure Computer Now. Enter the path to the error log file. Click OK to apply the template.

Close the Security Configuration And Analysis console. If desired, save changes when prompted to save the Security Configuration And Analysis console for later use without using the Add/Remove Snap-Ins step. This save request does not affect the security template or settings you've made.

Restart the workstation to ensure that all settings take effect.

Print/View all Posts Comments on this article

What about multiple machines? Retribution | 02/05/04

Network Rollout would be very very useful... Cherry Black | 02/05/04

Group Policy bkmead | 02/05/04

use secedit relisntab@... | 02/05/04

What about multiple machines, with Netware? gandalf4hire | 02/12/04

NetWare John Sheesley - TechRepublic Pro | 02/12/04