A security template is a collection of configuration settings stored as a text file with an .inf extension. Security templates can contain many of the same security parameters as GPOs. However, security templates present these parameters in a unified interface, enable you to save your configurations as files, and simplify the process of deploying them when and where they are needed.
The settings that you can deploy by using security templates include many of the security policies covered in this objective, including audit policies, user rights assignments, security options, event log policies, and restricted groups. By itself, a security template is a convenient way to configure the security of a single system. When you combine security templates with Group Policy or scripting, they enable administrators to maintain the security of networks consisting of hundreds or thousands of computers running various versions of Microsoft Windows.
By using these tools together, administrators can create complex security configurations and mix and match those configurations for each of the various roles computers serve in their organizations. When deployed across a network, security templates enable you to implement consistent, scalable, and reproducible security settings throughout the enterprise.
Using the Security Templates console
Security templates are plain text files that contain security settings in a variety of formats, depending on the nature of the individual settings. Although it is possible to work with security template files directly by using any text editor, Windows Server 2012 R2 provides a graphical interface that makes the job much easier.
To create and manage security templates, you use the Security Templates snap-in for MMC. You can also download and install the Security Compliance Manager (SCM) tool from the Microsoft website; this tool provides similar functionality plus a collection of system
security baselines. By default, the Windows Server 2012 R2 Administrative Tools menu does not include an MMC containing the Security Templates snap-in, so you have to create one yourself by using the MMC Add Or Remove Snap-Ins dialog box. When you create a new template, the console provides an interface like the one shown in Figure 6-9.
FIGURE 6-9 The Security Templates snap-in
The left pane of the Security Templates snap-in points to a default folder in which the console stores the template files you create by default. The snap-in interprets any file in this folder with an .inf extension as a security template, even though the extensions do not appear in the console.
When you create a new template in the console, you see a hierarchical display of the policies in the template and their current settings. Many of the policies are identical to those in a GPO, both in appearance and function. You can modify the policies in each template just as you would those in a GPO.
Creating security templates
To create a new security template from scratch, use the following procedure.
1. Open the Run dialog box and, in the Open text box, type mmc and click OK. An empty MMC appears.
2. Click File, Add/Remove Snap-In to open the Add Or Remove Snap-Ins dialog box.
3. From the Available Snap-Ins list, select Security Templates and click Add. The snap-in appears in the Add Or Remove Snap-Ins dialog box.
4. Click OK. The snap-in appears in the MMC.
5. Click File, Save As. A Save As combo box appears.
6. Type a name for the console to save it in the Administrative Tools program group.
7. Expand the Security Templates node.
8. Right-click the security template search path and, from the shortcut menu, select New Template. A dialog box appears.
9. In the Template name field, type a name for the template and click OK. The new template appears in the console. Leave the console open.
When you create a blank security template, there are no policies defined in it. Applying the blank template to a computer will have no effect on it.
Working with security template settings
Security templates contain many of the same settings as GPOs, so you are already familiar with some of the elements of a template. For example, security templates contain the same local policy settings described earlier in this chapter; the templates are just a different way to configure and deploy those policies. Security templates also provide a means for configuring the permissions associated with files, folders, registry entries, and services.
Security templates have more settings than Local Computer Policy, because a template includes options for both standalone computers and computers that are participating in a domain.
Importing security templates into GPOs
The simplest way to deploy a security template on multiple computers simultaneously is to import the template into a GPO. Once you import the template, the template settings become part of the GPO, and the network’s domain controllers deploy them to all the computers affected by that GPO. As with any Group Policy deployment, you can link a GPO to any domain, site, or OU object in the Active Directory tree. The settings in the GPO are then inherited by all the container and leaf objects subordinate to the object you selected.
To import a security template into a GPO, use the following procedure.
1. In Server Manager, on the Tools menu, select Group Policy Management. The Group Policy Management console appears.
2. Expand the forest container and browse to your domain. Then expand the domain container and select the Group Policy Objects folder. The GPOs that currently exist in the domain appear on the Contents tab.
3. Right-click the GPO into which you want to import the template and click Edit. A Group Policy Management Editor window for this policy opens.
4. Browse to the Computer ConfigurationPoliciesWindows SettingsSecurity Settings node. Right-click the Security Settings node and, from the shortcut menu, select Import Policy. The Import Policy From dialog box appears.
5. Browse to the security template file you want to import and click Open. The policy settings in the template are copied to the GPO.
6. Close the Group Policy Management Editor and Group Policy Management console.

No comments:
Post a Comment