S 2.366 Use of security templates under Windows Server 2003

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Settings relevant to security can be specified in Windows Server 2003 using security templates. Since most areas of the system have security-related aspects, templates are an important and powerful administration tool. With their help, you can standardise and centrally administer settings. The most important tools for templates are the Security Configuration Editor (SCE) and Security Configuration Wizard (SCW, first available in Service Pack 1). A brief description can be found in the Resources for IT-Grundschutz (see Use of security templates under Windows Server 2003 in the Resources for Windows Server 2003).

In contrast to administrative templates (S 2.368 Handling of administrative templates under Windows Server 2003 and higher), security templates contain actual values for the settings of all options. Activating a security template in the local security policy immediately changes the system configuration. All template settings are activated immediately and configured with a real value.

The template type available in Windows NT 4.0 (files with the .pol extension) should not be used any more with Windows Server 2003. Existing security templates of this type should be recreated as group policy objects. The Gpolmig.exe programme available in the Windows Server 2003 Resource Kit can make this task much easier.

General precautionary measures for security templates

Some threats are listed in T 3.81 Inappropriate use of security templates for Windows Server 2003 and higher. Through careful planning and implementation and by following basic rules, it is possible to ensure that the security templates have the desired effect on the target system.

The time and expense required for development and testing should be estimated at the start. The time and expense necessary depends on the number of different target system configurations, the type and number of the settings in a given template, and the template distribution strategy used for the target systems. This should be clarified in advance in a requirements analysis that takes the existing IT system security policies into account.

A test and development environment, or at least a temporary, isolated test server, is recommended in all cases. The higher the number of settings and target configurations is, the more time and expense is required for the test environment. In addition, the more test server configuration in a certain area matches the actual configuration of potential target servers, the easier it is to predict the effects of a template in this area.

The technical expense for individual settings, for example the password length, is minimal and does not entail much risk (a test environment is not absolutely necessary for this). This is especially true when the settings are transferred automatically as group policies to all relevant server and clients.

The distribution and activation of the security templates in the production environment (referred to as rollout in the following) poses a significant risk, especially when the effects of critical settings on the target server cannot be adequately determined in the test phase. In this case, it is necessary to restrict the rollout at first to individual, less critical servers and only expand the rollout after this initial rollout is successful. Furthermore, rollback scenarios should be planned and tested. Rollback means the ability to place the configuration of the server back into its previous state. Allowances for backing up the system status and reliable restoration should be integrated into the rollout and rollback scenarios.

In many cases, security is higher when a large number of settings are distributed among several security templates and then rolled out in stages. For example, there may be templates for certain Windows Server 2003 components, for certain government agencies or company departments, or for certain security levels (e.g. basic security and high security). This procedure is much more flexible when developing additional templates since it is possible to replace specific templates while keeping the proven basic settings. When rolling out in stages, conflicts can arise when two templates define values for the same setting. The rollout strategy must decide which template settings take precedence.

Security templates can be rolled out manually on a single server or automatically on several servers. Manual rollout is performed using the SCE or SCW console and is recommended for servers with very high protection requirements since this makes it possible to quickly detect and eliminate undesired side effects. Automation is attained through scripts or the Active Directory. The latter is more suitable for a rollout in stages because it makes it easier to install a series of templates and specify the template settings taking precedence.

It becomes clear that that a suitable strategic concept must be specified for a particular IT area before security templates can be used in the productive environment. Using security templates, the release process for configuration changes in Windows Server 2003 as well as the preparation concepts (S 4.281 Secure installation and preparation of Windows Server 2003) can be designed to be much more transparent. They should be integrated into a release process designed in the context of safeguard S 2.221 Change management.

Security Configuration Editor (SCE)

The SCE consists of the following consoles in a standard installation:

• Local Security Policy (under Start | Control Panel | Administrative Tools): sets security settings directly on local servers
• Security Templates: creates and manages security templates (.inf files), but does not make any changes to the configuration on the server
• Security Configuration and Analysis: for modelling security settings and analysing the system with the help of an intermediate configuration database, exporting and importing security templates, testing for conformity to policies, and activating a modelled security configuration

The Security Templates and Security Configuration and Analysis consoles are called from the Microsoft Management Console (MMC).

Using the tools provided with the SCE, settings for all aspects of authentication and for signing network traffic between Windows computers can be specified. In addition, all central security settings for a server can be set here, including the monitoring policies and authorisations in the file system and in the registry database, among other settings. In domains, the SCE consoles are provided with additional settings for Kerberos as well as other domain-wide settings. All these settings can be stored in security templates. It is always recommended to use the most recent settings provided by the manufacturer (see the Resources for IT-Grundschutz, Use of security templates under Windows Server 2003 in the Resources for Windows Server 2003).

Windows Server 2003 comes with sample security templates for different security requirements. These templates are located in the directory C:\WINDOWS\Security\Templates. Additional, documented templates are available from the manufacturer.

The settings specified for Restricted Groups, System Services, Registry and File System cannot be undone by performing a rollback. Such settings can be set to different values by applying a different security template. One rollback variation includes parallel development of rollback templates that then overwrite the settings of the security templates actually in use with non-critical values in an emergency. Resource authorisations (ACL) and object monitor settings (SACL) are particularly critical. The authorisation concepts implemented in the security templates can permanently destroy the existing authorisation structures when the templates are applied. In this case, safeguard S 2.370 Administration of access rights under Windows Server 2003 and higher must be taken into account.

Mandatory values for all settings under Account Policies, Local Policies, and Event Log should be specified for each server. To specify the values, consult the security policies and security concepts for the information system being examined and the corresponding IT-Grundschutz safeguards. Furthermore, the default settings in Windows Server 2003 as well as the security templates provided can be used as a reference. A valid security template or set of security templates should be available for every server. The security configurations of the servers should conform to the most recently documented status of the security templates.

The requirement for conformity should be specified in an security policy for the corresponding information system.

The Security Configuration Wizard (SCW) is an extension, and in some ways a simplification, of the SCE. The same basic principles apply to the wizard. Information and recommendations for the operation of the SCW can be found in the Resources for IT-Grundschutz (see Use of security templates under Windows Server 2003 in the Resources for Windows Server 2003).

Documentation

For minimal documentation of the security templates, it is sufficient to state in the system documentation which template files are used on each server (files with the .inf or .xml extension), their version numbers, and in the case of user-defined templates, their contents. Through appropriate version management and access control for the templates, it should be possible to determine who edited which templates at what times. If the templates are distributed by the Active Directory, then all additional factors determining the effectiveness of the settings for the server or servers must be documented, e.g. the Organizational Unit (OU), security filters, and WMI filters. It must be possible at all times to determine the source of each security setting.

On this basis, the documentation and, if necessary, test concepts, user-defined scripts, and distribution and rollback scenarios arising in conjunction with security templates should be created. The documentation should also be used as a basis for the planning of regular evaluations of system and security logs.

Transformation and style sheet files are provided for displaying and printing the security templates of the SCW (C:\WINDOWS\security\msscw\transformfiles). These are adequate for use as the basic documentation of the server roles in the system documentation.

The GPMC console (Group Policy Management Console) is well suited for documenting the active settings as long as Active Directory is being used. Reports can be exported to an HTML file in a printable format for the group policy objects, resultant sets of policy, and group policy models (mark the desired object | select the menu Action | Save Report...).

Review questions:

• Under Windows Server 2003, are security templates used and integrated into the testing and release process of change management?
• Were rollout and rollback strategies for security templates under Windows Server 2003 or rollback templates planned and tested?
• Are the settings in the security templates under Windows Server 2003 based on the current security recommendations of the manufacturer?
• Are the settings made in the security templates under Windows Server 2003 documented comprehensibly?
• Are the security template files subject to version and access control?