Windows Security Templates

Guest

I have a question about Security Templates.

Q:
How can I make a template that would be identical to when a wks is a
member of an AD Domain?
This is for standalone users.
Reason I ask is because I am wondering what security is applied when a user
is a member of the domain, like encryptions, passwords stored in reg? etc!!

So I guess I want to make something that is "almost" as secure as being in a
domain when you are working standalone (workgroup)

Hope this makes sense
 
Domain computers, other than domain controllers, only will have domain
password policy applied to override their local security policy. Nothing
else such as security options or user rights are applied to a regular domain
computer. Therefore you can configure a template to your custom needs for
password/account policy. Good practice would be to enable password
complexity and use passwords of at least eight characters in length. Other
security settings can be configured but a lot depends on the type of network
they will be in and what other operating systems they will work with. The
Windows 2000 Security Hardening Guide can help you with that and includes
some example templates. I would also consider doing the registry mod to
disable storing of lm hashes on your computers if possible. The links below
will help. -- Steve

http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx
--- Windows 2000 Security Hardening Guide.
http://support.microsoft.com/kb/299656/en-us/ --- disable lm hash
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --- security
settings and incompatibilities
 
thanks mate :)

Steven L Umbach said:
Domain computers, other than domain controllers, only will have domain
password policy applied to override their local security policy. Nothing
else such as security options or user rights are applied to a regular domain
computer. Therefore you can configure a template to your custom needs for
password/account policy. Good practice would be to enable password
complexity and use passwords of at least eight characters in length. Other
security settings can be configured but a lot depends on the type of network
they will be in and what other operating systems they will work with. The
Windows 2000 Security Hardening Guide can help you with that and includes
some example templates. I would also consider doing the registry mod to
disable storing of lm hashes on your computers if possible. The links below
will help. -- Steve

http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx
--- Windows 2000 Security Hardening Guide.
http://support.microsoft.com/kb/299656/en-us/ --- disable lm hash
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --- security
settings and incompatibilities
 
I think it is mostly true to say that any policy that can be applied from
AD using GPO can also be set in a template for use with a standalone.

The main difference is that when these settings are in a GPO they are
enforced and reapplied, if need be, by the policy engine. A secondary
difference is found in settings that are part of an adm template rather
than as part of the main Sce template.

In a standalone environment one can do a one-time application of the
template using the Security Configuration and Analysis MMC snap-in,
and one can do an import of the security policy portion into the local
security policy, but the local policy engine will not enforce and reapply
the settings - if they get changed they get changed (the only settings
imported into local policy, the security settings, will be handled by the
local policy engine).
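
Because nothing reapplies a template on a standalone machine, one way to notice changed settings is to compare the baseline template against a fresh export of the current policy. The sketch below is an added example, not code from this thread. It assumes the export was produced with `secedit /export /cfg` and decoded to text (the file is typically UTF-16), and that the baseline carries the password settings suggested above plus the `NoLMHash` registry value as used on Windows XP and later; both INF samples are constructed.

```python
# Added example: drift check between a baseline security template and an
# export of the machine's current settings. Sample data below is constructed.

def parse_inf(text):
    """Parse security-template INF text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Setting names and registry paths are case-insensitive on Windows.
            current[key.strip().lower()] = value.strip()
    return sections

def drift(baseline_text, exported_text,
          audited=("system access", "registry values")):
    """Return [(section, key, wanted, found)] for baseline settings that the
    exported policy no longer matches; found is None when the key is absent."""
    base, live = parse_inf(baseline_text), parse_inf(exported_text)
    findings = []
    for section in audited:
        for key, wanted in base.get(section, {}).items():
            found = live.get(section, {}).get(key)
            if found != wanted:
                findings.append((section, key, wanted, found))
    return findings

# Constructed baseline: 8-character minimum, complexity on, no LM hash storage.
BASELINE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""

# Constructed export: complexity switched off, NoLMHash entry missing.
EXPORTED = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""

if __name__ == "__main__":
    for section, key, wanted, found in drift(BASELINE, EXPORTED):
        print(f"[{section}] {key}: baseline={wanted} current={found}")
```

Run on a schedule, a non-empty result is the signal to reapply the template.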
 