Default security template Windows XP
The Compatible template also removes all members of the Power Users group. The Secure templates define enhanced security settings that are least likely to affect program compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. There are two predefined Secure templates in Windows Server Securews.
For additional information about using these templates and other security templates, search Help and Support Center for "predefined security templates". The Highly Secure templates specify additional restrictions that are not defined by the Secure templates, such as encryption levels and signing required for authentication and data exchange over secure channels and between Server Message Block (SMB) clients and servers.
This template specifies the root permissions. By default, Rootsec. You can use this template to reapply the root directory permissions if they are inadvertently changed, or you can modify the template to apply the same root permissions to other volumes. As specified, the template does not overwrite explicit permissions that are defined on child objects; it propagates only the permissions that are inherited by child objects. These include:
When you finish defining security settings, right-click on the template that you have created and select the Save command from the shortcut menu to save your changes.
When Windows displays the list of available snap-ins, select the Security Configuration and Analysis snap-in, shown below, and then click the Add button, followed by the OK button.
The first thing that you will need to do after loading the snap-in for the first time is to create a database. As you can see in the figure below, you can create a database by right-clicking on the Security Configuration and Analysis container, choosing the Open Database command from the shortcut menu, and then typing a name for a new database. When you use this tool in the future, you can reuse the database that you are creating now. At this point, you will be prompted to load a security template for analysis.
Select the security template that you had previously created, and click Open. Once you have imported the template, the tool is ready to use. You can use the Security Configuration and Analysis tool to either configure a computer or to analyze a computer.
For established Windows PCs, you will probably want to perform an analysis. To do so, right-click on the Security Configuration and Analysis container, and select the Analyze Computer Now command from the shortcut menu.
When prompted, enter the desired log file path, and click OK. When the analysis finishes, you can review the log file or you can browse the console.
This reference topic describes the common scenarios, architecture, and processes for security settings. Security policy settings are rules that administrators configure on a computer or multiple computers for the purpose of protecting resources on a computer or network. The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable administrators to manage security settings for multiple computers from any computer joined to the domain.
Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. To manage security configurations for multiple computers, you can use one of the following options:
Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object.
A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local computer, or used to analyze security.
For more information about managing security configurations, see Administer Security Policy Settings.
Account Policies. These policies are defined on computers; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies:
Password Policy. These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts.
Account Lockout Policy. These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts.
Kerberos Policy. These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement.
Local Policies. These policies apply to a computer and include the following types of policy settings:
Audit Policy. Specify security settings that control the logging of security events into the Security log on the computer, and specify what types of security events to log (success, failure, or both).
User Rights Assignment. Specify the users or groups that have logon rights or privileges on a computer.
Security Options. Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on.
Windows Firewall with Advanced Security. Specify settings to protect the computers on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your computer and the network.
Network List Manager Policies. Specify settings that you can use to configure different aspects of how networks are listed and displayed on one computer or on many computers.
Public Key Policies.
Software Restriction Policies. Specify settings to identify software and to control its ability to run on your local computer, organizational unit, domain, or site.
Application Control Policies. Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files.
Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services.
Advanced Audit Policy Configuration. Specify settings that control the logging of security events into the Security log on the computer. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies.
The Security Settings extension to Group Policy provides an integrated policy-based management infrastructure to help you manage and enforce your security policies.
A group of servers with the same functionality can be created (for example, a Microsoft Web (IIS) server), and then Group Policy Objects can be used to apply common security settings to the group. If more servers are added to this group later, many of the common security settings are automatically applied, reducing deployment and administrative labor. Security Settings policies are used to manage the following aspects of security: accounts policy, local policy, user rights assignment, registry values, file and registry Access Control Lists (ACLs), service startup modes, and more.
As part of your security strategy, you can create GPOs with security settings policies configured specifically for the various computer roles in your organization, such as domain controllers, file servers, member servers, clients, and so on.
You can create an organizational unit (OU) structure that groups computers according to their roles. Using OUs is the best method for separating specific security requirements for the different computer roles in your network.
This means that the ACLs will be modified on the registry key for that service when the template is applied. It's a known bug in SCE, a very annoying one for anyone who's had to deal with it. What are you trying to accomplish with the groups?
It sounds like you want to create some groups and add some users to them. Restricted groups can't create groups, it only enforces membership. Restricted groups will remove any members added manually when group policy is refreshed. People normally use it to prevent adding accounts to powerful groups like Administrators and Backup Operators, not to simply populate groups.
The fact that it will remove accounts that are added manually can be confusing and frustrating when other admins are trying to maintain the systems.
Use the command prompt utility net. Type 'net help localgroup' for details on how to use the utility. You can write a shell script that you run on each system. Don't use that template as a starting point. Use the security guidance I listed to get started. You can use GPOAccelerator to apply group policy locally, but you'd have to spend some time figuring out how to customize the group policies it has.
You'd have to do some customization to use it too, you should investigate both to figure out which one would be easier for you to adopt. If you don't want to invest the time to customize either of these you can do what you originally planned and only apply settings via security templates. This would be quicker but note that security templates include about settings, there are 2 or 3 hundred other security settings available in group policy that cannot be applied with them.
FYI-my entire goal on this effort is to ensure consistent and accurate policies on each of the computers, to implement user management, and to lock down all computers as best as possible in such a way that the same policy can be applied to all devices.
It should be noted that these computers generally have little to no user interaction. Once this effort is over, we may go into further detail by hardening ports, programs and services specific to each device. But this is a first step to make sure we have user management and baseline security.
I am reading all this data. Everything I am reading in the files that came with the tool kit is written from the viewpoint of a domain being present. Do you know of any guides that assume there is no domain?
Wednesday, September 23, PM.
Specifically, if a setting is not applicable to a device but I set and apply that setting anyway, what is the effect?
Also, what is the effect of applying a security template that has service settings defined in it that the computer does not have? For example, in my custom security template, if I define the startup type of the Alerter service as disabled but the computer I am applying the template to does not have the Alerter service installed, what happens?
Alerter is just an example, I realize it is a standard service. Is it possible to define additional settings? I imagine there would be a way to do this for developers. The "Local Computer Policy" snap-in via the group policy snap-in. Does this snap-in contain all the built-in Windows security settings or are there more somewhere else?
You mention that the group policy snap-in has about an additional security settings that the security templates do not have. Can you clarify where these are and what they are? Is there a way to define my groups and users using the MMC in such a way that, during implementation, I can just open the saved MMC console and just apply the settings, groups, users, etc. with one click and just the MMC?
Can you explain the section called "administrative templates"? These look like security settings for specific applications. How is this list generated? What happens if I apply these to another computer that does not have all the applications installed? Is there a way to add software settings to the administrative template for software not installed on this development computer?
Tuesday, September 29, PM.
No, it does not. Open gpedit. You can completely customize them, but you're asking for an in-depth briefing on group policy architecture and how to customize the group policy editor user interface.
GPO sections are split by "computer configuration" and "user configuration". Are the settings in each completely unique to the other? If so, what is the order of precedence? Any recommended documentation on implementing GPOs in a non-domain, non-Active Directory environment? I now know how to apply them in an Active Directory.