Whether your organization uses site, domain, or organizational unit (OU) group policies, you can use Windows XP's Security Configuration And Analysis Snap-in to configure and enforce local group policies that make your XP workstations more secure. Let's discuss how it works.
A crash course in Windows XP group policies
Before I can show you how to use the Security Configuration And Analysis Snap-in, you need to understand a few things about the way that group policies work. Group policies are hierarchical in nature. They are applied at various levels and are combined to form what’s known as the resultant set of policy.
The hierarchy comes into play when a workstation connects to a network that utilizes Active Directory. When a user logs on, the local Windows XP group policy is applied. After that, additional group policies are applied at various levels of Active Directory (assuming that the policies exist). Group policies can be applied at the site, domain, and organizational unit level.
What makes things interesting is that every group policy contains the same set of group policy elements (settings). Most of the time, a group policy won’t come close to using every available policy element. Even so, the potential exists for settings to contradict each other. Windows resolves conflicts by using a “most recent policy wins” rule. For example, the final group policy applied in the hierarchy is the OU-level policy. So if a policy element in the OU-level group policy contradicts a policy element set at a level applied earlier (local, site, or domain), the earlier setting is overwritten by the setting in the OU-level group policy.
The local group policy is the first one applied at login. So elements within the local group policy are very likely to get overwritten by higher level group policy elements. Even so, it’s important to make sure your local group policies are strong, because there are situations in which higher level group policies may not be available. In these situations, the local group policy becomes the machine’s only line of defense. This situation would occur if a user logged in using a local user account rather than a domain account. It might also occur if a user attempted to log into a domain, but the domain controller could not be contacted. In either case, any group policies contained within Active Directory are unavailable and the local security policy forms the machine’s entire resultant set of policy.
Creating an effective local security policy
Although Windows XP’s local security policy doesn’t have a single policy element set by default, Windows XP includes a number of templates that you can use to configure precisely the policy elements needed to secure Windows XP within your particular environment. These templates have two different purposes. First, they can be used to activate the necessary group policy elements within the local security policy. Second, they can be used to audit the local security policy. Remember that security isn't a "set it and forget it" operation. You need to make sure that the security policy elements that you set are still properly set. The templates can assist with this by comparing the existing security settings with the desired security settings to make sure that everything still matches.
Now that I have explained how group policies work and what the templates do, let’s take a look at how to use the templates. You must begin by opening an empty Microsoft Management Console (MMC) session. To do so, enter the MMC command at the Run prompt. Next, select the Add/Remove Snap-In command from the console’s File menu. You'll see the Add/Remove Snap-In properties sheet. Click the Add button on the properties sheet’s Standalone tab and you'll see a dialog box containing all of the available snap-ins. Scroll toward the bottom of the list, select the Security Configuration And Analysis option, and click the Add button. Then click Close and OK.
If this is the first time you've used the Security Configuration And Analysis tool on this machine, you'll need to create a new database. Right-click on the console’s Security Configuration And Analysis container and select the Open Database command from the shortcut menu. Windows will launch the Open Database dialog box. Since no databases presently exist, just type the name you would like to give your database and then click Open.
Windows will display the Import Template dialog box. This dialog box allows you to select which template to use to secure or to audit the workstation. Technically, you aren’t limited to using a single template. You can import multiple templates into the database. If you do import multiple templates, the group policy elements within those templates will be combined. In the event of contradictory group policy elements within the templates, the template that was most recently imported takes precedence. In most cases, though, I don’t recommend importing multiple templates because things can get too confusing. If you really need a policy that is made up of elements from various templates, you're usually better off creating a custom template of your own than trying to combine the various templates.
In case you are wondering, a template is really nothing more than an .INF file that’s located in the \WINDOWS\SECURITY\TEMPLATES folder. The template basically tells Windows which registry keys to modify or check. You can see a small portion of a template file’s contents in Figure A.
|This is what a template file looks like in text form.|
Windows XP gives you seven templates to choose from (or you can create your own). Each of these templates gives you a different level of security. But not all of these templates are appropriate for Windows XP. Microsoft actually ported the Security Configuration And Analysis Snap-in and all of the templates directly from Windows 2000. So some of the templates are intended to be used on servers and are inappropriate for a Windows XP workstation.
You can get a feel for which template was designed for what purpose by looking at the templates' file names. For example, COMPATWS is a basic workstation template, HISECWS is a high security workstation template, and SECUREWS is a medium security workstation template. You probably want to avoid some of the other templates, though. For example, the HISECDC template was originally intended for a high security domain controller.
After selecting the appropriate template, click Open to import the template into the Security Configuration And Analysis Snap-in. Even though the template has been imported into the database you created, the console will still appear to be blank, because you've only told Windows which template you would like to use and haven’t done anything else. To perform any additional actions, you must right-click on the Security Configuration And Analysis container and select the appropriate action. The two primary choices are Analyze Computer Now and Configure Computer Now, but you can also use this menu to import additional templates if necessary.
Auditing the computer
While it might be tempting to jump right in and apply the security template, I recommend auditing the system first, because an audit will compare the computer’s current settings against the settings within the template and notify you of any differences. This provides you with a great opportunity to study the group policy element settings within the template and to check for any undesirable settings. If you do find undesirable settings, you can change them or make a custom template.
To perform an audit of the current security settings, select the Analyze Computer Now option. Windows will prompt you to enter the error log file path. The default location is the \My Documents\Security\Logs folder. Make your selection and click OK to begin the audit.
When the audit completes, Windows will display the group policy tree within the console window. As you navigate through the tree, select any branch that you would like to examine. When you do, the pane on the right will display all of the group policy elements within that branch. Alongside these elements, you'll see the database setting for that group policy element and the computer’s current setting. This allows you to look for discrepancies (see Figure B).
|Auditing the PC allows you to compare the computer’s current settings against those defined in the template.|
Just look to see which group policy settings differ and whether anything needs to be changed. After you have applied your desired policy, running this audit again should show no differences unless a database setting is not defined. If a database setting hasn’t been defined but the policy element has been defined on the computer, the computer's setting remains in place.
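The template layout shown in Figure A and the import, audit, and configure behavior described above can be modelled in a few lines. The Python below is an added example, not code from the original article or from Microsoft's tooling: it parses the [Section] / Key = Value layout of a template, merges several imported templates with the most recently imported one winning, mimics Analyze Computer Now (reporting matches, mismatches, and elements the database leaves undefined) and Configure Computer Now (undefined elements leave the computer's setting in place). The template contents and the computer's current settings are constructed sample data in the same layout; the assumption is that the current settings are available as such a file (secedit /export /cfg produces one).

```python
import configparser
from typing import Dict, Tuple

Settings = Dict[Tuple[str, str], str]  # (section, key) -> value

def parse_template(text: str) -> Settings:
    """Read the [Section] / Key = Value layout of a security template .INF."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key names and registry paths exactly as written
    cp.read_string(text)
    # [Unicode] and [Version] are file bookkeeping, not policy elements
    return {(s, k): v for s in cp.sections() if s not in ("Unicode", "Version")
            for k, v in cp.items(s)}

def merge_templates(*templates: Settings) -> Settings:
    """Several templates imported into one database: the most recently imported wins."""
    return {elem: value for t in templates for elem, value in t.items()}

def analyze(db: Settings, computer: Settings) -> Dict[str, list]:
    """Analyze Computer Now: the database setting beside the computer's current setting."""
    report: Dict[str, list] = {"match": [], "mismatch": [], "not_defined": []}
    for elem in sorted(set(db) | set(computer)):
        if elem not in db:
            report["not_defined"].append(elem)  # not in the database: the PC keeps its value
        elif db[elem] == computer.get(elem):
            report["match"].append(elem)
        else:  # values differ, or the element is defined in the template but absent on the PC
            report["mismatch"].append((elem, db[elem], computer.get(elem)))
    return report

def configure(db: Settings, computer: Settings) -> Settings:
    """Configure Computer Now: defined database elements overwrite the computer's values."""
    return {**computer, **db}

# Constructed samples (not the real XP templates): a medium-security workstation
# template, a small custom override, and the PC's current settings in the same layout.
SECURE_WS = r"""[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""
CUSTOM = "[System Access]\nPasswordHistorySize = 12\n"
CURRENT_PC = r"""[System Access]
MinimumPasswordLength = 0
PasswordHistorySize = 1
MaximumPasswordAge = 42
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""
```

Running analyze(merge_templates(parse_template(SECURE_WS), parse_template(CUSTOM)), parse_template(CURRENT_PC)) lists three mismatches and leaves MaximumPasswordAge as not defined; after configure, a second analyze reports no mismatches while that undefined element still shows the computer's own value.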
Building a custom template
Basically, you want to create a custom template any time none of the built-in templates meet your needs. I also recommend creating a custom template if you've had to import multiple templates into the database. Even if you haven’t changed anything after importing multiple templates, creating a custom template will save you work in the long run, because when you next audit the system, you don’t have to import a bunch of templates. Instead you can use a single template that contains the resultant set of policy from the multiple templates that you originally assembled.
For now, though, let’s assume that you have only imported a single template and need to make some changes to it. Making the change is easy. Simply right-click on the group policy element you want to modify, and then select the Properties command from the shortcut menu. You'll see a properties sheet for the policy element, similar to the one shown in Figure C.
|This is a properties sheet for a group policy element.|
The value displayed within this screen is the computer’s current value, not the template’s value. If you want to modify the template, select the Define This Policy Within The Database check box. You may also modify the policy element’s value if necessary. For example, in Figure C, the computer is configured to keep a single password in the password history. When modifying the database, I could keep this value or I could change it to remember 24 passwords. Just remember that if you change the value, it doesn’t have any direct effect on the computer. It only modifies the database. Click OK to make the modification within the database.
Once you've made the necessary modifications to the database, you must build your custom template. Keep in mind that creating a custom template simply involves exporting the settings from the database into an .INF file. The procedure that you'll use is the same whether you have imported a single template or multiple templates into the database.
To create the custom template, right-click on the Security Configuration And Analysis container and select the Export Template command from the shortcut menu. You'll be asked what name you would like to give to the new template. Enter a name and Windows will create an .INF file in the Templates folder that you can use as your own custom template.
Applying the template
When you're ready to apply the policy elements within the database to the computer, right-click on the Security Configuration And Analysis container and select the Configure Computer Now command. When you do, Windows will prompt you for the path to the error log file. Make your selection, and then click OK to apply the template. You'll see a screen similar to the one shown in Figure D.
|Applying the security templates takes a few minutes.|
After a few minutes, all of the policy elements within the template should be applied. You can verify this by running another audit of your system.