It can be a hassle to deal with existing legacy systems like Windows 9x workstations and applications on your Windows 2000 network. With these older systems in your environment, you can’t take full advantage of the higher-level security that Windows 2000 offers, such as NTLMv2, which is the enhanced networking authentication with a higher level of security to prevent password snooping.
I recommend that you replace these archaic systems with Windows 2000/XP workstations and Windows 2000/XP-certified applications if at all possible. However, if for some reason you can’t, you can use the Compatible Security Template on your Windows 2000 workstation to allow Windows 9x applications to run. In this Daily Feature, I’ll show you how it’s done.
The Security Templates snap-in
Windows 2000 gives you a centralized way of defining your security roles with the Security Templates snap-in for the MMC. Security templates give you a single point of entry where you can view all system security settings, adjust and apply them to a local computer, or import them to a Group Policy. These templates can serve as the building blocks for configurations you can use in security analysis with the Security Configuration And Analysis snap-in tool.
Adding the Security Templates snap-in
You can add the Security Templates snap-in to an existing console or create a new console. To create a new console, click Start, and then click Run. Type mmc, and click OK. To enable the Security Templates snap-in in an existing MMC, open the console.
To add the snap-in to a console, go to the Console menu, click Add/Remove Snap-in, and then click Add. Select Security Templates, and then click Add. Click Close, and then click OK. On the Console menu, click Save. You’ll need to enter a name for the console. After you enter the name, click Save.
Security template settings
The templates are simple text-based .inf files. This means you can edit the template attributes with Notepad to set all of your settings. You can set almost all of your security settings with these templates, except for the Internet Protocol (IP) Security and public key policies, which have their own tools for deployment.
Security templates cover the following objects:
- Account Policies: security for passwords, account lockouts, and Kerberos policies
- Local Policies: user rights and logging for security events
- System Services: security and startup mode for local services
- Restricted Groups: local group membership administration
- Registry: security for local registry keys
- File System: security for the local file system
After you've configured your security template, you can import it to a Group Policy object. Any objects to which the Group Policy object is a member will receive the security template settings that you've applied. However, Local Group Policies are a special type of Group Policy. Local Group Policies can’t override the domain-based policy, and only your local policies are part of the local security template settings. The initial template applied to a computer during setup is called the Local Computer Policy. The Local Computer Policy can be saved to a security template file to back up the initial system security settings.
Default Security Templates
There are four default Security Templates that you can apply to Windows 2000. These templates are:
- Basic: Basic templates are for the default security settings for almost all security areas, except user rights and group membership.
- Secure: Secure templates provide the security settings for areas of the operating system that are not covered by the basic permissions, including the account policy, auditing, and some security-relevant registry keys.
- Highly secure: Highly secure templates are for Windows 2000-based computers that operate in native Windows 2000 Active Directory domains. In this mode, all network communications must be digitally signed and encrypted. Systems configured with this template can’t communicate with other versions of Windows clients or UNIX and Macintosh OS X systems using SAMBA for Windows connectivity.
- Compatible: The Compatible template (Compatws.inf) opens up the default permissions for the Local Users group so that legacy programs are more likely to run.
You can also create or customize your own template. For the purposes of this Daily Feature, I’m going to focus on Compatws.inf. The Compatible template is handy because it will enable older Windows 9x applications, such as Office 97, to run on Windows 2000/XP.
Problems running older apps in Windows 2000/XP
Older Win9x applications sometimes won’t run in Windows 2000/XP because of its higher security restrictions. Some users may have problems running applications, while others won’t. Diagnosing the problem can be maddening because whether an older application runs or not sometimes depends on how the user logs on to the workstation.
If a user logs on to the workstation with Power Users or Administrator rights, then these older applications will usually run because 2000/XP gives those users more rights to the underlying operating system. A user who logs on as a member of the User group won’t have sufficient rights. The application will launch and find that, due to security restrictions, it can’t access parts of the operating system it needs. Therefore the application fails.
The Compatible template gets around this restriction. It loosens the restricted rights of the User group. After running the template, users in the User group will have sufficient rights to run older applications with a greater chance of success.
A security issue
As you can probably guess, there's a downside to using the Compatible template to run older apps in Windows 2000/XP: users will have more opportunity to run programs accidentally, including programs that can damage the system, such as viruses and Trojan horses. This is why Microsoft recommends that you replace the older applications with Windows 2000/XP-certified applications rather than crippling 2000/XP’s built-in security.
Editing the templates
You have a couple of options for editing the templates. If you're adventurous, have a lot of free time, and like the fact that there isn't much documentation, you can go to C:\WINNT\Security\Templates and edit the .inf files with your favorite text editor. An easier option is to click Start | Run | MMC; press [CTRL]M to add a module; click Add and select Security Templates; and open the tree to the template that you wish to edit.
Next, drop down the tree in the MMC to display the settings for Compatws, or, alternatively, open C:\WINNT\Security\Templates\Copmatws.inf in your favorite text editor. You'll see that the only settings are for the registry and some files. You can leave these as they are or go through the different settings to change what you may need to for your particular environment.
I prefer to edit the Event log information to set the maximum size, as well as how long entries should hang around. This is also helpful if your old applications send lots of errors to the event logs. Once you've set your additional settings, just save the template to a new name. You're now ready to apply your template.
Applying your template
Now that you've saved your template, you need to apply it to your local system. First try the template out on a test system or your own system to verify that your settings don’t lock you out. To apply your settings to a local computer, load the Security Configuration And Analysis snap-in; press [CTRL]M to add a module; click Add ([ALT]D); and select it. Then right-click Security Configuration And Analysis—you may need to select a working database if one isn't already set—and click Open Database to set a working database. Select Import Template. Select a Security Template file, and click Open.
You can repeat the previous step for each template you want to merge into the database. You can also use a group policy to enable your new template throughout the domain. To apply the settings, right-click Security Configuration And Analysis, and then click Configure System Now. If you get an error message, you might not have access to the database on your system. In that case, find someone with administrator access to apply your settings, or change the global settings for the security database access rights. For more information about the Security Configuration And Analysis tool, see the Daily Drill Down “Analyze your Windows 2000 server’s security with the Security Configuration and Analysis Snap-in.”