3. What are the three ways to apply a security template to a computer running a
Windows operating system?
Lesson Summary
■ A security template is a collection of configuration settings stored as a text file with
an .inf extension.
■ Security templates contain basically the same security parameters as Group Policy
Objects, including account, local, and event log policies, file system and registry
permissions, system service parameters, and restricted groups.
■ To create and modify security templates, you use the Security Templates snap-in
for Microsoft Management Console.
■ To apply a security template to a computer, you can use group policies, the Secu
rity Configuration And Analysis snap-in, or the Secedit.exe utility.
■ Windows Server 2003 includes a number of pre-defined templates that enable you
to restore the default security parameters created by the Windows Setup program
and to implement secure and highly secure configurations for workstations, mem
ber servers, and domain controllers.
Lesson 3: Deploying Security Templates
Once you have created or modified your security templates, it is time to deploy them
on your computers running Windows operating systems. There are several methods
you can use to apply security templates, which provide different capabilities, including
mass deployments to groups of computers, scripted deployments, and analysis of a
computer’s existing security configuration.
After this lesson, you will be able to ■ Use group policies to deploy security templates.
■ Use the Security Configuration And Analysis snap-in to compare a computer’s security
settings with a security template and apply a template to the computer.
■ Understand the functions of the Secedit.exe command line program.
Estimated lesson time: 30 minutes Using Group Policies
To configure a large group of computers in a single operation, you can import a secu
rity template into the Group Policy Object for a domain, site, or organizational unit
object in Active Directory. However, there are a few cautions that you must observe
when using group policies to deploy security templates.
Group Policy Deployment Cautions
As with other security settings, the configuration parameters you import into the Group
Policy Object for a specific container are inherited by all the objects in that container,
including other containers. Most networks use different levels of security for computers
performing various roles, so it is relatively rare for administrators to apply a security
template to a domain or site object, because then all the computers in that domain or
site receive the same settings. At the very least, your domain controllers should have a
higher level of security than the other computers on your network.
Tip When creating security templates for importation into group policies, the best practice is
to place your computers into organizational units according to their roles and create individual
templates for each organizational unit. This way you can customize the security configuration for
each role, and modify the template for each role as needed, without affecting the others.
Another consideration when importing security templates into Group Policy Objects is
the amount of data in the template itself. Every computer running a Windows operating
system in an Active Directory container refreshes its group policy settings every 90 min
utes, except for domain controllers, which refresh their settings every five minutes. It is
possible for a security template to contain a large number of settings, and the continual
refreshing of large templates to a large fleet of computers can generate a great deal of
Active Directory traffic and place a heavy burden on the network’s domain controllers.
Note When you look at the sizes of the pre-defined security templates included with Windows
Server 2003, it is easy to see which ones you should not deploy using group policies. Most of
the templates are less than ten kilobytes, with the notable exceptions of the “DC Security.inf”
and “Setup Security.inf” templates, which are 127 and 784 kilobytes respectively.
Deploying Security Templates Using Group Policies
To deploy a security template using group policies, you select an Active Directory
object that has a GPO and import the template into the GPO. The template’s settings
then become part of the GPO, overwriting any existing values. The importation pro
cess proceeds as follows:
Bạn đang xem 3. - MICROSOFT PRESS MCSA MCSE SELF PACED TRAINING KIT EXAM 70 293 PHẦN 6 PPTX