
3. What are the three ways to apply a security template to a computer running a Windows operating system?

Lesson Summary

■ A security template is a collection of configuration settings stored as a text file with an .inf extension.
■ Security templates contain basically the same security parameters as Group Policy Objects, including account, local, and event log policies, file system and registry permissions, system service parameters, and restricted groups.
■ To create and modify security templates, you use the Security Templates snap-in for Microsoft Management Console.
■ To apply a security template to a computer, you can use group policies, the Security Configuration And Analysis snap-in, or the Secedit.exe utility.
■ Windows Server 2003 includes a number of pre-defined templates that enable you to restore the default security parameters created by the Windows Setup program and to implement secure and highly secure configurations for workstations, member servers, and domain controllers.

Lesson 3: Deploying Security Templates

Once you have created or modified your security templates, it is time to deploy them on your computers running Windows operating systems. There are several methods you can use to apply security templates, which provide different capabilities, including mass deployments to groups of computers, scripted deployments, and analysis of a computer’s existing security configuration.

After this lesson, you will be able to
■ Use group policies to deploy security templates.
■ Use the Security Configuration And Analysis snap-in to compare a computer’s security settings with a security template and apply a template to the computer.
■ Understand the functions of the Secedit.exe command line program.

Estimated lesson time: 30 minutes

Using Group Policies

To configure a large group of computers in a single operation, you can import a security template into the Group Policy Object for a domain, site, or organizational unit object in Active Directory. However, there are a few cautions that you must observe when using group policies to deploy security templates.

Group Policy Deployment Cautions

As with other security settings, the configuration parameters you import into the Group Policy Object for a specific container are inherited by all the objects in that container, including other containers. Most networks use different levels of security for computers performing various roles, so it is relatively rare for administrators to apply a security template to a domain or site object, because then all the computers in that domain or site receive the same settings. At the very least, your domain controllers should have a higher level of security than the other computers on your network.

Tip: When creating security templates for importation into group policies, the best practice is to place your computers into organizational units according to their roles and create individual templates for each organizational unit. This way you can customize the security configuration for each role, and modify the template for each role as needed, without affecting the others.

Another consideration when importing security templates into Group Policy Objects is the amount of data in the template itself. Every computer running a Windows operating system in an Active Directory container refreshes its group policy settings every 90 minutes, except for domain controllers, which refresh their settings every five minutes. It is possible for a security template to contain a large number of settings, and the continual refreshing of large templates to a large fleet of computers can generate a great deal of Active Directory traffic and place a heavy burden on the network’s domain controllers.

Note: When you look at the sizes of the pre-defined security templates included with Windows Server 2003, it is easy to see which ones you should not deploy using group policies. Most of the templates are less than ten kilobytes, with the notable exceptions of the “DC Security.inf” and “Setup Security.inf” templates, which are 127 and 784 kilobytes respectively.
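
As an added example (not from the original lesson), the PowerShell function below profiles each template in a folder by file size and per-section setting count, so that oversized templates can be spotted before they are imported into a GPO. The function name Get-TemplateProfile, the 100 KB -MaxKB budget, and the sample template are assumptions constructed for illustration.

```powershell
# Added example. Get-TemplateProfile and the -MaxKB budget are assumptions
# made for illustration; they are not Windows or Microsoft definitions.
function Get-TemplateProfile {
    param([Parameter(Mandatory)] [string] $Path, [int] $MaxKB = 100)
    Get-ChildItem -Path $Path -Filter *.inf | ForEach-Object {
        $file    = $_
        $counts  = [ordered]@{}
        $section = $null
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $text = $line.Trim()
            if ($text -eq '' -or $text.StartsWith(';')) { continue }  # blank line or comment
            if ($text -match '^\[(.+)\]$') {                          # section header
                $section = $Matches[1]
                if (-not $counts.Contains($section)) { $counts[$section] = 0 }
            } elseif ($section) {
                $counts[$section] = $counts[$section] + 1             # one setting per line
            }
        }
        $largest = $counts.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 1
        [pscustomobject]@{
            Template       = $file.Name
            SizeKB         = [math]::Round($file.Length / 1KB, 1)
            Settings       = [int]($counts.Values | Measure-Object -Sum).Sum
            LargestSection = if ($largest) { '{0} ({1})' -f $largest.Key, $largest.Value } else { '' }
            WithinBudget   = ($file.Length / 1KB) -le $MaxKB
        }
    }
}

# Constructed sample template, written to a temporary folder so this runs anywhere.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'template-profile-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 3
[File Security]
"%SystemRoot%\repair",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
'@ | Set-Content -LiteralPath (Join-Path $dir 'sample.inf') -Encoding Unicode
Get-TemplateProfile -Path $dir | Format-Table -AutoSize
```

Run it against the folder that holds your own templates to see which sections account for a template's size before you import it into a GPO.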

Deploying Security Templates Using Group Policies

To deploy a security template using group policies, you select an Active Directory object that has a GPO and import the template into the GPO. The template’s settings then become part of the GPO, overwriting any existing values. The importation process proceeds as follows: