Windows 2000 Default Security Policy Templates

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows 2000 ships with a broad selection of security templates. You can use them as they are, or use them as the starting point for your organization's security templates. You can tighten a normal or standard level template or loosen a secure template. The initial template applied to a computer is called the Local Computer Policy. The Local Computer Policy can be exported to a security template file, to preserve initial system security settings. This enables restoration of the initial security template at any later point. The predefined templates can be customized using the Security Templates mmc snap-in and can be imported into the Security Settings extension of the Group Policy snap-in. See SecEdit, a commandline utility, for a tool to script the analysis, configuration and validation of security settings using templates. In any case, it is very informative to review the default security templates. These templates can be found in the %systemroot%\security\templates folder. The security templates incrementally modify default Windows 2000 security settings that exist on a clean install. The security templates are:

Template File	Default security for:
basicwk.inf	standard workstation
basicsv.inf	standard server
basicdc.inf	standard domain controller
compatws.inf	compatible workstation or server
notssid.inf	Terminal Services backward compatibility
securews.inf	secure workstation or server
hisecws.inf	high security workstation or server
securedc.inf	secure domain controller
hisecdc.inf	high security domain controller

The procedure to retro-fit Windows 2000 security when upgrading from Windows NT:

Server :

Convert partitions to NTFS
cd %windir%\security\templates
secedit /configure /cfg basicsv.inf /db basicsv.sdb /log basicsv.log /verbose

Workstation :

Convert partitions to NTFS
cd %windir%\security\templates
secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log /verbose

Templates:

Basic

The basic templates can be considered as back outs for changes made by applying one of the more stringent templates. You can reapply the basic template to return to default security settings. User rights and group membership are unaffected by templates. If you upgrade from NT to W2K, one should apply to get the built-in Users group appropriately restricted. The upgraded PC after the basic template is applied, would have Windows 2000 default security settings.

Compatible

The Compatible configuration liberalizes the default permissions for the Users group so that older apps such as Office 97 are more likely to run. If you do not want to change the default permissions for Users, you will have to use the default Power Users group to achieve equivalent ability to run old apps.

Terminal Services

Needed to allow older programs to run under Terminal Services on a W2K server. The template grants additional permissions to Terminal Services users. Once this template is applied the system has the same default permissions as a standard Windows 2000 server that is running Terminal Services.

Secure

The secure template does not effect permissions but sets tighter parameter setttings for account policy, password policy, and audit policy. It also tightens up security sensitive registry setting. Access control lists are not modified by the secure templates because it is assumed that default W2K security settings are already in effect, and that users are members of the Users group. The Secure template removes all members of the Power Users group to enforce this assumption.

Highly Secure

The highly secure templates are designed for W2K only environments where down-level clients are not supported. This configuration requires all network communications to be digitally signed and encrypted. The Highly Secured template reduces Power Users the same access granted to normal users to the file system and registry keys. This template removes the Terminal Server user from all file system and registry ACLs ensuring that users logging on to Terminal Server environments are subject to the same restrictions as normal users.

The secure and highly secure templates for workstations include a gotcha!. After applying the template, authenication is restricted to NTLMv2 and this will cause problems with NT4 domain controllers unless they have had SP4 or later applied. Basically the W2K Pro workstation can not join an NT domain or if already part of a domain, it may have problems keeping the workstation trust valid. Either don't apply the secure templates or upgrade your NT domain controllers to SP4 or later. If you haven't done this already, you have bigger problems than this issue.

There are real possiblities for getting into security gotcha!s when upgrading a box from NT to W2K. The basic templates should work well although you might lose local restrictions defined used as your organization's standard. Applying more strict templates raise the potential for security settings conflicts between the templates and the legacy settings resulting from the upgrade process.

There was an interesting gotcha! when you use XP workstation to create W2K templates :

"Windows Cannot Read Template Information" Error Message When You Try to View a Windows XP-based Template in a Windows 2000 Domain

Related Tips:

Register Now for Office365 CON - 2017 Online Conference!

Early registration is now open for Office365 CON 2017, the annual online gathering of IT Strategists, Microsoft MVPs and Messaging Technology Vendors. This convenient, annual online event is presented by TechGenix and MSExchange.org for the benefit of busy IT Professionals within the global Office 365 and MS Exchange communities.

Early registrants for this year's conference will also receive a Symantec White Paper: Top 5 SSL/TLS Attack Vectors: How they have impacted IT and how you can avoid them , as well as an invitation to join a special Conference Preview broadcast.

Time and Date: Thursday, March 23, 2017, starting at 10am EDT | 9am CDT | 7am PDT

Newsletter Subscription

WindowsNetworking.com Sections

Featured Freeware

Download Free TFTP Server. The most trusted on the planet by IT Pros

Home
Articles & Tutorials
Building a PowerShell GUI (Part 13)

This article concludes the PowerShell GUI series by demonstrating a technique for changing a virtual machine’s memory allocation by using a GUI interface... Read More

Importance of Service Records (SRV) in an Active Directory Environment

SRV Records, sometimes referred to as Service Records, are required by services such as LDAP, KDC, Global Catalog, KMS and any other applications that registers SRV records to provide services to the clients... Read More

Articles & Tutorials Categories
KBase Tips
How do I list Active Directory Manual Replication Connection Objects?

Tip explains how to get manually created replication connection objects in an Active Directory Forest... Read More

Check Object Replication Status across Active Directory Forest

Tip explains how you can check object replication status Active Directory forest... Read More

Windows Server 2012/2008/2003/2000/XP/NT Administrator Knowledge Base Categories

Reviews
Free Tools
Blogs
Forums
White Papers
Contact Us

Community Area

Windows 2000 Default Security Policy Templates

See Also

See Also

Featured Links