Windows 2000 includes several predefined security templates that you can apply to increase the level of security for computers that are running either Windows 2000 Professional or Windows 2000 Server. These security templates are plain text files that you can edit manually by using a text editor such as Notepad. However, it is recommended that you use the Security Templates Microsoft Management Console (MMC) snap-in to make changes to these templates. This article describes how to apply predefined security templates.
Important: Implementing a security template on a domain controller may change the settings of the Default Domain Controller Policy or the Default Domain Policy. The applied template may overwrite permissions on new files, registry keys and system services created by other programs. Restoring these policies may be required after you apply a security template. Before you follow these steps on a domain controller, create a backup of the SYSVOL share.
There are four categories of pre-built security templates:
The basic, secure, and high security templates represent increasing levels of security. The miscellaneous templates include compatibility templates, optional components templates, and original setup security templates.
The basic templates include:
Basicdc: Applies a basic level of security for domain controllers.
Basicsv: Provides a basic level of security for file and print servers.
Basicwk: Provides a basic level of security for workstations.
Higher-level security templates include:
Securedc: Provides a higher level of security for domain controllers.
Securews: Provides a higher level of security for workstations.
The following templates provide the highest level of security for Windows 2000-based computers but are not compatible with network connectivity with other Windows operating systems:
Miscellaneous security templates include:
ocfiless: Used for file servers.
ocfilesw: Used for workstations.
setup security: Applies the default Windows 2000 security configuration.
These security templates add security settings for optional components such as Terminal Services and certificate services.
You can apply security template settings by using the Security Configuration and Analysis snap-in. When you use this snap-in, you can import security templates and apply them to a computer, site, domain, or to an organizational unit. You can apply the security settings to a local computer configuration or to a Group Policy Object. You can also use this tool to analyze the security settings for a local computer or for a Group Policy Object.
To apply security template settings:
At a command prompt, type mmc.
Click Add/Remove Snap-in on the Console menu.
Click Add in the Add/Remove Snap-in dialog box.
In the Add Standalone Snap-in dialog box, click the Security Configuration and Analysis snap-in, click Add, click Close, and then click OK.
To create a new security database, right-click the Security Configuration and Analysis node in the left pane, and then click Open Database.
Type a name for the database in the Open database dialog box, and then click Open.
In the Import Template dialog box, click the security template that you want to apply, and then click Open.
Right-click the Security Configuration and Analysis node in the left pane, and then click Configure Computer Now.
Note: You can save security templates with a different name and then import the templates into the database. You can make granular changes to the security template and apply those changes incrementally with the Security Configuration and Analysis snap-in.
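Because the templates are plain text and applying one can overwrite existing settings, it helps to list exactly which entries an edited copy changes before you click Configure Computer Now. The following Python script is an added example, not part of the original article: the two sample templates are constructed for illustration, the function names are hypothetical, and the file loader assumes the template was saved as Unicode.

```python
# Added example: diff two security templates before applying one.
# Both samples are constructed; they are not the contents of any shipped template.
BASE = """[System Access]
; password policy
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
"""
EDITED = """[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditSystemEvents = 1
"""

def parse_template(text):
    """Return {section: {key: value}}; names are lower-cased so case differences are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None:
            key, _, value = line.partition("=")     # entries without "=" get value ""
            current[key.strip().lower()] = value.strip()
    return sections

def diff_templates(old, new):
    """List (section, key, old_value, new_value); None marks an absent entry."""
    changes = []
    for section in sorted(set(old) | set(new)):
        a, b = old.get(section, {}), new.get(section, {})
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):
                changes.append((section, key, a.get(key), b.get(key)))
    return changes

def load_template(path, encoding="utf-16"):
    # Assumption: the template was saved as Unicode; pass another encoding if not.
    with open(path, encoding=encoding) as fh:
        return parse_template(fh.read())

if __name__ == "__main__":
    for section, key, before, after in diff_templates(parse_template(BASE), parse_template(EDITED)):
        print(f"[{section}] {key}: {before!r} -> {after!r}")
```

To compare real files, pass the results of two `load_template` calls to `diff_templates` and review the output before importing the edited template into the database.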
For more information about predefined security templates, click Start, click Help, type predefined security templates in the Search box, and then press ENTER. After you do this, Help topics are displayed that describe predefined security templates.