Windows Security Templates

Anonymous
January 31, 2005 9:31:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I have a question about Security Templates.

Q:
How can I make a template that would be as identical as when a wks is a
member of an AD Domain?
This is for standalone users.
Reason I ask is because I am wondering what security is applied when a user
is a member of the domain, like encryptions, passwords stored in reg? etc!!

So I guess I want to make something that is "almost" as secure as being in a
domain when you are working standalone (workgroup)

Hope this makes sense
Anonymous
February 1, 2005 12:37:22 AM

Domain computers, other than domain controllers, only will have domain
password policy applied to override their local security policy. Nothing
else such as security options or user rights are applied to a regular domain
computer. Therefore you can configure a template to your custom needs for
password/account policy. Good practice would be to enable password
complexity and use passwords of at least eight characters in length. Other
security settings can be configured but a lot depends on the type of network
they will be in and what other operating systems they will work with. The
Windows 2000 Security Hardening Guide can help you with that and includes
some example templates. I would also consider doing the registry mod to
disable storing of lm hashes on your computers if possible. The links below
will help. -- Steve

http://www.microsoft.com/technet/Security/prodtech/win2...
--- Windows 2000 Security Hardening Guide.
http://support.microsoft.com/kb/299656/en-us/ --- disable lm hash
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --- security
settings and incompatibilities

"Acidbat" <Acidbat@discussions.microsoft.com> wrote in message
news:FDEAC059-8196-4100-A5EA-BE2F2BC53B60@microsoft.com...
>I have a question about Security Templates.
>
> Q:
> How can I make a template that would be as identical as when a wks are a
> member of an AD Domain?
> This is for standalone users.
> Reason I ask is because I am wondering what security is applied when a
> user
> is a member of the domain, like encryptions, passwords stored in reg?
> etc!!
>
> So I guess I want to make something that is "almost" as secure as being in
> a
> domain when you are working standalone (workgroup)
>
> Hope this makes sense
Anonymous
February 1, 2005 12:37:23 AM

thanks mate :) 

"Steven L Umbach" wrote:

> Domain computers, other than domain controllers, only will have domain
> password policy applied to override their local security policy. Nothing
> else such as security options or user rights are applied to a regular domain
> computer. Therefore you can configure a template to your custom needs for
> password/account policy. Good practice would be to enable password
> complexity and use passwords of at least eight characters in length. Other
> security settings can be configured but a lot depends on the type of network
> they will be in and what other operating systems they will work with. The
> Windows 2000 Security Hardening Guide can help you with that and includes
> some example templates. I would also consider doing the registry mod to
> disable storing of lm hashes on your computers if possible. The links below
> will help. -- Steve
>
> http://www.microsoft.com/technet/Security/prodtech/win2...
> --- Windows 2000 Security Hardening Guide.
> http://support.microsoft.com/kb/299656/en-us/ --- disable lm hash
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --- security
> settings and incompatibilities
>
> "Acidbat" <Acidbat@discussions.microsoft.com> wrote in message
> news:FDEAC059-8196-4100-A5EA-BE2F2BC53B60@microsoft.com...
> >I have a question about Security Templates.
> >
> > Q:
> > How can I make a template that would be as identical as when a wks are a
> > member of an AD Domain?
> > This is for standalone users.
> > Reason I ask is because I am wondering what security is applied when a
> > user
> > is a member of the domain, like encryptions, passwords stored in reg?
> > etc!!
> >
> > So I guess I want to make something that is "almost" as secure as being in
> > a
> > domain when you are working standalone (workgroup)
> >
> > Hope this makes sense
>
>
>
Anonymous
February 1, 2005 12:55:48 AM

I think it is mostly true to say that any policy that can be applied from
AD using GPO can also be set in a template for use with a standalone.

The main difference is that when these settings are in a GPO they are
enforced and reapplied, if need be, by the policy engine. A secondary
difference is found in settings that are part of an adm template rather
than as part of the main Sce template.

In a standalone environment one can do a one-time application of the
template using the Security Configuration and Analysis MMC snap-in,
and one can do an import of the security policy portion into the local
security policy, but the local policy engine will not enforce and reapply
the settings - if they get changed they get changed (the only settings
imported into local policy, the security settings, will be handled by the
local policy engine).

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Acidbat" <Acidbat@discussions.microsoft.com> wrote in message
news:FDEAC059-8196-4100-A5EA-BE2F2BC53B60@microsoft.com...
>I have a question about Security Templates.
>
> Q:
> How can I make a template that would be as identical as when a wks are a
> member of an AD Domain?
> This is for standalone users.
> Reason I ask is because I am wondering what security is applied when a
> user
> is a member of the domain, like encryptions, passwords stored in reg?
> etc!!
>
> So I guess I want to make something that is "almost" as secure as being in
> a
> domain when you are working standalone (workgroup)
>
> Hope this makes sense
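
Added example (not part of any post in this thread): the replies above suggest a template with password complexity and an eight-character minimum, and note that a standalone machine applies a template once without re-enforcing it. The sketch below compares a baseline template against an export of the local policy in the same INF format to detect drift; both INF texts are constructed samples, the extra `MaximumPasswordAge` and `LockoutBadCount` values are illustrative assumptions, and the function names are hypothetical.

```python
import configparser

# Constructed baseline template: complexity on and minimum length 8 as
# suggested in the thread; the other two values are illustrative assumptions.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 90
LockoutBadCount = 5
"""

# Constructed export of a standalone machine's local policy some time after
# the one-time application: one setting changed, one missing.
EXPORTED_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
MaximumPasswordAge = 90
"""

def parse_template(text):
    """Parse security-template INF text into {section: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the original case of setting names
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def find_drift(baseline_text, exported_text, section="System Access"):
    """Return sorted (key, expected, actual) where the export differs."""
    want = parse_template(baseline_text).get(section, {})
    have = parse_template(exported_text).get(section, {})
    drift = []
    for key, expected in want.items():
        actual = have.get(key)  # None: setting absent from the export
        if actual is None or actual.strip() != expected.strip():
            drift.append((key, expected, actual))
    return sorted(drift)

if __name__ == "__main__":
    for key, expected, actual in find_drift(BASELINE_INF, EXPORTED_INF):
        print(f"DRIFT {key}: template={expected} local={actual}")
```

Running a comparison like this on a schedule gives a workgroup machine a drift report in place of the periodic reapplication that a domain GPO would provide.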