Sign in with
Sign up | Sign in
Your question

how to apply w2k security to w2k member servers under w2k3..

Tags:
  • Security
  • Servers
  • Windows
Last response: in Windows 2000/NT
Share
March 31, 2005 2:51:09 AM

Archived from groups: microsoft.public.win2000.security (More info?)

hi,

I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3 servers,
20% are w2k servers, I can apply w2k3 member server baseline security to all
w2k3 servers and then apply customized security templates to them according
to specific roles, but how to manage the security to w2k servers using GPO?
if put all w2k servers into one OU and apply baseline security, how to apply
the w2k security template to w2k servers under w2k3 domain? can I just
import the w2k security template into w2k3 GPO and link to w2k servers OU?


thanks!

More about : apply w2k security w2k member servers w2k3

Anonymous
a b 8 Security
March 31, 2005 5:10:16 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I am not sure what the issue is that you (feel you) are seeing.
Policies apply to a specific version or higher of Windows.
For example, there are some policies that apply to W2k and
above, some that apply to XP and above (i.e. W2k3) but not
to W2k, etc..
If one GPO sets W2k and XP era policies all will be applied
to W2k3 and XP machines that are under the influence of that
GPO while only the W2k policies will have effect on the W2k
machines under that GPO's influence.


--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"ben" <ben@discussions.microsoft.com> wrote in message
news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
> hi,
>
> I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3 servers,
> 20% are w2k servers, I can apply w2k3 member server baseline security to
all
> w2k3 servers and then apply customized security templates to them
according
> to specific roles, but how to manage the security to w2k servers using
GPO?
> if put all w2k servers into one OU and apply baseline security, how to
apply
> the w2k security template to w2k servers under w2k3 domain? can I just
> import the w2k security template into w2k3 GPO and link to w2k servers OU?
>
>
> thanks!
Anonymous
a b 8 Security
April 1, 2005 3:15:05 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Yes you can do exactly what you propose and it makes good sense. Create
separate OU's for your Windows 2000 servers and use an OU with a Windows
2000 security template imported into it. Do not mix and match security
templates between Windows 2000 and Windows 2003 computers as you may have
unpredictable results. For domain controllers however do NOT move any out of
the default domain controllers container. You can however create separate
OU's inside of the domain controllers container if need be. Use the Security
Configuration and Analysis mmc snapin to verify the effective security
policy applied to your servers to make sure security settings are what you
expect. The biggest difference in security templates is security options as
Windows 2003 has several more than Windows 2000 and many have been
named. --- Steve


"ben" <ben@discussions.microsoft.com> wrote in message
news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
> hi,
>
> I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3 servers,
> 20% are w2k servers, I can apply w2k3 member server baseline security to
> all
> w2k3 servers and then apply customized security templates to them
> according
> to specific roles, but how to manage the security to w2k servers using
> GPO?
> if put all w2k servers into one OU and apply baseline security, how to
> apply
> the w2k security template to w2k servers under w2k3 domain? can I just
> import the w2k security template into w2k3 GPO and link to w2k servers OU?
>
>
> thanks!
Related resources
April 1, 2005 3:39:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks, roger.

My questions is actually can I use w2k3 security template to w2k servers?
because w2k3 security settings are different from w2k, so do I have to
separate w2k servers from w2k3 servers with different OU? I previously has
the thought that w2k3 security template can be applied to w2k servers
directly, now looks there are lot differences between them.

"Roger Abell" wrote:

> I am not sure what the issue is that you (feel you) are seeing.
> Policies apply to a specific version or higher of Windows.
> For example, there are some policies that apply to W2k and
> above, some that apply to XP and above (i.e. W2k3) but not
> to W2k, etc..
> If one GPO sets W2k and XP era policies all will be applied
> to W2k3 and XP machines that are under the influence of that
> GPO while only the W2k policies will have effect on the W2k
> machines under that GPO's influence.
>
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "ben" <ben@discussions.microsoft.com> wrote in message
> news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
> > hi,
> >
> > I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3 servers,
> > 20% are w2k servers, I can apply w2k3 member server baseline security to
> all
> > w2k3 servers and then apply customized security templates to them
> according
> > to specific roles, but how to manage the security to w2k servers using
> GPO?
> > if put all w2k servers into one OU and apply baseline security, how to
> apply
> > the w2k security template to w2k servers under w2k3 domain? can I just
> > import the w2k security template into w2k3 GPO and link to w2k servers OU?
> >
> >
> > thanks!
>
>
>
Anonymous
a b 8 Security
April 2, 2005 2:48:22 AM

Archived from groups: microsoft.public.win2000.security (More info?)

The templates are groups of settings.
Each setting has a version level, that is, has a minimum
Windows version. If a setting for W2k3 is in a GPO that
is applied to W2k, the W2k will not know what to do with
the setting so it will have no effect upon it.

As with all templates MS has provided, these are guidelines
and examples. One is supposed to craft from them for ones
own environment and needs. Part of that should include
understanding what policy settings actually will have an
effect on each version of Windows so one does not expect
a lower version to be configured/protected in way that it
actually will not be.

However, applying a set of policies that apply to W2k3
onto a W2k server will not hurt the W2k, they just will
not do anything to it.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"ben" <ben@discussions.microsoft.com> wrote in message
news:75011D9B-EFBD-4D17-88F9-1A96625D3BE6@microsoft.com...
> Thanks, roger.
>
> My questions is actually can I use w2k3 security template to w2k servers?
> because w2k3 security settings are different from w2k, so do I have to
> separate w2k servers from w2k3 servers with different OU? I previously has
> the thought that w2k3 security template can be applied to w2k servers
> directly, now looks there are lot differences between them.
>
> "Roger Abell" wrote:
>
> > I am not sure what the issue is that you (feel you) are seeing.
> > Policies apply to a specific version or higher of Windows.
> > For example, there are some policies that apply to W2k and
> > above, some that apply to XP and above (i.e. W2k3) but not
> > to W2k, etc..
> > If one GPO sets W2k and XP era policies all will be applied
> > to W2k3 and XP machines that are under the influence of that
> > GPO while only the W2k policies will have effect on the W2k
> > machines under that GPO's influence.
> >
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "ben" <ben@discussions.microsoft.com> wrote in message
> > news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
> > > hi,
> > >
> > > I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3
servers,
> > > 20% are w2k servers, I can apply w2k3 member server baseline security
to
> > all
> > > w2k3 servers and then apply customized security templates to them
> > according
> > > to specific roles, but how to manage the security to w2k servers using
> > GPO?
> > > if put all w2k servers into one OU and apply baseline security, how to
> > apply
> > > the w2k security template to w2k servers under w2k3 domain? can I
just
> > > import the w2k security template into w2k3 GPO and link to w2k servers
OU?
> > >
> > >
> > > thanks!
> >
> >
> >
April 6, 2005 1:13:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

thanks, steven

"Steven L Umbach" wrote:

> Yes you can do exactly what you propose and it makes good sense. Create
> separate OU's for your Windows 2000 servers and use an OU with a Windows
> 2000 security template imported into it. Do not mix and match security
> templates between Windows 2000 and Windows 2003 computers as you may have
> unpredictable results. For domain controllers however do NOT move any out of
> the default domain controllers container. You can however create separate
> OU's inside of the domain controllers container if need be. Use the Security
> Configuration and Analysis mmc snapin to verify the effective security
> policy applied to your servers to make sure security settings are what you
> expect. The biggest difference in security templates is security options as
> Windows 2003 has several more than Windows 2000 and many have been
> named. --- Steve
>
>
> "ben" <ben@discussions.microsoft.com> wrote in message
> news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
> > hi,
> >
> > I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3 servers,
> > 20% are w2k servers, I can apply w2k3 member server baseline security to
> > all
> > w2k3 servers and then apply customized security templates to them
> > according
> > to specific roles, but how to manage the security to w2k servers using
> > GPO?
> > if put all w2k servers into one OU and apply baseline security, how to
> > apply
> > the w2k security template to w2k servers under w2k3 domain? can I just
> > import the w2k security template into w2k3 GPO and link to w2k servers OU?
> >
> >
> > thanks!
>
>
>
Anonymous
a b 8 Security
April 7, 2005 12:31:57 AM

Archived from groups: microsoft.public.win2000.security (More info?)

OK. You may be able to find that you can do what with Windows 2003
templates. It's just that the security options that do not exist in Windows
2000 will not be applied and that other security options have been renamed.
The one security option that may be confusing is the security option for
"additional restrictions for anonymous access" which has been split into a
couple different security options in Windows 2003. If you have the need to
configure "additional restrictions for anonymous access" to be "no access
without explicit anonymous permissions" I am not sure if that can be done
with a Windows 2003 security template. The Security Configuration and
Analysis mmc snapin is always the best way to see exactly what security
policy is being applied to any computer. Keep in mind that the disable
storage of lmhash security option will not apply to Windows 2000 computers -
it requires a registry change. --- Steve


"ben" <ben@discussions.microsoft.com> wrote in message
news:37E93A8A-BD2B-4458-B2B2-CA29423B6C0C@microsoft.com...
> thanks, steven
>
> "Steven L Umbach" wrote:
>
>> Yes you can do exactly what you propose and it makes good sense. Create
>> separate OU's for your Windows 2000 servers and use an OU with a Windows
>> 2000 security template imported into it. Do not mix and match security
>> templates between Windows 2000 and Windows 2003 computers as you may have
>> unpredictable results. For domain controllers however do NOT move any out
>> of
>> the default domain controllers container. You can however create separate
>> OU's inside of the domain controllers container if need be. Use the
>> Security
>> Configuration and Analysis mmc snapin to verify the effective security
>> policy applied to your servers to make sure security settings are what
>> you
>> expect. The biggest difference in security templates is security options
>> as
>> Windows 2003 has several more than Windows 2000 and many have been
>> named. --- Steve
>>
>>
>> "ben" <ben@discussions.microsoft.com> wrote in message
>> news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
>> > hi,
>> >
>> > I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3
>> > servers,
>> > 20% are w2k servers, I can apply w2k3 member server baseline security
>> > to
>> > all
>> > w2k3 servers and then apply customized security templates to them
>> > according
>> > to specific roles, but how to manage the security to w2k servers using
>> > GPO?
>> > if put all w2k servers into one OU and apply baseline security, how to
>> > apply
>> > the w2k security template to w2k servers under w2k3 domain? can I just
>> > import the w2k security template into w2k3 GPO and link to w2k servers
>> > OU?
>> >
>> >
>> > thanks!
>>
>>
>>
Related resources
!