how to apply w2k security to w2k member servers under w2k3..

Archived from groups: microsoft.public.win2000.security (More info?)

hi,

I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3 servers,
20% are w2k servers, I can apply w2k3 member server baseline security to all
w2k3 servers and then apply customized security templates to them according
to specific roles, but how to manage the security to w2k servers using GPO?
if put all w2k servers into one OU and apply baseline security, how to apply
the w2k security template to w2k servers under w2k3 domain? can I just
import the w2k security template into w2k3 GPO and link to w2k servers OU?


thanks!
6 answers Last reply
More about apply security member servers w2k3
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    I am not sure what the issue is that you (feel you) are seeing.
    Policies apply to a specific version or higher of Windows.
    For example, there are some policies that apply to W2k and
    above, some that apply to XP and above (i.e. W2k3) but not
    to W2k, etc..
    If one GPO sets W2k and XP era policies all will be applied
    to W2k3 and XP machines that are under the influence of that
    GPO while only the W2k policies will have effect on the W2k
    machines under that GPO's influence.


    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "ben" <ben@discussions.microsoft.com> wrote in message
    news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
    > hi,
    >
    > I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3 servers,
    > 20% are w2k servers, I can apply w2k3 member server baseline security to
    all
    > w2k3 servers and then apply customized security templates to them
    according
    > to specific roles, but how to manage the security to w2k servers using
    GPO?
    > if put all w2k servers into one OU and apply baseline security, how to
    apply
    > the w2k security template to w2k servers under w2k3 domain? can I just
    > import the w2k security template into w2k3 GPO and link to w2k servers OU?
    >
    >
    > thanks!
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Yes you can do exactly what you propose and it makes good sense. Create
    separate OU's for your Windows 2000 servers and use an OU with a Windows
    2000 security template imported into it. Do not mix and match security
    templates between Windows 2000 and Windows 2003 computers as you may have
    unpredictable results. For domain controllers however do NOT move any out of
    the default domain controllers container. You can however create separate
    OU's inside of the domain controllers container if need be. Use the Security
    Configuration and Analysis mmc snapin to verify the effective security
    policy applied to your servers to make sure security settings are what you
    expect. The biggest difference in security templates is security options as
    Windows 2003 has several more than Windows 2000 and many have been
    named. --- Steve


    "ben" <ben@discussions.microsoft.com> wrote in message
    news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
    > hi,
    >
    > I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3 servers,
    > 20% are w2k servers, I can apply w2k3 member server baseline security to
    > all
    > w2k3 servers and then apply customized security templates to them
    > according
    > to specific roles, but how to manage the security to w2k servers using
    > GPO?
    > if put all w2k servers into one OU and apply baseline security, how to
    > apply
    > the w2k security template to w2k servers under w2k3 domain? can I just
    > import the w2k security template into w2k3 GPO and link to w2k servers OU?
    >
    >
    > thanks!
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Thanks, roger.

    My questions is actually can I use w2k3 security template to w2k servers?
    because w2k3 security settings are different from w2k, so do I have to
    separate w2k servers from w2k3 servers with different OU? I previously has
    the thought that w2k3 security template can be applied to w2k servers
    directly, now looks there are lot differences between them.

    "Roger Abell" wrote:

    > I am not sure what the issue is that you (feel you) are seeing.
    > Policies apply to a specific version or higher of Windows.
    > For example, there are some policies that apply to W2k and
    > above, some that apply to XP and above (i.e. W2k3) but not
    > to W2k, etc..
    > If one GPO sets W2k and XP era policies all will be applied
    > to W2k3 and XP machines that are under the influence of that
    > GPO while only the W2k policies will have effect on the W2k
    > machines under that GPO's influence.
    >
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "ben" <ben@discussions.microsoft.com> wrote in message
    > news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
    > > hi,
    > >
    > > I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3 servers,
    > > 20% are w2k servers, I can apply w2k3 member server baseline security to
    > all
    > > w2k3 servers and then apply customized security templates to them
    > according
    > > to specific roles, but how to manage the security to w2k servers using
    > GPO?
    > > if put all w2k servers into one OU and apply baseline security, how to
    > apply
    > > the w2k security template to w2k servers under w2k3 domain? can I just
    > > import the w2k security template into w2k3 GPO and link to w2k servers OU?
    > >
    > >
    > > thanks!
    >
    >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    The templates are groups of settings.
    Each setting has a version level, that is, has a minimum
    Windows version. If a setting for W2k3 is in a GPO that
    is applied to W2k, the W2k will not know what to do with
    the setting so it will have no effect upon it.

    As with all templates MS has provided, these are guidelines
    and examples. One is supposed to craft from them for ones
    own environment and needs. Part of that should include
    understanding what policy settings actually will have an
    effect on each version of Windows so one does not expect
    a lower version to be configured/protected in way that it
    actually will not be.

    However, applying a set of policies that apply to W2k3
    onto a W2k server will not hurt the W2k, they just will
    not do anything to it.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "ben" <ben@discussions.microsoft.com> wrote in message
    news:75011D9B-EFBD-4D17-88F9-1A96625D3BE6@microsoft.com...
    > Thanks, roger.
    >
    > My questions is actually can I use w2k3 security template to w2k servers?
    > because w2k3 security settings are different from w2k, so do I have to
    > separate w2k servers from w2k3 servers with different OU? I previously has
    > the thought that w2k3 security template can be applied to w2k servers
    > directly, now looks there are lot differences between them.
    >
    > "Roger Abell" wrote:
    >
    > > I am not sure what the issue is that you (feel you) are seeing.
    > > Policies apply to a specific version or higher of Windows.
    > > For example, there are some policies that apply to W2k and
    > > above, some that apply to XP and above (i.e. W2k3) but not
    > > to W2k, etc..
    > > If one GPO sets W2k and XP era policies all will be applied
    > > to W2k3 and XP machines that are under the influence of that
    > > GPO while only the W2k policies will have effect on the W2k
    > > machines under that GPO's influence.
    > >
    > >
    > > --
    > > Roger Abell
    > > Microsoft MVP (Windows Security)
    > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > "ben" <ben@discussions.microsoft.com> wrote in message
    > > news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
    > > > hi,
    > > >
    > > > I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3
    servers,
    > > > 20% are w2k servers, I can apply w2k3 member server baseline security
    to
    > > all
    > > > w2k3 servers and then apply customized security templates to them
    > > according
    > > > to specific roles, but how to manage the security to w2k servers using
    > > GPO?
    > > > if put all w2k servers into one OU and apply baseline security, how to
    > > apply
    > > > the w2k security template to w2k servers under w2k3 domain? can I
    just
    > > > import the w2k security template into w2k3 GPO and link to w2k servers
    OU?
    > > >
    > > >
    > > > thanks!
    > >
    > >
    > >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    thanks, steven

    "Steven L Umbach" wrote:

    > Yes you can do exactly what you propose and it makes good sense. Create
    > separate OU's for your Windows 2000 servers and use an OU with a Windows
    > 2000 security template imported into it. Do not mix and match security
    > templates between Windows 2000 and Windows 2003 computers as you may have
    > unpredictable results. For domain controllers however do NOT move any out of
    > the default domain controllers container. You can however create separate
    > OU's inside of the domain controllers container if need be. Use the Security
    > Configuration and Analysis mmc snapin to verify the effective security
    > policy applied to your servers to make sure security settings are what you
    > expect. The biggest difference in security templates is security options as
    > Windows 2003 has several more than Windows 2000 and many have been
    > named. --- Steve
    >
    >
    > "ben" <ben@discussions.microsoft.com> wrote in message
    > news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
    > > hi,
    > >
    > > I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3 servers,
    > > 20% are w2k servers, I can apply w2k3 member server baseline security to
    > > all
    > > w2k3 servers and then apply customized security templates to them
    > > according
    > > to specific roles, but how to manage the security to w2k servers using
    > > GPO?
    > > if put all w2k servers into one OU and apply baseline security, how to
    > > apply
    > > the w2k security template to w2k servers under w2k3 domain? can I just
    > > import the w2k security template into w2k3 GPO and link to w2k servers OU?
    > >
    > >
    > > thanks!
    >
    >
    >
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    OK. You may be able to find that you can do what with Windows 2003
    templates. It's just that the security options that do not exist in Windows
    2000 will not be applied and that other security options have been renamed.
    The one security option that may be confusing is the security option for
    "additional restrictions for anonymous access" which has been split into a
    couple different security options in Windows 2003. If you have the need to
    configure "additional restrictions for anonymous access" to be "no access
    without explicit anonymous permissions" I am not sure if that can be done
    with a Windows 2003 security template. The Security Configuration and
    Analysis mmc snapin is always the best way to see exactly what security
    policy is being applied to any computer. Keep in mind that the disable
    storage of lmhash security option will not apply to Windows 2000 computers -
    it requires a registry change. --- Steve


    "ben" <ben@discussions.microsoft.com> wrote in message
    news:37E93A8A-BD2B-4458-B2B2-CA29423B6C0C@microsoft.com...
    > thanks, steven
    >
    > "Steven L Umbach" wrote:
    >
    >> Yes you can do exactly what you propose and it makes good sense. Create
    >> separate OU's for your Windows 2000 servers and use an OU with a Windows
    >> 2000 security template imported into it. Do not mix and match security
    >> templates between Windows 2000 and Windows 2003 computers as you may have
    >> unpredictable results. For domain controllers however do NOT move any out
    >> of
    >> the default domain controllers container. You can however create separate
    >> OU's inside of the domain controllers container if need be. Use the
    >> Security
    >> Configuration and Analysis mmc snapin to verify the effective security
    >> policy applied to your servers to make sure security settings are what
    >> you
    >> expect. The biggest difference in security templates is security options
    >> as
    >> Windows 2003 has several more than Windows 2000 and many have been
    >> named. --- Steve
    >>
    >>
    >> "ben" <ben@discussions.microsoft.com> wrote in message
    >> news:AF1F769B-D2AF-48AF-9A7C-E8D928C9EAC0@microsoft.com...
    >> > hi,
    >> >
    >> > I have one w2k3 AD domain, all dcs are w2k3, 80% servers are w2k3
    >> > servers,
    >> > 20% are w2k servers, I can apply w2k3 member server baseline security
    >> > to
    >> > all
    >> > w2k3 servers and then apply customized security templates to them
    >> > according
    >> > to specific roles, but how to manage the security to w2k servers using
    >> > GPO?
    >> > if put all w2k servers into one OU and apply baseline security, how to
    >> > apply
    >> > the w2k security template to w2k servers under w2k3 domain? can I just
    >> > import the w2k security template into w2k3 GPO and link to w2k servers
    >> > OU?
    >> >
    >> >
    >> > thanks!
    >>
    >>
    >>
Ask a new question

Read More

Security Servers Windows