By default, when you install a clean version (not an upgrade) of Windows Server 2003, the Setup Security.inf security template is applied.This template sets up strong security for the computer on which it is installed, including setting appropriate Registry access permissions.This is also true for computers running Windows XP. However, this will not be the case on all computers, especially computers running Windows NT 4.0 or Windows 98.
Perhaps the easiest way to manage Registry settings is to use the settings provided in the predefined security templates in Windows Server 2003. Sections of the predefined templates can be imported and used to apply permissions to the Registry according to the computer's configuration. For example, suppose you want strong security on the Registry on DCs.The settings in securedc.inf, as they relate to the Registry, could be applied to all DCs in the domain even if you did not want to apply the entire securedc.inf template.The settings provided in the compatws.inf template loosen Registry permissions just a bit because legacy applications often require expanded access to the Registry to work properly. This setting could be propagated only to computers in an OU populated with computers using a legacy application to mitigate the risk of softening security on the Registry.
To import just a portion of a security template, you can use either the command-line tool, secedit.exe, or the Group Policy Object Editor snap-in or the Security Configuration and Analysis snap-in in the MMC.These were discussed in Chapter 2, but a brief review will help refresh your memory since this is an important concept for this exam.
Using the secedit.exe command, you can specify which database the settings will be imported into.You also specify the security template you want to import settings from, and you can specify which areas of the template to import. For example, you might only want to import the USER_RIGHTS area of the template. By default, if no area is specified, all areas are imported. By specifying the area or areas you want to import, you can select just a subset of settings to import and apply to the currently selected database (the security database into which you're importing settings).You can create a new database, import settings, and analyze them without applying them to
the computer on which you're working. This is useful for testing configurations before implementing them.
An alternative to using the secedit.exe command line is the Group Policy Object Editor snap-in in the MMC. Using this tool, you can also import the security settings of a security template to apply to a GPO. For example, select the Local Computer as the GPO and expand the nodes in this manner to get to the Security Settings: Local Computer Policy | Computer Configuration | Windows Settings | Security Settings. If you right-click Security Settings you can select Import Policy or Export Policy from the menu. If you select Import Policy, you will be prompted to select a template from which to import policy.
Finally, you can use the Security Configuration and Analysis snap-in, also in the MMC, to open or create a database for use on a single computer, in an OU or across a domain. Once you have opened or created a database, you can import settings from security templates.
In most cases, the default Registry settings in the predefined security templates will provide the appropriate level of permissions for the Registry. In addition, you should use GPOs to modify Registry settings across the enterprise to avoid errors and to minimize the time and effort involved. If you have particular software packages that require special Registry settings, this too can be propagated across the domain via group policy. As always, you want to provide the least possible permissions to computers, applications, and users to maintain the most secure environment, while still allowing adequate access to required resources. If you look for every opportunity you have to simplify settings and provide the least privileges possible, your job will be much easier, things will run more smoothly, and security will be enhanced.
Was this article helpful?