Security Templates in XP

Before you start

Objectives: learn how to use security templates to apply security settings in XP.

Prerequisites: no prerequisites.

Key terms: setting, group, password, policy, local, analysis, database, import, compare, member


Naming Convention

When we open the ‘templates’ folder, we will see several files with .inf extension. Before the ‘.inf’ extension we can see ‘ws’ or ‘dc’ added to the name of the template. ‘ws’ indicate that that template is intended for a workstation. ‘dc’ indicate settings for the domain controller. Settings for servers will have ‘srv’ at the end of the template name.

Templates

We start off with a basic set of templates. Those are basic security settings that are applied by default during the installation of the system. In addition to that we also have, the Secure Templates. We also have High Security Settings in which we start to manipulate with user rights. We also have a temple called Compatibility Templates. The common one we will see here is Compatible Workstation or comptws.inf which allows us to apply a security template that is consistent with the previous versions of Windows. Since previous versions are not able to use all of the security settings that we have in Windows XP, we can set those back so that we can still maintain compatibility.

Tools

The first tool that we can use is the Security Analysis and Configuration in Microsoft Management Console or MMC. This tool gives us two components which allows us to analyze our security based on our templates. We can select a template, open up a database using that template and then analyse our computer. After the analysis it will show us everything that meets and exceeds the requirements of the template. Anything that doesn’t meet the requirements of the template will be illustrated with the red X. If we want to apply that template we can go to the configuration portion of the Security Analysis and Configuration tool which will allow us to apply all that settings to the computer. When applying settings, if existing setting meets or exceeds particular setting, then it does not make any changes.
Another tool that we can use is ‘secedit‘ command line tool which basically allows us to do same thing as with Security Analysis and Configuration tool. We can use secedit command with the /analyse switch to analyse our settings or we can use the/configure switch when we want to make changes to our settings. We can use secedit /export to export database settings to a template.

Issues

When applying high security templates, the Administrators group is reset. Administrators and Power Users group are reset to default members, so if we have a lot of members in that groups it can be an issue. After applying the template we should check those groups and add members back as necessary. Another issue comes up when we move between various templates. If we have applied a high security setting, and after that we want to go back to the basic settings, we have to clear the existing template first. Remember, when we apply our templates, if particular setting meets or exceeds template setting, it will not make any changes.

Compare Settings

We will compare the security settings in Local Group Policy on our computer to the settings in a predefined template. In that way we can see what custom settings are modified on the local computer. To do that we need to perform three general tasks. First we need to configure MMC to work with security settings, second we have to import the template database, and third we need to compare the template with the local settings and view the results. Let’s start by creating the MMC. We’ll go to the Start Menu, in the Run command type in ‘mcc’ and hit enter. On the File menu, select Add/Remove Snap-in, select and add the Security Configuration and Analysis Snap-in.

 Security Configuration and Analysis

Image 271.1 – Security Configuration and Analysis

Now that we have our snap-in set, we can compare the security settings on the local system with those in the template. Now we need to create a new database and import the template settings. Let’s right-click Security Configuration and Analysis and select Open Database. We will name it CompareSettings and click Open.

 Database

Image 271.2 – Database

Next, we have to import our template, that is, we need to select the template that we are going to compare to the local computer.

 Templates

Image 271.3 – Templates

All those files are actually stored in ‘c:\windows\security\templates‘ folder. In our case we will select ‘securews.inf‘ and click Open. At this point we need to compare the settings in the template with the settings on the local computer. To do that we will right-click ‘Security Configuration and Analysis’ and select Analyze Computer Now. Click OK to accept the path to the error log file. The following window will appear.

 Analysis

Image 271.4 – Analysis

If we browse the the Account Policies and then Password Policy, we can see the settings from our database and the current computer settings. Notice the red X and the green check mark. A red X tells us that the setting on the local computer does not match the setting in the template, while the green check mark tells us that the settings do match. Notice that we have two columns for details. Those columns are the Database Setting (template setting) and Computer Setting (current setting applied on the computer). For example in our case, notice that the minimum password length in the template is 8 characters while current setting is 0 characters, which basically means ‘no restriction’.

Edit Settings

To apply all those settings we can right-click ‘Security Configuration and Analysis’ and select ‘Configure Computer Now’ option. All settings will then be applied. To check our new settings we can go to our Group Policy Editor and navigate to the, for example, Password Policy.

 Password Policy

Image 271.5 – Password Policy

Notice that our settings now include minimum password length of 8 characters. While we can manually edit group policy settings to achieve the desired configuration, we can simplify the process by importing a predefined template. Windows XP ships with several predefined templates. We can also import our template while we are in Group Policy Editor. Let’s say that we want to revert our changes to the original settings set during installation. To import a policy, we will right-click Security Settings and then select Import Policy in Group Policy Editor.

 Import Policy Form

Image 271.6 – Import Policy

Compatws.inf provides Windows NT 4 compatible settings. Templates starting with ‘secure‘ like securedc.inf and securews.infare used to increase the security for workstation or domain controller. Securedc.inf is used for domain controllers andsecurews.inf is used for workstations. Hisecdc.inf and hisecws.inf increase security even further. The ‘setup security.inf‘ is the default security that was created when we installed Windows XP. Let’s import ‘setup security’ to revert to the defaults. We will select it and click Open.

 Setup Settings

Image 271.7 – Setup Settings

Notice how our password policy has changed. Now they’ve reverted to the default security settings. Our password history is zero and our maximum password age is 42 days instead of 30. Also our minimum password length is zero characters instead of eight. To edit existing templates we can use the Security Templates MMC snap-in.

Remember

‘Setup security.inf’ configures the system with the original settings applied during installation. ‘Securews.inf’ enhances security settings that typically do not affect application compatibility. It defines strong password, lockout, and auditing settings. It also restricts rights granted to anonymous users. ‘Hisecws.inf’ secures a workstation as much as possible. It forces NTLM v2 between server and client, and removes all members of the Power Users group. It also removes all members of the local Administrators group except for the Domain Administrators group and the local Administrator account. ‘Compatws.inf’ relaxes the security privileges of the Users group to allow them to run non-user certified applications (applications that are common in previous Windows versions). It also Removes all members of the Power Users group.

Paths that are mentioned in this article
  • c:\windows\security\templates – folder where we can find some predefined security templates