Windows Security: Make SCAT Sing - Page 2
Creating and Applying a Baseline Security Template
Having looked at how to use the SCA tool to analyze and configure a system, we can put this knowledge together to create and apply a baseline security template.
There are two ways to create a new template. You can either start from scratch or copy an existing template. To create a new template, in the Security Templates MMC snap-in, right-click the %SystemRoot%\Security\Templates object and choose New Template. You are prompted for a template name and description. After the template is created, you can go through and change the settings as appropriate.
Copying an existing template can often be easier, as the template you copy may already have many of the settings you are looking for configured. Refer to Part One for a description of each of the default templates. Note, though, that some templates contain only a small number of settings and are intended to be applied in addition to other templates. For example, the Hisecdc template is intended to be applied after the Securedc template, because it contains only a small number of settings. It relies on the bulk of the settings coming from the existing configuration or from another template such as Securedc.
To make a copy of a template, highlight it in the Security Templates snap-in and choose Save As from the File menu. After naming the new template, you can go through and make changes to the settings. You should also amend the description of the template, as by default it takes the description of the template you copied.
Once you have finished configuring your baseline template, go into the SCA tool and create a new database. During the creation process, choose the baseline security template you just created. It is a good idea to first perform an analysis to see what changes would be made if the template were applied to the system. Alternatively, if you are very confident of your settings, you can simply choose the Configure Computer Now option from the File menu. This will cause all of your changes to be applied, and your server will be in the ‘baseline’ configuration.
To apply the same settings to other servers, you have a number of options. For a small number of servers, you may just want to copy the baseline template to the other systems, and then use the SCA tool to configure the settings. If you have a large number of servers, you can apply the security template via Group Policy, or through script/batch files using Secedit.exe. The advantage of the Group Policy approach is that the security settings will be refreshed periodically. Secedit, on the other hand, refreshes the settings only when you run the command.
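The Secedit.exe route described above, written out as a batch file that analyzes first and configures only when asked. This is an added example, not part of the original article; the script name, the C:\SecBaseline working folder and the file names under it are assumptions, as is treating any non-zero Secedit exit code as a reason to stop and read the log.

```batch
@echo off
rem Added example: analyze against a baseline template, then optionally apply it.
rem Usage: apply-baseline.cmd <template.inf> [apply]
rem Assumed names: this script name, C:\SecBaseline and the files created in it.
setlocal
set "CFG=%~1"
set "MODE=%~2"
set "WORK=C:\SecBaseline"
set "DB=%WORK%\baseline.sdb"

if "%CFG%"=="" goto usage
if not exist "%CFG%" goto usage
if not exist "%WORK%" mkdir "%WORK%"

rem Start from an empty database so results from an older template do not mix in.
if exist "%DB%" del "%DB%"

rem Step 1: compare the computer with the template. Nothing is changed here.
secedit /analyze /db "%DB%" /cfg "%CFG%" /log "%WORK%\analyze.log" /quiet
if errorlevel 1 goto failed

if /i "%MODE%"=="apply" goto apply
echo Analysis finished. Open %DB% in the SCA tool or read %WORK%\analyze.log
echo Rerun with "apply" as the second argument to configure this computer.
exit /b 0

:apply
rem Keep a copy of the current settings for reference before changing them.
secedit /export /cfg "%WORK%\before-apply.inf" /log "%WORK%\export.log" /quiet
if errorlevel 1 goto failed

rem Step 2: the scripted equivalent of Configure Computer Now.
rem /overwrite empties the database before the template is imported.
secedit /configure /db "%DB%" /cfg "%CFG%" /overwrite /log "%WORK%\configure.log" /quiet
if errorlevel 1 goto failed
echo Baseline applied. Details are in %WORK%\configure.log
exit /b 0

:failed
rem Assumption: any non-zero exit code, warnings included, stops the run.
echo Secedit returned a non-zero exit code. Review the logs in %WORK%
exit /b 1

:usage
echo Usage: %~nx0 ^<template.inf^> [apply]
exit /b 2
```

Because Secedit applies settings only when it runs, a script like this has to be rerun (for example from a scheduled task) to get the periodic refresh that Group Policy provides on its own.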
Whichever way you decide to use it, the SCA tool is a valuable addition to any Windows Server 2003 administrator’s toolkit. Even if you only use it to review the settings currently in place on your server, it still provides the benefit of placing a large number of commonly configured settings into one easy-to-use interface.