The Database Setting section maps out the requirements of the template, while the Computer Setting section shows my current configuration. The green checkmarks indicate that my system meets or exceeds the requirements, while the red circles with the X indicate that my system does not meet the requirement. If neither icon is shown, it simply means that the imported template doesn’t have settings for that area configured. You should note that you can import multiple templates, with settings in each template imported overwriting the database settings where conflicts exist, in the order of import. Once you do import a number of templates (or actually make changes to the database settings) you can then export those changes as templates as well.
As I mentioned earlier, you can also use this tool to configure a system. For example, if you right-click the Security Configuration and Analysis icon as shown below, you have the option to Configure Computer Now. However, the settings that are exported to a template file can also be imported into the Security Settings section of Computer Configuration section of Group Policy, which would allow you to distribute a common configuration to client systems in a centralized manner. Templates can also be imported into the Local Security Configuration. In both cases, the tools refer to importing a template file as ‘Import Policy…’
Another MMC snap-in, Security Templates, allows you to view and configure template settings, as well create new templates. Templates files are in an .inf format, readable in any text editor. A small example of the password policy settings of a template file are shown below:
;Account Policies – Password Policy
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
Windows 2000 provides a number of templates by default. You should have an understanding on the provided template files and why you would use them. The names of templates provide an idea of when/how they are to be used. The last two letters in the template file name (before the .inf extension) usually tell you which type of system a template is meant for – WS for a workstation, DC for a domain controller, SV for a server. For example, the hisecws.inf identifies the template as applying highly secure settings to a workstation. Beyond this, there are five main security levels outlined in the default templates, with each outlined below:
Basic*.inf – Basic. These templates apply the default security configuration to a system. These would be useful if you set too high a level of security on a system and wanted to return settings back to the default.
Compat*.inf – Compatible. Windows 2000 gives members of the Users group more strict security settings than in NT 4.0. As such, some applications (such as those certified for NT 4 but not Windows 2000) may not function correctly (or potentially at all) on Windows 2000. When this template is applied, applications run under the Power Users level of privilege, even though the user may not have that level of access.
Secure*.inf – Secure. Contains settings recommended for securing a system except for those relating to files, folders, and registry keys, which are configured securely by default.
Hisec*.inf – Highly Secure. Provides settings to provide a much higher level of protection, including network security. In this configuration, a system can only communicate with other Windows 2000-based systems, for example.
Dedica*.inf – Dedicated Domain Controller. Contains recommended security settings for a domain controller that is not also acting as an application server.
Template files are stored in %systemroot%securitytemplates by default.