Quickly configuring Security Options with Windows XP security templates

Source: Internet
Author: User

Windows XP provides powerful security mechanisms, but configuring the security settings one by one is time-consuming and laborious. Is there a way to configure Security Options quickly? Yes: you can use security templates to set all of the security options quickly and in bulk.

1. Understand Security templates

A "security template" is a file representation of a security policy. It can configure security settings for account policies and local policies, event logs, restricted groups, the file system, the registry, system services, and other items. Security templates are stored as text files in .inf format, so you can easily copy, paste, import, or export templates. A security template does not introduce new security parameters; it only organizes all existing security attributes in one place to simplify security management, and it provides a way to change Security Options quickly in bulk.

The system ships with several predefined security templates that help enhance system security. By default, these templates are stored in the "%SystemRoot%\Security\Templates" directory. They are:

1. compatws.inf

Provides a basic security policy for an environment with a lower level of security but better compatibility. It relaxes the default file and registry permissions of the Users group to meet the requirements of most unverified applications. The "Power Users" group is typically used to run unverified applications.

2. hisec*.inf

Provides a highly secure client policy template for an advanced security environment. It is a superset of the secure templates that further restricts the levels of encryption and signing required for identity authentication and for secure data transmission between SMB clients and servers over secure channels.

3. rootsec.inf

Secures the system root. It specifies the new root directory permissions introduced by Windows XP Professional. By default, rootsec.inf defines these permissions for the root directory of the system drive. If the root directory permissions are changed accidentally, you can use this template to reapply them, or you can modify the template to apply the same root directory permissions to other volumes.

4. secure*.inf

Defines enhanced security settings that are least likely to affect application compatibility. It also limits the use of the LAN Manager and NTLM authentication protocols: clients are configured to send only NTLMv2 responses, and servers are configured to refuse LAN Manager responses.

5. setup security.inf

Reapplies the default settings. This template is specific to each computer and represents the default security settings applied during installation of the operating system, including the file permissions for the root directory of the system drive. It can be used for system disaster recovery.

These are the predefined security templates. You can use one of them or create new security templates of your own as needed.

2. Manage Security templates

1. Install the security template

Security template files are all text-based .inf files that can be opened and edited in a text editor. However, editing a security template that way is cumbersome, so load the security templates into the MMC console for ease of use.

① Click "Start", then "Run", type MMC, and click "OK" to open the console;

② Click "Add/Remove Snap-in" on the "File" menu and, in the window that opens, click "Add" on the "Standalone" tab;

③ Select "Security Templates" in the "Available Standalone Snap-ins" list, click "Add", and then click "Close". The Security Templates snap-in is now added to the MMC console.

To avoid loading the snap-in again each time you start MMC, click "Save" on the "File" menu to save the current console settings.

2. Create and delete security templates

After adding the Security Templates snap-in to the MMC console, you will see the predefined security templates. You can also create new security templates yourself.

First, expand "Security Templates" under "Console Root", right-click the folder that stores the security template files, and choose "New Template" from the shortcut menu. The new template window is displayed. In "Template name", type the name of the new template, in "Description", enter a description of it, and click "OK". The new security template is created.

Deleting a security template is just as easy. Expand "Security Templates", find the template to delete in the console tree, right-click it, and select "Delete".

3. Apply a security template

After the new security template is configured, you can apply it. Security template settings are applied with the "Security Configuration and Analysis" snap-in.

① Add the "Security Configuration and Analysis" snap-in: open the "File" menu in the MMC console, click "Add/Remove Snap-in", select "Security Configuration and Analysis" in the "Add Standalone Snap-in" list, and click "Add". The snap-in is added to the MMC console;

② In the console tree, right-click "Security Configuration and Analysis", select "Open Database", type a new database name in the window that appears, and click "Open";

③ In the template list window, select the security template to import and click "Open" to import it;

④ In the console tree, right-click "Security Configuration and Analysis" and select "Configure Computer Now" from the shortcut menu. When the window confirming the error log file path is displayed, click "OK".

The imported security template is now applied.

3. Set security templates

1. Set Account Policies

Account policies include the password policy, the account lockout policy, and the Kerberos policy. The password policy provides a standard means of setting password complexity and password change rules to meet the password requirements of a high-security environment. The account lockout policy tracks failed logon attempts and locks the corresponding account if necessary. The Kerberos policy applies to domain user accounts; it determines Kerberos-related settings such as ticket lifetimes and enforcement.

(1) Password policy

Five password-related settings can be configured here: "Enforce password history", "Maximum password age", "Minimum password age", "Minimum password length", and "Password must meet complexity requirements".

① Enforce password history: determines the number of unique new passwords that must be used before an old password can be reused. The value can be between 0 and 24;

② Maximum password age: determines the number of days a password can be used before the user is required to change it. The value can be between 0 and 999. If it is set to 0, the password never expires;

③ Minimum password age: determines the number of days a user must keep a new password before changing it. This setting is designed to be used with "Enforce password history", so that users cannot quickly cycle through the required number of passwords and return to an old one. The value can be between 0 and 999. If it is set to 0, a new password can be changed immediately. We recommend setting this value to 2 days;

④ Minimum password length: determines the minimum number of characters a password must contain. The value can be between 0 and 14 characters. If it is set to 0, a blank password is allowed. We recommend setting this value to 8 characters;

⑤ Password must meet complexity requirements: when this option is enabled, all new passwords are checked to ensure that they meet the basic requirements of a complex password. For example, the password must contain at least six characters and cannot contain three or more characters from the user account name.

(2) Account lockout policy

Here you can set the number of logon attempts allowed for a user account within a specified time, and how long the account stays locked after the logon failures.

① Account lockout duration: determines how long, in minutes, a locked account remains locked before it is unlocked and the user can log on again. If it is set to 0, the account stays locked until an administrator unlocks it;

② Account lockout threshold: determines the number of failed logon attempts that causes a user account to be locked. A locked account cannot be used again until an administrator resets it or the lockout duration expires. The value can be between 1 and 999. If it is set to 0, the account is never locked.

2. Set Local Policies

Local policies include three groups of security settings: Audit Policy, User Rights Assignment, and Security Options. The audit policy determines whether security events are recorded in the security log on the computer; User Rights Assignment determines which users or groups have logon rights or privileges on the computer; Security Options determine whether computer security settings are enabled or disabled.

(1) Audit Policy

After auditing is enabled, the system collects all events for the audited objects in the audit logs, such as application, system, and security information, so auditing is very important for ensuring domain security. Each setting under the audit policy can take one of three values: Success, Failure, and No auditing. The default is No auditing. To enable auditing, double-click an item to display its "Properties" window, select "Define this policy setting in the template", and then select "Success" or "Failure" as needed.

Audit policies include auditing account logon events, policy changes, account management, logon events, and system events.

① Audit policy change: determines whether to audit every change to the user rights assignment policy, audit policy, or trust policy. We recommend setting it to "Success" and "Failure";

② Audit logon events: determines whether to audit each instance of a user logging on to the computer, logging off from it, or establishing a network connection to it. Auditing successes shows which user successfully logged on to which computer; auditing failures can be used to detect intrusions, but a large volume of logon failure entries generated by an attacker may cause a denial-of-service (DoS) condition. We recommend setting it to "Success";

③ Audit object access: determines whether to audit user access to objects, such as files, folders, registry keys, and printers, that have their own system access control list (SACL) specified. We recommend setting it to "Failure";

④ Audit process tracking: determines whether to audit detailed tracking information for events such as program activation, process exit, and indirect object access. If you suspect that the system is under attack, you can enable this option, but it generates a large number of events. Under normal circumstances, we recommend setting it to "No auditing";

⑤ Audit directory service access: determines whether to audit events in which users access Active Directory objects that have their own system access control list (SACL) specified. When enabled, it generates a large number of audit entries in the security log of the domain controller, so enable it only when the information produced will actually be used. We recommend setting it to "No auditing";

⑥ Audit privilege use: determines whether to audit each instance of a user exercising a user right, with the exception of the following rights: bypass traverse checking, debug programs, create a token object, replace a process-level token, generate security audits, back up files and directories, and restore files and directories. We recommend setting it to "No auditing";

⑦ Audit system events: determines whether to audit system events when a user restarts or shuts down the computer, or when an event occurs that affects system security or the security log. This event information is very important, so we recommend setting it to "Success" and "Failure";

⑧ Audit account logon events: determines whether to audit each instance of a user logging on to or off from another computer when this computer is used to validate the account. We recommend setting it to "Success" and "Failure";

⑨ Audit account management: determines whether to audit each account management event on the computer, such as renaming, disabling, or enabling a user account, or creating, modifying, or deleting a user account or group. We recommend setting it to "Success" and "Failure".

(2) User Rights Assignment

User Rights Assignment determines which users or groups are allowed to perform which actions. To configure it:

① Double-click a policy. In the "Properties" window that is displayed, select "Define this policy setting in the template";

② Click "Add User or Group" to display the "Select Users or Groups" window. Click "Object Types" to select the object type, click "Locations" to select the desired location, and enter the user or group name in the box under "Enter the object names to select". Then click "Check Names" to verify that the name is correct;

③ Click "OK" to add the object to the user list.

(3) Security Options

Here you can enable or disable computer security settings such as digital signing of data, the names of the Administrator and Guest accounts, access to floppy and CD-ROM drives, driver installation behavior, and logon prompts. The following describes some settings suitable for general users.

① Prevent users from installing printer drivers. For a computer to print to a network printer, the driver for that network printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of adding a network printer. It prevents unauthorized users from downloading and installing untrusted printer drivers.

Double-click "Devices: Prevent users from installing printer drivers" to display the Properties window, select "Define this policy setting in the template", select "Enabled", and click "OK". Only Administrators and Power Users can then install a printer driver as part of adding a network printer;

② Install unsigned drivers without prompting. When you try to install a device driver that has not been certified by the Windows Hardware Quality Lab (WHQL), a warning window is displayed by default, asking the user whether to install the driver. This is very troublesome; you can set unsigned drivers to install without a prompt.

Double-click "Devices: Unsigned driver installation behavior". In the Properties window, select "Define this policy setting in the template", click the drop-down button next to it, select "Silently succeed", and click "OK";

③ Display message text at logon. This specifies a text message displayed when a user logs on. You can use it to warn users not to misuse company information in any way, or to warn them that their actions may be audited, to better protect system data.

Double-click "Interactive logon: Message text for users attempting to log on". In the Properties window, select "Define this policy setting in the template", enter the message text in the input box below (a maximum of 512 characters), and click "OK". Users will then see this warning message in a dialog box before logging on to the console.

3. Set Event Logs

The Event Log area of a security template defines attributes of the application, security, and system logs, such as the maximum log size, access permissions for each log, and retention settings and methods. The application log records events generated by programs, the security log records security events for audited objects, and the system log records operating system events.

(1) Log retention days

This option sets how many days the application, security, and system logs are retained. Set this value only if logs are archived at scheduled intervals, and make sure that the maximum log size is large enough to cover the interval. The number of days can be from 1 to 365; set it as needed. We recommend 14 days.

(2) Log retention method

Here you can set how events are handled when a log file reaches its maximum size. There are three methods: "Overwrite events by days", "Overwrite events as needed", and "Do not overwrite events (clear log manually)". If you want to archive application logs, select "Overwrite events as needed"; if you want to archive logs at scheduled intervals, select "Overwrite events by days"; if you want to retain all events in the log, select "Do not overwrite events (clear log manually)". In the last case, new events are discarded once the maximum log size is reached.

(3) Restrict guest access to logs

Here you can set whether guests are prevented from accessing the application, security, and system event logs. By default, guest users and null sessions are allowed to view the system log but are denied access to the security log.

(4) Maximum log size

Here you can set the maximum size of the log files, within the allowed minimum and maximum values.
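
As an added example (not part of the original article), the following Python script parses a security template in .inf form and reports every setting that deviates from the values recommended in the account policy, audit policy, and event log sections above. The sample template is constructed, and the section and key names it uses ([System Access], [Event Audit], [Security Log]) are assumed to match the predefined templates; confirm them against a template from your own system.

```python
import configparser

# Constructed sample template, not taken from the article. Section and key names
# are assumed to follow the layout of the predefined .inf templates; verify them
# against a template from your own system before relying on them.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MinimumPasswordLength = 6
PasswordComplexity = 1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditAccountLogon = 3
[Security Log]
AuditLogRetentionPeriod = 1
RetentionDays = 14
"""

# Audit values in a template: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
# Each entry: (section, key) -> ("min" | "eq", value recommended in the article).
RECOMMENDED = {
    ("System Access", "MinimumPasswordAge"): ("min", 2),
    ("System Access", "MinimumPasswordLength"): ("min", 8),
    ("Event Audit", "AuditPolicyChange"): ("eq", 3),
    ("Event Audit", "AuditLogonEvents"): ("eq", 1),
    ("Event Audit", "AuditObjectAccess"): ("eq", 2),
    ("Event Audit", "AuditSystemEvents"): ("eq", 3),
    ("Event Audit", "AuditAccountLogon"): ("eq", 3),
    ("Event Audit", "AuditAccountManage"): ("eq", 3),
    ("Security Log", "RetentionDays"): ("eq", 14),
}

def check_template(inf_text):
    """Return (section, key, found, recommended) for every deviating setting."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(inf_text)
    findings = []
    for (section, key), (rule, want) in RECOMMENDED.items():
        raw = cp.get(section, key, fallback=None)
        found = int(raw) if raw is not None else None  # None = "not defined"
        ok = found is not None and (found >= want if rule == "min" else found == want)
        if not ok:
            findings.append((section, key, found, want))
    return findings

if __name__ == "__main__":
    for section, key, found, want in check_template(SAMPLE_INF):
        print(f"[{section}] {key}: found {found}, article recommends {want}")
```

A setting that is missing from the template is reported with a found value of None, because an undefined setting leaves whatever is already configured on the computer unchanged.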
