The first step in using security templates to secure computers by role is to create a template that addresses the baseline security for all servers on the network. The goal of the baseline template is to tighten every aspect of computer security. It follows the principle of reducing the attack surface. This principle increases security by relying on the simple fact that the less a server is running, the fewer potential vulnerabilities, or attack surface, will be available. After the baseline security template is applied to a server, the server will still run, but it may not be able to provide the services for a specific network role.
The second step resolves this problem by creating incremental templates that contain the changes needed to support specific roles. These templates may, for example, enable services that are needed by a specific server role. A DNS incremental template, for example, enables the DNS Server service and sets it to start automatically at boot, a service that is disabled in the baseline template.
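The baseline-plus-incremental layering described above, as an added example that is not part of the original page: a short Python parser for the `[Service General Setting]` section of a security template, run over two constructed templates. The template contents, the function names and the services other than DNS are assumptions chosen for illustration.

```python
import csv

# Constructed sample templates (not from the page); lines in
# [Service General Setting] are Name,StartupType,"SDDL".
BASELINE_INF = '''
[Service General Setting]
DNS,4,""
Spooler,4,""
W32Time,2,""
'''
DNS_ROLE_INF = '''
[Service General Setting]
DNS,2,""
'''
STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}

def parse_services(inf_text):
    """Return {service: startup_code} from [Service General Setting]."""
    services, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "service general setting":
            name, startup, *_ = next(csv.reader([line]))
            services[name.strip()] = int(startup)
    return services

def effective_services(*templates):
    """Layer templates in order; later (incremental) entries override."""
    merged = {}
    for text in templates:
        merged.update(parse_services(text))
    return merged

def role_delta(baseline, incremental):
    """Services disabled in the baseline that the role template turns back on."""
    base, inc = parse_services(baseline), parse_services(incremental)
    return sorted(s for s, mode in inc.items() if mode != 4 and base.get(s) == 4)

if __name__ == "__main__":
    for svc, mode in sorted(effective_services(BASELINE_INF, DNS_ROLE_INF).items()):
        print(f"{svc:10} {STARTUP[mode]}")
    print("Re-enabled by role template:", role_delta(BASELINE_INF, DNS_ROLE_INF))
```

The output of `role_delta` is the list a reviewer would check against the server's intended role, since each entry is attack surface the incremental template adds back.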
2. High Secure (Hisec*.inf)
The High Secure templates are supersets of the Secure templates and impose further restrictions on the levels of encryption and signing required for authentication and for the data that flows over Secure Channels and between SMB clients and servers. For example, while the Secure templates cause servers to refuse NTLM responses, the High Secure templates cause servers to refuse both LAN Manager and NTLM responses. While the Secure templates enable server-side SMB packet signing, the High Secure templates require it. Also, the High Secure templates require strong (128-bit) encryption and signing for the Secure Channel data that constitutes domain-to-member and domain-to-domain trust relationships. Therefore, in order to apply Hisecws.inf to a member computer:
* All of the domain controllers that contain the accounts of all users that will log on to the client should be running Windows NT 4.0 Service Pack 4 or higher.
* All of the domain controllers for the domain that the client is joined to should be running Windows 2000 or later.
The following rules also apply to the High Secure templates:
* In order to apply Hisecdc.inf to a domain controller, all of the domain controllers in all trusted or trusting domains should be running Windows 2000 or later.
* If a server is configured with Hisecws.inf, a client with a local account on that server will not be able to connect to it from a client that does not support NTLMv2.
* If a server is configured with Hisecws.inf, all clients that want to use SMB to connect to that server should have client-side SMB packet signing enabled. Client-side SMB packet signing is enabled by default for all Windows XP Professional-based computers.
* If a domain controller is configured with Hisecdc.inf, a client with an account in that domain will not be able to connect to any member server from a client that does not support NTLMv2.
* If a domain controller is configured with Hisecdc.inf, Lightweight Directory Access Protocol (LDAP) clients will not ...