One of the most common complaints about creating and implementing security baselines is that they are hard to establish for the different computers on the network and almost impossible to implement. Couple this complaint with the work of keeping the computers up to date with the security baselines, and the result is computers that go without any baseline or security foundation.
What is a security baseline?
I am sure that you have all heard about security baselines or have a preconceived definition of them. However, I just want to make sure that my definition and your definition are the same for this article. The security baseline is a suite of security settings that are established for each type of computer in your organization. The security baseline is established in such a way that the computer performs its duties, but nothing else.
The reason for this “limited” approach is that if the computer can’t perform anything but its predetermined duties, the likelihood of it being attacked successfully is much smaller.
Windows computers need security baselines more than just about any other type of computer for a couple of reasons. First, Microsoft is notorious for allowing the default installation of their operating systems to be insecure. I don’t think I need to defend this statement much, considering the issues with Internet Information Services and Internet Explorer over the past couple of years.
The security baseline will consist of more than just securing services and applications; it will go to the core of the computer security settings. A typical security baseline will include control over services, permissions on files, Registry permissions, authentication protocols, and more. There will be a security baseline established for each type of computer in your organization. This will include domain controllers, file servers, print servers, application servers, clients, etc.
Security Templates for Baselining
In the last article I wrote, Understanding Security Templates, you were introduced to the contents of a security template. There we saw that a security template included settings for the following areas:
- Account Policies
- User Rights
- Event Log settings
- Restricted Groups
- System Services
- File Permissions
- Registry Permissions
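The areas listed above correspond to named sections in the template's .inf text, so a baseline can be compared mechanically against the settings exported from a computer (for instance with `secedit /export`). The following is an added example, not code from this article: `parse_template` and `drift` are hypothetical names, the template text is constructed, and only the sections mapped in `AREAS` are compared.

```python
# Added example; the template text below is constructed sample data.
AREAS = {  # template section -> area named in the list above
    "System Access": "Account Policies",
    "Privilege Rights": "User Rights",
    **dict.fromkeys(("Application Log", "Security Log", "System Log"), "Event Log settings"),
    "Group Membership": "Restricted Groups",
    "Service General Setting": "System Services",
    "File Security": "File Permissions",
    "Registry Keys": "Registry Permissions",
}
# Sections whose entries are comma-separated with the object name first.
OBJECT_SECTIONS = {"Service General Setting", "File Security", "Registry Keys"}

BASELINE = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
[Security Log]
MaximumLogSize = 196608
[Service General Setting]
"Spooler",4,"D:(A;;GA;;;BA)"
"""
# Constructed stand-in for settings exported from a computer that has drifted.
EXPORTED = (BASELINE.replace("Length = 12", "Length = 0")
            .replace("S-1-5-32-544", "S-1-5-32-545,*S-1-5-32-544")
            .replace('"Spooler",4', '"Spooler",2'))

def parse_template(text):
    """Return {(section, key): value} for the sections listed in AREAS."""
    settings, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line and not line.startswith(";") and section in AREAS:
            sep = "," if section in OBJECT_SECTIONS else "="
            key, _, value = line.partition(sep)
            # Order of comma-separated items (SIDs, members) is not significant.
            if section not in OBJECT_SECTIONS:
                value = ",".join(sorted(v.strip() for v in value.split(",")))
            settings[(section, key.strip().strip('"'))] = value.strip()
    return settings

def drift(baseline_text, exported_text):
    """List (area, section, key, expected, actual) for each deviation."""
    want, have = parse_template(baseline_text), parse_template(exported_text)
    return [(AREAS[sec], sec, key, value, have.get((sec, key)))
            for (sec, key), value in sorted(want.items())
            if have.get((sec, key)) != value]
```

A setting that is in the baseline but absent from the export is reported with an actual value of `None`. Files written by `secedit` are typically UTF-16, so decode them before passing the text in.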
Configuring Security Templates
The first step to implementing the security baseline on your computers is to determine what the baselines will be for each type of computer. The next step is to create an environment that makes it easy and efficient to implement these settings. The solution to step two is to develop security templates for each type of computer.
To complete this security template creation you will use the Security Templates snap-in. The Security Templates snap-in is included in the Microsoft Management Console (MMC). To access the MMC and include the snap-in, follow these steps: