Baselining with Security Templates
by Derek Melber - Monday, 4 October 2004.
The solution to creating and implementing security baselines on computers in your network is to “just do it.” Security baselines establish the foundation for the overall security of a computer. If a computer has no foundation, the chances of it being compromised are very high.

One of the most common complaints about creating and implementing security baselines is that they are hard to establish for the different computers on the network and almost impossible to implement. Couple this complaint with the work of keeping the computers up to date with the security baselines, and the result is that computers go without any baseline or security foundation.

What is a security baseline?

I am sure that you have all heard about security baselines or have a preconceived definition of them. However, I just want to make sure that my definition and your definition are the same for this article. The security baseline is a suite of security settings that are established for each type of computer in your organization. The security baseline is established in such a way that the computer performs its duties, but nothing else.

The reason for this “limited” approach is that if the computer can’t perform anything but its predetermined duties, the possibility of it being attacked successfully is much smaller.

Windows computers need security baselines more than about any other type of computer for a couple of reasons. First, Microsoft is notorious for allowing the default installation of their operating systems to be insecure. I don’t think I need to defend this statement much, considering the issues with Internet Information Services and Internet Explorer over the past couple of years.

The security baseline will consist of more than just securing services and applications; it will go to the core of the computer security settings. A typical security baseline will include control over services, permissions on files, Registry permissions, authentication protocols, and more. There will be a security baseline established for each type of computer in your organization. This will include domain controllers, file servers, print servers, application servers, clients, etc.

Security Templates for Baselining

In the last article I wrote, Understanding Security Templates, you were introduced to the contents of a security template. There we saw that a security template included settings for the following areas:
  • Account Policies
  • User Rights
  • Event Log settings
  • Restricted Groups
  • System Services
  • File Permissions
  • Registry Permissions
As you can see by comparing this list with the list we just unveiled in the baselining section above, the two encompass virtually the same security settings. Although a typical security baseline needs to include a few areas outside of a default security template, the template includes so many of the settings that it can’t be ignored as a solution for implementing your security baselines.
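
As an added illustration (not code from the original article), the Python example below reads a security template as the plain-text .inf file it is stored in and reports where a machine's settings deviate from the baseline template. Both templates are constructed sample data covering account policies, user rights and system services, and the function names are hypothetical.

```python
# Added example. Both templates are constructed sample data, not real exports.
BASELINE = """\
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
[Service General Setting]
"Alerter",4,""
"""
CURRENT = """\
[System Access]
MinimumPasswordLength = 0
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-545,*S-1-5-32-544
[Service General Setting]
"Alerter",2,""
"""

def parse_template(text):
    """Parse security-template text into {section: {key: value}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None:
            # Most sections use key = value; services use "name",startup,"sddl".
            sep = "=" if "=" in line.split(",")[0] else ","
            key, _, value = line.partition(sep)
            current[key.strip().strip('"')] = value.strip()
    return sections

def _norm(section, value):
    parts = [p.strip().lower() for p in value.split(",")]
    # A user right holds an unordered account list; other values are positional.
    return sorted(parts) if section == "Privilege Rights" else parts

def drift(baseline, current):
    """Yield (section, key, expected, actual) for each baseline setting not met."""
    for section, settings in baseline.items():
        for key, expected in settings.items():
            actual = current.get(section, {}).get(key)   # None: setting absent
            if actual is None or _norm(section, actual) != _norm(section, expected):
                yield (section, key, expected, actual)

if __name__ == "__main__":
    print(*drift(parse_template(BASELINE), parse_template(CURRENT)), sep="\n")
```

On a live system the second text would come from an export of the machine's current settings, for example one written by secedit /export /cfg, rather than from an inline string.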

Configuring Security Templates

The first step to implementing the security baseline on your computers is to determine what the baselines will be for each type of computer. The next step is to create an environment that makes it easy and efficient to implement these settings. The solution to step two is to develop security templates for each type of computer.

To complete this security template creation you will use the Security Templates snap-in. The Security Templates snap-in is included in the Microsoft Management Console (MMC). To access the MMC and include the snap-in, follow these steps:

