Baselining with Security Templates
by Derek Melber - Monday, 4 October 2004.
1. Click the Start button.

2. Select the Run menu option.

3. Type MMC into the text box and click the OK button.

4. Select Console from the Toolbar to get the menu options.

5. Select the Add-Remove snap-in menu option.

6. Click the Add button.

7. Select Security Templates from the Snap-ins list, then click the Add button.

8. Click the Close button, then click the OK button.

9. Expand the Security Templates node, then expand the C:\Winnt\Security\Templates node to see the list of security templates, as shown in Figure 1.

Fig 1: Security templates snap-in provides access to the default templates, as well as the ability to create new templates

You can either start with one of the preconfigured security templates, or you can create your own. If one of the preconfigured templates has 90% of the settings that you prefer, you can just copy it as a starting point.

If you want to create your own security template, just right-click on the security template folder (C:\Winnt\Security\Templates) and select New Template.

This will create a new template that has no configurations in it to begin with. As a suggestion, make sure you name the security template according to what it will be controlling, because templates can be hard to track down when numerous templates have been created.

After you create the template, you will just delve into the different topical areas of the security template, making the settings that match the security baseline settings that you have established.

To make the process of creating all of your security templates more efficient, you can create a matrix that includes all security baselines and their settings. Start by creating the security template that has the fewest baseline settings. Then, copy this template to create the additional templates, which will just need to be configured for the differences from the original security template.
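The matrix and the "differences from the original" can be produced from the template files themselves. The following is an added example, not code from the article: it assumes the templates are the INI-style text files kept in the templates folder (`[Section]` headers with `name = value` lines), and the two sample templates and the helper names are constructed for illustration.

```python
# Constructed sample templates (illustrative values, not from the article).
BASE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

SERVER = """\
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 3
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
"""

def parse_template(text):
    """Assumes INI-style text; returns {(section, setting): value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)      # values may contain '='
            settings[(section, name.strip())] = value.strip()
    return settings

def diff_templates(base, derived):
    """Return {(section, setting): (base_value, derived_value)} for differences only."""
    a, b = parse_template(base), parse_template(derived)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def matrix(templates):
    """Rows are settings, columns are template names; None means not defined."""
    parsed = {name: parse_template(t) for name, t in templates.items()}
    keys = sorted(set().union(*parsed.values()))
    return {k: {name: p.get(k) for name, p in parsed.items()} for k in keys}

if __name__ == "__main__":
    for (section, name), (old, new) in diff_templates(BASE, SERVER).items():
        print(f"[{section}] {name}: {old} -> {new}")
```

A setting that shows `None` in one column is not defined in that template, which is the usual sign that a copied template has drifted from the baseline it was made from.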

Deploying the Security Templates

After the security template is created, you need to deploy it. If you only need to deploy the security settings to a few computers, you might want to choose a manual method, which allows tighter control over establishing the security on the computers. If you are up against deploying the security templates to thousands of computers, you will want to choose an automated solution, which provides persistent effects. There are three primary methods to deploy security templates to establish the security baseline on your computers: manually, with a command line tool, or using a GPO.


Manual

Of the three methods, you can probably guess that the manual method is the least used. The reason seems fairly obvious: you don’t want to manually configure thousands of computers to establish the security on them. However, manually deploying security templates is common. You will most likely see this when the computer is not part of a Windows Active Directory domain and when the administrator of the computer does not have Active Directory administrative rights, but does have administrative privilege over the computer.

This method uses the Security Configuration and Analysis (SCA) snap-in. The snap-in is added to the MMC in the same way as the Security Templates snap-in above.

SCA only works on the computer where the MMC is running. The tool can’t configure computers remotely, which is where the limitations are evident. To configure the computer with the security template, follow these steps within the SCA snap-in:

1. Right-click on the SCA node and select Open Database

2. Select a name for the database

3. Select the security template you want to use

4. After the database is created, right-click on the SCA node and select the Configure Computer Now option

Command line

If you have more than just a few computers that you need to configure, but you don’t have access to or control over the GPOs in Active Directory, you can deploy security templates using a command line option. The command line tool is named SECEDIT.EXE and is the command line version of the SCA. Almost anything that you can do in the SCA you can also do with the SECEDIT tool.

