After the security template is created, you now need to deploy it. If you only need to deploy the security settings to a few computers, you might want to choose a manual method, which allows tighter control over establishing the security on the computers. If you are up against deploying the security templates to thousands of computers, you will want to choose an automated solution, which provides persistent affects. There are three primary methods to deploy security templates to establish the security baseline on your computers: manual, command line tool, using a GPO.

Manual

Of the three methods, you can probably guess that this is the least used method. The reason seems fairly obvious: you don’t want to manually configure thousands of computers to establish the security on them. However, manually deploying security templates is common. You will most likely see this when the computer is not part of a Windows Active Directory domain and when the administrator of the computer does not have Active Directory administrative rights, but does have administrative privilege over the computer.

This method includes using the Security Configuration and Analysis (SCA) snap-in. The snap-in is accessed just like we accessed the Security Templates snap-in from above.

SCA only works on the computer where the MMC is running. The tool can’t configure computers remotely, which is where the limitations are evident. To configure the computer with the security template, follow these steps within the SCA snap-in:

1. Right-click on the SCA node and select Open Database

2. Select a name for the database

3. Select the security template you want to use

4. After the database is created, right-click on the SCA node and select the Configure Computer Now option


Command line

If you have more than just a few computers that you need to configure, but you don’t have access or control over the GPOs in Active Directory, you can deploy security templates using a command line option. The command line tool is named SECEDIT.EXE and is the command line version of the SCA. Almost anything that you can do in the SCA you can also do with the SECEDIT tool.

SECEDIT can either be run on each computer, or it can be scripted to run automatically on many computers. The command that would deploy a security template on a computer is:

SECEDIT /configure /db db1.sdb cfg sectemplatename.inf /log logname.log

This will configure the local computer using a database name of db1.sdb, a security template name of sectplatename.inf, and a log file of logname.log. These names can be anything that you want. If you are scripting the command, you will want to place the security template file on a network share and use a network path to point the computer to the file.

GPOs