Baselining with Security Templates
by Derek Melber - - Monday, 4 October 2004.
SECEDIT can either be run on each computer, or it can be scripted to run automatically on many computers. The command that would deploy a security template on a computer is:

SECEDIT /configure /db db1.sdb cfg sectemplatename.inf /log logname.log

This will configure the local computer using a database name of db1.sdb, a security template name of sectplatename.inf, and a log file of logname.log. These names can be anything that you want. If you are scripting the command, you will want to place the security template file on a network share and use a network path to point the computer to the file.


The most efficient and easy way to deploy security templates is by using GPOs. The GPO provides a scalable and persistent solution. The solution does require and Active Directory domain and access to the GPOs. Using GPOs to implement your security templates are more efficient than the other two solutions because the other two solutions just don’t scale to an entire domain of computers. GPOs provide a method to implement the security templates within the Active Directory structure where the computer accounts are located and organized within organizational units (OUs).

GPOs are easier to implement security templates because the templates can be imported directly into a GPO. Since the GPOs are linked to the OUs which typically are created to house computer object types, it is a perfect solution.

The first step to using GPOs for security template implementation is to have an OU structure in place, which is the case in most Active Directory domains. Next, there needs to be a unique GPO linked to each of the OUs which contain different computer types, for example file servers, print servers, application servers, and clients. In essence, there should be at least one OU and GPO for each security baseline.

To get the security templates into the GPOs, you will need to edit the GPOs using either the ADUC interface or the GPMC. Once the GPO is being edited, you will expand the Computer Configuration node, as shown in Figure 2.

Fig 2: Typical GPO opened to import a security template

After right-clicking on the Security Settings node, you can select the option to Import Policy. This will open up a browse window, allowing you to select the security template for each GPO that you should contain a security template. Then, just close the GPO and the settings are in place.

Once the security template is imported and the GPO saved, the computers within the OU will automatically have the security template settings configured on them within about 90 minutes. This provides an easy way to deploy the security templates, affect all of the computes in the domain easily, and persistent.


Security baselines will help both IT and auditors if they are correctly designed and implemented. The baseline should include all security settings that are essential to locking down the computers, but still allowing them to perform their function. There should be security templates created for each type of client and server that requires different security settings. Once the security templates are created for each type of computer, there are three different options to implement them on the computers. The most efficient and easiest option to deploy the security templates is to use GPOs. The GPOs will be linked to OUs containing the computer accounts. The GPOs will apply the security template settings automatically to the computers within the domain.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th