Customizing Services in the Security Templates
by William R. Stanek, Derek Melber, Darren Mar-Elia, The Microsoft Group Policy Tea
Microsoft® Windows® Group Policy Guide
- Microsoft® Windows® Group Policy Guide
- A Note Regarding Supplemental Files
- About the Authors
- Foreword
- Introduction
- About This Book
- I. Getting Started with Group Policy
- 1. Overview of Group Policy
- 2. Working with Group Policy
- Navigating Group Policy Objects and Settings
- Managing Group Policy Objects
- Creating and Linking GPOs
- Delegating Privileges for Group Policy Management
- Removing Links and Deleting GPOs
- Summary
- 3. Advanced Group Policy Management
- Searching and Filtering Group Policy
- Managing Group Policy Inheritance
- Managing Group Policy Processing and Refresh
- Modeling and Maintaining Group Policy
- Determining the Effective Group Policy Settings and Last Refresh
- Summary
- II. Group Policy Implementation and Scenarios
- 4. Deploying Group Policy
- Group Policy Design Considerations
- Controlling GPO Processing Performance
- Best Practices for Deploying GPOs
- Choosing the Best Level to Link GPOs
- Resources Used by GPOs
- Software Installation
- Designing GPOs Based on GPO Categories
- Limit Enforced and Block Policy Inheritance Options
- When to Use Security Filtering
- When to Use WMI Filters
- Network Topology Considerations
- Limiting Administrative Privileges
- Naming GPOs
- Testing GPOs Before Deployment
- Summary
- 5. Hardening Clients and Servers
- Understanding Security Templates
- Deploying Security Templates
- General Hardening Techniques
- Server Hardening
- Client Hardening
- Troubleshooting
- Summary
- 6. Managing and Maintaining Essential Windows Components
- Configuring Application Compatibility Settings
- Configuring Attachment Manager Settings
- Configuring Event Viewer Information Requests
- Controlling IIS Installation
- Configuring Access to and Use of Microsoft Management Console
- Optimizing NetMeeting Security and Features
- Enabling Security Center for Use in Domains
- Managing Access to Scheduled Tasks and Task Scheduler
- Managing File System, Drive, and Windows Explorer Access Options
- Hiding Drives in Windows Explorer and Related Views
- Preventing Access to Drives in Windows Explorer and Related Views
- Removing CD-Burning and DVD-Burning Features in Windows Explorer and Related Views
- Removing the Security Tab in Windows Explorer and Related Views
- Limiting the Maximum Size of the Recycle Bin
- Optimizing the Windows Installer Configuration
- Controlling System Restore Checkpoints for Program Installations
- Configuring Baseline File Cache Usage
- Controlling Rollback File Creation
- Elevating User Privileges for Installation
- Controlling Per-User Installation and Program Operation
- Preventing Installation from Floppy Disk, CD, DVD, and Other Removable Media
- Configuring Windows Installer Logging
- Optimizing Automatic Updates with Windows Update
- Summary
- 7. Managing User Settings and Data
- Understanding User Profiles and Group Policy
- Configuring Roaming Profiles
- Optimizing User Profile Configurations
- Redirecting User Profile Folders and Data
- Managing Computer and User Scripts
- Summary
- 8. Maintaining Internet Explorer Configurations
- Customizing the Internet Explorer Interface
- Customizing URLs, Favorites, and Links
- Configuring Global Default Programs
- Optimizing Connection and Proxy Settings
- Enhancing Internet Explorer Security
- Configuring Additional Policies for Internet Options
- Summary
- 9. Deploying and Maintaining Software Through Group Policy
- Understanding Group Policy Software Installation
- Planning the Software Deployment
- Deploying Software Through Group Policy
- Configuring Advanced and Global Software Installation Options
- Viewing and Setting General Deployment Properties
- Changing the Deployment Type and Installation Options
- Defining Application Categories
- Adding, Modifying, and Removing Application Categories
- Adding an Application to a Category
- Performing Upgrades
- Customizing the Installation Package with Transforms
- Controlling Deployment by Security Group
- Setting Global Deployment Defaults
- Deploying Microsoft Office and Service Packs
- Maintaining Deployed Applications
- Removing Deployed Applications
- Redeploying Applications
- Configuring Software Restriction Policies
- Troubleshooting Software Installation Policy
- Summary
- 10. Managing Microsoft Office Configurations
- Introducing Office Configuration Management
- Customizing Office Configurations
- Managing Office-Related Policy
- Working with Office-Related Policy
- Examining Global and Application-Specific Settings
- Configuring Office-Related Policy Settings
- Preventing Users from Changing Office Configurations
- Controlling Default File and Folder Locations
- Configuring Outlook Security Options
- Controlling Office Language Settings
- Troubleshooting Office Administrative Template Policy
- Summary
- 11. Maintaining Secure Network Communications
- Understanding IPSec Policy
- Managing and Maintaining IPSec Policy
- Deploying Public Key Policies
- Understanding Windows Firewall Policy
- Managing Windows Firewall Policy
- Summary
- 12. Creating Custom Environments
- Loopback Processing
- Terminal Services
- Controlling Terminal Services Through Group Policy on an Individual Computer
- Controlling Terminal Services Through Group Policy in a Domain
- Configuring Order of Precedence
- Configuring Terminal Services User Properties
- Configuring License Server Using Group Policy Settings
- Configuring Terminal Services Connections
- Limit Number of Connections
- Set Client Connection Encryption Level
- Secure Server (Require Security)
- Start a Program on Connection
- Set Rules for Remote Control to Terminal Services User Sessions
- Set Time Limit for Disconnected Sessions
- Set Time Limit for Active Terminal Services Sessions
- Terminate Session When Time Limits Are Reached
- Allow Reconnection From Original Client Only
- Managing Drive, Printer, and Device Mappings for Clients
- Controlling Terminal Services Profiles
- Group Policy over Slow Links
- Summary
- 4. Deploying Group Policy
- III. Group Policy Customization
- 13. Group Policy Structure and Processing
- Navigating Group Policy Logical Structure
- Navigating Group Policy Physical Structure
- Navigating Group Policy Link Structure
- Understanding Group Policy Processing
- Examining Client-Side Extension Processing
- Examining Server-Side Extension Processing
- Setting Storage for Wireless Network Policy
- Setting Storage for Folder Redirection Policy
- Setting Storage for Administrative Templates Policy
- Setting Storage for Disk Quota Policy
- Setting Storage for QoS Packet Scheduler Policy
- Setting Storage for Scripts
- Setting Storage for Internet Explorer Maintenance Policy
- Setting Storage for Security Policy
- Setting Storage for Software Installation Policy
- Setting Storage for IP Security Policy
- Understanding Policy Processing Events
- Asynchronous vs. Synchronous Policy Processing
- Tracking Policy Application
- Tracking Slow Link Detection
- Modifying Security Policy Processing
- Group Policy History and State Data
- Navigating Local GPO Structure
- Summary
- 14. Customizing Administrative Templates
- What Is an Administrative Template?
- Creating Custom .adm Files
- A Simple .adm File
- Using .adm File Language
- Best Practices
- Summary
- 15. Security Templates
- 13. Group Policy Structure and Processing
- IV. Group Policy Troubleshooting
- 16. Troubleshooting Group Policy
- Group Policy Troubleshooting Essentials
- Essential Troubleshooting Tools
- Group Policy Logging
- Summary
- 17. Resolving Common Group Policy Problems
- Solving GPO Administration Problems
- Group Policy Settings Are Not Being Applied Due to Infrastructure Problems
- Solving Implementation Problems
- Summary
- 16. Troubleshooting Group Policy
- V. Appendixes
- A. Group Policy Reference
- B. New Features in Windows Server 2003 Service Pack 1
- C. GPMC Scripting
- GPMC Scripting Interface Essentials
- Using the GPMC’s Prebuilt Scripts
- Creating GPOs
- Deleting GPOs
- Finding Disabled GPOs
- Finding GPOs by Security Group
- Finding GPOs Without Active Links
- Setting GPO Creation Permissions
- Setting Other GPO Permissions
- Backing Up All GPOs
- Backing Up Individual GPOs
- Copying GPOs
- Importing GPOs
- Generating RSoP Reports
- Mirroring Your Production Environment
- GPMC Prebuilt Script Review
- D. Office 2003 Administrative Template Highlights
- Microsoft Access 2003
- Microsoft Excel 2003
- Microsoft FrontPage 2003
- Microsoft Clip Organizer 2003
- Microsoft InfoPath 2003
- Microsoft Office 2003
- Microsoft OneNote 2003
- Microsoft Outlook 2003
- Microsoft PowerPoint 2003
- Microsoft Project 2003
- Microsoft Publisher 2003
- Microsoft Visio 2003
- Microsoft Word 2003
- Index
- About the Authors
- Copyright
Earlier we described a pitfall with the System Services portion of the security template: the list of services that shows up in the security templates interface is driven by the computer that performs the administration. Because many of the computers used for administering security templates and GPOs are workstations, some server-related services will not be available when you attempt to edit them in the Security Templates snap-in.
One workaround for not having the correct service display when you edit the security templates is to administer the security templates from a computer that has the appropriate services already installed. However, this can be a problem, depending on the physical location of the server and the privileges that you have on that computer.
Another solution is to install as many services as possible on your workstation that you use for administration purposes. Of course, this will work only for a subset of all of the services that can run on a server.
Yet another solution is to install a dedicated server for administering security templates and GPOs. You can install all of the services on this computer, giving you access to all of the services you need for creating and modifying the security templates and GPOs with regard to services.
Another solution to consider is to manually control the services using the raw security template files. This approach requires you to get a listing of all of the services and the correct syntax stored in the security template file.
You will not always have a computer available to you that has every service required to make changes to the security templates or GPOs. In this case, you can manually update the security template files with the syntax that is associated with your service. To do this, you must have a list of all services your company uses and the syntax associated with each service as it is stored in the security template.
To get this list of service syntax, you must go at least once to a computer that has each service installed on it. This will allow you to get the syntax from the saved security template after configuring the service. Because the syntax used to modify the service is stored in the .inf files on the local computer, you can quickly acquire this list of services. You can then quickly compile the list into a single file that can be referenced from any computer and manually inserted into any security template file as needed.
Here is a list of some common services and the syntax used when they are configured in a security template.
DHCP | "DHCPServer",X,"" |
DNS | "DNS",X,"" |
HTTP SSL | "HTTPFilter",X,"" |
IIS Admin | "IISADMIN",X,"" |
Certificate Services | "CertSvc",X,"" |
World Wide Web Publishing Service | "W3SVC",X,"" |
The X in each syntax listing is a numeric variable that depends on the startup mode that you configure for the service. There are three startup modes: Automatic, Manual, and Disabled. Each has a numeric value associated with it, which you must insert in place of the X for each service and startup type. The numeric values for the startup types are as follows:
Startup Mode | Numeric Value |
Automatic | 2 |
Manual | 3 |
Disabled | 4 |
The double quotes ("") following the numeric value will include any permissions that you establish from within the security template for the service. This syntax is complex and can take a long time to configure. In most cases, the service permissions are not set.
Once you know the service syntax and you know which security template it needs to be added to, your work is almost finished. All you need to do is open up the security template file using Notepad and insert the correct code for the service you want to control.
When you open up the security template in Notepad, you must find the [Service General Setting] section. If this section does not exist, you can just add it to the bottom of the current file text. If you want to ensure that the DNS, DHCP, and Certificate Services start automatically but you wanted the IIS Admin Service to start disabled, you can add the following code to the appropriate security template file:
[Service General Setting] "DNS", 2, " " "DHCPServer", 2, " " "CertSvc", 2, " " "IISADMIN", 4, " "
-
No Comment