Re: [ActiveDir] security templates
Dear All, have rather belatedly got to this. Thanks for the posted replies on this. this looks an excellent reference. it would seem that these are later versions of the templates made avialable through the security operations guide. could anyone point us to URL where these are available for download am just reveiwing the high security DC templates - I see that the user rights assignment references what i would assume to be well known SID's would anyone perhaps be able to point me to a reference wehere these are documented ?? Thanks for you help GT - Original Message - From: Rick Kingslan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 11:52 PM Subject: RE: [ActiveDir] security templates Thanks, Bob! ;-) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, February 18, 2003 5:26 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Funny, I was just looking at those :-] http://www.microsoft.com/technet/treeview/default.asp?url=/tec hnet/security/issues/W2kCCSCG/W2kSCGcf.asp -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Graham, Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Tuesday, February 18, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] security templates very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg Automatic updates Background Intelligent transfer service would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!! GT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] security templates
Graham, If there are versions of the templates that have been made available since those initial ones, I'm unaware of them. As to the SIDs, as I recall, you're correct - they are well-known principals, users and groups both. I've seen these documented numerous places, but I can't think of one good source off the top of my head. I typically use SIDToNAME, coded by another MVP, Joe Richards - and available at his site www.joeware.net On a whim, I did a quick check on the MS Knowledgebase and found this. It's pretty complete and should help: http://mvp.support.microsoft.com/default.aspx?scid=kb;en-us;243330 Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Sunday, February 23, 2003 5:33 AM To: [EMAIL PROTECTED] Dear All, have rather belatedly got to this. Thanks for the posted replies on this. this looks an excellent reference. it would seem that these are later versions of the templates made avialable through the security operations guide. could anyone point us to URL where these are available for download am just reveiwing the high security DC templates - I see that the user rights assignment references what i would assume to be well known SID's would anyone perhaps be able to point me to a reference wehere these are documented ?? Thanks for you help GT - Original Message - From: Rick Kingslan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 11:52 PM Subject: RE: [ActiveDir] security templates Thanks, Bob! ;-) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, February 18, 2003 5:26 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Funny, I was just looking at those :-] http://www.microsoft.com/technet/treeview/default.asp?url=/tec hnet/security/issues/W2kCCSCG/W2kSCGcf.asp -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Graham, Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Tuesday, February 18, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] security templates very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg Automatic updates Background Intelligent transfer service would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!! GT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info :
Re: [ActiveDir] security templates
Rick, Q243330 - thats' great - exactly what i look for. i have to admit that the issue of security templates is a little frustrating. i guess it is indicative of the ongoing development of w2k but nonetheless a little time consuming to be having to mod security templates, reload into GPOs each time a service pack introduces any number of services that do not fulfil the requirement of minimal (secure) configuration. for me i think to use the security operationd guide templates as the starting point, tweaks to get out the SP3 nasties !! ps how's the soccer going for you ?? GT - Original Message - From: Rick Kingslan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, February 23, 2003 4:11 PM Subject: RE: [ActiveDir] security templates Graham, If there are versions of the templates that have been made available since those initial ones, I'm unaware of them. As to the SIDs, as I recall, you're correct - they are well-known principals, users and groups both. I've seen these documented numerous places, but I can't think of one good source off the top of my head. I typically use SIDToNAME, coded by another MVP, Joe Richards - and available at his site www.joeware.net On a whim, I did a quick check on the MS Knowledgebase and found this. It's pretty complete and should help: http://mvp.support.microsoft.com/default.aspx?scid=kb;en-us;243330 Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Sunday, February 23, 2003 5:33 AM To: [EMAIL PROTECTED] Dear All, have rather belatedly got to this. Thanks for the posted replies on this. this looks an excellent reference. it would seem that these are later versions of the templates made avialable through the security operations guide. could anyone point us to URL where these are available for download am just reveiwing the high security DC templates - I see that the user rights assignment references what i would assume to be well known SID's would anyone perhaps be able to point me to a reference wehere these are documented ?? Thanks for you help GT - Original Message - From: Rick Kingslan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 11:52 PM Subject: RE: [ActiveDir] security templates Thanks, Bob! ;-) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, February 18, 2003 5:26 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Funny, I was just looking at those :-] http://www.microsoft.com/technet/treeview/default.asp?url=/tec hnet/security/issues/W2kCCSCG/W2kSCGcf.asp -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Graham, Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Tuesday, February 18, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] security templates very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg Automatic updates Background Intelligent transfer service would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!! GT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive:
RE: [ActiveDir] security templates
Hi Rick, The URL you posted is available to MVP accounts only. However, an open reference can be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;243330 Mike Thommes Argonne National Laboratory -Original Message- From: Rick Kingslan To: [EMAIL PROTECTED] Sent: 2/23/2003 10:11 AM Subject: RE: [ActiveDir] security templates Graham, If there are versions of the templates that have been made available since those initial ones, I'm unaware of them. As to the SIDs, as I recall, you're correct - they are well-known principals, users and groups both. I've seen these documented numerous places, but I can't think of one good source off the top of my head. I typically use SIDToNAME, coded by another MVP, Joe Richards - and available at his site www.joeware.net On a whim, I did a quick check on the MS Knowledgebase and found this. It's pretty complete and should help: http://mvp.support.microsoft.com/default.aspx?scid=kb;en-us;243330 Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Sunday, February 23, 2003 5:33 AM To: [EMAIL PROTECTED] Dear All, have rather belatedly got to this. Thanks for the posted replies on this. this looks an excellent reference. it would seem that these are later versions of the templates made avialable through the security operations guide. could anyone point us to URL where these are available for download am just reveiwing the high security DC templates - I see that the user rights assignment references what i would assume to be well known SID's would anyone perhaps be able to point me to a reference wehere these are documented ?? Thanks for you help GT - Original Message - From: Rick Kingslan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 11:52 PM Subject: RE: [ActiveDir] security templates Thanks, Bob! ;-) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, February 18, 2003 5:26 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Funny, I was just looking at those :-] http://www.microsoft.com/technet/treeview/default.asp?url=/tec hnet/security/issues/W2kCCSCG/W2kSCGcf.asp -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Graham, Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Tuesday, February 18, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] security templates very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg Automatic updates Background Intelligent transfer service would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!! GT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm
Re: [ActiveDir] security templates
yeh, a blatant bit of oneupmanship to us mere mortals - Original Message - From: Thommes, Michael M. [EMAIL PROTECTED] To: 'Rick Kingslan ' [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Sunday, February 23, 2003 5:42 PM Subject: RE: [ActiveDir] security templates Hi Rick, The URL you posted is available to MVP accounts only. However, an open reference can be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;243330 Mike Thommes Argonne National Laboratory -Original Message- From: Rick Kingslan To: [EMAIL PROTECTED] Sent: 2/23/2003 10:11 AM Subject: RE: [ActiveDir] security templates Graham, If there are versions of the templates that have been made available since those initial ones, I'm unaware of them. As to the SIDs, as I recall, you're correct - they are well-known principals, users and groups both. I've seen these documented numerous places, but I can't think of one good source off the top of my head. I typically use SIDToNAME, coded by another MVP, Joe Richards - and available at his site www.joeware.net On a whim, I did a quick check on the MS Knowledgebase and found this. It's pretty complete and should help: http://mvp.support.microsoft.com/default.aspx?scid=kb;en-us;243330 Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Sunday, February 23, 2003 5:33 AM To: [EMAIL PROTECTED] Dear All, have rather belatedly got to this. Thanks for the posted replies on this. this looks an excellent reference. it would seem that these are later versions of the templates made avialable through the security operations guide. could anyone point us to URL where these are available for download am just reveiwing the high security DC templates - I see that the user rights assignment references what i would assume to be well known SID's would anyone perhaps be able to point me to a reference wehere these are documented ?? Thanks for you help GT - Original Message - From: Rick Kingslan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 11:52 PM Subject: RE: [ActiveDir] security templates Thanks, Bob! ;-) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, February 18, 2003 5:26 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Funny, I was just looking at those :-] http://www.microsoft.com/technet/treeview/default.asp?url=/tec hnet/security/issues/W2kCCSCG/W2kSCGcf.asp -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Graham, Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Tuesday, February 18, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] security templates very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg Automatic updates Background Intelligent transfer service would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!! GT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List
[ActiveDir] 128 bit high encrpytion pack
seems a prerequisite for migration of NT4 source to a Windows 2000 target domain is the installation of 128 bit encryption on PES server (on source DC) and ADMT2 host (on target PDC emulator). quick question - how does one tell if this is the case on an NT4 domain controller ?? ditto - win2k - is this not default on an win2k / sp3 install ?? GT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/