Re: [ActiveDir] security templates
Have reviewed these templates

seem to have addressed the issue of services that have been introduced by SP3 such as BITS ..

my only point would be the relation of these templates to those issued as part of the security operations guidelines from Microsoft ie.

1. version control of these templates is not consistent.

2. more importantly - seem to have some other inconsistencies - for example in the time between issuance of the two sets of templates MS have decided that baseline security event log should be set to max size of 180 or so MB where before 10 MB was deemed adequate - seem to have changed their minds over auditlogretentionperiod

not major i guess in the context of an entire w2k installation but am just reflecting on the inconsistencies from an initial comparison of the 2 sets of templates

views would be gladly received for further discussion

GT

----- Original Message -----
From: Free, Bob [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 6:00 PM
Subject: RE: [ActiveDir] security templates

> very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

The new Securing Windows 2000 Server solution is now available and contains a number of new templates:

MSS Baseline.inf
MSS DCBaseline Role.inf
MSS Domain.inf
MSS FilePrint Role.inf
MSS IIS Role.inf
MSS Infrastructure Role.inf
MSS Optional File System ACLs.inf

Since the original question was about services included in SP3, I took a quick glance and, BITS, for example is accounted for in the template framework.

Download- http://microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6displaylang=en

Guide- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/secwin2k/default.asp

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Thanks, Bob! ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, February 18, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] security templates
> very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

The new Securing Windows 2000 Server solution is now available and contains a number of new templates:

MSS Baseline.inf
MSS DCBaseline Role.inf
MSS Domain.inf
MSS FilePrint Role.inf
MSS IIS Role.inf
MSS Infrastructure Role.inf
MSS Optional File System ACLs.inf

Since the original question was about services included in SP3, I took a quick glance and, BITS, for example is accounted for in the template framework.

Download- http://microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6displaylang=en

Guide- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/secwin2k/default.asp

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Thanks, Bob! ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, February 18, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT
Re: [ActiveDir] security templates
Thanks too from me !!!

will review these tomorrow

settling down to watch 2nd half of Juve / Man utd

3-0 to Man U if you can believe that !

GT

----- Original Message -----
From: Free, Bob [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 6:00 PM
Subject: RE: [ActiveDir] security templates

> very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

The new Securing Windows 2000 Server solution is now available and contains a number of new templates:

MSS Baseline.inf
MSS DCBaseline Role.inf
MSS Domain.inf
MSS FilePrint Role.inf
MSS IIS Role.inf
MSS Infrastructure Role.inf
MSS Optional File System ACLs.inf

Since the original question was about services included in SP3, I took a quick glance and, BITS, for example is accounted for in the template framework.

Download- http://microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6displaylang=en

Guide- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/secwin2k/default.asp

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Thanks, Bob! ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, February 18, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT
Re: [ActiveDir] security templates
Dear All, have rather belatedly got to this.

Thanks for the posted replies on this. this looks an excellent reference. it would seem that these are later versions of the templates made available through the security operations guide. could anyone point us to URL where these are available for download

am just reviewing the high security DC templates - I see that the user rights assignment references what i would assume to be well known SIDs

would anyone perhaps be able to point me to a reference where these are documented ??

Thanks for your help

GT

----- Original Message -----
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 11:52 PM
Subject: RE: [ActiveDir] security templates

Thanks, Bob! ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, February 18, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT
RE: [ActiveDir] security templates
Graham,

If there are versions of the templates that have been made available since those initial ones, I'm unaware of them.

As to the SIDs, as I recall, you're correct - they are well-known principals, users and groups both. I've seen these documented numerous places, but I can't think of one good source off the top of my head. I typically use SIDToNAME, coded by another MVP, Joe Richards - and available at his site www.joeware.net

On a whim, I did a quick check on the MS Knowledgebase and found this. It's pretty complete and should help:

http://mvp.support.microsoft.com/default.aspx?scid=kb;en-us;243330

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Sunday, February 23, 2003 5:33 AM
To: [EMAIL PROTECTED]

Dear All, have rather belatedly got to this.

Thanks for the posted replies on this. this looks an excellent reference. it would seem that these are later versions of the templates made available through the security operations guide. could anyone point us to URL where these are available for download

am just reviewing the high security DC templates - I see that the user rights assignment references what i would assume to be well known SIDs

would anyone perhaps be able to point me to a reference where these are documented ??

Thanks for your help

GT

----- Original Message -----
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 11:52 PM
Subject: RE: [ActiveDir] security templates

Thanks, Bob! ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, February 18, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT
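The two checks discussed in this thread, as an added example that is not code from any poster or from Microsoft: comparing two versions of a security template setting by setting, and translating the well-known SIDs in [Privilege Rights] with the table from KB 243330. The template text, the domain SID, the installed-service list and all function names are constructed for illustration.

```python
import re

# Subset of the well-known SIDs documented in Microsoft KB 243330.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
# Well-known relative IDs appended to a domain SID (S-1-5-21-x-y-z-RID).
DOMAIN_RIDS = {500: "Administrator", 501: "Guest",
               512: "Domain Admins", 513: "Domain Users"}
DOMAIN_SID = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Constructed samples (not the shipped templates). MaximumLogSize is in KB:
# 10240 KB = 10 MB and 184320 KB = 180 MB, the two sizes mentioned above.
OLD_TEMPLATE = """\
[Security Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-1-0
[Service General Setting]
"Alerter",4,"D:(A;;GA;;;BA)(A;;GR;;;AU)"
"""
NEW_TEMPLATE = """\
[Security Log]
MaximumLogSize = 184320
AuditLogRetentionPeriod = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-501
[Service General Setting]
"Alerter",4,"D:(A;;GA;;;BA)(A;;GR;;;AU)"
"BITS",4,"D:(A;;GA;;;BA)(A;;GR;;;AU)"
"wuauserv",4,"D:(A;;GA;;;BA)(A;;GR;;;AU)"
"""
INSTALLED = ["Alerter", "BITS", "wuauserv"]  # constructed service inventory


def parse_template(text):
    """Return {section: {key: value}} for the text of a security template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None:
            if "=" in line and not line.startswith('"'):
                key, value = (p.strip() for p in line.split("=", 1))
            else:
                # [Service General Setting] rows: "Name",startup,"SDDL"
                key, _, value = line.partition(",")
                key = key.strip().strip('"')
            current[key] = value
    return sections


def diff_templates(old, new):
    """List (section, key, old_value, new_value) for every differing setting."""
    changes = []
    for section in sorted(set(old) | set(new)):
        a, b = old.get(section, {}), new.get(section, {})
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):
                changes.append((section, key, a.get(key), b.get(key)))
    return changes


def resolve_sid(entry):
    """Translate one [Privilege Rights] entry; unknown values pass through."""
    sid = entry.strip().lstrip("*")
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    match = DOMAIN_SID.match(sid)
    if match and int(match.group(1)) in DOMAIN_RIDS:
        return "<domain>\\" + DOMAIN_RIDS[int(match.group(1))]
    return entry.strip()


def resolve_rights(template):
    """Map each user right to the resolved names of its holders."""
    rights = template.get("Privilege Rights", {})
    return {right: [resolve_sid(e) for e in value.split(",") if e.strip()]
            for right, value in rights.items()}


def uncovered_services(template, installed):
    """Installed services the template does not configure at all."""
    covered = {n.lower() for n in template.get("Service General Setting", {})}
    return sorted(s for s in installed if s.lower() not in covered)


if __name__ == "__main__":
    old, new = parse_template(OLD_TEMPLATE), parse_template(NEW_TEMPLATE)
    for section, key, before, after in diff_templates(old, new):
        print(f"[{section}] {key}: {before!r} -> {after!r}")
    for right, holders in resolve_rights(new).items():
        print(f"{right}: {', '.join(holders)}")
    print("not covered by old template:", uncovered_services(old, INSTALLED))
```

Template files on disk are usually saved as UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_template`.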
Re: [ActiveDir] security templates
Rick,

Q243330 - that's great - exactly what i look for.

i have to admit that the issue of security templates is a little frustrating. i guess it is indicative of the ongoing development of w2k but nonetheless a little time consuming to be having to mod security templates, reload into GPOs each time a service pack introduces any number of services that do not fulfil the requirement of minimal (secure) configuration.

for me i think to use the security operations guide templates as the starting point, tweaks to get out the SP3 nasties !!

ps how's the soccer going for you ??

GT

----- Original Message -----
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, February 23, 2003 4:11 PM
Subject: RE: [ActiveDir] security templates

Graham,

If there are versions of the templates that have been made available since those initial ones, I'm unaware of them.

As to the SIDs, as I recall, you're correct - they are well-known principals, users and groups both. I've seen these documented numerous places, but I can't think of one good source off the top of my head. I typically use SIDToNAME, coded by another MVP, Joe Richards - and available at his site www.joeware.net

On a whim, I did a quick check on the MS Knowledgebase and found this. It's pretty complete and should help:

http://mvp.support.microsoft.com/default.aspx?scid=kb;en-us;243330

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Sunday, February 23, 2003 5:33 AM
To: [EMAIL PROTECTED]

Dear All, have rather belatedly got to this.

Thanks for the posted replies on this. this looks an excellent reference. it would seem that these are later versions of the templates made available through the security operations guide. could anyone point us to URL where these are available for download

am just reviewing the high security DC templates - I see that the user rights assignment references what i would assume to be well known SIDs

would anyone perhaps be able to point me to a reference where these are documented ??

Thanks for your help

GT

----- Original Message -----
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 11:52 PM
Subject: RE: [ActiveDir] security templates

Thanks, Bob! ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, February 18, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT
RE: [ActiveDir] security templates
Hi Rick,

The URL you posted is available to MVP accounts only. However, an open reference can be found at

http://support.microsoft.com/default.aspx?scid=kb;en-us;243330

Mike Thommes
Argonne National Laboratory

-----Original Message-----
From: Rick Kingslan
To: [EMAIL PROTECTED]
Sent: 2/23/2003 10:11 AM
Subject: RE: [ActiveDir] security templates

Graham,

If there are versions of the templates that have been made available since those initial ones, I'm unaware of them.

As to the SIDs, as I recall, you're correct - they are well-known principals, users and groups both. I've seen these documented numerous places, but I can't think of one good source off the top of my head. I typically use SIDToNAME, coded by another MVP, Joe Richards - and available at his site www.joeware.net

On a whim, I did a quick check on the MS Knowledgebase and found this. It's pretty complete and should help:

http://mvp.support.microsoft.com/default.aspx?scid=kb;en-us;243330

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Sunday, February 23, 2003 5:33 AM
To: [EMAIL PROTECTED]

Dear All, have rather belatedly got to this.

Thanks for the posted replies on this. this looks an excellent reference. it would seem that these are later versions of the templates made available through the security operations guide. could anyone point us to URL where these are available for download

am just reviewing the high security DC templates - I see that the user rights assignment references what i would assume to be well known SIDs

would anyone perhaps be able to point me to a reference where these are documented ??

Thanks for your help

GT

----- Original Message -----
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 11:52 PM
Subject: RE: [ActiveDir] security templates

Thanks, Bob! ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, February 18, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT
Re: [ActiveDir] security templates
yeh, a blatant bit of oneupmanship to us mere mortals

- Original Message -
From: Thommes, Michael M. [EMAIL PROTECTED]
To: 'Rick Kingslan ' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, February 23, 2003 5:42 PM
Subject: RE: [ActiveDir] security templates

Hi Rick,

The URL you posted is available to MVP accounts only. However, an open reference can be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;243330

Mike Thommes
Argonne National Laboratory

-Original Message-
From: Rick Kingslan
To: [EMAIL PROTECTED]
Sent: 2/23/2003 10:11 AM
Subject: RE: [ActiveDir] security templates

Graham,

If there are versions of the templates that have been made available since those initial ones, I'm unaware of them.

As to the SIDs, as I recall, you're correct - they are well-known principals, users and groups both. I've seen these documented numerous places, but I can't think of one good source off the top of my head. I typically use SIDToNAME, coded by another MVP, Joe Richards - and available at his site www.joeware.net

On a whim, I did a quick check on the MS Knowledgebase and found this. It's pretty complete and should help:

http://mvp.support.microsoft.com/default.aspx?scid=kb;en-us;243330

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Sunday, February 23, 2003 5:33 AM
To: [EMAIL PROTECTED]

Dear All,

have rather belatedly got to this. Thanks for the posted replies on this.

this looks an excellent reference. it would seem that these are later versions of the templates made available through the security operations guide.

could anyone point us to URL where these are available for download

am just reviewing the high security DC templates - I see that the user rights assignment references what i would assume to be well known SID's

would anyone perhaps be able to point me to a reference where these are documented ??

Thanks for your help

GT

- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 11:52 PM
Subject: RE: [ActiveDir] security templates

Thanks, Bob! ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Tuesday, February 18, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT
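An added example, not part of the thread and not the SIDToNAME tool mentioned in it: the `*S-1-...` entries in a template's [Privilege Rights] section can be named offline, because well-known SIDs have the same value on every installation. The template text, the domain SID and RID 1104 below are constructed sample values; `resolve`, `privilege_rights` and `unresolved` are names chosen for this sketch.

```python
import re

# Constructed sample: a [Privilege Rights] section in security-template (.inf)
# syntax. The domain SID and RID 1104 are made-up values.
SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-501
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104
"""
# Fixed SIDs that are identical on every Windows installation.
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-2": "NETWORK", "S-1-5-4": "INTERACTIVE",
    "S-1-5-7": "ANONYMOUS LOGON", "S-1-5-9": "ENTERPRISE DOMAIN CONTROLLERS",
    "S-1-5-11": "Authenticated Users", "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests", "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-550": "BUILTIN\\Print Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
# Well-known relative IDs that follow a domain SID (S-1-5-21-a-b-c-RID).
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
               513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers",
               516: "Domain Controllers", 519: "Enterprise Admins"}
DOMAIN_SID = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

def resolve(entry):
    """Map one template entry to a name; plain account names pass through."""
    entry = entry.strip()
    if not entry.startswith("*"):
        return entry
    sid = entry[1:]
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    match = DOMAIN_SID.match(sid)
    if match and int(match.group(1)) in DOMAIN_RIDS:
        return "<domain>\\" + DOMAIN_RIDS[int(match.group(1))]
    return "UNRESOLVED:" + sid  # site-specific account; needs a live lookup

def privilege_rights(inf_text):
    """Return {right: [resolved trustees]} for the [Privilege Rights] section."""
    rights, section = {}, None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [resolve(v) for v in value.split(",") if v.strip()]
    return rights

def unresolved(inf_text):
    """Rights that reference SIDs this table cannot name (review these by hand)."""
    return sorted(right for right, who in privilege_rights(inf_text).items()
                  if any(w.startswith("UNRESOLVED:") for w in who))
```

Entries reported by `unresolved` are accounts specific to one domain or machine, which is where a template copied between environments stops meaning what its author intended.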
RE: [ActiveDir] security templates
Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT
RE: [ActiveDir] security templates
Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT
RE: [ActiveDir] security templates
Thanks, Bob! ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Tuesday, February 18, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates

Graham,

Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Tuesday, February 18, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security templates

very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg

Automatic updates
Background Intelligent transfer service

would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!!

GT
RE: [ActiveDir] Security Templates
Yes, that is what I was trying to do. Have I done anything wrong? I added folder paths in a new security template called folders, and I set the permissions I wanted. And then I imported it in the Group policy object that takes care of some of my users, and computers. But it seems not to be working. My users are still able to browse all of C: and even delete files from folders under C: that they have no privileges to do according to the Template I created.

regards,
Marija

-- Original Message --
From: Leney, Justin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 24 Sep 2002 17:17:25 -0400

You have been trying to set file system permissions via a template?

-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security Templates

Thanks, I'll try that. Actually I have already been doing that but it seems not to be working.

Regards
marija

-- Original Message --
From: Leney, Justin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 24 Sep 2002 13:42:38 -0400

Marija,

http://nsa2.www.conxion.com/win2k/index.html

Lots of good info concerning Templates and how to implement/administer them.

Microsoft Recommends this:

C:\... (and most everything underneath)
Administrators - FC
System - FC
Authenticated Users - Read, Execute

Users should not be denied access to most of the C:, as they'll need to execute dll's and whatnot.

--

C:\Documents and Settings\%username%\ (these will be set by the OS when the user logs into the local computer or domain)
Administrators - FC
System - FC
%username% - FC (or Change, if you don't want them to delete their profile directory)

-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:02 AM
To: ActiveDirLista
Subject: [ActiveDir] Security Templates

Hallo,

Can anybody tell me where can I find more documentation on Security Templates especially about working with the File System on local computers.

Also, can anybody send me an example on how to deny access to all folders on the local C: drive, and then allow only one specific folder for every user. So drive C: and all subfolders should be inaccessible for everybody. But, for example the user marija should be able to access only her My Documents folder and have the rights that I assign her. She should not be able to see, browse, list the contents, and not to mention to read, or write to any other folder on drive C:

Thanks,
Marija
RE: [ActiveDir] Security Templates
Marija,

http://nsa2.www.conxion.com/win2k/index.html

Lots of good info concerning Templates and how to implement/administer them.

Microsoft Recommends this:

C:\... (and most everything underneath)
Administrators - FC
System - FC
Authenticated Users - Read, Execute

Users should not be denied access to most of the C:, as they'll need to execute dll's and whatnot.

--

C:\Documents and Settings\%username%\ (these will be set by the OS when the user logs into the local computer or domain)
Administrators - FC
System - FC
%username% - FC (or Change, if you don't want them to delete their profile directory)

-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:02 AM
To: ActiveDirLista
Subject: [ActiveDir] Security Templates

Hallo,

Can anybody tell me where can I find more documentation on Security Templates especially about working with the File System on local computers.

Also, can anybody send me an example on how to deny access to all folders on the local C: drive, and then allow only one specific folder for every user. So drive C: and all subfolders should be inaccessible for everybody. But, for example the user marija should be able to access only her My Documents folder and have the rights that I assign her. She should not be able to see, browse, list the contents, and not to mention to read, or write to any other folder on drive C:

Thanks,
Marija
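An added example, not part of the thread: a reviewer can read a template's [File Security] entries before it is imported into a GPO and see which ACEs give broad groups write or delete rights, or deny them outright (the case the message above warns against for most of C:). The `.inf` lines, the `Apps` and `Private` paths and the finding labels are constructed for illustration; the check reads only the template text and does not show whether a policy was applied.

```python
import csv
import re

# Constructed sample template: the first entry mirrors the ACL recommended in the
# message above; the paths and the other two ACLs are made up for illustration.
SAMPLE_INF = r'''
[File Security]
"%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
"%SystemDrive%\Apps",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)"
"%SystemDrive%\Private",2,"D:PAR(D;OICI;FA;;;AU)(A;OICI;FA;;;BA)"
'''

# SDDL right codes -> access-mask bits for file objects.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# Write data, append, delete child, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE/ALL.
WRITE_BITS = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
# SDDL aliases for groups that contain every ordinary user.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users"}

def mask_of(rights):
    """Turn an SDDL rights field (hex mask or two-letter codes) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in (rights[i:i + 2] for i in range(0, len(rights), 2)):
        mask |= RIGHTS[code]  # KeyError on a code this table does not cover
    return mask

def dacl_aces(sddl):
    """Yield (type, mask, trustee) for each ACE in the DACL part of an SDDL string."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        yield fields[0], mask_of(fields[2]), fields[5]

def audit(inf_text):
    """Return (path, finding, group) for [File Security] ACEs that deserve review."""
    findings, section = [], None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif line and not line.startswith(";") and section == "file security":
            path, _mode, sddl = next(csv.reader([line]))
            for ace_type, mask, trustee in dacl_aces(sddl):
                if trustee in BROAD and ace_type == "D":
                    findings.append((path, "broad-deny", BROAD[trustee]))
                elif trustee in BROAD and ace_type == "A" and mask & WRITE_BITS:
                    findings.append((path, "broad-write", BROAD[trustee]))
    return findings
```

The first sample entry produces no finding; the second is flagged because `0x1301bf` (Modify) includes delete and write bits for BUILTIN\Users.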
RE: [ActiveDir] Security Templates
You have been trying to set file system permissions via a template?

-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security Templates

Thanks, I'll try that. Actually I have already been doing that but it seems not to be working.

Regards
marija

-- Original Message --
From: Leney, Justin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 24 Sep 2002 13:42:38 -0400

Marija,

http://nsa2.www.conxion.com/win2k/index.html

Lots of good info concerning Templates and how to implement/administer them.

Microsoft Recommends this:

C:\... (and most everything underneath)
Administrators - FC
System - FC
Authenticated Users - Read, Execute

Users should not be denied access to most of the C:, as they'll need to execute dll's and whatnot.

--

C:\Documents and Settings\%username%\ (these will be set by the OS when the user logs into the local computer or domain)
Administrators - FC
System - FC
%username% - FC (or Change, if you don't want them to delete their profile directory)

-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:02 AM
To: ActiveDirLista
Subject: [ActiveDir] Security Templates

Hallo,

Can anybody tell me where can I find more documentation on Security Templates especially about working with the File System on local computers.

Also, can anybody send me an example on how to deny access to all folders on the local C: drive, and then allow only one specific folder for every user. So drive C: and all subfolders should be inaccessible for everybody. But, for example the user marija should be able to access only her My Documents folder and have the rights that I assign her. She should not be able to see, browse, list the contents, and not to mention to read, or write to any other folder on drive C:

Thanks,
Marija