Re: Customzing Security Template Files
- From: "Shawn Hansen" <junk@xxxxxxxx>
- Date: Thu, 8 Dec 2005 13:25:29 -0600
Some follow-up questions:
When configuring a service using the Security Template snapin, what are the
ramifications of configuring specific permissions on a service versus not
configuring any permissions? Where are those permissions applied? There is
not a Security tab on the properties of a service, so where are those
permissions getting applied?
The sample security templates from the Win2003 Security Guide configure the
permissions on services extensively. However, when reading the Windows
Group Policy Guide (from MSPress), they only mention that "in most cases,
the service permissions are not set." (p. 573)
I want to be sure I'm not leaving a gaping hole somewhere if I choose to not
configure permissions on services within my security templates.
Thanks,
Shawn
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eNiwYg1%23FHA.504@xxxxxxxxxxxxxxxxxxxxxxx
>I have only seen lines with three fields.
> The service name, the state, and the ACLing
> I assume you are not having issue with the first two of these.
> The last is a standard SDDL syntax statement of DACL+SACL
> http://msdn.microsoft.com/library/en-us/security/security/security_descriptor_string_format.asp
> You may find getsid.exe from support tools of use if you are not
> granting/denying well-knows principals.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "Shawn Hansen" <junk@xxxxxxxx> wrote in message
> news:uBfDLr0%23FHA.1676@xxxxxxxxxxxxxxxxxxxxxxx
>>I am working with a client who is setting up a new AD forest/domain and
>> we're working on putting together some baseline group policy objects to
>> help
>> lock down member server configurations.
>>
>> I've been using the Windows Server 2003 Security Guide as a reference and
>> tested some of the included security templates, but there are some things
>> I'd like to customize in the templates. The biggest concern is
>> adding/removing services to the "System Services" section of a particular
>> security template.
>>
>> Removing services from a template appears to be simple enough--just
>> comment
>> out the service you don't want from the INF file before you import it.
>> However, adding a new service seems a bit complicated. I can't seem to
>> find
>> any reference for the syntax of the lines in the "Service General
>> Setting"
>> section that define what services are included in the INF file.
>>
>> Where can I find some definitive reference information about the syntax
>> and
>> how to customize the services section of security template INF files?
>>
>> Thanks,
>>
>> Shawn Hansen
>>
>>
>>
>
>
.
- Follow-Ups:
- Re: Customzing Security Template Files
- From: Roger Abell [MVP]
- Re: Customzing Security Template Files
- From: Roger Abell [MVP]
- Re: Customzing Security Template Files
- References:
- Customzing Security Template Files
- From: Shawn Hansen
- Re: Customzing Security Template Files
- From: Roger Abell [MVP]
- Customzing Security Template Files
- Prev by Date: Re: Password Complexity
- Next by Date: Re: Odd happenings to IE Temporary internet files: Thanks
- Previous by thread: Re: Customzing Security Template Files
- Next by thread: Re: Customzing Security Template Files
- Index(es):
Relevant Pages
|
