Re: security template file import

From: Graham Turner (gturner_at_ipcomputers.demon.co.uk)
Date: 09/19/03


Date: Fri, 19 Sep 2003 16:38:17 +0100


Nick, glad you have got back on this.

First up are you happy to keep this online ??

This starts to make some sense - the "tattooing" of security settings is not
one of the more "well documented" features of the GPO based security policy.
I thought we had got away from all that rubbish which plagued NT4 !!

As a bit more info on the sequence of events: the security templates
(as distributed with the security operations guide) were agreed as the point
of reference for DC security.

They were imported into a GPO linked to the DC's container.

This GPO was "lost" but it was thought not a major deal as we could just
recreate it based on logged changes to the original templates - a new GPO was
added and linked to the DC's container.

Since then a number of mods to the service startup have been agreed, and we
have attempted to apply them across the board by the following change control
process:

1. Modify the security template (Notepad as text editor seems to suffice) -
we have found the security configuration editor "messes up" the format of
the security template file.

2. Edit the GPO, then import the modified security template file (leave
"clear database before importing" unchecked).

This has the results that have been discussed in this rather lengthy email.

The ideal way forward it seems is to effectively start again - but given
your response of "you have to change the value in the policy to match the
original value" this seems not practically unachievable ?

Then we can reapply all the settings again from the security template.

PS - where is this documented ??!!

GT

"Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
news:uBBpzehfDHA.128@tk2msftngp13.phx.gbl...
> "Graham Turner" <gturner@ipcomputers.demon.co.uk> wrote in message
> news:%23z8vBtTfDHA.908@tk2msftngp13.phx.gbl...
> > Nick, sorry for not getting back to you earlier on this one and thanks
> > for your ongoing help in this.
>
> No problem. :)
>
> > 2. what are all these files in c:\winnt\security\templates\policies ???
>
> These templates don't have anything to do with creating the GPOs or
> importing templates into them. These templates are copied down from the
> DC's sysvol whenever policy propagation occurs on the client. SCE then
> merges the templates together and applies the merged settings onto the
> client. On Win2k, looking at these can be a helpful way to see exactly
> what settings are coming to a client from a DC.
>
> One of these templates will have the issue you said you were seeing
> before, where there is a duplicate service in the template. By the number
> in the template filename, you can look at the "Make a local copy of XYZ"
> part of winlogon.log, count down that many file copies, and you know the
> GUID of the GPO where the template is coming from.
>
> > have noticed that it "processes these GP templates *.inf" -
>
> That message is displayed when SCE merges that template into the database.
> "Make a local copy of XYZ" is displayed when the template is copied down
> to the client (%windir%\security\templates\policies) from the GPO's store
> in the sysvol. XYZ is the location of that particular template in the
> sysvol on the DC.
>
> > i thought winlogon.log logged the processing of the group policy object
> > or are these entries merely some sort of pointer to the inf template
> > that was imported into the GPO ?
>
> Winlogon.log records what the security policy extension to the group
> policy engine is doing. Userenv.log located in %windir%\Debug\UserMode
> (if logging has been turned on) will describe what the group policy
> engine is doing during policy propagations.
>
> > you reference the GPO's current security template - is this one of these
> > files in the above folder ?
>
> No, those files are just copies of what's stored in the sysvol for that
> GPO. The real templates for the GPO will be located in somewhere like
> \\Domain.com\Sysvol\Domain.com\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
>
> > this might be better answered by say a direct scenario based question
> > based on testing;
> >
> > 1. i create a new GPO linked to the Domain controllers container
> >
> > 2. import a security template file into the GPO
> >
> > 3. secedit /refresh etc .. demonstrates the values in the security
> > template
> >
> > 4. i then remove the link from the DC's container to the GPO
> >
> > 5. the imported values still remain - why ??
>
> Ahhh, jackpot! I can see what you're doing now. Those values will
> 'tattoo' onto the system. This was an issue in win2k. All security policy
> values will remain on the clients even if you undefine them in policy.
> What you have to do is change the value in the policy to match what the
> original value was for the setting, let that propagate to the clients,
> and then undefine it in the policy or unlink the GPO.
>
> Basically, in Win2k the security extension doesn't store the original
> value for the setting. When you subsequently undefine that setting from
> group policy, security policy doesn't know or even have a built-in
> mechanism to revert the values to their original values. This is fixed
> for most of the security policy sections starting in WinXP. The only
> sections that still tattoo are the file system and registry security
> sections.
>
> N
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
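As an added illustration of the merge and tattoo behaviour discussed in this thread (this is not code from the thread or from Microsoft): a small Python parser for GptTmpl.inf-style security templates that flags duplicate service entries and lists the settings a newer template no longer defines, i.e. the ones that will stay tattooed on a Win2k client unless the policy sets them back first. The two template texts are constructed samples.

```python
# Added example, not code from this thread. Parses GptTmpl.inf-style security
# templates, flags duplicate service entries (which SCE trips over) and lists
# settings a new template drops, which on Win2k stay tattooed on the client.

def parse_template(text):
    """Return ({section: {key: value}}, [duplicate (section, key) pairs])."""
    sections, dups, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                              # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                  # new [Section] header
            sections.setdefault(current, {})
            continue
        if current == "Service General Setting":
            # "Name",startup,"SDDL"  where startup 2=auto, 3=manual, 4=disabled
            name, start, sddl = (p.strip().strip('"') for p in line.split(",", 2))
            key, value = name, (int(start), sddl)
        else:
            key, _, value = (p.strip() for p in line.partition("="))
        if key in sections[current]:
            dups.append((current, key))           # second entry for same key
        sections[current][key] = value            # keep the last occurrence
    return sections, dups

def tattooed(previous, current):
    """Settings defined by the previous template but absent from the current
    one. Win2k keeps the old value on the client until policy explicitly sets
    it back, so these must be restored in policy before the GPO is unlinked."""
    return {s: {k: v for k, v in kv.items() if k not in current.get(s, {})}
            for s, kv in previous.items()
            if any(k not in current.get(s, {}) for k in kv)}

# Constructed samples: the new template sets Spooler to automatic (and lists
# it twice by mistake) and no longer mentions Messenger at all.
OLD_INF = """[System Access]
MinimumPasswordLength = 8
[Service General Setting]
"Spooler",4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"Messenger",4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""
NEW_INF = """[System Access]
MinimumPasswordLength = 8
[Service General Setting]
"Spooler",2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"Spooler",4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""
```

Running `tattooed(*[parse_template(t)[0] for t in (OLD_INF, NEW_INF)])` reports Messenger as the setting that would be left behind; the same comparison against the client's copies in %windir%\security\templates\policies shows what actually reached a machine.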