Re: Basic Sec Template Design
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Mon, 6 Nov 2006 11:59:37 -0700
"Adrian" <Adrian@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A28302F7-DF67-4F31-941A-73B8249A074A@xxxxxxxxxxxxxxxx
Hey all,
Win 2000 Network moving to a Win 2003 Network. I would like to create a
I take it you mean upgrading of servers in place to W2k3, either with upgrades
or (to me preferred) fresh builds, rather than moving domain to domain.
Baseline Security Template for all the Servers and then on top of which I
would like to add specific Security templates for the different types of
server, ISA, Application, general.
Under the Baseline Security Template I would like to define Password length,
Complexity, Auditing, lockout policy that kind of thing. Now because these
All that you mention is
1) not changed W2k to W2k3
2) defined in a GPO linked to the domain object to impact domain accounts
3) effective over machine local accounts if a GPO sets these for OUs that
hold machines
4) effective for all accounts equally
servers will be migrated 1 at a time to Win 2003 I can't create a domain
policy for the Win 2003 servers.
I do not see the reasoning for this. Why not?
I've gone through and read the SCW guides and tool and while I can create a
Baseline Member server Template it doesn't incorporate what I want/need. I
think perhaps my logic is flawed in the way I'm going about this.
It is good you have familiarized yourself with the SCW.
Have you also reviewed the security guides ?
http://go.microsoft.com/fwlink/?linkid=14845
http://go.microsoft.com/fwlink/?linkid=15159
http://www.microsoft.com/technet/security/guidance
Could someone tell me please the best practice for applying security
templates to a server, in what order they are applied etc?
It is better to import templates into GPOs, and control their application
in the normal way via GPO hierarchy. Note that the templates in the
guides are suggested settings and should be fully evaluated relative to
specifics of a deployment.
Should I be creating a local Security policy first which outlines all the
basics, passwords, audit, user rights etc and then apply this to all
servers? Can this be included in the Member Baseline Policy Template SCW
creates?
I prefer central control via AD-based GPO.
Things are however situational. For example, will a server exist for some
time in config and test prior to being domain joined? Are there administrative
delegations of machines to individuals without domain-level access to the
GPOs that impact their machines? And, if so, do you need to allow those
delegated admins to have flexibility for per-machine uniquenesses?
OTOH do you want to make sure that some settings cannot be changed
by the delegated admins? These answers may drive you toward splitting
the settings into multiple GPOs, some tightly held by domain admins and
others delegated to the server admins (or, leaving them to implement via
machine local policy). How much do you want to be able to assess from
a single viewpoint (i.e. AD-based GPOs and resultant policy
modeling/reporting)?
Are firewall and/or IPsec settings necessarily unique per machine? etc.
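
The layering discussed in this thread, as an added example that is not part of the original post or of the Microsoft guides: a simplified Python model of a baseline template plus a role template imported into OU-linked GPOs, alongside a domain-linked GPO. The template contents, GPO names and processing order are constructed, and the model ignores enforced links and blocked inheritance.

```python
import configparser

# Password and lockout keys of the [System Access] template section.
ACCOUNT_KEYS = {"MinimumPasswordLength", "PasswordComplexity",
                "PasswordHistorySize", "MaximumPasswordAge", "MinimumPasswordAge",
                "LockoutBadCount", "ResetLockoutCount", "LockoutDuration"}

# Constructed templates and GPO names, listed in processing order:
# domain-linked GPO first, then parent OU, then child OU.
GPOS = [
    ("Domain policy", "domain", """
[System Access]
MinimumPasswordLength = 10
PasswordComplexity = 1
LockoutBadCount = 10
"""),
    ("Server baseline", "ou", """
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 1
"""),
    ("ISA role", "ou", """
[System Access]
LockoutBadCount = 3
[Event Audit]
AuditPolicyChange = 3
"""),
]

def parse_template(text):
    """Return {(section, key): value} for a template in INF syntax."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of setting names
    cp.read_string(text)
    return {(s, k): v for s in cp.sections() for k, v in cp[s].items()}

def effective(gpos):
    """Return (machine settings, domain-account policy) as value/source pairs."""
    machine, domain_accounts = {}, {}
    for name, link, text in gpos:
        for (section, key), value in parse_template(text).items():
            machine[(section, key)] = (value, name)  # later GPO wins
            if link == "domain" and section == "System Access" and key in ACCOUNT_KEYS:
                domain_accounts[key] = (value, name)  # only domain-linked GPOs count
    return machine, domain_accounts

if __name__ == "__main__":
    machine, domain_accounts = effective(GPOS)
    for k, v in sorted(machine.items()): print("machine", k, v)
    for k, v in sorted(domain_accounts.items()): print("domain accounts", k, v)
```

The machine result covers the server's local accounts and its audit settings; the domain-account result shows that password and lockout values set in the OU-linked templates do not reach domain accounts.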