ITT: Using Security Templates and the SCW in Windows Server 2003

I finally got my nerve together and recorded an Admin-to-Admin segment for the In The Trenches podcast.

Article here:
Listen to the episode here:

Here are the notes for my segment:

Using Security Templates


  • Enforcing security policy onto a Workstation or Server
  • Setting software restriction policy (name, hash, path)
  • Setting secured groups
  • Enforcing NTFS permissions
  • Enforcing Registry Permissions
  • Enforcing the status of Services

Pre-defined Security Templates:


  • Compatws.inf – This is required by older applications that need to have weaker security to access the Registry and the file system.
  • DC security.inf – This is used to configure security of the Registry and File system of a computer that was upgraded from Windows NT to Windows 2000/2003.
  • Hisecdc.inf – This is used to increase the security and communications with the domain controllers.
  • Hisecws.inf – This is used to increase security and communications for the client computers and member servers.
  • Notssid.inf – This is used to weaken security to allow older applications to run on Windows Terminal Services.
  • Ocfiless.inf – This is for optional components that are installed after the main operating system is installed. This will support services such as Terminal Services and Certificate Services.
  • Securedc.inf – This is used to increase the security and communications with the domain controllers, but not to the level of the High Security DC security template.
  • Securews.inf – This is used to increase security and communications for the client computers and member servers.
  • Setup security.inf – This is used to reapply the default security settings of a freshly installed computer.

More security templates can be downloaded with the Windows Server 2003 Security Guide:

Add your own registry settings:

All security settings are in fact just registry settings. Add your own by editing the Sceregvl.inf file.

See the link to the MS article in show notes.

Group Policy:

Import into GPOs. Remember when modeling security settings that domain controllers have their own local security settings set, like SMB signing.

MMC Snap ins:

  • Security Templates

Always make copies of the predefined templates to a different location

  • Security Configuration and Analysis

The Security “Database”, importing Security Templates, and analyzing against the local system
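An added example (not from the podcast notes) of the kind of comparison the analysis step makes: parse a template's INF sections and list every setting where the system differs from it. Both INF fragments are constructed samples with illustrative values, and `parse_inf` and `analyze` are hypothetical helper names.

```python
import re

# Constructed sample template in the security-template INF layout.
TEMPLATE = r"""
[System Access]
MinimumPasswordLength = 8
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
[Service General Setting]
"TlntSvr",4,""
"""

# Constructed sample of the machine's current settings in the same layout.
CURRENT = r"""
[System Access]
MinimumPasswordLength = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
[Service General Setting]
"TlntSvr",3,""
"""

def parse_inf(text):
    """Return {(section, key): value} for every setting line."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip()
        elif section:
            # Quoted lines are name,mode,ACL records; the rest are key=value.
            sep = "," if line.startswith('"') else "="
            key, _, value = line.partition(sep)
            settings[(section, key.strip().strip('"').lower())] = value.strip()
    return settings

def analyze(template, current):
    """Return (section, key, wanted, actual) where the system differs."""
    want, have = parse_inf(template), parse_inf(current)
    return [(s, k, v, have.get((s, k), "<not defined>"))
            for (s, k), v in sorted(want.items()) if have.get((s, k)) != v]

for finding in analyze(TEMPLATE, CURRENT):
    print(finding)
```

The sample reports three findings: the SMB signing value missing from the system, the service start mode set to 3 instead of 4, and the password length below the template value.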

Other useful snap-ins for working on security templates with Group Policy:

  • Group Policy Management Console
  • Resultant Set of Policy
  • Local Policy

Service Pack 1 Security Configuration Wizard

Why did we need it?

Before, we had separate management interfaces for:

  • Security settings and all the things the Templates covered
  • IIS Security
  • Windows Firewall Settings
  • Registry settings (required you to make your own ADM files and security template)
  • IP Security policy (GPO-centric)

SCW combined all these things, and adds advantages:

  • Everything combined into a single XML file (easy to read and edit)
  • Can export to GPO or apply directly, locally and remotely
  • Import Security Templates
  • Can scan the current system config and create a baseline

Overlap in functionality:

  • SCW doesn't support NTFS and registry security
  • Templates don't cover IIS, IP Sec? or Firewall.

Neither SCW nor Security Templates cover the other features of Group or Local policy: Administrative Templates

You will need them BOTH to create a secure environment… use GPOs as the end result. Import Security Templates into SCW files during creation; SCW settings take precedence. If used separately, then you have to keep an eye on GPO precedence.


How to apply predefined security templates in Windows Server 2003 (KB 816585)

HOW TO: Analyze System Security in Windows Server 2003

HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

How to Add Custom Registry Settings to Security Configuration Editor

Group Policy Home

Security Configuration Wizard for Windows Server 2003

Windows Server 2003 Security Guide
