To run the new console, choose Start → All Programs → Administrative Tools → Local Group Policy. (I suggest creating a shortcut to the MSC file in the Administrative Tools folder in the Control Panel, too. Unfortunately, Windows doesn't automatically synchronize these two locations.)
Instant Answer: As you expand the nodes in the left window pane, notice that the top-level categories pertain to the machine and to the user, respectively. Windows XP applies machine-specific policies before the network user even logs on; the user-specific policies apply after logon. This setup is a primary reason that computers in a Windows XP/2000 network have their own unique account IDs - Windows must have some way of assigning machine-specific policies to each computer as it connects to the network. This requirement for each computer to have a unique computer account ID is the rationale behind utilities like SysPrep (see Chapter 4).
Note that in each of the two main categories exists a subcategory called 'Administrative Templates.' These are settings contained in *.ADM files that modify the local Registry. You find a variety of miscellaneous settings under Administrative Templates, and more nodes appear here as you add applications that come with their own *.ADM files.
Just for fun, expand the node Local Computer Policy\Computer Configuration\Windows Settings\Security Settings. Look familiar? If not, open up the Local Security Policy console in your Administrative Tools folder.
Working with Security Templates
Policies aren't the only way to apply security settings in a Windows XP environment. Consider, for example, a small organization with a dozen or so standalone PCs. You don't have a domain-based network, so the advantage that the Group Policy tools confer in terms of easing administration chores doesn't apply to your situation. You need to apply security to the workstations, but you don't look forward to going around from one computer to the next, firing up the Local Group Policy or Local Security Policy consoles, and making a lot of settings one by one.
Security templates are convenient for just such a situation. They're files with the suffix INF that contain a whole slew of security settings that you can apply to a computer in one fell swoop. These settings include account policies, local policies, group membership, registry key security, file system access controls, and configuration of operating system services. Microsoft supplies a number of pre-assembled templates that live in C:\WINDOWS\SECURITY\TEMPLATES.
Tip: Although security templates come in handy when you don't have a domain-based network, you can certainly use them in a network environment, too. For example, you can apply a security template to a Group Policy object (GPO), thereby applying all the individual security settings in the template to a domain or organizational unit. (The command is Import Policy on the context menu of the policy object's Security Settings node.)
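Because a template is a plain-text INF file, you can review what it will change before applying it to a machine or importing it into a GPO. The Python sketch below is an added example, not from the book: it groups a template's sections under the setting areas listed above. The section-to-area mapping and the sample template are constructed for illustration.

```python
import re

# Section names used in security template INF files, grouped by the setting
# areas the text lists. The grouping is this example's own assumption.
AREAS = {
    "System Access": "account policies",
    "Kerberos Policy": "account policies",
    "Event Audit": "local policies",
    "Privilege Rights": "local policies",
    "Registry Values": "local policies",
    "Group Membership": "group membership",
    "Registry Keys": "registry key security",
    "File Security": "file system access controls",
    "Service General Setting": "operating system services",
}

# Constructed sample, not one of Microsoft's shipped templates.
SAMPLE = r'''
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
[Service General Setting]
Messenger,4,""
'''

def parse_template(text):
    """Return {section name: [raw setting lines]} for an INF template."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # blank line or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None:
            current.append(line)
    return sections

def summarize(text):
    """Count settings per area; unrecognized sections are reported by name."""
    counts = {}
    for name, lines in parse_template(text).items():
        if name in ("Unicode", "Version"):      # file header, not settings
            continue
        area = AREAS.get(name, "unmapped: " + name)
        counts[area] = counts.get(area, 0) + len(lines)
    return counts
```

A section reported as unmapped is worth reading by hand before the template goes anywhere near a production machine.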
Security template snap-ins
Microsoft figures that most Windows XP Professional users won't need to muck around with security templates, so if you want to use them, you have a bit of customizing to do. Lab 11-2 takes you through the process of creating a custom management console containing the two snap-ins that are relevant to security templates: Security Templates and Security Configuration and Analysis.
Lab 11-2: Building a Security Templates Console
1. Choose Start → Run, type MMC in the dialog box, and click OK.
2. Choose File → Add/Remove Snap-In.
3. Click the Add button.
4. Click Security Templates and then click Add.
5. Click Security Configuration and Analysis and then click Add.
6. In the Select Group Policy Object dialog box, click Finish.
7. Click Close and OK to close the two dialog boxes.
8. Choose File → Save and give your new custom console a name ('Security Templates' is a good choice).
The default save location is the Administrative Tools folder.
The Security Templates snap-in
The job of the Security Templates snap-in is to add and edit INF security templates (see Figure 11-9). This is a great place to view the settings in an organized, hierarchical structure.
Figure 11-9: Divine the meaning of inscrutable INF files here.
Remember: You should memorize the meaning of the various predefined templates:
* SETUP SECURITY is the default template containing security settings applied during setup. It's for disaster recovery purposes only and shouldn't be applied via Group Policy.
* COMPATWS relaxes access controls for the Users group and is therefore well suited for workstations that need compatibility with older applications, such as those written for Windows NT 4.0. Don't apply this template to a domain controller. (Make sure you understand this one for the exam!)
* HISECDC is for a maximum-security domain controller.
* HISECWS is for a maximum-security workstation. Power Users have more restrictions than usual.
* SECUREDC is for a high-security domain controller.