The Windows XP operating system provides a powerful security mechanism, but setting up these security configurations one by one is time-consuming and laborious. Is there a way to configure security options quickly? Yes: you can use security templates to set all security options quickly and in batches.
1. Understand security templates
A "security template" is a file representation of a security policy. It can configure account and local policies, event logs, restricted groups, and security settings for the file system, registry, and system services. Security templates are all stored as text files in .inf format, and users can easily copy, paste, import or export templates. Security templates do not introduce new security parameters; they simply organize all existing security attributes in one location to simplify security management and provide a way to modify security options quickly and in batches.
The system has predefined several security templates to help strengthen system security. By default, these templates are stored in the "%Systemroot%\Security\Templates" directory. They are:
1. Compatws.inf
Provides a basic security policy for an environment with a lower level of security but better compatibility. It relaxes the default file and registry permissions for the Users group so that they are consistent with the requirements of most non-certified applications. The "Power Users" group is normally used to run non-certified applications.
2. Hisec*.inf
Provides high-security client policy templates for an advanced security environment. They are an extended set of security templates that further restrict the encryption and signing needed to authenticate and to guarantee the secure transmission of data over the secure channel and between SMB clients and servers.
3. Rootsec.inf
Secures the system root by specifying the new root directory permissions introduced by Windows XP Professional. By default, Rootsec.inf defines these permissions for the root of the system drive. If you accidentally change the root permissions, you can use this template to reapply them, or modify the template to apply the same root permissions to other volumes.
4. Secure*.inf
Defines enhanced security settings that are least likely to affect application compatibility, and also restricts the use of the LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to reject LAN Manager responses.
5. Setupsecurity.inf
Reapply the default settings. This is a computer-specific template that represents the default security settings that are applied during the installation of the operating system. The settings include file permissions for the root directory of the system drive and can be used for system disaster recovery.
The above are the security templates predefined by the system. Users can use one of the security templates or create a new security template they need.
2. Manage security templates
1. Install security templates
Security template files are text-based .inf files that can be opened for editing with a text editor. However, editing a security template this way is too complicated, so the security template snap-in should be loaded into the MMC console for easier use.
① Click "Start" and then "Run", type "mmc" and click the "OK" button to open the console;
② On the "File" menu, click "Add/Remove Snap-in", then click the "Add" button on the "Standalone" tab of the window that opens;
③ Select "Security Templates" in the "Available Standalone Snap-ins" list, click the "Add" button, and finally click "Close" so that the security template snap-in is added to the MMC console.
In order to avoid having to reload every time you run MMC after exiting, you can click the "Save" button on the "File" menu to save the current settings.
2. Create and delete security templates
After adding the security template snap-in to the MMC console, you will see the security templates predefined by the system. You can also create your own new security template.
First open "Security Templates" in the "Console Root" list, right-click the folder where the security template files are stored, and select "New Template" in the pop-up shortcut menu. A new template window will pop up. Type the name of the new template in "Template Name", type its description in "Description", and finally click the "OK" button. A new security template is now created.
Deleting a security template is very simple. Open "Security Templates", find the template you want to delete in the console tree, right-click on it and select "Delete".
3. Apply security templates
After the new security template is configured, it can be applied. You must apply the security template settings by using the "Security Configuration and Analysis" snap-in.
① First add the "Security Configuration and Analysis" snap-in: open the "File" menu of the MMC console, click "Add/Remove Snap-in", select "Security Configuration and Analysis" in the list of standalone snap-ins, and click the "Add" button so that the snap-in is added to the MMC console;
② Right-click "Security Configuration and Analysis" in the console tree, select "Open Database", type the new database name in the pop-up window, and then click the "Open" button;
③ Select the security template to be imported in the security template list window, then click the "Open" button; the security template is now imported;
④ Right-click "Security Configuration and Analysis" in the console tree and select "Configure Computer Now" in the shortcut menu. A window asking you to confirm the error log file path will pop up; click the "OK" button.
In this way, the security template just imported is successfully applied.
3. Set security templates
1. Set account policies
Account policies include the password policy, account lockout policy and Kerberos policy security settings. Password policies provide a standard means of setting password complexity and password rules to meet password requirements in high-security environments. Account lockout policies track failed login attempts and lock out accounts if necessary. Kerberos policies are used for domain user accounts and determine Kerberos-related settings such as ticket expiration and enforcement.
(1) Password policy
Here you can configure 5 settings related to password characteristics: "Forced password history", "Maximum password usage period", "Minimum password usage period", "Minimum password length" and "Password must meet complexity requirements".
① Forced password history: Determines the number of unique new passwords a user must have used before an old password can be reused. The value can be between 0 and 24;
② Maximum password usage period: Determines the number of days a password can be used before the user is required to change it. The value is between 0 and 999; if it is set to 0, the password never expires;
③ Minimum password usage period: Determines the number of days a new password must be kept before the user can change it. This setting is designed to be used with the "Forced password history" setting so that users cannot cycle quickly through the required number of passwords and change back to an old one. The value can be between 0 and 999; if it is set to 0, users can change a new password immediately. It is recommended to set this value to 2 days;
④ Minimum password length: Determines the minimum number of characters a password can have. The value is between 0 and 14 characters. If it is set to 0, users are allowed to use blank passwords. It is recommended to set this value to 8 characters;
⑤ Password must meet complexity requirements: When this option is enabled, all new passwords are checked to ensure that they meet the basic requirements for complex passwords. User passwords must then meet certain requirements, such as being at least 6 characters long and not containing three or more characters from the user's account name.
(2) Account lockout policy
Here you can set the number of login attempts allowed for a user account within a specified period of time, and the lockout time of the account after a failed login.
①Account lock time: The setting here determines the time that must pass before an account is unlocked and the user is allowed to log in again, that is, the time the locked user cannot log in. The unit of this time is minutes. If the time is set to 0, the account will be locked forever until the administrator unlocks the account;
②Account lock threshold: Determine how many failed login attempts before locking the user account. The account cannot be used again unless an administrator resets it or the account's lockout period expires. The number of failed login attempts can be set to a value between 1 and 999. If set to 0, the account will never be locked.
2. Set local policy
Local policy includes three groups of security settings: audit policy, user rights assignment and security options. The audit policy determines whether security events are recorded in the security log on the computer; user rights assignment determines which users or groups have the right or privilege to log on to the computer; security options determine whether security settings for the computer are enabled or disabled.
(1) Audit policy
After auditing is enabled, the system collects all events that occur on audited objects in the audit log, such as application, system and security-related information, so auditing is very important for ensuring the security of the domain.
The values under the audit policy are of three types: success, failure and no audit. The default is no audit. To enable auditing, double-click an item and the "Properties" window will pop up. First select "Define these policy settings in the template" and then select "Success" or "Failure" as required.
Audit policies include auditing account login events, policy changes, account management, login events, system events and so on, which are introduced separately below.
① Audit policy changes: Determines whether to audit every event in which a change is made to user rights assignment policies, audit policies or trust policies. It is recommended to set it to "success" and "failure";
② Audit login events: Determines whether to audit each instance of a user logging in to the computer, logging off from the computer, or establishing a network connection with the computer. If it is set to audit success, it can be used to determine which user successfully logged in to which computer; if it is set to audit failure, it can be used to detect intrusions, but the huge volume of failed-login entries an attacker can generate may cause a denial-of-service (DoS) state. It is recommended to set it to "success";
③ Audit object access: Determines whether to audit user access to an object, such as a file, folder, registry key or printer, that has its own system access control list (SACL) specified. It is recommended to set it to "Failure";
④ Audit process tracking: Determines whether to audit detailed tracking information for events such as program activation, process exit and indirect object access. If you suspect that the system has been attacked, you can enable this item, but a large number of events will be generated once it is enabled. Under normal circumstances, it is recommended to set it to "no audit";
⑤ Audit directory service access: Determines whether to audit user access to Active Directory objects that have their own system access control list (SACL) specified. When enabled, it generates a large number of audit entries in the domain controller's security log, so it should only be enabled if you really intend to use the information created. It is recommended to set it to "no audit";
⑥ Audit privilege usage: Determines whether to audit each instance of a user exercising a user right, except for rights such as bypassing traverse checking, debugging programs, creating a token object, replacing a process-level token, generating security audits, backing up files and directories, and restoring files and directories. It is recommended to set it to "No audit";
⑦ Audit system events: Determines whether to audit when a user restarts or shuts down the computer, or when an event that affects system security or the security log occurs. This event information is very important, so it is recommended to set it to "success" and "failure";
⑧ Audit account login events: Determines whether to audit each instance of a user logging in to or logging off from another computer when this computer is used to validate the account. It is recommended to set it to "success" and "failure";
⑨ Audit account management: Determines whether to audit each account management event on the computer, such as renaming, disabling or enabling a user account, or creating, modifying or deleting a user account. It is recommended to set it to "success" and "failure".
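The password and audit recommendations above can be checked mechanically against a template file. The following is an added example, not part of the original article: it parses the [System Access] and [Event Audit] sections of a template and reports settings that differ from the values recommended above. The sample template is constructed, treating the two password values as minimums is an assumption, and a lockout threshold of 0 is reported because the article notes that it means accounts are never locked.

```python
"""Compare a security template (.inf) with the values this article recommends."""

# [Event Audit] values: 0 = no audit, 1 = success, 2 = failure, 3 = both.
AUDIT_NAMES = {0: "no audit", 1: "success", 2: "failure", 3: "success and failure"}
# Audit recommendations taken from the article text.
RECOMMENDED_AUDIT = {
    "AuditPolicyChange": 3,
    "AuditLogonEvents": 1,
    "AuditObjectAccess": 2,
    "AuditProcessTracking": 0,
    "AuditDSAccess": 0,
    "AuditPrivilegeUse": 0,
    "AuditSystemEvents": 3,
    "AuditAccountLogon": 3,
    "AuditAccountManage": 3,
}
# Assumption: the article's password values are treated as minimums.
PASSWORD_MINIMUMS = {"MinimumPasswordAge": 2, "MinimumPasswordLength": 8}

# Constructed sample template, not one of the files shipped with Windows.
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MinimumPasswordLength = 6
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditAccountLogon = 1
"""


def parse_inf(text):
    """Return {section: {key: value}}; comments and lines without '=' are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None  # setting missing from the template or not numeric


def check_template(text):
    """Return (section, key, found, expected) for each deviating setting."""
    inf = parse_inf(text)
    access, audit = inf.get("System Access", {}), inf.get("Event Audit", {})
    findings = []
    for key, minimum in PASSWORD_MINIMUMS.items():
        found = as_int(access.get(key))
        if found is None or found < minimum:
            findings.append(("System Access", key, found, f"at least {minimum}"))
    # The article notes that a threshold of 0 means accounts are never locked.
    threshold = as_int(access.get("LockoutBadCount"))
    if not threshold:
        findings.append(("System Access", "LockoutBadCount", threshold, "1 to 999"))
    for key, expected in RECOMMENDED_AUDIT.items():
        found = as_int(audit.get(key))
        if found != expected:
            findings.append(("Event Audit", key,
                             AUDIT_NAMES.get(found, "not defined"), AUDIT_NAMES[expected]))
    return findings


if __name__ == "__main__":
    # For a real file, read it first; saved templates are often UTF-16 encoded.
    for section, key, found, expected in check_template(SAMPLE_INF):
        print(f"[{section}] {key}: found {found}, recommended {expected}")
```

Run against the constructed sample, it reports the short minimum age and length, the zero lockout threshold, and the three audit categories that differ from the recommendations.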
(2) User rights assignment
User rights assignment is mainly to determine which users or groups are allowed to do what. The specific setting method is:
① Double-click a policy, and in the pop-up "Properties" window, first select "Define these policy settings in the template";
② Click the "Add User or Group" button and the "Select User or Group" window will appear. First click "Object Type" to select the type of object, then click "Location" to select the location to search, and finally enter the name of the user or group in the blank field under "Enter the object name to select". After entering it, you can click the "Check Name" button to check whether the name is correct;
③Finally, click the "OK" button to add the entered object to the user list.
(3) Security options
Here you can enable or disable computer security settings, such as digital signatures of data, names of Administrator and Guest accounts, floppy disk drives and CD-ROM drives access, driver installation behavior, login prompts, etc. Here are some settings suitable for general users.
① Prevent users from installing printer drivers. For a computer to print to a network printer, the network printer driver must be installed on the local computer. This security setting determines who is allowed to install printer drivers as part of adding a network printer. Use this setting to prevent unauthorized users from downloading and installing untrusted printer drivers.
Double-click "Device: Prevent users from installing printer drivers", a properties window will pop up. First select the "Define this policy setting in template" item, then select "Enabled", and finally click "OK" button. In this way, only administrators and super users can install printer drivers as part of adding a network printer;
② Install unsigned drivers silently.
When you try to install a device driver that has not been certified by Windows Hardware Quality Labs (WHQL), the system by default pops up a warning window and lets the user choose whether to install it. This is very troublesome, so you can have the driver installed directly without a prompt. With that setting the user no longer gets the chance to decline an unsigned driver.
Double-click the "Device: Installation operation for unsigned driver" item; in the properties window that appears, select the "Define this policy setting in the template" item, then click the drop-down button next to it, select "Default Install", and finally click the "OK" button;
③Display the message text when logging in. Specifies the text message that displays when a user logs in. Use this warning message setting to better protect system data by warning users not to misuse company information in any way or that their actions may be subject to review.
Double-click "Interactive login: Message text when the user attempts to log in" to open the properties window. First select "Define this policy setting in the template", then enter the message text in the blank input box below (up to 512 characters), and finally click the "OK" button. The user will then see this warning message dialog box before logging in to the console.
3. Set up event logs
This part of the security template defines properties of the application, security and system logs, such as the maximum log size and access permissions for each log, as well as retention settings and methods. The application log records events generated by programs; the security log records security events based on audited objects; and the system log records operating system events.
(1) Log retention days
This option can set how many days application, security and system logs can be retained. Note that this value should only be set if the logs are archived at a scheduled interval, and ensure that the maximum log size is large enough to accommodate this interval. This number of days can be any one from 1 to 365 days. The user can set it as needed. It is recommended to set it to 14 days.
(2) Log retention method
Here you can set how the log is handled when it reaches the configured maximum size. There are three methods: overwrite events by number of days, overwrite events as needed, and do not overwrite events (manually clear logs). If you want to archive the application log, you need to select "Overwrite events as needed"; if you want to archive the logs at scheduled intervals, select "Overwrite events by number of days"; if you need to retain all events in the log, select "Do not overwrite events (manually clear logs)", in which case new events will be discarded when the maximum log size is reached.
(3) Restrict local guest group access to logs
Here you can set whether to restrict guest access to application, security and system event logs. The default setting allows guest users and empty connections to view system logs, but disables access to security logs.
(4) Maximum log value
Here you can set the maximum and minimum values of the log file. The available values range from 64KB to 4194240KB. If the value is too small, the log will fill up often, which requires regular clearing and saving of the log; if the value is too large, the log will occupy a lot of hard disk space, so be sure to set it according to your own needs.
4. Set up restricted groups
Here administrators can define two attributes, "member" and "membership group", for security-sensitive groups. "Member" defines which users belong and which users do not belong to the restricted group; "membership group" defines which other groups the restricted group belongs to. This policy lets you control membership in a group: any member not specified in this policy will be removed, and any specified user who is not currently a member of the group will be added.
(1) Create a restricted group
First, right-click the "Restricted Group" in the console tree and select "Add Group". Then type the name of the restricted policy group in the "Add Group" window, or click "Browse" to find the group you want to operate in the "Select Group" window that opens, and finally click the "OK" button. At this time you will find that a new group has been created successfully.
If you want to copy all restricted group items from one template to another, right-click "Restricted Groups" in the console tree and select "Copy" in the pop-up shortcut menu, then right-click "Restricted Groups" in the other template and select "Paste" in the pop-up shortcut menu.
(2) Add user
First, in the details pane, find the group to which you want to add the user, right-click it and select "Properties" in the pop-up shortcut menu. The properties window of the group will pop up. Click the "Add" button on the right side of the "Members of this group" list box, and then type in the members you want to add. Repeat this step to add more members.
Similarly, if you want to add this group as a member of another group, click the "Add" button on the right side of the "This group belongs to" list box, type the group name in the pop-up window, and finally click "OK".
5. Set system services
Here you can define the startup mode and access rights of all system services. The startup mode can be automatic, manual or disabled: automatic means the service starts automatically when the computer is restarted; manual means it starts only when someone starts it; disabled means the service cannot be started. Access rights cover user operations such as reading, writing, deleting, starting, pausing and stopping the service. This part of the security template makes it easy to set which user or group accounts have read, write and delete permissions, or permissions to perform inherited settings, auditing and ownership changes. Note that disabling certain services may cause the system to fail to boot, so if you want to disable system services, test the change on a non-production system first.
So how to configure system service settings?
① Double-click the service to be configured, and the service properties dialog box will pop up;
② Select the "Define this policy configuration in the template" item. If this policy has never been configured before, the security settings dialog box will appear automatically. If it does not, click the "Edit Security Settings" button to bring up the dialog box;
③ Click the "Add" button and follow the steps for adding users or groups to add the users you want to the list;
④ Select a user or group in the list under "Group or User Name", and all editable permissions will be listed in the permission list below. Choose whether to allow or deny each permission according to actual needs. If you want to edit special permissions or advanced settings, click the "Advanced" button. After editing, click the "OK" button;
⑤ In the properties window, under "Select service startup mode", select Automatic, Manual, or Disabled.
6. Set the registry
Here, the administrator is allowed to define the access permissions (about DACL) and audit settings (about SACL) of the registry keys.
DACL is the discretionary access control list, the component of an object's security descriptor that grants or denies specific users or groups access to the object. Only the owner of an object can change the permissions granted or denied in the DACL, so access to the object is at the owner's discretion. SACL is the system access control list, the part of an object's security descriptor that specifies which events are audited for each user or group. Examples of audit events are file access, login attempts, and system shutdowns.
(1) Set registry security
① In the console tree, right-click the "Registry" node and select "Add Key" in the pop-up shortcut menu;
② In the "Select Registry Key" dialog box, select the registry key to which you want to add the key, and then click the "OK" button;
③ In the "Database Security Settings" dialog box, select the appropriate permissions for the registry key, and then click the "OK" button;
④ In the "Template Security Policy Settings" dialog box, select the required method of inheriting permissions, and finally click the "OK" button.
(2) Permission to modify registry keys
① In the detailed list of registry keys, double-click the registry key to be modified;
② In the pop-up "Template Security Policy Settings" window, select "Configure this key, then". There are two items below it: "Propagate inheritable permissions to all subkeys" means that all subkeys inherit the new permissions from the configured key; "Replace existing permissions on all subkeys with inheritable permissions" means that the newly set permissions are applied to all subkeys in place of their existing ones. Choose one according to your needs;
③ Click the "Edit Security Settings" button, and then click the "Advanced" button in the pop-up dialog box to enter the advanced security settings window;
④ In the "Advanced Security Settings" window, use the "Add" button to add users, or remove users, so that the list complies with the recommended setting standards;
⑤ Select the user or group to be configured, and then click the "Edit" button. The permission setting dialog box will pop up. First select the correct scope from the drop-down list after "Apply to", such as this key only, or this key and subkeys. Then select the permissions you want to use in the "Permissions" list, and finally click the "OK" button to complete the settings.
7. Set up the file system
A file system refers to the overall structure of file naming, storage and organization. Windows XP supports three file systems: FAT, FAT32, and NTFS. You can choose a file system when installing Windows, formatting an existing volume, or installing a new hard drive. Each file system has its own advantages and limitations. Among them, the NTFS file system can provide performance, security, and reliability that other file systems do not have. For example, NTFS can ensure volume consistency by using standard transaction recording and restoration techniques. If a system failure occurs, NTFS uses log files and checkpoint information to restore file system consistency. In the Windows XP operating system, NTFS can also provide advanced features such as file and folder permissions, encryption, disk quotas, and compression.
(1) Check the file system security settings
If you want to manually check the permissions of a specific file or folder, you can refer to the following operations:
First open Windows Explorer, right-click the file or folder you want to view, and select "Properties" in the pop-up shortcut menu. Then in the properties window, enter the "Security" tab, and finally click the "Advanced" button. In the window that opens, you can view the permission information related to the file or folder.
(2) Set file system security for files
① Right-click the "File System" node in the console, and click "Add File" in the pop-up shortcut menu;
② In the "Add File or Folder" dialog box, find the file or folder you want to add security to, and then click the "OK" button;
③ In the "Database Security Settings" dialog box, configure the appropriate permissions, and then click the "OK" button;
④ Return to the "Template Security Policy Settings" dialog box and click the "OK" button to complete the settings.
(3) Modify file system security settings
Manually modifying the permission settings of each file and folder one by one is a waste of time and energy. Security templates can be used to make these settings quickly and in batches.
① In the panel on the right side of the window, double-click the file or folder you want to change;
② In the "Template Security Policy Settings" window that appears, there are two options. "Propagate inheritable permissions to all subfolders and files" means that the subfolders and files of the folder are reconfigured and all inherit the new permissions; "Replace existing permissions on all subfolders and files with inheritable permissions" means that, regardless of whether those subfolders allow permissions to be inherited, the new permissions are applied to them and are inherited from the configured folder. Select either item as needed, and then click the "Edit Security Settings" button;
③ In the "Security Settings" window, click the "Advanced" button;
④ In the Advanced Security Settings window, if the parent's permissions are not to be inherited, make sure the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" item is not selected; then click the "Add" button to modify the users or groups that will be affected by the permissions, and finally select the group or user to configure and click the "Edit" button;
⑤ In the folder's permission entry window, first click the drop-down button after "Apply to" and select a suitable scope, such as subfolders only or this folder only, and then configure permissions in the "Permissions" list. Finally click the "OK" button to apply the configured permissions.
Borrowed: 呔吇じ☆ve东’s answer