William Stanek - Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

With account, local, and event log policies, you can change template settings by following these steps:

1.In the Security Templates snap-in, expand the Account Policies or Local Policies node as necessary, and then select a related subnode, such as Password Policy or Account Lockout Policy.

2.In the right pane, policy settings are listed alphabetically. The value in the Computer Setting column shows the current setting. If the template changes the setting so that it is no longer defined, the value is listed as Not Defined.

3.Double-tap or double-click a setting to display its Properties dialog box, as shown in Figure 5–2. To determine the purpose of the setting, tap or click the Explain tab. To define and apply the policy setting, select the Define This Policy Setting In The Template check box. To clear this policy and not apply it, clear this check box.

FIGURE 5–2Change template settings for account and local policies in the Security Templates snap-in.

4.If you enable the policy setting, specify how the policy setting is to be used by configuring any additional options.

5.Tap or click OK to save your changes. You might get the Suggested Value Changes dialog box, shown in Figure 5–3. This dialog box informs you of other values that are changed to suggested values based on your setting change. For example, when you change the Account Lockout Threshold setting, Windows might also change the Account Lockout Duration and Reset Account Lockout Counter After settings, as shown in the figure.

FIGURE 5–3Review the suggested value changes.

Restricted groups policy settings control the list of members of groups and the groups to which the configured group belongs. You can restrict a group by following these steps:

1.In the Security Templates snap-in, select the Restricted Groups node. In the right pane, any currently restricted groups are listed by name. Members of the group are listed as well, and so are groups of which the restricted group is a member.

2.You can add a restricted group by pressing and holding or right-clicking the Restricted Groups node in the left pane, and then tapping or clicking Add Group. In the Add Group dialog box, tap or click Browse.

3.In the Select Groups dialog box, enter the name of a group you want to restrict, and then tap or click Check Names. If multiple matches are found, select the account you want to use, and then tap or click OK. If no matches are found, update the name you entered and try searching again. Repeat this step as necessary, and then tap or click OK.

4.In the Properties dialog box, shown in Figure 5–4, you can use the Add Members option to add members to the group. Tap or click Add Members, and then specify the members of the group. If the group should not have any members, remove all members by tapping or clicking Remove. Any members who are not specified in the policy setting for the restricted group are removed when the security template is applied.

5.In the Properties dialog box, tap or click Add Groups to specify the groups to which this group belongs. If you specify membership in groups, the groups to which this group belongs are listed exactly as you’ve applied them (if the groups are valid in the applicable workgroup or domain). If you do not specify membership in groups, the groups to which this group belongs are not modified when the template is applied.

6.Tap or click OK to save your settings.

FIGURE 5–4Configure membership for the selected group.

You can remove a restriction on a group by following these steps:

1.In the Security Templates snap-in, select the Restricted Groups node. In the right pane, any currently restricted groups are listed by name. Members of the group are listed along with the groups of which the restricted group is a member.

2.Press and hold or right-click the group that should not be restricted, and then tap or click Delete. When prompted to confirm the action, tap or click Yes.

Policy settings for system services control the general security and startup mode for local services. You can enable, disable, and configure system services by following these steps:

1.In the Security Templates snap-in, select the System Services node. In the right pane, all currently installed services on the computer with which you are working are listed by name, startup setting, and permission configuration. Keep the following in mind when working with system services:

■If the template does not change the startup configuration of the service, the value for the Startup column is listed as Not Defined. Otherwise, the startup configuration is listed as one of the following values: Automatic, Manual, or Disabled.

■If the template does not change the security configuration of the service, the value for the Permission column is listed as Not Defined. Otherwise, the security configuration is listed as Configured.

2.Double-tap or double-click the entry for a system service to display its Properties dialog box, shown in Figure 5–5. To define and apply the policy setting, select the Define This Policy Setting In The Template check box. To clear this policy and not apply it, clear this check box.

FIGURE 5–5Change template settings for system services.

3.If you enable the policy setting, specify the service startup mode by selecting Automatic, Manual, or Disabled. Keep the following in mind:

■Automatic ensures that the service starts automatically when the operating system starts. Choose this setting for essential services that you know are secure and that you want to be sure are run if they are installed on the computer to which the template is being applied.

■Manual prevents the service from starting automatically and allows the service only to be started manually, either by a user, application, or other service. Choose this setting when you want to restrict unnecessary or unused services or when you want to restrict services that you know are not entirely secure.

■Disabled prevents the service from starting automatically or manually. Choose this setting only with unnecessary or unused services that you want to prevent from running.

4.If you know the security configuration that the service should use, tap or click Edit Security, and then set the service permissions in the Security For dialog box. You can set permissions to allow specific users and groups to start, stop, and pause the service on the computer.

5.Tap or click OK.

Policy settings for the file system control security for file and folder paths in the local file system. Policy settings for the registry control the values of security-related registry keys. You can view or change security settings for currently defined registry and file system paths by following these steps: