XP Security Template Questions
Background: I am an I&C Engineer, not an IT guy. That being said, I am working on a large project dealing with meeting NERC CIP compliance on 11 power plants. We have to be compliant by 12/31/09. Each plant has about 100+ computers/servers, yet there is no domain controller at any site and virtually zero IT-type infrastructure. I am not allowed to purchase new equipment this year. We have to do stuff similar to the DoD in terms of lock and key, classification of critical assets, security settings, user management, IDS, etc., etc. The first thing that needs to be done is to apply a security template manually and locally to each device in order to ensure consistent and correct policies. Again, there are no domain controllers. It's an administrative nightmare, but this is just temporary and we have to have it in place this year. This is the first time I have designed a security template. I am almost done, but need the following questions answered before I move on.

Question 1: Services listing

In the security template there is a section called services; I am well familiar with service hardening in general from the services.msc interface. My question is this: in the services section of the hisecws template, where is this list populated from? Is it populated when you open the template based on what services I have on this development machine, or is it part of the template? If I am going to apply this template to 120 computers at each site, then it would not be appropriate to use the services that are installed on this development computer; however, if the services listing in the template is consistent, as viewed on any computer, and represents a typical services listing for any freshly installed WinXP OS, then this would seem to be perfect. So, where is this services list coming from? Is it based on my computer, or is it hardcoded into the template?

Question 2: Groups vs. Restricted Groups

In the user rights section of the security template, I have assigned any number of 4 custom groups to each setting. I do not want to use any of the default groups. Again, no domain controller, so everything will be local policies. Now I have reached the section called restricted groups. Is this where I assign usernames to each group and actually define the groups for this device? Are usernames automatically created using this method, or do I have to do this somewhere else? I have read tons of documentation on the "user rights" and "restricted groups" sections, but nothing ties these two sections together in a logical way.

Is it correct that, for the above condition and my desire to keep it simple, I should:
1. Restricted groups section: delete all groups listed by default.
2. Restricted groups section: add my four custom groups.
3. Restricted groups section: create/assign usernames by entering them in the "members" list of each group.
4. Restricted groups section: make sure the "member of" list is empty for each group.
5. User rights section: assign the user rights for each group.
September 18th, 2009 4:18pm

Gunslinger;

The list of services is based on what's present on the computer where you've opened the editor. Modifying the startup type of services can cause all sorts of problems; there are only a small number of services that you should consider disabling, such as Messenger. See the XP Security Guide linked below.

Restricted groups and user rights aren't really related except by the fact that they both involve user and group accounts. Based on what you've stated I strongly recommend against using the restricted groups feature; it's complex and it's easy to cause problems if you don't understand the feature completely. Modifying user rights is also very risky; be certain that you understand what you are doing.

I have another concern: you are using security templates and specifically mention hisecws. DO NOT USE THIS TEMPLATE. The hisecws template includes settings that are not supported by Microsoft. Instead, please use our security guidance as a starting point for your work. The Security Compliance Management Toolkit Series includes guidance for Office 2007 and all current versions of Windows: http://technet.microsoft.com/en-us/library/cc677002.aspx. You want to start with the Windows XP Security Guide; look at the Enterprise Client settings: http://technet.microsoft.com/en-us/library/cc163061.aspx. Note that there are many group policy settings that you can't apply with security templates; you should experiment with the GPOAccelerator for deploying the settings locally. I've pasted a passage from the user guide below. I hope that you take my advice to heart. I have helped scores of organizations to harden their systems over the years. I have been involved in developing hardening guidance for the entire federal government. I know firsthand the problems people typically run into: using hisecws, modifying services, using restricted groups, and reconfiguring user rights are 4 of the most challenging areas.

I know government agencies that made mistakes in these areas and faced reimaging thousands of computers. And whatever you do, be sure that you thoroughly test before applying your changes to production computers.

Modifying Local Group Policy

You can also use the GPOAccelerator to modify the local Group Policy of a computer by applying the security settings included in the GPOs described earlier. The GPOAccelerator will apply the Security Template INF files and the Administrative Template POL files supplied with this guide to modify the local policy on client computers running Windows XP.

To modify local Group Policy on a client computer running Windows XP
1. Log on as an administrator to a computer running Windows XP.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Click the Command-line Here.cmd file.
4. At the command prompt, type cscript GPOAccelerator.wsf /Enterprise /Desktop or cscript GPOAccelerator.wsf /Enterprise /Laptop and then press ENTER.

Completing this procedure modifies the local security policy settings using the values prescribed for the EC environment. You can use GPEdit.msc to review the configuration of the local Group Policy on your computer.

Kurt Dillard http://www.kurtdillard.com
September 18th, 2009 7:17pm

Thanks for the reply. I will read your sources. Before I do though, your response has triggered the following questions in my head:

1. I agree, there are only a small number of services that will be disabled; however, the standards we have to comply with state the following: "the responsible entity shall ensure that only those ports and services required for normal and emergency operations are enabled." I see no way to get around this; it states very clearly that we are supposed to disable ALL services that are not being used. Though, I already know that it is very, very difficult to determine what is currently being used by the system, not to mention what could possibly be needed if conditions change. Comments?

2. "The list of services is based on what's present on the computer where you've opened the editor." Okay, this was my concern. Just to verify, are you sure this is the case in the security template? I want to make sure you're not talking about the services.msc interface. Here is the situation. I need to develop these templates on a corporate computer, then apply them to industrial control system (ICS) computers. My corporate computer has tons of software and services that will not be on ICS networks. How can I apply very basic service disabling (such as Messenger) using a quick and dirty method to expedite the implementation on these 120 devices? I thought the security template was the answer. If I develop the template and open it on a different computer, how will this affect the settings I have modified on the other computer?

3. "Based on what you've stated I strongly recommend against using the restricted groups feature, its complex and its easy to cause problems if you don't understand the feature completely." Okay, so where do I actually define the groups and who is a member of which group? The user rights section is self-explanatory in how to assign groups to each right, but where do I define the groups and the members of each group? We don't want to spend a full day on each of the 120 computers defining these settings. We want to implement the same settings across the 120 computers; I thought the security templates were the best way to accomplish this. Am I wrong?

4. "DO NOT USE THIS TEMPLATE. The hisecws template includes settings that are not supported by Microsoft." What I am currently doing is exporting the settings and putting them in a Word document. Later, after approvals, IT will take this Word document and create a real template from it using the built-in templates as a guide. Do you still see any problems? What happens if I load the template, but the template contains settings not applicable to a particular device? I assumed they would be ignored?

5. I'll research the GPOAccelerator; however, is this really for local policies? Again, we have no domain controllers.

Thanks.
September 22nd, 2009 5:05pm

1. Your quote could be interpreted differently, but I'm not qualified or authorized to do so. Instead, I'll respond to the impact of disabling everything you don't think you need: it's very risky and you must test thoroughly. From a security perspective, it makes sense, and you can see how in each subsequent version of Windows, IIS, and other Microsoft products the default installation has more and more features disabled or not installed. You can easily shoot yourself in the foot though. You could turn off a service that you'll actually need on some systems, or you could foul up the permissions on the service objects as described below. So be certain you understand what you are disabling and test, test, and test.

2. You can safely define a short list of services in the way you propose; only services for which you specify a startup type will be written to the security template. But there's another problem inherent in the security configuration editor (SCE). SCE in Windows XP will force you to specify ACLs on the services; it will not allow you to skip this step (this is fixed in Windows Server 2003 and later versions). This means that the ACLs will be modified on the registry key for that service when the template is applied. It's a known bug in SCE, a very annoying one for anyone who's had to deal with it. My team and I dealt with it by manually editing the template in Notepad; we stripped out the ACL and left the value null, which is what appears between the double quotes below:

[Service General Setting]
Alerter,4,""
MSFtpsvc,4,""
mnmsrvc,4,""
RemoteAccess,4,""
TlntSvr,4,""
IISADMIN,4,""
W3SVC,4,""
ClipSrv,4,""
Messenger,4,""
SSDPSRV,4,""
SNMPTRAP,4,""
SNMP,4,""

So that's the list of services we disabled in a previous version of the XP security guide.

3. What are you trying to accomplish with the groups? It sounds like you want to create some groups and add some users to them. Restricted groups can't create groups; it only enforces membership. Restricted groups will remove any members added manually when group policy is refreshed. People normally use it to prevent adding accounts to powerful groups like Administrators and Backup Operators, not to simply populate groups. The fact that it will remove accounts that are added manually can be confusing and frustrating when other admins are trying to maintain the systems. Use the command prompt utility net.exe to create and populate the groups. Type 'net help localgroup' for details on how to use the utility. You can write a shell script that you run on each system.

4. Don't use that template as a starting point. Use the security guidance I listed to get started.

5. You can use GPOAccelerator to apply group policy locally, but you'd have to spend some time figuring out how to customize the group policies it has. Another option is some utilities created by a friend of mine in MCS; Aaron Margosis put together some tools for managing local group policy: http://blogs.technet.com/fdcc/archive/2009/09/15/new-and-updated-local-group-policy-utilities.aspx. You'd have to do some customization to use it too; you should investigate both to figure out which one would be easier for you to adopt. If you don't want to invest the time to customize either of these you can do what you originally planned and only apply settings via security templates. This would be quicker, but note that security templates include about 150 settings; there are 2 or 3 hundred other security settings available in group policy that cannot be applied with them.

Kurt Dillard http://www.kurtdillard.com
September 22nd, 2009 6:44pm
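The reply above recommends net.exe for creating and populating local groups (rather than Restricted Groups) and a short services list in a custom template. The batch file below is an added example, not code from the thread, from Microsoft, or from the guides it links; it scripts that approach for one stand-alone XP machine so the same steps can be repeated on every host. The group names (PlantOperators, PlantEngineers, PlantContractors, PlantAdmins), the members.txt file, and the plant.inf template are hypothetical placeholders and are assumed to sit next to the script; plant.inf is assumed to be the reader's own template built from the guidance above.

```batch
@echo off
REM Added example; not code from the thread or from Microsoft.
REM Creates job-function local groups with net.exe, populates them from a
REM text file, applies a custom security template with secedit, then re-analyzes
REM the host against the same template and keeps the logs as evidence.
REM Group names, user names and file names are hypothetical placeholders.
setlocal

set "BASE=%~dp0"
set "TEMPLATE=%BASE%plant.inf"
set "MEMBERS=%BASE%members.txt"
set "LOGDIR=%BASE%logs"
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

REM 1. Create the job-function groups only if they do not already exist
REM    (net localgroup <name> fails with a non-zero exit code when the group is missing).
for %%G in (PlantOperators PlantEngineers PlantContractors PlantAdmins) do (
    net localgroup "%%G" >nul 2>&1 || net localgroup "%%G" /add /comment:"Job-function group (hardening baseline)"
)

REM 2. Populate the groups from members.txt, one "group username" pair per line,
REM    for example:   PlantEngineers jsmith
REM    Accounts must already exist locally (net user <name> /add creates one);
REM    a failed add is reported but does not stop the run.
for /f "usebackq tokens=1,2" %%A in ("%MEMBERS%") do (
    net localgroup "%%A" "%%B" /add >nul 2>&1 || echo WARNING: could not add %%B to %%A
)

REM 3. Apply the security template (user rights, service startup types, and so on).
REM    A fresh database is used so entries from earlier runs do not linger.
if exist "%BASE%plant.sdb" del "%BASE%plant.sdb"
secedit /configure /db "%BASE%plant.sdb" /cfg "%TEMPLATE%" /log "%LOGDIR%\%COMPUTERNAME%-configure.log" /quiet

REM 4. Re-analyze the machine against the same template; the log records any
REM    setting that still differs from the baseline on this host.
secedit /analyze /db "%BASE%plant.sdb" /cfg "%TEMPLATE%" /log "%LOGDIR%\%COMPUTERNAME%-analyze.log" /quiet

REM 5. Record the resulting group memberships alongside the logs.
for %%G in (PlantOperators PlantEngineers PlantContractors PlantAdmins) do (
    net localgroup "%%G" >> "%LOGDIR%\%COMPUTERNAME%-groups.txt"
)

endlocal
```

Run it from an administrator command prompt on each machine, with plant.inf and members.txt in the same folder. Because the groups are ordinary local groups created by net.exe, adding a new engineer later is a single net localgroup command rather than an edit to every user right, and nothing removes members on policy refresh the way Restricted Groups would.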

1. I agree completely, and understand the sensitive nature of disabling services. You mention testing; how can I test configuration changes in a non-production environment? Simply letting it run seems a little insufficient; are there any testing tools out there? Perhaps something that can monitor the I/O before the change and then generate inputs and compare the outputs? I realize this is probably way too low of a design level to be testing with, but I'm an electronics engineer by heart. Any recommendations on testing? We have to have some kind of proof of the successful test; all we can think of at the moment is a signature, which I don't think is sufficient. Plus we have no idea how to test yet.

2. Thanks for letting me know of this. I need to figure out how to define these ACLs and use them in the security templates. I thought the security templates' restricted groups members were effectively the ACLs.

3. Hmm... thanks for that tool, I will research. To clarify what I am trying to use groups for: again, this is the first time I have worked on templates. All I am trying to do here is to group my users by job function (e.g. mechanical engineers, unit operators, contractors, IT, admin). The only reason I am doing this is so that when I define user rights, I don't have to list every single user who should have those permissions on each right. For example, the mechanical engineering group might have 50 users, all of whom should have the exact same rights. I don't want to have to list all 50 users in each applicable user right. In addition, if a new mechanical engineer is hired, I would like to be able to just add him/her to the group (rather than adding them to each relevant setting, which is time consuming and prone to errors). The way I have been approaching the security settings is simply by starting at the top and working my way down. The only snap-ins I am using are the security templates snap-in and the security configuration and analysis snap-in. I think you have a pretty good idea now of what I am trying to do. Can I implement the user and group definitions/creations in another snap-in, or does it have to be net.exe? I would prefer to use an interface because I will not be the only one implementing this. I would like to make implementation as simple as possible since testing will need to be in-depth. I had thought I could just load this one thing called the security template on the computer and everything would be done; I guess I'm wrong? What other Windows OS interfaces deal with security and user rights? What do you mean by "only enforces membership"? Does this only apply to the global group policies (we have none)? I would have thought that defining the groups and the users within each group takes care of this? If you don't use restricted groups as you recommend, what enforces the group policies if the group definitions do not?

4. Well, I don't think I should start over, but I will definitely study that stuff in detail and ensure all principles are applied. Haven't had time to review yet.

5. 2-3 hundred additional settings somewhere else? SH1T! Why would MS do that to me? I guess the security templates aren't as powerful as I had thought. I will research your references.

Okay, thank you very much for all the information. I've got a week or two worth of study. I will come back to this post and ask more questions if and when I come to them, which I probably will. First stop, security guidance.
September 22nd, 2009 8:20pm

FYI: my entire goal on this effort is to ensure consistent and accurate policies on each of the 120 computers, to implement user management, and to lock down all 120 computers as best as possible (in such a way that the same policy can be applied to all devices). It should be noted that these computers generally have little to no user interaction. Once this effort is over, we may go into further detail by hardening ports, programs and services specific to each device. But this is a first step to make sure we have user management and baseline security.
September 22nd, 2009 8:33pm

I am reading all this data. Everything I am reading (the files that came with the tool kit) is written from the viewpoint of a domain being present. Do you know of any guides that assume there is no domain?
September 23rd, 2009 5:07pm

None that I can recommend.

Kurt Dillard http://www.kurtdillard.com
September 23rd, 2009 5:51pm

1. What happens if I apply a security template or GPO designed on WinXP SP3 to a WinXP SP1 or earlier computer? Specifically, if a setting is not applicable to a device but I set and apply that setting anyway, what is the effect? Also, what is the effect of applying a security template that has service settings defined in it that the computer does not have? For example, in my custom security template, if I define the startup type of the Alerter service as disabled but the computer I am applying the template to does not have the Alerter service installed, what happens? Alerter is just an example; I realize it is a standard service.

2. Is it possible to define additional settings? I imagine there would be a way to do this for developers.

3. The "Local Computer Policy" snap-in (via the group policy snap-in). Does this snap-in contain all the built-in Windows security settings, or are there more somewhere else?

4. You mention that the group policy snap-in has about an additional 150 security settings that the security templates do not have. Can you clarify where these are and what they are?

5. Is there a way to define my groups and users using the MMC in such a way that, during implementation, I can just open the saved MMC console and apply the settings, groups, users, etc. with one click and just the MMC?

6. Can you explain the section called "administrative templates"? These look like security settings for specific applications. How is this list generated? What happens if I apply these to another computer that does not have all the applications installed? Is there a way to add software settings to the administrative template for software not installed on this development computer?
September 29th, 2009 3:18pm

1. The setting is ignored.
2. Yes.
3. No, it does not.
4. Open gpedit.msc.
5. No.
6. You can completely customize them, but you're asking for an in-depth briefing on group policy architecture and how to customize the group policy editor user interface. You can find tons of documentation here: http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.

Kurt Dillard http://www.kurtdillard.com
September 29th, 2009 7:02pm

Thanks
September 29th, 2009 9:29pm

1. GPO sections are split by "computer configuration" and "user configuration". Are the settings in each completely unique to the other? I.e., does the same setting appear in both sections? If so, what is the order of precedence?

2. Any recommended documentation on implementing GPOs in a non-domain, non-Active Directory environment? I now know how to apply them in an Active Directory. However, without Active Directory, all the documentation I read is telling me to edit the LGPOs on each computer individually. But this would be repetitive and extremely, massively time consuming and ridiculous. How do I apply an LGPO created on one computer to another?

Thanks again, you have been a life saver so far. I am really learning a ton.
October 1st, 2009 5:39pm

1. The computer settings take precedence.
2. I linked to Aaron's LGPO tools earlier: http://blogs.technet.com/fdcc/archive/2009/09/15/new-and-updated-local-group-policy-utilities.aspx. I don't know of a better method.

Kurt Dillard http://www.kurtdillard.com
October 1st, 2009 7:02pm

I am trying to figure out how to manage users and groups. Specifically, how I can define my users, my groups, my passwords, and which users belong to which groups, but to do it in an equivalently easy way as running a batch file, since I have to do it on hundreds of computers.

1. I have identified the following interfaces that seem to deal with this: User Accounts (Control Panel), Computer Management - Local Users and Groups (Administrative Tools in Control Panel), and I have heard rumors of a command-line interface for doing this. What is the difference between these interfaces? Which should I use? Why does group policy not have a section for user/group management?

2. Is there a way to include the Computer Management snap-in, the group policy snap-in and possibly others in a custom console such that I can edit all the settings in the console, save the console without implementing these changes on this computer, port the custom console to all the various computers and implement the settings previously defined? I.e., if I make a change in the custom console, how do I ensure it is not going to go into effect on this computer? I don't want it to. I just want to create an LGPO and my users and groups in a sort of planning LGPO, but not to implement it until it is ported to another computer.

3. Why does the "security templates" snap-in under "account policies" have a section called "Kerberos Policy" while the "local computer policy" snap-in does not? Should it not be identical? The exact same situation seems to be present in the sections titled "event log", "system services", and more. I suppose that each of these snap-ins operates on different parts of the same data set, overlapping at times. Is this accurate? If so, question 2 above becomes very important.
October 6th, 2009 8:45pm

FYI: The GPOAccelerator is no longer available. It has been replaced with Microsoft Security Compliance Manager and the Local Policy Tool; see http://social.technet.microsoft.com/wiki/contents/articles/what-happened-to-the-gpo-accelerator.aspx for more details. You can download SCM at http://technet.microsoft.com/en-us/library/cc677002.aspx. If you have more questions feel free to contact me directly or our team's address, secwish@microsoft.com.

Kurt Dillard http://www.kurtdillard.com
December 28th, 2010 11:29am
