4. Press and hold or right-click the Security Configuration And Analysis node, and then tap or click Configure Computer Now. Tap or click OK.
The only settings that cannot be restored are for access control lists on file system and registry paths. After the permissions on file system and registry paths have been applied, you cannot reverse the process automatically and must instead manually reverse the changes one at a time.
Deploying security templates to multiple computers
Rather than applying security templates to one computer at a time, you can deploy your security configurations to multiple computers through Group Policy. To do this, you need to import the security template into a GPO processed by the computers to which the template settings should apply. Then, when policy is refreshed, all computers within the scope of the GPO receive the security configuration.
Security templates apply only to the Computer Configuration portion of Group Policy. Before you deploy security configurations in this way, you should take a close look at the domain and organizational unit (OU) structure of your organization and make changes as necessary to ensure that the security configuration is applied only to relevant types of computers. Essentially, this means that you need to create OUs for the different types of computers in your organization, and then move the computer accounts for these computers into the appropriate OUs. Afterward, you need to create and link a GPO for each of the computer OUs. For example, you could create the following computer OUs:
■ Domain Controllers An OU for your organization’s domain controllers. This OU is created automatically in a domain.
■ High-Security Member Servers An OU for servers that require higher than usual security configurations.
■ Member Servers An OU for servers that require standard server security configurations.
■ Laptop and Mobile Devices An OU for laptops and mobile devices, which are inherently less secure and might require enhanced security configurations.
■ High-Security User Workstations An OU for workstations that require higher than usual security configurations.
■ User Workstations An OU for workstations that require standard workstation security configurations.
■ Remote Access Computers An OU for computers that remotely access the organization’s network.
■ Restricted Computers An OU for computers that require restrictive security configurations, such as computers that are used in labs or kiosks.
REAL WORLD You need to be extra careful when you deploy security templates through GPOs. If you haven’t done this before, practice in a test environment first, and be sure to also practice recovering computers to their original security settings. If you create a GPO and link the GPO to the appropriate level in the Active Directory structure, you can recover the computers to their original state by removing the link to the GPO. This is why it’s extremely important to create and link a new GPO rather than use an existing GPO.
To deploy a security template to a computer GPO, follow these steps:
1. After you configure a security template and have tested it to ensure that it is appropriate, open the GPO you previously created and linked to the appropriate level of your Active Directory structure. In the Group Policy Management editor, open Computer Configuration\Windows Settings\Security Settings.
2. Press and hold or right-click Security Settings, and then tap or click Import Policy.
3. In the Import Policy From dialog box, select the security template to import, and then tap or click Open. Security templates end with the.inf file extension.
4. Check the configuration state of the security settings to verify that the settings were imported as expected, and then close the policy editor. Repeat this process for each security template and computer GPO you’ve configured. In the default configuration of Group Policy, it will take 90 to 120 minutes for the settings to be pushed out to computers in the organization.
Using the Security Configuration Wizard
The Security Configuration Wizard can help you create and apply a comprehensive security policy. A security policy is an XML file you can use to configure services, network security, registry values, and audit policies. Because security policies are role-based and feature-based, you generally need to create a separate policy for each of your standard server configurations. For example, if your organization uses domain controllers, file servers, and print servers, you might want to create a separate policy for each of these server types. If your organization has mail servers, database servers, and combined file/print servers in addition to domain controllers, you should create separate policies tailored to these server types.
You can use the Security Configuration Wizard to do the following:
■ Create a security policy
■ Edit a security policy
■ Apply a security policy
■ Roll back the last-applied security policy
Security policies can incorporate one or more security templates. Much like you can with security templates, you can apply a security policy to the currently loggedon computer by using the Security Configuration Wizard. Through Group Policy, you can also apply a security policy to multiple computers. By default, security policies created with the Security Configuration Wizard are saved in the %SystemRoot%\security\msscw\Policies folder.
The command-line counterpart to the graphical wizard is the Scwcmd (Scwcmd.exe) utility. At an elevated administrator prompt, you can use Scwcmd Analyze to determine whether a computer is in compliance with a security policy and Scwcmd Configure to apply a security policy.
Creating security policies
The Security Configuration Wizard allows you to configure policies only for roles and features that are installed on a computer when you run the wizard. The precise step-by-step process for creating security policies depends on the server roles and features available on the computer that is currently logged on. That said, the general configuration sections presented in the wizard are the same regardless of the computer configuration.
The Security Configuration Wizard has the following configuration sections:
■ Role-Based Service Confi uration Configures the startup mode of system services based on a server’s installed roles, installed features, installed options, and required services.
■ Network Security Configures inbound and outbound security rules for Windows Firewall With Advanced Security based on installed roles and installed options.
■ Registry Settings Configures protocols used to communicate with other computers based on installed roles and installed options.
■ Audit Policy Configures auditing on the selected server based on your preferences.
■ Save Security Policy Allows you to save and view the security policy. You can also include one or more security templates.
With the fact that the step-by-step process can vary in mind, you can create a security policy by following these steps: