Professional Documents
Culture Documents
Policy
C H A P T E R 4
Administrators who deploy enterprise networks must design and implement many aspects of security. As part of
your security strategy to manage servers and workstations, you can deploy Group Policy with the Active
Directory® directory service to specify options for Internet Protocol security (IPSec), security settings, software
restrictions policies, and wireless network policies.
In This Chapter
Overview of Security Policy Deployment.............................................................158
Designing Security Policy....................................................................................162
Configuring Security Policy.................................................................................181
Additional Resources...........................................................................................194
Related Information
• For more information about security in the Microsoft® Windows® Server 2003 operating
systems, see the security chapters in Designing and Deploying Directory and Security
Services of this kit.
• For more information about Internet Authentication Service (IAS) and wireless
networks, see “Deploying IAS” and “Deploying a Wireless LAN” in Deploying
Network Services of this kit.
• For more information about IPSec, see “Deploying IPSec” in Deploying Network
Services of this kit and the Networking Guide of the Microsoft® Windows® Server 2003
Resource Kit (or see the Networking Guide on the Web at
http://www.microsoft.com/reskit).
158 Chapter 4 Deploying Security Policy
Starting GPMC
To start GPMC, click Start, click Programs, click Administrative Tools, and then click Group Policy
Management. GPMC can be used on computers that are running Windows XP Professional and Windows
Server 2003. The procedures in this chapter use GPMC.
For more information about using GPMC, see Group Policy Management Console Help. To view GPMC Help,
open GPMC, right-click Group Policy Management, and then click Help.
Important
As with all Group Policy settings, you must fully test your implementation
before you deploy your security settings to your production environment.
For more information about Group Policy staging and testing, see
“Staging Group Policy Deployments” in this book and “Designing a Test
Environment” in Planning, Testing, and Piloting Deployment Projects of
this kit.
Important
The IPSec filter lists, actions, and default policies included with Windows
Server 2003 are not appropriate to use under any circumstances. They
are intended only as examples to demonstrate behavior. Administrators
must design and build their own policies, and customize the policies for
their particular situation and security requirements.
For more information about IPSec policy, see “Deploying IPSec” in Deploying Network Services of this kit, and
the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at
http://www.microsoft.com/reskit). For more information about how to use IPSec and Group Policy, see “Assign
or unassign IPSec policy in Group Policy” and “Creating, modifying, and assigning IPSec policies” in Help and
Support Center for Windows Server 2003.
Assigning an IPSec policy to a GPO records a pointer to the IPSec policy that is inside the GPO attribute
ipsecOwnersReference. The GPO itself contains only a Lightweight Directory Access Protocol (LDAP)
distinguished name (DN) reference to the IPSec policy. Group Policy is used only to deliver the policy
assignment to the computer’s IPSec service. The computer’s IPSec service then retrieves the IPSec policy from
Active Directory, maintains a current cache of the policy locally, and keeps it current by using a polling interval
that is specified in the IPSec policy itself. Because the IPSec policy itself is not stored inside the GPO, its
settings can be assigned to and shared by many GPOs. Consider the following characteristics when you plan for
the behavior and management of Group Policy for IPSec.
164 Chapter 4 Deploying Security Policy
Note
Netsh is a command-line tool for configuring networking components on
the local computer or on remote computers running Windows 2000,
Windows XP Professional, or Windows Server 2003. The Netsh IPSec
context is only available on Windows Server 2003. For more information
about using the Netsh IPSec context, see “Netsh commands for Internet
Protocol security (IPSec)” in Help and Support Center for Windows
Server 2003.
Group Policy inheritance in Active Directory cannot be blocked for a specific GPO without affecting other
settings in the GPO. If you must control IPSec policy inheritance, create a new GPO that is dedicated
exclusively to deploying and assigning IPSec policy.
For recommendations on the uses of IPSec, see “Special IPSec considerations” in Help and Support Center for
Windows Server 2003.
Note
Additional IPSec design and deployment information is not included in
this chapter. For more information about deploying IPSec, see
“Deploying IPSec” in Deploying Network Services of this kit. For more
information about how to create IPSec policies, see “Creating, modifying,
and assigning IPSec policies” in Help and Support Center for Windows
Server 2003.
For nested OUs, the GPO that is linked closest to the OU takes precedence. The precedence rules that apply to
restricted groups also apply to other Group Policy settings when there is a conflict. For example, if a computer
is a member of OU A, which is nested in OU B, and both OUs define Power Users as a restricted group, then
the definition of Power Users according to OU A takes precedence on the computer.
To find out which policies are currently applied to a specific computer, use the Group Policy Results node in
the GPMC snap-in.
Plan Event log size and wrapping according to business and security
requirements
Define Event log size and overwrite of events logs (also known as log wrapping) to match the business and
security requirements of your organization’s security plan. Implement these Event log settings at the site,
domain, or OU level to take advantage of Group Policy settings.
Understand the use of Restricted Groups
If you create a Restricted Groups policy for a group, any users and groups that are not specified as members of
the group within the policy are removed from the group. For example, if you create a Restricted Groups policy
for the local Administrators group, and the newly created policy specifies only the Domain Admins group as
members, all other members of the local Administrators group (including any local accounts) are removed from
the local Administrators group when the policy is applied. Note that if the Restricted Groups members are
defined in more than one GPO, only the members that are defined in the GPO with the highest precedence are
applied. This also applies to the groups that the group can be a member of.
Be aware that security settings can persist
For Windows Server 2003 and Windows XP, security settings might persist even if the setting is no longer
defined in the GPO that originally applied it. This occurs under the following conditions:
• The setting was not defined for the local computer at the time that the policy setting was
applied.
• The setting is for a registry object.
• The setting is for a file system object.
Windows 2000 security settings may persist even if the setting is no longer defined in the GPO that originally
applied it. This occurs under the following conditions:
• The setting has not been defined for the local computer at the time that the policy setting
was applied.
• The setting is for a registry object.
• The setting is for a file system object.
• The setting is for a service.
• The setting is for a Restricted Groups policy.
• The setting is an Event log setting.
Additional Resources 169
All settings that are applied through local policy or a GPO are stored in a local database on your computer.
Whenever a security setting is modified, the computer saves the security setting value to the local database. The
database retains a history of all the settings that have been applied to the computer. If a policy defines a security
setting and then no longer defines that setting, the setting reverts to the previous value in the database. If a
previous value does not exist in the database, the setting remains defined as is. This behavior is sometimes
called tattooing.
Any other settings that persist maintain the values that are applied through the policy until that setting is set to a
different value.
The default storage location of the predefined security templates is %systemroot%\Security\Templates. Only
administrators have permissions to modify the templates in this folder; users without administrative permissions
can save their templates to another folder. This folder includes the following templates.
Setup Security.inf
Setup security.inf is a computer-specific template that represents the default security settings that are applied
when the operating system is installed, including the file permissions for the root of the system drive.
The Setup security.inf template is created for each computer during installation. It can vary from computer to
computer and is based on whether the installation was a clean installation or an upgrade. This template can be
used on servers and client computers; it cannot be applied to domain controllers. You can apply portions of this
template for disaster recovery purposes.
Do not apply Setup security.inf using Group Policy. It contains a large amount of data and can seriously degrade
performance if it is applied by using Group Policy. Degraded performance can occur because policy is
periodically refreshed, and a large amount of data then moves through the domain.
It is recommended that you apply the Setup security.inf template in parts by using the Secedit command-line
tool. For more information about Secedit, see “Secedit” in Help and Support Center for Windows Server 2003.
DC Security.inf
This template is created when Active Directory is installed onto a server. It reflects file, registry, and system
service default security settings. Reapplying this template resets these settings to default values. Note that this
template might overwrite permissions on new files, registry keys, and system services that are created by other
applications. It can be applied by using the Security Configuration and Analysis snap-in or the Secedit
command-line tool.
Compatws.inf
Default permissions for workstations and servers are primarily granted to three local groups: Administrators,
Power Users, and Users. Of the three, the Administrators group has the most permissions, while the Users group
has the least. Because of this, you can significantly improve security, reliability, and the total cost of system
ownership by:
• Making sure that end users are members of the Users group.
• Deploying applications that can be run successfully by members of the Users group.
Members of the Users group can successfully run applications that are a part of the Windows Logo Program.
However, members of the Users group might not be able to run applications that do not meet the requirements
of the program. If other applications must be supported, there are two options:
• Permit members of the Users group to be members of the Power Users group.
• Relax the default permissions that are granted to the Users group.
Additional Resources 171
Because Power Users have additional permissions such as creating users, groups, printers, and shares, some
administrators prefer to relax the default User permissions instead of permitting members of the Users group to
be members of the Power Users group. This is precisely what the Compatible template is for. The Compatible
template changes the default file and registry permissions that are granted to the Users group in a way that is
consistent with the requirements of most applications that do not belong to the Windows Logo Program.
Additionally, because it is assumed that the administrator who is applying the Compatible template does not
want members of the Users group to be Power Users, the Compatible template also removes all members of the
Power Users group. For more information, see “Default security settings for groups” in Help and Support
Center for Windows Server 2003.
For more information about the Windows Logo Program for Software, see the Windows Logo Program for
Software link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Do not apply the Compatible template to domain controllers. For example, do not import the Compatible
template to the Default Domain GPO or the Default Domain Controllers GPO.
Secure*.inf
The Secure templates define enhanced security settings that are least likely to impact application compatibility.
For example, the Secure templates define stronger password, lockout, and audit settings.
The Secure templates prevent anonymous users, such as users from untrusted domains, from:
• Enumerating account names and shares.
• Performing SID-to-name or name-to-SID translations. If this is allowed, anonymous
users can request user names (such as the administrator’s user name) based on the user’s
security ID (SID) as well as requesting the SID for a user based on the user name.
The Secure templates enable server-side server message block (SMB) packet signing. By default, SMB packet
signing is disabled for member servers. Because client-side SMB packet signing is enabled by default, SMB
packet signing is always negotiated when workstations and servers are operating at the Secure level.
Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by
configuring clients to send only NTLM version 2 (NTLMv2) responses and by configuring servers to refuse
LAN Manager responses.
Considerations for applying Securews.inf to a member computer include:
• All domain controllers that contain the accounts of all users that log on to the client must
run Windows NT 4.0 Service Pack 4 (SP4) or later, Windows 2000, or Windows
Server 2003.
• If the member computer is joined to a domain that contains domain controllers that are
running Windows NT 4.0, the clocks on both the domain controllers and the member
computers must be set within 30 minutes of each other.
172 Chapter 4 Deploying Security Policy
Caution
Do not edit the registry unless you have no alternative. The registry
editor bypasses standard safeguards, allowing settings that can damage
your system, or even require you to reinstall Windows. If you must edit
the registry, back it up first and see the Registry Reference on the
Windows Server 2003 Deployment Kit companion CD or at
http://www.microsoft.com/reskit.
Computers that run LAN Manager include Windows for Workgroups and Microsoft® Windows® 95 and
Microsoft® Windows® 98 platforms that do not have the Active Directory Client Extensions Pack installed. If
the Active Directory Client Extensions Pack is installed on Windows 95 or Windows 98, those clients can use
NTLMv2. Microsoft® Windows® Millennium Edition supports NTLMv2 without additional modification.
Additional Resources 173
Hisec*.inf
The Highly Secure templates are supersets of the Secure templates that require greater levels of encryption and
signing for authentication and for the data that flows over secure channels and between SMB clients and
servers. For example, the Secure templates cause servers to refuse LAN Manager responses; the Highly Secure
templates cause servers to refuse both LAN Manager and NTLM responses. The Secure template enables
server-side SMB packet signing; the Highly Secure template requires it.
The Highly Secure templates limit the use of cached logon data, such as data stored by Winlogon and Stored
User Names and Passwords.
Hisecws.inf uses Restricted Group settings to:
• Remove all members of the Power Users group.
• Make sure that only the Domain Admins group and the local Administrator account are
members of the local Administrators group.
Hisecws.inf defines these group restrictions under the assumption that users only use applications that belong to
the Windows Logo Program. When using those applications, neither the Compatible template nor the Power
Users group is needed. Instead, users can run those applications successfully under the secure context of a
member of the Users group. The Users group is defined by the default security settings of the file system and
registry. Members of the Administrators group can still use any application.
Additionally, the Highly Secure templates require strong encryption and signing for the secure channel data that
constitutes domain-to-member and domain-to-domain trust relationships. Thus, consideration for applying
Hisecws.inf to a member computer include:
• All of the domain controllers that contain the accounts of all users that can log on to the
client must be running Windows NT 4.0 SP4 or later, Windows 2000, or Windows
Server 2003.
• All of the domain controllers for the domain that the client is joined to must run
Windows 2000 or Windows Server 2003.
Clients that are configured with Hisecws.inf cannot connect to:
• Computers that only run LAN Manager or computers running Windows NT 4.0 SP3 or
earlier using a local account defined on the target server.
• Servers running Windows 2000 SP3 and earlier or Windows NT 4.0 SP4 using a local
account that is defined on the target server unless the clock on the target server is set
within 30 minutes of the clock on the client.
• Computers running Windows XP using a local account that is defined on the target
computer unless the clock on the target computer is set within 36 hours of the clock on
the client.
• LAN Manager servers that are operating in share-level security mode.
To apply Hisecdc.inf to a domain controller, all of the domain controllers in all trusted or trusting domains must
run Windows 2000 or Windows Server 2003 operating systems.
174 Chapter 4 Deploying Security Policy
Rootsec.inf
Rootsec.inf specifies the root permissions. By default, Rootsec.inf defines these permissions for the root of the
system drive. This template can be used to reapply the root directory permissions if they are inadvertently
changed, or the template can be modified to apply the same root permissions to other volumes. As specified, the
template does not overwrite explicit permissions that are defined on child objects; it propagates only the
permissions that are inherited by child objects.
Notssid.inf
The default file system and registry ACLs on servers assign permissions to a Terminal Server security identifier
(SID). The Terminal Server SID is used only when Terminal Server is running in application compatibility
mode. If Terminal Server is not being used, this template can be applied to remove the Terminal Server SIDs
that are not necessary from the file system and registry locations. However, removing the access control entry
(ACE) for the Terminal Server SID from these default file system and registry locations does not increase the
security of the system. Instead of removing the Terminal Server SID, run Terminal Server in Full Security
mode. When you run Terminal Server in Full Security mode, the Terminal Server SID is not used.
Additional Resources 175
• Decide what the default security level of the policies will be. The default security level
can either be Disallowed, which does not permit software to run, or Unrestricted,
which permits software to run with the full permissions of the user who is logged on.
After you have decided what the default security level will be, you can begin creating
rules. The Rules types are:
• Hash rules. Software is identified by its hash.
• Certificate rules. Software is identified by its signing certificate.
• Path rules. Software is identified by its file path or registry path.
• Internet zone rules. Software is identified by using a zone that is specified by
Microsoft® Internet Explorer. Zone rules apply only to Windows Installer packages.
For more information about deploying software restriction policies, see:
• “Deploying a Managed Software Environment” in this book.
• The Software Restriction Policies link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.
• “Software restriction policies” in Help and Support Center for Windows Server 2003.
When the GPO is applied to that client, the resulting list of preferred networks is merged in the following order:
Ip1, Ip2, Iu3, Ap1, Ap2, and Au3. This occurs because infrastructure networks take precedence over ad hoc
networks and because settings in the OU take precedence over local settings. For example, Ip1 and Iu1 are the
same network with different configurations; Ip1 is configured by a Group Policy, and Iu1 is configured locally.
For more information, see “Define wireless network policies on a client computer” and “Define Active
Directory–based wireless network policies” in Help and Support Center for Windows Server 2003.
Multiple GPOs
If a computer is subject to multiple GPOs that contain wireless network policies, the wireless settings that are
defined in the GPO associated with the Active Directory container closest to the computer object takes
precedence. Those settings will override the settings that are assigned to a higher level Active Directory
container. In this case, the settings are not merged. For example, a client is a member of OU1 in the Redmond
domain, and the following GPOs are being used:
• GPOA. This GPO defines wireless network policies and is assigned to the Redmond
domain.
• GPO1. This GPO contains wireless policy settings and is assigned to OU1. The client is
a member of this OU.
When the GPO list for this client is processed, the GPO1 wireless network settings take precedence and are in
effect for this computer. The settings are not merged.
If you want to modify the account policies at the domain level, it is recommended that you modify the default
domain GPO. The account policies for domains include:
• Password policy settings for domains. The most common way to authenticate a user’s
identity is by using passwords. After a user has been identified and authenticated, the
user can perform any tasks or access any resource for which he or she is authorized.
Strong passwords generally enhance security for users. Using strong passwords helps
avoid the threat of an unauthorized user guessing a weak password (also known as
cracking) and acquiring the credentials of the compromised user account (also known as
spoofing). This is especially true for administrative accounts because an unauthorized
user might obtain administrative credentials and gain elevated privileges. For more
information, see “Strong passwords” in Help and Support Center for Windows
Server 2003.
• Account lockout policy settings for domains. More than a few unsuccessful password
tries during logon might represent an attacker’s attempt to determine an account
password by trial and error. Windows Server 2003 and Windows 2000 tracks the
number of logon attempts, and it can be configured to respond to this type of attack by
disabling the account for a preset period of time. This is known as an account lockout.
• Kerberos policy settings for domains. Kerberos V5 authentication protocol provides
the default mechanism for authentication services and the authorization data that is
necessary for a user to gain access and perform a task on a resource. By reducing the
lifetime of Kerberos authentication tickets, you reduce the risk of having a legitimate
user’s credentials stolen and successfully used by an attacker. However, authorization
overhead is increased.
In addition, there are five Security Option settings that behave in the same way as account policies. These are:
• Network Security: Force logoff when logon hours expire
• Accounts: Administrator account status
• Accounts: Guest account status
• Accounts: Rename administrator account
• Accounts: Rename guest account
For more information about the individual account policies, see “Account policies” in Help and Support Center
for Windows Server 2003.
Additional Resources 185
Important
Make changes to the user rights assignment policy settings directly in the
Default Domain Controllers GPO for application compatibility reasons.
Not doing so can cause unexpected behavior if server applications are
later installed on the domain controller.
• Audit policy settings. When you enable auditing on your domain controllers, the
number of events that is recorded in the security event log increases. As a result, the
maximum size of the security event log must be increased. As a part of your typical
operations tasks, archive the security and system event logs regularly and frequently
before they fill up. If the logs fill up, you might miss events.
Important
Make changes to the audit policy settings directly in the Default Domain
Controllers GPO for application compatibility reasons. Not doing so can
cause unexpected behavior if server applications are later installed on
the domain controller.
• Security options policy settings. The domain controller security options policy settings
affect Active Directory–related security configuration settings and network, file system,
and user logon security configuration settings.
For more information about securing domain controllers, see the Securing Active Directory Installations link on
the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
186 Chapter 4 Deploying Security Policy
Rule Precedence
Rules are evaluated in a specific order. The rules that more specifically match a program take precedence over
rules that more generally match a program. From highest to lowest, rule precedence is as follows:
• Hash rule
• Certificate rule
• Path rule
• Internet zone rule
• Default security level
Table 4.3 shows examples of how the software restriction policy rules in Table 4.2 determine which programs
users can run.
Additional Resources 187
DLL Checking
Most programs require multiple .dll files to run. By default, software restriction policy rules are not enforced
against .dll files. This is the recommended option for most users for the following reasons:
• Setting a program’s main executable file as Disallowed in the Software Restriction
Policies snap-in prevents the program from running. Therefore, it is typically not
necessary to set all of the related .dll files to Disallowed.
• Checking .dll files results in performance degradation on the system. If a user runs 10
programs during his or her logon session, the software restriction policy is evaluated 10
times. If .dll checking is turned on, the software restriction policy is evaluated for
each .dll file that is loaded with each program. For example, if each program uses 20 .dll
files, 10 .exe files are checked, and then 200 .dll files are checked. The software
restriction policy is evaluated 210 times.
• If the default security level is set to Disallowed, the main executable file has to be
identified so that it can run, and all of the executable file’s .dll files must be identified.
To activate .dll checking, in the Enforcement Properties policy, set Apply software restriction policies to the
following to All software files. For more information about .dll checking, see “Apply software restriction
policies to DLLs” in Help and Support Center for Windows Server 2003.
Exclude Administrators
You might want to prevent most users from running certain programs by setting them as Disallowed but permit
administrators to run any programs. For example, a user might have a shared computer that multiple users
connect to by using Terminal Server. You might want the users to run specific applications on the computer,
while permitting members of the Local Administrators group to run any programs. To exclude local
administrators, you can set the option to apply software restriction policies to All users except local
administrators.
Note
Setting the software restriction policies to exclude local administrators is
only valid for Group Policy objects that are applied to computers.
For more information about software restriction policies, see “Prevent software restriction policies from
applying to local administrators” and “Software restriction policies” in Help and Support Center for Windows
Server 2003, and “Deploying a Managed Software Environment” in this book.
Additional Resources 189
Network keys
When you enable WEP, you can require that a network key be used for encryption. You can specify a key (by
typing a key in the Network key text box when you configure the wireless connection). If you specify a key,
you can also provide its location in the Key index text box (on the Properties page for Wireless Network
Connections). Table 4.5 includes descriptions of the configuration settings for requiring network keys.
Table 4.5 Configuration Settings for Preferred Networks
Options Comments
Networks Lists the IEEE 802.11 wireless networks to which
clients can try to connect. Use the Move Up and
Move Down buttons to prioritize the list. Use the
Add button to add a new wireless network. You
can also edit properties of a network by using
the Edit button, or use the Remove option to
remove an entry from the list.
Network name (SSID) Specifies the name for the specified wireless
network. Under the IEEE 802.11 standard, the
network name is also known as the Service Set
Identifier (SSID).
Description Provides a description for the specified wireless
network. Use a unique description of up to 255
characters.
Wireless network key (WEP) Data Encryption (WEP enabled) specifies that a
• Data encryption (WEP network key is used to encrypt the data that is
enabled) sent over the network.
• Network authentication Network authentication (Shared mode) specifies
(Shared mode) that a network key be used for authentication to the
wireless network.
• The key is provided
automatically The key is provided automatically specifies that
a network key is automatically provided for
clients.
This is a computer-to- Specifies whether this preferred network is a
computer (ad hoc) network; computer-to-computer ad hoc network. If this
wireless access points are check box is not selected, this network is an
not used access point (infrastructure) network.
9. To specify that the network is a computer-to-computer (ad hoc) network, click to select
the This is a computer-to-computer (ad hoc) network; wireless access points are not
used check box.
To define 802.1X authentication
1. Open GPMC.
2. In the console tree, expand the domain or OU that you want to manage, right-click the
Group Policy object that you want to edit, and then click Edit.
3. In the Group Policy Object Editor console tree, click Computer Configuration, click
Windows Settings, and then click Security Settings.
4. Click Wireless Network (IEEE 802.11) Policies, right-click the wireless network
policy that you want to modify, and then click Properties.
5. On the Preferred Networks tab, under Networks, click the wireless network for which
you want to define IEEE 802.1X authentication.
6. On the IEEE 802.1X tab, check the Enable network access control using IEEE
802.1X check box to enable IEEE 802.1X authentication for this wireless network. This
is the default setting. To disable IEEE 802.1X authentication for this wireless network,
clear the Enable network access control using IEEE 802.1X check box.
7. Specify whether to transmit EAPOL-start message packets and how to transmit them.
8. Specify EAPOL-Start message packet parameters.
9. In the EAP type box, click the EAP type that you want to use with this wireless
network.
10. In the Certificate type box, select one of the following options:
• Smart card. Permits clients to use the certificate that resides on their smart card for
authentication.
• Certificate on this computer. Permits clients to use the certificate that resides in
the certificate store on their computer for authentication.
11. To verify that the server certificates that are presented to client computers are still valid,
select the Validate server certificate check box.
12. To specify whether client computers must try authentication to the network, select one
of the following check boxes:
• Authenticate as guest when user or computer information is unavailable.
Specifies that the computer must attempt authentication to the network if user
information or computer information is not available.
• Authenticate as computer when computer information is available. Specifies
that the computer attempts authentication to the network if a user is not logged on.
After you select this check box, specify how the computer attempts authentication.
For detailed information about using the wireless network policies, see “Define wireless network policies on a
client computer” in Help and Support Center for Windows Server 2003.
194 Chapter 4 Deploying Security Policy
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
• Designing and Deploying Directory and Security Services of this kit for more
information about distributed security.
• “Deploying IPSec” in Deploying Network Services of this kit for more information
about Internet Protocol security (IPSec).
• “Designing a Wireless LAN” in Deploying Network Services of this kit for more
information about wireless networks.
• The Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking
Guide on the Web at http://www.microsoft.com/reskit).
Additional Resources 195
• The Distributed Services Guide of the Windows Server 2003 Resource Kit (or see the
Distributed Services Guide on the Web at http://www.microsoft.com/reskit) for more
information about Group Policy.
• “Deploying IAS” in Deploying Network Services of this kit for more information about
Internet Authentication Service (IAS).
• The TechNet Security link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information about
Windows Server 2003 security.
Related Job Aids
• “Worksheet A.27 Using Custom Security Templates” (DMEUSE_27.doc) on the
Windows Server 2003 Deployment Kit companion CD (or see “Worksheet A.27 Using
Custom Security Templates” on the Web at http://www.microsoft.com/reskit).
• “Worksheet A.28 Selecting Predefined Security Templates” (DMEUSE_28.doc) on the
Windows Server 2003 Deployment Kit companion CD (or see “Worksheet A.28
Selecting Predefined Security Templates” on the Web at
http://www.microsoft.com/reskit).
• “Worksheet A.29 Designing Security Policy” (DMEUSE_29.doc) on the Windows
Server 2003 Deployment Kit companion CD (or see “Worksheet A.29 Designing
Security Policy” on the Web at http://www.microsoft.com/reskit).
Related Tools
• Group Policy Management Console
To download the GPMC tool, see the Group Policy Management Console link on the Web
Resources page at http://www.microsoft.com/windows/reskits/webresources.
Related Help Topics
For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set
search options. Under Help Topics, select the Search in title only checkbox.
• “Security Settings” in Help and Support Center for Windows Server 2003 for more
information about using the security settings and security templates.
• “Internet Protocol security (IPSec)” in Help and Support Center for Windows
Server 2003 for more information about using IPSec.
• “Internet Authentication Service” in Help and Support Center for Windows Server 2003
for more information about using IAS.
196 Chapter 4 Deploying Security Policy
• “Software restriction policies” in Help and Support Center for Windows Server 2003 for
more information about using software restriction policies.
• “Applying security settings through Group Policy” in Help and Support Center for
Windows Server 2003 for more information about using Group Policy.
• “Creating, modifying, and assigning Active Directory-based wireless network policies”
in Help and Support Center for Windows Server 2003 for more information about how
to set up security policies for wireless networking.
• “Assign or unassign IPSec policy in Group Policy” in Help and Support Center for
Windows Server 2003 for more information about using IPSec with Group Policy.
• “Gpupdate” in Help and Support Center for Windows Server 2003 for more information
about the gpupdate command including full syntax.
• “Security Templates” in Help and Support Center for Windows Server 2003.
• “Security Configuration and Analysis” in Help and Support Center for Windows
Server 2003.
• “Security Settings” in Help and Support Center for Windows Server 2003.
• “Local security policy” in Help and Support Center for Windows Server 2003.
• “Secedit” in Help and Support Center for Windows Server 2003.
• “Creating, modifying, and assigning IPSec policies” in Help and Support Center for
Windows Server 2003.
• “Customize a predefined security template” in Help and Support Center for Windows
Server 2003.
• “Predefined security templates” in Help and Support Center for Windows Server 2003.
• “Import a security template to a Group Policy object” in Help and Support Center for
Windows Server 2003.
• “Define wireless network policies on a client computer” Help and Support Center for
Windows Server 2003.
• “Configure how a service is started” in Help and Support Center for Windows
Server 2003.