how to apply w2k security to w2k member servers under w2k3 domain?

Guest

Hi,

I have one w2k3 AD domain. All DCs are w2k3; 80% of the servers are w2k3 servers and
20% are w2k servers. I can apply the w2k3 member server baseline security to all
w2k3 servers and then apply customized security templates to them according
to specific roles, but how do I manage the security of the w2k servers using GPO?
If I put all w2k servers into one OU and apply baseline security, how do I apply
the w2k security template to w2k servers under a w2k3 domain? Can I just
import the w2k security template into a w2k3 GPO and link it to the w2k servers OU?


Thanks!
 
Roger Abell

I am not sure what the issue is that you (feel you) are seeing.
Policies apply to a specific version or higher of Windows.
For example, there are some policies that apply to W2k and
above, some that apply to XP and above (i.e. W2k3) but not
to W2k, etc.
If one GPO sets W2k and XP era policies all will be applied
to W2k3 and XP machines that are under the influence of that
GPO while only the W2k policies will have effect on the W2k
machines under that GPO's influence.
 
Steven L Umbach

Yes you can do exactly what you propose and it makes good sense. Create
separate OU's for your Windows 2000 servers and use an OU with a Windows
2000 security template imported into it. Do not mix and match security
templates between Windows 2000 and Windows 2003 computers as you may have
unpredictable results. For domain controllers however do NOT move any out of
the default domain controllers container. You can however create separate
OU's inside of the domain controllers container if need be. Use the Security
Configuration and Analysis mmc snapin to verify the effective security
policy applied to your servers to make sure security settings are what you
expect. The biggest difference in security templates is security options as
Windows 2003 has several more than Windows 2000 and many have been
named. --- Steve
 
Guest

Thanks, Roger.

My question is actually: can I apply a w2k3 security template to w2k servers?
Because w2k3 security settings are different from w2k, do I have to
separate w2k servers from w2k3 servers with different OUs? I previously had
the thought that a w2k3 security template can be applied to w2k servers
directly; now it looks like there are a lot of differences between them.
 
Roger Abell

The templates are groups of settings.
Each setting has a version level, that is, has a minimum
Windows version. If a setting for W2k3 is in a GPO that
is applied to W2k, the W2k will not know what to do with
the setting so it will have no effect upon it.

As with all templates MS has provided, these are guidelines
and examples. One is supposed to craft from them for one's
own environment and needs. Part of that should include
understanding what policy settings actually will have an
effect on each version of Windows so one does not expect
a lower version to be configured/protected in a way that it
actually will not be.

However, applying a set of policies that apply to W2k3
onto a W2k server will not hurt the W2k, they just will
not do anything to it.
 
Guest

thanks, steven

Steven L Umbach said:
Yes you can do exactly what you propose and it makes good sense. Create
separate OU's for your Windows 2000 servers and use an OU with a Windows
2000 security template imported into it. Do not mix and match security
templates between Windows 2000 and Windows 2003 computers as you may have
unpredictable results. For domain controllers however do NOT move any out of
the default domain controllers container. You can however create separate
OU's inside of the domain controllers container if need be. Use the Security
Configuration and Analysis mmc snapin to verify the effective security
policy applied to your servers to make sure security settings are what you
expect. The biggest difference in security templates is security options as
Windows 2003 has several more than Windows 2000 and many have been
named. --- Steve
 
Steven L Umbach

OK. You may be able to find that you can do what with Windows 2003
templates. It's just that the security options that do not exist in Windows
2000 will not be applied and that other security options have been renamed.
The one security option that may be confusing is the security option for
"additional restrictions for anonymous access" which has been split into a
couple different security options in Windows 2003. If you have the need to
configure "additional restrictions for anonymous access" to be "no access
without explicit anonymous permissions" I am not sure if that can be done
with a Windows 2003 security template. The Security Configuration and
Analysis mmc snapin is always the best way to see exactly what security
policy is being applied to any computer. Keep in mind that the disable
storage of lmhash security option will not apply to Windows 2000 computers -
it requires a registry change. --- Steve
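
Added example (not part of the original thread or any poster's code): a small Python check that reads the [Registry Values] section of a security template and reports which of the settings named in this thread would take effect on a Windows 2000 server. The template fragment is constructed, and the applicability table is an assumption that covers only the anonymous-access and NoLMHash settings discussed above; anything else is reported as unknown.

```python
# Constructed sample: fragment of a Windows Server 2003 style security template.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""

LSA = r"machine\system\currentcontrolset\control\lsa" + "\\"
# Assumed applicability table, limited to the settings named in the thread.
W2K_NOTES = {
    LSA + "restrictanonymous": ("applies", "on W2k the value 2 means no access "
                                "without explicit anonymous permissions"),
    LSA + "restrictanonymoussam": ("ignored", "split-out option added after W2k"),
    LSA + "everyoneincludesanonymous": ("ignored", "split-out option added after W2k"),
    LSA + "nolmhash": ("ignored", "W2k needs a separate registry change"),
}

def parse_registry_values(text):
    """Return {registry_path: (type_code, data)} from the [Registry Values] section."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "registry values" and "=" in line:
            path, _, rhs = line.partition("=")
            type_code, _, data = rhs.partition(",")   # e.g. "4,1" is REG_DWORD 1
            values[path.strip()] = (int(type_code), data.strip())
    return values

def audit_for_w2k(text):
    """List (setting, data, status, note) for each registry value in the template."""
    report = []
    for path, (_, data) in parse_registry_values(text).items():
        status, note = W2K_NOTES.get(
            path.lower(), ("unknown", "not in this table; verify on the server"))
        report.append((path.rsplit("\\", 1)[-1], data, status, note))
    return report

if __name__ == "__main__":
    for name, data, status, note in audit_for_w2k(SAMPLE_TEMPLATE):
        print(f"{name}={data}: {status} ({note})")
```

The result is only a planning aid; the effective policy on each server is still what the Security Configuration and Analysis snap-in reports.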
 
