Security templates gaining favor

Security professionals at last week’s InfoSec conference gathered to swap ideas on tools and practices that make their jobs easier. Among the most popular advice was to try Microsoft’s security templates.

ORLANDO – Security professionals at last week’s InfoSec conference gathered to swap ideas on tools and practices that make their jobs easier. Among the most popular advice was to try Microsoft’s security templates.

The templates are text-based .inf files that can be applied to Windows 2000 and XP desktops and servers via the Microsoft Management Console or Active Directory to enforce password requirements, access-control lists, file permissions and more. A network administrator can blast out template-based security settings to target hosts with a touch of a button rather than visiting each machine.

“We’re doing a major rollout of XP, and we’ll use the security templates to enforce policy,” said Kerry Anderson, information security officer for Fidelity Investments in Boston, during a presentation she gave on the dangers of Web mobile code.

Some Web plug-ins for online games have been discovered to contain Trojan horses, so they’re now off-limits to all Fidelity employees, Anderson said. Using Microsoft security templates, Fidelity easily can lock down every user’s desktop to keep prohibited applications from running.

Security templates have the federal government’s eye as well. Working with the National Security Agency and the National Institute of Standards and Technology, Microsoft just issued a set of security templates intended for the government under its Common Criteria guidelines. These templates are designed to make it easier to apply restrictions for sensitive data and groups.

But according to PricewaterhouseCoopers consultant Mark Lobel, who led an educational session at InfoSec on how to use Microsoft security templates, most companies probably are not taking advantage of them yet. While the technology simplifies the pushing out of rules to desktops and servers, a lot of upfront planning on corporate security policy needs to be done first, he said.

“You need to understand the business purpose of your server,” Lobel said. “To lock it down, you lock it down for a business use.”

Security templates can be customized and used for purposes such as auditing computers. Microsoft lacks a log-collection tool for this, but tools from IBM Tivoli and others can be used.

Gary Bahadur, CIO for security company Foundstone of Mission Viejo, Calif., spoke about his company’s experience using Microsoft’s group policy security templates, which allow for role-based administration.

“If you want to configure a human resources template, for instance, you can,” he said. “You can push these out to a group of users or a group of servers, all with one template.”

Bahadur said the software restriction policy, which is new to XP and Windows 2003 (now in beta), is the “most powerful means yet” that Microsoft has created for controlling software use. In addition, it lets companies define restrictions for 802.11-based wireless network use in Win 2003.

One of the toughest challenges is convincing employees that their computer use should be restricted, Bahadur added. “We’ve had trouble trying to enforce this with power users not accustomed to restrictions,” he said.