Now, let's set up the security template so that any system with a folder named C:\adminstuff will make that folder accessible only to the local administrators. Back in the left pane of Console Root, right-click File System and choose Add File. In the dialog box that appears, you can either browse to a particular directory or simply type the directory name. Typing the directory name will work even if the computer on which you're creating the template doesn't have a folder by that name. Type

C:\adminstuff

You'll see the standard NTFS permissions dialog box. Delete the existing permissions, and add Full Control permissions for the local Administrators group. Notice that you can also perform advanced NTFS adjustments, such as setting auditing ACLs and granting ownership. The program asks whether you want these permissions to apply only to this folder or to all child folders. Set this option as you want, then click OK.

Ever since CodeRed and Nimda, the Indexing Service gives me the willies, so I like to disable it on systems that don't need it. In the Console Root's left pane, click the System Services folder. In the right pane, right-click Indexing Service and choose Properties (if you're working from an XP system) or Security (from a Win2K system). Select Define this policy setting in the template, which brings up the Security for Indexing Service dialog box. You don't need that dialog box, so click Cancel to return to Indexing Service Properties (in XP) or Template Security Policy Setting (in Win2K). In that dialog box, choose Disabled, then click OK.

To save the template, right-click it in the Console Root's left pane and click Save. You now have a file named simple.inf in your \winnt\security\templates or \windows\security\templates folder. Use the Secedit command to activate the template (be sure to type the command on one line):

secedit /configure /cfg
  <templatefilename>
  /db <databasefilename>
  /overwrite /log <logfilename>

where templatefilename is the name of the ASCII security template (C:\windows\security\templates\simple.inf, in our case) and databasefilename is the name of a security database file.

A security template is like a bit of computer source code: human-readable but not immediately useful to the computer. Just as source code must be compiled into an executable, so must a security template be reduced to a binary form called a security database. Secedit can both compile the template and apply the binary database, but you must supply a path and filename for the database—let's call ours C:\security\simple.db.

Finally, Secedit wants to report on the process, so it needs the name of a file to which to write an ASCII log—C:\security\simple.log works fine. The /overwrite option tells Secedit to overwrite any existing file with the same name. The fully assembled command is

secedit /configure /cfg
  C:\windows\security\templates\simple.inf /db C:\security\simple.db
  /overwrite /log C:\security\simple.log

That's a lot of command lining, but its effects make it worthwhile. Try out a few templates, and I think you'll be hooked on these powerful tools.
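To confirm that the template did what this walkthrough intends, the following PowerShell script (an added example, not part of the original article) applies simple.inf and then checks the folder's ACL and the service's start mode. It assumes an elevated PowerShell 2.0 or later session and that the Indexing Service's service name is cisvc, and it adds secedit's /quiet switch so the run does not stop for confirmation.

```powershell
# Added example. Paths come from the article; the service name 'cisvc'
# for the Indexing Service is an assumption (confirm with: sc query cisvc).
$template = 'C:\windows\security\templates\simple.inf'
$dbDir    = 'C:\security'
$database = Join-Path $dbDir 'simple.db'
$log      = Join-Path $dbDir 'simple.log'
$folder   = 'C:\adminstuff'
$service  = 'cisvc'
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Make sure the folder for the database and log exists before secedit runs.
if (-not (Test-Path $dbDir)) { New-Item -ItemType Directory -Path $dbDir | Out-Null }

# Compile the template into the database and apply it in one step.
& secedit /configure /cfg $template /db $database /overwrite /log $log /quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "secedit exited with code $LASTEXITCODE; review $log"
}

$problems = @()

# Check 1: every ACE on the folder must be an Allow entry for Administrators,
# and at least one of them must grant Full Control.
if (Test-Path $folder) {
    $hasFullControl = $false
    foreach ($ace in (Get-Acl $folder).Access) {
        $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value
        if ($sid -ne $adminSid -or $ace.AccessControlType -ne 'Allow') {
            $problems += "Unexpected ACE on ${folder}: $($ace.AccessControlType) $($ace.IdentityReference)"
        } elseif ($ace.FileSystemRights -eq 'FullControl') {
            $hasFullControl = $true
        }
    }
    if (-not $hasFullControl) { $problems += "Administrators lack Full Control on $folder" }
} else {
    Write-Host "$folder does not exist on this system; the file entry had nothing to apply to."
}

# Check 2: the service, if installed, must have a start mode of Disabled.
$svc = Get-WmiObject Win32_Service -Filter "Name='$service'"
if ($svc -and $svc.StartMode -ne 'Disabled') {
    $problems += "$service start mode is $($svc.StartMode), expected Disabled"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Template settings verified.'
}
```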
