Customizing Local Security Policiesby Mitch Tulloch, author of Windows Server Hacks
One way to extend the power of Group Policy is to customize the Security Options policies. These policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options as shown in Figure 1.
Figure 1. Security Options policies available in Windows Server 2003
The particular policy settings available under Security Options are determined by the security template file that has been imported into your Group Policy object (GPO). These security templates are .inf files stored in your computer's %windir%\security\templates folder, and by default Windows Server 2003 includes a number of standard templates you can use to lock your computer down to various degrees. For example, the securedc.inf template can be used to harden the security settings on your Windows Server 2003 domain controller, while hisecdc.inf can be used to harden these settings to an even greater degree. Full details of these default templates can be found here on Microsoft's web site.
You can also create new security templates from scratch using the Security Templates snap-in. Figure 2 shows the Security Options policies for a blank new template called My New Template, and if you compare this with Figure 1 you'll see that the policy settings available are the same in both cases.
Figure 2. Security Options policies available in a security template
The policy settings available under Security Options can help you lock down various aspects of your computers. To do this you can either:
- Customize the policies under Security Options from scratch within an existing GPO using the Group Policy Object Editor
- Import a default security template into an existing GPO to automatically configure the policies specified in the template
- Create a custom security template and configure it using the Security Templates snap-in, then import the template into an existing GPO to configure the policies specified
If you need even greater flexibility, however, you can also add entirely new policies under Security Options by editing the Sceregvl.inf file. This file specifies which Registry-based policy settings are configurable under Security Options; the file is found in the %windir%\inf folder and is a plain-text file you can edit using Notepad as shown in Figure 3.
Figure 3. Contents of the Sceregvl.inf file in the %windir%\inf folder
For example, let's say you want to add a policy under Security Options that lets you harden the TCP/IP stack on your computer against a Syn attack, a type of denial of service attack in which an attacker sends a large number of spoofed Syn requests that new TCP connections be opened. The resulting proliferation of half-open TCP connections can fill up the internal TCP transmission control block (TCB) table, at which point legitimate clients won't be able to open TCP connections with your computer.
If your computer experiences this kind of attack frequently, you can harden the TCP/IP stack by setting the following
REG_DWORD Registry value to
1 to enable Syn attack protection:
Rather than configuring this Registry setting manually, however, you can add a new policy under Security Options to allow you to enable (value =
1) or disable (value =
0) this setting using Group Policy. To do this, first add the following line of text anywhere within your Sceregvl.inf file:
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect,4, "Syn Attack Protection against DoS",3,0|"No additional protection", 1|"Time out sooner if Syn Attack is detected"
Now save the changes to your Sceregvl.inf file, open a command prompt, and type the following command to register the changes on your computer:
A dialog box should appear verifying that the registration has succeeded (Figure 4).
Figure 4. Changes to Sceregvl.inf have been registered
A new policy setting will now be available in all security templates on your computer (Figure 5).
Figure 5. A new policy setting for Syn attack protection is available in security templates.
You can now configure this setting as desired for each standard and custom template, after which you can import templates into GPOs to enable or disable the new setting in each GPO. In fact, if the computer on which you performed this procedure is a domain controller, the new policy will be immediately available for configuration in all GPOs as well (Figure 6).
Figure 6. A new policy setting for Syn attack protection within a GPO
Opening the properties for this policy shows you the configuration options available (Figure 7).
Figure 7. Enabling Syn attack protection in a GPO
Additional information about the syntax of Sceregvl.inf can be found in Knowledge Base article 214752 on Microsoft TechNet.
Final tip: On Windows Server 2003 Service Pack 1, the
SynAttackProtect Registry setting is now set to
1 by default.
Return to the Windows DevCenter.