Now let’s examine the two different types of GP, starting with local GP and moving to domain-based GP. Although local policies don’t have the flexibility of domain-based GPs, as you will see, they still are a valuable tool for creating a deployable set of standards for computers in your organization. Local policies are most useful for creating a security configuration for either clients or servers that is appropriate for your company. With the Security Templates snap-in, you can create role-based templates that configure most security-related settings on your machines. And with the Security Configuration and Analysis Tool snap-in (covered in detail in Chapter 7), you can create a database of roles and policies for your organization’s machines.
In this section, I’ll look at local security policy and using the security templates features to create a consistent security configuration.
Microsoft wisely decided to ship Windows with a few predefined security settings files, hereafter referred to as “security templates.” These files contain what essentially are recipes for configuring a machine’s security policy based on its daily role. These templates, designed to be applied to new Windows installations that already have had a basic template applied, must be used on systems formatted with NTFS, at least on the boot partition (the one containing the operating system files). The incremental security templates are as follows:
For workstations or servers ...