Security Basics mailing list archives
Automating Administrative Template Configuration In AD
From: "Rob McComber" <rmccomber () gmail com>
Date: Thu, 1 Jun 2006 10:58:32 -0600
During the installation of our product, we deploy a full AD domain (or in some cases, integrate with an existing company domain). We are in the process of automating the application of strict security controls to ensure that our clients receive a system which can meet all of their regulatory obligations. In an effort to minimize human error and cut down on deployment time, we've been automating most of the Active Directory config through the use of security templates, registry scripting, etc.

Almost everything has gone smoothly, save for setting the values for the administrative templates to a significantly more secure configuration. According to MS, the Admin Templates in AD provide access to write the settings to the registry, which will in turn affect the appropriate software when it reads the keys. That works as advertised, and through some windiff work, it's possible to isolate the key associated with each function I'm trying to restrict, if it's not in the base list.

Unfortunately, it's proving to be a nightmare to automate. I'm looking at upwards of 400 config items, and there's no MS interface I can find that will allow me to script the configuration of the values for the Admin Templates. I've also tried to write directly to the registry but AD doesn't read up from it, so we then end up with gpedit listing one value and the registry listing another.

Has anyone managed to successfully automate the configuration of the AD Administrative Template values? It'll make things significantly easier when it comes to securing our installed product but it's looking like a tough battle at this point.

Regards,
Rob
--
Rob McComber, GSEC, MCSE
Security Architect
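One way to script the kind of bulk configuration asked about above, as an added example that is not part of the original message: it writes registry-based policy values into a GPO, rather than into a machine's local registry, and reads each one back from the GPO. It assumes the GroupPolicy PowerShell module that ships with later versions of the Group Policy Management tools; the GPO name and the three sample rows are constructed for illustration.

```powershell
# Added example. Assumes the GroupPolicy module (GPMC/RSAT) is installed and
# the account running it may create and edit GPOs in the domain.
Import-Module GroupPolicy

$GpoName = 'Baseline-AdminTemplates'   # hypothetical GPO name

# Constructed sample rows; the full list would come from a reviewed CSV file.
$Settings = @'
Key,ValueName,Type,Value
HKLM\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,DWord,0
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services,fDisableCdm,DWord,1
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop,ScreenSaverIsSecure,String,1
'@ | ConvertFrom-Csv

# Create the GPO on first run; later runs update it in place.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

# Accept only keys under the Policies branches, so a typo in the input
# cannot push an arbitrary registry value to every machine in scope.
$policyBranch = '^HK(LM|CU)\\Software\\(Microsoft\\Windows\\CurrentVersion\\)?Policies\\'

foreach ($s in $Settings) {
    if ($s.Key -notmatch $policyBranch) {
        Write-Warning "Skipped (not under a Policies branch): $($s.Key)"
        continue
    }

    # This sketch handles DWord and String only; CSV fields arrive as strings.
    $value = if ($s.Type -eq 'DWord') { [int]$s.Value } else { [string]$s.Value }

    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName `
        -Type $s.Type -Value $value | Out-Null

    # Read the value back from the GPO itself, not from the local registry,
    # and tolerate a trailing NUL on string values.
    $stored = Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName
    $got = ([string]$stored.Value).TrimEnd([char]0)
    if ($got -ne [string]$value) {
        Write-Error "Mismatch for $($s.Key)\$($s.ValueName): wanted '$value', GPO has '$got'"
    }
}
```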