Caution

The “Setup Security.inf” and “DC Security.inf” templates contain a large number
of settings, and in particular a long list of file system permission assignments. For this reason,
you should not apply these templates to a computer using group policies. Computers
running Microsoft Windows operating systems periodically refresh group policy settings by
accessing the GPOs on the network’s domain controllers, and a template of this size can generate
a great deal of Active Directory traffic on the network. Instead of using group policies,
you should apply the template using the Security Configuration And Analysis snap-in or the
Secedit.exe utility.

The Compatws.inf template is not intended for domain controllers, so you should
not apply it to the default domain GPO or the Domain Controllers container’s GPO.

Securedc.inf
This template contains policy settings that increase the security on a
domain controller to a level that remains compatible with most functions and
applications. The template includes more stringent account policies, enhanced
auditing policies and security options, and increased restrictions for anonymous
users and LanManager systems.
Securews.inf
This template contains policy settings that increase the security on a
workstation or member server to a level that remains compatible with most functions
and applications. The template includes many of the same account and local
policy settings as Securedc.inf, and implements digitally signed communications
and greater anonymous user restrictions.

Hisecdc.inf
This template contains policy settings that provide an even greater
degree of security for domain controllers than the Securedc.inf template. Applying
this template causes the computer to require digitally-signed communications and
encrypted secure channel communications, instead of just requesting it, as
Securedc.inf does.

Hisecws.inf
This template contains policy settings that provide higher security than
Securews.inf on a workstation or member server. In addition to many of the same
settings as Hisecdc.inf, the template remove all members from the Power Users
group and makes the Domain Admins group and the local Administrator account
the only members of the local Administrators group.

Tip
The Securedc.inf, Securews.inf, Hisecdc.inf, and Hisecws.inf templates are all
designed to build on the default Windows security settings, and do not themselves contain
those default settings. If you have modified the security configuration of a computer substantially,
you should first apply the “Setup Security.inf” template (and the “DC Security.inf” template
as well, for domain controllers) before applying one of the secure or highly secure
templates.

Rootsec.inf
This template contains only the default file system permissions for the
system drive on a computer running Windows Server 2003. You can use this template
to restore the default permissions to a system drive that you have changed,
or to apply the system drive permissions to the computer’s other drives.
Tip
If you want to make changes to any of the policies in the pre-defined templates, it is a
good idea to make a backup copy of the template file first, to preserve its original configuration.
You can copy a template by simply copying and pasting the file in the normal manner
using Microsoft Windows Explorer, or you can use the Security Templates snap-in by selecting
a template and, from the Action menu, choosing Save As and supplying a new file name.