How to Configure Local Security Policy and Security Templates on Windows Server 2025
Local Security Policy and security templates are foundational tools for establishing a consistent, auditable security baseline on Windows Server 2025 systems. Whether you are hardening a standalone server or applying a standardized configuration across an entire Active Directory domain, these mechanisms give administrators granular control over account lockout behavior, user rights assignments, security options, and audit policy. The Local Security Policy editor (secpol.msc) provides a graphical interface for individual machines, while secedit.exe extends this capability to the command line for scripted analysis and configuration. Security templates — portable .inf files that capture a security configuration snapshot — can be imported into Group Policy for consistent domain-wide enforcement. This guide covers all three layers: the GUI, the command-line tool, and template-based deployment.
Prerequisites
- Windows Server 2025 with local administrator rights (for local policy changes)
- Domain Admin rights if applying templates via Group Policy
- PowerShell 5.1 or later
- Group Policy Management Console (GPMC) installed (for domain-wide deployment)
- A test server or VM to validate policy changes before production rollout
- Familiarity with Windows security concepts: SID, ACL, user rights, and audit categories
Step 1: Explore Local Security Policy with secpol.msc
Launch the Local Security Policy editor from an elevated command prompt or PowerShell session:
# Open Local Security Policy editor (GUI)
Start-Process secpol.msc
# Or launch via Run dialog
# Win+R → secpol.msc → Enter
The editor is organized into the following main nodes:
- Account Policies: Password Policy (minimum length, complexity, history, max age) and Account Lockout Policy (threshold, duration, observation window).
- Local Policies:
  - Audit Policy: Which events to log (logon, object access, privilege use, process tracking).
  - User Rights Assignment: Which accounts can log on locally, access the computer from the network, shut down the system, manage audit logs, etc.
  - Security Options: Hundreds of machine-level security behaviors including NTLM authentication level, anonymous access restrictions, interactive logon messages, and SMB signing requirements.
- Windows Firewall with Advanced Security: Firewall profiles and rules also appear here as a sub-node.
- Software Restriction Policies / Application Control Policies: Rule-based application whitelisting.
- IP Security Policies: IPsec policy (legacy interface).
Step 2: Configure Key Security Options via PowerShell
Several important Security Options can be configured directly via the registry or secedit without using the GUI. The following examples cover the most impactful settings for a Windows Server 2025 baseline:
# --- Interactive logon: Message title and text for users attempting to log on ---
# These values display a legal notice before the logon prompt
$winlogonPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $winlogonPath -Name "LegalNoticeCaption" `
    -Value "AUTHORIZED USE ONLY"
Set-ItemProperty -Path $winlogonPath -Name "LegalNoticeText" `
    -Value "This system is for authorized personnel only. All activities are monitored and logged. Unauthorized access is prohibited and may be prosecuted."
# --- Network access: Do not allow anonymous enumeration of SAM accounts ---
$lsaPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Set-ItemProperty -Path $lsaPath -Name "RestrictAnonymousSAM" -Value 1 -Type DWord
# --- Network access: Do not allow anonymous enumeration of SAM accounts and shares ---
Set-ItemProperty -Path $lsaPath -Name "RestrictAnonymous" -Value 1 -Type DWord
# --- LAN Manager authentication level: NTLMv2 only, refuse LM and NTLM ---
# Value 5 = Send NTLMv2 response only. Refuse LM & NTLM
Set-ItemProperty -Path $lsaPath -Name "LmCompatibilityLevel" -Value 5 -Type DWord
# Verify the NTLM level
(Get-ItemProperty -Path $lsaPath -Name "LmCompatibilityLevel").LmCompatibilityLevel
# --- Rename the built-in Administrator account ---
# The "Accounts: Rename administrator account" policy has no registry value behind it;
# rename the account itself (Rename-LocalUser or net user) or set it in a security template.
# Locate the built-in Administrator by its well-known RID (500) rather than by name,
# because the account may already have been renamed
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID -like "*-500" }
$builtinAdmin | Select-Object Name, SID
# Rename by SID (requires elevation)
Rename-LocalUser -SID $builtinAdmin.SID -NewName "ServerAdmin2025"
Write-Host "Built-in Administrator account renamed."
Step 3: Use secedit.exe for Command-Line Security Management
secedit.exe is a powerful command-line tool that enables you to analyze, configure, and export security settings without the GUI. It works against a security database (.sdb) and security templates (.inf files).
# Initialize a new security database for this server
# The database persists the current applied baseline for comparison
secedit /configure /db C:\Windows\security\database\secedit.sdb /overwrite /quiet
# secedit does not create missing log or template directories, so create them first
New-Item -ItemType Directory -Path "C:\SecurityLogs", "C:\SecurityTemplates" -Force | Out-Null
# Analyze current security settings against the database
# This compares actual settings to the stored baseline and flags differences
secedit /analyze /db C:\Windows\security\database\secedit.sdb `
    /log C:\SecurityLogs\secedit-analysis.log /quiet
# View the analysis log to find mismatches (Select-String is case-insensitive by default)
Get-Content "C:\SecurityLogs\secedit-analysis.log" | Select-String "mismatch" -Context 2
# Export current security settings to an .inf template file
secedit /export /db C:\Windows\security\database\secedit.sdb `
    /cfg C:\SecurityTemplates\current-baseline.inf /quiet
# View the exported template
notepad C:\SecurityTemplates\current-baseline.inf
Step 4: Create a Custom Security Template (.inf File)
A security template is a plain-text .inf file organized into sections that correspond to policy areas. You can create or edit templates in a text editor and apply them with secedit or import them into a GPO.
# Create the output directory
New-Item -ItemType Directory -Path "C:\SecurityTemplates" -Force | Out-Null
# Write a custom security template
# A single-quoted here-string (@' ... '@) is required: in a double-quoted one
# PowerShell would expand "$CHICAGO$" as a variable and corrupt the signature line
$templateContent = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Password Policy
MinimumPasswordLength = 14
PasswordComplexity = 1
MaximumPasswordAge = 60
MinimumPasswordAge = 1
PasswordHistorySize = 24
; Account Lockout Policy
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
; Guest account disabled
EnableGuestAccount = 0
[Event Audit]
; 1 = Success, 2 = Failure, 3 = Success and Failure
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 3
AuditAccountLogon = 3
[Registry Values]
; Format is <registry path>=<type>,<value>; type 4 = REG_DWORD, type 1 = REG_SZ
; LAN Manager Authentication Level: NTLMv2 only
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
; Do not allow anonymous enumeration of SAM accounts
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
; Restrict anonymous access
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
; Require NTLMv2 session security (537395200 = 0x20080000)
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
; Legal notice caption and text
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption=1,"AUTHORIZED USE ONLY"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText=1,"This system is for authorized use only."
[Privilege Rights]
; Deny network logon to Guests (S-1-5-32-546) and Local account (S-1-5-113)
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-113
; Deny RDP logon to Guests
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
; Only Administrators (S-1-5-32-544) can shut down the system remotely
SeRemoteShutdownPrivilege = *S-1-5-32-544
'@
# Templates must be Unicode (UTF-16) encoded, matching the [Unicode] section
$templateContent | Out-File -FilePath "C:\SecurityTemplates\ws2025-baseline.inf" `
    -Encoding Unicode -Force
Write-Host "Security template written to C:\SecurityTemplates\ws2025-baseline.inf"
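The check a practitioner wants after Steps 3 and 4 is drift detection: the following added example (not part of the original guide) parses the exported current-baseline.inf and the desired ws2025-baseline.inf and reports which settings differ. The file paths and the sorting of Privilege Rights SID lists are assumptions of this example.

```powershell
# Added example, not from the original guide: parse two secedit .inf files and report
# drift between the desired baseline (Step 4) and an export of the live state (Step 3).
# Assumed paths are illustrative; the Privilege Rights normalisation is this example's own.
function ConvertFrom-SecurityTemplate {
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}          # "Section\Key" -> value; hashtable keys are case-insensitive
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }       # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $pos = $line.IndexOf('=')
        if ($pos -lt 1) { continue }                                    # malformed line
        $key   = $line.Substring(0, $pos).Trim()
        $value = $line.Substring($pos + 1).Trim()
        # Privilege lists are order-insensitive, so sort SIDs before comparing
        if ($section -eq 'Privilege Rights') {
            $value = (($value -split ',') | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
        }
        $settings["$section\$key"] = $value
    }
    return $settings
}

function Compare-SecurityTemplate {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        [Parameter(Mandatory)][string]$CurrentPath
    )
    $baseline = ConvertFrom-SecurityTemplate -Path $BaselinePath
    $current  = ConvertFrom-SecurityTemplate -Path $CurrentPath
    foreach ($entry in ($baseline.GetEnumerator() | Sort-Object Key)) {
        # [Unicode] and [Version] describe the file, not the machine
        if ($entry.Key -like 'Unicode\*' -or $entry.Key -like 'Version\*') { continue }
        $actual = $current[$entry.Key]
        if ($null -eq $actual)            { $state = 'NotConfigured' }
        elseif ($actual -eq $entry.Value) { $state = 'Match' }
        else                              { $state = 'Mismatch' }
        [pscustomobject]@{ Setting = $entry.Key; Expected = $entry.Value; Actual = $actual; State = $state }
    }
}

# Usage: show only settings that differ from the baseline (run after secedit /export)
$drift = Compare-SecurityTemplate -BaselinePath 'C:\SecurityTemplates\ws2025-baseline.inf' `
                                  -CurrentPath  'C:\SecurityTemplates\current-baseline.inf' |
         Where-Object { $_.State -ne 'Match' }
$drift | Format-Table -AutoSize
if ($drift) { Write-Warning "$(@($drift).Count) setting(s) have drifted from the baseline." }
```

A NotConfigured result means the exported file has no entry for that key at all, which is worth treating as drift rather than ignoring.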
Step 5: Apply a Security Template Using secedit
# Apply the custom template to the local machine
secedit /configure `
    /db C:\Windows\security\database\ws2025-custom.sdb `
    /cfg C:\SecurityTemplates\ws2025-baseline.inf `
    /overwrite `
    /log C:\SecurityLogs\secedit-apply.log `
    /quiet
if ($LASTEXITCODE -eq 0) {
    Write-Host "Security template applied successfully." -ForegroundColor Green
} else {
    Write-Host "secedit returned exit code $LASTEXITCODE. Review log for details." -ForegroundColor Red
    Get-Content "C:\SecurityLogs\secedit-apply.log" | Select-String "Error" -Context 2
}
# Force a Group Policy refresh to propagate any domain settings
gpupdate /force
Step 6: Import a Security Template via Group Policy
To apply a security template to multiple servers through GPO, import the .inf file into a GPO’s Security Settings node. This is the recommended approach for domain environments.
# The GroupPolicy and ActiveDirectory modules ship with the GPMC / RSAT features
Import-Module GroupPolicy, ActiveDirectory
# Create a new GPO for the baseline
$gpoName = "WS2025-Security-Baseline"
$domain = (Get-ADDomain).DNSRoot
$targetOU = "OU=Servers,DC=corp,DC=example,DC=com"
New-GPO -Name $gpoName -Domain $domain -Comment "Windows Server 2025 security baseline"
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes
# The .inf file import is performed in the Group Policy Management Editor:
# Right-click Security Settings → Import Policy → select ws2025-baseline.inf
# This cannot be fully automated via PowerShell alone — use the GUI import step
# or use the Security Compliance Toolkit (SCT) for automated GPO baseline import
Write-Host "GPO '$gpoName' created and linked to $targetOU"
Write-Host "Import the .inf template via GPME: Computer Config > Security Settings > right-click > Import Policy"
Conclusion
Local Security Policy, secedit.exe, and security templates together form a comprehensive, scriptable framework for establishing and maintaining consistent security baselines on Windows Server 2025 systems. By combining the secpol.msc GUI for interactive exploration, secedit for automated analysis and configuration, and .inf template files for portable policy definitions, administrators can implement NIST, CIS Benchmark, or organization-specific security standards with confidence. Integrating these templates into Group Policy ensures that every server in the domain boots into a known-good security state, and periodic secedit /analyze runs can quickly identify configuration drift before it becomes a security incident. Always test templates in a non-production environment and review the analysis log carefully before applying changes to production servers.