Lesson 4: Security Configuration Tools

Windows 2000 provides a set of security configuration tools that are designed to reduce the costs associated with security configuration and analysis of Windows 2000 networks. These tools are the Microsoft Management Console (MMC) snap-ins that allow you to configure Windows 2000 security settings and perform periodic analyses of the system to ensure that the configuration remains intact or to make necessary changes over time. Security settings include security policies (account and local policies), access control (services, files, and the registry), event logs, group membership (restricted groups), IPSec security policies, and public key policies. The security configuration tools include three snap-ins: the Security Configuration And Analysis snap-in, the Security Templates snap-in, and the Group Policy snap-in.


After this lesson, you will be able to

  • Understand how the security configuration tools are used to configure security settings and analyze system security in your Windows 2000 network

Estimated lesson time: 30 minutes


Security Configuration And Analysis Snap-In

The Security Configuration And Analysis snap-in allows you to configure and analyze local system security.

Security Configuration

The Security Configuration And Analysis snap-in can also be used to directly configure local system security. You can import security templates created with the Security Templates snap-in and apply these templates to the group policy object (GPO) for the local computer. This immediately configures the system security with the levels specified in the template.

Security Analysis

The state of the operating system and applications on a computer is dynamic. For example, security levels may be required to change temporarily to enable immediate resolution of an administration or network issue; this change can often go unreversed. This means that a computer may no longer meet the requirements for enterprise security.

Regular analysis enables an administrator to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. Analysis is highly specific; the results provide information about all security-related aspects of the system. This enables an administrator to tune the security levels and, most important, to detect any security flaws that may occur in the system over time.

The Security Configuration And Analysis snap-in enables quick review of security analysis results. Recommendations are presented along with current system settings, and icons or remarks are used to highlight any areas where current settings do not match the proposed level of security. The Security Configuration And Analysis snap-in also allows you to resolve any discrepancies revealed by analysis.

If frequent analysis of a large number of computers is required, as in a domain-based infrastructure, the Secedit command-line tool may be used as a method of batch analysis. However, analysis results still must be viewed by using the Security Configuration And Analysis snap-in. For more information about the Secedit utility, see Windows 2000 Help.

Using the Security Configuration And Analysis Snap-In

The Security Configuration And Analysis snap-in (Figure 27.16) reviews and analyzes your system security settings and recommends modifications to the current system settings. Administrators can use the snap-in to adjust the security policy and detect security flaws that arise in the system.

Figure 27.16 Security Configuration And Analysis snap-in

The Security Configuration And Analysis snap-in allows you to perform a variety of tasks. They are:

  • Set a working database
  • Import a security template
  • Analyze system security
  • Review security analysis results
  • Configure system security
  • Edit the base security configuration
  • Export a security template

For details about how to perform each of these tasks, see Windows 2000 Help.

Security Templates Snap-In

A security template is a physical representation of a security configuration; it is a file where a group of security settings may be stored. Windows 2000 includes a set of security templates. Each template is based on the role of a computer. The templates range from security settings for low security domain clients to highly secure domain controllers. They can be used as provided, be modified, or serve as a basis for creating custom security templates.

Using the Security Templates Snap-In

The Security Templates snap-in (Figure 27.17) is a tool for creating and assigning security templates for one or more computers.

Figure 27.17 Security Templates snap-in

A security template is a physical file representation of a security configuration, and can be applied to a local computer or imported to a GPO in the Active Directory service. When you import a security template to a GPO, Group Policy processes the template and makes the corresponding changes to the members of that GPO, which may be users or computers.

The Security Templates snap-in allows you to perform a variety of tasks:

  • Customize a predefined security template
  • Define a security template
  • Delete a security template
  • Refresh the security template list
  • Set a description for a security template

Practice: Creating and Using the Security Configuration And Analysis Snap-In

In this practice you create a custom console containing the Security Configuration And Analysis snap-in and the Security Templates snap-in. Next, you customize a template and open a new database using the custom template. You then analyze the security settings of Server01 against the template and apply the template's configuration to the security settings of Server01. Complete this practice on Server01.

Exercise 1: Creating a Security Configuration And Analysis Snap-In

You run the MMC and add the Security Configuration And Analysis snap-in. MMC version 1.2, which is included with Windows 2000, allows you to add multiple snap-ins to an existing console. For the purpose of clarity, in this practice you create a new console rather than adding to an existing console running other snap-ins.

  1. Log on to Server01 as administrator with a password of password.
  2. Click Start and then click Run.

    The Run dialog box appears.

  3. In the Open text box, type mmc and then click OK.

    An empty MMC console named Console1 opens.

  4. Click the Console menu and then click Add/Remove Snap-in.

    The Add/Remove Snap-in dialog box appears.

  5. Click the Add button.

    The Add Standalone snap-in window appears.

  6. Scroll down and click Security Configuration And Analysis and then click the Add button.
  7. Click Close.

    The Add/Remove Snap-in dialog box appears.

  8. Click OK.
  9. Click the Console menu and then click Save.

    The Save As dialog box appears.

  10. In the File Name text box, type Security and then click Save.

Exercise 2: Adding the Security Templates Snap-In to the Security Console and Configuring Security

Before analyzing Server01 and applying new security settings, you add the Security Templates snap-in to the Security console.

  1. Click the Console menu, and then choose Add/Remove Snap-in.

    The Add/Remove Snap-in dialog box appears.

  2. Click the Add button.

    The Add Standalone Snap-in window appears.

  3. Scroll down and click Security Templates, and then click the Add button.
  4. Click Close.

    The Add/Remove Snap-in dialog box appears.

  5. Click OK.
  6. Click the Console menu and then click Save.
  7. Expand the Security Templates node, and then expand the C:\WINNT\Security\Templates folder.

    All of the defined templates appear in the console tree and in the details pane.

  8. Expand the securedc node.

    This is an incremental security template usually used after a basic security template is applied. For the purpose of this exercise, this template is sufficient.

  9. Expand the Account Policies node, and then click Password Policy.

    Password policy settings appear in the details pane.

  10. In the details pane, double-click Minimum Password Length.

    The Template Security Policy Setting dialog box appears.

  11. In the Password Must Be At Least box, change the value to 5 characters and then click OK.
  12. In the console tree, click securedc.
  13. Click the Action menu, and then click Save As.

    The Save As window appears.

  14. In the File Name text box, type customdc and then click Save.
  15. In the console tree, click customdc.
  16. Click the Action menu and click Set Description.

    The Security Template Description box appears.

  17. In the Description box, type Custom Security Template for Training and click OK.
  18. In the console tree, click the C:\WINNT\Security\Templates folder.

    Notice in the details pane that customdc now has a description associated with it.

  19. Read the other template descriptions to familiarize yourself with the templates included with Windows 2000 Server.

Exercise 3: Creating a New Security Database

In this exercise you create a new security database.

  1. In the console tree, click Security Configuration And Analysis and read the text in the details pane.
  2. Click the Action menu, and then click Open Database.

    The Open Database dialog box appears.

  3. In the File Name text box, type training and then click Open.

    The Import Template dialog box appears.

  4. Click customdc.inf, and then click Open.

    This is the custom template you created in Exercise 2.

Exercise 4: Analyzing Current Security Settings

In this exercise you analyze the current settings of Server01 against the custom template you created in Exercise 2.

  1. In the console tree, verify that the Security Configuration And Analysis node is selected.
  2. Click the Action menu and then click Analyze Computer Now.

    The Perform Analysis dialog box appears and shows the path and name of the error log as C:\Documents and Settings\Administrator\Local Settings\Temp\training.log.

  3. Click OK.

    The Analyzing System Security status box appears as various aspects of Server01's security configuration are checked against the template.

  4. When the analysis is complete, expand the Security Configuration And Analysis node.
  5. Expand the Account Policies node, and then click the Password Policy node.

    In the details pane, both template settings and the computer's settings are displayed for each policy. Discrepancies appear with a red circle with a white "X" in the center. Consistencies appear with a white circle and a green check mark in the center. If there is no flag or check mark, the security setting is not specified in the template.

  6. In the console tree, click the Security Configuration And Analysis node.
  7. Click the Action menu and then click Configure Computer Now.

    The Configure System dialog box appears.

  8. Click OK.
  9. Click the Action menu and then click Analyze Computer Now.

    The Perform Analysis dialog box appears.

  10. Click OK.
  11. Review the policy settings to verify that the Database Settings column is equivalent to the Computer Setting column.
  12. Close the Security snap-in.

    The Microsoft Management Console message box appears.

  13. Click Yes.
  14. If a Save Security Templates window appears, click Yes.
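
The template-versus-computer comparison described under Security Analysis and carried out in Exercise 4, as an added example that is not part of the original lesson: it parses the [System Access] section of two INF files and classifies each setting the way the snap-in's details pane does. The INF text below is constructed sample data, and the computer-side text is assumed to be an INF export of the machine's settings (for instance from secedit /export); real template files are typically UTF-16 encoded and must be read with that encoding.

```python
import configparser

# Constructed sample: excerpt of a customized template such as customdc.inf,
# with the minimum password length set to 5 as in Exercise 2.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 5
PasswordComplexity = 1
LockoutBadCount = 5
"""

# Constructed sample: the computer's effective settings in the same INF layout.
COMPUTER_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LockoutBadCount = 0
MaximumPasswordAge = 42
"""

def parse_inf(text):
    """Parse security-template INF text into {section: {setting: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True, delimiters=("=",))
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def analyze(template_text, computer_text, section="System Access"):
    """Return {setting: (status, template_value, computer_value)}."""
    template = parse_inf(template_text).get(section, {})
    computer = parse_inf(computer_text).get(section, {})
    results = {}
    for key in sorted(set(template) | set(computer)):
        if key not in template:
            status = "not defined"  # no icon: the template is silent on this
        elif computer.get(key) == template[key]:
            status = "match"        # green check mark in the snap-in
        else:
            status = "MISMATCH"     # red X: computer differs from template
        results[key] = (status, template.get(key), computer.get(key))
    return results

if __name__ == "__main__":
    for key, (status, want, have) in analyze(TEMPLATE_INF, COMPUTER_INF).items():
        print(f"{status:12} {key}: template={want} computer={have}")
```
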

Group Policy Snap-In

Security settings define the security-relevant behavior of the system. Through the use of GPOs in Active Directory services, administrators can centrally apply the security levels required to protect enterprise systems.

When determining settings for a GPO that contains multiple computers, the organizational and functional character of that given site, domain, or organizational unit (OU) must be considered. For example, the security levels necessary for an OU containing computers in a sales department would be very different from that for an OU containing finance department computers.

The Group Policy snap-in allows you to configure security centrally in the Active Directory store. A Security Settings folder is located on the Computer Configuration node and the User Configuration node. The security settings allow Group Policy administrators to set policies that can restrict user access to files and folders, set how many incorrect passwords a user can enter before the user is locked out, and control user rights, such as which users are able to log on at a domain server.

Lesson Summary

Windows 2000 provides a set of security configuration tools that allow you to configure Windows 2000 security settings and perform periodic analyses of the system to ensure that the configuration remains intact or to make necessary changes over time. The Security Configuration And Analysis snap-in allows you to configure and analyze local system security. It reviews and analyzes your system security settings and recommends modifications to the current system settings. The Security Templates snap-in allows you to create and assign security templates for one or more computers. The Group Policy snap-in allows you to configure security centrally in the Active Directory store.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
