Security Configuration and Analysis is a tool that enables you to configure security, analyze security, view results, and resolve any discrepancies revealed by analysis. This tool is located on the Security Configuration and Analysis console. This lesson shows you how to use the Security Configuration and Analysis console.
After this lesson, you will be able to
Estimated lesson time: 25 minutes
The Security Configuration and Analysis console uses a database to perform configuration and analysis functions. The security configuration and analysis database is a computer-specific data store. The database architecture allows the use of personal databases, security template import and export, and the combination of multiple security templates into one composite security template that can be used for analysis or configuration. New security templates can be incrementally added to the database to create a composite security template; overwriting a template is also an option. You can also create personal databases for storing your own customized security templates.
The Security Configuration and Analysis console can be used to configure local system security. By using personal databases, you can import security templates created with the Security Templates console and apply these templates to the GPO for the local computer. This immediately configures the system security with the levels specified in the template.
The state of the operating system and applications on a computer is dynamic. For example, security levels may occasionally need to change temporarily to enable immediate resolution of an administration or network issue. Once the issue is resolved, the temporary change may be left in place rather than reversed. This means that a computer may no longer meet the requirements for enterprise security.
The Security Configuration and Analysis console allows administrators to perform a quick security analysis. In the analysis, recommendations are presented alongside current system settings, and icons or remarks are used to highlight any areas where the current settings do not match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies revealed by analysis.
Regular analysis enables an administrator to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. The analysis is highly specific, and the results provide information about all security-related aspects of the system. This enables an administrator to tune the security levels and, most importantly, to detect any security flaws that may occur in the system over time.
The following is the sequence of tasks required to use Security Configuration and Analysis:
The Security Configuration and Analysis console is the main interface to the Security Configuration and Analysis tool.
Follow these steps to access the Security Configuration and Analysis console:
The console appears on the Administrative Tools menu.
The Security Configuration and Analysis console uses a database to perform configuration and analysis functions. Before you can configure or analyze security you must determine the working security database to use.
Follow these steps to set a working security database:
Figure 21.16 The Security Configuration and Analysis console
This database is now the working security database.
In Lesson 5, "Using Security Templates," you learned to import a security template directly into a GPO. In this lesson you import a security template into the security database used in the Security Configuration and Analysis console.
You can merge several different templates into one composite template, which can then be used for analysis or configuration of a system, by importing each template into a working database. The database merges the various templates to create one composite template, resolving conflicts in order of import; the last one imported takes precedence when there is contention. The templates are not merged into a composite template (stored configuration) only if you choose to overwrite. Once the templates are imported to the selected database, you can analyze or configure the system.
Follow these steps to import a security template into a security database:
NOTE
If you want to replace the template rather than merge it into the stored template, click the Clear This Database Before Importing check box in the Import Template dialog box.
Security Configuration and Analysis performs security analysis by comparing the current state of system security against a security template that you have imported to a personal database. This template is the database configuration, and it is the template that contains your preferred or recommended security settings for that system.
Security Configuration and Analysis queries the system's security settings for all security areas in the database configuration. Values found are compared to the database configuration. If the current system settings match the database configuration settings, they are assumed to be correct. If not, the policies in question are displayed as potential problems that need investigation.
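The merge-on-import rule and the database-versus-computer comparison described above can be modeled in a few lines. This is an added example, not code from the lesson or from the tool itself: the function names are hypothetical, the three INF snippets are constructed samples, and treating computer settings that are absent from the database as outside the comparison is an assumption of this model.

```python
import configparser

# Constructed sample templates in security-template INF syntax (illustrative values).
BASELINE_INF = "[System Access]\nMinimumPasswordLength = 7\nPasswordHistorySize = 12\n"
STRICT_INF = "[System Access]\nMinimumPasswordLength = 8\nLockoutBadCount = 5\n"
# Constructed stand-in for the settings currently in effect on the computer.
COMPUTER_INF = ("[System Access]\nMinimumPasswordLength = 0\n"
                "PasswordHistorySize = 12\nMaximumPasswordAge = 42\n")


def parse_template(text):
    """Return {(section, policy): value} for one template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep policy names exactly as written
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp[s].items()}


def import_template(database, text, clear_first=False):
    """Model an import: merge into the database, the later import wins on conflict."""
    merged = {} if clear_first else dict(database)  # clear_first models the overwrite option
    merged.update(parse_template(text))
    return merged


def analyze(database, computer):
    """Compare every database setting with the computer setting."""
    report = {}
    for key, wanted in sorted(database.items()):
        actual = computer.get(key)
        if actual is None:
            status = "not defined on computer"
        elif actual == wanted:
            status = "match"
        else:
            status = "mismatch"
        report[key] = (status, wanted, actual)
    # Assumption: settings absent from the database are outside the comparison.
    not_analyzed = sorted(set(computer) - set(database))
    return report, not_analyzed


if __name__ == "__main__":
    db = import_template({}, BASELINE_INF)
    db = import_template(db, STRICT_INF)  # imported last, so it wins on conflict
    report, skipped = analyze(db, parse_template(COMPUTER_INF))
    for (section, policy), (status, wanted, actual) in report.items():
        print(f"{policy:24} database={wanted:4} computer={actual} -> {status}")
    print("not analyzed:", [policy for _, policy in skipped])
```

Passing `clear_first=True` models the Clear This Database Before Importing check box: the stored configuration is replaced instead of merged.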
Follow these steps to analyze system security:
The different security areas are displayed as they are analyzed. Once this is complete, you can check the log file or review the results.
NOTE
To check the log file, right-click Security Configuration And Analysis, and then click View Log File.
The Security Configuration and Analysis console displays the analysis results organized by security area with visual flags to indicate problems. For each security policy in the security area, the current database and computer configuration settings are displayed.
Follow these steps to view security analysis results:
Figure 21.17 Analysis results for Password Policy
Security Configuration and Analysis enables you to resolve any discrepancies revealed by analysis, including the following:
You can repeat the import process and load multiple templates. The database merges the various templates to create one composite template, resolving conflicts in order of import; the last one imported takes precedence when there is contention. Once the templates are imported to the database, you can choose Configure System Now to apply the stored template (database configuration) to the system.
IMPORTANT
These changes are made to the stored template in the database, not to the security template file. The security template file is only modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
Using the Security Configuration and Analysis console is not recommended when you are analyzing security for domain-based clients, as you would have to go to each client individually. In this case, you should return to the Security Templates console, modify the template, and reapply it to the appropriate GPO.
Follow these steps to configure system security:
The different security areas are displayed as they are configured. Once this is complete, you can check the log file or analyze system security and view the results.
Follow these steps to edit the database security configuration:
Follow these steps to view security configuration results:
The export feature provides the ability to save a security database configuration as a new template file that can be imported into other databases, used as is to analyze or configure a system, or even redefined with the Security Templates console.
To export security database settings to a security template
In this practice you access the Security Configuration and Analysis console, set a working security database, analyze system security, and then view the results.
In this exercise you access the Security Configuration and Analysis console, the main interface to the Security Configuration and Analysis tool.
To access the Security Configuration and Analysis console
The console appears on the Administrative Tools menu.
In this exercise you determine the working security database to use.
To set a working security database
The new database is now the working security database, and it contains the securedc security template.
In this exercise you analyze system security, comparing the settings in the security template securedc with the security settings currently running on your system.
To analyze system security
The different security areas are displayed as they are analyzed.
In this exercise you view the security analysis results.
To view security analysis results
In the details pane, what is indicated in the Policy column? In the Database Setting column? In the Computer Setting column?
In the Policy column, what does the red X indicate? What does the green check mark indicate?
In this lesson you learned how the Security Configuration and Analysis console uses a database to perform configuration and analysis functions.
You learned that when you configure system security using the Security Configuration and Analysis console, changes are made to the stored template in the database, not to the security template file. The security template file is only modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
You also learned that Security Configuration and Analysis performs security analysis by comparing the current state of system security against a security template that you have imported to a personal database. This template is the database configuration, and it is the template that contains your preferred or recommended security settings for that system.
In the practice portion of this lesson you accessed the Security Configuration and Analysis console, set a working security database, analyzed system security, and then viewed the results.