Before deploying security templates, you need to compare a target computer's current security settings to the desired settings configured in the security template for that class of computer.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
Once you've created your security template, it's valuable to compare the current security settings of a Windows 2000–based computer to the security template to determine how the current configuration differs from the desired configuration.
This comparison ensures that the template meets all security requirements. If the Security Configuration And Analysis console indicates that the current security matches the tested baseline and there are still security issues, further work is required on the template design.
Comparing current security to desired security helps you identify
You use the Security Configuration And Analysis console to analyze a computer's current security settings against a security template. The console indicates whether a Windows 2000–based computer's current security configuration matches the defined configuration in the security template. To perform the analysis, complete the following steps:
Figure 8.5 Performing an analysis of current security against a security template
Figure 8.6 Reviewing the analysis of current security against a security template
The only time it's recommended to apply the security template at this point is when the computer being analyzed is in a workgroup or non–Windows 2000 network environment. In an Active Directory environment, it's better to import the security template into Group Policy to ensure the security template's continued application.
Automating the Continued Analysis of a Security Template
While the Security Configuration And Analysis console does allow one-time analysis of your computer's configuration compared to a security template, it doesn't allow for long-term analysis. You can perform long-term analysis by using the Secedit command line tool with the /ANALYZE option.
The syntax of the secedit command line is:
SECEDIT /ANALYZE [/DB filename ] [/CFG filename ] [/LOG logpath] [/VERBOSE]
- /DB filename provides the path to the database file that contains the stored configuration from the desired security template indicated in the /CFG option.
- /CFG filename provides the path to the security template that's imported into the database for analysis. If this option isn't provided, it's assumed that a security template has already been imported in the indicated database.
- /LOG logpath provides the path that's used to log the reports of the analysis.
- /VERBOSE indicates that the log file contains more detailed progress information than regularly recorded.
By creating a batch file that contains your preconfigured Secedit command line, you can use the Scheduled Tasks program in the Control Panel to provide automated analysis of the security configuration of select computers, as shown in Figure 8.7.
Figure 8.7 Adding the Secedit batch file to Scheduled Tasks
You can collect the Secedit log files by using Microsoft Systems Management Server (SMS) and then search for the phrase "Mismatch." Mismatch indicates that the current configuration of a computer doesn't match the security template.
When determining whether a computer matches the security template, include the following in your security design:
A mismatch doesn't indicate weaker security configuration. It only indicates that the current configuration doesn't match the setting in the security template. It's up to you to determine whether the mismatch has strengthened or weakened security. For example, if the template requires a minimum password length of six characters and your DCs are configured to require eight, is this a weakness? No, it's simply a longer minimum password length.
Market Florist must ensure that any custom security templates meet security requirements. There are a few ways that Market Florist can accomplish this. The easiest would be to create a test OU structure within the marketflorist.tld domain and apply the security templates to OUs within this structure, as shown in Figure 8.8.
Figure 8.8 Developing an OU structure for testing security templates
To test the application of the Security Templates, you can define a Group Policy object (GPO) at each of the sub-OUs. You can import the security template associated with the sub-OU into the Group Policy object to apply the security template settings. Finally, you can move a computer to the OU to verify the security template settings.
For all of the Windows 2000–based computers, you can accomplish ongoing analysis of the security template application by running a batch file in the computer's startup script that runs Secedit with the /ANALYZE parameter. For example, the startup script for laptop computers could include the following line:
SECEDIT /ANALYZE [/DB Security.sdb ] [/CFG Laptop.inf ] [/LOG c:\Sectemp.log] [/VERBOSE]
Finally, you can use a product such as SMS to collect the c:\Sectemp.log files from each computer. You can examine these log files for the word Mismatch. If you find it, the effective security on the laptop computer doesn't match the security defined in the Laptop.inf security template.
Analyzing a Windows 2000–based computer current security configuration against the recommended settings in a security template allows you to determine how well security is configured on the Windows 2000–based computer. Scheduling regular analysis of security configuration will help prevent security weaknesses created by a user of the network modifying security configuration. Ongoing analysis will help in detecting the security configuration change before security weaknesses can be exploited.