Assessing Security Configuration

Windows 2000 and Windows XP allow you to define security configuration settings in security templates. These templates contain security configuration settings for a computer account, either by applying the security template settings to the local computer directly or by importing them into a Group Policy object (GPO). Importing the security template into a GPO linked to the OU where the computer account is located ensures consistent application of security template settings to all computers affected by the GPO.

Security templates applied by using a GPO can be affected by other GPOs and the local security policy applied to the computer account. Local policies and GPOs are processed in the following order:

  1. Any local security policies defined for the local computer.

  2. Any GPOs defined for the site where the computer is located.

  3. Any GPOs defined for the domain in which the computer account exists.

  4. Any GPOs defined in the OU in which the computer account exists. GPOs are applied in order down the OU structure, with the GPOs linked to the OU that contains the computer account applied last.

If multiple GPOs are defined at a Group Policy container, GPOs are applied based on their order in the site's Group Policy tab. The GPO at the top of the list is applied last, ensuring that if conflicts exist, the GPO at the top takes precedence.

In addition to the default Group Policy inheritance model, the Resultant Set of Policies (RSoP), that is, the effective policies applied to the computer or user after all local policies and group policies are applied, can be affected by the No Override and Block Policy Inheritance settings at the Group Policy container.

To determine whether the security policy matches the security template, you can use one of two tools to analyze the computer's security configuration:

  • The Security Configuration and Analysis console

  • The Secedit command-line utility

The Security Configuration and Analysis Console

You can use the Security Configuration and Analysis console to determine whether the RSoPs applied to a computer differ from those defined in a security template.

When performing a security analysis, you import the security settings defined in one or more security templates into an analysis database. When you import the security templates, you can merge the template settings and create a composite security template. The order in which you import the security templates is important. As with GPOs, the settings of the last imported security template take precedence if settings in different security templates conflict.

For information on creating custom security templates to enforce security settings, see Chapter 11, Configuring Security Templates.

To analyze current security settings of a local computer by using the Security Configuration and Analysis console, follow these steps:

  1. Open a blank MMC and add the Security Configuration and Analysis console.

  2. In the console tree, right-click Security Configuration And Analysis and click Open Database.

  3. In Open Database, create a new database by entering a name in the File Name field. Then click Open.

  4. In the Import Template window, select the security template that defines the required settings for the computer and click Open.

  5. In the details pane, right-click Security Configuration And Analysis and click Analyze Computer Now.

  6. When prompted for the error log file path, click OK to create the log file in the default location.

When the analysis is complete, the Security Configuration and Analysis console displays the results, as shown in Figure 24-1.

Figure 24-1. Analysis results of the Security Configuration and Analysis console

The console uses the icons shown in Table 24-1 to describe how well the security template settings are enforced at the analyzed computer.

Table 24-1. Using the Output of the Security Configuration and Analysis Console

Icon                Description
Red X               The entry is defined in the analysis database and on the system, but the security setting values do not match.
Green check         The entry is defined in the analysis database and on the system, and the setting values match.
Question mark       The entry is not defined in the analysis database and therefore is not analyzed. This occurs when a setting is not defined in the analysis database or when the user running the analysis does not have sufficient permissions.
Exclamation point   This item is defined in the analysis database but does not exist on the actual system.
No highlight        The item is not defined in the analysis database or on the system.

A red X does not necessarily indicate a security configuration weakness. The actual system can be configured more securely than the security level indicated by the settings of the security template. For example, in Figure 24-1, the Enforce Password History setting indicates a mismatch between the security template and the actual computer configuration. In the security template, no passwords are kept in the password history, whereas the computer's current configuration does not allow a password to be reused when a user must change his password.
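The comparison the console performs, as an added example that is not code from the book or from Microsoft's tools: it parses two constructed secedit-style INF fragments (the template loaded into the analysis database and the computer's current settings, in the layout secedit /export writes; both samples and the "higher is stricter" set are assumptions) and labels each setting with the Table 24-1 outcome, including the Figure 24-1 case where a red X means the computer is stricter than the template.

```python
import configparser
# Constructed sample: the security template imported into the analysis database.
TEMPLATE_INF = """
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordHistorySize = 0
ClearTextPassword = 0
"""
# Constructed sample: the computer's effective settings, in the layout secedit /export writes.
CURRENT_INF = """
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordHistorySize = 24
LockoutBadCount = 5
"""
# Assumption used only for the hint: for these settings a larger value is the stricter one.
HIGHER_IS_STRICTER = {"PasswordHistorySize", "MinimumPasswordLength"}


def parse_inf(text):
    """Return {section: {key: value}} from a secedit-style INF fragment."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (PasswordHistorySize, not passwordhistorysize)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def analyze(template, current, section="System Access"):
    """Classify every setting the way Table 24-1 describes the console icons."""
    tmpl, cur = template.get(section, {}), current.get(section, {})
    results = {}
    for key in sorted(set(tmpl) | set(cur)):
        if key not in tmpl:
            results[key] = "not analyzed"        # question mark: not in the analysis database
        elif key not in cur:
            results[key] = "missing on system"   # exclamation point
        elif tmpl[key] == cur[key]:
            results[key] = "match"               # green check
        elif key in HIGHER_IS_STRICTER and int(cur[key]) > int(tmpl[key]):
            results[key] = "mismatch (system stricter)"  # red X, but not a weakness
        else:
            results[key] = "mismatch"            # red X: template and system differ
    return results


if __name__ == "__main__":
    for key, verdict in analyze(parse_inf(TEMPLATE_INF), parse_inf(CURRENT_INF)).items():
        print(f"{key:22} {verdict}")
```

Here MaximumPasswordAge is a red X where the system is weaker than the template (90 days versus 42), while PasswordHistorySize is a red X where it is stricter, which is the distinction the paragraph above draws.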

The Secedit.exe Command-Line Utility

The Secedit.exe utility includes all the analysis functionality of the Security Configuration and Analysis console. To use the Secedit utility to analyze whether a computer implements the security settings defined in a security template, use the following syntax:

secedit /analyze /db DBFileName /cfg SecurityTemplate /log LogPath /verbose

This command consists of the following parts:

  • /analyze

    Indicates that Secedit will compare the current security settings of the local computer against the security settings defined in SecurityTemplate.

  • /db DBFileName

    Determines the analysis database file into which the SecurityTemplate settings are imported. You must indicate the full path to the security analysis database.

  • /cfg SecurityTemplate

    Indicates one or more security template files to import into the security analysis database. You must indicate the full path to the security template file or files. This option is not required if the security analysis database exists and the desired security template is already imported.

  • /log LogPath

    Provides the path to the folder where the log file is generated for security analysis.

  • /verbose

    Enables verbose output during the security analysis.

Once the Secedit command completes, you can view the results in the Security Configuration and Analysis console by opening the database file that was referenced in the Secedit command.


Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189