Security Configuration Tool Set


As we saw in the previous section, local policies can be exported and copied to other computers. However, trying to maintain a single policy across multiple standalone computers could potentially be a support nightmare. Fortunately, Microsoft has supplied some tools with the Security Configuration Tool Set to assist with this type of scenario. In the next few sections you will cover some of the items Microsoft provides in this set.

Security Templates

Microsoft has supplied 12 preconfigured security templates with Windows 2000 Server. These sample templates are located in the %systemroot%\security\templates folder. The supplied templates cover a variety of scenarios, from a basic low-security workstation to a high-security domain controller. The templates can be applied as-is using the Import Policy option from the Local Security Settings MMC, as discussed in the previous section. Alternatively, the individual settings of a template can be copied, pasted, or merged with other templates.

The security templates are supplied for four different security levels:

  • Basic: These templates contain the equivalent security settings of a fresh Windows 2000 installation. They are useful for returning a Windows 2000 installation back to the default settings.

  • Compatible: This template sets the security level of a Windows 2000 computer to the equivalent of a Windows NT 4.0 computer. This is useful for running legacy applications that cannot run under the tighter security settings in Windows 2000.

  • Secure: This template has more restrictive settings for password policy, auditing, and Registry access. In addition, it removes all users from the Power Users group.

  • Highly Secure: This template can only be used in a pure Windows 2000 environment. Because of the secure settings, it will be unable to talk to any downlevel systems. All network communications will be digitally signed and encrypted.

Windows 2000 systems that were upgraded from Windows NT 4.0 or earlier will have security settings roughly equivalent to the Compatible template. The default security settings are only applied when a clean Windows 2000 installation is performed on an NTFS partition.

Note: Security templates are not supported if Windows 2000 is installed on a File Allocation Table (FAT) file system.


While you can import the security templates using the Local Security Policy MMC, to configure them you need to use the Security Templates snap-in. The snap-in is not available by default; you must create a new MMC, or add it to an existing MMC.

To create a new MMC to use with the Security Templates snap-in:

  1. Enter MMC in the Run dialog box.

  2. From the Console Menu, select Add/Remove Snap-in.

  3. Click the Add button.

  4. From the Add Standalone Snap-in dialog shown in Figure 8.14, select the Security Templates snap-in. Click the Add button.

    Figure 8.14. The Add Standalone Snap-in dialog box, showing how to select Security Templates.


  5. Click the Close button.

  6. Click the OK button.

From the Security Templates snap-in, you can:

  • Create a new security template.

  • Customize one of the supplied security templates.

Security Configuration and Analysis Tool

The Security Configuration and Analysis Tool is used to compare the security settings of a computer to those of a template. It allows you to view the results and make any necessary changes to resolve the differences. The tool can also import, export or configure security settings in a Group Policy.

Like the Security Templates, the Security Configuration and Analysis Tool is a snap-in that must be added to an MMC. To create the MMC:

  1. Enter MMC in the Run dialog box.

  2. From the Console Menu, select Add/Remove Snap-in.

  3. Click the Add button.

  4. From the Add Standalone Snap-in dialog, select the Security Configuration and Analysis snap-in. Click the Add button.

  5. Click the Close button.

  6. Click the OK button.

To start using the tool, you must create a database to hold the templates:

  1. From the Security Configuration and Analysis tool snap-in, right-click the Security Configuration and Analysis node in the left pane of the snap-in.

  2. From the pop-up menu, select Open Database.

  3. From the Open Database dialog, enter the name and location of the new database that you want to create. Click the Open button.

  4. When the Import Template dialog box is displayed, select the desired template. Click the Open button.

Now that the template is imported into the database, you can change the configuration, import attributes, or merge this template with other templates. After the configuration of the template is finished, you can use it to analyze your computer. The tool will compare the settings of the template in the database with those of any computer. It will flag the differences for you to examine, and allow you to make changes as desired.

To perform an analysis:

  1. From the Security Configuration and Analysis tool snap-in, right-click the Security Configuration and Analysis node in the left pane of the snap-in.

  2. From the pop-up menu, select Open Database.

  3. From the Open Database dialog, enter the name and location of the database that you want to open. Click the Open button.

  4. Right-click the Security Configuration and Analysis node in the left pane of the snap-in.

  5. From the pop-up menu, select Analyze Computer Now.

  6. Click the OK button to save the error log in the suggested folder.

  7. The Configuring Computer Security dialog box appears and displays a progress indicator. When the process is finished, right-click the Security Configuration and Analysis node in the left pane of the snap-in and select View Log File.

The log file shows all the settings encountered and whether or not they match. For a graphical view of the analysis, click each node and observe the icons for each setting. As shown in Figure 8.15, the various icons indicate the following:

  • A green check mark means the settings were the same

  • A red X means there was a difference

  • No icon means that the policy was not included in the template

Figure 8.15. The Add Security Configuration and Analysis snap-in, showing the results of an analysis.


If you want the settings on the computer that was being analyzed to be automatically configured to match the template in the database, right-click Security Configuration and Analysis and select Configure Computer Now from the pop-up menu.
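The comparison behind the analysis icons can be sketched in code. This added example (not from the book or from Microsoft's tool set) parses two constructed files in security-template .inf syntax, one standing in for the database template and one for an export of the computer's settings, and classifies each setting the way the icons do. Treating a template setting that is absent on the computer as a difference is an assumption.

```python
# Constructed sample data in security-template (.inf) syntax; values are illustrative.
TEMPLATE_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""
# Constructed stand-in for an export of the computer's current settings.
COMPUTER_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 3
"""

def parse_inf(text):
    """Return {(section, key): value}; skips ';' comments and the [Version] header."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section and section != "version":
            key, value = line.split("=", 1)
            settings[(section, key.strip().lower())] = value.strip()
    return settings

def status(name, template, computer):
    if name not in template:
        return "not in template"   # shown with no icon
    if computer.get(name) == template[name]:
        return "match"             # green check mark
    return "difference"            # red X (assumption: also when absent on the computer)

def analyze(template, computer):
    return {n: status(n, template, computer) for n in sorted(set(template) | set(computer))}

if __name__ == "__main__":
    report = analyze(parse_inf(TEMPLATE_INF), parse_inf(COMPUTER_INF))
    for (section, key), result in report.items():
        print(f"{section:14} {key:22} {result}")
```

Settings reported as "difference" are the ones Configure Computer Now would change, so they are the ones to test against application behaviour first.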

Note: Security templates should not be applied to production systems without thorough testing to ensure that application functionality is maintained.




MCSE Windows 2000 Server Exam Cram2 (Exam 70-215)
ISBN: 0789728737
Year: 2003
Pages: 155
