Using Security Configuration and Analysis

Security Configuration and Analysis is an MMC snap-in that allows an administrator to check the state of a system's security against one or more security templates and make appropriate modifications. Useful as both a setup tool and a maintenance tool, the snap-in lets you import predefined or modified security templates, analyze every security area against those templates with a single command, and view concise results. You can then synchronize system security to the template at once or resolve discrepancies on an attribute-by-attribute basis.

This tool, along with an appropriate security template, is invaluable for setting up the initial security configuration of a machine on which many security attributes and file, folder, and registry-key permissions have to be defined. A company or division's entire computer security policy can be translated into a single template and imported to quickly configure one or more machines. In addition, the snap-in is useful for maintaining the security level of a system. Invariably, in the course of resolving temporary network or administrative problems, security attributes become disabled and permissions of objects are set to full access. Periodically analyzing a system's security against its defining template allows you to locate and easily fix security flaws.

Finally, the tool permits you to export security templates that have been modified during the configuration of a machine or to reevaluate such templates in the Security Templates snap-in. If more than one template has been imported, you can save a single composite template that is the sum of all of the template settings.

Opening a Security Database

Like any other MMC snap-in, Security Configuration and Analysis is added to the MMC by choosing Add/Remove Snap-In from the Console menu. Click the Add button and select Security Configuration And Analysis from the list of snap-ins provided.

Security templates are imported into a database, which is used to perform the analysis and configuration. Security database files use an .SDB extension. To create a new database or open an existing one, right-click Security Configuration And Analysis and choose Open Database. In the Open Database dialog box, select an .SDB file to open or type a new filename to create a database. When you type a new filename, a second dialog box appears allowing the import of a base security template. Choose a predefined template or a template modified with the Security Templates snap-in. The list of predefined templates is in the %SystemRoot%\Security\Templates folder. See the section "Using Predefined Templates," earlier in this chapter, for an explanation of these security templates.

Importing and Exporting Templates

Once you have opened a security database, you can import additional security templates into it. To do so, right-click Security Configuration And Analysis and choose Import Template. Select the .INF template file that you want to import. This template supplements the current database template or templates; it does not replace them.

In the process of analyzing and configuring a system's security with a database template, you may find it necessary to define a more precise policy and thereby modify the template. This modification is not saved to the original imported template; instead, it is saved as a database copy. To use the modified template on another machine, you'll need to export it. You can also combine multiple imported templates into a single composite template that you then export. To export a template, right-click Security Configuration And Analysis and choose Export Template. In the ensuing dialog box, choose a filename for the template, using the .INF extension.

Analyzing Security and Viewing the Results

Once you have imported the necessary templates into the database, you can analyze the system. To analyze system security, right-click Security Configuration And Analysis and choose Analyze System Now. In the Perform Analysis dialog box, select the target path and filename of the analysis results. Click OK, and the Analyzing System Security progress window appears, as shown in Figure 18-3.

Figure 18-3. The Analyzing System Security progress window.

The analysis generates two types of results. First, the success and failure of each analyzed component is written to an error log. Second, the security areas listed under Security Configuration And Analysis in the console tree are populated. Each area gives the analysis results in an attribute-by-attribute comparison. When the analysis is complete, view the error log by right-clicking Security Configuration And Analysis and choosing View Log File. The log appears in the right pane with a date and time stamp; it reports on the completion of each analyzed area. The following is a small excerpt from a typical log file:

 View Log File -------------------------------------------- 07/03/1999 18:49:00 ----Analysis engine is initialized successfully.---- ----Reading Configuration info... ... ----Analyze Security Policy... Analyze password information. Analyze account lockout information. Analyze other policy settings. System Access analysis completed successfully. Analyze log settings. Analyze event audit settings. Audit/Log analysis completed successfully. Registry values analysis completed successfully. 

This log file does not show discrepancies in individual attributes but rather integral errors in the analysis. To view the actual analysis results, expand Security Configuration And Analysis in the console tree. The familiar seven areas of system security appear: Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System.

To view analysis results for any of these areas, expand the area and highlight a subcategory. Restricted Groups and System Services are not hierarchical and need only to be highlighted. Figure 18-4 shows sample results for Security Options under Local Policies.

Figure 18-4. Analysis results for Security Options.

In the right pane of the console, each attribute is followed by two settings: the stored template (database) setting and the analyzed system (computer) setting. The icon for the attribute in which settings agree contains a green check mark. If the database and computer settings differ, a red "X" punctuates the attribute icon. Attributes that are not configured in the template are not analyzed, and no marking appears in the icon.

In the figure, all attribute settings agree except Allow System To Be Shutdown Without Having To Log On. This setting is enabled in the template but disabled on the system. Seven other attributes are not configured (defined) in the template and thus are not analyzed.

Configuring Security

After you've successfully analyzed the system and found discrepancies between database and computer settings, you have a few alternatives. Depending on your evaluation of the results, you may decide that the current security template is not appropriate for this computer. A more stringent or relaxed template may be required, or perhaps vital attributes were left unconfigured and additional security areas need to be addressed. The solution is to import a template that is better suited to your particular security requirements. Templates can be added in increasing order of importance. New templates that are merged into the database override any conflicting attributes or permissions.

On the other hand, you may decide that the correct template was indeed used but that the computer settings are actually inappropriate. In this case, you'll want to change the database template so that further analysis won't show any discrepancies. To do so, right-click the offending attribute and choose Security to display a dialog box in which you can change the database template. For example, right-clicking the attribute showing a conflict in Figure 18-4 displays the dialog box shown in Figure 18-5. You can change the template setting to match the computer setting, or you can clear the Define This Policy In The Database check box to specify that the setting should no longer be considered during analysis.

Figure 18-5. Reconciling a conflict between a system security setting and a template setting.

Finally, you may determine that the security template is right on and that the system is in violation of your security policy and needs to be aligned. Once you've weeded out all of the template mismatches and only valid discrepancies remain, you'll want to configure the system. Do this by right-clicking Security Configuration And Analysis and choosing Configure Computer Now.