Using the Security Configuration Editor


The Microsoft Security Configuration Editor is an administration tool that reduces both security management and analysis time. Initially you’ll use this tool to configure the operating system security parameters. Once these parameters are in place, you can use the Security Configuration Editor to schedule periodic tests.

Note

Windows 2000 and Windows XP divide the Security Configuration Editor into two parts. The Security Configuration and Analysis MMC snap-in helps you configure the security database, while the Security Templates MMC snap-in helps you work with the security configuration files. All of these operating systems provide similar functionality. Windows 2000 and Windows XP do provide some advanced features. The screenshot in this section of the chapter depicts the Windows XP setup.

The overall goal of the Security Configuration Editor is to provide a single place to manage all of the security concerns for a network. However, it doesn’t actually replace the tools you used in the past—the Security Configuration Editor augments other security tools. The Security Configuration Editor also provides auditing tools that Windows has lacked in the past.

One of the unique ideas behind the Security Configuration Editor is that it’s a macro-based tool. You’ll create a set of instructions for the Security Configuration Editor to perform and then allow it to perform those instructions in the background. Obviously, this saves a lot of developer time since the developer doesn’t have to wait for one set of instructions to complete before going to the next set. You can also group tasks, which saves input time.

Creating a security setup begins when you choose an existing template or when you create a new one using the Security Templates MMC snap-in. If you want to use an existing template as a basis for creating a new one, you can right-click on the desired template and use the Save As command found on the context menu. Microsoft supplies a variety of templates designed to get you started in creating this security database.

Microsoft designed each of the security templates for a different purpose (which is indicated by the name). The one I’ll use in this section is the compatibility workstation template (compatws), but all of the other templates work about the same as this one. All of the templates contain the same basic elements shown in Figure 14.2.

Figure 14.2: Each of the security templates contains the same security elements.

Each of these elements plays an important part in the overall security configuration for a system. Table 14.5 describes each of these elements.

Table 14.5: Security Template Elements

Element Name: Description

Account Policies: Defines the password, account lockout, and Kerberos policies for the machine. Password policies include items like the minimum password length and the maximum time the user can use a single password. The account lockout policy includes the number of times a user can enter the wrong password without initiating a system lockout. Kerberos policies feature elements like the maximum user ticket lifetime.

Local Policies: Defines the audit policy, user rights assignment, and security options. Audit policies determine the types of data you collect. For example, you could audit each failed user logon attempt. User rights assignments are of special interest since this policy affects the rights you can assign to a user (the access token). The security options policy contains the elements that determine how the security system will react given a set of circumstances. For example, one policy will log a user off when their usage hours expire.

Event Log: Defines how the event log stores data and for how long. These policies also determine maximum event log size and event log viewing rights.

Restricted Groups: Defines groups that can’t access the workstation or server at all, or restricts the amount of access they can obtain.

System Services: Displays a list of the system services on the target machine. Double-clicking a service displays a dialog that allows you to set the policy for that service and allows you to adjust the startup mode for the service. Normally, you’ll leave the icons in this policy alone. However, you can safely change any system service DLLs you create.

Registry: Contains all of the major registry hives. Double-clicking a branch displays a dialog you use to set the security for that branch. In addition, you can choose the method of security inheritance by children of this branch.

File System: Contains protected file system entries. You can add new files to the list or modify existing entries. Double-clicking a file system entry displays a dialog you use to set the security level for that file system member. In addition, you can choose the method of security inheritance by children of this file system entity (applies only to folders).

Active Directory Objects: This entry is only available if you have Active Directory enabled (which means you must have a domain controller set up). It allows you to edit the security settings for any Active Directory objects, including users and groups.
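The Security Templates snap-in edits an ordinary .inf file, and the same Account Policies, audit and Event Log elements from Table 14.5 appear in it as sections. The following added PowerShell script (not from the book) writes a small constructed baseline template, exports the machine's live policy with secedit, and reports every setting that drifted, which is the kind of periodic test the text mentions; the file paths under C:\Temp are assumptions.

```powershell
# Added example: a constructed baseline template and an unattended drift check.
# Assumed paths; the template values are illustrative, not the compatws defaults.
$template = 'C:\Temp\baseline.inf'
$export   = 'C:\Temp\current.inf'

# [System Access] = Account Policies, [Event Audit] = audit policy (3 = success and
# failure), [Security Log] = Event Log element. Templates must be saved as Unicode.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Security Log]
MaximumLogSize = 32768
'@ | Set-Content -Path $template -Encoding Unicode

# Parse "key = value" pairs from an INF into a hashtable keyed "Section/Key".
function Read-SecurityInf([string]$Path) {
    $result = @{}; $section = ''
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^;=]+?)\s*=\s*(.*?)\s*$') {
            $result["$section/$($Matches[1])"] = $Matches[2]
        }
    }
    return $result
}

# Export the live local policy in the same INF format the snap-in works with.
secedit /export /cfg $export /areas SECURITYPOLICY /quiet | Out-Null

$want = Read-SecurityInf $template
$have = Read-SecurityInf $export
# [Unicode] and [Version] are file metadata, not policy, so they are skipped.
foreach ($key in ($want.Keys | Where-Object { $_ -notmatch '^(Unicode|Version)/' } | Sort-Object)) {
    if (-not $have.ContainsKey($key))    { "MISSING  $key (baseline $($want[$key]))" }
    elseif ($have[$key] -ne $want[$key]) { "MISMATCH $key: baseline $($want[$key]), current $($have[$key])" }
    else                                 { "OK       $key" }
}
```

Running the script from a scheduled task gives the periodic test the section describes; secedit /analyze /db and /configure /db accept the same template when you want the full database-backed analysis or want to apply the baseline.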

.NET Development Security Solutions
ISBN: 0782142664
Year: 2003
Pages: 168