Subject: Step-by-Step Guide to Using the Security Configuration Tool Set
Date: Wed, 6 Jun 2001 10:13:45 -0400
Content-Location: http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/secconfsteps.asp
Step-by-Step Guide to Using the Security Configuration Tool Set

Posted: February 16, 2000
Related Links

  • Part 1: Installing a Windows 2000 Server as a Domain Controller
  • Part 2: Installing a Windows 2000 Professional Workstation and Connecting it to a Domain
  • Windows 2000 Server Online Help
  • Windows 2000 Planning and Deployment Guide
  • Windows 2000 Resource Kits
  • Windows 2000/NT Forum
ON THIS PAGE

  • Introduction
  • Viewing and Modifying Local Security Policy
  • Working with Security Templates
  • Performing a Security Analysis
  • Configuring System Security
  • Command-line Configuration and Analysis
  • Predefined Security Templates

Introduction

This step-by-step guide describes how to view, configure, and analyze local security policy and local security settings using various components of the Security Configuration Tool Set included with the Windows® 2000 operating system.

The Security Configuration Tool Set allows you to configure the following security areas:

Area                 Configurable Items
Account Policies     Password, lockout, and Kerberos settings.
Local Policies       Audit, user rights, and security options.
Event Log            Settings for system, application, security and directory service logs.
Restricted Groups    Policy regarding group membership.
System Services      Startup modes and access control for system services.
Registry             Access control for registry keys.
File System          Access control for folders and files.

Administrators can use the following components of the Security Configuration Tool Set to configure some or all of the security areas described above:

  • Security Templates snap-in. The Security Templates snap-in is a stand-alone Microsoft Management Console (MMC) snap-in that allows the creation of a text-based template file that contains security settings for all security areas.
  • Security Configuration and Analysis snap-in. The Security Configuration and Analysis snap-in is a stand-alone MMC snap-in that can configure or analyze Windows 2000 operating system security. Its operation is based on the contents of a security template that was created using the Security Templates snap-in.
  • Secedit.exe. Secedit.exe is a command-line version of the Security Configuration and Analysis snap-in. It allows security configuration and analysis to be performed without a graphical user interface (GUI).
  • Security Settings extension to Group Policy. The Security Configuration Tool Set also includes an extension snap-in to the Group Policy editor to configure local security policies as well as security policies for domains or organizational units (OUs). Local security policies only include the Account Policy and Local Policy security areas described above. Security policies defined for domains or OUs can include all security areas.

This step-by-step guide describes how to use the snap-ins, command-line tool, and Security Settings extension to view, configure, and analyze local security policy and local security settings.

Requirements and Prerequisites

This guide assumes that you have run the procedures in the two-part "Step by Step Guide to A Common Infrastructure for Windows 2000 Server Deployment." The common infrastructure documents specify a particular hardware and software configuration. If you are not using the common infrastructure, you need to make the appropriate changes to this document. The most current information about hardware requirements and compatibility for servers, clients, and peripherals is available at the Product Compatibility Web site.

Viewing and Modifying Local Security Policy

Local security policy is exposed through the Security Settings extension to Group Policy. Local security policy includes the Account Policy and Local Policy areas only. The Account Policy area contains password and lockout information. The Local Policy area contains audit, user rights, and security options information.

To view local security policy:

  1. Log on to a Windows 2000-based computer as a user with administrative privileges. In our example, we log on as Administrator to the server named HQ-RES-SRV-01.
  2. To open the Group Policy console, click Start, click Run and type Gpedit.msc. Click OK.
  3. Click the + next to Computer Configuration, then Windows Settings, then Security Settings, and then Local Policies to expand these folders.
  4. Click the Security Options folder under Local Policies. Your window should be similar to the one shown below in Figure 1.

    Figure 1. Security Options

For each security setting, notice that the Security Settings extension displays the local policy and an effective policy. Local Policy describes policy settings as they are defined on the local computer. Effective policy describes the combined local, domain, and organizational unit policies for each setting. This distinction is made because local policy settings can be overwritten by domain or OU policy settings. The order of precedence for policies is from lowest to highest:

  • Local Policy
  • Domain Policy
  • OU Policy

Local Policy has the least precedence and the OU that directly contains the computer has the highest precedence. The effective policy column displays the security policy in effect based on these precedence rules.

Modifying local security policy

To modify a local security policy setting, double-click the security item of interest and revise the policy. For example, to change the minimum password age defined by the local password policy:

  1. Click the + next to Account Policies in the left pane (under Security Settings) to expand it.
  2. Click Password Policy.
  3. Double-click Minimum Password Age in the right pane.
  4. Set a Minimum Password Age of 1 day, and click OK.

When you OK the policy change, policy propagation is triggered, which causes an effective policy to be computed (based on any overriding domain or OU policies) and applied to the system. Status regarding this policy propagation is available in the application event log.

  5. Right-click Security Settings (in the left pane), and then click Reload.

Reloading the local policy updates the effective policy in the user interface. Depending on domain or OU password policies that are in effect, the effective policy may or may not have changed on your computer.

  6. Close the Group Policy console.

Working with Security Templates

The Security Templates snap-in allows you to create a text-based template file that can contain security settings for all of the security areas supported by the Security Configuration Tool Set. You can then use these template files to configure or analyze system security using other tools.

  • You can import a template file into the Security Settings extension to configure local, domain, or OU security policy.
  • You can use the Security Configuration and Analysis snap-in to configure or analyze system security based on a text-based security template.
  • You can use the Secedit.exe command-line tool directly or in conjunction with other management tools such as Microsoft Systems Management Server or Task Scheduler to deploy a security template or trigger a security analysis.

To load the Security Templates snap-in:

  1. Click Start, click Run, and then type MMC /s into the text box and click OK. (Note: there is a space between the C and the /s.)
  2. Click Console (under Console1 in the upper right of the window), click Add\Remove Snap-in, and click Add.
  3. From the list of available Standalone Snap-ins, select Security Templates, as shown in Figure 2 below.



    Figure 2. Adding the Security Templates snap-in

  4. Click Add, then click Close.
  5. Click OK.
  6. Click the + next to Security Templates in the left pane to expand it.
  7. Click the + next to C:\WINNT\security\templates to expand it. (Note: if you installed Windows 2000 in a different drive and/or directory, that path will display instead of C:\WINNT.)

Windows 2000 ships with several predefined security templates. Please see the section, Predefined Security Templates, in this paper for more information.

Modifying a Security Template

You can create your own security template by right-clicking the default templates folder (C:\WINNT\security\templates) under Security Templates and selecting New Template. (Note: If you installed Windows 2000 in a different drive and/or directory, that path will display instead of C:\WINNT.) However, in this guide you are going to modify the predefined secure workstation or server template (Securews.inf) that is included with Windows 2000.

To view the settings defined by Securews.inf:

  1. In the left pane, scroll down and then click the + next to Securews to expand it. Notice in Figure 3 below that (unlike the local security policy covered in the previous two sections) all security areas are configurable when you define a security template.



    Figure 3. Reviewing settings defined by Securews.inf

  2. Browse the Account Policies and Local Policies defined by Securews by expanding those folders, selecting the different areas and viewing the Stored Template settings in the right pane.

Displaying a Custom Logon Message

You can modify Securews to display a custom message to all users who log on.

  1. Click the Security Options node under Local Policies.
  2. In the right pane, scroll down and then double-click Message Text for Users Attempting to log on.
  3. Type a message that will be displayed to all users when they log on, and click OK.

Creating a Restricted Group Policy

A Restricted Group Policy allows you to define who should and should not belong to a specific group. When a template (or policy) that defines a restricted group is applied to a system, the Security Configuration Tool Set adds members to the group and removes members from the group to ensure that the actual group membership coincides with the settings defined in the template (or policy). In this procedure, you will define a restricted group policy for the local Administrators group in addition to the restricted group policy that is already defined for the local Power Users group in Securews.inf.

To create the restricted group policy:

  1. In the left pane, right-click Restricted Groups, and select Add Group.
  2. Type NewAdmins as the group name and click OK. The local Administrators group is added as a restricted group in the right pane of the Security Templates snap-in.
  3. Double-click Administrators in the right pane.

You can now define who should be a member of the Administrators group and specify other groups that the Administrators group can be a member of.

  4. Click Add and then click Browse. The Select Users or Groups dialog appears as shown in Figure 4 below.
  5. Select the Administrator user in the Select Users or Groups dialog. Click Add.

    Figure 4. Select Administrator

  6. Click OK, and then click OK twice more.

This restricted group policy states that only the local Administrator user can belong to the Administrators local group when the Securews template is used to configure a Windows 2000 system. During configuration, the tool set removes all other users that belong to the Administrators group at the time of configuration. Similarly, if (at the time of configuration) the Administrator user does not belong to the Administrators group, the Security Configuration Tool Set adds the Administrator user to the Administrators group.

  • If the Members list is empty: If no users are specified as members of a defined restricted group (the top box is empty), the Security Configuration Tool Set removes all current members of that group when the template is used to configure a system.
  • If the Member of list is empty: If no groups are specified for a restricted group to belong to (the bottom box is empty), no action is taken to adjust membership in other groups.
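The reconciliation rules just described (a defined Members list is authoritative, an empty Members list removes everyone, an empty Member of list takes no action) as an added Python model; this is not code from Microsoft's guide or from the tool set. It reads a constructed [Group Membership] section written in the style of a template .inf and plans the adds and removes against a constructed snapshot of local groups; the key naming (`<group>__Members`, `<group>__Memberof`) and the sample accounts are assumptions.

```python
import configparser
from dataclasses import dataclass, field

# Constructed template fragment in the style of a Security Templates .inf file.
# Assumption: the [Group Membership] section holds "<group>__Members" and
# "<group>__Memberof" keys, with an empty value meaning "nobody" / "no groups".
TEMPLATE_INF = """
[Group Membership]
Administrators__Members = Administrator
Administrators__Memberof =
Power Users__Members =
Power Users__Memberof =
"""

# Constructed snapshot of the local groups before the template is applied.
CURRENT_GROUPS = {
    "Administrators": {"Administrator", "jsmith", "svc-backup"},
    "Power Users": {"tjones"},
    "Backup Operators": {"svc-backup"},
}


@dataclass
class GroupAction:
    group: str
    add: set = field(default_factory=set)      # users to add to the group
    remove: set = field(default_factory=set)   # users to remove from the group
    join: set = field(default_factory=set)     # groups this group must be added to


def parse_restricted_groups(inf_text):
    """Return {group: {"members": set | None, "memberof": set | None}}.
    None means that list was not defined at all for the group."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                       # keep the case of group names
    cp.read_string(inf_text)
    policy = {}
    for key, value in cp["Group Membership"].items():
        group, _, kind = key.rpartition("__")
        names = {n.strip() for n in value.split(",") if n.strip()}
        policy.setdefault(group, {"members": None, "memberof": None})[kind.lower()] = names
    return policy


def plan_actions(policy, current):
    """Work out what configuration would do to make reality match the policy."""
    actions = []
    for group, spec in policy.items():
        now = current.get(group, set())
        act = GroupAction(group)
        if spec["members"] is not None:
            # A defined Members list is authoritative: missing users are added,
            # everyone else is removed. An empty list therefore empties the group.
            act.add = spec["members"] - now
            act.remove = now - spec["members"]
        if spec["memberof"]:
            # Member-of only ensures membership in the listed groups; an empty
            # list takes no action in other groups at all.
            act.join = {g for g in spec["memberof"] if group not in current.get(g, set())}
        actions.append(act)
    return actions


def apply_actions(actions, current):
    """Return the group membership that results from carrying out the actions."""
    result = {g: set(m) for g, m in current.items()}
    for act in actions:
        members = result.setdefault(act.group, set())
        members |= act.add
        members -= act.remove
        for g in act.join:
            result.setdefault(g, set()).add(act.group)
    return result


if __name__ == "__main__":
    plan = plan_actions(parse_restricted_groups(TEMPLATE_INF), CURRENT_GROUPS)
    for act in plan:
        print(act)
    print(apply_actions(plan, CURRENT_GROUPS))
```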

Configuring Permissions for a File System Directory

You can use Securews to configure permissions for file system directories as well.

  1. Right-click File System in the left pane, and click Add File.
  2. Click the %systemroot%\repair directory as shown in Figure 5 below. Click OK.



    Figure 5. Configuring file system permissions — selecting the repair directory

    The Access Control List (ACL) Editor shown in Figure 6 below appears. This allows you to specify permissions for the %systemroot%\repair directory in the Securews.inf template.



    Figure 6. Using the ACL Editor to specify permissions

  3. Select the Everyone group in the top pane and click the Remove button.
  4. Click the Add button and select the Administrators group. Click Add and click OK.
  5. Click the Full Control checkbox in the bottom pane to give the Administrators group full control permissions.
  6. Clear the Allow inheritable permissions from parent to propagate to this object checkbox.
  7. Click OK to accept the Administrator-only permissions defined for the directory.



    Figure 7. Template Security Policy Setting

  8. Select the Replace existing permission on all subfolders and files with inheritable permissions button and click OK.

Inheriting, Overwriting, and Ignoring Policy Changes

After you define permissions for a file system or registry object, the Security Configuration Tool Set asks you how the object's children should be configured.

If you select Propagate inheritable permissions to all subfolders and files, normal Windows 2000 ACL inheritance procedures are in effect. Specifically, any inherited permissions on child objects are adjusted according to the new permissions defined for this parent. Any explicit access control entry (ACE) defined for a child object remains unchanged.

If you select Replace existing permission on all subfolders and files with inheritable permissions, all explicit ACEs for all child objects (which are not otherwise listed in the template) are removed, and all child objects are set to inherit the inheritable permissions defined for this parent.

To prevent a child object from being overwritten by a parent, the child object can be added to the template and ignored. If a child object is added to the template and ignored, then that child's inheritance mode and that child's explicit ACEs remain untouched. Choosing the option Do not allow permissions on this file or folder to be replaced for an object in a template makes sense only if an ancestor of that object is configured to overwrite children. If no ancestor exists in the template, ignoring an object has no impact. If an ancestor exists but is configured such that children inherit, then ignoring a child has no impact.

In this example, the ACL configuration for the %systemroot%\repair directory in the Securews.inf template is defined as follows:

  • Administrators have full control on the %systemroot%\repair directory. By default, these full control permissions apply to this folder, subfolders, and files. You specified this when you defined the Administrator permissions in the ACL Editor.

    Note: The degree to which an ACE is inheritable is specified in the Advanced tab of the ACL Editor under the Apply to column. This walkthrough did not examine the Advanced tab when defining the permissions for Administrator.

  • The %systemroot%\repair directory does not inherit any permissions from its parent. You specified this when you cleared the Allow inheritable permissions from parent to propagate to this object checkbox in the ACL Editor.
  • All ACLs on all subfolders and files of the repair directory are configured such that they inherit the inheritable Administrators full control permission from this parent, regardless of their current configuration. You specified this when you selected the Replace existing permission on all subfolders and files with inheritable permissions mode of operation.

To save your customized Securews.inf file:

  1. Right-click Securews.inf, click Save As, and type Mysecurews and click Save.
  2. Exit the Security Templates snap-in console by clicking the Close button in the upper right corner.
  3. Click Yes to save the console settings.
  4. Save the console as Security Templates. This allows you to start the Security Templates snap-in without having to add it to a console in the future.

Performing a Security Analysis

You can analyze current system settings against a baseline template at any time. Performing an analysis is useful for several different reasons:

  • To identify security holes that may exist in a current configuration.
  • To identify changes that a potential security policy may impart to a system, before actually deploying the security policy.
  • To identify deviations from a policy that is currently imposed on a system.

During this part of the guide, you will analyze the current system settings against the custom security template you created in the previous section. If you assume that the custom security template defines a more secure configuration, this analysis should identify security holes that may exist in the current system configuration, and can also identify changes that will take place if this template is used to configure the system.

To load the Security Configuration and Analysis MMC snap-in:

  1. On the Start menu, click Run and type: MMC /s
  2. From the Console menu, select Add\Remove Snap-in, and click Add.
  3. Select Security Configuration and Analysis.
  4. Click Add and then click Close. Click OK.

Creating a Database

All configurations and analyses are database-driven. Therefore, you must get the baseline analysis template into a database prior to performing the analysis operation.

To create the database:

  1. Click Security Configuration and Analysis in the left pane.
  2. Right-click Security Configuration and Analysis in the left pane.
  3. Click Open Database.
  4. Type Mysecurews.sdb as the name of the database.
  5. Click Open.
  6. Select Mysecure.inf as the security template to import into the database.
  7. Click Open.

Notice that the name of the database is now exposed in the result pane and that there are several more options on the context menu for Security Configuration and Analysis.

To perform the analysis:

  1. Right-click Security Configuration and Analysis, and then select Analyze Computer Now from the context menu shown in Figure 8 below.

    Figure 8. Analyze Computer option

  2. Specify the log file for the analysis operation as follows (note: you can also find this by clicking the browse button instead of typing it in):
    %windir%\security\logs\Mysecurews.log
    where %windir% is the drive and path to your Windows directory; for example:
    C:\WINNT\security\logs\Mysecure.log
  3. Click Open and then click OK. A progress dialog like the one shown in Figure 9 below displays as the analysis proceeds.



    Figure 9. Analyzing System Security Progress Report

Reviewing the Analysis Results

After the analysis has completed, the security areas are available under the Security Configuration and Analysis node.

To review the results:

  1. From the Security Configuration and Analysis node, click View.
  2. Select the Description Bar to expose the database you are currently working with.
  3. Expand Security Configuration and Analysis in the left pane, and then expand Local Policies, and then click Security Options as shown in Figure 10 below.

    Figure 10. New Security Settings

In the right pane, both database and actual system settings are displayed for each object. Discrepancies are highlighted with a red flag. Consistencies are highlighted with a green check mark. If there is no flag or check mark, the security setting is not specified in the database (that is, the security setting was not configured in the template that was imported).

You can double-click any setting in the result pane to investigate discrepancies further and modify database settings if desired.

For example:

  1. Expand the File System node in the left pane.
  2. Expand the %windir% directory (for example, C:\WINNT).
  3. Right-click the Repair directory.

Note that files contained in the repair directory are also highlighted as being OK or mismatched. When a template specifies a container object in overwrite mode (which was the case when we configured the repair directory) all children of that object are analyzed for compliance. Child objects that do not inherit from the parent are flagged as mismatched because overwrite implies that all children (not otherwise specified in the template) should inherit from the parent. Child objects that are inheriting from the parent (and contain no explicit ACEs of their own) are flagged as matches even if they are currently inheriting a different DACL than the one specified by the parent in the template. In this latter case, the relevant mismatch was flagged on the parent itself.

  4. Select Security. You can view the analyzed permissions, the database permissions, or both.
  5. Click View Security then click OK. (Note that you cannot modify the actual system settings while viewing analysis results.)
  6. Drag the Last Analyzed Security dialog out of the way, and click Edit Security in the previous window. Line up the windows side by side as shown:

    Figure 11. Compare Repair ACL

    You can see the discretionary access control list (DACL) defined in the database (that was imported from the Mysecure template) and the actual DACL at the time the analysis was performed. Because the DACLs differ, the repair directory is highlighted as a mismatch.
  7. Close these three windows.
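The propagate, replace and ignore modes described under "Inheriting, Overwriting, and Ignoring Policy Changes", together with the match/mismatch rules for the children of an overwriting container described above, as an added Python model; this is not code from Microsoft's guide or from the tool set. It applies a template entry for the repair directory to a constructed directory tree and then analyzes the tree against the template; the tree contents, the (trustee, right) ACE tuples and the treatment of an ignored object's subtree are assumptions.

```python
from dataclasses import dataclass, field

# Modes named after the three choices the tool set offers for a container's children.
PROPAGATE, REPLACE, IGNORE = "propagate", "replace", "ignore"

@dataclass
class FsObject:
    path: str
    explicit: frozenset    # ACEs set directly on this object, as (trustee, right) pairs
    inherits: bool         # the "Allow inheritable permissions from parent" checkbox
    children: list = field(default_factory=list)

def dacl(obj, parent_dacl=frozenset()):
    """Effective DACL: explicit ACEs plus the parent's DACL when inheriting."""
    return obj.explicit | (parent_dacl if obj.inherits else frozenset())

def configure(obj, template, mode_from_ancestor=None):
    """Apply template {path: (aces, inherits, mode)} to the tree in place.

    Assumption not stated on the page: an ignored object shields its whole
    subtree from an overwriting ancestor, not only itself."""
    if obj.path in template:
        aces, inherits, mode = template[obj.path]
        if mode == IGNORE:
            return obj                          # inheritance mode and ACEs untouched
        obj.explicit, obj.inherits = frozenset(aces), inherits
        mode_from_ancestor = mode
    elif mode_from_ancestor == REPLACE:
        # Overwrite: explicit ACEs are removed and the child is set to inherit.
        obj.explicit, obj.inherits = frozenset(), True
    # Under PROPAGATE (or with no ancestor in the template) explicit ACEs stay;
    # dacl() then reflects whatever the parent now passes down.
    for child in obj.children:
        configure(child, template, mode_from_ancestor)
    return obj

def analyze(obj, template, mode_from_ancestor=None):
    """Compare the tree with the template without changing it: {path: status}."""
    result = {}
    if obj.path in template:
        aces, inherits, mode = template[obj.path]
        if mode == IGNORE:
            result[obj.path] = "ignored"        # assumption: not compared
            return result
        ok = obj.explicit == frozenset(aces) and obj.inherits == inherits
        result[obj.path] = "match" if ok else "mismatch"
        mode_from_ancestor = mode
    elif mode_from_ancestor == REPLACE:
        # Every child of an overwriting container is checked: it complies only
        # if it inherits and has no explicit ACEs. The DACL it inherits is not
        # compared here; any difference was already flagged on the parent.
        ok = obj.inherits and not obj.explicit
        result[obj.path] = "match" if ok else "mismatch"
    else:
        result[obj.path] = "not specified"
    for child in obj.children:
        result.update(analyze(child, template, mode_from_ancestor))
    return result

ADMIN_FULL = frozenset({("Administrators", "Full Control")})
REPAIR = r"%systemroot%\repair"
# The entry the walkthrough builds: Administrators only, nothing inherited
# from the parent, children replaced with inheritable permissions.
TEMPLATE = {REPAIR: (ADMIN_FULL, False, REPLACE)}

def sample_tree():
    """Constructed before-state of the repair directory (not a real snapshot)."""
    return FsObject(REPAIR, frozenset({("Everyone", "Full Control")}), True, [
        FsObject(REPAIR + r"\sam", frozenset({("Backup Operators", "Read")}), False),
        FsObject(REPAIR + r"\system", frozenset(), True),
        FsObject(REPAIR + r"\RegBack", frozenset(), True, [
            FsObject(REPAIR + r"\RegBack\default", frozenset({("Users", "Read")}), True),
        ]),
    ])

if __name__ == "__main__":
    tree = sample_tree()
    print(analyze(tree, TEMPLATE))                         # before configuring
    print(analyze(configure(tree, TEMPLATE), TEMPLATE))    # all "match" afterwards
```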

Modifying Baseline Analysis Settings

After you review the analysis results, you may decide to update the baseline database that was used to perform the analysis. This may be desirable if you have changed your mind about the relevancy or the security specification that was originally defined for an object. For example:

  • If you consider an object to be security relevant, then you would check the Define this policy in the database checkbox when viewing the detailed analysis results. If this box is unchecked, the object is removed from the configuration and receives its inheritance from the parent object, as defined.
  • If you want to base future configurations or analyses on a different security specification, then you can click the Edit Security settings control to modify the security definition currently stored in the database.

In the example above, you already clicked the Edit Security control in step 6. If desired, you can modify the ACL currently defined for the repair directory in the database. Future analyses or configurations using this database would then be based on the newly defined ACL. Such modifications can be saved to a template by selecting Export Template from the context menu of the Security Configuration and Analysis node.

Configuring System Security

Thus far, you have created a customized security template (Mysecure.inf) and analyzed the current system settings against this template. If you are comfortable with the security changes indicated by this template (as noted by the mismatches flagged in the analysis), you can now configure the system with these new security settings.

To configure the system with the new settings:

  1. Right-click the Security Configuration and Analysis node.
  2. Select Configure System Now.
  3. Specify the following as the path to the log file:
    %windir%\security\logs\Mysecure.log
    where %windir% is the drive and path to your Windows directory (for example, C:\WINNT).
  4. Click OK. A progress dialog displays to indicate the security areas being configured. When the configuration has completed, your system is configured with the settings specified in Mysecure.Inf.
  5. Click the Close button in the upper right corner of the Security Configuration and Analysis MMC snap-in.
  6. Click Yes to save the console settings.
  7. Specify SCA as the file name, and save the file.

This allows you to start the Security Configuration and Analysis snap-in without having to add it to a console in the future. Note that both the Security Templates snap-in and the Security Configuration and Analysis snap-in can be added to the same console if