Security Configuration and Analysis
It was back in the late days of Windows NT 4 that Microsoft introduced the security templates and the capability to lock down the security of a system with a centralized group of settings. The tool has evolved over time and has now come to be known as the Security Configuration and Analysis tool. The tool is a snap-in that is used on a computer-by-computer basis. The tool allows for security analysis and configuration.
After the tool is opened in an MMC, as shown in Figure 3.6, you need to open one of the security templates into a database. The security templates are text files that contain security settings that can be used to analyze a computer, be applied to computers, or be imported into a GPO. The idea is that you bring the security template settings into the database for further analysis of the existing computer settings. With the security template settings in a database, you can easily run an analysis against the computer settings to see whether the existing settings are in compliance with what the database has recorded. Figure 3.6 is a result of one analysis. Note that some settings are equal to or better than the database, but some settings are not as secure as what the database indicates; these are shown with a red x by them.
Figure 3.6 Security Configuration and Analysis tool.
Multiple security templates are available and can be used to analyze your computers’ security settings. Some are related to the security levels of the system, and others are related to the compatibility of a system with legacy applications. Following is a listing of the different types of security templates:
Securews.inf—This template is designed to boost the security of a Windows XP system with regard to Auditing, Account Policy, and some well-known Registry subkeys.
Hisecws.inf—The settings in this security template will significantly increase the security of the system. You should use this template with caution; the settings might cause the computer to drop communication with the network because of the lack of security on other computers on the network.
Compatws.inf—This template is designed to reduce the security settings on your computer, basically the Users group, so that they can run legacy applications more easily.
Security templates can be modified, copied, and created from scratch. The goal is to make all the necessary security settings in each template and then apply them to the appropriate computers. Security templates can be applied to computers in any one of three ways:
Using the Security Configuration and Analysis MMC snap-in
Using the Secedit command-line tool
Importing security templates into a GPO