Windows Security Configuration and Analysis Tool, Part Two: This week we revisit the Windows Server 2003 SCA tool to learn more about how to read what it's telling you, and how to set up your own baseline security templates.
Welcome back to our look at the Security Configuration And Analysis (SCA) Tool. In part one of this article we looked at security templates and the part they play, with the SCA tool, in configuring the settings on a Windows Server 2003 system. Now we can look at how you interpret the information provided by the SCA tool, and how to create and apply baseline security templates.
Interpreting the Information Provided by the SCA Tool
Figure 1. The results of an audit.
We closed part one of this article by looking at the most basic task you can perform with the SCA tool – that of analyzing a system. In this process, the settings configured within your chosen security template are compared with the settings on the computer. The results are displayed, and each item in the template is assigned an icon depending on its state. You can see an example of this in Figure 1.
There are four possible icons:
- X in a red circle – The policy is defined in the security template and on the system, but the values don’t match.
- Green check mark in a white circle – The policy is defined in the security template and on the system, and the values match.
- Question mark in a white circle – The policy is not defined in the security template and as a result was not included in the analysis. As a note, you will also get this result if the user running the analysis does not have the necessary permissions to access the policy on the system.
- Exclamation point in a white circle – The policy is defined in the security template, but does not exist on the computer.
If no icon is applied to a setting, it simply means that the setting is not configured in the template or on the computer.
At this point, no changes have been made to the configuration of the system. The SCA tool has simply performed the comparison. To see how your configuration matches up with the template, you can click through the results noting how the settings compare. As you work through the settings, you can view the properties of any item by double-clicking it. From within this screen, you can also change values.
Figure 2. The Properties page for the Minimum Password Age property.
For example, in Figure 2, you can see the Properties page for the Minimum Password Age property. The computer setting is set to 4 days, but the setting from the security template, referred to as the Database setting, has a value of 2. If you want to change or accept the setting, you can do so from this page. Again, though, no changes are being made to the system configuration. All you are doing is making changes to the settings in the database created from the security template and the analysis.
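The four result states listed above, and the Figure 2 mismatch (Database 2, Computer 4), can be reproduced offline with a small comparison. This is an added example, not the SCA tool's own code: both INF fragments are constructed sample data, the registry value name is hypothetical, and it assumes an INF export of the computer's settings stands in for what the tool reads from the system.

```powershell
# Constructed sample data: a template and an export of the computer's settings.
$templateInf = @'
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
[Registry Values]
MACHINE\Software\Example\Setting=4,1
'@
$computerInf = @'
[System Access]
MinimumPasswordAge = 4
MaximumPasswordAge = 42
PasswordComplexity = 1
'@

function ConvertFrom-SecurityInf {
    param([string]$Text)
    $settings = @{}   # hashtable keys are case-insensitive, like INF entry names
    $section = ''
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ('Unicode', 'Version' -contains $section) { continue }   # file metadata
        if ($line -match '^([^;=][^=]*)=(.*)$') {
            $settings["$section\$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    $settings
}

function Compare-SecurityTemplate {
    param([hashtable]$Template, [hashtable]$Computer)
    foreach ($key in (@($Template.Keys) + @($Computer.Keys) | Sort-Object -Unique)) {
        $result = if (-not $Template.ContainsKey($key)) { 'Not analyzed (question mark)' }
            elseif (-not $Computer.ContainsKey($key)) { 'Not on computer (exclamation point)' }
            elseif ($Template[$key] -eq $Computer[$key]) { 'Match (green check)' }
            else { 'Mismatch (red X)' }
        [pscustomobject]@{ Setting = $key; Database = $Template[$key]
                           Computer = $Computer[$key]; Result = $result }
    }
}

Compare-SecurityTemplate (ConvertFrom-SecurityInf $templateInf) (ConvertFrom-SecurityInf $computerInf) |
    Format-Table -AutoSize
```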
After reviewing the settings, and making any changes, you can proceed to configure the system with the new settings. Before you do that, however, consider the following. First, security templates are applied in their entirety. The SCA tool does not allow you to specify certain parts of the template to be applied. You can only do that by using the Secedit.exe command line tool. Second, some of the default security templates have specific requirements that must be met in order for them to be deployed across the entire network. You can find more information on this topic in the Online Help. Unless you are absolutely sure that you want all of the security configuration changes made by the template, and that you understand what changes will occur, you should not apply the template.
Figure 3. Security changes underway.
If you are ready to apply the settings from the template to the computer, select Configure Computer Now from the Action menu. After providing a path for the error log file, the computer is reconfigured. As the configuration changes are made, a dialog box similar to that shown when the computer is being analyzed is displayed. You can see an example of this in Figure 3.
Creating and Applying a Baseline Security Template
Having looked at how you use the SCA tool to analyze a system, and configure a system, we can put this knowledge together to create and apply a baseline security template.
There are two ways to create a new template. You can either start from scratch or copy an existing template. To create a new template, in the Security Templates MMC snap-in, right-click the %SystemRoot%\Security\Template object and choose New Template. You are prompted for a template name and description. After the template is created, you can go through and change the settings as appropriate.
Copying an existing template can often be easier, as the template you copy may have many of the settings you are looking for already configured. Refer to Part One for a description of each of the default templates. It should be noted, though, that some templates only contain a small number of settings, and are intended to be applied in addition to other templates. For example, the Hisecdc template is ideally intended to be applied after the Securedc template. This is because the Hisecdc template only contains a small number of settings. It relies on the bulk of the settings from the existing configuration or from another template such as Securedc.
To make a copy of a template, highlight it in the Security Templates snap-in and choose Save As from the File menu. After naming the new template, you can go through and make changes to the settings. You should also amend the description of the template, as by default it takes the description of the template you copied.
Once you have finished configuring your baseline template, go into the SCA tool and create a new database. During the creation process, choose the baseline security template you just created. It is a good idea to first perform an analysis to see what changes would be made if the template were applied to the system. Alternatively, if you are very confident of your settings, you can simply choose the Configure Computer Now option from the File menu. This will cause all of your changes to be applied, and your server will be in the ‘baseline’ configuration.
To apply the same settings to other servers, you have a number of options. For a small number of servers, you may just want to copy the baseline template to the other systems, and then use the SCA tool to configure the settings. If you have a large number of servers, you can apply the security template via Group Policy, or through script/batch files using Secedit.exe. The advantage of the Group Policy approach is that the security settings will be refreshed periodically. Secedit, on the other hand, only refreshes the settings when you run the command.
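The scripted Secedit.exe route mentioned here, including the partial application of a template that the SCA tool cannot do, might look like the following. This is an added example, not taken from the article: the paths, file names and chosen areas are assumptions, and it must be run from an elevated prompt.

```powershell
# Valid /areas values: SECURITYPOLICY, GROUP_MGMT, USER_RIGHTS, REGKEYS,
# FILESTORE, SERVICES. Paths and the default area list are assumptions.
function Invoke-Baseline {
    param(
        [string]$Template = 'C:\Baseline\baseline.inf',   # hypothetical baseline template
        [string]$WorkDir  = 'C:\Baseline\work',           # hypothetical working folder
        [string[]]$Areas  = @('SECURITYPOLICY', 'USER_RIGHTS'),
        [switch]$Apply                                    # without it, analyze only
    )
    $secedit = Join-Path $env:SystemRoot 'System32\secedit.exe'
    $db      = Join-Path $WorkDir 'baseline.sdb'
    $null = New-Item -ItemType Directory -Path $WorkDir -Force

    # 1. Syntax-check the template; stop on a non-zero exit code.
    & $secedit /validate $Template
    if ($LASTEXITCODE -ne 0) { throw "Template failed validation (exit $LASTEXITCODE)" }

    # 2. Snapshot the current settings for the same areas, for later comparison.
    & $secedit /export /cfg (Join-Path $WorkDir 'before.inf') /areas $Areas /quiet

    # 3. Analyze: compares the template with the computer and changes nothing.
    & $secedit /analyze /db $db /cfg $Template /overwrite /log (Join-Path $WorkDir 'analyze.log') /quiet
    Write-Host "Analyze exit code $LASTEXITCODE; review analyze.log before applying"

    if (-not $Apply) { return }

    # 4. Apply only the chosen areas of the template to this computer.
    & $secedit /configure /db $db /cfg $Template /overwrite /areas $Areas /log (Join-Path $WorkDir 'configure.log') /quiet
    Write-Host "Configure exit code $LASTEXITCODE; see configure.log"
}

Invoke-Baseline            # analysis only; add -Apply once the log has been reviewed
```

As the article notes, settings applied this way are not refreshed until the command is run again, so a scheduled re-run of the analysis step is a simple way to spot drift.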
Whichever way you decide to use it, the SCA tool is a valuable addition to any Windows Server 2003 administrator’s toolkit. Even if you only use it to review the settings currently in place on your server, it still provides the benefit of placing a large number of commonly configured settings into one easy-to-use interface.