One of the problems with managing security on a Windows Server 2003 system is the sheer volume of available settings. Even seasoned administrators often find it difficult to keep track of which setting has been set to what value. To make the tracking and checking of security settings simpler, Microsoft provides, with Windows Server 2003, the Security Configuration and Analysis (SCA) tool. As with other lesser-known Windows tools, however, many people are not aware of the SCA tool’s existence. Fewer still are aware of its value.
One reason that the SCA tool is not as widely known as some of the other Windows Server 2003 administration tools is that it doesn’t have a shortcut on the Administrative Tools menu. Instead, the SCA tool is a Microsoft Management Console (MMC) snap-in that must be manually added.
To do this, start a blank MMC by clicking Start»Run and then typing MMC in the Open field. Click OK. Next, from within the blank MMC, click the File menu and choose Add/Remove Snap-in. From the Add/Remove Snap-in dialog box, click Add and then choose Security Configuration and Analysis Tool from the Available Standalone Snap-ins list. Click Add. While you are in this screen, it is also a good idea to add the Security Templates snap-in to the console. We will come to security templates and their role in a moment.
Before going any further, save your customized MMC so that when you come to use the SCA tool again, you don’t have to start over creating a customized MMC. To save the MMC, simply click File»Save As, and then give your new MMC a name. You can save the shortcut anywhere, but the Administrative Tools menu, which is the default location, seems like an obvious place.
Security Templates and the SCA Tool
Before we talk more about the Security Configuration and Analysis tool itself, we should take a moment to discuss security templates, as without them, the SCA tool is basically pointless.
In simple terms, security templates are text files that contain security settings. Windows Server 2003 comes with a number of default security templates, all of which are located in the %SystemRoot%\Security\Templates folder. Nine default templates are provided.
Compatws.inf – Provides settings that allow users who are not members of the Power Users group to run applications that do not comply with the Windows Logo Program for Software.
DCSecurity.inf – Created when a system running Windows Server 2003 becomes a domain controller. Contains security modifications associated with the domain controller role including file system and registry permissions.
Hisecdc.inf – Provides additional security (over and above that provided by the Securedc.inf template) for domain controllers.
Hisecws.inf – Provides additional security (over and above that provided by the Securews.inf template) for member servers.
Iesacls.inf – Provides tighter security configuration for Internet Explorer.
Rootsec.inf – Allows you to reset the default file system permissions for the system drive on a Windows Server 2003 system.
Securedc.inf – Intended for domain controllers, this template tightens up account policies and auditing policies. It also increases restrictions for anonymous users.
Securews.inf – Intended for member servers, this template increases security while maintaining compatibility.
Setup Security.inf – Created by the Windows Server 2003 Setup program. Enables you to revert the security configuration back to the point at which the operating system was installed or upgraded.
Some of the templates, such as the DCSecurity.inf template, contain a wide range of settings, while others, such as the Rootsec.inf template, contain very few. All, however, contain the same database of available settings as shown in Figure 2. The difference between the templates is how many and which of the settings are configured. The range of settings within the templates is significant, as it is these elements that are included in the SCA Tool analysis.
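Because templates are plain text files, the point that they differ in how many and which settings are configured can be checked outside the MMC. The following Python sketch is an added example, not part of the original article or of any Microsoft tool: it parses two template fragments and lists which settings each one configures and where the values differ. The two fragments and their values are constructed for illustration, and the function names parse_template and compare are this example's own.

```python
# Constructed template fragments for illustration, not copies of shipped files.
BASELINE = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Event Audit]
AuditLogonEvents = 0
"""
HARDENED = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
; constructed comment line
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
"""
HEADER_SECTIONS = {"Unicode", "Version"}  # file metadata, not security settings

def parse_template(text):
    """Return {(section, setting): value} for each configured name = value entry."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section and section not in HEADER_SECTIONS and "=" in line:
            name, value = line.split("=", 1)
            settings[(section, name.strip())] = value.strip()
    return settings

def compare(a, b):
    """Return (only in a, only in b, {key: (a value, b value)} where values differ)."""
    only_a = sorted(k for k in a if k not in b)
    only_b = sorted(k for k in b if k not in a)
    changed = {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}
    return only_a, only_b, changed

if __name__ == "__main__":
    only_a, only_b, changed = compare(parse_template(BASELINE), parse_template(HARDENED))
    print("only in hardened:", only_b)
    print("changed:", changed)
```

Entries that are not in name = value form are ignored by this sketch, and a real template file must be read with the encoding it was saved in before being passed to parse_template.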