It's Easy to Secure Windows 2000 Servers: Part 4
By Laura Taylor
June 6, 2005
In the earlier installments of this series, you learned how to use Microsoft's Management Console (MMC) to automatically configure and enforce security policies by creating security templates. Now that you know how to automate security policies for a basic Windows 2000 server, it's time to learn how to distribute this policy so that you can use it on multiple systems and, by doing so, standardize your security configurations.
Refreshing Our Prior Lessons
Windows 2000 enables you to create security templates, also known as .inf files, and reload them into the server each time the server reboots. By doing this, you always reload the same security configuration that you have already defined and tested. When you set up pre-configured files that reload the security of the system each time it restarts, you can more easily ensure that the right policies are being used.
Another good reason to use security templates is that they allow you to standardize your security configuration across multiple systems. On an enterprise network, you can create one type of security policy for a file and print server, for example, and then distribute it across your network to all file and print servers so they are all configured for security the same way. You can set up one kind of security template for file and print servers, one kind for DNS servers, one kind for database servers, one kind for Web servers, and so forth.
Configure Security Templates Centrally and Implement Them Globally
Once you have proven security templates that you have taken the time to develop, configure, and test, you can install these templates across your enterprise network onto other servers. The process of installing and applying a pre-defined security template to other systems is known as importing it. (Exporting a security template refers to the process of capturing and preserving or "exporting" the existing local security settings into a file for later use.) When you import a template, you take an already developed template and apply the settings. When you "export a template," you really are taking the existing settings and capturing them in a brand new template. The terminology is a bit confusing, and had I been the one to come up with it, I think I would have used other terms.
Import an Existing Security Template
You can use the Security Configuration and Analysis tool to "import" an existing security template from a centralized storage location. It's not a bad idea to keep your security templates all together in a central location. A standard default storage location for security templates is:
If you create a network share for your template directory, you can then access the templates across your network, import templates from the share, and then apply them to the appropriate systems. To load the Security Configuration and Analysis tool, start the Microsoft Management Console (MMC) just as you learned how to do in Part 1 of this series.
When the Console1 box appears, click Console and use the dropdown menu to select Add/Remove Snap-in. After the Add/Remove Snap-in box appears, click Add. After you click the Add button, you will be prompted with a list of possible Snap-ins you can add. Select the Security Configuration and Analysis snap-in as illustrated in Figure 1 and then click Close in the Add Standalone Snap-in window.
Installing the Security Configuration and Analysis snap-in.
You will see the Security Configuration and Analysis tool appear in the Add/Remove Snap-in window as illustrated below. Now click OK.
Finishing the installation of the security configuration and analysis snap-in.
Before you can import the security template, however, you first need to create a database into which you will import it. In the left pane of the Console window, right click Security Configuration and Analysis and from the pull down menu select Open Database.
Creating the database for your security template.
If the template you are going to import is called basicsv (this is the template you learned how to configure in Part 1 and Part 2 of this series) then you should use the same name for the database, e.g., basicsv.sdb. The Security Configuration and Analysis tool will automatically put the .sdb extension on the end of the database file. Once you insert the name that you would like to call your database as illustrated below, click Open and immediately a new window will pop open and you will be prompted to select an .inf file from the security template default location.
Naming the database for your security template.
(If you want to share templates across your network, it is the default location that you just selected your template from that should be set up as a network share.) Remember, security templates are really just files and the files end with the extension .inf.
Importing your security template.
Before you import the database, be sure to check the box that says Clear this database before importing. Next click Open. You'll then see instructions on how to use the Security Configuration and Analysis tool in the right pane on the window.
Analyze the Security of Your Computer
Before you apply the template, it's a good idea to analyze the security of the computer you are applying the new settings to. This way, you can see and record the deltas in the security changes, in case something goes wrong and you need to change things back. To perform the analysis, right click Security Configuration and Analysis in the left pane of the window and select Analyze Computer Now as illustrated below.
Analyzing the existing security settings of your computer.
A new window will open and you'll be prompted to add the path and filename to create a log file where the results of the analysis will be stored as shown below. By default, the Security Configuration and Analysis tool will want to put the log file into the user account from where the analysis will run. Click OK and the analysis will begin.
Creating a log file for the security analysis.
A status box that says Analyzing System Security will pop up as depicted below.
Watching the status of the security analysis.
Reviewing the Results of the Analysis
When the analysis has finished, you will see the names of the policy settings in the right pane of the Console \ Root Security Configuration and Analysis box. By reviewing the results of the analysis, you can see the consistencies and discrepancies between your current computer security policy and the actual settings that are configured in your template that you imported.
Click the leading + to expand the Security Configuration and Analysis in the left pane. You can further expand the sub-categories by clicking the + in front of the sub-category you want to review as illustrated below. The consistencies and discrepancies of the new security policy settings and the existing ones will then become apparent. If there is an inconsistency in the two security policies, you will see a red X. Where there are consistencies, you will see a green checkmark.
Viewing the results of the security analysis.
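The same consistent/inconsistent comparison can be kept as a record outside the console by diffing two template files, the template you imported and one exported from the machine's existing settings. This is an added example, not code from the article or from Microsoft: the setting values in both templates are constructed, and the status names OK, MISMATCH and NOT_DEFINED are this example's own.

```python
# Added example, not from the article. Both templates are constructed samples.
TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""
EXPORTED = r"""
[System Access]
MinimumPasswordLength = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-551,*S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""
def parse_template(text):
    """Return {section: {lowercased key: value}} for INI-style template text."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def canon(section, value):
    """Account lists under Privilege Rights are unordered; other values are not."""
    parts = [p.strip().lower() for p in value.split(",")]
    return sorted(parts) if section == "Privilege Rights" else parts

def compare(template, exported, skip=("Unicode", "Version")):
    """Map (section, key) to OK, MISMATCH or NOT_DEFINED for each template setting."""
    wanted, actual, result = parse_template(template), parse_template(exported), {}
    for section in (s for s in wanted if s not in skip):
        for key, value in wanted[section].items():
            have = actual.get(section, {}).get(key)
            status = "NOT_DEFINED" if have is None else "MISMATCH"
            if have is not None and canon(section, have) == canon(section, value):
                status = "OK"
            result[(section, key)] = status
    return result
for (section, key), status in sorted(compare(TEMPLATE, EXPORTED).items()):
    print(f"{status:12} [{section}] {key}")
```

Template files saved as Unicode are typically UTF-16 on disk, so read them with encoding="utf-16" before passing the text to compare().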
Configure the New Security Settings, Apply the New Template
Up to this point, you have created and loaded the security template, viewed it, and analyzed the current system settings against the new settings, but you have not applied the template (or the new settings). To apply the new settings, in the left pane of the window, right click Security Configuration and Analysis and select Configure Computer Now as illustrated below. You'll be prompted to insert a file and directory location for a log file.
Configuring the security to apply the template.
Insert the log file location and then click OK. The application of the system security settings will begin and a status box will appear and inform you when the process has finished.
Though the Security Configuration and Analysis tool has a nice Graphical User Interface (GUI), you can also launch it and run it from the command line as secedit.exe. However, unless you are planning on building the application of the security template into a script, I don't really recommend using the command line.
Taking a Look Back and a Look Ahead
Congratulations, you have now applied the security settings of your new template and have learned how to analyze the existing security settings of your computer. Hopefully you are beginning to understand how useful these Microsoft security tools really are. Though some experts claim that Windows operating systems are inherently insecure, the truth is that if you know what you are doing, you can lock them down so tight that leading security vulnerability assessment scanners will not even be able to recognize they are Windows boxes. In the next lesson, we'll take a look at how to create a specialized security template for a particular server type.