
For example, when you upgrade a Windows 9x system to Win2K, the upgraded system has all the default settings of a new Win2K system. However, when you upgrade an NT 4.0 system to a Win2K DC, setup doesn't change the NT security settings or system root ACLs. If you want the Win2K DC you upgraded from NT to have the same settings as a new Win2K DC, apply the basicdc template. If you want your upgraded Win2K DC to conform to the more restrictive settings of a secure DC, you must also apply the securedc template. The securedc template adds to the controls in the basicdc template but doesn't include them. In other words, built-in templates are incremental, not all-inclusive. (For more information about incremental templates, see the Web-exclusive sidebar "How Incremental Templates Work," InstantDoc ID 23083.)

Security Configuration and Analysis
The Security Configuration and Analysis snap-in configures and analyzes the local system by using a security template as a guide. The analysis effectively audits the local system against settings defined in a template, while the configuration component applies the template settings to the local system. If you plan to assign security templates to systems through Group Policy (e.g., to a group of systems or all systems in a domain or an organizational unit—OU), you need the Security Extensions to Group Policy snap-in.

Secedit.exe is the command-line interface for the Security Configuration and Analysis tool. Secedit has five commands—Analyze, Configure, Export, RefreshPolicy, and Validate—that help you define, apply, and audit security settings. The command-line interface is handy if you need to perform only one task, such as analyze a system, export a database to its companion .inf file, or refresh the Local Security Policy from local or Group Policy Object (GPO) settings. If you manually edit a template .inf file, you can use Secedit's Validate command to syntactically verify the contents of the .inf file before you use the template with the Security Configuration and Analysis snap-in.

All configuration and analysis tasks operate with a database built from a security template. The first time you start the Security Configuration and Analysis snap-in, the right pane contains instructions for opening an existing database or creating a new database. The first time you use a template, the snap-in creates and permanently saves the database. Because the tool creates a permanent copy of the database with an .sdb extension during database creation, you need to create the database only once. (For ease of use, I recommend that you give each database the same name as the template and that you store all the databases in the same directory.) After you create the database, right-click the Security Configuration and Analysis snap-in to display the tasks you can perform with the active template.

The Analysis Task: Auditing a System
You can use the Security Configuration and Analysis snap-in's Analyze Computer Now option to compare (i.e., audit) the current system configuration with settings in a template. With an audit, you can analyze a system to confirm the configuration or identify discrepancies. If the current settings don't match the template, either you missed a definition or someone has the (potentially undesirable) ability to modify security settings. In either case, an audit helps you identify and close loopholes.

During Win2K installation, the Setup utility uses the Setup Security.inf template to implement Win2K's default security settings. You can use the setup template to compare the system's current configuration with settings that the original installation implements. To compare configurations, right-click the Security Configuration and Analysis snap-in, select Open database, then type

Setup Security

in the File name text box. In the Import Template dialog box, which Figure 2 shows, select setup security.inf, then click Open to create the database. The next time you need the Setup Security database, it will appear in the database directory list as setup security.sdb.

To start the audit, right-click the Security Configuration and Analysis snap-in, select Analyze Computer Now, then either accept the default log-file name or enter an alternate path. The log duplicates most of the GUI results in a text file and, as such, is a permanent record of the audit. I recommend that you direct the log file to the same directory in which you store templates and databases. (By default, the Security Configuration and Analysis snap-in creates the log file in My Documents.)

You'll see a progress screen as the audit proceeds through the seven categories. When the analysis is finished, the Security Configuration and Analysis snap-in displays the results in each of the keys that appear below the snap-in. Expand each key to examine the detailed results of the audit. In the right pane of the console, you'll see three columns. The first column displays the policy name, the second column displays the template setting, and the third column displays the system's current setting, as Figure 3 shows. Whenever a discrepancy occurs between the template setting and the system setting, a red circle with an x appears over the policy item name. In Figure 3, the Setup Security template doesn't activate security logging, but the system is currently configured to audit several categories of security events.
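The template-versus-system comparison described above, and the incremental-template behavior noted earlier, can be modeled in a few lines. This is an added example, not code from the article or from Microsoft's tools: the three .inf fragments are constructed samples (not the real contents of any built-in template), and `parse_template`, `layer` and `analyze` are hypothetical helper names.

```python
import configparser

# Constructed samples (NOT the real contents of any built-in template).
BASE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Event Audit]
AuditLogonEvents = 0
AuditSystemEvents = 0
"""
SECURE_INF = """\
[System Access]
MinimumPasswordLength = 8
[Event Audit]
AuditLogonEvents = 3
"""
SYSTEM_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditSystemEvents = 3
"""

def parse_template(text):
    """Parse template .inf text into {(section, key): value}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   allow_no_value=True, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return {(s, k): (v or "").strip()
            for s in cp.sections() if s not in ("Unicode", "Version")
            for k, v in cp[s].items()}

def layer(*templates):
    """Merge templates in order: later values override, nothing is reset."""
    merged = {}
    for t in templates:
        merged.update(t)
    return merged

def analyze(template, system):
    """List (section, key, template value, system value) for each mismatch."""
    return sorted((s, k, want, system.get((s, k), "Not defined"))
                  for (s, k), want in template.items()
                  if system.get((s, k)) != want)

if __name__ == "__main__":
    base, secure, system = map(parse_template, (BASE_INF, SECURE_INF, SYSTEM_INF))
    print("incremental only:", analyze(secure, system))
    print("baseline + incremental:", analyze(layer(base, secure), system))
```

Auditing against the incremental sample alone reports no discrepancies, because it defines only two settings; layering it over the baseline sample exposes the two settings the incremental template never mentions.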
