
The Configuration Task: Activating a Security Template
Using a template to configure a system is as easy as performing an audit. For example, let's say that you want to reset a system to installation defaults so that you have a known starting point for testing a custom template. If you have a different template loaded in the Security Configuration and Analysis snap-in, you need to create or open the Setup Security database I referred to in the previous section.

After the database is loaded, right-click the Security Configuration and Analysis snap-in, then select Configure Computer Now. The same progress screen the snap-in displays when it's auditing a system will appear. Because the Security Configuration and Analysis snap-in is implementing changes, configuring a system takes slightly longer than analyzing one with the same template. When the Security Configuration and Analysis snap-in finishes configuring the system, the system's security settings duplicate settings from the original installation.

When you configure a system, the Security Configuration and Analysis snap-in doesn't display the results after a configure task like it does after an analysis. To check a specific setting or verify settings or policies, use the same template to analyze the system a second time, then look at the results of the analysis report. (You can also examine the log file that the Configure task creates, but looking at the GUI version of the Analysis report is much easier.)

A word of caution about configuring a system with the built-in templates: You might expect that the Securews template contains all the policies from the Basicwk template, but such isn't the case. Each built-in template implements a specific set of nonoverlapping policies and controls. To bring a system into compliance with the Securews template, you first apply the Basicwk template, then apply the Securews template. Similarly, to configure a highly secure workstation, apply the Basicwk, Securews, and Hisecws templates in that order.

Configuring with Multiple Templates
You can expedite using multiple templates to configure a system by creating a composite database of all the templates that you need to implement necessary security controls. The Security Configuration and Analysis snap-in can import multiple templates into the same database, which produces a database that reflects the combined settings of all the templates. (For more information about using multiple templates, see the Web-exclusive sidebar "How Incremental Templates Work.")

When you import multiple templates into the same database, the Security Configuration and Analysis snap-in doesn't track or inform you about the templates you load, which means it's easy to become confused about what you've imported. So, be methodical when you perform these tasks. Also, the Security Configuration and Analysis snap-in doesn't support unloading a template, so you can't revert a database to a previous state. If you import the wrong template, you need to delete the database and start over. When you're satisfied with the results, you can save the cumulative database in its own security template. To save the database, right-click the Security Configuration and Analysis snap-in, select Export, then enter a template name. After you export the database, the new template appears in the Security Templates snap-in.

When you create a new database that combines multiple templates (as opposed to opening an existing database), you must name the database before you select and import a template. Be sure to give the cumulative database a name that reflects the composite contents (i.e., don't name it for the first template you load).

The Security Configuration and Analysis snap-in also routinely reports that it can't open a database you've previously created—either because the database is corrupt or because the snap-in encountered an unknown error when it tried to load the file. When this problem occurs, you can recreate the database from your carefully documented notes or restore the database from a backup copy. One other annoyance is that the Security Configuration and Analysis snap-in doesn't support renaming or deleting a database. You must perform these operations from Windows Explorer or at a command prompt.
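Because the snap-in keeps no record of which templates went into a composite database, it helps to keep that record yourself. The following Python script is an added example, not part of the original article or of the Security Configuration Tool Set: it merges template .inf text in import order and reports which template supplied each setting. It assumes that a later import overrides an earlier one for the same setting; the file names base.inf and secure.inf and their contents are constructed samples, not the real built-in templates.

```python
# Added example: track which template supplied each setting in a composite.
# Assumption: a later import overrides an earlier one for the same setting.

def parse_template(text):
    """Parse security-template .inf text into {(section, key): value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section is None or section in ("Unicode", "Version"):
            continue                              # header sections, not policy
        key, sep, value = line.partition("=")
        settings[(section, key.strip())] = value.strip() if sep else ""
    return settings

def merge_in_order(templates):
    """templates: list of (name, inf_text) in import order.
    Returns {(section, key): (value, source, overridden_sources)}."""
    composite = {}
    for name, text in templates:
        for setting, value in parse_template(text).items():
            earlier = composite.get(setting)
            history = earlier[2] + [earlier[1]] if earlier else []
            composite[setting] = (value, name, history)
    return composite

def report(composite):
    """One line per setting, naming the template that set the final value."""
    lines = []
    for (section, key), (value, source, history) in sorted(composite.items()):
        note = f" (overrides {', '.join(history)})" if history else ""
        lines.append(f"[{section}] {key} = {value}  <- {source}{note}")
    return lines

# Constructed sample content; NOT the real contents of the built-in templates.
BASE = """[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
"""
SECURE = """[System Access]
MinimumPasswordLength = 8
[Event Audit]
AuditLogonEvents = 3
"""
COMPOSITE = merge_in_order([("base.inf", BASE), ("secure.inf", SECURE)])

if __name__ == "__main__":
    print("\n".join(report(COMPOSITE)))
```

Saving the report next to the database gives you the documented notes you need if the database must be recreated.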

Room for Improvement
After experimenting with the Security Configuration Tool Set, I've identified several features that would make these utilities more convenient. But first I want to discuss one obvious security problem. The .inf files, databases, and log files that these tools create contain system-configuration data such as registry settings and values and file-system access controls. To protect this sensitive information, I recommend that you restrict access to these files to administrators and security personnel. Although one directory that contains all the template files, databases, and log files is important for usability reasons, having one directory also lets you monitor and restrict access to sensitive OS security configuration information (e.g., through ACLs and directory-access auditing). Here's a list of tool-set shortcomings that you should be aware of:

  • You can't redirect either the Security Templates snap-in or the Security Configuration and Analysis snap-in, so you can use them only on the local system. The ability to apply a template to a remote system independent of Active Directory (AD) would make auditing and configuring a remote system easier.
  • If you start with a system that doesn't conform to any of the built-in templates, you can't tell the Security Configuration and Analysis snap-in to create an .inf file of the system's current settings, which means that you must always set a system to a known state with one of the basic templates before you test another built-in or custom policy.
  • The Security Configuration and Analysis snap-in can access only one database at a time. If you're testing two templates that you apply incrementally, it's easier to have both databases handy as you make and test template changes. The alternative is to import multiple templates into one database. However, because the Security Configuration and Analysis snap-in can't roll back a specific template, tracking what the database contains is difficult.
  • Security templates don't support implementing file or printer share permissions, setting the user account and password for a service, or checking service pack and hotfix versions.
  • Both the Security Configuration and Analysis and the Security Templates snap-ins are slow when loading templates and either creating or opening a database, which I'm sure is a function of the code that parses the complex .inf files.
  • Win2K stores security templates in the default location \win2k\security\templates. The Security Configuration and Analysis snap-in stores databases in the default document location (typically, My Documents). To keep track of your templates and databases, I recommend that you create a separate directory to store all the files that the Security Configuration Tool Set utilities access and produce. Copy the Win2K templates into this directory, and store all the Security Analysis and Configuration tool databases in this location.
  • When you analyze or configure a system, the Security Templates snap-in and the Security Configuration and Analysis snap-in create but never delete temporary files in the security database directory (by default, the My Documents and Settings folder). The files follow the naming convention Sctxxx.tmp and have a size of zero bytes. You can safely delete these temporary files at any time.

Making Enterprise Security Easier
Despite its shortcomings, you can employ the Security Configuration Tool Set to define, implement, audit, and enforce corporate security standards on workstations and servers throughout your enterprise. The Security Templates snap-in helps you define several levels of workstation and server security-specific configurations once. With the Security Configuration and Analysis snap-in, you can interactively configure a system with the template that corresponds to its function. You can also interactively audit a system to determine whether the security settings conform to the security role you previously defined. I didn't explain how you define file-system or registry ACLs or how you can include registry entries in a template. Fortunately, the applicable online Help is fairly straightforward. If you're responsible for defining, configuring, and enforcing Win2K security, you've learned most of what you need to know to get the job done.
