Working With Windows 2000 Security Templates, Part 2
By: Brien M. Posey, MCSE
In Part 1 of this article series, I discussed how you can
use templates to apply a preset level of security to your network. In this
article, I’ll discuss some more things that you can do with security
templates.
Introducing The Security Configuration and Analysis Tool
In my first article on security templates, I showed
you how to apply a security template to a group policy object. Unfortunately,
the method that I demonstrated blindly applies the policy. Blindly applying a
security template is a bad idea since there are cases in which you may want to
leave some existing settings instead of overwriting all of the current settings
with the settings dictated by the template. For example, suppose that you’ve
got a higher level of security applied to your Administrator’s account than to
the rest of the accounts. In such a case, you wouldn’t want to blindly apply a
template that reduces the security level of the Administrator’s account to the
level of the other accounts.
In Part 1, I also discussed the procedure for
creating a custom security template. However, sometimes you may want to create a
custom template based on your existing security structure rather than having to
build the template completely from scratch. The Security Configuration and
Analysis Tool can be used to solve both of these problems.
Right now you may be wondering how the Security
Configuration and Analysis Tool can solve these types of problems. The tool
works by comparing your network’s current security to the security defined by
a template. The Security Configuration and Analysis Tool doesn’t actually
change anything unless you tell it to. Instead, it merely tells you how your
existing security differs from the security prescribed by the template that
you’ve chosen. The report that the tool produces gives you the chance to
review the existing security for settings that you may not want to overwrite
before you blindly apply a security template. The tool can also indirectly help
you to build a custom template based on your current network settings. Simply create
an empty custom template and then compare the empty template to your existing
security structure. You can then check your existing settings and then go back
and edit the template to reflect your current settings.
Working With The Security Configuration and Analysis Tool
Now that you know what the Security Configuration and
Analysis Tool is and have a basic idea of how it works, let’s work through a
real-life situation using the tool. As with most functions in Windows 2000, the
Security Configuration and Analysis Tool runs from within the Microsoft
Management Console. Therefore, you should begin by entering the MMC command at
the Run prompt to load an empty console. When the console loads, select the Add
/ Remove Snap-ins command from the Console menu. When you do, you’ll see the
Add / Remove Snap-In properties sheet. Click the Standalone tab’s Add button
and Windows will present you with a long list of available console snap-ins.
Select Security Configuration and Analysis from the list and click the Add
button followed by the Close button. When you do, Windows will return you to the
Add / Remove Snap-In properties sheet. Click OK to close the properties sheet
and begin using the Security Configuration and Analysis snap-in.
Before I continue, I should mention that this tool
uses a database to record the current settings and the template settings so that
it can make a comparison. Therefore, if this is the first time that you’ve
used the Security Configuration and Analysis Tool, you’ll have to create a
database. To do so, right click on the words Security Configuration and Analysis
from the column on the left, and select the Open Database command from the
resulting context menu. At this point you may either select a database that
you’ve previously created or you can create a new database by simply typing in
a filename to assign to the database. Click the Open button when you’ve made
your selection or typed a filename.
For the purposes of this article, I’m assuming that
this is the first time that you’ve used the tool. Therefore, when you type the
name of the database that you want to create, you’ll see the Import Template
dialog box. This is where you select which security template you want to
use for the comparison. Make your selection and then click the Open button. The
database is now ready to use.
As I mentioned in Part 1, depending on what you’re
trying to accomplish, a single template may be inadequate. If this is the case,
you can import multiple templates into the database. If you choose to do this,
the same rules apply as when importing multiple templates into a group
policy object. This means that if two templates contain contradictory settings,
the template that was imported more recently takes precedence. If you do
decide to import additional templates, you can do so by right clicking on the
words Security Configuration and Analysis in the column on the left and
selecting the Import Template command from the resulting context menu.
When your database contains the desired template or
templates, it’s time to make the comparison. To do so, right click on the
words Security Configuration and Analysis in the column on the left and select
the Analyze Computer command from the resulting context menu. At this point,
you’ll see a dialog box that asks you to confirm the name and location for a
log file that will be created. Although the tool does produce a log file, the
log file can be a bit difficult to read. It’s much easier to get the results
of the comparison directly through the console.
After you’ve specified the log file’s
information, click OK to begin the analysis. A status screen will show you the
progress that the tool is making. When the process completes, the console screen
will fill the column on the left with the same categories that you’d see if
you were looking at a template. You can navigate through the tree structure to
see the differences between the network’s actual settings and those contained
in the database. You can see an example of this in Figure A.
Figure A: The Security Configuration and Analysis Tool displays the
differences between the network’s actual settings and those contained in the
database.
You’ll notice in the figure that the settings that
don’t match contain an icon with an X while the settings that do match use an
icon with a check mark. This can help you to compare differences more quickly.
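The import precedence and the match/mismatch comparison described above can be modeled in a few lines. This is an added example, not part of the original article or of the tool itself; it assumes templates are INF-style text, and the template contents, the stand-in for the computer's current settings, and the function names are constructed for illustration.

```python
# Added illustration, not the tool's own code. Template text and the
# "current" values are constructed sample data.

def parse_inf(text):
    """Parse INF-style template text into {(section, key): value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings

def build_database(*templates):
    """Import templates in order; a later import overrides an earlier one."""
    db = {}
    for text in templates:
        db.update(parse_inf(text))
    return db

def analyze(db, current):
    """Return {(section, key): (database value, current value, matches)}."""
    return {name: (wanted, current.get(name), current.get(name) == wanted)
            for name, wanted in sorted(db.items())}

BASE = """
[System Access]
MinimumPasswordLength = 6
PasswordHistorySize = 12
LockoutBadCount = 5
"""
STRICT = """
[System Access]
MinimumPasswordLength = 8
"""
# Constructed stand-in for the computer's existing settings.
CURRENT = parse_inf("""
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
""")

if __name__ == "__main__":
    report = analyze(build_database(BASE, STRICT), CURRENT)
    for (section, key), (wanted, actual, ok) in report.items():
        print("[ok]" if ok else "[X] ", section, key, "database:", wanted, "computer:", actual)
```

In this sample, PasswordHistorySize is flagged because the computer's value (24) is stricter than the database's (12), which is the kind of setting to review before applying the database.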
Once you’ve reviewed the results, you have some
choices to make. You can either make the database settings match the settings from
your network (or some other value) or you can reset your network’s security to
match the database. If you want to update the database, you can do so by double
clicking on the policy that you want to update. The procedure for doing so is
identical to the procedure for customizing a template. I should point out though
that this operation only updates the database, not the template that you used to
build the database.
If you want to apply the database’s settings to the
network, right click on Security Configuration and Analysis and select the
Configure Computer Now command from the resulting context menu. Upon doing so,
the tool will confirm the name and location of the log file. Once you’ve
confirmed the log file, click OK and all of your settings will be changed to
match the database settings. I should caution that this is a permanent
operation. There is no undo function associated with the operation.
Conclusion
In this article, I’ve explained how you can use the
Security Configuration and Analysis Tool to compensate for some of the
shortcomings of working directly with security templates. As I did so, I walked
you through the process of analyzing a network.