Securing a Windows Server? Time to Talk SCAT.

Windows Security Configuration and Analysis Tool, Part One: With the Windows Server 2003 SCA Tool, you've got a valuable means to lock down your server. Here's how to use one of the best tools you may have never heard of.

By Drew Bird | Posted Sep 13, 2004
Page 1 of 2
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

One of the problems with managing security on a Windows Server 2003 system is the sheer volume of available settings. Even seasoned administrators often find it difficult to keep track of which setting has been set to what value. To make the tracking and checking of security settings simpler, Microsoft provides, with Windows Server 2003, the Security Configuration and Analysis (SCA) tool. Like other minority Windows tools, however, many people are not aware of the SCA’s existence. Fewer still are aware of its value.

One reason that the SCA tool is not as widely known as some of the other Windows Server 2003 administration tools is that it is doesn’t have a shortcut on the Administrative Tools menu. Instead, the SCA tool is a Microsoft Management Console (MMC) snap-in that must be manually added.

To do this, start a blank MMC by clicking Start»Run and then typing MMC in the Open field. Click OK . Next, from within the blank MMC, click the File menu and choose Add/Remove snap-in . From the Add/Remove Snap-in dialog box, click Add and then choose Security Configuration and Analysis Tool from the Available Standalone Snap-ins list. Click Add. While you are in this screen, it is also a good idea to add the Security Templates snap-in to the console. More about security templates and their role in a moment.

Figure 1. Adding the SCA snap-in
(Click for a larger image)
Once you have added the new snap-ins, click close. Then, on the Add/Remove Snap-in dialog, click OK. You should end up with a screen that looks like that shown in Figure 1.

Before going any further, save your customized MMC so that when you come to use the SCA tool again, you don’t have to start over creating a customized MMC. To save the MMC, simply click File»Save As, and then give your new MMC a name. You can save the shortcut anywhere, but the Administrative Tools menu, which is the default location, seems like an obvious place.

Security Templates and the SCA Tool

Before we talk more about the Security Configuration and Analysis tool itself, we should take a moment to discuss security templates, as without them, the SCA tool is basically pointless.

In simple terms, security templates are text files that contain security settings. Windows Server 2003 comes with a number of default security templates, all of which are located in the %SystemRoot%\Security\Templates folder. Nine default templates are provided.

  • Compatws.inf– Provides settings that allow users who are not members of the Power Users group to run applications that do not comply with the Windows Logo Program for Software.

  • DCSecurity.inf– Created when a system running Windows Server 2003 becomes a domain controller. Contains security modifications associated with the domain controller role including file system and registry permissions.

  • Hisecdc.inf– Provides additional security (over and above that provided by the Securedc.inf template) for domain controllers.

  • Hisecws.inf– Provides additional security (over and above that provided by the Securews.inf template) for member servers.

  • Iesacls.inf – Provides tighter security configuration for Internet Explorer.

  • Rootsec.inf – Allows you to reset the default file system permissions for the system drive on a Windows Server 2003 system.

  • Securedc.inf – Intended for domain controllers, this template tightens up account policies, auditing policies. It also increases restrictions for anonymous users.

  • Securews.inf – Intended for member servers, this template increases security while maintaining compatibility.

  • Setup Security.inf – Created by the Windows Server 2003 Setup program. Enables you to revert the security configuration back to the point at which the operating system was installed or upgraded.

Figure 2. A look at a SCA Tool template
(Click for a larger image)
Each of these templates can be modified from the existing settings through the Security Templates MMC snap-in, which we added earlier. However, best practice dictates that you make copies of these templates, by using the Save As feature, so as to leave the original templates intact.

Some of the templates, such as the DCSecurity.inf template, contain a wide range of settings, while others, such as the Rootsec.inf template contain very few. All, however, contain the same database of available settings as shown in Figure 2. The difference between the templates is how many and which of the settings are configured. The range of settings within the templates is significant, as it these elements that are included in the SCA Tool analysis.

Continued on page 2: Security Templates and the SCA Tool

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter