Windows Security: Make SCAT Sing

Windows Security Configuration and Analysis Tool, Part Two: This week we revisit the Windows Server 2003 SCA tool to learn more about how to read what it's telling you, and how to set up your own baseline security templates.

By Drew Bird | Posted Oct 4, 2004

Welcome back to our look at the Security Configuration And Analysis (SCA) Tool. In part one of this article we looked at security templates and the part they play, with the SCA tool, in configuring the settings on a Windows Server 2003 system. Now we can look at how you interpret the information provided by the SCA tool, and how to create and apply baseline security templates.

Interpreting the Information Provided by the SCA Tool

Figure 1. The results of an audit.
We closed part one of this article by looking at the most basic task you can perform with the SCA tool – that of analyzing a system. In this process, the settings configured within your chosen security template are compared with the settings on the computer. The results are displayed, and each item in the template is assigned an icon depending on its state. You can see an example of this in Figure 1.

There are four possible icons:

  • X in a red circle – The policy is defined in the security template and on the system, but the values don’t match.
  • Green check mark in a white circle – The policy is defined in the security template and on the system, and the values match.
  • Question mark in a white circle – The policy is not defined in the security template and as a result was not included in the analysis. Note that you will also get this result if the user running the analysis does not have the necessary permissions to access the policy on the system.
  • Exclamation point in a white circle – The policy is defined in the security template, but does not exist on the computer.

If no icon is applied to a setting, it simply means that the setting is not configured in the template or on the computer.

At this point, no changes have been made to the configuration of the system. The SCA tool has simply performed the comparison. To see how your configuration matches up with the template, you can click through the results noting how the settings compare. As you work through the settings, you can view the properties of any item by double-clicking it. From within this screen, you can also change values.

Figure 2. The Properties page for the Minimum Password Age property.
For example, Figure 2 shows the Properties page for the Minimum Password Age property. The computer setting is 4 days, but the setting from the security template, referred to as the Database setting, has a value of 2. If you want to change or accept the setting, you can do so from this page. Again, though, no changes are being made to the system's configuration. All you are doing is changing the settings in the database created from the security template and the analysis.
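The four analysis states and the Minimum Password Age case from Figure 2 can be modelled in a few lines. This is an added example, not the SCA tool's own code and not part of the original article; the INF contents are constructed samples, and comparing two INF-style files as plain strings is an assumed simplification of what the tool does against its database.

```python
import configparser

# Constructed sample: the template's values (the "Database setting" column).
TEMPLATE_INF = """\
[System Access]
MinimumPasswordAge = 2
MinimumPasswordLength = 8
LockoutBadCount = 5
"""

# Constructed sample: the computer's values (the "Computer setting" column).
COMPUTER_INF = """\
[System Access]
MinimumPasswordAge = 4
MinimumPasswordLength = 8
PasswordComplexity = 1
"""

def parse_inf(text):
    """Return {(section, key): value} for INF-style 'key = value' text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp[s].items()}

def compare(template_text, computer_text):
    """Classify each setting into one of the four states listed above."""
    template, computer = parse_inf(template_text), parse_inf(computer_text)
    report = {}
    for key in sorted(set(template) | set(computer)):
        if key not in template:
            state = "not analyzed"     # question mark: absent from template
        elif key not in computer:
            state = "not on computer"  # exclamation point
        elif template[key] == computer[key]:
            state = "match"            # green check mark
        else:
            state = "mismatch"         # red X
        report[key] = (state, template.get(key), computer.get(key))
    return report

def drift(report):
    """Settings where the computer differs from what the template defines."""
    return [k for k, (state, _, _) in report.items()
            if state in ("mismatch", "not on computer")]

if __name__ == "__main__":
    for (section, name), row in compare(TEMPLATE_INF, COMPUTER_INF).items():
        print(f"[{section}] {name}: {row[0]} (template={row[1]}, computer={row[2]})")
```

Like the analysis step itself, this only reads and compares; nothing on the computer is changed.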

After reviewing the settings and making any changes, you can proceed to configure the system with the new settings. Before you do that, however, consider the following. First, security templates are applied in their entirety. The SCA tool does not allow you to specify certain parts of the template to be applied. You can only do that by using the Secedit.exe command-line tool. Second, some of the default security templates have specific requirements that must be met in order for them to be deployed across the entire network. You can find more information on this topic in the Online Help. Unless you are absolutely sure that you want all of the security configuration changes made by the template, and that you understand what changes will occur, you should not apply the template.

Figure 3. Security changes underway.
If you are ready to apply the settings from the template to the computer, select Configure Computer Now from the Action menu. After providing a path for the error log file, the computer is reconfigured. As the configuration changes are made, a dialog box similar to that shown when the computer is being analyzed is displayed. You can see an example of this in Figure 3.

Continued on page 2: Creating and Applying a Baseline Security Template
