Securing a Windows Server? Time to Talk SCAT.

By Drew Bird | Sep 13, 2004
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3406931/Securing-a-Windows-Server-Time-to-Talk-SCAT.htm

One of the problems with managing security on a Windows Server 2003 system is the sheer volume of available settings. Even seasoned administrators often find it difficult to keep track of which setting has been set to what value. To make the tracking and checking of security settings simpler, Microsoft provides, with Windows Server 2003, the Security Configuration and Analysis (SCA) tool. As with other lesser-known Windows tools, however, many people are not aware of the SCA tool’s existence. Fewer still are aware of its value.

One reason that the SCA tool is not as widely known as some of the other Windows Server 2003 administration tools is that it doesn’t have a shortcut on the Administrative Tools menu. Instead, the SCA tool is a Microsoft Management Console (MMC) snap-in that must be manually added.

To do this, start a blank MMC by clicking Start»Run and then typing MMC in the Open field. Click OK. Next, from within the blank MMC, click the File menu and choose Add/Remove Snap-in. From the Add/Remove Snap-in dialog box, click Add and then choose Security Configuration and Analysis Tool from the Available Standalone Snap-ins list. Click Add. While you are in this screen, it is also a good idea to add the Security Templates snap-in to the console. More about security templates and their role in a moment.

Figure 1. Adding the SCA snap-in

Once you have added the new snap-ins, click Close. Then, on the Add/Remove Snap-in dialog, click OK. You should end up with a screen that looks like that shown in Figure 1.

Before going any further, save your customized MMC so that when you come to use the SCA tool again, you don’t have to start over creating a customized MMC. To save the MMC, simply click File»Save As, and then give your new MMC a name. You can save the shortcut anywhere, but the Administrative Tools menu, which is the default location, seems like an obvious place.

Security Templates and the SCA Tool

Before we talk more about the Security Configuration and Analysis tool itself, we should take a moment to discuss security templates, as without them, the SCA tool is basically pointless.

In simple terms, security templates are text files that contain security settings. Windows Server 2003 comes with a number of default security templates, all of which are located in the %SystemRoot%\Security\Templates folder. Nine default templates are provided.

  • Compatws.inf – Provides settings that allow users who are not members of the Power Users group to run applications that do not comply with the Windows Logo Program for Software.

  • DCSecurity.inf – Created when a system running Windows Server 2003 becomes a domain controller. Contains security modifications associated with the domain controller role including file system and registry permissions.

  • Hisecdc.inf – Provides additional security (over and above that provided by the Securedc.inf template) for domain controllers.

  • Hisecws.inf – Provides additional security (over and above that provided by the Securews.inf template) for member servers.

  • Iesacls.inf – Provides tighter security configuration for Internet Explorer.

  • Rootsec.inf – Allows you to reset the default file system permissions for the system drive on a Windows Server 2003 system.

  • Securedc.inf – Intended for domain controllers, this template tightens up account policies and auditing policies. It also increases restrictions for anonymous users.

  • Securews.inf – Intended for member servers, this template increases security while maintaining compatibility.

  • Setup Security.inf – Created by the Windows Server 2003 Setup program. Enables you to revert the security configuration back to the point at which the operating system was installed or upgraded.

Figure 2. A look at a SCA Tool template

Each of these templates can be modified from the existing settings through the Security Templates MMC snap-in, which we added earlier. However, best practice dictates that you make copies of these templates, by using the Save As feature, so as to leave the original templates intact.

Some of the templates, such as the DCSecurity.inf template, contain a wide range of settings, while others, such as the Rootsec.inf template, contain very few. All, however, contain the same database of available settings as shown in Figure 2. The difference between the templates is how many and which of the settings are configured. The range of settings within the templates is significant, as it is these elements that are included in the SCA Tool analysis.

Running the SCA Tool

Back to the SCA tool, and before we conclude Part One of this article, we’ll look at the most basic function of the utility – running a security analysis on the system.

When you start the SCA tool for the first time, you are presented with two options - open an existing database, or create a new one. Working on the assumption that a database is not yet in place, creating a new database is the first step. The instructions for creating a new database are provided on the screen, so we won’t cover them here. During the creation process, you are prompted for the security template you would like to import as part of the database. The template you choose will be the one used for comparison to your system settings. For this initial analysis, choose a template such as SecureDC, as it will provide a larger number of configuration settings and subsequent comparisons.

Figure 3. A security analysis in progress.

After creating the database, start the analysis by clicking the Action menu and choosing Analyze Computer Now. You will be prompted for a log file path, and then the analysis will start. The seven areas of configuration discussed earlier are scanned, as shown in Figure 3.

Once the scan is complete, you can view the results of the scan by clicking through the various elements of the policy and viewing the settings. As you can see from Figure 4, which shows the results of an analysis, the settings have icons attached to them such as a red circle with a cross, or a white circle with a question mark. These icons indicate what state that setting is in, compared to the security template used for the analysis.
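
The comparison behind such an analysis can be sketched outside the snap-in. The following is an added example, not code from the article or from Microsoft: it parses a template and an export of the server's current settings, both as INF text, and reports each template setting as `match`, `mismatch` or `not_found`. The sample data is constructed, and the state names are this example's own labels, not the SCA tool's icons.

```python
# Constructed sample data: a cut-down template and a cut-down export of a
# server's current settings. Values are illustrative, not a shipped template's.
TEMPLATE_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
; password and lockout policy
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,2
"""
CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,0
"""
SKIP = {"unicode", "version"}  # file metadata sections, not security settings

def parse_inf(text):
    """Return {(section, key): value}; section and key names are lower-cased."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section and section not in SKIP and "=" in line and line[0] != ";":
            key, value = line.split("=", 1)
            settings[(section, key.strip().lower())] = value.strip().strip('"')
    return settings

def analyze(template_text, current_text):
    """Classify each template setting as match, mismatch or not_found."""
    current = parse_inf(current_text)
    report = {}
    for name, wanted in parse_inf(template_text).items():
        actual = current.get(name)
        same = actual is not None and actual.lower() == wanted.lower()
        state = "match" if same else "not_found" if actual is None else "mismatch"
        report[name] = (state, wanted, actual)
    return report

if __name__ == "__main__":
    for (sec, key), row in analyze(TEMPLATE_INF, CURRENT_INF).items():
        print(f"{row[0]:9} [{sec}] {key}: template={row[1]} current={row[2]}")
```

On a real server the current settings can be written to a file with `secedit /export /cfg <file>`; such files are typically UTF-16, so read them with `encoding="utf-16"` before passing the text to `analyze`.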

Figure 4. Results from a security analysis.

We’ll talk more about the icons and what they mean in Part Two of this article. We’ll also go through the process of verifying and configuring your security configuration from a template. Finally, we’ll look at how to use templates to reestablish baseline security settings on your server. Until next time!