Windows Security: Make SCAT Sing
Welcome back to our look at the Security Configuration And Analysis (SCA) Tool. In part one of this article we looked at security templates and the part they play, with the SCA tool, in configuring the settings on a Windows Server 2003 system. Now we can look at how you interpret the information provided by the SCA tool, and how to create and apply baseline security templates.
Interpreting the Information Provided by the SCA Tool
There are four possible icons:
- X in a red circle – The policy is defined in the security template and on the system, but the values don’t match.
- Green check mark in a white circle – The policy is defined in the security template and on the system, and the values match.
- Question mark in a white circle – The policy is not defined in the security template and as a result was not included in the analysis. As a note, you will also get this result if the user running the analysis does not have the necessary permissions to access the policy on the system.
- Exclamation point in a white circle – The policy is defined in the security template, but does not exist on the computer.
If no icon is applied to a setting, it simply means that the setting is not configured in the template or on the computer.
At this point, no changes have been made to the configuration of the system. The SCA tool has simply performed the comparison. To see how your configuration matches up with the template, you can click through the results noting how the settings compare. As you work through the settings, you can view the properties of any item by double-clicking it. From within this screen, you can also change values.
After reviewing the settings, and making any changes, you can proceed to configure the system with the new settings. Before you do that, however, consider the following. First, security templates are applied in their entirety. The SCA tool does not allow you to specify certain parts of the template to be applied. You can only do that by using the Secedit.exe command line tool. Second, some of the default security templates have specific requirements that must be met in order for them to be deployed across the entire network. You can find more information on this topic in the Online Help. Unless you are absolutely sure that you want all of the security configuration changes made by the template, and that you understand what changes will occur, you should not apply the template.
Creating and Applying a Baseline Security Template
Having looked at how you use the SCA tool to analyze a system, and configure a system, we can put this knowledge together to create and apply a baseline security template.
There are two ways to create a new template. You can either start from scratch or copy an existing template. To create a new template, in the Security Templates MMC snap-in, right-click the %SystemRoot%\Security\Templates object and choose New Template. You are prompted for a template name and description. After the template is created, you can go through and change the settings as appropriate.
Copying an existing template can often be easier, as the template you copy may have many of the settings you are looking for already configured. Refer to Part One for a description of each of the default templates. Note, though, that some templates contain only a small number of settings and are intended to be applied in addition to other templates. For example, the Hisecdc template is ideally intended to be applied after the Securedc template, because Hisecdc contains only a small number of settings. It relies on the bulk of the settings coming from the existing configuration or from another template such as Securedc.
To make a copy of a template, highlight it in the Security Templates snap-in and choose Save As from the File menu. After naming the new template, you can go through and make changes to the settings. You should also amend the description of the template, as by default it takes the description of the template you copied.
Once you have finished configuring your baseline template, go into the SCA tool and create a new database. During the creation process, choose the baseline security template you just created. It is a good idea to first perform an analysis to see what changes would be made if the template were applied to the system. Alternatively, if you are very confident of your settings, you can simply choose the Configure Computer Now option from the File menu. This will cause all of your changes to be applied, and your server will be in the ‘baseline’ configuration.
To apply the same settings to other servers, you have a number of options. For a small number of servers, you may just want to copy the baseline template to the other systems, and then use the SCA tool to configure the settings. If you have a large number of servers, you can apply the security template via Group Policy, or through script/batch files using Secedit.exe. The advantage of the Group Policy approach is that the security settings will be refreshed periodically. Secedit, on the other hand, only refreshes the settings when you run the command.
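The batch file below is an added example, not part of the original article. It covers both points made above: running an analysis before configuring, and using Secedit.exe to apply only selected areas of a template, which the SCA tool cannot do. The template name baseline.inf, the C:\SecBaseline working folder and the choice of areas are assumptions for illustration.

```bat
@echo off
rem Added example: analyze against a baseline template, then optionally
rem apply only selected areas of it. Run from an administrator prompt.
rem baseline.inf and C:\SecBaseline are assumed names, not from the article.
setlocal
set "TEMPLATE=%SystemRoot%\Security\Templates\baseline.inf"
set "WORKDIR=C:\SecBaseline"
set "DB=%WORKDIR%\baseline.sdb"
set "LOG=%WORKDIR%\baseline.log"

if not exist "%TEMPLATE%" (
    echo Template not found: %TEMPLATE%
    exit /b 1
)
if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem Step 1: import the template into a fresh database and compare it with
rem the current system settings. Nothing on the system is changed here.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
if errorlevel 1 (
    echo Analysis returned a nonzero exit code. Check %LOG%
    exit /b 1
)
echo Analysis complete. Review %LOG% before configuring.

rem Step 2: only configure when the script is called with "apply".
if /i not "%~1"=="apply" exit /b 0

rem Apply only the account/audit policy and user rights areas. The other
rem areas (GROUP_MGMT, REGKEYS, FILESTORE, SERVICES) are left untouched.
rem /cfg is omitted so the settings applied are the ones just analyzed.
secedit /configure /db "%DB%" /areas SECURITYPOLICY USER_RIGHTS /log "%LOG%" /quiet
if errorlevel 1 (
    echo Configuration returned a nonzero exit code. Check %LOG%
    exit /b 1
)
echo Selected areas applied from %TEMPLATE%
endlocal
```

Run it with no argument to analyze only, and with `apply` as the first argument once the log has been reviewed. Because Secedit applies settings only when the command runs, the script has to be scheduled or rerun to reapply the baseline.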
Whichever way you decide to use it, the SCA tool is a valuable addition to any Windows Server 2003 administrator’s toolkit. Even if you only use it to review the settings currently in place on your server, it still provides the benefit of placing a large number of commonly configured settings into one easy-to-use interface.