For a Windows 2003 system administrator, the most important concern is the security of the Windows 2003 system. To improve it, we may apply a wide range of security settings, but do those settings really raise the system's security level? Which unsafe factors remain? What overall level of security has the system reached? For these questions we need a holistic understanding and control.
I. Basics of Security Configuration and Analysis and security templates
1. Security Configuration and Analysis
Security Configuration and Analysis is a tool for analyzing and configuring local system security. It includes:
• Security analysis
The state of the operating system and of the applications on a computer is dynamic. For example, to resolve an administrative or network problem quickly, you may need to change the security level temporarily. Such a change is often never reverted, which means the computer no longer meets the enterprise's security requirements. Regular analysis, as part of an enterprise risk management program, lets an administrator track and ensure that every machine keeps a sufficiently high level of security. Administrators can adjust the security level and, most importantly, detect any security weaknesses that appear during the system's long-running operation. Security Configuration and Analysis lets you review the results of a security analysis quickly: it places recommendations next to the current system settings and highlights, with visual markers or notes, the areas where the current settings do not match the recommended security level. It also provides the means to resolve any inconsistencies the analysis reveals.
• Security Configuration
Security Configuration and Analysis can also be used to configure security for the local system directly. Using a personal database, you can import security templates created with the Security Templates snap-in and apply them to the local computer. This immediately configures system security at the level specified in the template.
2. Security Templates
Using the Security Templates snap-in of the Microsoft Management Console, you can create security policies for your computer or your network. It is a single point of entry that takes the overall, system-wide security into account. The Security Templates snap-in introduces no new security parameters; it simply organizes all existing security attributes in one place to simplify security management. Importing a security template into a Group Policy object simplifies domain administration by configuring the security of a domain or organizational unit at once. To apply a security template to the local computer, use Security Configuration and Analysis or the secedit command-line tool.
A security template can be used to define the following:
• Account Policies
  • Password Policy
  • Account Lockout Policy
  • Kerberos Policy
• Local Policies
  • Audit Policy
  • User Rights Assignment
  • Security Options
• Event Log: application, system and security event log settings
• Restricted Groups: membership of security-sensitive groups
• System Services: startup type and permissions of system services
• Registry: permissions on registry keys
• File System: permissions on folders and files
Each template is saved as a text-based .inf file. This lets you copy, paste, import or export some or all of the template's attributes. A security template can contain all security attributes except IPsec and public key policies.
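As an added illustration (not a template shipped with Windows and not code from the original article), the following hand-written template shows how the areas listed above appear in the .inf text. The file name baseline.inf and every value in it are constructed for this example; the Security Options under [Registry Values] use the same path=type,data notation as the built-in templates, where type 4 is REG_DWORD.

```ini
; baseline.inf -- constructed example template (not one of the built-in templates)
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

; Account Policies: password and lockout policy are stored in [System Access]
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 90
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30

; Local Policies / Audit Policy: 0 = none, 1 = success, 2 = failure, 3 = both
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
AuditAccountManage = 3

; Local Policies / User Rights Assignment: rights are granted by SID
; (S-1-5-32-544 is the built-in Administrators group)
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544

; Local Policies / Security Options are stored as registry values:
; path=type,data  (4 = REG_DWORD)
[Registry Values]
; Send NTLMv2 only and refuse LM and NTLM responses, as the hisec* templates do
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
; Require SMB packet signing on the server side
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
; Do not allow anonymous enumeration of SAM accounts and shares
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
```

Saving the file as Unicode text (as the Unicode=yes header declares) keeps it compatible with the Security Templates snap-in and with secedit.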
3. Two ways to configure local computer security
Local computer security can be configured either from the command line or through the Windows graphical interface. This section mainly introduces the former. One of the most important features of the Windows command line is how cheap it makes network management: an administrator can perform many complex operations and reach the desired goal simply by entering a few commands in a command-prompt window. Some command-line tools can also be used to diagnose internal physical faults and network security problems, and to automate and batch network management tasks.
DOS under Windows 9x and the command line under Windows NT/2000/XP/2003 both present a black-and-white character interface, but they are different in nature. Windows NT/2000/XP/2003 has shed the shackles of DOS completely; DOS exists only as a virtual machine provided by the operating system. In other words, the command line is no longer the foundation of the system but has become a tool. That does not mean these seemingly simple command-line tools should be underestimated: the command line is still the first resort for thorny problems.
Command-line format: secedit /analyze /db filename.sdb [/cfg filename] [/overwrite] [/log filename] [/quiet]
Main parameters:
/db filename: Specifies the database used to perform the analysis.
/cfg filename: Specifies the security template to import into the database before the analysis is performed. Security templates are created with the Security Templates snap-in.
/overwrite: Specifies that the template given by /cfg overwrites whatever is already stored in the database instead of being appended to it.
/log filename: Specifies a file in which the status of the process is recorded. If it is not specified, the data is recorded in Scesrv.log in the %windir%\security\logs folder.
/quiet: Runs the process without prompting the user.
Using the secedit command-line tool to create templates: with Secedit.exe in a batch file or at the command prompt, possibly scheduled with the Task Scheduler, you can automatically create and apply templates and analyze the security of your system. You can also run the command interactively from a command prompt. Secedit.exe is useful when you have to analyze or configure the security of multiple computers and need to perform the task outside working hours. To view the complete syntax of the command, enter secedit /? at the command prompt; see Figure 1.
Figure 1 The complete syntax for the secedit command
The subcommands are briefly described below:
• secedit /analyze: Analyzes the security settings on a computer by comparing them with the baseline settings in the database.
• secedit /configure: Configures the local computer's security settings by applying the settings stored in the database.
• secedit /export: Exports the security settings stored in the database to a template.
• secedit /import: Imports a security template into a database, so that the settings specified in the template can be applied to the system or used as the baseline for analyzing the system.
• secedit /validate: Verifies the syntax of a security template before it is imported into an analysis database or applied to the system.
• secedit /generaterollback: Generates a rollback template from a configuration template. When you apply a configuration template to a computer, you can create a rollback template first; applying it later resets the security settings to the values they had before the configuration template was applied.
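The subcommands above are normally chained in one script: validate the template, generate a rollback template, analyze, review the mismatches, and only then configure. The batch file below is an added example (not from the article or from Microsoft); the file names baseline.inf, baseline.sdb, baseline.log and baseline-rollback.inf are constructed, it assumes it is run as a local administrator in the directory holding the template, and it assumes secedit sets a non-zero exit code when validation fails.

```batch
@echo off
rem apply_baseline.cmd -- constructed example; baseline.inf is a hypothetical custom template
setlocal
set TEMPLATE=%CD%\baseline.inf
set DB=%CD%\baseline.sdb
set LOG=%CD%\baseline.log
set ROLLBACK=%CD%\baseline-rollback.inf

rem 1. Check the template syntax before touching the system.
secedit /validate %TEMPLATE%
if errorlevel 1 (
    echo Template %TEMPLATE% failed validation, aborting.
    exit /b 1
)

rem 2. Build a rollback template from the current settings so the change can be undone.
secedit /generaterollback /cfg %TEMPLATE% /rbk %ROLLBACK% /log %LOG% /quiet

rem 3. Analyze only: import the template into the database and compare it with the
rem    live settings. /overwrite discards any earlier contents of the database so the
rem    comparison is against this template alone.
secedit /analyze /db %DB% /cfg %TEMPLATE% /overwrite /log %LOG% /quiet

rem 4. List the settings that differ from the baseline: the analysis log marks them
rem    with lines that contain "Mismatch". Nothing has been changed yet.
echo Settings that differ from %TEMPLATE%:
findstr /C:"Mismatch" %LOG%

rem 5. Apply the template only when explicitly asked, and only to the policy areas
rem    it defines (account/audit/security options and user rights); file system and
rem    registry ACLs are left untouched.
if /I "%1"=="/apply" (
    secedit /configure /db %DB% /areas SECURITYPOLICY USER_RIGHTS /log %LOG% /quiet
    echo Applied. To revert: secedit /configure /db %DB% /cfg %ROLLBACK% /overwrite
)
endlocal
```

Run the script without arguments to analyze only; add /apply to also configure the system after reviewing the mismatch list.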
The following security template files are provided by default:
• Default security settings template (Setup security.inf)
The Setup security.inf template is created for each computer during installation. Depending on whether the installation was clean or an upgrade, the template may differ between computers. Setup security.inf represents the default security settings applied during installation of the operating system, including the file permissions on the root of the system drive. It can be used on a server or on a client computer, but not on a domain controller. Parts of this template can be applied for disaster recovery. Do not apply Setup security.inf through Group Policy: the template contains a large amount of data, and because Group Policy is refreshed periodically, applying it that way would move large amounts of data around the domain and severely degrade performance. It is therefore recommended to apply Setup security.inf locally, and since the secedit command-line tool supports this, it is the recommended tool.
• Domain controller default security settings template (DC security.inf)
This template is created when a server is promoted to a domain controller. It reflects the default security settings for files, the registry and system services. Reapplying it resets the security settings in those areas to their default values, and may overwrite the permissions on new files, registry keys and system services created by other applications. Apply it with the Security Configuration and Analysis snap-in or the secedit command-line tool.
• Compatibility Template (Compatws.inf)
The default permissions on workstations and servers are granted mainly to three local groups: Administrators, Power Users and Users. Administrators have the highest privileges and Users the least. Because of this, you can dramatically improve security, reliability and the overall cost of system ownership by ensuring that end users are members of the Users group and by deploying applications that members of the Users group can run successfully. A user with Users permissions can run any application that has qualified for the Windows Logo Program for Software, but may not be able to run applications that do not meet the program's requirements.
• Advanced Security Templates (Hisec*.inf)
Highly secure templates are extensions of the secure templates that further restrict encryption and signing, which are required for authentication and for protecting data sent over secure channels and between SMB clients and servers. For example, a secure template can make a server refuse LAN Manager responses, while a highly secure template makes it refuse both LAN Manager and NTLM responses. A secure template enables server-side SMB packet signing, whereas a highly secure template requires it. In addition, a highly secure template requires strong encryption and signing of the secure-channel data that forms the trust relationship between a domain and its members and between domains. Hisecdc.inf and Hisecws.inf are the highly secure templates.
• system root security template (Rootsec.inf)
Rootsec.inf specifies root-directory permissions. By default, Rootsec.inf defines the permissions for the root of the system drive. If the root permissions are changed inadvertently, you can use this template to reapply them, or modify the template to apply the same root permissions to other volumes. The template does not overwrite permissions that have been explicitly defined on child objects; it only propagates the inheritable permissions to child objects.
• No Terminal Server user SID template (notssid.inf)
The default file system and registry access control lists on a server grant permissions to the Terminal Server security identifier (SID). The Terminal Server SID is used only when Terminal Server runs in application compatibility mode. If you are not using Terminal Server in that mode, you can apply this template to remove the unnecessary Terminal Server SID entries from the file system and registry locations. However, removing the access control entries for the Terminal Server SID from these default locations does not increase the security of the system. Rather than removing the Terminal Server SID, run Terminal Server in full security mode, in which the Terminal Server SID is not used.
The above has described the command-line method of configuring local computer security; the following describes how to do it in the Windows graphical interface.
II. Using the Security Configuration and Analysis tool
The following is the detailed procedure for raising the security of a Windows 2003 system with the Security Configuration and Analysis tool in the graphical interface:
1. Log on with administrator rights
You must first log on to the system as a member of the Administrators group in order to load the snap-in and perform the system security analysis and configuration. Note: To perform this procedure, you must be a member of the local computer's Administrators group, or you must have been delegated the appropriate permissions. If the computer is joined to a domain, members of the Domain Admins group may also be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
2. Open Security Configuration and Analysis
To open Security Configuration and Analysis, click Start, click Run, enter mmc and click OK. On the File menu, click Open, select the console you want to open and click Open. Then, in the console, press Ctrl+M to open the Add/Remove Snap-in dialog box, as shown in Figure 2.
Figure 2 Using the Ctrl+M shortcut to open Add/Remove Snap-in
3. Add the Security Configuration and Analysis snap-in
In the Add/Remove Snap-in dialog box, click Add on the Standalone tab; in the Add Standalone Snap-in dialog box that appears, select Security Configuration and Analysis in the list and click Add, as shown in Figure 3.
Figure 3 Adding the Security Configuration and Analysis snap-in
4. Complete the addition
Click Close to return to the Add/Remove Snap-in dialog box, where the newly added Security Configuration and Analysis item appears in the list; click OK to finish loading the Security Configuration and Analysis snap-in. Note: a security analysis is based on the security templates supplied with the system, so the user must open or create a database containing security information and select a suitable security template.
5. Open the database
In the console window, right-click Security Configuration and Analysis under the Console Root node and select Open Database on the shortcut menu. If this is the first security analysis of the system, you need to create a new database: enter a name for it in the File name box of the Open Database dialog box and click Open.
6. Security Templates
In the Import Template dialog box that appears you can see several security template files; their security levels and effects are as follows:
Predefined security templates are provided as a starting point for creating security policies customized to meet different organizational requirements. You can customize a template with the Security Templates snap-in. Once you have customized the predefined templates, you can use them to configure the security of a single computer or of thousands of computers. A single computer can be configured with the Security Configuration and Analysis snap-in, with the secedit command-line tool, or by importing the template into the local security policy. Multiple computers can be configured by importing the template into Security Settings, which is part of the Group Policy extension. With the Security Configuration and Analysis snap-in, a security template can also serve as the baseline for analyzing a system for potential security weaknesses or policy violations.
Note: you can view the settings of a security template in the Security Templates snap-in; the *.inf files can also be viewed as text files. They are located in %windir%\security\templates, where %windir% is the system directory, for example C:\Windows. The steps to define a security template are as follows:
• Open Security Templates.
• Right-click the folder where you want to store the new template, and then click New Template.
• In template name, type a name for the new security template.
• In Description, type a description of the new security template, and then click OK.
• In the console tree, double-click the new security template to display its security areas, and navigate to the security setting you want to configure in the details pane.
• In the details pane, right-click the security setting you want to configure, and then click Properties.
• Select the Define this policy setting in template check box, edit the setting, and then click OK.
To use another security template for the analysis, right-click the Security Configuration and Analysis node, click Import Template on the shortcut menu, select the template file you want in the Import Template dialog box, and select the Clear this database before importing check box, as shown in Figure 4. Then repeat the steps above.
Figure 4 Importing Security Templates
7. Security analysis
The system can now be analyzed against a security template. Select a suitable template such as Securews.inf and click Open; then right-click the Security Configuration and Analysis item, select Analyze Computer Now on the menu, specify the path for the error log file in the Perform Analysis dialog box and click OK. This starts the analysis of the system's security settings; see Figure 5.
Figure 5 Screenshot of the analysis of the system's security settings
8. View the security analysis results
When the analysis finishes, expand the items under the Security Configuration and Analysis node; in the list in the right pane you can see which security settings match the recommended security level and which do not, as shown in Figure 6.
Figure 6 Viewing the security analysis results
In Figure 6, the six policies under Password Policy carry a green check mark, indicating a match. A policy marked with a red X does not match, as shown in Figure 7.
Figure 7 Security analysis results: a mismatched policy
The meaning of the security analysis result markers is given in Table 1.
Table 1 Security analysis result description
Flag             | Description
Red X            | The item is defined in the analysis database and on the system, but the security setting values do not match.
Green check mark | The item is defined in the analysis database and on the system, and the values match.
Question mark    | The item is not defined in the analysis database and was therefore not analyzed. An item may not be analyzed because it is not defined in the analysis database, or because the user performing the analysis lacks sufficient permission to analyze a particular object or area.
Exclamation mark | The item is defined in the analysis database but does not exist on the actual system. For example, a restricted group that does not exist on the analyzed system may be defined in the analysis database.
Not highlighted  |
Security Configuration and Analysis displays the analysis results by security area and uses visual indicators to flag problems. For each security attribute in a security area it shows the current system setting and the baseline (database) setting. To change a setting in the analysis database, right-click the item and click Properties.
9. Configure the system security settings
The mismatched policies in the analysis results can now be corrected, and a further analysis then shows whether the result is satisfactory. Right-click the Security Configuration and Analysis item, select Configure Computer Now on the menu, specify the path for the error log file in the Configure System dialog box and click OK to start configuring system security, as shown in Figure 8. After the configuration completes, select Save to finish the operation.
Figure 8 The Configure Computer Now interface
10. Points to note
With the Windows 2003 Security Configuration and Analysis tool you can not only analyze whether your system's security configuration is appropriate but also apply a security configuration, so that your system's security is in your own hands. Two points need attention when using the tool:
• Choose a suitable security template for the analysis and configuration, especially for the configuration step. If the template's security level is too low, existing security weaknesses are hard to find; if it is too high, it may interfere with users' habitual operations. A completely secure system is theoretically impossible, so what we call security is only a trade-off between cost and usability. If every request submitted by a user required biometric verification (such as fingerprint identification), reliability would be very high, but logging on could take users tens of minutes, and they would then find ways to bypass the authentication. The reliability of a system is determined only by the weakest link in the chain. In any security system, people are the weakest link, and technology alone cannot make a system secure.
• On Windows 2000 and Windows XP you can also use the similar Security Configuration and Analysis tools to enhance system security.
Summary: The Security Configuration and Analysis tool provided with Windows 2003 helps us reach this goal; its primary role is to analyze and configure the security of the local system. It can analyze the current system's security settings against security templates of different levels supplied with the system, and in the results it highlights, with visual markers or notes, the areas where the current settings do not match the recommended security level, so that weaknesses in the system's security are identified. At the same time, the tool gives us a quick way to configure the system securely: the user only needs to select an appropriate template, and Security Configuration and Analysis does the rest automatically, making the security of the system easy to control.
Source: Tenkine Author: Cao Jianghua Editor: Bean Technology Application