Analyzing Windows 2000's security

How secure is your Windows 2000 configuration? How can you tell? Microsoft provides the Security Configuration And Analysis Console to let you analyze your server's security. In this Daily Drill Down, Talainia Posey shows you how.


There’s no denying that security is an important part of most networks. With a security system that’s as rich and complex as the one used by Windows 2000, however, how do you ever really know if the security that you’ve set is getting the job done? Fortunately, Windows 2000 comes with a tool called the Security Configuration And Analysis Console that you can use to test your network’s security. In this Daily Drill Down, I’ll introduce you to this tool. As I do, I’ll also explain how to use the Security Configuration And Analysis Console.

What is the Security Configuration And Analysis Console?
As the name implies, the Security Configuration And Analysis Console is a tool that allows you to view your organization’s current security and then analyze it to test for weaknesses or discrepancies. You can also use the tool to correct any such problems that you might encounter.

How does it work?
Before you can effectively use the Security Configuration And Analysis tool, it’s necessary to understand how it works. At its most basic level, the Security Configuration And Analysis tool compares your organization’s current security level against a proposed security level. This means you’re telling the machine, “Okay, this is what my security should be set to; now see if the actual security configuration matches my intended configuration.”

Of course, this statement raises the question of how Windows knows your intended configuration. It does so by examining your configuration and comparing it to a security template. Windows 2000 contains several built-in security templates and also offers the ability to create custom templates.

Working with the Security Configuration And Analysis tool
Before you dive right into testing your network’s security, it seems appropriate to briefly go over the steps that you’ll be using. First, you must load the Security Configuration And Analysis Console (I’ll go into more detail below). When the console has loaded, you must select a working security database. Next, you’ll have to import a security template into the working database. You’re now ready to analyze the system’s security. Once the security analysis completes, you should review the results, make any necessary configuration changes, and, optionally, export the security database settings to a template file.

Now that you have an idea of what the process involves, let’s get started by loading the Security Configuration and Analysis Console. To do so, select the Run command from the Start menu. When you see the Run prompt, enter the MMC command. This will load an empty Microsoft Management Console.

When the Microsoft Management Console has loaded, select the Add/Remove Snap-In command from the Console menu. When you see the Add/Remove Snap-In properties sheet, click the Add button on the Standalone tab. You’ll now see a long list of console snap-ins. Select Security Configuration And Analysis from the list, click the Add button, and then click the Close button. You’ll now be returned to the Add/Remove Snap-In properties sheet. Click OK to close the properties sheet. The Security Configuration And Analysis snap-in is now loaded in the Microsoft Management Console.

Importing a security template
Now that the console is loaded, you’re ready to set a working database. To do so, select the words Security Configuration And Analysis from the column on the left. Now, right-click on these words and select the Open Database command from the resulting context menu. Now, select a database to work with. If this is the first time that you’ve run the Security Configuration And Analysis tool, then no databases will exist, so you’ll have to create one. To create a new database, type a filename to assign to the new database and click Open.

If you are creating a new database, then the next screen that you’ll see is the Import Template dialog box. This is where you select the security template that you want to use as a security standard. Select the desired security template and click Open. You now have a working security database.

Before I continue discussing the security analysis process, I need to take a moment and explain a few things about the template you imported into the security database. You probably noticed there were quite a few templates from which to choose. As you might have guessed, each template has a specific purpose. It’s very possible and likely that a single template isn’t going to get the job done, unless of course you’ve already created a custom template.

If you find yourself in a situation in which a single template is inadequate, you can import multiple templates into the security database, but you’ll have to do some thinking first. Although each security template has a different purpose, many of the templates share at least a couple of settings. As you import a template, every setting it contains overwrites the corresponding setting already in the security database. This means that if you import a second (or third, fourth, etc.) template, the settings unique to that template are added to the database, while any setting it defines in common with an earlier template replaces the earlier value. Import order therefore matters: the last template imported wins for every setting it defines.

With this in mind, you can import additional templates by right-clicking on the words Security Configuration And Analysis in the column on the left and selecting the Import Template command from the resulting context menu. Of course, this step assumes that you already have a security database containing at least one template open. When you do, you’ll see the Import Template dialog box. Simply select the template that you want to import and click Open. You can repeat these steps to import as many templates as necessary.

Suppose for a moment that you need to import multiple templates, but you accidentally started with the wrong one. You can start over by opening the Import Template dialog box and selecting the Clear This Database Before Importing check box, selecting the template that should have been first, and clicking OK.

Analyzing your system’s security
Once you’ve imported the appropriate templates, it’s time to begin the analyzing process. Remember that the tool works by comparing your system’s actual security settings against those found in the security database. If the tool detects a mismatch, it will point it out as a questionable security setting.

To analyze the system’s security, right-click on the words Security Configuration And Analysis in the left column and select the Analyze Computer Now command from the resulting context menu. When you do, you’ll see the Perform Analysis dialog box. This dialog box will ask you to confirm the path and filename for the log file that the tool will create. When you’ve verified the log file’s location, click OK to begin the analysis. While Windows 2000 performs the analysis, you’ll see a summary of the different areas being checked. When the process completes, the once basically empty console screen will fill with settings from the security database.

Windows 2000 may give you an error stating that you must first configure your computer. To do so, right-click Security Configuration And Analysis in the left pane and select Configure Computer Now. Windows 2000 will ask for a location for the log file. Just click OK. Then you can go back to analyzing system security as described above.

Reviewing the results
Performing a security analysis is pointless if you don’t review and act on the results. Your first instinct may be to review the log file that you’ve created. However, as you can see in Figure A, the log file tends to be a bit cryptic and can be tedious to look through. Besides, if you go with the default log file location, you’ll have to configure Windows 2000 to show hidden files and folders before you can browse to it.

Figure A
The log file can be a bit tedious to look through and decipher.


A better method for reviewing the Security Configuration And Analysis tool’s findings is to go through the GUI. To do so, simply navigate through the tree structure on the left side of the console. As you select each individual group of policies, you’ll see the results for that area displayed in the column to the right. For example, in Figure B, I’ve navigated to Console Root\Security Configuration And Analysis\Account Policies\Password Policy. Upon selecting Password Policy, the column on the right displays the various password settings, such as password history, password age, and password length.

Figure B
You can view the results of the comparison directly through the Security Configuration And Analysis Console.


As you can see in the figure, the column on the right displays the policy being checked, the database setting, and the computer’s actual setting. Each policy has an icon to the left of it. If the icon contains a red X, it means that the actual setting doesn’t match the database setting.

These columns allow you to quickly and easily check for policy settings that just aren’t up to par. If the icon contains a green check mark, it means that the policy has been checked and that the policy is set to the correct value. If the policy contains neither a check mark nor an X, it means that the policy wasn’t included in the database and therefore wasn’t tested.

Acting on the results
You can tell from Figure B that there were several areas in which my system’s security simply didn’t measure up to the standards I set. So what can you do if this happens to you? Basically, what you’d want to do in such a case is to review each area that failed the test and decide whether the computer’s setting should be changed to match the database or whether the database should be changed to make the computer’s current value the new standard.

Reconfiguring the system
If you decide that some or all of the discrepancies that were found need to be changed to match the database, you can do so by right-clicking on the words Security Configuration And Analysis in the column on the left and selecting the Configure Computer Now command from the resulting context menu. When you do, you’ll see the Configure System dialog box. This dialog box will ask you to verify the location and name of the log file. Once you’ve verified the log file, click OK to continue.

At this point, the system will reset all of the policies to match whatever is in the database. You can confirm the success of this operation by reanalyzing the system’s security. You can see in Figure C that all of my system’s settings were changed with ease to match the database’s settings.

Figure C
You can tell the Security Configuration And Analysis tool to automatically set all of the security settings to match those found in the database.
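As an added illustration (not part of the original article and not the tool’s own code), the following Python script models the three behaviours described above: importing several templates into one database, where a later template overwrites conflicting settings; the analysis that marks each setting as a match (green check), a mismatch (red X), or not tested; and Configure Computer Now, which resets the computer to the database values. The two templates and the “actual” computer settings are constructed samples; the section and key names follow the .inf layout of Windows security templates.

```python
import configparser

# Two constructed templates in the .inf layout the snap-in imports (only [System Access] is modelled).
BASELINE_INF = """
[System Access]
MinimumPasswordLength = 6
PasswordHistorySize = 5
MaximumPasswordAge = 90
"""
HARDENED_INF = """
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 42
LockoutBadCount = 5
"""
# Constructed "actual" settings of the computer being analysed.
ACTUAL = {"MinimumPasswordLength": 8, "PasswordHistorySize": 5,
          "MaximumPasswordAge": 90, "LockoutBadCount": 0,
          "LockoutDuration": 30}

def parse_template(text):
    """Read the [System Access] section of a template into {setting: int}."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the original key casing
    cp.read_string(text)
    return {k: int(v) for k, v in cp["System Access"].items()}

def build_database(*templates):
    """Import templates in order: a later template's conflicting settings
    overwrite earlier ones, and its unique settings are appended."""
    database = {}
    for text in templates:
        database.update(parse_template(text))
    return database

def analyze(database, actual):
    """Report each actual setting as 'match' (green check), 'mismatch'
    (red X) or 'not tested' (setting not defined in the database)."""
    results = {}
    for setting, value in actual.items():
        if setting not in database:
            results[setting] = "not tested"
        elif database[setting] == value:
            results[setting] = "match"
        else:
            results[setting] = "mismatch"
    return results

def configure_computer(database, actual):
    """Configure Computer Now: reset the actual settings to the database values."""
    return {**actual, **database}
```

Re-running analyze() on the output of configure_computer() shows only matches and untested settings, which is the reanalysis step the article uses to confirm the reconfiguration.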


Reconfiguring the database
Now, suppose that you wanted to change the database to match an existing setting. To do so, navigate through the policy tree structure to locate the policy that you want to change. Double-click the policy, and you’ll see the Analyzed Security Policy Setting dialog box.

As you can see in Figure D, this dialog box allows you to change the database value for the policy. Simply set the new value and select the Define This Policy In The Database check box. It’s important to point out that the changes you make here affect only the database; they won’t change the computer’s actual settings, and the templates used to create the database also remain unchanged. If you wanted to change the computer’s settings, you’d have to rerun the security analysis against the modified database and then use the Configure Computer Now option.

Figure D
You can force the database to use the values you specify.


Conclusion
Security can be a tricky, though vital, thing for network administrators to deal with. It can take time to get all of your security policies working the way they should be. In this Daily Drill Down, I explained how you can use the Windows 2000 Security Configuration And Analysis Console to help by testing your organization’s security. I also walked you through the entire testing process.