Microsoft

Lock IT Down: Secure WinNT with the Security Configuration Manager

Eliminate the need to use a host of other utilities by using the NT SCM to create a centralized interface to many security parameters.


Windows 2000 has not yet completely supplanted Windows NT in the enterprise. Windows NT's enduring vitality is evidenced by the fact that Microsoft has extended support for the operating system for an additional year. As a result, admins who are responsible for Windows NT servers still need to keep them safe and secure.

One tool that can be of great assistance in this endeavor is the Security Configuration Manager (SCM), which was originally introduced in Windows NT Service Pack 4. If you run NT systems and have not yet taken a look at this tool, it’s time to break it out and get it running.

What is it for?
Windows NT includes a number of utilities that let you secure portions of the system. Unfortunately, the more utilities it takes to lock down a system, the more likely it is that you will either miss something or simply not have the time to do the job the way it needs to be done. The NT SCM provides a centralized interface to many of these security parameters, eliminating the need to use a host of other utilities.

How is it run?
Assuming that you have installed at least Service Pack 4 for Windows NT (and by this time, I sincerely hope that you have), the SCM is already available for your use. To run it, start the Microsoft Management Console by choosing Start | Run, typing the command mmc, and pressing [Enter]. With the MMC running, choose Console | Add/Remove Snap-in. Click the Add button, choose Security Configuration Manager from the list of available snap-ins, and then click OK twice.

If the SCM option does not appear on the list of available snap-ins, it's possible that you installed an NT server and may have installed the option pack after installing SP6. In this case, you'll need to download the SCM files from Microsoft. Once you do so, run the installer using the instructions provided and try these steps again. When successful, you'll get a screen similar to the one in Figure A.

Figure A
Security Configuration Manager MMC


Using the utility
The SCM consists of a number of templates that match the role the server plays on the network. For example, if you are running a Windows NT 4 server as a domain controller, you may want to consider using the basicdc4 security template. We'll take a closer look at templates in a minute.

Scanning the system
The SCM can help you determine the current security parameters of the system. Just select the item that begins Database, right-click on it, and choose the Analyze System Now option. You will be asked for a location in which to save the error log. In most cases, you can simply use the default. After you've completed this step, a number of parameters will be added underneath the Database option. Each parameter corresponds with a specific security area. See Figure B for a sample of this on my testing system.

Figure B
Sample output from a system analysis


Upon further inspection and drilling down into the data, it becomes apparent that the testing system in my lab is not well locked down at all. In fact, even a simple precaution such as a password policy is not in place for this system (Figure C).

Figure C
The password policy for the NT system in my lab


An easy way to fix this mess
Since this testing system running NT is a new installation, it makes sense that many of the security options that are in place on my production systems are not yet mimicked here. What I need is a quick, easy way to set this information so that I don’t have to try to find every single parameter and set it to a reasonable value.

Luckily, the SCM comes with a number of preconfigured security templates. As an example, let's say that I want to tightly secure this system by setting a strict password policy, auditing login successes and failures, and setting AutoDisconnect parameters—while keeping in mind that this system is also a domain controller. One of the stock security templates, hisecdc4, can take care of this.

Looking through the parameters, you can see that hisecdc4 sets a password policy requiring a minimum of eight characters with a password age of 42 days and prohibiting duplication of the six most recent passwords. In addition, hisecdc4 audits all login failures and sets an AutoDisconnect time of 15 minutes for idle sessions. One parameter it does not include but that I would like to add is the auditing of logon successes.

This can be easily rectified by browsing to the hisecdc4 security template and choosing Local Policies | Audit Policy. This will bring up all of the policies related to system auditing. One of these policies is named Audit Logon Events. Opening this policy shows that only failures are audited. To enable auditing of logon successes, all I have to do is select the appropriate check box (Figure D) and click OK.

Figure D
Enabling logon success auditing


Before I can apply this policy to the current system, I have to save it. Since I’ve made changes to a default template, I’ll save it as hisecdc4-lowe by right-clicking on the modified template, choosing Save As, and entering the new name.

Next, I just right-click on the Database item at the top of the window and choose Configure System Now. After a couple of minutes, I choose to analyze the system again. As Figure E shows, the security parameters set in this example are enabled now.

Figure E
The logon audit parameter is now set on this system.


Summary
If you haven’t had the opportunity to make use of this tool, there’s no better time than the present. If you need to configure multiple similar NT servers, you can even reuse your custom security templates to make hardening your servers a breeze. While it’s not a new utility, the SCM is invaluable for helping you secure and protect your Windows NT infrastructure.

Editor's Picks