Security

SolutionBase: Using the Secedit tool to work with security templates

Windows Server 2003 allows you to create security templates to quickly and easily secure your network. Multiple templates applied to a user can conflict and create unintended results. Here's how you can verify security template settings using Secedit.

This article is also available as a TechRepublic download.

One of the biggest pains for administrators in this day and age is security compliance. Federal regulations and at the risks of data disclosure related litigation from customers mean that administrators must make security a top priority.

There are all sorts of third party tools designed to monitor and audit your network to verify that your corporate security policy is being adhered to. What you might not realize though is that there are similar tools built right into the Windows Server 2003 operating system. These tools might not be quite as powerful as some of their third party counterparts, but you might be surprised at just how well they do when it comes to policy enforcement.

In this article, I'm going to talk about two separate tools. The first tool I want to show you is the Security Configuration and Analysis tool. The main tool that I want to talk about though, is the Secedit tool. Secedit is the command line version of the Security Configuration and Analysis tool. Both of these tools are designed to compare your server's current security settings against the template that defines the corporate security policy. The idea is that the server's security settings should always match the template settings. If there are discrepancies, then it may mean that the server in question is not in compliance with your corporate security policy. These two tools will highlight any discrepancies that may exist.

The Security Configuration and Analysis tool

The Security Configuration and Analysis tool does a great job of verifying that a server is adhering to the corporate security policy. However, if you have a large number of servers that you need to verify policy compliance for, then the Security Configuration and Analysis tool is kind of impractical. This is where the Secedit tool comes into play. Being that Secedit is a command line tool, you can easily create a script that will run Secedit against all of your servers.

I want to begin by quickly demonstrating the Security Configuration and Analysis tool. The reason why I want to show you this tool is because it is basically the graphical version of the Secedit tool that I will show you later on. Since GUI based tools tend to be easier to understand and to use, I wanted to start by showing you the GUI version.

Begin by entering the MMC command at the run prompt. Upon doing so, Windows will load an empty Microsoft Management Console. Select the Add/Remove Snap in command from the console's File menu. When you do, Windows will display the Add/Remove Snap in properties sheet. Click the Add button and you will see a list of available snap-ins. Select the Security Configuration and Analysis option from the list and click the Add button followed by the Close and OK buttons.

Now that the Snap-in is loaded, right-click on the Security Configuration and Analysis container and select the Open Database command from the resulting shortcut menu. You will now see a window asking you for the filename of the database that you want to load. If this is the first time that you've run the Security Configuration and Analysis tool, then there won't be a database. If that's the case, then just enter a filename to use for a database and click the Open button. Doing so will create a database with the filename that you've specified.

At this point, you must select the security template to compare the server's configuration to. Windows contains about half a dozen predefined security templates, or you can always create your own. Select a template and click the Open button. Now, right-click on the Security Configuration and Analysis container and choose the Analyze Computer Now command from the resulting shortcut menu. Windows will now prompt you to enter the path to the error log. Just go with the defaults, and click OK.

The Security Configuration and Analysis tool will now take a moment to compare the server's security settings against the template that you've selected. When the process completes, you'll see a screen that looks like the Group Policy Object Editor console, as shown in Figure A. As you scroll through this console though, you'll notice that the server's settings are compared against the template settings. Any deficiencies are flagged with an icon containing a big red X, as shown in the figure.

Figure A

Of the server's security settings are compared against the security settings defined by the template.

The Secedit tool

Now that have shown you how the Security Configuration and Analysis tool works, I want to show you how to use the command line version; Secedit. As I said earlier, the Secedit tool can do the same basic things as the Security Configuration and Analysis tool. The difference is that Secedit is command prompt based, and can therefore be scripted to run against multiple servers.

The Secedit tool has six primary functions; configure, analyze, import, export, validate, and generate rollback. Although the generate rollback function was the last one that are listed above, I want to talk about it first because it is so important.

Generate rollback

To generate rollback feature is designed to make a reverse template. This is simply a template of the server's current settings. The idea is that if something goes horribly wrong, the rollback template can be used to restore most of the server's previous settings. You will notice that I said in most of the previous settings, not all of the previous settings. The rollback template is not able to change access control list entries on files or on registry entries that were changed by the template that you want to undo.

Configure

When I talked about the Security Configuration and Analysis tool earlier, I showed you that sometimes discrepancies can exist between the server's current configuration and at the settings defined by a security template. When these types of discrepancies are found, the easiest way to correct the problem is to simply apply the template settings to the server.

This is what the Configure option does. If you find that a server's configuration does not comply with the settings in your corporate security template, then you can simply run the Secedit tool with the Configure option to apply the template settings to the server.

Analyze

As you may already guessed, the Analyze function is the actual comparison between the template file and the server's current security configuration. I will walk you step-by-step through the Analyze function later on.

Import

When I talked about the Security Configuration and Analysis tool earlier, I showed you that you have to create a database as one of the first steps. This is what the Import function does. The Import function imports a template into a database. You can actually use the Import function to create a database at the same time that you are using the Configure or Analysis functions.

Export

The Export function is designed to allow you to export a template from the database. You can use this function to build a new template by combining two or more existing templates. All you do is add each template in the order that you want and then use the Export command to produce a new template.

Validate

The last function that I want to talk about is the Validate function. As you may know, a template file is actually nothing more than a text file and INF format. That being the case, it is possible to manually add settings to a template by simply adding lines of text to the template file. This is where the Validate function comes into play. You can use the Validate function to validate the syntax of any lines of text that you have added to a template file.

Miscellaneous switches

Before I can show you how to use the six functions that I just talked about, there are some command line switches that you need to know about. Not every function will necessarily support all of these switches, but none of the functions will work without using at least some of the switches.

DB - The DB switch allows you to specify the name of the database file that you want to either create or use. In some cases, you may find that it is necessary to specify the entire path to the database. CFG - The CFG switch allows you to specify the name of the template that you want to use. As was the case with the DB switch, you may sometimes need to specify the entire path to the template file. Overwrite - The Overwrite switch is used with the Import function. Normally, when a template is imported into a database (assuming the database already exists), the template settings are combined with settings that are already stored in the database. If contradictions exist, the settings in the template that is being imported will overwrite existing contradictory settings. If the Overwrite switch is used though, then the databases purged prior to the import function. This provides the same basic functionality as creating a brand new database. Log -Errors are always logged, whether the Log switch is used or not. If the Log switch is not used, then errors are logged to the Windows\Security\Logs\Scesrv.log file. What the Log switch does is that it allows you to specify a log file to be used in lieu of the default log file. Quiet - The Quiet switch is very useful if you are creating a script containing Secedit command. Normally, certain functions, such as Configure, ask the user for confirmation before the command is executed. If the Quiet switch is specified, then Secedit will refrain from asking the user for confirmation. Areas - The Areas switch is one of the trickier switches to use. As you may know, a template file does not just contain group policy object settings. It can also contain things like registry settings and access control entries. Normally when a template is applied, the template is applied at its entirety. Secedit does not care what type of data the template actually contains (assuming that the data types are valid).

With the Areas switch does, is that it allows you to specify which types of data from the template should be applied. All other types of data within the template are ignored. Valid data types are:

SECURITYPOLICY - including account policies, audit policies, event log settings, and security options. GROUP_MGMT - includes restricted groups settings. USER_RIGHTS - includes user rights assignments. REGKEYS - includes registry permissions. FILESTORE - includes file system permissions. SERVICES - include system service settings.

Creating a database

Now that I have shown you all of the functions and switches that Secedit supports, it's time to actually do something with Secedit. I want to begin by showing you how to create a database. As I explained earlier, creating a database is done through the Import function. The syntax for using Secedit with the Import function is as follows:

SECEDIT /IMPORT /DB database.sdb /CFG template.inf /OVERWRITE

In the command above, you'd replace database.sdb with the name of the database that you're creating. Likewise, you are placed template.inf with the name of the template that you want to base the database on. In this command, the Overwrite switch is optional.

When I talked about the available switches, I mentioned that when you run the Import function, that it is sometimes necessary to provide a full path to the database that you're creating and to the template that you're importing. One way of getting around this requirement is to switch to the folder containing the templates prior to running be Secedit command. By default templates are stored in the C:\WINDOWS\security\templates folder. To change to this folder from a command prompt, you would enter the following commands:

C:

CD\windows\security\templates

Now suppose that you wanted to create a database named BRIEN.SDB based on a template named HISECWS.INF. To do so, you would enter the following command:

SECEDIT /IMPORT /DB brien.sdb /CFG hisecws.inf

Analyzing the server

Now that I've shown you how to create a database, let's perform an analysis using the database that we have just created. The syntax is very straightforward if you take into account the rules that I discussed earlier. The syntax for the command would be:

SECEDIT /ANALYZE /DB brien.sdb /CFG hisecws.inf /OVERWRITE /LOG output.txt

This command will create a log file in the current directory named OUTPUT.TXT. If you scroll through the log file, you can see a list of every security setting for which the computer differs from the template.

That's it!

Command line tools can be fairly intimidating to use, especially when they have as many options as the SECEDIT tool does. However, if you take the time to understand the various SECEDIT options that I have discussed in this article, the syntax becomes very straightforward. If you still have trouble figuring out SECEDIT though, you always have the Security Configuration and Analysis console to fall back on.

Editor's Picks

Free Newsletters, In your Inbox