There is no question that your Windows 2000 server is secure, right? Or do you only think it’s secure? Often, you won’t know about security holes until a hacker has already found them for you—and then it’s too late. One way you can beat hackers to the punch is by using Windows 2000’s built-in security tools. In this Daily Drill Down, I’ll take a look at the Security Configuration and Analysis Snap-in and explain how you can use it to analyze and modify security settings for your server.

What is the Security Configuration and Analysis Snap-in?
The Security Configuration and Analysis Snap-in is part of Windows 2000’s Security Configuration Tool Set. The Security Configuration and Analysis Snap-in compares the current security settings on your server against ones specified by security templates. Microsoft includes a set of basic security templates with Windows 2000. These templates include:

  • Basicdc.inf: Default domain controller security
  • Basicsv.inf: Default server security
  • Basicwk.inf: Default workstation security
  • Compatws.inf: Compatible workstation or server security (This setting doesn’t apply to servers. It just allows you to customize security for Windows 2000 Professional workstations to allow users flexibility when running applications.)
  • Hisecdc.inf: Highly secure domain controller
  • Hisecws.inf: Highly secure workstation or server
  • Notssid.inf: A security template that removes unnecessary Terminal Server SIDs from a server’s file system and registry
  • Ocfiless.inf: Security templates for optional components on servers, such as Terminal Server
  • Ocfilessw.inf: Security templates for optional components on workstations
  • Securedc.inf: Secure domain controller settings
  • Securews.inf: Secure workstation or server security
  • Setup Security: The default security settings applied during installation of Windows 2000

As you can see, except for the oddball templates like Notssid.inf and Oc*.inf, the templates are broken down into three major categories: Basic, Hisec, and Secure. Most templates are further divided into ws, sv, and dc subcategories. These subcategories contain security settings specific to workstations, servers, or domain controllers, respectively. In situations where there are only ws or dc choices, stand-alone servers can use the ws templates.

Basic templates provide minimal security and are good for reversing other security templates that you apply. If you overly secure your server, you can use the basic server or DC templates to undo all of those settings and revert your server to a lower security level. Basic settings apply to all areas of server security except for user rights.

Secure templates, Securews.inf and Securedc.inf, increase basic security for your server. These templates modify everything except for file, folder, and registry key security. These are not modified because file system and registry permissions are configured securely by default. If you apply secure settings to your server, you can force your server to use the NTLM authentication protocol, blocking access from workstations that only use LAN Manager requests, such as OS/2 or Windows 9x workstations. Workstations will only be allowed to log on if they run Windows NT with Service Pack 4 or later.

Secure templates increase security by blocking users from untrusted domains from accessing information about the network. Finally, the secure templates also enable Server Message Block (SMB) signing, which causes servers to reject SMB requests from unsigned clients and prevents hackers from spoofing SMB requests.

The highly secure templates, Hisecws.inf and Hisecdc.inf, define maximum-security settings for your Windows 2000 network. Servers configured with a highly secure template can only communicate with other Windows 2000 computers. That’s because servers using the high security templates refuse requests from both LAN Manager and NTLM workstations, which includes requests from older operating systems, as well as SMB clients like Linux and OS/2.

Secure templates enable server-side SMB packet signing, but servers running high security templates require it. Servers using the high security templates require 128-bit encryption and signing for domain-to-member and domain-to-domain trust relationships.

After you configure your server to run high security, your server will reject requests from Lightweight Directory Access Protocol (LDAP) clients that attempt to access Active Directory unless the client and server have negotiated data signing in advance. That means that your LDAP clients must be using Transport Layer Security\Secure Sockets Layer (TLS/SSL) in order to make the connection.

High security templates limit the use of cached logon data. This includes such things as user ID and passwords stored by Winlogon and Stored User Names and Passwords. While this forces users to type information more often, it prevents hackers from locating this information in the caches and using it later.

Another thing high security templates do is remove all members from the Power Users group. Microsoft does this because it assumes that if you’re running in a high-security environment, you’re only using Windows 2000 certified applications. These applications have security built in and integrate better with Active Directory, eliminating the need for the Power Users group. Members of the Power Users group are assumed to be savvier when it comes to running applications, so by eliminating programs that can cause problems, you can then remove an otherwise useless group.

Creating the Security Configuration and Analysis MMC
You won’t find the Security Configuration and Analysis Snap-in on your server’s Administrative Tools menu. You’ll need to start by creating a custom Microsoft Management Console (MMC) to run it. To do so, click Start | Run. When the Run dialog box appears, type mmc /a in the Open field and click OK. You’ll then see an empty MMC window appear.

Next, select Add/Remove Snap-in from the Console menu. When the Add/Remove Snap-in window appears, click Add. This will display the Add Standalone Snap-in dialog box. Scroll through the Available Standalone Snap-ins list box until you see Security Configuration And Analysis. Select this snap-in and click Add. Then, click Close to close the Add Standalone Snap-in dialog box. Click OK to close the Add/Remove Snap-in Window.

You’ll now notice the Security Configuration And Analysis choice in the Console Root tree in the left pane of the MMC. Before you start to use the Security Configuration and Analysis Snap-In, you should save the MMC you just created. This will save you the effort of having to jump through all of the previous instructions in the future.

To save the MMC, select Save As from the Console menu. When the Save As window appears, type Security Analysis on the Filename field and click Save. In the future, you’ll then be able to start the Security Configuration and Analysis Snap-in by clicking Start | Programs | Administrative Tools | Security Analysis.

Analyzing your security
Now that you’ve got the snap-in loaded, you can use it to analyze your system’s security. Start by opening a database that contains your server’s security information. To do so, right-click Security Configuration And Analysis in the left pane and select Open Database. When the Open Database window appears, you’ll see a list of the security databases on your server. If you don’t see one, don’t panic. That just means you haven’t created one yet.

To create a database, type the name of the database in the Filename field and click Open. To make it easier to find in the future, you may want to give the database the same name as your server.

Next, you’ll see the Import Template menu. In the Template list box, you’ll see a list of security templates. You’ll select one of these templates as the baseline to compare your server’s current security configuration against. Select a template and click Open.

After the template loads, you can analyze your server by right-clicking Security Configuration and Analysis and selecting Analyze Computer Now. When you do, you’ll see the Perform Analysis dialog box. This box asks you to enter a filename to store logging information during the analysis. Security Configuration and Analysis will give you a default log name equal to the name of the database you entered above with a .LOG extension. Click OK to accept the name of the log.

You’ll then see the Analyze System Security screen. This will quickly compare your server’s security with settings in the template you’ve chosen. The amount of time this takes will vary depending on the speed of your server, but it shouldn’t take long.

When it completes, you’ll see the list of policies appear in the right pane of the Security Configuration and Analysis MMC. You can now click on each entry to see how your server’s security compares with the baseline template you’ve chosen.

If you double-check a policy in the right pane, you’ll see all of the settings and how they compare, as shown in Figure A. The right pane is broken into three columns: Policy, Database Setting, and Computer Setting. The Database Setting column shows the setting recommended by the template while the Computer Setting column shows the current settings on the server.

Figure A
The Security Configuration and Analysis MMC checks your security against a predefined template.

As you can see on this example, some Policy icons appear with little red Xs while others appear with little checkmarks. Policies with red Xs conflict with those specified in the template. Checked policies meet or exceed those in the template. If the icon doesn’t have a check or X, then the policy doesn’t have a corresponding setting in the template and wasn’t analyzed.

It may take some time, but you should go through all of the sections in the Security Configuration and Analysis MMC and double-check to see how your server rated against the defaults. At this point, you have a choice. You can either use the analysis provided by the Security Configuration and Analysis MMC as information only or you can change your server’s settings to match those suggested by the MMC. If you just want to use the tool for information purposes, make notes of the differences and quit the Security Configuration and Analysis MMC.

Beefing up your security
You can use the Security Configuration and Analysis MMC’s suggestions to adjust the security of your server, as well as just perform analysis. To do so, start by going through the suggestions made by the analysis one by one. If the suggested change looks OK, you don’t have to do anything. Just check the next suggestion. If you don’t agree with a comparison that the template makes with your server, you can fix it by double-clicking the policy in question.

This will cause a Settings dialog box to appear. If you completely disagree with the suggested change and don’t want it to apply to your server, deselect the Define This Policy In The Database check box and click OK. This will cause the Database Setting column to change from whatever the suggested value was to Not Defined.

If you want to accept the change but don’t want to use the precise value, you can change it. When you double-click the policy and cause the Settings window to appear, just change the value of the setting from the default and click OK. This will cause the new setting to appear in the Database setting column.

If you’ve made significant changes to the template, you may want to save your template for future use or use on other servers. To do so, right-click Security Configuration And Analysis and select Export Template. Give your new template a name and click Save.

After you’ve double-checked the suggested changes, you can apply them to the local machine by right-clicking Security Configuration And Analysis and selecting Configure Computer Now. You’ll then see a Configure System dialog box appear. Here you’ll enter the name of the log file you want to use to record any errors that may occur when the reconfiguration occurs. Click OK to start the reconfiguration.

The Configure System screen will then quickly appear. It looks much like the Analyze System screen you saw earlier as it checks off its progress. When the configuration completes, you should reanalyze your system to make sure that all of the settings applied correctly. When everything checks out, you can close the Security Configuration and Analysis MMC.

Using the Security Configuration and Analysis MMC sets the policy locally, but it won’t change the settings specified by Active Directory. You can apply the settings networkwide by creating a group policy that applies to all servers and workstations on your network. This will allow you to centrally locate the setting in Active Directory. When servers connect to Active Directory, they’ll pick up the security settings. To do so, you’ll edit the Security Settings for a group policy using the Group Policy Editor. Navigate to Security Settings in the Group Policy Editor, right-click it, and select Import Policy. Then select the policy you created above. For more information about Group Policy Objects, see the Daily Drill Down “Working with Windows 2000 group policies”. Finally, make sure that the group policy applies to all of your servers.

Windows 2000 has so many security settings that it’s hard to keep them all straight. Fortunately, the Security Configuration and Analysis MMC can help you compare your system against baselines and adjust settings accordingly. Using it on all of the servers and workstations on your network can help enforce security networkwide.