With all of the attention outwardly focused on the security features of Windows 2000 and the upcoming Windows .NET servers, it’s easy to forget about Windows NT 4.0. Despite the lack of IT press, however, hackers are still as interested in attacking Windows NT servers as they are Windows 2000 servers. This means that you need to protect your older servers just as much as ever before.
In the Daily Drill Down “Analyze your Windows 2000 server’s security with the Security Configuration and Analysis Snap-in,” you learned about a utility that helped you analyze and secure Windows 2000 servers. The good news is that there’s a similar tool for Windows NT called the Security Configuration Manager (SCM). In this Daily Drill Down, I’ll introduce you to the SCM and then go on to explain how to install and use this utility.
What's the Security Configuration Manager?
As the name implies, the Security Configuration Manager (SCM) is a tool that allows you to view a Windows NT 4.0 server or workstation’s current security policy. You can then compare the existing policy to your organization’s mandated policy. By doing so, you can ensure that no settings have been overlooked. You can also use the tool to correct any discrepancies that you might encounter.
The SCM can compare your organization’s current security level against a proposed security level known as a security template. The utility contains several built-in security templates and also offers you the ability to create custom templates that you can use to standardize the security across all Windows NT servers on your network.
Acquiring the SCM
Unfortunately, the SCM isn’t included with Windows NT. It is, however, included on the Service Pack 4 CD. If you happen to have an old Service Pack 4 CD lying around, the utility and its documentation are located in the CD’s MSSCE folder. The CD contains both Alpha and I386 versions of the utility.
If you don’t have a Service Pack 4 CD, you can download the SCM directly from Microsoft at Microsoft’s Security Configuration Manager Web site.
Installing the SCM
For the purposes of this Daily Drill Down, I’ll be installing the utility off of the Service Pack 4 CD. To install the SCM utility, make sure that your server has Internet Explorer 3.0 or higher installed. Next, open the Service Pack 4 CD and navigate to the \MSSCE\I386 folder. Now, double-click on the MSSCE icon.
When you do, the Setup program will ask if you want to perform a full installation. Click Yes, and Setup will ask if you want to install Microsoft Management Console (MMC). Because MMC is a required component, click Yes. You’ll now see a warning indicating that you may be required to reboot your computer during the installation process. Therefore, verify that all other applications are closed and that any attached users have been warned of a possible shutdown. Click OK to acknowledge the warning.
Then you’ll see the End User License Agreement (EULA) screen. Click Yes to accept the license agreement. Setup will now begin copying all of the necessary files. When the Setup process completes, you’ll receive a message stating that Setup has completed successfully.
Using the SCM
Unlike most Windows NT administration utilities that you may be familiar with, the SCM functions within the MMC. Therefore, you must load the MMC before loading the SCM. To do so, enter the MMC command at the Run prompt. When the console loads, select the Add/Remove Snap-in command from the Console menu. When you do, you’ll see the Add/Remove Snap-in properties sheet.
Click the Add button on the properties sheet’s Standalone tab. When you do, you’ll see the Add Standalone Snap-in dialog box. Select the Security Configuration Manager snap-in from the list and click OK twice. The SCM will then appear within the MMC, as shown in Figure A.
Figure A: Unlike most other Windows NT utilities, the SCM runs within the MMC.
Now that the console is loaded, you’re ready to set up a working database. To do so, click the plus sign next to the words “Security Configuration Manager” to expand it. This will reveal a Database: Not Loaded container. Right-click on the words “Database: Not Loaded,” and select the Open Database command from the resulting context menu. Next, select a database to work with.
If this is the first time that you’ve run the SCM, then only a sample database will exist. Rather than using the sample database, you’ll want to create a new one. To create a new database, type a filename to assign to the new database and click Open.
If you are creating a new database, then the next screen that you’ll see is the Select Configuration To Import dialog box. This is where you select the security template that you want to use as a security standard. Select the desired security template and click Open.
Once you’ve opened a template, the SCM will ask you to confirm a log path and will then begin analyzing the system. Because this analysis can take some time to complete, it makes sense to cancel at this point and review the security suggestions contained within the templates thoroughly before analyzing your system.
Once you’ve canceled the template selection process, navigate through the console tree in the left pane of the MMC to Security Configuration Manager | Configurations | C:\WINNT\Security Templates. Beneath this container, you’ll see a listing of all of the available templates. If you expand each template, you can view the various security settings that it contains. For example, the BASICSV4 template is set to remember 0 passwords and to allow a maximum password age of 42 days, as shown in Figure B.
Figure B: You can view the individual security settings contained within each template before analyzing a system.
Creating a custom template
Rather than comparing your system against someone else’s security template, I recommend creating a custom security template. To do so, make note of the path that the template files are stored in. Next, look through the existing templates to determine which template most closely resembles your desired security level.
Once you’ve located such a template, open My Computer and navigate to the folder containing the templates. Copy your selected template file to a temporary directory. Rename the copy (not the original) to something meaningful to you (your name, your company name, etc.). After renaming the file, move it back to the template directory. You’ve now got a template that you can customize.
As you browse through your personal template using the instructions at the end of the previous section, the template’s various settings will appear in the column on the right. You can change any of the settings by right-clicking on them and selecting the Security command from the resulting context menu. When you do, a dialog box will appear that gives you the chance to change the setting. Click OK to set the template to the value that you’ve just assigned.
Click the Close button to close the MMC. When you are asked if you want to save the console settings, answer No. You’ll then be told that you need to save your custom template file. Either click OK to save the changes or click Cancel to abort and revert back to the saved copy.
Analyzing your system's security
To perform a security analysis, open the MMC and create a new database under a different name than you previously used. You’ll then be asked which template should be used with the database. Select your custom template from the list and click Open.
The SCM will now ask you for the path for the log file. Make note of the path and filename and click OK to begin the analysis.
As the analysis progresses, you’ll see a summary of the various areas that are being checked. Remember that the SCM is comparing the template values against the system’s actual security settings. If any differences are found, they will be listed in the log file.
When the analysis process completes, leave the console open but check the log file that was created. The log file tends to be a bit cryptic, but if you browse through it, you will probably see a huge number of differences between your desired configuration and your actual configuration. In fact, on my test system, there were over 10,000 differences in the registry alone, as shown in Figure C. The log file will tell you how many differences exist in each of the areas that were tested. Unfortunately, though, it doesn’t tell you exactly what those differences are.
Figure C: The log file tells you how many differences exist but not what those differences are.
Now that the analysis has completed, click the plus sign next to the database name to reveal its subcontainers. When you do, you’ll see that the database now contains the same containers as the template did. If you go to the individual containers, you can see exactly what the stored configuration values were, as opposed to the analyzed system’s actual settings. For example, on my test system, the Password Policy container revealed a difference in the maximum password age value, as shown in Figure D.
Figure D: The SCM has spotted a difference in the maximum password age.
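Two steps above are really the same comparison: picking the built-in template that most closely resembles your desired security level (when creating a custom template), and checking which settings of a template differ from another configuration (what the database view shows after an analysis). The following Python script is an added example, not part of the original article or of the SCM itself. It assumes that security templates are text files with an INI-style [System Access] section holding the account policy keys (MaximumPasswordAge, PasswordHistorySize, and so on); the template excerpts embedded in it are constructed for the example and carry only the two BASICSV4 values cited above (0 remembered passwords, 42-day maximum password age) plus assumed values for the remaining keys. Real templates contain many more sections (registry values, file and registry permissions) that this script does not look at.

```python
"""Rank candidate security templates against a desired policy and list the
settings that differ, mirroring the per-setting comparison the SCM
displays in its database view after an analysis.

Added example; the template excerpts are constructed.  They follow the
INI-style [System Access] section layout assumed for security template
files; the two BASICSV4 values come from the article, all others are
assumed.
"""
import configparser

# Section of a template that holds the account/password policy (assumed)
SECTION = "System Access"

# Constructed excerpt standing in for the built-in BASICSV4 template.
BASICSV4 = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed excerpt standing in for a stricter built-in template
# (hypothetical name TEMPLATE_B, not a real template).
TEMPLATE_B = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The organization's mandated policy, written in the same format.
DESIRED = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 30
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 6
LockoutBadCount = 5
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text):
    """Return the [System Access] settings of a template as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the mixed-case key names as written
    parser.read_string(text)
    if not parser.has_section(SECTION):
        return {}
    return dict(parser.items(SECTION))


def compare(desired, candidate):
    """Return {setting: (desired_value, candidate_value)} for every setting
    that differs.  A setting missing from the candidate is reported with
    None rather than being silently treated as a match."""
    diffs = {}
    for key, want in desired.items():
        have = candidate.get(key)
        if have != want:
            diffs[key] = (want, have)
    return diffs


def rank_templates(desired_text, candidates):
    """Order candidate templates by how few settings differ from the desired
    policy; returns a list of (name, differences) tuples, closest first."""
    desired = parse_template(desired_text)
    scored = [(name, compare(desired, parse_template(text)))
              for name, text in candidates.items()]
    return sorted(scored, key=lambda item: len(item[1]))


if __name__ == "__main__":
    ranking = rank_templates(DESIRED, {"BASICSV4": BASICSV4,
                                       "TEMPLATE_B": TEMPLATE_B})
    for name, diffs in ranking:
        print(f"{name}: {len(diffs)} setting(s) differ from the desired policy")
        for key, (want, have) in sorted(diffs.items()):
            print(f"  {key}: desired {want}, template {have}")
```

Point the script at the real template files in the template directory noted in the custom-template section (read each file's text instead of the embedded excerpts) and the closest match is the one to copy and rename; the per-setting list is the same view as Figure D, produced before you commit to an analysis run.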
Acting on the results
If you determine that your system didn’t measure up to the standards that you set for it, you have a decision to make. You must decide whether to manually change a handful of values, or whether you should completely reconfigure the entire system’s security policy. Don’t even think about overwriting an entire security policy unless you know exactly what effect it will have. If you haven’t examined every single line of the security template, then you could be very surprised by some of the settings that it may contain.
If you decide that the system’s entire security policy needs to be redone, you can overwrite the existing security policy with the template policy. Remember that this operation can have dramatic effects on your system and shouldn’t be attempted without adequate preparation.
To overwrite an entire security policy, go back to the SCM console and right-click on the database container. Now, select the Configure System Now command from the resulting context menu. Once again, the utility will ask you for the path of the log file. After verifying the log file’s path and filename, click the OK button. The utility will now overhaul your system’s security policy, applying the settings stored in the database’s template.
Customizing security suggestions
Now, suppose for a moment that you’ve analyzed your system’s settings and detected several differences but have decided that you prefer your current setting to the new setting suggested by the utility. In a situation like this, you’d probably want to update the template to reflect your preference over the current suggestion. One way to preserve your choice is to customize a template, as I mentioned above. However, there’s another way.
When you right-click on an individual security setting and select the Security command from the context menu, you’ll see a dialog box similar to the one shown in Figure E. In this dialog box, you’ll see a check box entitled Exclude This Setting From Configuration. If you select this check box in the template file before a comparison, then the policy setting that the dialog box applies to won’t be analyzed. Likewise, should you decide to overwrite your entire system configuration, you can use this check box to avoid overwriting one or more particular security policy settings.
Figure E: You can use the Exclude This Setting From Configuration check box to avoid making changes to a policy setting.
From a style perspective, it’s usually better to use a template that’s configured exactly the way that you need it to be if you’re planning on overwriting the security policy. Relying on the Exclude This Setting From Configuration check box leaves a lot of room for error. It’s good for one or two security settings, but that’s about it.
Security is just as important in a Windows NT server environment as it is in a Windows 2000 environment. Recognizing this fact, Microsoft created the SCM. Using this powerful, flexible utility, you can fine-tune and standardize security settings for all of the Windows NT servers in your network.