One of the biggest pains for administrators in this day and
age is security compliance. Federal regulations and the risk of data
disclosure related litigation from customers mean that administrators must make
security a top priority.
There are all sorts of third party tools designed to monitor
and audit your network to verify that your corporate security policy is being
adhered to. What you might not realize though is that there are similar tools
built right into the Windows Server 2003 operating system. These tools might
not be quite as powerful as some of their third party counterparts, but you
might be surprised at just how well they do when it comes to policy
In this article, I’m going to talk about two separate tools.
The first tool I want to show you is the Security Configuration and Analysis
tool. The main tool that I want to talk about though, is the Secedit tool. Secedit
is the command line version of the Security Configuration and Analysis tool. Both
of these tools are designed to compare your server’s current security settings
against the template that defines the corporate security policy. The idea is
that the server’s security settings should always match the template settings. If
there are discrepancies, then it may mean that the server in question is not in
compliance with your corporate security policy. These two tools will highlight
any discrepancies that may exist.
The Security Configuration and Analysis tool
The Security Configuration and Analysis tool does a great
job of verifying that a server is adhering to the corporate security policy. However,
if you have a large number of servers that you need to verify policy compliance
for, then the Security Configuration and Analysis tool is kind of impractical. This
is where the Secedit tool comes into play. Being that Secedit is a command line
tool, you can easily create a script that will run Secedit against all of your
I want to begin by quickly demonstrating the Security
Configuration and Analysis tool. The reason why I want to show you this tool is
because it is basically the graphical version of the Secedit tool that I will
show you later on. Since GUI based tools tend to be easier to understand and to
use, I wanted to start by showing you the GUI version.
Begin by entering the MMC command at the run prompt. Upon
doing so, Windows will load an empty Microsoft Management Console. Select the
Add/Remove Snap-in command from the console’s File menu. When you do, Windows
will display the Add/Remove Snap-in properties sheet. Click the Add button and
you will see a list of available snap-ins. Select the Security Configuration
and Analysis option from the list and click the Add button followed by the
Close and OK buttons.
Now that the Snap-in is loaded, right-click on the Security
Configuration and Analysis container and select the Open Database command from
the resulting shortcut menu. You will now see a window asking you for the
filename of the database that you want to load. If this is the first time that
you’ve run the Security Configuration and Analysis tool, then there won’t be a
database. If that’s the case, then just enter a filename to use for a database
and click the Open button. Doing so will create a database with the filename
that you’ve specified.
At this point, you must select the security template to
compare the server’s configuration to. Windows contains about half a dozen
predefined security templates, or you can always create your own. Select a
template and click the Open button. Now, right-click on the Security
Configuration and Analysis container and choose the Analyze Computer Now
command from the resulting shortcut menu. Windows will now prompt you to enter
the path to the error log. Just go with the defaults, and click OK.
The Security Configuration and Analysis tool will now take a
moment to compare the server’s security settings against the template that you’ve
selected. When the process completes, you’ll see a screen that looks like the
Group Policy Object Editor console, as shown in Figure A. As you scroll through
this console though, you’ll notice that the server’s settings are compared
against the template settings. Any deficiencies are flagged with an icon
containing a big red X, as shown in the figure.
Figure A: The server’s security settings are compared against the security
settings defined by the template.
The Secedit tool
Now that I have shown you how the Security Configuration and
Analysis tool works, I want to show you how to use the command line version,
Secedit. As I said earlier, the Secedit tool can do the same basic things as
the Security Configuration and Analysis tool. The difference is that Secedit is
command prompt based, and can therefore be scripted to run against multiple
The Secedit tool has six primary functions: configure,
analyze, import, export, validate, and generate rollback. Although the generate
rollback function is the last one listed above, I want to talk about
it first because it is so important.
The generate rollback feature is designed to make a reverse
template. This is simply a template of the server’s current settings. The idea
is that if something goes horribly wrong, the rollback template can be used to
restore most of the server’s previous settings. You will notice that I said
most of the previous settings, not all of the previous settings. The rollback
template is not able to change access control list entries on files or on
registry entries that were changed by the template that you want to undo.
When I talked about the Security Configuration and Analysis
tool earlier, I showed you that sometimes discrepancies can exist between the
server’s current configuration and the settings defined by a security
template. When these types of discrepancies are found, the easiest way to
correct the problem is to simply apply the template settings to the server.
This is what the Configure option does. If you find that a
server’s configuration does not comply with the settings in your corporate
security template, then you can simply run the Secedit tool with the Configure
option to apply the template settings to the server.
As you may have already guessed, the Analyze function is the
actual comparison between the template file and the server’s current security
configuration. I will walk you step-by-step through the Analyze function later
When I talked about the Security Configuration and Analysis
tool earlier, I showed you that you have to create a database as one of the
first steps. This is what the Import function does. The Import function imports
a template into a database. You can actually use the Import function to create
a database at the same time that you are using the Configure or Analysis
The Export function is designed to allow you to export a
template from the database. You can use this function to build a new template
by combining two or more existing templates. All you do is add each template in
the order that you want and then use the Export command to produce a new
The last function that I want to talk about is the Validate
function. As you may know, a template file is actually nothing more than a text
file in INF format. That being the case, it is possible to manually add
settings to a template by simply adding lines of text to the template file. This
is where the Validate function comes into play. You can use the Validate
function to validate the syntax of any lines of text that you have added to a
Before I can show you how to use the six functions that I
just talked about, there are some command line switches that you need to know
about. Not every function will necessarily support all of these switches, but
none of the functions will work without using at least some of the switches.
– The DB switch allows you to specify the name of the database file that you want
to either create or use. In some cases, you may find that it is necessary to
specify the entire path to the database.
– The CFG switch allows you to specify the name of the template that you want to
use. As was the case with the DB switch, you may sometimes need to specify the
entire path to the template file.
– The Overwrite switch is used with the Import function. Normally, when a
template is imported into a database (assuming the database already exists),
the template settings are combined with settings that are already stored in the
database. If contradictions exist, the settings in the template that is being
imported will overwrite existing contradictory settings. If the Overwrite
switch is used though, then the database is purged prior to the import. This
provides the same basic functionality as creating a brand new database.
– Errors are always logged, whether the Log switch is used or not. If the Log
switch is not used, then errors are logged to the
Windows\Security\Logs\Scesrv.log file. What
the Log switch does is allow you to specify a log file to be used in
lieu of the default log file.
– The Quiet switch is very useful if you are creating a script containing Secedit
commands. Normally, certain functions, such as Configure, ask the user for
confirmation before the command is executed. If the Quiet switch is specified,
then Secedit will refrain from asking the user for confirmation.
– The Areas switch is one of the trickier switches to use. As you may know, a
template file does not just contain group policy object settings. It can also
contain things like registry settings and access control entries. Normally when
a template is applied, the template is applied in its entirety. Secedit does
not care what type of data the template actually contains (assuming that the
data types are valid).
What the Areas switch does is allow you to specify
which types of data from the template should be applied. All other types of
data within the template are ignored. Valid data types are:
– including account policies, audit policies, event log settings, and
– includes restricted groups settings.
– includes user rights assignments.
– includes registry permissions.
– includes file system permissions.
– includes system service settings.
Creating a database
Now that I have shown you all of the functions and switches
that Secedit supports, it’s time to actually do something with Secedit. I want
to begin by showing you how to create a database. As I explained earlier,
creating a database is done through the Import function. The syntax for using
Secedit with the Import function is as follows:
SECEDIT /IMPORT /DB database.sdb /CFG template.inf /OVERWRITE
In the command above, you’d replace database.sdb with the
name of the database that you’re creating. Likewise, you’d replace
template.inf with the name of the template that you want to base the database
on. In this command, the Overwrite switch is optional.
When I talked about the available switches, I mentioned that
when you run the Import function, it is sometimes necessary to provide a
full path to the database that you’re creating and to the template that you’re
importing. One way of getting around this requirement is to switch to the
folder containing the templates prior to running the Secedit command. By default,
templates are stored in the C:\WINDOWS\security\templates folder. To change to
this folder from a command prompt, you would enter the following commands:
Now suppose that you wanted to create a database named
BRIEN.SDB based on a template named HISECWS.INF. To do so, you would enter the
SECEDIT /IMPORT /DB brien.sdb /CFG hisecws.inf
Analyzing the server
Now that I’ve shown you how to create a database, let’s
perform an analysis using the database that we have just created. The syntax is
very straightforward if you take into account the rules that I discussed
earlier. The syntax for the command would be:
SECEDIT /ANALYZE /DB brien.sdb /CFG hisecws.inf /OVERWRITE /LOG output.txt
This command will create a log file in the current directory
named OUTPUT.TXT. If you scroll through the log file, you can see a list of
every security setting for which the computer differs from the template.
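The following batch file is an added example, not part of the original article, that strings the Import and Analyze commands above into a script you could run on each server (for instance as a startup script) and have every server drop its results on one share. It assumes a template name (hisecws.inf), a placeholder share (\\FILESERVER\secaudit$), that Secedit returns a non-zero exit code when it fails, and that the analysis log marks each differing setting on a line beginning "Mismatch - ".

```batch
@echo off
REM Added example (not from the article): Import, then Analyze, then collect
REM the mismatches centrally. Assumptions are named in the comments below.
setlocal

set TEMPLATE=hisecws.inf
set DB=%TEMP%\%COMPUTERNAME%.sdb
set LOG=%TEMP%\%COMPUTERNAME%-analyze.txt
set REPORT=%TEMP%\%COMPUTERNAME%-mismatch.txt
set SHARE=\\FILESERVER\secaudit$

REM Work from the templates folder so /CFG needs no full path (the article's trick);
REM the database and log use full paths so Secedit never guesses where they go.
cd /d %SystemRoot%\security\templates || goto :fail

REM Step 1: build a fresh database from the template (/OVERWRITE purges an old one,
REM /QUIET suppresses prompts so the script never stalls). Assumes a non-zero
REM errorlevel on failure.
secedit /import /db %DB% /cfg %TEMPLATE% /overwrite /quiet
if errorlevel 1 goto :fail

REM Step 2: compare this server against the template; /LOG replaces Scesrv.log.
secedit /analyze /db %DB% /cfg %TEMPLATE% /log %LOG% /quiet
if errorlevel 1 goto :fail

REM Step 3: keep only the settings that differ from the template.
REM Assumes the log flags them as "Mismatch - <setting>".
findstr /C:"Mismatch - " %LOG% > %REPORT%

REM Step 4: ship the full log and the short report to the central share
REM (placeholder path) so one admin can review every server from one folder.
copy /y %LOG% %SHARE%\ >nul
copy /y %REPORT% %SHARE%\ >nul

REM Exit 2 when any mismatch exists so a calling script can flag this server.
for /f %%N in ('type %REPORT% ^| find /c "Mismatch"') do set COUNT=%%N
echo %COMPUTERNAME%: %COUNT% setting(s) differ from %TEMPLATE%
if not "%COUNT%"=="0" exit /b 2
exit /b 0

:fail
echo %COMPUTERNAME%: secedit failed, see %LOG% and %SystemRoot%\security\logs\scesrv.log
exit /b 1
```

The script only reports; applying the template (the Configure function) is deliberately left as a separate, reviewed step so a bad template cannot be pushed to every server at once.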
Command line tools can be fairly intimidating to use,
especially when they have as many options as the SECEDIT tool does. However, if
you take the time to understand the various SECEDIT options that I have
discussed in this article, the syntax becomes very straightforward. If you
still have trouble figuring out SECEDIT though, you always have the Security
Configuration and Analysis console to fall back on.