The Microsoft Security Configuration Editor is an administration tool that reduces both security management and analysis time. Initially you'll use this tool to configure the operating system security parameters. Once these parameters are in place, you can use the Security Configuration Editor to schedule periodic tests.
Note Windows NT provides one MMC snap-in for the Security Configuration Editor; it's called the System Configuration Manager. You can use the System Configuration Manager to work with the security database (SDB) and security configuration (INF) files you create using the Security Configuration Editor. Windows 2000 and Windows XP divide the Security Configuration Editor into two parts. The Security Configuration and Analysis MMC snap-in helps you configure the security database. The Security Templates MMC snap-in helps you work with the security configuration files. All of these operating systems provide similar functionality. Windows 2000 and Windows XP do provide some advanced features. All screen shots in this section of the chapter depict the Windows XP setup.
The overall goal of the Security Configuration Editor is to provide a single place to manage all of the security concerns for a network. However, it doesn't actually replace all of the tools you used in the past—the Security
Configuration Editor augments other security tools. The Security Configuration Editor also provides auditing tools that Windows has lacked in the past.
One of the unique ideas behind the Security Configuration Editor is that it's a macro-based tool. You'll create a set of instructions for the Security Configuration Editor to perform and then allow it to perform those instructions in the background. Obviously, this saves a lot of developer time because the developer doesn't have to wait for one set of instructions to complete before going to the next set. You can also group tasks, which saves input time.
At this point, you may wonder why a developer should care about this tool at all. After all, configuring network security is a network administrator task. That idea used to be true—a network administrator was responsible for all security on the network. However, as computer networks become more complex and the technologies used with them more flexible, part of the responsibility for network security has shifted to the developer. As a developer, you need to know how this tool works so that you can test the applications you create. This is especially true for token-based applications because the .NET Framework provides nothing in the way of internal checks for your application. For the Win32 API developer, this is an essential test tool.
Creating a security setup begins when you choose an existing template or create a new one using the Security Templates MMC snap-in. If you want to use an existing template as a basis for creating a new one, you can right-click on the desired template and use the Save As command found on the context menu. Microsoft supplies a variety of templates designed to get you started in creating this security database, as shown in Figure 8.4.
Each of the security templates is designed for a different purpose (which is indicated by the name). The one I'll use in this section is the compatibility workstation template (compatws), but all of the other templates work about the same as this one. All of the templates contain the same basic elements shown in Figure 8.5.
Figure 8.5: Each of the security templates contains the same security elements.
As you can see from the figure, each template defines a number of security elements. The following list describes each of these elements for you:
Account Policies Defines the password, account lockout, and Kerberos policies for the machine. Password policies include items like the minimum password length and the maximum time the user can use a single password. The account lockout policy includes the number of times a user can enter the wrong password without initiating a system lockout. Kerberos policies feature elements like the maximum user ticket lifetime.
Local Policies Defines the audit policy, user rights assignment, and security options. Audit policies determine the types of data you collect. For example, you could audit each failed user logon attempt. User rights assignments are of special interest because this policy affects the rights you can assign to a user (the access token). The security options policy contains the elements that determine how the security system will react given a set of circumstances. For example, one policy will log a user off when their usage hours expire.
Event Log Defines how the event log stores data and for how long. These policies also determine maximize event log size and event log viewing rights.
Restricted Groups Defines groups that can't access the workstation or server at all, or restricts the amount of access they can obtain.
System Services Displays a list of the system services on the target machine. Double-clicking a service displays a dialog that allows you to set the policy for that service and adjust its startup mode. Normally, you'll leave the icons in this policy alone. However, you can safely change any system service DLLs you create.
Registry Contains all of the major registry hives. Double-clicking a branch displays a dialog you use to set the security for that branch. In addition, you can choose the method of security inheritance by children of this branch.
File System Contains protected file system entries. You can add new files to the list or modify exiting entries. Double-clicking a file system entry displays a dialog you use to set the security level for that file system member. In addition, you can choose the method of security inheritance by children of this file system entity (applies only to folders).
Active Directory Objects This entry is only available if you have Active Directory enabled (which means you must have a domain controller set up). It allows you to edit the security settings for any Active Directory objects, including users and groups.
Was this article helpful?