Windows Server 2003 System Security Analysis 'Quick and Easy'
"For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com"
Security Configuration and Analysis MMC
With Windows Server 2003, you can create a mew MMC that enables Security Analysis functionality. Before we begin, we should ensure you understand what an MMC is. The MMC (Microsoft Management Console) should be something you are familiar with as it was introduced way back in Windows NT - with older versions of IIS. Since then, Windows 2000 and 2003 have been utilizing this console for just about every service available within Windows. You can make a new console by going to the Run dialog box in the Start menu and typing: mmc
This will open a new Console. You can also open it in author mode by adding an mmc /a to the command. You can see this in Figure 1.
In figure 2, you can see that the new MMC has been opened and is ready for you to populate.
Once you have the MMC open, you only need to add the Security Configuration and Analysis tool. Before we do, lets go over it briefly.
Security Configuration and Analysis Snap in
Now you can set up the Security Configuration and Analysis in the Microsoft Management Console (MMC) to analyze and to configure security on a computer that is running Windows Server 2003. What the Security Configuration and Analysis does is compare the current security configuration with a security configuration that is stored in a database. To break this down into simplistic terms:
Run the tool
It checks you settings against a template in its database
It reports to you where you have weaknesses
You fix them
Run the tool again to check
Simple right? Ok, now that you know this, lets look at some more details and how to set it up and run it.
In Microsoft terms, you can create a database that contains a preferred level of security and then run an analysis that compares the current configuration to the settings in the database. Again, this is simple as it just checks your system to verify its locked down and hardened.
Security Configuration and Analysis includes the following features:
Security Configuration and Analysis
Secedit command-line command
To analyze the security configuration of your computer, you must perform the following two steps:
Create the security database by using a security template.
Compare the computer security analysis to the database settings.
In this article we will look at these steps in great detail so that you completely know how to run this tool and get your security analysis information.
Create the Security Database
Lets look at the steps required to create the initial security database. We still need to connect the Security Configuration and Analysis tool, so lets look at finishing that up:
In figure 3, you can see that once you open up a new MMC, you will have the option to add in snap ins. To do this, go to the MMC's File menu and select the Add/Remove Snap-In… option.
Once opened, you can click on the Add button so that you can get figure 4 up so you can add your analysis tool.
Once you open the Add Standalone Snap-in, you can select the Security Configuration and Analysis tool as seen in figure 4. Next, highlight it and click on Add. Nothing will happen as you can see, so click Close, and then you will see in Figure 5, the Security Configuration and Analysis tool has been added and ready to use. Click Ok and proceed to this will bring you back to the MMC.
Figure 6 shows you the snap in added and ready to use. Directions are provided in the contents pane of the MMC. To create a database to use, you need to right click the Security Configuration and Analysis tool and select, Open Database… as seen in figure 6.
Once you open the database, you will be shown the Open Database dialog box as seen in figure 7.
As you see in figure 7, I name logs and databases so that I can reference back to them intelligently so here, I simply use the date the database was created. Once you are done, click Open, and this will invoke Figure 8.
Figure 8 is the security template that will be applied against your current configuration… and in this instance; I selected securedc.inf because I want to check security on my Domain Controller. Once you select the right template, click Open.
Note: You do not have to click 'Clear this database before importing' because there are no entries in the database yet! If there were, then you can select this so that it runs clear.
Now, you have just set up your MMC to run the Security Configuration and Analysis tool against your DC with the securedc.inf security template. This is where the analysis phase comes in now that your database has been completed.
Analyze System Security
Now that you have made the database, you need to analyze the system to populate it with all the cool information you will use to analyze the security posture of your Windows Server 2003 system.
To compare system security with the settings in the security database, follow these steps: In the left pane, right-click Security Configuration and Analysis, and then click Analyze Computer Now as seen in figure 9.
Once you kick off the analysis, you will be promoted with a location for the security log. Note the location of the error log file, and then click OK.
Figure 11 shows you the process of the scan, it should not take more than a minute of two to perform this scan.
Once you have completed your scan, you will be presented with what looks like figure 12. Figure 12 shows the analysis that was done hierarchically.
Now, we need to dig into the analysis done to see what we need to do. Although it will take you awhile to sift through all the information, lets explain to you what it is you are looking at so you can read the analysis and work through what it is telling you.
Figure 13 shows you the Security Options in the MMC. There are quite a few symbols shown to you and if you are to analyze this properly, you will need to know what they stand for.
Table 1 gives you the explanations for the symbols you see:
The entry is defined in the analysis database and on the system, but the security setting values do not match
Green check mark
The entry is defined in the analysis database and on the system, and the setting values match
The entry is not defined in the analysis database and was not analyzed. If an entry is not analyzed, the entry may not be defined in the analysis database, or the user who is running the analysis may not have permissions to perform analysis on a specific object or area
The entry is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the system that you are analyzing
If no symbol appears, the entry is not defined in the analysis database or on the system
Now that you understand these entries, take a good look at figure 13 again, or look at your own analysis for your server. In figure 14, there is another look at these symbols. In figure 14, you can see that there are question marks near Account lockout duration and Rest account lockout counter after, and on both, this simply means that the entry is not defined in the analysis database and was not analyzed. You can see that there is a red X on the Account lockout threshold. This means that this setting (on the Windows Server 2003 system) does not match that in the database and needs to be analyzed by you. See how easy that was?
Add Settings to the Database
In the case of the missing entries in the database you can add them pretty effortlessly. If a setting is not contained in the database, you can add it very easily. To do so, Right-click an entry that is not defined in the database, and then click Properties. You can see this in figure 15. Remember, this only affects the database and analysis, you are not turning on any services, or so on when you do this, just set the database to look at this setting as well.
That’s it! You have successfully set up the Security Configuration and Analysis tool, built a database, performed a scan and learned how to alter it. Now, you can expand on this knowledge by looking through all the settings and whatever the Security Configuration and Analysis tool flagged, you should check out.
Note: Before you close the Security Configuration and Analysis tool and MMC, make sure that you save the console or you will close the MMC and have to re-add the Security Configuration and Analysis tool and so on.
In sum, you should have a better understanding of how to analyze security on a Windows Server 2003 system. This tool is free, it comes with Windows Server 2003, and with a little bit of configuration, you can be off and running.