Advanced tool to find security holes in Windows XP

In my last tip I talked about the new Windows XP Security Center. Although the Security Center offers some great tools to help you secure Windows XP, it is really designed to help Windows novices achieve a semi-secure configuration. That being the case, I didn't want to leave out those with more advanced Windows skills. In today's tip, I am going to talk about one of the more advanced Windows XP security tools: Security Configuration and Analysis.

The idea behind the Security Configuration and Analysis tool is simple. It compares your system's security settings to a security template and looks for discrepancies. Doing so allows you to easily spot any security settings that might not be up to par. Windows offers various built-in security templates that correspond to different levels of security, from relatively weak to very strong. But you always have the option of creating your own security template that matches your own security needs.

The technique that I am about to show you is basically a way of looking at the settings within a machine's local Group Policy and making any necessary changes. If the machine you are working on is a member of a domain, many of these settings will probably be overwritten by domain-level Group Policy elements. I still think you should take the time to spot check the local Group Policy, though, because the local Group Policy is dominant any time a user isn't logged into a domain.

To access the Security Configuration and Analysis tool, enter the MMC command at the Run prompt. This will open an empty Microsoft Management Console. Now, select the Add/Remove Snap-In command from the File menu. When the Add/Remove Snap-In properties sheet appears, click the Add button found on the Standalone tab. Select the Security Configuration and Analysis option from the list of available snap-ins and click the Add button, followed by Close and OK.

Now that the Security Configuration and Analysis snap-in is loaded, right click on the Security Configuration and Analysis container and select the Open Database command from the resulting shortcut menu. By default there is no database, so just enter any name you want and click OK. You will now see a list of templates that you can import.

There are several templates to choose from, but you should avoid using any template with a file name ending in DC, because those are for domain controllers. Instead, you want to choose a file name ending in WS, since those are for workstations. The COMPATWS.INF file offers the lowest security, while SECUREWS.INF offers medium security and HISECWS.INF offers top-notch security. Make your selection and click OK.

At this point, right click on the Security Configuration and Analysis container and select the Analyze Computer Now command from the resulting shortcut menu. When you do, you will be prompted to enter a path for the error log. Go with the default and click OK. The analysis will now begin.

When the analysis completes, you will see a standard Group Policy tree. What sets this tree apart from other Group Policy trees is that each element shows the template setting alongside the computer's actual setting. If any of the settings are flagged with a red X, it means your computer's setting is below the setting defined in the template.

If you do find discrepancies between the computer's configuration and the settings defined by the template, then you have a choice to make. If you believe that the computer's current configuration is appropriate for your organization, then you can create a template based on the computer's configuration. That way, the next time you scan the system, the scan will compare the system to the settings that are appropriate to your organization rather than compare them to a generic template. To create a custom template, just right click on the Security Configuration and Analysis container and select the Export Template command from the shortcut menu and follow the prompts to enter a file name for the new template.

Your other option is to change the current configuration to match the settings defined in the template. If you decide that the computer's configuration needs to be changed to match the template settings, all you have to do is to right click on the Security Configuration and Analysis container and select the Configure Computer Now command from the shortcut menu and follow the prompts.
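The comparison that Analyze Computer Now performs can be sketched outside the snap-in. The following is an added example, not part of the original tip and not Microsoft's code: it parses two security templates in .inf layout and lists every setting where the computer differs from the template. The two sample templates are constructed for illustration, the function names are hypothetical, and it assumes the computer's settings were exported to an .inf file (for example with Export Template) and that only name = value sections are compared.

```python
import configparser

# Constructed sample data in security-template (.inf) layout; values are illustrative.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
"""

CURRENT_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 24
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 0
"""

def parse_inf(text):
    """Return {section: {setting: value}} with setting-name case preserved."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}

def analyze(template_text, current_text, skip=("Unicode", "Version")):
    """List (section, setting, template_value, current_value) for each mismatch."""
    template, current = parse_inf(template_text), parse_inf(current_text)
    findings = []
    for section, settings in template.items():
        if section in skip:
            continue  # file metadata, not a security setting
        for name, wanted in settings.items():
            actual = current.get(section, {}).get(name, "Not Defined")
            if actual.strip('"') != wanted.strip('"'):
                findings.append((section, name, wanted, actual))
    return findings

if __name__ == "__main__":
    for section, name, wanted, actual in analyze(TEMPLATE_INF, CURRENT_INF):
        print(f"[X] {section}\\{name}: template={wanted} computer={actual}")
```

Template files on disk are often saved as Unicode (UTF-16), so decode them accordingly before passing the text to analyze().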

As you can see, the Security Configuration and Analysis tool can be extremely valuable in ensuring that your workstation's local security policy is up to par. In this article, I have explained how to compare a workstation's settings against a template and how to create a custom template if necessary.


This was first published in December 2004
