Configuring workgroup security on individual computers is a time-consuming task even using a single tool to do...
so, as described in my previous checklist. If you've tried it, you realize there has to be a better way. There is. The secedit command allows you to apply a security template to a computer at the command line, or you can use it in a script or batch file to apply settings each time the computer is booted. If you are networked, you could also use it to apply settings remotely, though I caution you about making it too easy to remotely administer your computers over the network.
You may download a printer-friendly version.
|Checklist: Use secedit for workgroup security|
|Step 1: Prepare a security template|
|To prepare a security template, use the instructions in my previous checklist.|
|Step 2: Make a copy|
|Copy the template you just created to the computer you wish to configure.|
|Step 3: Study the syntax of the secedit command|
|The secedit command can be used to perform the same tasks as the Security Configuration and Analysis tool -- and then some. It allows you to configure or analyze|
|security on a computer. In Windows XP and Windows Server 2003, it can also be used to create a rollback template (to reverse settings in the template you just applied). To use|
|the command, you need the name and location of the security template, the name and location of the database (use the command to create one) and the correct syntax of the command.|
|For instance, to configure a computer using a security template, you would need:
Secedit/configure/dbfilenamedb /cfg filenamest/overwrite
|The filenamedb is the security database name to be used. The filenamest is the security template name. If the database and template do not exist in the folder you open when you|
|issue the command, you must enter the complete path of the file. Use the overwrite parameter to instruct that the database be emptied before loading the security template.|
|(If you do not specify this, any security settings already in the database may be combined with those in the security template.) A log file is created and placed in the scesrv.log file|
|located in the <systemroot>\security\Logs folder by default. You can also use the \log parameter and enter your own name for a log file to be created. Use the /quiet parameter|
|to prevent any data from appearing on the screen during the application.|
|Step 4: Use the secedit command to apply the template|
|This command allows you to apply mytemplate.inf using database mydatabase.sdb:
Secedit /configure /db mydatabase.sdb cfg/ mytemplate.inf /overwrite /quiet
|Step 5: Optionally, use a script to apply the command|
|Use the previous command in a script if you're comfortable doing so. If you are not a scripting wizard, a sample script is available at Microsoft's TechNet resource.|
|Scroll down to the section on configuring security for workgroup/standalone computers.|
More checklists from Roberta Bragg
- Automate security administration for standalone PCs
- Three security mandates for any Windows environment
- Lock down workgroups, PCs and Active Directory domains
ABOUT THE AUTHOR: Go back to Checklists Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.