The birth of a comprehensive security configuration and analysis tool in NT

When you manage an operating system's (OS's) security, you face two basic tasks: securing the system and making sure the system remains secure. For Windows NT administrators, the first task--configuring the security parameters of an NT system--hasn't been easy. Administrators have needed to employ the User Manager, NT Explorer, and a registry editor to adjust various aspects of overall system security. And even after administrators finally configure security just the way they want it, to ensure that the system remains secure, they've needed to manually inspect the system with the same three utilities, or with a third-party add-on tool.

Although you can use NT's built-in utilities to manage security, the task is tedious because NT lacks a centralized security configuration interface. Security settings in NT are spread far and wide, and many tools are necessary to adjust and review each setting. Microsoft now has a solution to these security configuration woes in Security Configuration Editor (SCE) for NT 4.0. SCE is a Microsoft Management Console (MMC) snap-in that consolidates most of NT's sensitive basic security settings in one simple interface, virtually eliminating the need to use separate administration tools. By rolling several utility functions into one snap-in, Microsoft has created the strong beginning of a comprehensive security configuration and analysis tool. Although MMC itself is already available for NT 4.0, SCE is slated to ship in Service Pack 4 (SP4) for NT 4.0 (SP4 remains in beta at press time) and will be standard in NT 5.0 when Microsoft releases that OS.

A Template for Security
SCE's overall concept is simple. SCE is a template-based security editor capable of three basic functions: configuring security templates, applying a security template's settings to an NT system, and inspecting the security settings of an NT system by comparing those settings to the contents of a security template. SCE does not introduce new NT security parameters but instead organizes existing security parameters (including most of those introduced through service packs and hotfixes) into one easy-to-use interface for speedy configuration and analysis. SCE acts as both a security configuration tool and a check-and-balance analysis tool. Using SCE, you can configure a security template, then apply that template to the system. Templates contain most of the sensitive system settings you'd usually adjust, and you save the templates to disk in a secured directory SCE uses.

Microsoft predefines template contents, which are static and contain an almost complete set of security parameters that cover most aspects of basic NT security. I say almost complete, because the SCE version I tested is an early beta copy and is not feature-complete. For example, in the SCE beta version, the user rights you usually find under User Manager are listed in SCE for easy editing; however, the SCE list doesn't contain all the advanced rights you usually find in User Manager. In addition, the SCE templates don't contain all the specialized changes you might make to an NT system that is exposed to the Internet: for instance, blocking the NetBIOS ports (UDP 137 and 138, TCP 139) on the Internet-exposed network interface.

As you can see in the SCE Console in Screen 1, SCE has two top-level trees: Last Configuration/Inspection and Configuration/Inspection Templates. The Last Configuration/Inspection tree reveals all the current security configuration settings. After SCE performs an inspection, the Last Configuration/Inspection tree clearly identifies which settings do not match a particular security template.

The Configuration/Inspection Templates tree is a list of security templates and their associated settings, which you use for configuring and inspecting system security. You set system security by adjusting each item in a template, then instructing SCE to reconfigure NT by applying that template to the system. I'll walk you through step-by-step configuration and analysis shortly. First, let's examine SCE templates.

What's in a Template, Anyway?
An SCE template is a collection of system security parameters (which, as I've already noted, you usually view and change by using Explorer, User Manager, and a Registry editor) that SCE arranges as a hierarchical tree containing various nodes, subnodes, and items. SCE nodes are Account Policies, Local Policies, Event Log, Restricted Groups, System Service, Registry, and File System. Both the Last Configuration/Inspection and Configuration/Inspection Templates trees contain these nodes. Each SCE node contains a variety of associated subnodes and items that you can adjust as necessary. Let's take a quick look at each of these nodes and their basic overall contents.

The Account Policies node contains two subnodes--Password Policies and Lockout Policies--that are usually found within User Manager. Local Policies contains the subnodes Audit Policies, User Rights Assignment, and Security Options. You usually find Audit Policies and User Rights Assignment within User Manager, and you find Security Options as individual Registry keys when you use a registry editor. The Event Log node contains the subnode Log Settings, which you usually adjust using Event Viewer.

The Restricted Groups node is a new check-and-balance feature the SCE snap-in introduces, and Microsoft intends this node to be a governing gauge for group membership. Restricted Groups works by recording a group's intended membership in the template and then correcting the group's actual membership, adding and removing users as needed, so that it matches that baseline. For example, suppose you add the Administrators group to Restricted Groups. Administrators contains three users: MJE, Mark Mazzei, and Administrator. Later, another administrator removes MJE from Administrators and adds the user Sonny to Administrators. When you use SCE to perform a security inspection, SCE will discover the change and notify you through Event Log so that you can take any necessary action; an inspection only reports the drift, it does not undo it. If you reconfigure the system by applying the security template to it, SCE restores the original membership to the Administrators group, automatically removing Sonny, re-adding MJE, and recording those two transactions in Event Log.

The System Service node contains a list of all installed system services. You can modify the service parameters in SCE that you would usually see under Control Panel, Services. Service parameters include startup mode, the account a service runs under, account password, and whether a service interacts with the desktop.

The Registry node contains Registry keys and their associated security settings--what you usually see with a registry editor. The File System node contains files and directories with their associated security settings, which you usually see by using NT Explorer.

In the beta version, SCE templates contain static item entries. Static means you can't add new nodes, nor can you add new item settings to existing nodes. For example, you can add a Registry key to the Registry node to set the key's access permissions, but you can't add an entry that sets the key's value. Microsoft says it's currently testing functionality in SCE that will let you add new nodes and add item settings to existing nodes. Such functionality might appear in the product's final release, but this possibility is by no means certain. However, Microsoft points out that SCE is easily extendable through its API. So if you're a code slinger, you can extend SCE as you see fit (for more information about the API and extending the functionality of SCE, visit Microsoft's Web site at http://www.microsoft.com/ntserver/basics/future/windowsnt5/whitepapers.asp).

MMC Crash Course
To use SCE, you need a basic understanding of MMC. Here's a mini-refresher course. (For a more comprehensive discussion of MMC, see Darren Mar-Elia, "Microsoft Management Console," June 1998.) MMC is a GUI shell to which you can add applications that Microsoft designs especially for MMC for easy use. You might think of MMC as a specialized GUI, much like the Internet Explorer (IE) Web browser, in which the browser is empty and idle until you load a Web page. The MMC is an empty interface until you load a snap-in application.

To use SCE, simply load the SCE snap-in into MMC. To start MMC, click Start, select Run, type

MMC

and press Enter. After MMC starts, click Console, select Add/Remove Snap-ins, click Add, and select Security Configuration Editor. As Screen 1 shows, after you load the SCE snap-in, the familiar NT Explorer-style tree view displays in the SCE Console's left pane, and node-item contents display in the right pane for review and editing.

Configuring NT Security with SCE
To configure system security using SCE, create a new SCE template by right-clicking the directory path (%SYSTEMROOT%\Security\Templates), which is listed under the Configuration/Inspection Templates tree. Then select the New Template command from the pop-up menu. This action creates an empty template with the name New Template.

Rename the template by clicking the template name once to highlight it, and again to enter the edit mode (as you do to rename a file using NT Explorer). After you've renamed the template, follow these steps to configure the template and apply it to the system.

  1. Select the new template in the left pane and expand the tree to reveal all the tree's nodes.
  2. Navigate through each node and subnode, editing the associated list of item values in the right pane. To edit an item value, double-click the value to display an associated dialog box, from which you adjust the settings. Click OK to close the dialog box.
  3. After you've edited the item values, save the template to disk by right-clicking the template's name in the left pane, then clicking Save on the pop-up menu.
  4. Apply the template settings to the system by right-clicking the template name and clicking Configure on the pop-up menu.

I know the process sounds easy, and it is easy. The toughest part of using SCE is understanding individual security items and their parameters. SCE introduces no new configuration parameters, so you can directly apply what you've learned about NT security to SCE to define security templates and apply them to the system. I discuss most of NT's security parameters in Internet Security with Windows NT (29th Street Press, formerly Duke Press).

Inspecting NT Security
After you apply your security template settings to the system, you can inspect the settings at any time to make sure they remain unchanged. SCE's inspection process compares the system's current security settings with the settings in the template you previously configured and applied to the system. (Also, you can use SCE to audit your system. For instructions, see Alistair G. Lowe-Norris, "How to Enable Auditing with the Security Configuration Editor," page 157.)

SCE makes inspecting current security configuration settings easy. You can perform a manual inspection at any time, or you can use a batch file and the Schedule service to automate inspections.

Manual inspection. To inspect the current system security settings manually, follow these steps:

  1. Right-click the Last Configuration/Inspection node in the SCE Console's left pane. Select Perform Inspection from the pop-up menu to display the Security Inspection dialog box, as Screen 2 shows.
  2. Click Change next to the Comparison (base) Template field, and select the template you previously created that you want to compare against the current system security configuration.
  3. Click Change next to the Error Log File field, and choose a log file name and location.
  4. If you've already used SCE to configure system security, you can choose which security configuration to inspect by changing the filename in the Inspection Database field.
  5. Click OK to begin the inspection.

SCE inspects each security setting, comparing the current values with the template values and displaying its progress along the way. Then SCE writes a log file of the inspection findings.

When the inspection completes, SCE displays the currently configured security settings and the template settings in the Last Configuration/Inspection tree for easy review. To review the current settings, navigate the tree by clicking each node and subnode in the left pane. Doing so reveals each node's contents in the right pane. As Screen 3 shows, a green check-mark icon or a red X icon accompanies some node items. The green check mark signifies that the item's parameters are set identically to the template, whereas the red X signifies that the item's parameters are not set identically to the template. The absence of an icon means that the item is not configured and therefore is not part of the inspection process. For maximum security, consider configuring all node items so that they will be part of the SCE inspection process.

As you can see in Screen 3, the SCE inspection found several user rights on my system that were not in compliance with my template settings. To correct the noncompliance, I reapplied my security template to the system, as step 4 on the list of instructions for configuring a template and applying it to the system describes.
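To make the inspect-and-configure cycle concrete, here is a small model of it in Python. This is an added example, not code from the article or from Microsoft's SCE, and it covers both the inspection verdicts described above (green check, red X, or no icon) and the Restricted Groups reconciliation described earlier. The template text, its section and key names, and the "current system" snapshot are all constructed for illustration; the article does not show the real template file layout, so the INI-style format used here is an assumption, not the format secedit.exe reads.

```python
"""Toy model of SCE's template-driven inspection and configuration.

Added example, not SCE's own code. The INI-style template format, the
section/key names and the CURRENT_SYSTEM snapshot are all constructed.
"""
import configparser

# Constructed template (assumption: one INI section per SCE node).
TEMPLATE_INF = """
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5

[Privilege Rights]
SeRemoteShutdownPrivilege = Administrators
SeShutdownPrivilege = Administrators, Power Users

[Group Membership]
Administrators = MJE, Mark Mazzei, Administrator
"""

# Constructed snapshot of the system as an inspection would find it.
CURRENT_SYSTEM = {
    "System Access": {
        "MinimumPasswordLength": "6",   # weaker than template -> red X
        "LockoutBadCount": "5",         # equal -> green check
        "PasswordHistorySize": "0",     # absent from template -> no icon
    },
    "Privilege Rights": {
        "SeRemoteShutdownPrivilege": "Administrators, Server Operators",
        "SeShutdownPrivilege": "Power Users, Administrators",  # same set
    },
    "Group Membership": {
        # MJE was removed and Sonny added after the template was written.
        "Administrators": "Mark Mazzei, Administrator, Sonny",
    },
}

# Nodes whose values are unordered name lists rather than scalars.
LIST_SECTIONS = {"Privilege Rights", "Group Membership"}


def parse_template(text):
    """Read the INI-style template into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. SeShutdownPrivilege
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def _as_set(value):
    """Split 'A, B, C' into {'A', 'B', 'C'}, ignoring order and spacing."""
    return {n.strip() for n in value.split(",") if n.strip()}


def _same(section, have, want):
    """Compare one setting with the semantics its node requires."""
    if section in LIST_SECTIONS:
        return _as_set(have) == _as_set(want)
    return have.strip() == want.strip()


def inspect(template, current):
    """Classify each current setting: match, mismatch, or not configured.

    'not configured' is the no-icon case: the template is silent on the
    item, so the inspection cannot judge it.
    """
    results = {}
    for section, items in current.items():
        for key, have in items.items():
            want = template.get(section, {}).get(key)
            if want is None:
                results[(section, key)] = "not configured"
            else:
                results[(section, key)] = (
                    "match" if _same(section, have, want) else "mismatch")
    return results


def reconcile_group(template, current, group):
    """Restricted Groups: (members to remove, members to re-add) so that
    the group returns to the template's baseline membership."""
    want = _as_set(template["Group Membership"][group])
    have = _as_set(current.get("Group Membership", {}).get(group, ""))
    return sorted(have - want), sorted(want - have)


def configure(template, current):
    """Apply the template; return (new state, Event Log style records)."""
    new = {s: dict(items) for s, items in current.items()}
    log = []
    for section, items in template.items():
        for key, want in items.items():
            if section == "Group Membership":
                removed, added = reconcile_group(template, current, key)
                log.extend(f"Removed {m} from {key}" for m in removed)
                log.extend(f"Added {m} to {key}" for m in added)
            elif not _same(section, new.get(section, {}).get(key, ""), want):
                log.append(f"Set {section}\\{key} = {want}")
            new.setdefault(section, {})[key] = want
    return new, log


if __name__ == "__main__":
    tmpl = parse_template(TEMPLATE_INF)
    for (section, key), verdict in sorted(inspect(tmpl, CURRENT_SYSTEM).items()):
        print(f"{verdict:15} {section}\\{key}")
    print(*configure(tmpl, CURRENT_SYSTEM)[1], sep="\n")
```

Running the script prints one verdict per item and then the four corrective actions a configure pass would take (two for the Administrators group, one password-length change, one user-right change). Note that PasswordHistorySize never gets a verdict at all, which is the reason for configuring every item you care about: an item the template doesn't mention is invisible to the inspection.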

Automatic inspection and configuration. Let's look at automating SCE security inspection and configuration by using a batch file and the Schedule service. Automating SCE inspection and configuration is useful for reviewing and enforcing static security policies on a system. For example, if users make unwanted changes, such as adding themselves to the Administrators group or changing file system security, a scheduled SCE configure operation resets those parameters to the values in your security template on every run. Keep in mind that such changes stand until the next scheduled run, so schedule the job often enough for your environment, and still review the inspection log rather than relying on the configure operation alone.

You can operate SCE as a command-line utility by running the program secedit.exe, located in the %SYSTEMROOT%\System32 directory. Using the /? command-line switch reveals the complete list of available command-line switches.

To perform a complete system security inspection using secedit.exe from a batch file or the command line, use the following command. In this command, template.inf is the name of your security template and auto-sce.log is the name of your SCE log file, which is in the \winnt\security\logs directory:

secedit /analyze /scppath g:\winnt\security\templates\TEMPLATE.INF /log g:\winnt\security\logs\auto-sce.log

Similarly, to reconfigure security by applying a security template with SCE from the command line, use the following command:

secedit /configure /scppath g:\winnt\security\templates\TEMPLATE.INF /log g:\winnt\security\logs\auto-sce.log

With a small command-line mail program, such as POSTIE by Andrew Davison (freeware available with source code at http://www.ozemail.com.au/~adavison), you can email the SCE log file to yourself for timely review. Remember that the log lists exactly where the system falls short of your template, so mail it only over a network path you trust and to a mailbox that only administrators can read. In addition, POSTIE is capable of posting a message to a Network News Transfer Protocol (NNTP) news server, such as the Exchange Server NNTP connector.

To have POSTIE email an SCE log file, use the command line shown below, replacing your-mail-server, your-from-address, your-to-address, and "your-subject", as appropriate for your network:

postie -host:<your-mail-server> -from:<your-from-address> -to:<your-to-address> -s:"<your-subject>" < \winnt\security\logs\auto-sce.log

By inserting both the secedit.exe command line and the POSTIE command line in a batch file, you can automate the execution of security configuration and inspection so that they take place regularly and mail you the log. To create such a batch file, use Notepad to create a new file, and insert either the secedit.exe inspection command line or the secedit.exe configure command line listed previously. (Remember that the inspection command line inspects the current security settings, and the configure command line sets system security per the specified security template.) If you want SCE to mail the log to you, include the POSTIE command as the next line in the batch file. Because secedit /configure applies whatever the template file contains, set NTFS permissions on the template directory, the batch file, and the log directory so that only administrators can write to them; otherwise, anyone who can edit the template turns your scheduled job into a way to change security settings rather than a way to restore them.

To establish a scheduled event that will execute your batch file (after you've manually tested the batch file), first ensure that the Schedule service is running and set to start automatically. Next, open a DOS command shell and issue the following AT command to establish the scheduled batch file execution:

AT 00:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "g:\admin\sce-auto.bat"

Be sure to modify the run time and days to your preference, and adjust the batch filename and path to match your filename and path. This command assumes you've created a batch file called sce-auto.bat in a directory called G:\ADMIN and scheduled the file to run at 1 minute after midnight every day of the week. The Schedule service runs the batch file under the LocalSystem account by default, so the job has all the privileges it needs to apply the template, which is one more reason to restrict who can write to G:\ADMIN.

My SCE Wish List
SCE is a long-overdue and much-needed addition to the NT platform. Although you can obtain more robust third-party security configuration and analysis tools (such as Internet Security Systems' Internet Scanner and Intrusion Detection's Kane Security Analyst), it's wonderful to see Microsoft providing such a handy security tool as a standard part of NT.

However, in its current beta version, SCE might leave you vulnerable even after you've configured templates and applied them to the OS. You'll be vulnerable because SCE doesn't let you analyze or configure several key aspects of NT security, including Routing and Remote Access Service (RRAS), Proxy Server, the built-in TCP/IP port filtering security, custom Registry key values, network bindings, and third-party add-on packages. It wouldn't hurt if SCE included built-in Simple Mail Transfer Protocol (SMTP) capability for mailing logs and some type of password-strength testing based on a predefined dictionary database.

I also see room for improvement in management of distributed networks. SCE isn't currently capable of directly performing analysis and configuration on remote systems. To use the SCE on remote systems, you must copy any necessary template files to the remote system, then run SCE locally on the remote system. If SCE is to gain enterprise network acceptance, it must incorporate more robust remote security management capabilities as soon as possible.

By the time you read this article, Microsoft might have at least integrated functionality for defining Registry key values. However, you probably won't see other features on this wish list in SCE's first release. If Microsoft beefs up SCE, adding all aspects of native Microsoft-based NT security configuration to the snap-in (as I expect will happen by the year 2000), you'll probably be able to forgo using most third-party security analysis tools. Of course, Microsoft isn't likely to include security analysis for third-party software packages, or for bugs related to third-party products, as do the Intrusion Detection and Internet Security Systems products. Don't be surprised to see these companies (among others) develop extensions for SCE.

Just What the Doctor Ordered?
If you haven't installed and tested SP4, you'll find SCE well worth the time and effort of doing so. And if you don't know a lot about NT security, SCE will give you a bird's-eye view of many features you might need to adjust to secure your NT systems in a given environment. At the least, SCE is a good learning tool for the security novice. It's a great addition to any NT professional's security toolkit. Give SCE a close look--I'm sure you'll enjoy the functionality.