In this article we will look at demystifying the simple analysis of a Windows Server 2003's security posture. Too many times, administrators seem confused about how to do an initial security analysis test on a newly minted Windows Server 2003 (or 2000, for that matter). In this article we will look at how to perform this very quickly and very easily with Windows Server 2003. This article will cover the steps needed to create the Security Database and perform the analysis on your Windows Server 2003 system.
Security Configuration and Analysis MMC
With Windows Server 2003, you can create a new MMC that enables Security Analysis functionality. Before we begin, we should ensure you understand what an MMC is. The MMC (Microsoft Management Console) should be something you are familiar with, as it was introduced way back in Windows NT with older versions of IIS. Since then, Windows 2000 and 2003 have been utilizing this console for just about every service available within Windows. You can make a new console by going to the Run dialog box in the Start menu and typing: mmc
This will open a new Console. You can also open it in author mode by adding /a to the command (mmc /a). You can see this in Figure 1.
Figure 1
In figure 2, you can see that the new MMC has been opened and is ready for you to populate.
Figure 2
Once you have the MMC open, you only need to add the Security Configuration and Analysis tool. Before we do, let's go over it briefly.
Security Configuration and Analysis Snap in
Now you can set up the Security Configuration and Analysis in the Microsoft Management Console (MMC) to analyze and to configure security on a computer that is running Windows Server 2003. What the Security Configuration and Analysis does is compare the current security configuration with a security configuration that is stored in a database. To break this down into simplistic terms:
- Run the tool
- It checks your settings against a template in its database
- It reports to you where you have weaknesses
- You fix them
- Run the tool again to check
In Microsoft terms, you can create a database that contains a preferred level of security and then run an analysis that compares the current configuration to the settings in the database. Again, this is simple, as it just checks your system to verify it's locked down and hardened.
Security Configuration and Analysis includes the following features:
- Security Templates
- Security Configuration and Analysis
- Secedit command-line command
- Create the security database by using a security template.
- Compare the computer security analysis to the database settings.
Create the Security Database
Let's look at the steps required to create the initial security database. We still need to connect the Security Configuration and Analysis tool, so let's look at finishing that up. In figure 3, you can see that once you open up a new MMC, you will have the option to add in snap-ins. To do this, go to the MMC's File menu and select the Add/Remove Snap-in… option.
Figure 3
Once opened, click the Add button to bring up figure 4, where you can add your analysis tool.
Figure 4
Once you open the Add Standalone Snap-in dialog, you can select the Security Configuration and Analysis tool as seen in figure 4. Next, highlight it and click on Add. Nothing visible will happen, so click Close, and then you will see in Figure 5 that the Security Configuration and Analysis tool has been added and is ready to use. Click OK, and this will bring you back to the MMC.
Figure 5
Figure 6 shows you the snap-in added and ready to use. Directions are provided in the contents pane of the MMC. To create a database to use, right-click the Security Configuration and Analysis tool and select Open Database… as seen in figure 6.
Figure 6
Once you open the database, you will be shown the Open Database dialog box as seen in figure 7.
Figure 7
As you see in figure 7, I name logs and databases so that I can reference back to them intelligently, so here I simply use the date the database was created. Once you are done, click Open, and this will invoke Figure 8.
Figure 8
Figure 8 shows the selection of the security template that will be applied against your current configuration. In this instance, I selected securedc.inf because I want to check security on my Domain Controller. Once you select the right template, click Open.
Note: You do not have to click 'Clear this database before importing' because there are no entries in the database yet! If there were, you could select this so that the existing entries are cleared before the template is imported.
Now, you have just set up your MMC to run the Security Configuration and Analysis tool against your DC with the securedc.inf security template. This is where the analysis phase comes in now that your database has been completed.
Analyze System Security
Now that you have made the database, you need to analyze the system to populate it with all the information you will use to analyze the security posture of your Windows Server 2003 system. To compare system security with the settings in the security database, follow these steps: in the left pane, right-click Security Configuration and Analysis, and then click Analyze Computer Now as seen in figure 9.
Figure 9
Once you kick off the analysis, you will be prompted for a location for the security log. Note the location of the error log file, and then click OK.
Figure 10
Figure 11 shows you the progress of the scan; it should not take more than a minute or two to complete.
Figure 11
Once you have completed your scan, you will be presented with what looks like figure 12. Figure 12 shows the analysis that was done, arranged hierarchically.
Now, we need to dig into the analysis to see what we need to do. Although it will take you a while to sift through all the information, let's explain what it is you are looking at so you can read the analysis and work through what it is telling you.
Figure 12
Figure 13 shows you the Security Options in the MMC. There are quite a few symbols shown to you and if you are to analyze this properly, you will need to know what they stand for.
Figure 13
Table 1 gives you the explanations for the symbols you see:
Table 1
Red X: The entry is defined in the analysis database and on the system, but the security setting values do not match.
Green check mark: The entry is defined in the analysis database and on the system, and the setting values match.
Question mark: The entry is not defined in the analysis database and was not analyzed. If an entry is not analyzed, the entry may not be defined in the analysis database, or the user who is running the analysis may not have permissions to perform analysis on a specific object or area.
Exclamation point: The entry is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the system that you are analyzing.
No symbol: If no symbol appears, the entry is not defined in the analysis database or on the system.
Now that you understand these entries, take a good look at figure 13 again, or look at your own analysis for your server. Figure 14 gives another look at these symbols. In figure 14, you can see that there are question marks next to Account lockout duration and Reset account lockout counter after; on both, this simply means that the entry is not defined in the analysis database and was not analyzed. You can also see that there is a red X on the Account lockout threshold. This means that this setting (on the Windows Server 2003 system) does not match the one in the database and needs to be reviewed by you. See how easy that was?
Figure 14
Add Settings to the Database
In the case of entries missing from the database, you can add them pretty effortlessly. If a setting is not contained in the database, right-click an entry that is not defined in the database, and then click Properties. You can see this in figure 15. Remember, this only affects the database and the analysis; you are not turning on any services or changing the system when you do this, you are just telling the database to look at this setting as well.
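To make the legend in Table 1 and the "add settings to the database" step concrete, here is a small added model of the comparison the tool performs. It is illustration code, not the tool's own logic: the template fragment mimics the [System Access] section of a template such as securedc.inf, and both its values and the "current system" values are constructed.

```python
"""Model of how Security Configuration and Analysis classifies each setting.

Added illustration, not the tool's code: the template text mimics the
[System Access] section of a template such as securedc.inf, and both the
template values and the "current system" values are constructed.
"""
import configparser

# Constructed template fragment in the .inf layout used by security templates.
TEMPLATE_INF = """
[System Access]
LockoutBadCount = 5
MinimumPasswordLength = 8
PasswordHistorySize = 24
ClearTextPassword = 0
"""

# Constructed snapshot of the effective settings on the system under analysis.
# ClearTextPassword is deliberately absent to show the exclamation point case.
CURRENT_SYSTEM = {
    "LockoutBadCount": 0,
    "LockoutDuration": 30,
    "ResetLockoutCount": 30,
    "MinimumPasswordLength": 8,
    "PasswordHistorySize": 24,
}

def load_template(inf_text, section="System Access"):
    """Build the analysis database: the template's key=value pairs as ints."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written in the template
    parser.read_string(inf_text)
    return {key: int(value) for key, value in parser.items(section)}

def classify(database, system):
    """Return {setting: symbol} following the legend in Table 1."""
    symbols = {}
    for name in sorted(set(database) | set(system)):
        if name in database and name in system:
            match = database[name] == system[name]
            symbols[name] = "green check mark" if match else "red X"
        elif name in database:
            symbols[name] = "exclamation point"  # in database, missing on the system
        else:
            symbols[name] = "question mark"  # on the system, not in database: not analyzed
    return symbols

def add_to_database(database, name, value):
    """Mirror 'Add Settings to the Database': define an entry so the next run analyzes it."""
    return {**database, name: value}
```

Running classify() again after add_to_database() turns a question mark into a green check mark or a red X, which is the "fix, then run the tool again" loop described earlier.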
That's it! You have successfully set up the Security Configuration and Analysis tool, built a database, performed a scan and learned how to alter it. Now you can expand on this knowledge by looking through all the settings; whatever the Security Configuration and Analysis tool flagged, you should check out.
Figure 15
Note: Before you close the Security Configuration and Analysis tool and MMC, make sure that you save the console or you will close the MMC and have to re-add the Security Configuration and Analysis tool and so on.