In this article we will look at demystifying the basic analysis of a Windows Server 2003 system's security posture. Too often, administrators seem unsure how to run an initial security analysis on a newly built Windows Server 2003 (or Windows 2000, for that matter). Here we will look at how to do this very quickly and easily on Windows Server 2003, covering the steps needed to create the security database and run the analysis against your system.
Security Configuration and Analysis MMC
With Windows Server 2003, you can create a new MMC that hosts the security analysis functionality. Before we begin, let's make sure you understand what an MMC is. The MMC (Microsoft Management Console) should already be familiar to you, as it was introduced back in Windows NT with older versions of IIS. Since then, Windows 2000 and 2003 have used this console for just about every service available within Windows. You can create a new console by opening the Run dialog from the Start menu and typing:
mmc
This will open a new, empty console. You can also open it in author mode by typing mmc /a instead. You can see this in Figure 1.
Figure 1
In Figure 2, you can see that the new MMC has been opened and is ready for you to populate.
Figure 2
Once you have the MMC open, you only need to add the Security Configuration and Analysis tool. Before we do, let's go over it briefly.
Security Configuration and Analysis Snap-in
Now you can set up Security Configuration and Analysis in the Microsoft Management Console (MMC) to analyze and configure security on a computer running Windows Server 2003. What Security Configuration and Analysis does is compare the current security configuration with a security configuration stored in a database. To break this down into simple terms:
- Run the tool
- It checks your settings against a template in its database
- It reports to you where you have weaknesses
- You fix them
- Run the tool again to check
Simple, right? Now that you know this, let's look at some more details and how to set it up and run it.
In Microsoft's terms, you create a database that contains a preferred level of security and then run an analysis that compares the current configuration to the settings in the database. Again, this is simple: it just checks your system to verify that it is locked down and hardened.
Security Configuration and Analysis includes the following features:
To analyze the security configuration of your computer, you must perform the following two steps:
- Create the security database by importing a security template into it
- Analyze the computer against the settings in that database
In this article we will look at these steps in great detail so that
you completely know how to run this tool and get your security analysis
information.
Create the Security Database
Let's look at the steps required to create the initial security database. We still need to add the Security Configuration and Analysis tool to the console, so let's finish that first:
In figure 3, you can see that once you open up a new MMC, you will
have the option to add in snap ins. To do this, go to the MMC's File
menu and select the Add/Remove Snap-In… option.
Figure 3
Once the dialog opens, click the Add button to bring up the Add Standalone Snap-in dialog shown in Figure 4, where you can add your analysis tool.
Figure 4
In the Add Standalone Snap-in dialog, select the Security Configuration and Analysis tool as seen in Figure 4. Highlight it and click Add. Nothing visible will happen, so click Close; as Figure 5 shows, the Security Configuration and Analysis tool has now been added and is ready to use. Click OK and you will be brought back to the MMC.
Figure 5
Figure 6 shows the snap-in added and ready to use. Directions are provided in the contents pane of the MMC. To create a database, right-click the Security Configuration and Analysis tool and select Open Database…, as seen in Figure 6.
Figure 6
Once you open the database, you will be shown the Open Database dialog box as seen in figure 7.
Figure 7
As you see in Figure 7, I name logs and databases so that I can refer back to them intelligently, so here I simply use the date the database was created. Once you are done, click Open, which brings up the dialog in Figure 8.
Figure 8
Figure 8 shows the selection of the security template that will be compared against your current configuration. In this instance I selected securedc.inf because I want to check security on my Domain Controller. Once you select the right template, click Open.
Note: You do not have to tick 'Clear this database before importing' because there are no entries in the database yet. If there were, you could select it so that the database is cleared before the template is imported.
Now, you have just set up your MMC to run the Security Configuration
and Analysis tool against your DC with the securedc.inf security
template. This is where the analysis phase comes in now that your
database has been completed.
Analyze System Security
Now that you have made the database, you need to analyze the system
to populate it with all the cool information you will use to analyze the
security posture of your Windows Server 2003 system.
To compare system security with the settings in the security
database, follow these steps: In the left pane, right-click Security
Configuration and Analysis, and then click Analyze Computer Now as seen
in figure 9.
Figure 9
Once you kick off the analysis, you will be prompted for a location for the security log. Note the location of the error log file, and then click OK.
Figure 10
Figure 11 shows the progress of the scan; it should not take more than a minute or two.
Figure 11
Once you have completed your scan, you will be presented
with what looks like figure 12. Figure 12 shows the analysis that was
done hierarchically.
Figure 12
Now we need to dig into the analysis to see what we need to do. Although it will take you a while to sift through all the information, let's explain what you are looking at so you can read the analysis and work through what it is telling you.
Figure 13 shows you the Security Options in the MMC. There are quite a
few symbols shown to you and if you are to analyze this properly, you
will need to know what they stand for.
Figure 13
Table 1 gives you the explanations for the symbols you see:
Table 1
Symbol | Explanation
Red X | The entry is defined in the analysis database and on the system, but the security setting values do not match
Green check mark | The entry is defined in the analysis database and on the system, and the setting values match
Question mark | The entry is not defined in the analysis database and was not analyzed. If an entry is not analyzed, it may not be defined in the analysis database, or the user running the analysis may not have permission to analyze that object or area
Exclamation point | The entry is defined in the analysis database but does not exist on the actual system. For example, a restricted group may be defined in the analysis database but not exist on the system you are analyzing
No symbol | The entry is not defined in the analysis database or on the system
Now that you understand these entries, take a good look at Figure 13 again, or look at your own analysis for your server. Figure 14 gives another look at these symbols. There you can see question marks next to Account lockout duration and Reset account lockout counter after; on both, this simply means that the entry is not defined in the analysis database and was not analyzed. You can also see a red X on Account lockout threshold. This means that this setting on the Windows Server 2003 system does not match the one in the database and needs to be reviewed by you. See how easy that was?
Figure 14
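The MMC steps above, from opening a dated database and importing securedc.inf through Analyze Computer Now and reading the red X and question mark results, have a command-line counterpart in secedit.exe, which ships with Windows Server 2003. The script below is an added example and not part of the original article; it assumes PowerShell is installed on the server, that it runs elevated, that the working folder C:\SecAnalysis is free to use, and that the words 'Mismatch' and 'Not Configured' are what secedit writes in its analysis log (confirm against one log by hand before relying on the counts).

```powershell
# Added example: scripted counterpart of the MMC walkthrough (not from the article).
# Assumes PowerShell is installed on the Windows Server 2003 host and runs elevated.
param(
    # Stock template the article uses for a domain controller.
    [string]$Template = (Join-Path $env:windir 'security\templates\securedc.inf'),
    # Working folder for the database and log; my choice, not a Windows default.
    [string]$WorkDir  = 'C:\SecAnalysis'
)

if (-not (Test-Path $Template)) { throw "Template not found: $Template" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Name the database and log by date, as the article does in the Open Database dialog.
$stamp = Get-Date -Format 'yyyy-MM-dd'
$db    = Join-Path $WorkDir "$stamp.sdb"
$log   = Join-Path $WorkDir "$stamp-analysis.log"

# Open Database, template selection and Analyze Computer Now in one call:
# /cfg imports the template into the .sdb, /analyze compares the live system to it.
# /overwrite is the 'Clear this database before importing' box; it is only wanted
# when the .sdb already exists and holds settings from an earlier run.
if (Test-Path $db) {
    & secedit.exe /analyze /db $db /cfg $Template /overwrite /log $log /quiet
} else {
    & secedit.exe /analyze /db $db /cfg $Template /log $log /quiet
}
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit exited with code $LASTEXITCODE; see $log" }

# The log is the text counterpart of the MMC icons. The two keywords below are an
# assumption about secedit's log wording; confirm them against one log by hand.
$lines     = Get-Content $log
$mismatch  = @($lines | Where-Object { $_ -match 'Mismatch' })
$undefined = @($lines | Where-Object { $_ -match 'Not Configured' })

'{0,-45} {1}' -f 'Mismatch (red X in the MMC):',               $mismatch.Count
'{0,-45} {1}' -f 'Not configured (question mark in the MMC):', $undefined.Count

# Mismatches are the settings the article says need your attention first.
$mismatch | ForEach-Object { "  $_" }
```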
Add Settings to the Database
If a setting is missing from the database, you can add it pretty effortlessly. To do so, right-click an entry that is not defined in the database, and then click Properties. You can see this in Figure 15. Remember, this only affects the database and the analysis; you are not turning on any services or changing the system when you do this, you are just telling the database to look at this setting as well.
Figure 15
That's it! You have successfully set up the Security Configuration and Analysis tool, built a database, performed a scan and learned how to alter the database. Now you can expand on this knowledge by looking through all the settings, and you should check out whatever the Security Configuration and Analysis tool flagged.
Note: Before you close the Security Configuration and Analysis tool and the MMC, make sure that you save the console; otherwise you will have to re-add the Security Configuration and Analysis tool and repeat the setup next time.