======================================================================
		Security Configuration Editor
======================================================================
	(c) Copyright Microsoft Corporation, 1998

=======
Preface
=======
In addition to installation information, this readme.txt file provides
information on the basic use of SCE.  It is recommended that you print
this readme.txt file and follow the steps in section 4.0, Using SCE.

========
Contents
========
1.0 Introduction
2.0 Requirements
3.0 Installation
	3.1 To Install the SCE GUI and Command Line Tool
	3.2 To Install the SCE Command Line Tool only
4.0 Using SCE
	4.1 To load the SCE MMC Snap-in
	4.2 To Edit a predefined SCE Configuration File
	4.3 To Configure a system from the SCE UI
	4.4 To Perform a security analysis
	4.5 Using the SCE Command Line Tool
5.0 The Predefined SCE Configuration Files
	5.1 Compatible
	5.2 Secure
	5.3 High Secure
	5.4 Basic
	5.5 MS Office 97 - SR1
6.0 Further Information
7.0 Feedback

================
1.0 Introduction
================
Service Pack 4 includes support for the Microsoft Security
Configuration Editor (SCE).  SCE allows system administrators to
consolidate all security related system settings into a single
configuration file.  These security settings may then be applied to 
any number of Windows NT machines.  Sample configuration files which
implement different levels of security are also included.

SCE supports both a graphical user interface (GUI) and a command line tool.

The SCE GUI allows an administrator to
	o create and edit security configuration files
	o apply a security configuration to a system
	o perform a security analysis
	o graphically review the analysis results

The SCE command line tool is all that is needed to
	o apply a security configuration to a Windows NT system
	o perform a security analysis
		- This analysis may then be reviewed graphically
		  from a Windows NT machine that has the SCE GUI.

================
2.0 Requirements
================
The SCE GUI and command line tool require:
	o NT4-SP4.   

The SCE GUI requires:
	o Microsoft Internet Explorer 3.02 or higher
	o Microsoft Management Console 1.0 or higher


================
3.0 Installation
================
SCE is included as an optional component of Service Pack 4, thus 
updating to Service Pack 4 does not automatically install SCE.  

---------------------------------------------------------
3.1 To install the SCE GUI and command line tool
---------------------------------------------------------
1. Install Internet Explorer 3.02 or Higher
     - IE 3.02 is available on Windows NT Service Pack 3
     - IE 4.01-SP1 is available on Windows NT Service Pack 4
     - Installation of IE optional components is not necessary.

2. Install Windows NT Service Pack 4
   - Refer to the SP4 README.TXT file in the root of the SP4 CD.

3. Install SCE.
   - SCE is available on the SP4 CD in \MSSCE\<platform>
   - Run MSSCE.EXE
	- Answer Yes to install MMC as part of the SCE installation.

---------------------------------------------
3.2 To install the SCE command line tool only
---------------------------------------------
1. Install SP4
   - Refer to the SP4 README.TXT file in the root of the SP4 CD.

2. Install SCE command line tool only.
   - SCE is available on the SP4 CD in \MSSCE\<platform>
   - Run MSSCE.EXE /C

Note that a silent install is also available via the /S option.

=============
4.0 Using SCE
=============

                        ***********
                        * WARNING *
************************* ------- *******************************
* THE PREDEFINED SECURITY CONFIGURATION FILES DESCRIBED IN THIS *
* USAGE SCENARIO SHOULD NOT BE APPLIED TO PRODUCTION SYSTEMS    *
* WITHOUT PASSING COMPREHENSIVE QUALITY ASSURANCE TESTS.        *
*****************************************************************

-------------------------------
4.1 To load the SCE MMC Snap-in
-------------------------------

1. Run the Microsoft Management Console. 
   - MMC.Exe
2. Add the Security Configuration Manager Snap-in. 
   - From the Console pull-down menu, Click Add/Remove Snap-in
   - Click Add
   - Select Security Configuration Manager - OK

-----------------------------------------------
4.2 To Edit a predefined SCE Configuration File
-----------------------------------------------
1. Expand the Security Configuration Manager node
   This reveals the following folders:
	- Database: Not Loaded
	- Configurations
2. Expand the Configurations node
3. Expand the Default configuration file directory
	- %windir%\security\templates
	- The following configuration files should be revealed:

	Configuration File	Security Level	Platform
	------------------	--------------	--------
	Basicwk.inf		Default		NT4 Wksta
	Basicsv.inf		Default		NT4 Server
	Basicdc.inf		Default		NT4 DC
	Compws4.inf		Compatible	NT4 Wksta\Server
	Compdc4.inf		Compatible	NT4 DC
	Securws4.inf		Secure		NT4 Wksta\Server
	Securdc4.inf		Secure		NT4 DC
	Hisecws4.inf		High Security	NT4 Wksta\Server
	Hisecdc4.inf		High Security	NT4 DC
	Off97SR1.inf		w/ Compatible	NT4 Wksta\Server

4. Expand a specific configuration file
	- For example: securws4
	- There are seven security areas such as account policies
	  and File System settings which can be configured.
5. Highlight a specific security area
	- For example: Local Policies\Security Options
	- The configurable parameters are exposed in the result pane.
6. Double Click on a security object in the result pane
	- For Example: Message text for users attempting to log on
7. Customize the security setting for your environment
	- Enter a text string that is customized for your environment - OK
8. Save the customized configuration file
	- Right Click on the configuration file in the scope pane (securws4.inf)
	- Save or Save As to save any changes.

------------------------------------------
4.3 To configure a system from the SCE UI:
------------------------------------------
1. Click on the node Database: None
	- This activates the default database (secedit.sdb)
	- All configurations and analyses are performed against a database.
2. Right click on Database: Secedit.SDB
3. Select Import Configuration
4. Select the configuration you are interested in applying
	- Check the Overwrite existing configuration in database
	  box to remove any previous settings stored in the database.
	  The default is to append to the selected database.
	- Open
5. Right click on Database: Secedit.SDB
6. Select Configure System Now...
7. Enter the name of a file to log processing information to - OK

WARNING: Applying a secure configuration to an NT System may result
in a loss of performance and functionality.  

For example, many applications expect that all users will have Change 
(Read, Write, Execute, Delete) permissions on the root, systemroot,
and systemroot\system32 directories because this is the default Windows NT 
configuration.  Along with many other changes, the secure configuration files 
restrict these default access rights and may cause applications, which 
previously ran correctly, to fail.

----------------------------------
4.4 To perform a security analysis
----------------------------------
Before implementing the following steps, violate the security policy applied
in the previous step to see how the analysis engine highlights the violation.
For example:
	- Change the password policy using User Manager.
1. Right Click on Database: Secedit.SDB
2. Select Analyze System Now...
3. Enter the name of a file to log processing information in - OK

A progress dialog displays the security areas being analyzed.  When the
analysis has completed, the result pane highlights mismatches between actual
system settings and the settings defined in securws4.inf.
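
The comparison described above, sketched as an added example (it is not
part of SCE or of the original readme). It handles only "key = value"
template sections; the template fragment, the "actual" values and the
status labels are constructed for illustration and are not the contents
of the shipped securws4.inf.

```python
import configparser

# Constructed template fragment in security-template INF syntax; the values
# are illustrative and are NOT the contents of the shipped securws4.inf.
TEMPLATE = """\
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 6
MaximumPasswordAge = 42
LockoutBadCount = 5
"""

# Constructed "actual" settings, as if the password policy had been relaxed
# in User Manager after the configuration was applied.
ACTUAL = {"System Access": {
    "MinimumPasswordLength": "0",
    "PasswordHistorySize": "6",
    "MaximumPasswordAge": "42",
}}


def load_template(text):
    """Parse INF-style sections into {section: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}


def analyze(template, actual):
    """Return (section, key, expected, found, status) rows, one per template key."""
    rows = []
    for section, settings in template.items():
        current = actual.get(section, {})
        for key, expected in settings.items():
            found = current.get(key)
            if found is None:
                status = "NOT ANALYZED"   # no system value was collected
            elif found.strip() == expected.strip():
                status = "OK"
            else:
                status = "MISMATCH"       # system drifted from the template
            rows.append((section, key, expected, found, status))
    return rows


if __name__ == "__main__":
    for section, key, expected, found, status in analyze(load_template(TEMPLATE), ACTUAL):
        print(f"{status:<12} [{section}] {key}: template={expected} system={found}")
```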


-----------------------------------
4.5 Using the SCE Command Line Tool
-----------------------------------
SP4 also includes a command line tool (secedit.exe) for applying 
configuration files.  Typing secedit with no command line arguments 
exposes the syntax for the command line tool.

The command line tool is useful for applying predefined configuration
files to many systems using distributed systems management tools such
as Microsoft Systems Management Server.

As an example,

secedit /configure /cfg securws4.inf /areas REGKEYS FILESTORE

would apply the file system and registry security settings specified 
in the securws4.inf configuration file to the Windows NT System 
where the program is run.

==========================================
5.0 The Predefined SCE Configuration Files
==========================================
System administrators can use the supplied configuration files to
test and customize for their specific environments.  These 
configurations should not be implemented in production environments 
without passing comprehensive quality assurance measures.

The predefined security configuration files define three levels of 
security beyond the default settings.  These predefined security 
levels are described as follows:

----------------------------
5.1 Compatible Configuration
----------------------------
An improvement over the default security settings, 
the compatible configuration errs on the side of applications when 
making a tradeoff between functionality and security.

------------------------
5.2 Secure Configuration
------------------------
An improvement over the compatible security settings, the secure 
configuration errs on the side of security when making a tradeoff 
between functionality and security.

-----------------------------
5.3 High Secure Configuration
-----------------------------
The High Security configuration enforces ideal security settings for a 
Windows NT system without consideration for application functionality.  
Most existing applications will not function adequately under the 
High Secure configuration.  The intent of the High Secure configuration
is to promote the development of future "security conscious" applications.

-----------------------
5.4 Basic Configuration
-----------------------
The basic configuration files are provided as a means to "undo" the 
application of a more secure configuration.  The Basic configuration 
applies the Windows NT default settings, but does not reset the following
User Rights as they are commonly modified by application setup programs:
	- Logon as a service
	- Act as part of the operating system

It is important to note that applying the basic (default) 
configuration does not "rollback" the application of a secure 
configuration.  The default configuration files simply apply a 
different set of security settings than the secure configuration files. 

--------------------
5.5 MS Office 97-SR1
--------------------
The MS Office 97-SR1 configuration file is meant to be used in conjunction
with the compatible configuration.  It must be applied AFTER Microsoft
Office 97-SR1 is installed and provides exceptions to the compatible
configuration that allow MS Office 97-SR1 to run successfully under a
non-administrative context.


=======================
6.0 Further information
=======================
Updated information related to SCE and the predefined configuration files
will be made available at http://www.microsoft.com/security/ntprod.htm as
it becomes available.

=======================
7.0 Feedback
=======================
The version of SCE available on NT4-SP4 is a backport of technology that
will ship in NT 5.0.  To help make improvements for NT 5.0, please send
your feedback to scefeed@microsoft.com