October 01, 1998 12:00 AM

Service Pack 4's New Security Configuration Editor

Windows IT Pro
InstantDoc ID #3842
The birth of a comprehensive security configuration and analysis tool in NT

When you manage an operating system's (OS's) security, you face two basic tasks: securing the system and making sure the system remains secure. For Windows NT administrators, the first task--configuring the security parameters of an NT system--hasn't been easy. Administrators have needed to employ the User Manager, NT Explorer, and a registry editor to adjust various aspects of overall system security. And even after administrators finally configure security just the way they want it, to ensure that the system remains secure, they've needed to manually inspect the system with the same three utilities, or with a third-party add-on tool.

Although you can use NT's built-in utilities to manage security, the task is tedious because NT lacks a centralized security configuration interface. Security settings in NT are spread far and wide, and many tools are necessary to adjust and review each setting. However, Microsoft now has a solution to these security configuration woes in Security Configuration Editor (SCE) for NT 4.0. SCE is a Microsoft Management Console (MMC) snap-in in Service Pack 4 (SP4) that consolidates most of NT's sensitive basic security settings in one simple interface, virtually eliminating the need to use separate administration tools. By rolling several utility functions into one snap-in, Microsoft has created the strong beginning of a comprehensive security configuration and analysis tool. Although MMC is already part of NT 4.0, SCE is slated to ship in SP4 for NT 4.0 (SP4 remains in beta at press time) and will be standard in NT 5.0 when Microsoft releases that OS.

A Template for Security
SCE's overall concept is simple. SCE is a template-based security editor capable of three basic functions: configuring security templates, applying a security template's settings to an NT system, and inspecting the security settings of an NT system by comparing those settings to the contents of a security template. SCE does not introduce new NT security parameters but instead organizes existing security parameters (including most of those introduced through service packs and hotfixes) into one easy-to-use interface for speedy configuration and analysis. SCE acts as both a security configuration tool and a check-and-balance analysis tool. Using SCE, you can configure a security template, then apply that template to the system. Templates contain most of the sensitive system settings you'd usually adjust, and you save the templates to disk in a secured directory SCE uses.

Microsoft predefines template contents, which are static and contain an almost complete set of security parameters that cover most aspects of basic NT security. I say almost complete, because the SCE version I tested is an early beta copy and is not feature-complete. For example, in the SCE beta version, the user rights you usually find under User Manager are listed in SCE for easy editing; however, the SCE list doesn't contain all the advanced rights you usually find in User Manager. In addition, the SCE templates don't contain all the specialized changes you might make to an NT system that is exposed to the Internet: for instance, blocking NetBIOS ports 137, 138, and 139 on the Internet-exposed network interface.

As you can see in the SCE Console in Screen 1, SCE has two top-level trees: Last Configuration/Inspection and Configuration/Inspection Templates. The Last Configuration/Inspection tree reveals all the current security configuration settings. After SCE performs an inspection, the Last Configuration/Inspection tree clearly identifies which settings do not match a particular security template.

The Configuration/Inspection Templates tree is a list of security templates and their associated settings, which you use for configuring and inspecting system security. You set system security by adjusting each item in a template, then instructing SCE to reconfigure NT by applying that template to the system. I'll walk you through step-by-step configuration and analysis shortly. First, let's examine SCE templates.

What's in a Template, Anyway?
An SCE template is a collection of system security parameters (which, as I've already noted, you usually view and change by using Explorer, User Manager, and a Registry editor) that NT arranges as a hierarchical tree containing various nodes, subnodes, and items. SCE nodes are Account Policies, Local Policies, Event Log, Restricted Groups, System Service, Registry, and File System. Both the Last Configuration/Inspection and Configuration/Inspection Templates trees contain these nodes. Each SCE node contains a variety of associated subnodes and items that you can adjust as necessary. Let's take a quick look at each of these nodes and their basic overall contents.

The Account Policies node contains two subnodes--Password Policies and Lockout Policies--that are usually found within User Manager. Local Policies contains the subnodes Audit Policies, User Rights Assignment, and Security Options. You usually find Audit Policies and User Rights Assignments within User Manager, and you find Security Options as individual Registry keys when you use a registry editor. The Event Log node contains the subnode Log Settings, which you usually adjust using Event Viewer.
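The inspection function described above (comparing a system's settings with a template and flagging the items that do not match) can be illustrated with an added example that is not SCE code and not from the article. Only the node and subnode names come from the text; the INI layout, item names and values are constructed assumptions and do not reproduce SCE's template file format.

```python
import configparser

# Constructed sample data. Section names reuse the node/subnode names from the
# article; item names, values and this INI layout are assumptions, not SCE's
# own template file format.
TEMPLATE = """
[Account Policies/Password Policies]
Minimum password length = 8
Password uniqueness = 6
[Account Policies/Lockout Policies]
Lockout after bad attempts = 5
[Local Policies/Audit Policies]
Audit logon failures = enabled
[Event Log/Log Settings]
Maximum security log size KB = 4096
"""
CURRENT = """
[Account Policies/Password Policies]
Minimum password length = 6
Password uniqueness = 6
[Account Policies/Lockout Policies]
Lockout after bad attempts = 5
[Local Policies/Audit Policies]
Audit logon failures = Enabled
[Local Policies/Security Options]
Hypothetical extra option = 1
"""

def load(text):
    """Parse INI-style text into {(node_path, item): value}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep item names exactly as written
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp[s].items()}

def inspect_system(template_text, current_text):
    """Check every template item against the system; other items are ignored."""
    template, current = load(template_text), load(current_text)
    report = []
    for (node, item), expected in sorted(template.items()):
        actual = current.get((node, item))
        # Assumption of this example: values are compared case-insensitively.
        status = ("NOT CONFIGURED" if actual is None else
                  "OK" if actual.casefold() == expected.casefold() else "MISMATCH")
        report.append((node, item, expected, actual, status))
    return report

if __name__ == "__main__":
    for node, item, expected, actual, status in inspect_system(TEMPLATE, CURRENT):
        print(f"{status:15} {node} / {item}: template={expected} system={actual}")
```

The template alone decides what is inspected, so a setting that exists on the system but not in the template never appears in the report.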

Comments
  • Charles Raiford
    12 years ago
    Aug 20, 2000

    The Security Configuration Manager is available via ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/scm/ and information is available through KB Q195227.

  • Mark Joseph Edwards
    13 years ago
    Aug 06, 1999

    Unfortunately, Microsoft opted not to make the Security Configuration Manager (formerly SCE) available in the downloadable versions of SP4, nor is the tool available anywhere on the Web. The only way to get the Security Configuration Manager is to order the CD-ROM version of SP4.

    --Mark Joseph Edwards

  • Thomas Church
    13 years ago
    Aug 06, 1999

    In reference to Mark Joseph Edwards’ “Service Pack 4’s New Security Configuration Editor,” I installed SP4 on my NT Server system, but it didn’t install the MMC snap-in. I’m assuming that the reason is because I downloaded the optimized version of SP4. Is it true that this process installs only necessary files pertaining to security issues?

    --Thomas Church

  • Ken Johnson
    13 years ago
    Aug 06, 1999

    In “Service Pack 4’s New Security Configuration Editor” (October 1998), Mark Joseph Edwards described a new Microsoft Management Console (MMC) snap-in, Security Configuration Editor (SCE). I thought the article mentioned that Microsoft was scheduling SCE to ship with NT 4.0’s Service Pack 4 (SP4). Did I misread the article, or can I just not find the snap-in? Or, more likely, did Microsoft pull the product for more testing?

    --Ken Johnson

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.