Security analysis and configuration for Windows XP
2004-8-18  Author: Liu Hui  Source: NEW YORK Network Security

Once the appropriate security templates have been modified, security analysis and configuration can be performed with the Security Configuration and Analysis snap-in or with the command-line tool. This process can be performed when the security template is applied to the local system.

Warning: Applying security templates to Windows XP systems may cause loss of performance and functionality.

Loading the Security Configuration and Analysis snap-in into MMC

To load the Security Configuration and Analysis snap-in in MMC:
1. Run Microsoft Management Console (mmc.exe)
2. Select Console - Add/Remove Snap-in
3. Click Add
4. Select Security Configuration and Analysis
5. Click Add
6. Click Close
7. Click OK

To avoid reloading the required snap-ins the next time MMC is used, save the console settings:
1. In the Console menu, select Save. By default, the file is saved in the Administrative Tools menu of the currently logged-in user.
2. Enter the name of the console you want to save

From then on, the saved console can be opened directly from Start - All Programs - Administrative Tools.

Note: Several different snap-ins can be loaded into MMC. For example, the Security Templates and Security Configuration and Analysis snap-ins can be loaded together and the console saved for later use.

Security configuration databases

The Security Configuration and Analysis snap-in uses a database to store analysis or configuration settings. To open an existing database or create a new one using the GUI:
1. In MMC, right-click the Security Configuration and Analysis node
2. Select Open Database
3. Enter the name of an existing database or of the new database
4. Click Open

Note: It is recommended to create a new database each time a new configuration or analysis is performed.

Configuration files can be imported into the database as follows. If the name of a new database was entered when the database was opened, the user is automatically prompted for the configuration file to import. Otherwise:
1. Right-click the Security Configuration and Analysis node in the left panel of MMC
2. Select Import Template
3. In the dialog box, select the INF file to import
4. Select the option that clears the database before importing, to delete any data saved in the database (see Figure 10)
5. Click Open

Note: An import can either append to or overwrite the database information imported previously; the default is to append. If the user does not want to combine the configuration information of several imports, the Clear Database option must be selected before the template is imported.

Warning: To avoid confusion and mixing of configuration files, it is recommended to select this option each time a new analysis or configuration is performed.

secedit command line options

Secedit.exe, which was introduced in Chapter 2, is a useful tool for performing security analysis and configuration from the command line, from batch files and/or from scheduled tasks. The parameters available for system analysis and configuration with secedit are:

secedit {/analyze | /configure} [/cfg filename] [/db filename] [/log logPath] [/verbose] [/quiet] [/overwrite] [/areas Areas]

Table 15 explains all the parameters of secedit.exe.

Parameter        Description

/analyze         Performs an analysis.

/configure       Performs a configuration.

/cfg filename    Path of the configuration file that is appended to the database before the analysis.

/db filename     Path of the database that secedit performs the security analysis against. If this parameter is not specified, the database last used for configuration or analysis is used by default. If no database has been used yet, the default %SystemRoot%\Security\Database\secedit.sdb is used.
                 Note: It is recommended to create a new database each time a new security analysis or configuration is performed.

/log logPath     Path of the log file. If it is not specified, progress is displayed in the console.
                 Note: Log information is appended to the specified log file. If no log file has been created yet, the user must enter a log file name.

/verbose         Displays detailed processing information.

/quiet           Suppresses screen and log output.

/overwrite       Overwrites the existing database with the specified configuration information.
                 Note: The configuration file can either be appended to or overwrite the database information created previously; the default is to append. Use the /overwrite parameter to overwrite the current database.
                 Warning: To avoid confusion and mixing of configuration files, it is recommended to select this option each time a new analysis or configuration is performed.

/areas Areas     Only applies together with the /configure parameter. Specifies the security areas to process. The available security areas are:
                 SECURITYPOLICY - Local policy and domain policy of the system, including account policies, audit policies, etc.
                 GROUP_MGMT - Restricted group policies
                 USER_RIGHTS - User rights assignment
                 DSOBJECTS - Directory object security
                 REGKEYS - Security permissions on local registry keys
                 FILESTORE - Security permissions on the local file system
                 SERVICES - Security configuration of all defined services

Table 15 SECEDIT Command Line Parameters

Note: The secedit /refreshpolicy parameter (used to force a Group Policy update) is available in Windows NT and Windows 2000, but can no longer be used in Windows XP. It has been replaced by the gpupdate.exe command-line tool.

Security analysis

A security analysis is performed against a database, and the baseline is determined by the configuration file imported into that database. The security settings in the configuration file are compared with the security settings of the current system, and the results are saved back to the database. The baseline settings are based on the current system, and the configuration information can also be modified in light of the analysis results.
Modified configuration information can be exported to a configuration file for other purposes.

Security analysis using the command-line tool

To perform a security analysis from the command line, run the following command in a command prompt window:

secedit /analyze [/cfg filename] [/db filename] [/log logpath] [/verbose] [/quiet] [/overwrite] [>> results_file]

results_file is the name of a file that receives the analysis results, which is especially important for reviewing the results of the analysis. If >> results_file is omitted, the output is displayed on the screen.

Security analysis using the GUI

Figure 11 shows an example of a security analysis performed with the Security Configuration and Analysis snap-in. To run the analysis from the GUI:
1. Right-click the database node
2. Select Analyze Computer Now...
3. Enter the file path of the error log
   Note: Log information is appended to an existing log file, so to write the log to a new file, specify the name of a new file.
4. Click OK

Configuring the system

During configuration, errors may occur because specific files or registry keys that exist in the INF configuration file are not present on the system. This is no cause for concern: the INF file automatically attempts to restore the parts of the system that do not comply with the configuration file.

Configuring the system using the command-line tool

To configure all available security options at one time:

secedit /configure [/cfg filename] [/db filename] [/log logpath] [/verbose] [/quiet] [/overwrite] [/areas areas]

Warning: Failing to enter a new database name before configuring, or to use the /overwrite parameter, may cause unpredictable behavior. For example, the imported configuration file may be mixed with other files and report unexpected analysis results.
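
The command syntax and the recommendations above (a new database for each run, /overwrite, and /areas only together with /configure), as an added example that is not part of the original article: a Python helper that builds the secedit argument list and rejects invalid combinations. The function names, the database file-name pattern and the sample paths are assumptions made for this illustration; the area names are those of Table 15.

```python
import os
import time

# Security areas listed in Table 15 for the /areas parameter.
AREAS = {"SECURITYPOLICY", "GROUP_MGMT", "USER_RIGHTS", "DSOBJECTS",
         "REGKEYS", "FILESTORE", "SERVICES"}


def fresh_db_path(db_dir, now=None):
    """Return a database path that does not exist yet (one new database per run)."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.localtime(now))
    n = 0
    while True:
        path = os.path.join(db_dir, f"secedit-{stamp}-{n}.sdb")  # hypothetical pattern
        if not os.path.exists(path):
            return path
        n += 1


def build_secedit(action, template, db_path, log_path, areas=()):
    """Build the secedit argument list, enforcing the article's recommendations."""
    if action not in ("analyze", "configure"):
        raise ValueError("action must be 'analyze' or 'configure'")
    if not template.lower().endswith(".inf"):
        raise ValueError("template must be an .inf security template")
    areas = [a.upper() for a in areas]
    if areas and action != "configure":
        raise ValueError("/areas is only valid together with /configure")
    unknown = sorted(set(areas) - AREAS)
    if unknown:
        raise ValueError("unknown security area(s): " + ", ".join(unknown))
    # /overwrite: replace, rather than append to, whatever the database holds.
    argv = ["secedit", "/" + action, "/cfg", template, "/db", db_path,
            "/log", log_path, "/overwrite", "/verbose"]
    if areas:
        argv += ["/areas"] + areas
    return argv


if __name__ == "__main__":
    # Constructed sample paths; on Windows, pass the list to subprocess.run().
    db = fresh_db_path(os.getcwd())
    log = db[:-4] + ".log"
    print(build_secedit("analyze", r"C:\templates\baseline.inf", db, log))
    print(build_secedit("configure", r"C:\templates\baseline.inf", db, log,
                        areas=["securitypolicy", "user_rights"]))
```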