Security Configuration Editor

Service Pack 4 includes support for the Microsoft Security Configuration Editor (SCE).  SCE is a Microsoft Management Console (MMC) snap-in component that allows system administrators to consolidate all security related system settings into a single configuration file.  These security settings may then be applied to any number of Windows NT machines.  Sample configuration files are also included for securing a Windows NT system and for applying the default settings to a Windows NT System.

SCE is included as an optional component of Service Pack 4, thus updating to Service Pack 4 does not automatically install SCE.  

To install SCE from the SP4 CD:
-------------------------------
- If it hasn't been done, install Service Pack 4. Refer to the SP4 README.TXT file in the root of the SP4 CD.

- Install Internet Explorer 4.01.  IE 4.01 is available on the SP4 CD in \MSIE401.SP1\i386 (an Alpha version is also available under \MSIE401.SP1\Alpha):

	1. IE4SETUP.EXE

- Install SCE.  The SCE Setup program is available on the SP4 CD in \MSSCE\I386 (an Alpha version is also available under \MSSCE\Alpha):

	2. MSSCE.EXE

To install the SCE MMC Snap-in:
-------------------------------

- Run the Microsoft Management Console.  At a command line, enter:
	1. MMC.EXE
- Add the Security Configuration Editor Snap-in:
	2. From the Console pull-down menu, click ADD/REMOVE SNAP-INS.
	3. Click ADD.
	4. Select SECURITY CONFIGURATION EDITOR from the list of available Snap-ins.
	5. Click OK.

Expand the Security Configuration Editor management node to reveal the following folders:
	1. Last Configuration/Inspection
		- For configuring or analyzing the security of the local machine.
	2. Configuration/Inspection Templates
		- For creating and modifying configuration files which can then be used for configuration or analysis.

To work with SCE Configuration Files:
-------------------------------------

Expand the Configuration/Inspection Templates folder, then expand the default configuration file path (C:\Winnt\Security\Templates).

SP4 includes four configuration files for you to experiment with:

	DefltDC4.Inf	- Specifies default Windows NT Domain Controller security settings.

	DefltWS4.Inf	- Specifies default Windows NT Workstation\Server security settings.

	SecurDC4.Inf	- Specifies stronger security settings for Windows NT Domain Controllers, including recommendations in the Securing Windows NT Installation whitepaper (http://www.microsoft.com/ntserver/guide/secure_ntinstall.asp).

	SecurWS4.Inf	- Specifies stronger security settings for Windows NT Servers and Workstations, including recommendations in the Securing Windows NT Installation whitepaper (http://www.microsoft.com/ntserver/guide/secure_ntinstall.asp).

NOTE: Work with the configuration files that correspond to the role of the machine you are working on.  For example, if you are running SCE on an NT Workstation or Standalone Server, work with the DefltWS4.inf and SecurWS4.inf configurations.  The reason for this is that these configuration files reference built-in groups (e.g. Power Users) which do not exist on Domain Controllers.  Similarly, the Domain Controller configuration files reference built-in groups which do not exist on Workstations.

Expand a specific configuration to reveal the different security areas which can be configured.  Highlight a specific area to expose the security settings in the result pane.

Double-clicking a security object in the result pane will allow you to configure the security settings for that object.

Right-click on a configuration file to save any changes.

To perform a security analysis against a base configuration file:
-----------------------------------------------------------------
	1. Right click on Last Configuration/Inspection
	2. Select Assign Configuration to specify the base configuration file
		- Sample configuration files are located in %windir%\security\templates
	3. Right click on Last Configuration/Inspection
	4. Select Perform Inspection

To configure a system from the SCE MMC UI:
------------------------------------------
	1. Right click on Last Configuration/Inspection
	2. Select Assign Configuration to specify the configuration you are interested in applying
		- Sample configuration files are located in %windir%\security\templates
	3. Right click on Last Configuration/Inspection
	4. Select Configure

WARNING: Applying a secure configuration to an NT System may result in a loss of performance and functionality.  For example, many applications expect that all users will have Change (Read, Write, Execute, Delete) permissions on the root, systemroot and systemroot\system32 directories, because this is the default Windows NT configuration.  Along with many other changes, the secure configuration files restrict these default access rights and may cause applications that previously ran correctly to fail.

It is also important to note that applying a default configuration does not "roll back" the application of a secure configuration.  The default configuration files simply apply a different set of security settings than the secure configuration files.  The security settings of the default profiles are based on the default security settings that Windows NT applies during setup.

SCE Command Line Tool
-------------------------------
SP4 also includes a command line tool (secedit.exe) for applying configuration files.  Typing secedit with no command line arguments exposes the syntax for the command line tool:

secedit /configure [/scppath scppath ] [/areas areas] [/sadpath sadpath ] [/log logpath] [/verbose] [/quiet] [/append] [/validate scppath]

where:

	/configure 		- specifies that you want to apply security settings to the system.

	/scppath scppath	- specifies the path and filename of the security configuration file that is to be applied or appended.  If not specified, the configuration contained in the security configuration database is applied.

	/sadpath sadpath 	- specifies the path where the security configuration database should be created.  The default is %systemroot%\security\database\secedit.ese.  This database is used primarily for performing security analysis.

	/areas areas		- defines the security areas to be configured.  Supported areas include: SECURITYPOLICY, GROUP_MGMT, USER_RIGHTS, REGKEYS, FILESTORE, SERVICES.

	/log logpath 		- specifies the path and filename where errors will be logged.

	/verbose		- adds progress information to the log.

	/quiet			- suppresses console and log output.

	/append			- settings in the specified configuration file are appended to the current database configuration, then applied.

	/validate scppath	- verifies the syntax of a configuration file.

For example,

secedit /configure /scppath securws4.inf /areas REGKEYS FILESTORE

would apply the file system and registry security settings specified in the securws4.inf configuration file to the Windows NT system on which the program is run.
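The following batch file is an added example, not part of the SP4 README or of the secedit tool itself: it wraps the command above so that a template is syntax-checked with /validate before /configure touches the system, only the REGKEYS and FILESTORE areas are applied, and a verbose log is kept for review in light of the WARNING above.  It assumes secedit.exe is on the PATH, that %TEMP% exists, and that secedit sets a non-zero ERRORLEVEL on failure (neither exit-code behaviour nor the script name apply-sce.cmd is documented on this page).

```batch
@echo off
rem apply-sce.cmd - constructed example, not part of the SP4 README.
rem Usage: apply-sce.cmd template.inf
rem Assumption: secedit.exe returns a non-zero ERRORLEVEL on failure.

if "%1"=="" goto usage
set TEMPLATE=%1
set LOGFILE=%TEMP%\apply-sce.log

rem Step 1: check the template syntax first, using the /validate form
rem shown in the syntax line above; a malformed file never reaches
rem the real /configure run.
secedit /configure /validate %TEMPLATE%
if errorlevel 1 goto badtemplate

rem Step 2: apply only the registry and file-system areas (as in the
rem README's own example), writing progress to a log so that every
rem permission change can be audited before the machine is rebooted.
secedit /configure /scppath %TEMPLATE% /areas REGKEYS FILESTORE /log %LOGFILE% /verbose
if errorlevel 1 goto failed

echo Applied %TEMPLATE%.  Review %LOGFILE% before rebooting.
goto end

:badtemplate
echo %TEMPLATE% failed syntax validation; nothing was applied.
goto end

:failed
echo secedit reported an error while configuring; see %LOGFILE%.
goto end

:usage
echo Usage: %0 template.inf

:end
```

Run it against a copy of securws4.inf on a test machine first, since the restricted file-system permissions it applies are not rolled back by later applying defltws4.inf.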

For further information on SCE, please visit http://www.microsoft.com/security/ntprod.htm
