HOW TO: Use the Secedit.sdb Database to Perform a Security Analysis in Windows Server 2003 (816119)



The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition

For a Microsoft Windows 2000 version of this article, see Q318711.

SUMMARY

This step-by-step article describes how to use the Secedit.sdb database to analyze your security settings. This analysis can identify security holes that may exist in your current configuration, and can also identify changes that will occur if you use a security template to configure your computer.

You can analyze your current settings against a baseline template at any time. This analysis is useful for several reasons:
  • To identify security holes that may exist in a current configuration.
  • To identify the changes that a security policy may make before you actually deploy the security policy.
  • To identify deviations from a policy that is currently imposed on a computer.



How to Start the Security Configuration and Analysis Snap-In

  1. Click Start, click Run, type mmc in the Open box, and then click OK.
  2. On the Console menu, click File, click Add/Remove Snap-in, and then click Add.
  3. In the list of available stand-alone snap-ins, click Security Configuration and Analysis, and then click Add.
  4. In the list of available stand-alone snap-ins, click Security Templates, and then click Add.
  5. Click Close, and then click OK.



How to Perform the Security Analysis

You can use the Secedit.sdb database to compare local security settings against Group Policy settings that are downloaded from a domain:
  1. Start Windows Explorer, and then open the WINDOWS\Security\Database folder.
  2. Make a copy of the Secedit.sdb database.

    That database contains local security settings.
  3. Quit Windows Explorer, and then switch to the Microsoft Management Console (MMC) window.
  4. Right-click Security Configuration and Analysis, and then click Open Database.
  5. Click the copy of the Secedit.sdb file that you created in the WINDOWS\Security\Database folder, and then click Open.

    Note that you receive an error message if you try to load the original Secedit.sdb file.
  6. Right-click Security Configuration and Analysis, and then click Analyze Computer Now.
  7. In the Error log file path box, type C:\WINDOWS\Security\Logs\Mysecure.log.

    NOTE: If Windows Server 2003 is installed in a folder other than the C:\WINDOWS folder, modify the path that you type to match your installation.
  8. Click OK. After the analysis is complete, the security areas are available under the Security Configuration and Analysis node.



How to View the Results

  1. In the left pane, expand the Security Configuration and Analysis node.
  2. Click the Description bar to expose the database with which you are working. If the Description bar is not visible, click Customize on the View menu, and then click to select the Description bar check box.
  3. Expand the Local Policies node, and then click Security Options.

    Notice that both the database setting and the actual system setting are displayed in the right pane for each object.
    • Differences are marked with a red flag.
    • Consistencies are marked with a green check mark.
    • If there is no flag or check mark, the security setting is not specified in the security database.


    You can double-click any setting to investigate differences.
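
The copy-and-analyze steps above can also be run from a command prompt with the secedit command-line tool. The batch file below is an added example, not part of the original article; the copy's file name (secedit-analysis.sdb) is hypothetical, and the "Mismatch" search string is an assumption about how the analysis log words a difference.

```bat
@echo off
rem Added example: command-line counterpart of the copy-and-analyze steps.
setlocal

rem %SystemRoot% follows the installation folder, so the paths stay
rem correct when Windows is not installed in C:\WINDOWS.
set "DBDIR=%SystemRoot%\Security\Database"
set "COPYDB=%DBDIR%\secedit-analysis.sdb"
set "LOGFILE=%SystemRoot%\Security\Logs\Mysecure.log"

rem Work on a copy of the database, as in the MMC procedure.
rem secedit-analysis.sdb is a hypothetical name chosen for this example.
copy /y "%DBDIR%\secedit.sdb" "%COPYDB%" >nul
if errorlevel 1 (
  echo Could not copy secedit.sdb. Run this from an administrator account.
  exit /b 1
)

rem Analyze the computer against the configuration stored in the copy.
rem No /cfg template is given, so the database's own settings are used.
secedit /analyze /db "%COPYDB%" /log "%LOGFILE%" /quiet
if errorlevel 1 echo secedit returned %errorlevel%; review "%LOGFILE%".

rem Assumption: settings that differ are logged on lines that contain
rem the word "Mismatch". Piping through type also handles a log that
rem was written as Unicode.
echo Settings that differ from the database:
type "%LOGFILE%" | findstr /i /c:"Mismatch"
if errorlevel 1 echo No lines containing "Mismatch" were found in the log.

endlocal
```

The copied database can still be opened in the Security Configuration and Analysis snap-in afterward to inspect each setting with the flag and check mark view.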



Modification Type: Major
Last Reviewed: 11/19/2003
Keywords: kbSecurityServices kbinfo kbhowto KB816119