======================================================================
                     Security Configuration Editor
======================================================================

(c) Copyright Microsoft Corporation, 1998

=======
Preface
=======

In addition to installation information, this readme.txt file provides
information on the basic use of SCE. It is recommended that you print
this readme.txt file and follow the steps in section 4.0, Using SCE.

========
Contents
========

1.0 Introduction
2.0 Requirements
3.0 Installation
    3.1 To Install the SCE GUI and Command Line Tool
    3.2 To Install the SCE Command Line Tool only
4.0 Using SCE
    4.1 To load the SCE MMC Snap-in
    4.2 To Edit a predefined SCE Configuration File
    4.3 To Configure a system from the SCE UI
    4.4 To Perform a security analysis
    4.5 Using the SCE Command Line Tool
5.0 The Predefined SCE Configuration Files
    5.1 Compatible
    5.2 Secure
    5.3 High Secure
    5.4 Basic
    5.5 MS Office 97 - SR1
6.0 Further Information
7.0 Feedback

================
1.0 Introduction
================

Service Pack 4 includes support for the Microsoft Security Configuration
Editor (SCE). SCE allows system administrators to consolidate all security
related system settings into a single configuration file. These security
settings may then be applied to any number of Windows NT machines. Sample
configuration files which implement different levels of security are also
included.

SCE supports both a graphical user interface (GUI) and a command line tool.

The SCE GUI allows an administrator to

  o create and edit security configuration files
  o apply a security configuration to a system
  o perform a security analysis
  o graphically review the analysis results

The SCE command line tool is all that is needed to

  o apply a security configuration to a Windows NT system
  o perform a security analysis
    - This analysis may then be reviewed graphically from a Windows NT
      machine that has the SCE GUI.
================
2.0 Requirements
================

The SCE GUI and command line tool require:

  o NT4-SP4.

The SCE GUI requires:

  o Microsoft Internet Explorer 3.02 or higher
  o Microsoft Management Console 1.0 or higher

================
3.0 Installation
================

SCE is included as an optional component of Service Pack 4, thus updating
to Service Pack 4 does not automatically install SCE.

------------------------------------------------
3.1 To install the SCE GUI and command line tool
------------------------------------------------

1. Install Internet Explorer 3.02 or Higher
   - IE 3.02 is available on Windows NT Service Pack 3
   - IE 4.01-SP1 is available on Windows NT Service Pack 4
   - Installation of IE optional components is not necessary.

2. Install Windows NT Service Pack 4
   - Refer to the SP4 README.TXT file in the root of the SP4 CD.

3. Install SCE.
   - SCE is available on the SP4 CD in \MSSCE\
   - Run MSSCE.EXE
   - Answer Yes to install MMC as part of the SCE installation.

---------------------------------------------
3.2 To install the SCE command line tool only
---------------------------------------------

1. Install SP4
   - Refer to the SP4 README.TXT file in the root of the SP4 CD.

2. Install SCE command line tool only.
   - SCE is available on the SP4 CD in \MSSCE\
   - Run MSSCE.EXE /C

Note that a silent install is also available via the /S option.

=============
4.0 Using SCE
=============

*****************************************************************
*                            WARNING                            *
*****************************************************************
* THE PREDEFINED SECURITY CONFIGURATION FILES DESCRIBED IN THIS *
* USAGE SCENARIO SHOULD NOT BE APPLIED TO PRODUCTION SYSTEMS    *
* WITHOUT PASSING COMPREHENSIVE QUALITY ASSURANCE TESTS.        *
*****************************************************************

-------------------------------
4.1 To load the SCE MMC Snap-in
-------------------------------

1. Run the Microsoft Management Console.
   - MMC.Exe

2. Add the Security Configuration Manager Snap-in.
   - From the Console pull-down menu, Click Add/Remove Snap-in
   - Click Add
   - Select Security Configuration Manager
   - OK

-----------------------------------------------
4.2 To Edit a predefined SCE Configuration File
-----------------------------------------------

1. Expand the Security Configuration Manager node
   This reveals the following folders:
   - Database: Not Loaded
   - Configurations

2. Expand the Configurations node

3. Expand the Default configuration file directory
   - %windir%\security\templates
   - The following configuration files should be revealed:

     Configuration File   Security Level   Platform
     ------------------   --------------   ----------------
     Basicwk.inf          Default          NT4 Wksta
     Basicsv.inf          Default          NT4 Server
     Basicdc.inf          Default          NT4 DC
     Compws4.inf          Compatible       NT4 Wksta\Server
     Compdc4.inf          Compatible       NT4 DC
     Securws4.inf         Secure           NT4 Wksta\Server
     Securdc4.inf         Secure           NT4 DC
     Hisecws4.inf         High Security    NT4 Wksta\Server
     Hisecdc4.inf         High Security    NT4 DC
     Off97SR1.inf         w/ Compatible    NT4 Wksta\Server

4. Expand a specific configuration file
   - For example: securws4
   - There are seven security areas such as account policies and File
     System settings which can be configured.

5. Highlight a specific security area
   - For example: Local Policies\Security Options
   - The configurable parameters are exposed in the result pane.

6. Double Click on a security object in the result pane
   - For Example: Message text for users attempting to log on

7. Customize the security setting for your environment
   - Enter a text string that is customized for your environment
   - OK

8. Save the customized configuration file
   - Right Click on the configuration file in the scope pane
     (securws4.inf)
   - Save or Save As to save any changes.

------------------------------------------
4.3 To configure a system from the SCE UI:
------------------------------------------

1. Click on the node Database: None
   - This activates the default database (secedit.sdb)
   - All configurations and analyses are performed against a database.

2. Right click on Database: Secedit.SDB

3. Select Import Configuration

4. Select the configuration you are interested in applying
   - Check the Overwrite existing configuration in database box to
     remove any previous settings stored in the database. The default
     is to append to the selected database.
   - Open

5. Right click on Database: Secedit.SDB

6. Select Configure System Now...

7. Enter the name of a file to log processing information to
   - OK

WARNING: Applying a secure configuration to an NT System may result in a
loss of performance and functionality. For example, many applications
expect that all users will have Change (Read, Write, Execute, Delete)
permissions on the root, systemroot, and systemroot\system32 directories
because this is the default Windows NT configuration. Along with many
other changes, the secure configuration files restrict these default
access rights and may cause applications, which previously ran correctly,
to fail.

----------------------------------
4.4 To perform a security analysis
----------------------------------

Before implementing the following steps, violate the security policy
applied in the previous step to see how the analysis engine highlights
the violation. For example:

   - Change the password policy using User Manager.

1. Right Click on Database: Secedit.SDB

2. Select Analyze System Now...

3. Enter the name of a file to log processing information in
   - OK

A progress dialog displays the security areas being analyzed. When the
analysis has completed, the result pane highlights mismatches between
actual system settings and the settings defined in securws4.inf.

-----------------------------------
4.5 Using the SCE Command Line Tool
-----------------------------------

SP4 also includes a command line tool (secedit.exe) for applying
configuration files. Typing secedit with no command line arguments
exposes the syntax for the command line tool.
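As an added example (not part of the SP4 readme or of SCE itself), the batch file below wraps the secedit /configure command this section describes so that a distribution tool can push it to many machines and each machine leaves a record of whether the template was applied. The \\SERVER\SCELOGS share and the template name passed as %1 are placeholders, and it is assumed that secedit sets a non-zero errorlevel when configuration fails; REGKEYS and FILESTORE are the area names used in this section.

```batch
@echo off
rem apply_sce.bat - added example, not part of the SP4 readme or of SCE.
rem Applies one SCE template with secedit.exe and appends the outcome to
rem a per-machine log file so results can be collected in one place.
rem Assumptions: \\SERVER\SCELOGS is a placeholder share writable by the
rem account the script runs under; %1 names a template stored in
rem %windir%\security\templates; secedit returns a non-zero errorlevel
rem when configuration fails.

setlocal
set TEMPLATE=%1
if "%TEMPLATE%"=="" set TEMPLATE=securws4.inf
set TEMPLATEPATH=%windir%\security\templates\%TEMPLATE%
set LOGFILE=\\SERVER\SCELOGS\%COMPUTERNAME%.log

rem date /t and time /t are used because the NT 4 command prompt has no
rem dynamic %DATE% and %TIME% variables.
date /t >> "%LOGFILE%"
time /t >> "%LOGFILE%"

if exist "%TEMPLATEPATH%" goto apply
echo %COMPUTERNAME% ERROR: template not found %TEMPLATEPATH% >> "%LOGFILE%"
goto end

:apply
rem Only the registry (REGKEYS) and file system (FILESTORE) areas are
rem applied, as in the readme's own example; account policies and user
rem rights on this machine are left as they are. Run secedit with no
rem arguments to see the other area names.
echo %COMPUTERNAME% applying %TEMPLATE% areas REGKEYS FILESTORE >> "%LOGFILE%"
secedit /configure /cfg "%TEMPLATEPATH%" /areas REGKEYS FILESTORE
if errorlevel 1 goto failed

echo %COMPUTERNAME% OK: %TEMPLATE% applied >> "%LOGFILE%"
goto end

:failed
echo %COMPUTERNAME% FAILED: secedit reported an error for %TEMPLATE% >> "%LOGFILE%"

:end
endlocal
```

Each machine then writes one log file to the share, so a missing OK line for a machine is the signal to investigate before the template is rolled out more widely.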
The command line tool is useful for applying predefined configuration
files to many systems using distributed systems management tools such as
Microsoft Systems Management Server. As an example,

    secedit /configure /cfg securws4.inf /areas REGKEYS FILESTORE

would apply the file system and registry security settings specified in
the securws4.inf configuration file to the Windows NT System where the
program is run.

==========================================
5.0 The Predefined SCE Configuration Files
==========================================

System administrators can use the supplied configuration files to test
and customize for their specific environments. These configurations
should not be implemented in production environments without passing
comprehensive quality assurance measures.

The predefined security configuration files define three levels of
security beyond the default settings. These predefined security levels
are described as follows:

----------------------------
5.1 Compatible Configuration
----------------------------

An improvement over the default security settings, the compatible
configuration errs on the side of applications when making a tradeoff
between functionality and security.

------------------------
5.2 Secure Configuration
------------------------

An improvement over the compatible security settings, the secure
configuration errs on the side of security when making a tradeoff
between functionality and security.

-----------------------------
5.3 High Secure Configuration
-----------------------------

The High Security configuration enforces ideal security settings for a
Windows NT system without consideration for application functionality.
Most existing applications will not function adequately under the High
Secure configuration. The intent of the High Secure configuration is to
promote the development of future "security conscious" applications.
-----------------------
5.4 Basic Configuration
-----------------------

The basic configuration files are provided as a means to "undo" the
application of a more secure configuration. The Basic configuration
applies the Windows NT default settings, but does not reset the
following User Rights as they are commonly modified by application setup
programs:

  - Logon as a service
  - Act as part of the operating system

It is important to note that applying the basic (default) configuration
does not "rollback" the application of a secure configuration. The
default configuration files simply apply a different set of security
settings than the secure configuration files.

--------------------
5.5 MS Office 97-SR1
--------------------

The MS Office 97-SR1 configuration file is meant to be used in
conjunction with the compatible configuration. It must be applied AFTER
Microsoft Office 97-SR1 is installed and provides exceptions to the
compatible configuration that allow MS Office 97-SR1 to run successfully
under a non-administrative context.

=======================
6.0 Further information
=======================

Updated information related to SCE and the predefined configuration
files will be posted at http://www.microsoft.com/security/ntprod.htm as
it becomes available.

============
7.0 Feedback
============

The version of SCE available on NT4-SP4 is a backport of technology that
will ship in NT 5.0. To help make improvements for NT 5.0, please send
your feedback to scefeed@microsoft.com