HOW TO: Use the Secedit.sdb Database to Perform a Security Analysis in Windows 2000 (318711)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
This article was previously published under Q318711 SUMMARY
This step-by-step article describes how to use the Secedit.sdb database to analyze your security settings. This analysis can identify security holes that may exist in your current configuration, and can also identify changes that will take place if you use a security template to configure your computer.
You can analyze your current settings against a baseline template at any time. This analysis is useful for several reasons:
- To identify security holes that may exist in a current configuration.
- To identify the changes that a security policy may make before you actually deploy the security policy.
- To identify deviations from a policy that is currently imposed on a computer.
back to the top
How to Start the Security Configuration and Analysis Snap-in- Click Start, and then click Run.
- In the Open box, type mmc, and then click OK.
- On the Console menu, click Add\Remove Snap-in, and then click Add.
- In the list of available standalone snap-ins, click Security Configuration and Analysis, and then click Add.
- In the list of available standalone snap-ins, click Security Templates, and then click Add.
- Click Close, and then click OK.
back to the top
How to Perform the Security Analysis
You can use the Secedit.sdb database to compare local security settings against group policy settings that are downloaded from a domain:
- Start Windows explorer, and then open the Winnt\Security\Database folder.
- Make a copy of the Secedit.sdb database. That database contains local security settings.
- Quit Windows Explorer, and then switch to the Microsoft Management Console (MMC) window.
- Right-click Security Configuration and Analysis, and then click Open Database.
- Click the copy of the Secedit.sdb file that you created in the Winnt\Security\Database folder, and then click Open. Note that you receive an error message if you try to load the original Secedit.sdb file.
- Right-click Security Configuration and Analysis, and then click Analyze Computer Now.
- In the Error log file path box, type C:\Winnt\Security\Logs\Mysecure.log.
NOTE: If Windows 2000 is installed in a folder other than the C:\Winnt folder, modify the path that you type to match your installation. - Click OK.
After the analysis is complete, the security areas are available under the Security Configuration and Analysis node.
back to the top
How to View the Results- In the left pane, expand the Security Configuration and Analysis node.
- Click the Description bar to expose the database with which you are working. If the Description bar is not visible, click Customize on the View menu, and then click to select the Description bar check box.
- Expand the Local Policies node, and then click Security Options.
Both the database setting and the actual system setting are displayed in the right pane for each object. Discrepancies are marked with a red flag. Consistencies are marked with a green check mark. If there is no flag or check mark, the security setting is not specified in the database. This means that the security setting is not configured in the template that was imported.
You can double-click any setting to investigate discrepancies.
back to the top
Modification Type: | Major | Last Reviewed: | 11/20/2003 |
---|
Keywords: | kbhowto kbHOWTOmaster KB318711 kbAudITPro |
---|
|