The Microsoft Windows 2000 Server Resource Kit comes with the Security Configuration and Analysis utility. The tool consists of two components: IIS templates and a Microsoft Management Console (MMC) snap-in. The Security Configuration and Analysis IIS templates analyze and configure the security settings for an IIS server. These security settings aren't IIS settings but rather OS security settings that apply to a server on which you've installed IIS. The MMC Security Templates snap-in (sectemplates.msc), also called the Security Templates editor, lets you review and edit the templates.
Making sure that OS security settings are standardized across all IIS servers—even in installations with one IIS server and a backup server—is a daunting task for any IIS administrator. However, the Security Configuration and Analysis tool lets you create standard templates for analyzing and setting security for a particular server. You can then copy and apply the standard templates to multiple servers.
Preparing to Use the IIS Templates
The two IIS templates the resource kit installation loads are secureinternetwebserver.inf and secureintranetwebserver.inf. According to the resource kit's Tools Help, by default, these templates reside in \windir\security\templates (unless you've changed the default installation directory). In reality, they reside in the C:\program files\resource kit folder. Drag the IIS templates from the Resource Kit folder to the \windir\security\templates folder because the Security Templates editor looks for them in that folder. The Security Templates editor also looks for the standard templates in the \windir\security\templates folder.
To use the IIS templates and template utilities, open the Security Templates snap-in. Secureinternetwebserver.inf and secureintranetwebserver.inf appear in the left pane. Now, you can add the Security Configuration and Analysis tool as an MMC snap-in. To add the Security Configuration and Analysis tool, follow these steps:
- From the Security Templates snap-in, click Console, then click Add/Remove Snap-in.
- In the Add Standalone Snap-in dialog box, which Figure 1 shows, click Add.
- Scroll to the Security Configuration and Analysis snap-in, then double-click it.
- Close the Add Standalone Snap-in dialog box, then click OK.
Save the console settings. You now have the Security Templates editor and Security Configuration and Analysis tool loaded in one console. If you haven't previously used the Security Configuration and Analysis tool, click it once in MMC and follow these steps to create a new database:
- Right-click the Security Configuration and Analysis snap-in, then select Open Database.
- Enter a new database name, then click Open.
- Select a security template to import, then click Open.
Now, you can use the IIS templates to create new standard templates for analyzing and setting server security. Review the settings in any template before you apply it. Blindly applying a template can have disastrous consequences, such as making a server stop working or requiring you to reestablish security settings manually. When you have the test database with your new templates, you can use it for testing and as a backup. The easiest way to check and tune a new template is to use the Security Templates editor to review and modify it. This tool shows you the template in a Windows Explorer-type view so that you can peruse and modify settings.
To use the editor, you simply select the template to change in the left pane, then expand an entry and select the category of items to change. The items within the category appear in the right pane, as Figure 2 shows. To change an item, double-click it in the right pane. (If you place new files in the \windir\security\templates folder while you have the editor open, right-click the path, then select Refresh to display them.)
After you've made your changes, close the Security Templates snap-in and click Yes to save the changes to the template. Now, you can use the updated IIS template by following these steps:
- Open the Security Configuration and Analysis snap-in.
- Right-click the Security Configuration and Analysis item, then select Import Template.
- In the Template dialog box, select the new template you want to import.
To audit your computer against the policies in the template you just loaded, right-click the Security Configuration and Analysis item, then click Analyze Computer Now. The process takes a few minutes, and the results appear in the right pane of the tool for each folder. Figure 2 shows an example of the Audit Policy folder after analysis. You can see both the setting from the database (loaded from the template) and the current system setting. Now, you can either modify the template and apply it or make the changes manually.
For More Information
The Security Configuration and Analysis tool is a welcome utility for checking and analyzing server security. Unfortunately, the documentation on this tool in Win2K Help is nonexistent. You can find a good white paper about using the Security Configuration and Analysis tool at http://www.microsoft.com/windows2000/library/howitworks/security/sctoolset.asp. You can also find a step-by-step guide for the tool at http://www.microsoft.com/windows2000/library/planning/security/secconfsteps.asp. Searching the Microsoft site for the phrase Security Configuration and Analysis yields several articles related to the tool and its use.
Note that the Security Configuration and Analysis tool doesn't let you work against remote servers. To use templates on different servers, you must copy the templates to those servers before you use them, which is somewhat limiting. To work around this drawback, you can use the secedit.exe command-line tool from a batch file to automate system analysis or configuration. The white paper I mentioned includes parameters and examples for using the command-line tool.
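The batch file below is an added example, not taken from the article or the white paper, of the secedit.exe workaround described above: it copies a template to the local server, validates it, analyzes the server against it, and configures the server only when asked. The share path, database and log names, the "apply" argument, and the "Mismatch" wording searched for in the log are assumptions.

```bat
@echo off
rem Added example: analyze (and optionally configure) this server with secedit.
rem The share path, database name, log name and "apply" switch are assumptions.
setlocal

set SRC=\\adminhost\templates\secureinternetwebserver.inf
set TEMPLATE=%windir%\security\templates\secureinternetwebserver.inf
set DB=%windir%\security\database\iisbaseline.sdb
set LOG=%windir%\security\logs\iisbaseline.log

rem The tool works only against the local machine, so copy the template here first.
copy /y "%SRC%" "%TEMPLATE%" >nul
if errorlevel 1 goto fail

rem Check the template syntax before importing it.
secedit /validate "%TEMPLATE%"
if errorlevel 1 goto fail

rem Start from an empty database so settings from an older import cannot linger.
if exist "%DB%" del "%DB%"

rem Import the template into the database and compare it with current settings.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /verbose
if errorlevel 1 goto fail

rem Assumption: the verbose log marks differing settings with the word "Mismatch".
echo Settings that differ from the template:
type "%LOG%" | findstr /i "mismatch"

rem Analysis only by default; configure only when "apply" is passed explicitly.
if /i not "%1"=="apply" goto done
secedit /configure /db "%DB%" /log "%LOG%" /quiet
if errorlevel 1 goto fail
echo Template applied. See %LOG%.

:done
endlocal
exit /b 0

:fail
echo secedit step failed. See %LOG%. 1>&2
endlocal
exit /b 1
```

Run it with no arguments on each server to get the analysis, review the differences, and rerun it with apply only after the template has been checked on a test server.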