Microsoft KB Archive/216735

= Methods Used to Apply Security Settings Throughout an Enterprise =

Article ID: 216735

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q216735





SUMMARY
Windows provides administrators with several different utilities that can be used for configuring computer security throughout an enterprise. This article discusses the following utilities and provides some usage guidelines:


 * Security Configuration and Analysis Microsoft Management Console (MMC) snap-in
 * Security Templates snap-in
 * Secedit.exe
 * Security Settings snap-in to the Group Policy Editor snap-in



Security Templates Snap-in
The Security Templates snap-in is used to create security template files. Security template files are text-based files that describe the security settings for each security area. These security areas include:


 * Account Policies
 * Local Policies
 * Event Log
 * Restricted Groups
 * System Services
 * Registry
 * File System

This snap-in provides a powerful graphical interface in which an administrator can simply hierarchically navigate within each area to specific security attributes, and choose a specific setting.

Once created, an administrator can apply security template files to specific users using the methods detailed. Microsoft provides several pre-configured security template files that can serve as guides to administrators. By default, these sample templates are available directly within the snap-in.

Security Configuration and Analysis Snap-in
The Security Configuration and Analysis snap-in provides administrators with a single graphical utility that can be used to configure and analyze virtually every aspect of a system that relates to security.

An administrator first analyzes a system against a pre-defined security template. The results of this analysis are stored in a security configuration database. Once this step is taken, the administrator can view the discrepancies between security on the local computer and that dictated by the security template, and roll out configuration changes to the computer from the database.

The key to this utility is that it runs locally; its focus cannot be pointed at a remote computer. Therefore, it is not the ideal utility for setting security configuration throughout an enterprise.

Security Settings Extension to the Group Policy Editor Snap-in
Group Policy is the successor to Microsoft Windows NT 4.0 system policies. With Group Policy, an administrator can choose a vast array of configuration settings throughout an enterprise, which are applied against users and computers based on the following membership hierarchy:


 * Local
 * Site
 * Domain
 * Organizational Unit

Security settings within Group Policy can be manipulated by editing or creating a new Group Policy Object (GPO) from within an MMC snap-in that contains both the Group Policy Editor and the Security Settings extension. The security settings available depend on the type of object to which the group policy is linked (for example, domain objects and local objects do not have all the same settings).

Most security settings in Group Policy are available by double-clicking Administrative Tools in Control Panel, double-clicking Computer Management, double-clicking System Tools, double-clicking Group Policy, double-clicking Computer Configuration, double-clicking Windows Settings, and then double-clicking Security Settings. An administrator can manually define attribute settings or import an existing security template.

An administrator can use Group Policy to easily configure security settings that apply throughout an enterprise from one central location.

The Secedit.exe Utility
The Secedit.exe utility is a command-line version of the Security Configuration and Analysis utility. It can be utilized to analyze and configure computers based on security template settings.

An administrator can use the Secedit.exe utility to craft a logon script solution that facilitates remote analysis and configuration of workstations within an enterprise. This is a far less elegant but more powerful approach to security configuration than using Group Policy.

Keywords: kbinfo KB216735

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.