Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Methods Used to Apply Security Settings Throughout an Enterprise
Article ID: 216735 - View products that this article applies to.
This article was previously published under Q216735
Windows provides administrators with several different utilities that can be used for configuring computer security throughout an enterprise. This article discusses the following utilities and provides some usage guidelines:
Security Templates Snap-inThe Security Templates snap-in is used to create security template files. Security template files are text-based files that describe the security settings for each security area. These security areas include:
Once created, an administrator can apply security template files to specific users using the methods detailed. Microsoft provides several pre-configured security template files that can serve as guides to administrators. By default, these sample templates are available directly within the snap-in.
Security Configuration and Analysis Snap-inThe Security Configuration and Analysis snap-in provides administrators with a single graphical utility that can be used to configure and analyze virtually every aspect of a system that relates to security.
An administrator first analyzes a system against a pre-defined security template. The results of this analysis are stored in a security configuration database. Once this step is taken, the administrator can view the discrepancies between security on the local computer and that dictated by the security template, and roll out configuration changes to the computer from the database.
The key to this utility is that it runs locally; its focus cannot be pointed at a remote computer. Therefore, it is not the ideal utility for setting security configuration throughout an enterprise.
Security Settings Extension to the Group Policy Editor Snap-inGroup Policy is the successor to Microsoft Windows NT 4.0 system policies. With Group Policy, an administrator can choose a vast array of configuration settings throughout an enterprise, which are applied against users and computers based on the following membership hierarchy:
Most security settings in Group Policy are available by double-clicking Administrative Tools in Control Panel, double-clicking Computer Management, double-clicking System Tools, double-clicking Group Policy, double-clicking Computer Configuration, double-clicking Windows Settings, and then double-clicking Security Settings. An administrator can manually define attribute settings or import an existing security template.
An administrator can use Group Policy to easily configure security settings that apply throughout an enterprise from one central location.
The Secedit.exe UtilityThe Secedit.exe utility is a command-line version of the Security Configuration and Analysis utility. It can be utilized to analyze and configure computers based on security template settings.
An administrator can use the Secedit.exe utility to craft a logon script solution that facilitates remote analysis and configuration of workstations within an enterprise. This is a far less elegant but more powerful approach to security configuration than using Group Policy.