How to analyze system security in Windows Server 2003

Article ID: 816580
For a Microsoft Windows 2000 version of this article, see 313203.

This step-by-step article describes how to use Security Configuration and Analysis in Microsoft Management Console (MMC) to analyze and to configure security on a computer that is running Windows Server 2003.

You can use Security Configuration and Analysis to compare the current security configuration with a security configuration that is stored in a database. You can create a database that contains a preferred level of security and then run an analysis that compares the current configuration to the settings in the database.

Security Configuration and Analysis includes the following features:
  • Security Templates
  • Security Configuration and Analysis
  • Secedit command-line command
To analyze the security configuration of your computer, you must perform the following two steps:
  1. Create the security database by using a security template.
  2. Compare the computer security analysis to the database settings.

Create the Security Database

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add/Remove Snap-in dialog box, click Add.
  4. Click Security Configuration and Analysis, click Add, click Close, and then click OK.
  5. In the left pane, expand Security Configuration and Analysis, and then read the instructions in the right pane.
  6. Right-click Security Configuration and Analysis, and then click Open Database.
  7. In the File name box, type the name of the database file, and then click Open.
  8. Click the Securedc.inf template, and then click Open.

    Note You do not have to click Clear this database before importing because there are no entries in the database at this time. If the database was used previously, you can click to select this check box to clear previous entries from the database.

Analyze System Security

No changes are made to the system when you analyze system security. The results of the security analysis indicate where there are differences between the settings in the template and the actual system settings.

To compare system security with the settings in the security database, follow these steps:
  1. In the left pane, right-click Security Configuration and Analysis, and then click Analyze Computer Now.
  2. Note the location of the error log file, and then click OK.

    Note You can change the location of the error log file if you want to.
  3. When the security analysis is complete, expand all nodes in the left pane. Expand the Registry and File System nodes last because these nodes have complex hierarchies.
  4. View the entries in the right pane as you click each of the nodes.

    The entries in the right pane may be marked with various symbols to indicate their status. These symbols are defined in the following table:
    SYMBOL             DESCRIPTION
    --------------------------------------------------------------------------------------
    Red X               The entry is defined in the analysis database and on the system, 
                        but the security setting values do not match.
    
    Green check mark    The entry is defined in the analysis database and on the system, 
                        and the setting values match.
    
    Question mark       The entry is not defined in the analysis database and was not analyzed. 
                        If an entry is not analyzed, the entry may not be defined 
                        in the analysis database, or the user who is running the analysis 
                        may not have permissions to perform analysis on a specific 
                        object or area.
    
    Exclamation point   The entry is defined in the analysis database, but does not exist 
                        on the actual system. For example, there may be a restricted group 
                        that is defined in the analysis database but does not actually exist 
                        on the system that you are analyzing.
    
    No symbol           If no symbol appears, the entry is not defined in the analysis 
                        database or on the system.
  5. If a setting is not contained in the database, you can add it. To do so, follow these steps:
    1. Right-click an entry that is not defined in the database, and then click Properties.
    2. Click to select the Define this policy in the database check box, and then click to select the appropriate check boxes, and then click OK.
  6. To apply the database settings to the computer configuration, right-click Security Configuration and Analysis in the left pane, and then click Save.
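
The create-and-analyze procedure above can also be scripted with the Secedit command-line command listed among the features. The following batch file is an added example, not part of the original article; the C:\SecAudit folder and the database and log file names are assumptions, and the template path assumes the default %windir%\security\templates location.

```bat
@echo off
rem Added example: command-line equivalent of "Create the Security Database"
rem and "Analyze System Security". Paths under C:\SecAudit are assumptions.
setlocal

set "TEMPLATE=%windir%\security\templates\securedc.inf"
set "WORKDIR=C:\SecAudit"
set "DB=%WORKDIR%\securedc.sdb"
set "LOG=%WORKDIR%\securedc-analysis.log"

rem Stop early if the template is missing, so no empty database is created.
if not exist "%TEMPLATE%" (
    echo Template not found: %TEMPLATE%
    exit /b 1
)
if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem /cfg imports the template into the database before the analysis runs.
rem /overwrite clears entries left in the database by an earlier import
rem (the command-line counterpart of "Clear this database before importing").
rem /analyze only compares; it makes no changes to the system.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
set "RC=%ERRORLEVEL%"

echo secedit exit code: %RC%
echo Database: %DB%
echo Log:      %LOG%
if not "%RC%"=="0" echo Review the log before relying on the results.

endlocal & exit /b %RC%
```

To view the results with the status symbols described in the table, open the resulting database in the Security Configuration and Analysis snap-in by using Open Database.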

Properties

Article ID: 816580 - Last Review: December 3, 2007 - Revision: 4.4
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition