Analyze system security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To analyze system security

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Open Security Configuration and Analysis.

  2. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.

    Where?

    • ConsoleRoot/Security Configuration and Analysis
  3. In Open database, do one of the following:

    • To create a new database, in File name, type a file name, and then click Open.

    • To open an existing database, click a database, and then click Open.

  4. If you are creating a new database, in Import Template, click a template, and then click Open.

  5. In the details pane, right-click Security Configuration and Analysis, and then click Analyze Computer Now.

  6. Do one of the following:

    • To use the default log, in Error log file path, click OK.

    • To specify a different log, in Error log file path, type a valid path and file name, and then click OK.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open Security Configuration and Analysis, click Start, click Run, type mmc, and then click OK. On the File menu, click Open, click the console that you want to open, and then click Open. Then, in the console tree, click Security Configuration and Analysis.

  • Security Configuration and Analysis displays the different security areas as they are analyzed. Once this is complete, you can check the log file or review the results. For more information on reviewing the analysis results, see Related Topics.

  • To view the log file, in the console tree, right-click Security Configuration and Analysis, and then click View Log File.

  • The default path for the log file is:

    systemroot\Documents and Settings\UserAccount\My Documents\Security\Logs\DatabaseName.log

Using a command line

  1. Open Command Prompt.

  2. Type:

    secedit /analyze /db FileName.sdb [/cfg FileName] [/overwrite] [/log FileName] [/quiet]

ArgumentDescription

/db FileNameSpecifies the database used to perform the analysis.

/cfg FileNameSpecifies a security template to import into the database prior to performing the analysis. Security templates are created using the Security Templates snap-in.

/log FileNameSpecifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in Scesrv.log, which is located in the %windir%\Security\Logs folder.

/quietSpecifies that the analysis process should take place without further comments.

Example: secedit /analyze /db hisecws.sdb

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • To view the complete syntax for this command, at a command prompt, type:

    secedit /?

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Add Security Configuration and Analysis to an MMC console
Analyzing security and viewing results
Import a security template
Configure local computer security
Working with MMC console files
Automating security configuration tasks