Configure local computer security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To configure local computer security

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Open Security Configuration and Analysis.

  2. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.

    Where?

    • ConsoleRoot/Security Configuration and Analysis
  3. In Open database, do one of the following:

    • To create a new database, in File name, type a file name, and then click Open.

    • To open an existing database, click a database, and then click Open.

  4. If you are creating a new database, in Import Template, click a template, and then click Open.

  5. In the console tree, right-click Security Configuration and Analysis, and then click Configure Computer Now.

  6. Do one of the following:

    • To use the default log in Error log file path, click OK.

    • To specify a different log, in Error log file path, type a valid path and file name.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open Security Configuration and Analysis, click Start, click Run, type mmc, and then click OK. On the File menu, click Open, click the console that you want to open, and then click Open. In the console tree, click Security Configuration and Analysis.

  • To check the log file, right-click Security Configuration and Analysis, and then click View Log File.

  • The default path for the log file is:

    systemroot\Documents and Settings\UserAccount\My Documents\Security\Logs\

Using a command line

  1. Open Command Prompt.

  2. Type:

    secedit/configure/DBFileName [/CFG FileName][/overwrite][/areas Area1 Area2...] [/log LogPath] [/quiet]

Argument Description

/DBFileName

Specifies the database used to perform the security configuration.

/CFG FileName

Specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.

/overwrite

Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated in the database. If this parameter is not specified and there are conflicting settings in the database and the template that is being imported, the template settings take precedence.

/areasArea1 Area2...

Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings that are defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:

SECURITYPOLICY - Includes account policies, audit policies, event log settings, and security options.

GROUP_MGMT - Includes Restricted Group settings.

USER_RIGHTS - Includes user rights assignment.

REGKEYS - Includes registry permissions.

FILESTORE - Includes file system permissions.

SERVICES - Includes system service settings.

/log LogPath

Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file, which is located in the %windir%\Security\Logs folder.

/quiet

Specifies that the configuration process should take place without prompting the user.

Examples:

  • secedit /configure /db hisecws.sdb /cfg

  • hisecws.inf /overwrite /log hisecws.log

Notes

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • The default path for the log file is:

    %windir%\Security\Logs\Scesrv.log

  • Secedit /refreshpolicy has been replaced with gpupdate. For information on how to refresh security settings, see Gpupdate.

  • To view the complete syntax for this command, at a command prompt, type:

    secedit /?

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Automating security configuration tasks
Command-line reference A-Z