Appendix A: Security Tools and Formats

Published: December 31, 2003   |   Updated: April 26, 2006

It can be a challenge to create, test, deploy, and manage a complete set of policies and templates for your organization. This appendix provides an overview of the Microsoft tools that are available for the job and of the formats in which security policies are stored.

Security Tools

The following tools are available either with the Windows Server™ 2003 operating system or as free downloads from the Microsoft Web site.

Security Configuration Wizard

The Security Configuration Wizard (SCW) was introduced in Windows Server 2003 SP1. Unlike Group Policy, it is not integrated with the Active Directory® directory service, so it cannot configure domain-level policy directly; an SCW policy must be converted to a GPO before it can be applied through Active Directory. What SCW does provide is a consistent, role-based hardening methodology driven by wizards, which makes it straightforward to create sound policies.

With SCW, you can quickly create prototype policies for multiple server roles that are based on current guidance from Microsoft. SCW manages service startup settings, registry settings, Windows Firewall exceptions, and more. It can remotely profile target computers, deploy policies, and roll them back. The command-line tool Scwcmd lets SCW and Group Policy be used together: scwcmd configure applies a policy to one or more computers, scwcmd analyze compares a computer's current configuration with a policy, scwcmd rollback undoes the most recently applied policy, and scwcmd transform converts a policy into a GPO that can then be linked to an OU.

Security Configuration Editor

The Security Configuration Editor (SCE) tools are used to define security policy templates that can be applied to individual computers or to groups of computers through Active Directory Group Policy. The SCE first appeared as an add-on for Windows NT® 4.0 and has become an integral part of Group Policy.

The SCE no longer ships as a separate component; it is the engine behind the following Microsoft Management Console (MMC) snap-ins and administrative utilities:

  • MMC Security Configuration and Analysis snap-in
  • MMC Security Templates snap-in
  • Group Policy Editor snap-in (used for the Security Settings portion of the Computer Configuration tree)
  • Local Security Settings tool
  • Domain Controller Security Policy tool
  • Domain Security Policy tool

Because all of these tools use the SCE, administrators work with the same interface to create and edit policies whether a policy is intended for a stand-alone computer or will be deployed as a GPO.

You can find more information about SCE from Windows Help.

Active Directory Users and Computers

The MMC Active Directory Users and Computers snap-in provides the primary GUI to create and manage organizational units (OUs) within the domain. You can link GPOs and OUs, control policy order and inheritance, and launch the Group Policy Object Editor as a separate process to edit GPOs. However, the snap-in does not offer a consistent, integrated way to inventory, author, and manage your Group Policies.

You can find more information about the MMC Active Directory Users and Computers snap-in from Windows Help.

Group Policy Management Console

The Group Policy Management Console (GPMC) was produced by Microsoft in response to feedback from customers who needed a better way to control Group Policy in a large environment. The GPMC must be run on Windows XP with SP1 or Windows Server 2003 and consists of an MMC snap-in and a set of scriptable interfaces that can be used to manage Group Policy. It can manage both Windows 2000 Server and Windows Server 2003 domains.

The GPMC provides:

  • A user interface that focuses on Group Policy use and management.
  • The ability to quickly back up, restore, import, export, copy, and paste GPOs.
  • Simplified management of Group Policy-related security.
  • Report capabilities for GPO and Resultant Set of Policy (RSoP) data.
  • Scriptable GPO operations.

The Group Policy Management Console with Service Pack 1 is available as a free download for all Windows Server 2003 customers at www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en.

Security File Formats

Security policies can be created and stored in a variety of formats. The following sections detail the common file formats that are used by Windows Server 2003:

SCW Policy (.xml)

SCW introduces a new XML-based file format. Native SCW policies are saved with an .xml extension. These policy files have no officially published schema, but they can be identified by their <SecurityPolicy Version="1.0"> root element.

The SCW policy file is actually a complete manifest of several different types of settings:

  • System services startup mode
  • Windows Firewall exceptions
  • Selected computer roles
  • Selected computer tasks
  • Registry settings
  • Policy settings
  • Audit policies

SCW policies can also attach one or more policy templates (the .inf files described in the next section) to carry settings that SCW itself does not manage, such as system service or registry access control lists (ACLs).
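Because the .xml extension says nothing about the contents, it is worth verifying that a file really is an SCW policy before handing it to scwcmd or checking it into a policy repository. The following is an added example (not code from the Security Guide or from SCW) that relies only on the fact stated above: the root element is <SecurityPolicy Version="1.0">. The child elements in the constructed sample are illustrative placeholders, not a description of SCW's unpublished schema.

```python
"""Identify an SCW policy file and inventory its top-level sections.

Added example; not code from the Windows Server 2003 Security Guide or SCW.
Only the root element reflects the documented format; the child elements in
SAMPLE_POLICY are constructed for illustration and are not SCW's real schema.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SUPPORTED_VERSION = "1.0"

# Constructed sample (bytes, so the XML declaration's encoding is honoured).
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="utf-8"?>
<SecurityPolicy Version="1.0">
  <Services>
    <Service Name="Alerter" StartupMode="Disabled"/>
    <Service Name="W32Time" StartupMode="Automatic"/>
  </Services>
  <Roles>
    <Role Name="FileServer" Selected="true"/>
  </Roles>
</SecurityPolicy>
"""

# Well-formed XML that is not an SCW policy at all.
NOT_A_POLICY = b"""<?xml version="1.0"?><Settings><Item/></Settings>"""


def identify_policy(data: bytes) -> Tuple[bool, Optional[str]]:
    """Return (accepted, version).

    Accepted only for a well-formed document whose root is SecurityPolicy
    carrying the version this tool understands. Malformed XML and other root
    elements are rejected without raising, so callers can triage a directory
    of files without wrapping every call in try/except.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False, None
    if root.tag != "SecurityPolicy":
        return False, None
    version = root.get("Version")
    return version == SUPPORTED_VERSION, version


def section_inventory(data: bytes) -> Dict[str, int]:
    """Map each top-level section of an accepted policy to its entry count,
    so a reviewer sees at a glance which areas the policy will touch."""
    accepted, version = identify_policy(data)
    if not accepted:
        raise ValueError(f"not a supported SCW policy (Version={version!r})")
    root = ET.fromstring(data)
    return {child.tag: len(child) for child in root}


if __name__ == "__main__":
    print(identify_policy(SAMPLE_POLICY))
    print(section_inventory(SAMPLE_POLICY))
```

Read a real policy as bytes (open(path, "rb").read()) so that the XML declaration, not a guess, decides the encoding. The standard library parser does not fetch external entities, but it does expand internal entity definitions; for policy files that arrive from outside your own change-control process, parse with defusedxml instead.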

Policy Template (.inf)

Policy templates are text files in the INI-style format that many Windows data files use: one or more sections, each introduced by a keyword in square brackets (for example [System Access], [Event Audit], [Registry Values], [Privilege Rights], or [Service General Setting]), followed by one or more attribute/value pairs. The Security Templates snap-in saves templates as Unicode (UTF-16) text.

Policy templates can contain one or more sections that define the following types of data:

  • Password policies
  • Lockout policies
  • Kerberos authentication protocol policies
  • Audit policies
  • Event log settings
  • Registry values
  • Service startup modes
  • Service permissions
  • User rights
  • Group membership restrictions
  • Registry permissions
  • File system permissions

Policy templates are supported by almost all of the tools listed earlier in this appendix, and the same template format serves both local computer policies and Active Directory Group Policies. Before a template takes effect, it must be imported by the appropriate tool: into the Security Settings node of a GPO, into a local security database with Secedit (secedit /configure), or into a Security Configuration and Analysis database for comparison against the computer's current state.
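Because templates are plain text, they are easy to review and compare outside the MMC tools. The following is an added example, not code from the Security Guide or the SCE tools: a small parser for the template format that decodes the [System Access], [Registry Values], [Privilege Rights] and [Service General Setting] sections and flags settings a reviewer would question before the template is imported. The section and key names are the ones secedit writes; the sample template and the thresholds in find_weak_settings are this example's own constructions, not Microsoft's recommended values.

```python
"""Parse a security template (.inf) and flag settings a reviewer would question.
Added example, not code from the Security Guide or the SCE tools. The section
and key names are the ones secedit writes; the sample template and the
thresholds in find_weak_settings are this example's own constructions."""
import re

REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
STARTUP_MODES = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
SERVICE_RE = re.compile(r'^"([^"]+)",(\d),"?(.*?)"?$')  # "name",mode,"SDDL"
NOLMHASH = r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash"
# Constructed sample; several values are deliberately weak.
SAMPLE_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight =
[Service General Setting]
"Alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"Messenger",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""

def parse_template(text):
    """Split the INI-style text into {section: [(key, value)]}. Entries of the
    form "name",mode,"sddl" have no key and are stored as (line, None)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"data before first section header: {line!r}")
        elif line.startswith('"') or "=" not in line:
            sections[current].append((line, None))
        else:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def check_header(sections):
    """Reject files that lack the signature the SCE tools write to [Version]."""
    version = {k: v for k, v in sections.get("Version", []) if v is not None}
    if version.get("signature", "").strip('"') != "$CHICAGO$":
        raise ValueError("not a security template: [Version] signature missing")

def system_access(sections):
    """Numeric [System Access] settings (password and lockout policy)."""
    return {k: int(v) for k, v in sections.get("System Access", [])
            if v is not None and v.lstrip("-").isdigit()}

def registry_values(sections):
    """[Registry Values] lines are path=type,value; decode the type code."""
    out = {}
    for path, spec in sections.get("Registry Values", []):
        if spec is not None:
            code, _, value = spec.partition(",")
            out[path] = (REG_TYPES.get(code, "type" + code), value.strip('"'))
    return out

def service_settings(sections):
    """Service name -> (startup mode, SDDL string of the service ACL)."""
    out = {}
    for line, _ in sections.get("Service General Setting", []):
        m = SERVICE_RE.match(line)
        if m:
            out[m.group(1)] = (STARTUP_MODES.get(m.group(2), m.group(2)), m.group(3))
    return out

def privilege_rights(sections):
    """[Privilege Rights]: right -> holders; SIDs carry a leading '*'."""
    return {right: [h.strip() for h in holders.split(",") if h.strip()]
            for right, holders in sections.get("Privilege Rights", []) if holders is not None}

def find_weak_settings(sections):
    """Thresholds are this example's assumptions, not Microsoft guidance."""
    access, regs, findings = system_access(sections), registry_values(sections), []
    if access.get("MinimumPasswordLength", 0) < 8:
        findings.append("MinimumPasswordLength below 8")
    if access.get("PasswordComplexity", 0) != 1:
        findings.append("PasswordComplexity not enforced")
    if access.get("LockoutBadCount", 0) == 0:
        findings.append("LockoutBadCount is 0: no account lockout")
    if regs.get(NOLMHASH, ("", ""))[1] != "1":
        findings.append("NoLMHash not set: LM hashes will be stored")
    if "*S-1-1-0" in privilege_rights(sections).get("SeNetworkLogonRight", []):
        findings.append("SeNetworkLogonRight granted to Everyone")
    return findings
```

To run it over a template saved by the Security Templates snap-in, open the file as UTF-16 (open(path, encoding="utf-16").read()), pass the text to parse_template, call check_header, and print find_weak_settings. Service entries are written as "name",mode,"SDDL" where the mode is the Win32 start type (2 automatic, 3 manual, 4 disabled); registry entries are written as path=type,value with the REG_* type code, which is why the two are decoded separately.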

Group Policy Objects

A GPO is stored in two places: the Group Policy container, an object in Active Directory, and the Group Policy template, a collection of files under the SYSVOL share on domain controllers. These files hold the computer and user policy settings and are not usually edited directly. Use a tool such as the GPMC to modify the settings, or the Group Policy Object Editor to export the GPO's Security Settings to a policy template.

You can export or back up a GPO from within GPMC to save all the information that is stored inside the GPO to the file system. GPO backups that are created in this way keep the following information:

  • The GPO's globally unique identifier (GUID) and domain
  • GPO settings
  • The discretionary access control list (DACL) on the GPO
  • The WMI filter link, if there is one (but not the filter itself)
  • Links to IP Security policies, if any
  • XML report of the GPO settings, which can be viewed as HTML from within GPMC
  • Date and time stamp of when the backup was taken
  • User-supplied description of the backup

However, the backup does not save any data that is external to the GPO. In particular, it does not contain link information for sites, domains, or OUs, and it does not contain the actual WMI filters or IP Security policies.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.