Security Configuration Engine Architecture

Applies To: Windows Server 2008

The security configuration engine provides local computer and Group Policy–based configuration and analysis of security settings, and it also supports the creation of security policy files. It processes security policies, in the form of .inf files, and configures or analyzes the system accordingly. Security configuration engine operations include the following:

  • Import and export security templates to and from a configuration database.

  • Configure system security with the contents of the database.

  • Perform a security analysis based on the contents of the database.

The following architecture diagram shows components of the security configuration engine that interact to process security settings and policies. The function of each component in the diagram is described in the table that follows.

Security configuration engine and related functional components

Component and description

Security policy management tools

These tools include the following:

  • Security Configuration and Analysis snap-in

  • Security Templates snap-in

  • Local Security Policy (Administrative Tools)

  • Local Group Policy Editor

Wsecedit.dll implements the Security Configuration and Analysis snap-in, Security Templates snap-in, and Group Policy. It is also referred to as the Security Settings Editor.

Local Security Policy and the Local Group Policy Editor are additional tools that interact with the security configuration engine to configure security settings.

Command-line tool

Secedit.exe is the command-line version of the Security Configuration and Analysis snap-in.

Scecli.dll

This is the client-side interface to Scesrv.dll. Scecli.dll is loaded into Wsecedit.dll (Security Settings Editor) to support the Microsoft Management Console (MMC) snap-in user interfaces (UIs). System setup uses it to configure default system security and the security of files, registry keys, and services that are installed through setup application programming interface (API) .inf files. It also performs the following functions:

  • Scecli.dll implements the command-line version of the Security Configuration and Analysis snap-in, Secedit.exe.

  • Scecli.dll implements the client-side extension for Group Policy. Client-side extensions are the components running on the client computer that process and apply the Group Policy settings to that system. The policy file that the Security Settings client-side extension processes is GptTmpl.inf.

  • Scesrv.dll uses Scecli.dll to download the applicable Group Policy .inf files from Sysvol in order to apply Group Policy security settings to the local computer.

  • Scecli.dll logs the application of security policy into Windows Management Instrumentation (WMI).

  • The Scesrv.dll policy filter uses Scecli.dll to update the Default Domain Controller Policy Group Policy object (GPO) when changes are made to the Security Accounts Manager (SAM) and the Local Security Authority (LSA).

Scesrv.dll

This .dll file is hosted in Services.exe and runs under the local system context. Scesrv.dll provides core settings configuration, such as importing, configuring, analyzing, and propagating policies.

Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry.

Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that each request arrives over lightweight remote procedure call (LRPC) and fails the call if it does not, so these APIs are reachable only from the local computer.

On domain controllers, Scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process (INProc) Scecli.dll template modification APIs.

Policy filters integrated with LSA and SAM keep the security policy database synchronized with changes that are made to LSA or SAM without using Group Policy. The filters detect security policy changes made through the LSA APIs or SAM APIs and store those changes in the policy database. Password policies and account lockout policies are handled by the SAM filter. Audit policy and user rights are handled by the LSA filter. Security options in the registry are handled by the registry delay filter.

Userenv.dll

The Group Policy engine is implemented in Userenv.dll, which runs inside the Group Policy client service hosted in Svchost.exe. The Group Policy engine is the framework that handles the functionality common to registry-based settings and client-side extensions.

Svchost.exe is the host process for services that run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe reads the services information in the registry to construct the list of services that it must load.

Secedit.sdb (security settings database)

This is the permanent system database used for policy propagation. It is stored in %Windir%\Security\Database and includes a table of persistent settings that is kept for rollback purposes.

The security settings database is populated from .inf template files that are created by using the Security Templates snap-in. The files are loaded into this database before configuration or analysis by the Security Configuration and Analysis snap-in or Secedit.exe.

User databases

A user database is any database other than the system database created by administrators to configure or analyze security policy.

Template .inf files

These are text files that contain declarative security settings. They are loaded into Secedit.sdb before configuration or analysis. Templates created with the Security Templates snap-in are .inf files.

Group Policy security policies are stored in .inf files in the Sysvol folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation.
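The following PowerShell session is an added example, not part of the original article: it writes a small declarative template in the .inf format described above, loads it into a user database with Secedit.exe (the command-line tool described earlier), analyzes the local computer against it, and lists the attributes that do not match. It assumes an elevated session on a Windows computer, and the template values and file names are constructed for the illustration rather than a recommended baseline.

```powershell
# Added example; not from the original article. Assumes an elevated PowerShell session
# with Secedit.exe available. The template values below are constructed for illustration.

$work     = Join-Path $env:TEMP 'sce-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$template = Join-Path $work 'baseline.inf'     # constructed template file name
$db       = Join-Path $work 'baseline.sdb'     # a user database, separate from Secedit.sdb
$log      = Join-Path $work 'analysis.log'

# Declarative template: each section maps to a resource manager (SAM, LSA, registry).
# Secedit reads UTF-16 templates, which the [Unicode] section declares.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@ | Set-Content -Path $template -Encoding Unicode

# Import the template into the user database, then analyze the live system against it.
# Nothing is changed on the computer: /analyze only compares and writes the log.
secedit /import /db $db /cfg $template /overwrite /quiet
secedit /analyze /db $db /log $log /quiet

# Every attribute that differs from the database is recorded in the log as a mismatch.
$mismatches = Get-Content -Path $log | Where-Object { $_ -match 'Mismatch' }
if ($mismatches) {
    'Settings that differ from the template:'
    $mismatches | ForEach-Object { $_.Trim() }
} else {
    'The local computer matches the template.'
}
```

Replacing the /analyze step with `secedit /configure /db $db /log $log` would apply the same database to the computer, which is the configure operation listed at the top of the article.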

Optional component .inf files

Optional component .inf files are initialized at the end of graphical user interface (GUI) setup (syscomp.inf).

WMI

WMI is a management infrastructure that supports the monitoring and controlling of system resources through a common set of interfaces and provides a logically organized, consistent model of Windows operation, configuration, and status.

WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information.
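As an added example (not from the original article) of the policy-application data that Scecli.dll logs into WMI, the following PowerShell reads the Resultant Set of Policy (RSoP) security settings and reports which GPO supplied each value. It assumes an elevated session on a domain-joined computer where Group Policy has applied at least once, so that the root\rsop\computer namespace has been populated.

```powershell
# Added example; not from the original article. Assumes an elevated session on a
# computer where Group Policy has already been applied (RSoP logging mode populated).

$ns = 'root\rsop\computer'

# Numeric security settings (SAM and LSA values such as MinimumPasswordLength).
# precedence 1 marks the setting that won; GPOID identifies the GPO that supplied it.
$numeric = Get-WmiObject -Namespace $ns -Class RSOP_SecuritySettingNumeric |
    Where-Object { $_.precedence -eq 1 } |
    Select-Object KeyName, Setting, GPOID

# Audit policy as applied, one row per category with success/failure flags.
$audit = Get-WmiObject -Namespace $ns -Class RSOP_AuditPolicy |
    Where-Object { $_.precedence -eq 1 } |
    Select-Object Category, Success, Failure, GPOID

# User rights assignments with the accounts that hold each right.
$rights = Get-WmiObject -Namespace $ns -Class RSOP_UserPrivilegeRight |
    Where-Object { $_.precedence -eq 1 } |
    Select-Object UserRight, @{ n = 'Accounts'; e = { $_.AccountList -join ', ' } }, GPOID

'Winning numeric settings and their source GPO:'
$numeric | Sort-Object KeyName | Format-Table -AutoSize

'Audit categories where neither success nor failure is audited:'
$audit | Where-Object { -not $_.Success -and -not $_.Failure } |
    Format-Table Category, GPOID -AutoSize

'User rights granted to Everyone (S-1-1-0), which usually deserve a second look:'
$rights | Where-Object { $_.Accounts -match 'S-1-1-0|\bEveryone\b' } |
    Format-Table UserRight, Accounts, GPOID -AutoSize
```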

System

  • LSA

  • SAM

  • Registry

  • Service Control Manager (SCM)

  • File System

  • Auditing

System refers to the various resource managers. Kerberos policy and audit policies are stored in LSA. Password and account lockout policies are stored in SAM. Event log settings and security options are stored in the registry. The security configuration engine calls SAM APIs, LSA APIs, and registry APIs to configure and analyze these security attributes. The SCM and the file system set access control lists (ACLs) on services and files.

Sysvol .inf files

Sysvol is a set of folders containing important domain information that is stored in the file system. By default, the Sysvol folder is stored in a subfolder of the systemroot folder (%systemroot%\sysvol\sysvol) and is automatically created when a server is promoted to a domain controller. Sysvol contains the largest part of a GPO: the Group Policy template, which includes Administrative templates–based policy settings, security settings, script files, and information regarding applications that are available for software installation. It is replicated through the File Replication Service (FRS) between all domain controllers in a domain.