1) In Windows 2000, there are 2 ways to apply a security template --
use the Security Configuration and Analysis snap-in or use the
secedit.exe command. Does anyone know if these 2 tools use the same
code to apply a template? Basically what I want to know is this: if
some bugs exist in the Security Configuration and Analysis tool for
applying templates, will those same bugs be present in the secedit.exe
command (or vice versa)?

2) There is a template called "setup security.inf" that Windows 2000
uses to apply the default security settings during installation. How
exactly does Windows 2000 apply the "setup security.inf" template
during installation? Does it call secedit.exe or does it use some
other mechanism?

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> 1) In Windows 2000, there are 2 ways to apply a security template --
> use the Security Configuration and Analysis snap-in or use the
> secedit.exe command. Does anyone know if these 2 tools use the same
> code to apply a template? Basically what I want to know is this: if
> some bugs exist in the Security Configuration and Analysis tool for
> applying templates, will those same bugs be present in the secedit.exe
> command (or vice versa)?
>

I have not examined the code for this, but I would be very
surprised if these two are not using the same underneith.

> 2) There is a template called "setup security.inf" that Windows 2000
> uses to apply the default security settings during installation. How
> exactly does Windows 2000 apply the "setup security.inf" template
> during installation? Does it call secedit.exe or does it use some
> other mechanism?
>

Well, setup security.inf as I understand it is not really so much
a template that is applied during setup as it is a log recording
what was done during setup.

On Jun 12, 8:12 pm, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
> <void.no.spam....@gmail.com> wrote in message
>
> news:(E-Mail Removed)...
>
> > 1) In Windows 2000, there are 2 ways to apply a security template --
> > use the Security Configuration and Analysis snap-in or use the
> > secedit.exe command. Does anyone know if these 2 tools use the same
> > code to apply a template? Basically what I want to know is this: if
> > some bugs exist in the Security Configuration and Analysis tool for
> > applying templates, will those same bugs be present in the secedit.exe
> > command (or vice versa)?
>
> I have not examined the code for this, but I would be very
> surprised if these two are not using the same underneith.
>
> > 2) There is a template called "setup security.inf" that Windows 2000
> > uses to apply the default security settings during installation. How
> > exactly does Windows 2000 apply the "setup security.inf" template
> > during installation? Does it call secedit.exe or does it use some
> > other mechanism?
>
> Well, setup security.inf as I understand it is not really so much
> a template that is applied during setup as it is a log recording
> what was done during setup.

You're right... I found this good article that talks about that (and
also how the setup security.inf file doesn't contain all of the
default settings):

http://www.microsoft.com/technet/tec...SecurityMyths/

That article also says that the defltwk.inf template is applied to
workstations during installation. Do you have any idea if Windows
2000 calls secedit.exe to apply that template or if it uses a
different mechanism?

Another question I have is this: Registry keys seem pretty similar to
files/folders in terms of the permission settings that can be applied
to them. Do you know if the Security Configuration and Analysis and
Secedit.exe tools use the same code to apply permissions to registry
keys that they use to apply permissions to files/folders? I ask that
question because I want to know if there is a bug with applying
permissions to files/folders, will the same bug exist with applying
permissions to registry keys (or vice versa)?

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Jun 12, 8:12 pm, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
>> <void.no.spam....@gmail.com> wrote in message
>>
>> news:(E-Mail Removed)...
>>
>> > 1) In Windows 2000, there are 2 ways to apply a security template --
>> > use the Security Configuration and Analysis snap-in or use the
>> > secedit.exe command. Does anyone know if these 2 tools use the same
>> > code to apply a template? Basically what I want to know is this: if
>> > some bugs exist in the Security Configuration and Analysis tool for
>> > applying templates, will those same bugs be present in the secedit.exe
>> > command (or vice versa)?
>>
>> I have not examined the code for this, but I would be very
>> surprised if these two are not using the same underneith.
>>
>> > 2) There is a template called "setup security.inf" that Windows 2000
>> > uses to apply the default security settings during installation. How
>> > exactly does Windows 2000 apply the "setup security.inf" template
>> > during installation? Does it call secedit.exe or does it use some
>> > other mechanism?
>>
>> Well, setup security.inf as I understand it is not really so much
>> a template that is applied during setup as it is a log recording
>> what was done during setup.
>
> You're right... I found this good article that talks about that (and
> also how the setup security.inf file doesn't contain all of the
> default settings):
>
> http://www.microsoft.com/technet/tec...SecurityMyths/
>
> That article also says that the defltwk.inf template is applied to
> workstations during installation. Do you have any idea if Windows
> 2000 calls secedit.exe to apply that template or if it uses a
> different mechanism?

No, I have no idea what W2k did in this regard.

> Another question I have is this: Registry keys seem pretty similar to
> files/folders in terms of the permission settings that can be applied
> to them. Do you know if the Security Configuration and Analysis and
> Secedit.exe tools use the same code to apply permissions to registry
> keys that they use to apply permissions to files/folders? I ask that
> question because I want to know if there is a bug with applying
> permissions to files/folders, will the same bug exist with applying
> permissions to registry keys (or vice versa)?
>

I can only guess. The APIs used to manipulate reg entry ACLs
are separate from those used to manipulate NTFS ACLs. At the
point in time when that code was written one obtained the SD
(security descriptor) picked up the ACL and walked it to make
ACE changes, and I do not recall seeing in that timeframe any
generic public API to which one would feed an ACL and info
on what ACE add/remove/alter.
From that I would guess that the two use pretty separate code
paths, or where/if they converge that common part is pretty
error free (we would be in deep water otherwise, right?).

Roger