PC Review

Thread Tools Rate Thread

Software Report [Windows Tips: DIY Windows Security Analysis Tool - 02/09/2005]

Posts: n/a
      10th Feb 2005
February 9th, 2005

Windows Tips: DIY Windows Security Analysis Tool

Contributing Editor Scott Dunn

These days, security is on everyone's mind--as well as on everyone's
computer screen. Security warnings pop up in your Web browser, your
e-mail, your antivirus software, your network settings, and all your
other apps. But tracking every nook and cranny where Windows hides its
security settings--and choosing the correct ones--can be a full-time

Fortunately, Windows XP Professional and 2000 contain the building
blocks of a comprehensive security analysis and configuration tool.
(If you have XP Home, the security built into Service Pack 2 should
meet your needs.) But you have to assemble the components into a
security suite yourself. I'll show you how to put the utility
together, use it to analyze your system, and decide what actions to
take based on the results. While Windows' Security Configuration and
Analysis utility does not address security for e-mail and other apps,
it lets you assign all of Windows' system-level security settings in
one place.

Changes to security settings can affect your network and Internet
connections, your applications, and Windows' own Registry settings, so
back up your system before embarking on any serious tweaking. Read
"Care and Feeding of the Windows Registry" from Stan Miastkowski's May
2002 Step By Step column:

After each change of setting, test your applications and network
connection to make sure they're working properly. If a problem crops
up, restore your Registry as explained in Lincoln Spector's April 2003
Answer Line column, "How Do I Restore My Windows Registry?"

Build Your Software

To create your custom security tool, log in as an administrator,
choose Start, Run, type mmc, and press Enter. In Windows XP, choose
File, Add/Remove Snap-in. In Windows 2000, click Console, Add/Remove
Snap-in from the Console1 main menu. In both versions, click Add,
select Security Configuration and Analysis, click Add again, and then
Close and OK.

The little Console Root icon in the window now has a subicon, but no
other real branches to its tree. To add a subentry for the icon,
create a database of your settings: Right-click Security Configuration
and Analysis and choose Open Database. In the "File name" box, type
the name of your database--for example, my security settings--and
press Enter to be prompted to import a template. (If you don't see
this dialog, or if you cancel it accidentally, right-click Security
Configuration and Analysis and choose "Import template.")

The templates range from the default Windows settings (setup
security.inf) to very high security (hisecws.inf). Unless you are a
network-management or security expert, or you believe another template
applies to your system, select "setup security" and click Open (the
file appears as "setup security.inf" if your system is set to show
file extensions).

Save your newly created tool so you can access it again without
retracing all these steps. Choose Console, Save As (in Windows 2000)
or File, Save As (in XP), and select a location. If you save the
utility in the Administrative Tools folder on your Start menu (the
default option), you can launch it by choosing its icon from the
Start, Program, Administrative Tools menu (or the All Programs,
Administrative Tools menu). If the icon is missing, right-click Start,
select Properties, Start Menu, Customize, Advanced, and at the bottom
of the "Start menu items" list, choose a display option. The path for
this folder is usually C:\Documents and Settings\All Users\Start
Menu\Programs\Administrative Tools (change the default path if you
don't want all users who log on to the machine to see this item). Type
a name, such as Security Analyzer, and then press Enter.

Do a Security Check

To analyze your system and compare its settings to those in your
template, right-click Security Configuration and Analysis and choose
Analyze Computer Now. Type a path for the log file, or just click OK
to accept the default path.

When the analysis is done, the pane on the left should show new
branches. To see how your PC's settings compare to the template, click
any + sign until one or more branches have no more subbranches. Click
an icon at the end of a branch to view that category's settings in the
right pane.

The icons for many of the entries will tell you how your PC's settings
compare to the template database. The chart "Security Template
Scorecard" explains these icons (Windows 2000 shows only the first

The columns in the right pane show how your system diverges from the
template you loaded. The Account Policies and Local Policies sections
have three columns that tell the whole story--Policy (the type of
setting), Computer Setting (your system's configuration), and Database
Setting (the setting in the template).

Tweak Your Settings

If all or nearly all of the settings you look at have a green check
mark, then your system's security essentially matches that recommended
by the template database. Relax and have a cuppa joe. But what if you
see many discrepancies--such as those marked with an X in a red
circle? You have several choices.

Do Nothing: If your system is running the way you like and you have no
reason to believe that you are susceptible to security breaches, just
walk away. If it ain't broke, what's to fix? This is the safest
approach, and the one I recommend unless you have some basis for
thinking that you do have a security problem.

Get a Different Template: An abundance of discrepancies may indicate
that the template you chose is not suited to your system. To find a
better match in Windows XP, choose Start, Help and Support. In the
search box, type Predefined security templates and press Enter. Click
"Predefined security templates" in the left pane to view the
nitty-gritty on these templates in the right pane. In Windows 2000,
click the question-mark Help icon at the far right of the security
utility's toolbar. With the Contents tab in front, select Security
Configuration and Analysis, Advanced Topics, Predefined templates. The
info you need is in the right pane.

If you find a better template fit, select Security Configuration and
Analysis in the left pane and choose Action, Import Template (or
right-click the icon and choose Import Template from the context
menu). In the Import Template dialog box, check "Clear this database
before importing" to replace the current template. Otherwise, you'll
end up with a composite of settings from multiple templates. Select
the desired template, click Open, and repeat the analysis as explained

Tweak Individual Settings: If you're the supercautious type and just
can't leave well enough alone, inspect the settings that diverge from
the template database and decide one by one whether and how to change
them. The safest way to do this is to use an entirely different tool
for the analysis than you used to create the template. For example, if
the settings you want to change are in the Account Policies or Local
Policies sections of your new tool, choose Start, Programs,
Administrative Tools, Local Security Policy (in XP it's Start, All
Programs, Administrative Tools, Local Security Policy), or choose
Start, Run, type secpol.msc /s, and press Enter.

With the Local Security Policy tool (Local Security Settings in
Windows 2000), only the settings you change get applied to your
system; but with the Security Configuration and Analysis tool, you
risk applying dozens of unknown template settings. In this case, limit
use of the latter utility to determining which items to adjust via the
Local Security Policy tool.

Windows XP describes each icon in the Account Policies or Local
Policies sections of the Local Security Policy and Security
Configuration and Analysis tools. To access these descriptions, choose
Start, Help and Support, type Account and local policies in the search
box, and press Enter. In the Search Results pane, select Full-text
Search Matches and click "Account and local policies." Use the text
and links on the right to locate the information you need. Windows
2000 lacks this information, but you can click the Help icon at the
far right of the toolbar and select Contents, Security Configuration
and Analysis, Advanced Topics for some guidance.

Go for Broke: If you are used to tinkering with your system's advanced
settings, you can use the Security Configuration and Analysis tool to
apply some or all of a template's settings. To make only selected
changes to your machine's current configuration, double-click an icon
in the right pane whose settings you think you should change (such as
one with an X in a red circle). Then check or uncheck the desired
boxes in the Database Setting column (in the dialog boxes where it
appears), or adjust other settings in the dialog box.

When you have finished making your changes, click OK and choose File,
Save. To apply the changes to your PC, select Security Configuration
and Analysis in the left pane and choose Action, Configure Computer
Now. Either type a path for the log file, or click OK to accept the
default path. When the tool finishes applying the settings, repeat the
analysis. You should now see fewer red circles with X's, since your
system settings should match those in your current database.

Test your network and Internet connections, as well as your e-mail and
any other applications that may have been affected by the change. If
any problems occur, restore the Registry and try again.

For tips on optimizing Windows, read "Windows Rejuvenated!":

Send Windows-related questions and tips to Scott Dunn at:

Read Scott Dunn's regularly published "Windows Tips" columns:

"I never charge the mound. I'd rather wait til after the game and beat the f@ck out of him when he has no idea it's coming."
-- Jason Giambi
Reply With Quote

Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Q: Automate the Fourier Analysis - Data Analysis Tool pinkpanther Microsoft Excel Discussion 0 14th Jan 2011 05:04 PM
A useful tool, a useful tool, a useful tool, a useful tool... Hilton Microsoft Dot NET Compact Framework 2 11th Jul 2007 11:19 PM
Any performance analysis tools can easily to read & analysis CSV data come from Windows Performance Monitor? =?Utf-8?B?QWxleGFuZGVyIEJyb3du?= Microsoft Windows 2000 2 30th Jan 2004 04:30 AM
Software Calculator for DIY Home Improvement Greg Eshleman Freeware 3 9th Oct 2003 11:48 PM
Logon message text truncated when using Security Configuration and Analysis Tool David Dougherty Windows XP Security 0 13th Aug 2003 03:39 AM




All times are GMT +1. The time now is 01:32 AM.