Applying security templates

G

Guest

1) In Windows 2000, there are 2 ways to apply a security template --
use the Security Configuration and Analysis snap-in or use the
secedit.exe command. Does anyone know if these 2 tools use the same
code to apply a template? Basically what I want to know is this: if
some bugs exist in the Security Configuration and Analysis tool for
applying templates, will those same bugs be present in the secedit.exe
command (or vice versa)?

2) There is a template called "setup security.inf" that Windows 2000
uses to apply the default security settings during installation. How
exactly does Windows 2000 apply the "setup security.inf" template
during installation? Does it call secedit.exe or does it use some
other mechanism?
 
R

Roger Abell [MVP]

1) In Windows 2000, there are 2 ways to apply a security template --
use the Security Configuration and Analysis snap-in or use the
secedit.exe command. Does anyone know if these 2 tools use the same
code to apply a template? Basically what I want to know is this: if
some bugs exist in the Security Configuration and Analysis tool for
applying templates, will those same bugs be present in the secedit.exe
command (or vice versa)?
Click to expand...

I have not examined the code for this, but I would be very
surprised if these two are not using the same underneith.
2) There is a template called "setup security.inf" that Windows 2000
uses to apply the default security settings during installation. How
exactly does Windows 2000 apply the "setup security.inf" template
during installation? Does it call secedit.exe or does it use some
other mechanism?
Click to expand...

Well, setup security.inf as I understand it is not really so much
a template that is applied during setup as it is a log recording
what was done during setup.
 
G

Guest

I have not examined the code for this, but I would be very
surprised if these two are not using the same underneith.


Well, setup security.inf as I understand it is not really so much
a template that is applied during setup as it is a log recording
what was done during setup.
Click to expand...

You're right... I found this good article that talks about that (and
also how the setup security.inf file doesn't contain all of the
default settings):

http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/

That article also says that the defltwk.inf template is applied to
workstations during installation. Do you have any idea if Windows
2000 calls secedit.exe to apply that template or if it uses a
different mechanism?

Another question I have is this: Registry keys seem pretty similar to
files/folders in terms of the permission settings that can be applied
to them. Do you know if the Security Configuration and Analysis and
Secedit.exe tools use the same code to apply permissions to registry
keys that they use to apply permissions to files/folders? I ask that
question because I want to know if there is a bug with applying
permissions to files/folders, will the same bug exist with applying
permissions to registry keys (or vice versa)?
 
R

Roger Abell [MVP]

You're right... I found this good article that talks about that (and
also how the setup security.inf file doesn't contain all of the
default settings):

http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/

That article also says that the defltwk.inf template is applied to
workstations during installation. Do you have any idea if Windows
2000 calls secedit.exe to apply that template or if it uses a
different mechanism?
Click to expand...

No, I have no idea what W2k did in this regard.
Another question I have is this: Registry keys seem pretty similar to
files/folders in terms of the permission settings that can be applied
to them. Do you know if the Security Configuration and Analysis and
Secedit.exe tools use the same code to apply permissions to registry
keys that they use to apply permissions to files/folders? I ask that
question because I want to know if there is a bug with applying
permissions to files/folders, will the same bug exist with applying
permissions to registry keys (or vice versa)?
Click to expand...

I can only guess. The APIs used to manipulate reg entry ACLs
are separate from those used to manipulate NTFS ACLs. At the
point in time when that code was written one obtained the SD
(security descriptor) picked up the ACL and walked it to make
ACE changes, and I do not recall seeing in that timeframe any
generic public API to which one would feed an ACL and info
on what ACE add/remove/alter.
From that I would guess that the two use pretty separate code
paths, or where/if they converge that common part is pretty
error free (we would be in deep water otherwise, right?).

Roger
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

SECURITY TEMPLATES XP EMBEDDED 1
Applying a security template: one setting not saved to secedit.sdb 0
security templates are missing 7
server 2003 gp templates in 2000 domain 4
basicwk.inf vs. defltwk.inf vs. setup security.inf 0
scripting local system policy on a standalong Windows 2000 Server 1
Security templates applied locally vs applied through group policy 1
Secedit.sdb not enough storage space is available to process this 0

Top