Question for Roger Abell

Guest

Hi Roger,

I've seen some old posts from you in which you mention that the
Security Templates and Security Configuration and Analysis snap-ins
are fairly buggy. I've already encountered one problem (I mentioned
it a few weeks ago -- the SCaA does not always apply the "inherit from
parent" permission on some folders). And in one of your posts you say
that sometimes a security template will not be saved (even if you tell
it to save) until after you close the MMC. Do you remember what other
problems there are?

I'm going thru the Windows 2000 Security Hardening Guide, and it
recommends the use of the SCaA to apply some of the included security
templates. Do you know if the problems you are aware of have been
fixed? If so, have they been fixed only for Windows XP, or have they
been fixed for Windows 2000 as well?

Thanks!
 
Roger Abell [MVP]

Hi void,

You know, there is a power in newsgroup archives, and a
flaw when it comes to things like issues with Windows in
that what was a problem can get fixed.

It really depends on the precise versions of the tools in
use (OS rev and whether one did both to download the
updated adminpak and support tools, which have often
not been included with the service pack but released in
a separate download).

Most of the issues with the Template editor seem to be
cleared at this point if one is using post-W2k fully updated.
The big one seemed to be that attempting to adjust Services
settings was being handled incorrectly for quite a while.
(KBs available on this)
I recall your post on the inheritance issue depending on how
the SDDL was stated, which was a new one on me.
I have not had the non-save issue for quite a long time, so
I am not sure now what OS rev's it impacted. There seems
to be an issue with the export capability of secedit that does
apparently remain today. Also, the analysis for the filesystem
is sort of skewed in how it bubbles up conflicts and their counts;
it does give the correct info at the leaves, but the parental nodes
are not always marked in a sensible way (I think the algorithm
used is just plain incorrect).

Anyway, I would suggest you make a post over in the group
policy newsgroup, perhaps crossposted to a couple other
likely newsgroups, with well chosen title, soliciting people
to relate the errors they have seen in current releases.
Things have gotten better and may further with the tools release
for the Vista generation.

Roger
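
Added example, not part of any post in this thread: an independent read of a template's `[File Security]` section that reports, per folder, whether the SDDL's DACL carries the `P` (protected) flag, which blocks inheritance from the parent. The sample template text, its paths and the function names are constructed for illustration.

```python
import csv
import re

# Constructed sample in security template (.inf) layout; paths and ACLs are made up.
SAMPLE_TEMPLATE = r'''
[Unicode]
Unicode=yes
[File Security]
; path, apply mode, security descriptor in SDDL
"%SystemDrive%\Data",2,"D:PAR(A;OICI;GA;;;BA)(A;OICI;GRGX;;;BU)"
"%SystemDrive%\Data\Shared",0,"D:AR(A;OICI;GA;;;BA)"
"%SystemDrive%\Data\Logs",2,"O:BAG:SYD:PAI(A;OICI;GA;;;SY)"
[Version]
signature="$CHICAGO$"
'''

def file_security_entries(template_text):
    """Yield (path, mode, sddl) for each entry of the [File Security] section."""
    section = None
    for line in template_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "file security":
            path, mode, sddl = next(csv.reader([line]))
            yield path, int(mode), sddl

def dacl_flags(sddl):
    """Return the DACL control flags (P, AR, AI) stated in an SDDL string."""
    match = re.search(r"D:([A-Z_]*)", sddl)
    if match is None:
        return None  # the descriptor states no DACL at all
    return set(re.findall(r"AR|AI|P", match.group(1)))

def audit_inheritance(template_text):
    """Report (path, mode, state); mode is passed through uninterpreted."""
    report = []
    for path, mode, sddl in file_security_entries(template_text):
        flags = dacl_flags(sddl)
        if flags is None:
            state = "no DACL"
        else:
            state = "protected" if "P" in flags else "inherits"
        report.append((path, mode, state))
    return report
```

Templates saved by the snap-in are typically Unicode (UTF-16) files, so decode the file accordingly before passing its text to `audit_inheritance`.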
 
Guest

Thank you for the reply, Roger. It sounds like Windows 2000 may not
have gotten some of the latest fixes.

Regarding the Template editor problems... are those solved by just
closing MMC after saving the template? Or could things be saved
incorrectly even after closing MMC?

Regarding the SCaA problems... if I were to do an Analysis after
doing a Configure, and the Analysis looked good, then would it be safe
to assume that the Configure worked perfectly?
 
Roger Abell [MVP]

> Thank you for the reply, Roger. It sounds like Windows 2000 may not
> have gotten some of the latest fixes.

No problem. And yes, W2k is probably in the least proper condition
in this regard.

> Regarding the Template editor problems... are those solved by just
> closing MMC after saving the template? Or could things be saved
> incorrectly even after closing MMC?

I have not seen the fail to save of a template issue for some time
now. It does not seem to be an issue with XP at current service
level nor with W2k3. When it was, what I found was that when
saved it did save correctly, and closing with an unsaved resulted
in a prompting to save.

> Regarding the SCaA problems... if I were to do an Analysis after
> doing a Configure, and the Analysis looked good, then would it be safe
> to assume that the Configure worked perfectly?

Yes, that has been my experience. The problem I mention is only
a reporting issue with how an analysis of the filesystem section is
displayed.
 
Guest

> I have not seen the fail to save of a template issue for some time
> now. It does not seem to be an issue with XP at current service
> level nor with W2k3. When it was, what I found was that when
> saved it did save correctly, and closing with an unsaved resulted
> in a prompting to save.

Your last sentence is confusing. That sounds like the correct
behavior?

> Yes, that has been my experience. The problem I mention is only
> a reporting issue with how an analysis of the filesystem section is
> displayed.

Hopefully if any problems do occur with the template editor or SCaA,
they will be obvious or unharmful ones, and not subtle ones that leave
my system in an unexpected state.
 
Roger Abell [MVP]

> Your last sentence is confusing. That sounds like the correct
> behavior?

When it would save, it would save correctly.
Right clicking on it in Templates mmc would not save it,
just act like it did. Closing Templates without attempting
to save it first would result in prompt to save changes and
that would save reliably.
Moot point in any case as the error seems to have been fixed.

> Hopefully if any problems do occur with the template editor or SCaA,
> they will be obvious or unharmful ones, and not subtle ones that leave
> my system in an unexpected state.

Except for the issues with permissions being set wrong or wiped
out when using the Services section, yes, most were more of the
non-damaging but annoying type (the template save issue caused
loss of work, the analysis reporting causes still confusion and
makes one drill-in instead of believing the high-level view).
The issue with Services perms was however quite harmful
to enterprises.

Roger
 
