Software Report [Windows Tips: DIY Windows Security Analysis Tool - 02/09/2005]

Discussion in 'Freeware' started by Ablang, Feb 10, 2005.

  1. Ablang

    Ablang Guest

    February 9th, 2005

    Windows Tips: DIY Windows Security Analysis Tool

    Contributing Editor Scott Dunn

    These days, security is on everyone's mind--as well as on everyone's
    computer screen. Security warnings pop up in your Web browser, your
    e-mail, your antivirus software, your network settings, and all your
    other apps. But tracking every nook and cranny where Windows hides its
    security settings--and choosing the correct ones--can be a full-time

    Fortunately, Windows XP Professional and 2000 contain the building
    blocks of a comprehensive security analysis and configuration tool.
    (If you have XP Home, the security built into Service Pack 2 should
    meet your needs.) But you have to assemble the components into a
    security suite yourself. I'll show you how to put the utility
    together, use it to analyze your system, and decide what actions to
    take based on the results. While Windows' Security Configuration and
    Analysis utility does not address security for e-mail and other apps,
    it lets you assign all of Windows' system-level security settings in
    one place.

    Changes to security settings can affect your network and Internet
    connections, your applications, and Windows' own Registry settings, so
    back up your system before embarking on any serious tweaking. Read
    "Care and Feeding of the Windows Registry" from Stan Miastkowski's May
    2002 Step By Step column:

    After each change of setting, test your applications and network
    connection to make sure they're working properly. If a problem crops
    up, restore your Registry as explained in Lincoln Spector's April 2003
    Answer Line column, "How Do I Restore My Windows Registry?"

    Build Your Software

    To create your custom security tool, log in as an administrator,
    choose Start, Run, type mmc, and press Enter. In Windows XP, choose
    File, Add/Remove Snap-in. In Windows 2000, click Console, Add/Remove
    Snap-in from the Console1 main menu. In both versions, click Add,
    select Security Configuration and Analysis, click Add again, and then
    Close and OK.

    The little Console Root icon in the window now has a subicon, but no
    other real branches to its tree. To add a subentry for the icon,
    create a database of your settings: Right-click Security Configuration
    and Analysis and choose Open Database. In the "File name" box, type
    the name of your database--for example, my security settings--and
    press Enter to be prompted to import a template. (If you don't see
    this dialog, or if you cancel it accidentally, right-click Security
    Configuration and Analysis and choose "Import template.")

    The templates range from the default Windows settings (setup
    security.inf) to very high security (hisecws.inf). Unless you are a
    network-management or security expert, or you believe another template
    applies to your system, select "setup security" and click Open (the
    file appears as "setup security.inf" if your system is set to show
    file extensions).

    Save your newly created tool so you can access it again without
    retracing all these steps. Choose Console, Save As (in Windows 2000)
    or File, Save As (in XP), and select a location. If you save the
    utility in the Administrative Tools folder on your Start menu (the
    default option), you can launch it by choosing its icon from the
    Start, Program, Administrative Tools menu (or the All Programs,
    Administrative Tools menu). If the icon is missing, right-click Start,
    select Properties, Start Menu, Customize, Advanced, and at the bottom
    of the "Start menu items" list, choose a display option. The path for
    this folder is usually C:\Documents and Settings\All Users\Start
    Menu\Programs\Administrative Tools (change the default path if you
    don't want all users who log on to the machine to see this item). Type
    a name, such as Security Analyzer, and then press Enter.

    Do a Security Check

    To analyze your system and compare its settings to those in your
    template, right-click Security Configuration and Analysis and choose
    Analyze Computer Now. Type a path for the log file, or just click OK
    to accept the default path.

    When the analysis is done, the pane on the left should show new
    branches. To see how your PC's settings compare to the template, click
    any + sign until one or more branches have no more subbranches. Click
    an icon at the end of a branch to view that category's settings in the
    right pane.

    The icons for many of the entries will tell you how your PC's settings
    compare to the template database. The chart "Security Template
    Scorecard" explains these icons (Windows 2000 shows only the first

    The columns in the right pane show how your system diverges from the
    template you loaded. The Account Policies and Local Policies sections
    have three columns that tell the whole story--Policy (the type of
    setting), Computer Setting (your system's configuration), and Database
    Setting (the setting in the template).

    Tweak Your Settings

    If all or nearly all of the settings you look at have a green check
    mark, then your system's security essentially matches that recommended
    by the template database. Relax and have a cuppa joe. But what if you
    see many discrepancies--such as those marked with an X in a red
    circle? You have several choices.

    Do Nothing: If your system is running the way you like and you have no
    reason to believe that you are susceptible to security breaches, just
    walk away. If it ain't broke, what's to fix? This is the safest
    approach, and the one I recommend unless you have some basis for
    thinking that you do have a security problem.

    Get a Different Template: An abundance of discrepancies may indicate
    that the template you chose is not suited to your system. To find a
    better match in Windows XP, choose Start, Help and Support. In the
    search box, type Predefined security templates and press Enter. Click
    "Predefined security templates" in the left pane to view the
    nitty-gritty on these templates in the right pane. In Windows 2000,
    click the question-mark Help icon at the far right of the security
    utility's toolbar. With the Contents tab in front, select Security
    Configuration and Analysis, Advanced Topics, Predefined templates. The
    info you need is in the right pane.

    If you find a better template fit, select Security Configuration and
    Analysis in the left pane and choose Action, Import Template (or
    right-click the icon and choose Import Template from the context
    menu). In the Import Template dialog box, check "Clear this database
    before importing" to replace the current template. Otherwise, you'll
    end up with a composite of settings from multiple templates. Select
    the desired template, click Open, and repeat the analysis as explained

    Tweak Individual Settings: If you're the supercautious type and just
    can't leave well enough alone, inspect the settings that diverge from
    the template database and decide one by one whether and how to change
    them. The safest way to do this is to use an entirely different tool
    for the analysis than you used to create the template. For example, if
    the settings you want to change are in the Account Policies or Local
    Policies sections of your new tool, choose Start, Programs,
    Administrative Tools, Local Security Policy (in XP it's Start, All
    Programs, Administrative Tools, Local Security Policy), or choose
    Start, Run, type secpol.msc /s, and press Enter.

    With the Local Security Policy tool (Local Security Settings in
    Windows 2000), only the settings you change get applied to your
    system; but with the Security Configuration and Analysis tool, you
    risk applying dozens of unknown template settings. In this case, limit
    use of the latter utility to determining which items to adjust via the
    Local Security Policy tool.

    Windows XP describes each icon in the Account Policies or Local
    Policies sections of the Local Security Policy and Security
    Configuration and Analysis tools. To access these descriptions, choose
    Start, Help and Support, type Account and local policies in the search
    box, and press Enter. In the Search Results pane, select Full-text
    Search Matches and click "Account and local policies." Use the text
    and links on the right to locate the information you need. Windows
    2000 lacks this information, but you can click the Help icon at the
    far right of the toolbar and select Contents, Security Configuration
    and Analysis, Advanced Topics for some guidance.

    Go for Broke: If you are used to tinkering with your system's advanced
    settings, you can use the Security Configuration and Analysis tool to
    apply some or all of a template's settings. To make only selected
    changes to your machine's current configuration, double-click an icon
    in the right pane whose settings you think you should change (such as
    one with an X in a red circle). Then check or uncheck the desired
    boxes in the Database Setting column (in the dialog boxes where it
    appears), or adjust other settings in the dialog box.

    When you have finished making your changes, click OK and choose File,
    Save. To apply the changes to your PC, select Security Configuration
    and Analysis in the left pane and choose Action, Configure Computer
    Now. Either type a path for the log file, or click OK to accept the
    default path. When the tool finishes applying the settings, repeat the
    analysis. You should now see fewer red circles with X's, since your
    system settings should match those in your current database.

    Test your network and Internet connections, as well as your e-mail and
    any other applications that may have been affected by the change. If
    any problems occur, restore the Registry and try again.

    For tips on optimizing Windows, read "Windows Rejuvenated!":

    Send Windows-related questions and tips to Scott Dunn at:

    Read Scott Dunn's regularly published "Windows Tips" columns:

    "I never charge the mound. I'd rather wait til after the game and beat the f@ck out of him when he has no idea it's coming."
    -- Jason Giambi
    Ablang, Feb 10, 2005
    1. Advertisements

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads
  1. Greg Eshleman

    Software Calculator for DIY Home Improvement

    Greg Eshleman, Oct 8, 2003, in forum: Freeware
    Oct 9, 2003
  2. Joep
  3. Ablang
  4. Ablang
    Apr 13, 2005
  5. Ablang
    My Name
    May 6, 2005
  6. Ablang
    Oct 4, 2005
  7. Ablang
  8. Alpha
    Dec 30, 2005