* SECUREWS (securews.inf) is the secure workstation template; the stricter HISECWS (hisecws.inf) is the high-security workstation template.
The Security Configuration and Analysis snap-in
The Security Configuration and Analysis snap-in has two jobs: first, to compare the PC's current configuration against a security template, and second, to apply a template to a local PC (or Group Policy object, in a networked environment).
To compare the PC's current configuration against a security template, right-click the Security Configuration and Analysis node in the console's tree pane and choose Open Database. If this is a new database, Windows prompts you to specify a security template to load into the database. For example, if you want to see how your system stacks up against a secure workstation configuration, you'd choose SECUREWS.
After you open the database, perform the analysis by right-clicking Security Configuration and Analysis and choosing Analyze Computer Now. When the utility finishes its evaluation, it presents a results display. A green check mark by a setting means that your PC's setting matches the one in the database; a red 'X' means that your PC's setting differs from the database value (typically, the PC is less strict than the template). Settings that the template does not define are shown without either mark. Analysis never changes the PC; only Configure Computer Now does that.
Microsoft supplies a command-line tool, SECEDIT.EXE, which performs most of the same tasks that the console snap-ins perform, but from a batch file or script - handy if you want to put a SECEDIT command into a system-wide logon script, for example. With SECEDIT, you can create templates, apply templates, and analyze security.
Remember The exam is likely to quiz your knowledge of the various SECEDIT command qualifiers, which include the following:
* /analyze analyzes the current system's security, and uses the /DB and /CFG parameters.
* /configure configures the current system's security, and uses the /DB and /CFG parameters.
* /export exports the configuration stored in a security database to an INF template file; here /DB names the database to read and /CFG names the INF file to write.
* /DB <filename> specifies the database containing a stored configuration against which the analysis will be made (with the /analyze option) or into which a template will be imported (with the /configure option). If the file does not exist, SECEDIT creates it.
* /CFG <filename> specifies the path to the security template that SECEDIT imports into the database specified in /DB before analyzing or configuring (with /export, it is the output file instead).
* /validate <filename> checks the syntax of a security template.
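The following script is an added example, not text from the original page, showing the SECEDIT qualifiers above driven from PowerShell (it works the same from a batch file). The C:\SecTest paths are placeholders, securews.inf is in its default Windows XP location, and the assumption that the analysis log flags differences with the word "Mismatch" is mine; /log, /quiet and /areas are real SECEDIT switches not listed above.

```powershell
# Added example: validate, analyze, export and (optionally) apply a template with SECEDIT.
# Assumptions: C:\SecTest is a scratch folder you own; the "Mismatch" log wording is assumed.
$Template = "$env:SystemRoot\security\templates\securews.inf"
$Db       = 'C:\SecTest\securews.sdb'
$Log      = 'C:\SecTest\securews-analyze.log'
New-Item -ItemType Directory -Path (Split-Path $Db) -Force | Out-Null

# 1. Check the template's syntax before loading it anywhere.
secedit /validate $Template
if ($LASTEXITCODE -ne 0) { throw "Template failed validation: $Template" }

# 2. Import the template into the database and compare the live system to it.
#    This changes nothing on the PC; the results go to $Log.
secedit /analyze /db $Db /cfg $Template /log $Log /quiet
if ($LASTEXITCODE -ne 0) { throw "Analysis failed; see $Log" }

# 3. Summarise the settings that differ from the template.
$mismatches = Select-String -Path $Log -Pattern 'Mismatch'
'{0} setting(s) differ from {1}' -f $mismatches.Count, (Split-Path -Leaf $Template)
$mismatches | ForEach-Object { $_.Line.Trim() }

# 4. Only after reviewing step 3: apply the stored configuration to this PC.
#    Uncomment to run; this DOES change local security settings.
# secedit /configure /db $Db /cfg $Template /log 'C:\SecTest\configure.log' /quiet

# 5. Export what the database now holds to an INF, e.g. to archive or reuse on another PC.
secedit /export /db $Db /cfg 'C:\SecTest\securews-export.inf' /log 'C:\SecTest\export.log'
```

Run it from an administrative account; /configure and /export both need rights that a limited user lacks. Keep the analysis and configuration steps separate in scripts, as above, so that a logon script never applies a template nobody has reviewed.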
Auditing Object Access
Object access auditing means that Windows XP can monitor accesses (both successful and unsuccessful) to files, folders, the Registry, and printers, and record those accesses in the Security event log (which you can view with the Event Viewer snap-in to the Computer Management console). The details that Windows XP records include the action performed, who performed it, when it occurred, and whether it succeeded or failed.
If you're having some trouble with file corruption, file system performance, Registry errors, or potential cybervandalism, object access auditing may help you figure out who's trying to gain access to what. (For logon auditing, please see Chapter 10's section entitled 'Auditing User Activities.')
Activating object access auditing
Auditing is off by default on a stand-alone Windows XP Professional PC because of its system overhead. To activate object access auditing on your PC, open the Local Security Policy console (it's in the Administrative Tools folder of Control Panel). In the left pane, under Local Policies, click Audit Policy. All the various categories that you can audit appear in the right pane. Double-click Audit Object Access (or, alternatively, single-click it and choose Properties from the Action menu) and choose whether you want to track successful events, unsuccessful ones, or both. (Careful here - file system reads occur frequently, and auditing successful reads on busy folders can easily swamp the event log, creating both disk space and performance problems for your system.) The change takes effect at the next policy refresh; run GPUPDATE or restart the machine if you want to be sure it has been applied.
Remember Auditing successful actions is a good way to do some capacity planning and performance analysis. Auditing failed actions is a good way to zero in on potential security problems.
Choosing what to audit
Activating object auditing simply turns the feature 'on' - you must tell Windows XP which specific objects you want it to audit.
Instant Answer Use Windows Explorer to identify files and folders to audit. Use REGEDIT to identify Registry keys to audit.
File and folder auditing
On an NTFS volume, Windows XP can audit access to files and folders. To tell Windows XP which ones to track, open Windows Explorer (for example, by right-clicking My Computer and choosing Explore), right-click the file or folder to audit, and choose Properties. Then, click the Security tab and the Advanced button. Finally, click the Auditing tab to display a dialog box that looks like the one in Figure 11-10. (On Windows XP Professional, the Security tab appears only when Simple File Sharing is turned off in Folder Options, or when the PC is joined to a domain; FAT volumes have no Security tab at all.)
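To show the two halves of this procedure (turning the Audit Object Access category on, then picking the objects to watch) as a script rather than a sequence of dialog boxes, here is an added example that is not part of the original text. It writes a minimal security template that sets the audit policy, applies it with SECEDIT, and then puts an audit entry (a SACL) on one folder with the .NET FileSystemAuditRule class. The folder C:\SecTest\Payroll and the identity BUILTIN\Users are placeholders.

```powershell
# Added example: enable object access auditing and audit one folder. Run as an administrator
# (changing a SACL needs the "Manage auditing and security log" right). Paths are placeholders.
New-Item -ItemType Directory -Path 'C:\SecTest' -Force | Out-Null
$Inf = 'C:\SecTest\audit-object-access.inf'
$Db  = 'C:\SecTest\audit.sdb'

# --- Activate: Audit Object Access. [Event Audit] values: 0 none, 1 success, 2 failure, 3 both.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditObjectAccess = 3
'@ | Set-Content -Path $Inf -Encoding Unicode

secedit /validate $Inf
if ($LASTEXITCODE -ne 0) { throw "Template failed validation: $Inf" }
# /areas SECURITYPOLICY limits the change to audit/account policy; nothing else is touched.
secedit /configure /db $Db /cfg $Inf /areas SECURITYPOLICY /log 'C:\SecTest\audit.log' /quiet
if ($LASTEXITCODE -ne 0) { throw 'Applying the audit policy failed; see C:\SecTest\audit.log' }

# --- Choose what to audit: one folder, write-type operations only, so reads never flood the log.
$Folder = 'C:\SecTest\Payroll'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl  = Get-Acl -Path $Folder -Audit          # -Audit fetches the SACL, not just the DACL
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'BUILTIN\Users',
    [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',   # subfolders and files
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# --- Verify: list the audit entries now on the folder.
(Get-Acl -Path $Folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Once both halves are in place, a delete or permission change under C:\SecTest\Payroll by any member of Users produces Object Access events (event ID 560, Object Open, on Windows XP) in the Security log, which you can read in Event Viewer. Setting the policy alone, or the SACL alone, produces nothing, which is the point made in the next section.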
Figure 11-10: Set auditing on an NTFS folder.
Note the two check boxes at the bottom of the Auditing dialog box:
* Inherit from parent the auditing entries that apply to child objects. Auditing entries propagate downward in the file structure by default: an entry defined on a folder (with an Apply onto scope that includes subfolders and files) is inherited by the objects beneath it, so enabling auditing on a folder effectively enables it for all subfolders contained therein. This check box controls whether the selected folder accepts such entries from its parent; clearing it stops the parent's inherited entries from applying to this folder (Windows then asks whether to copy them as explicit entries or remove them).