Checklist: Automate security administration for standalone PCs

In a workgroup environment, you may use security templates, Local Group Policy, the Security Configuration and Analysis tool and the secedit command to automate security for a single computer or many computers. This checklist explains how to use the Security Templates and Security Configuration and Analysis snap-ins to automate security configuration and refresh one computer at a time. The next checklist will provide secedit steps to help you automate security for multiple Windows systems. (These tools are available for Windows 2000, Windows XP Professional and Windows Server 2003.)

You may download a printer-friendly version.

Checklist: Automate security administration for standalone computers

Step 1: Load the Security Templates snap-in in a Microsoft Management Console (MMC)

To open the MMC, click the Start button, then Run, enter MMC and click OK. Next, from the File menu, select "Add/Remove snap-in", then click Add and select Security Templates

from the list. Click Add, then Close and then click OK to open the snap-in in the MMC.

Step 2: Study security settings to understand what they can do

The Security Templates snap-in provides a number of templates, each with its own security settings. Each template includes security setting configuration details, including

password length, disabled services, event log management and set security for files and registry keys. Spend some time reviewing these options. To understand their meanings,

download Microsoft's Threats and Countermeasures, which talks about settings in the Windows server/domain arena. Most of the same settings are available for configuring

security on a standalone computer.

Step 3: Determine which settings should be enabled to fulfill your small business security policy

There are many security templates, each with different security settings. Which one is right for you? There is no easy answer. Security should be managed, but the correct choices for

one company are not necessarily the correct choices for another. The templates are only meant as samples. You must determine what is best for your organization and create

a template that fulfills that policy.

Step 4: Create your own custom security template and back it up

Once you know the level of security you wish to apply, create your own template and make sure the settings reflect your decisions. To create a template, go to the Security Templates

console you created, right click one of the existing templates and select "Save as". Then enter a name for your template and click "Save". It will be saved to the

<system root >\security\templates folder by default. Your template should appear in the console. Open the template and change the settings to those desired. Changing settings

does not apply the settings. You must complete step 5 and then 6 below in order to do so. To backup your template, save it again after configuring it, copy the file to a CD-ROM or

floppy disk and store in a safe place.

Step 5: Load the Security Configuration and Analysis snap-in

Using the MMC console you created for Security Templates, from the File menu, add the Security Configuration and Analysis snap-in. Use this tool to apply a Security Template.

Step 6: Apply your security template to configure security for the computer

Right click the Security Configuration and Analysis node and select Open Database. Enter a name for the database and then click OK. Select your security template and then click Open.

This step adds your template to the database. The computer's security configuration is not changed by this step.

Right click on Security Configuration and Analysis and select "Configure computer now". The settings in the Security Template will be applied to the computer.

You can copy your template to another computer and use step 5 and 6 to load and apply the template. Make sure you use a template created on Windows XP to update Windows XP,

and one created on Windows 2000 to update Windows 2000, and so on. You can also use Security Configuration and Analysis to determine if security settings have been changed.

To do so, use the "analyze" command instead of the "configure" step. To automatically apply security, you'll need to use the secedit command -- the topic of our next checklist.

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure.
E-mail the editor to suggest additional checklist topics.

ABOUT THE AUTHOR:   Go back to Checklists

Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker. Click to ask Roberta a question or purchase her book here. Also, if you have specific questions or comments about any of Roberta's checklists, click to e-mail the editor. Copyright 2004

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Windows XP security issues, updates and alerts Strategies for troubleshooting Windows XP errors Managing single sign-on security burdens in Windows A Windows security checklist for IT managers Unauthenticated vs. authenticated security testing Enhancing patch management with NAP Why Windows Vista is superior to XP How to exploit two common Windows vulnerabilities Windows security in the enterprise: Tutorials Windows security testing: Five tips for the summer Identity and Access Management Security School Securing Windows legacy operating systems Run legacy applications with Windows Vista security How to Bypass BIOS Passwords Security concerns of unattended, automatic installations How 'limited' malcode pulled off the year's biggest attack Taking over the domain How to get an attacker out of your network Checklists: Harden access control settings Freeware tool for password tracking and storage Manual vs. automated patch tracking Protect desktop files and folders from inside snoops RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary drive-by download  (SearchEnterpriseDesktop.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.