Server Security Is A Snap-in

Microsoft's habit is to release not only bug fixes in Service Packs, but new features as well. Service Pack 4 is no exception, addressing known security issues while adding a new feature called the Security Configuration Manager (SCM).

SCM provides a single location to store all security-related settings for NT.Currently, to edit these settings, you need a variety of tools: User Manager for useraccounts and groups; Server Manager for shares; and Explorer for individual filepermissions. The SCM consolidates many settings onto a single set of screens, simplifyinga complex procedure.

SCM requires Internet Explorer 4.0 Service Pack 1 because it uses HTML. It's a snap-infor the Microsoft Management Console (MMC), Microsoft's extensible system managementinterface introduced in the NT Option Pack. MMC relies on snap-ins to add managementfunctionality.

Get used to the MMC. It's the primary management interface for NT 2000. Since itsupports third-party snap-ins, you'll be seeing more and more of it.

SCM follows the standard MMC scheme. By default, the scope pane contains two objects:Database and Configurations. The Database container shows the security configuration fileand settings currently in use. The Configurations container lists ten Microsoft-suppliedsecurity configurations and stores any new configurations.

Configurations are the real power of the SCM. You can create and save a configurationwith preferred network settings in the SCM. As you deploy new systems, use the SCM commandline version, secedit.exe, to apply the settings.

Configuration settings are organized into seven categories: Account Policies, LocalPolicies, Event Log, Restricted Groups, System Services, Registry and File System.Although this covers a lot, it helps to review them all in a single place.

The ten Microsoft-provided configuration templates are designed for machines playingvarious roles. For instance, domain controllers and workstations, with both basic and highsecurity settings. It can be very instructive to review the differences between some ofthe configurations such as password policies on domain controllers configured for high orbasic security.

The only setting on the basic configuration is password expiration in 42 days. In thehigh security version, minimum password length, password history and complexity are allenforced.

SCM features an analysis tool that compares the security settings you configure withthe actual settings for the machine. This analysis can be run from the MMC or from thecommand line. Using the command line, the analysis takes place at bootup; and the resultscan be e-mailed.

I like SCM, but there's room for improvement. Not every setting that can be configuredis checked. TCP/IP filters can't be set and it won't check BIOS passwords or locked outdiskettes. The analysis tool marks each setting not in compliance, but doesn't consolidateall the out of compliance setting on a single screen. You have to go through each screenlooking for problems.

Service Pack 4 is available at The SCM is an option anddoes not install automatically. It can be ftp'ed from

winnt-public/tools/SCM.            Ryan Maley


*The Security Configuration Manager in Service Pack 4 displays problems with thesecurity settings for a 2000 Server.