
Changes to Default Settings Make Windows Server 2003 More Secure (Part 2)
By Deb Shinder with permission from WindowSecurity.com


Easily Reapply Security Defaults
A new feature in Server 2003 security lets you easily reapply the default security settings if you’ve made changes. There are two ways to do this:

  • With the graphical interface
  • At the command line

To reapply the settings with the GUI, use the Security Configuration and Analysis tool (create a custom MMC and add the Security Configuration and Analysis snap-in). Log on with the appropriate administrative privileges: local administrator to reapply default settings to the local computer, or domain or enterprise admin privileges to reapply settings to a domain computer. You must import the appropriate template (the DC security template for domain controllers or the setup security template for non-domain controllers), then do the following:

  • Check the Clear this database before importing checkbox.
  • Click Open.
  • Right click Security Configuration and Analysis in the console tree and select Configure Computer Now.
  • Specify a file path for the error log or accept the default path.
  • Click OK to perform the configuration.

You can also use the secedit command to reapply default settings for specific areas instead of applying the entire setup security template.

NOTE: For more information about how to use the command line to reapply settings, see secedit /configure in the Windows Server 2003 Help files.
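
As an added example (not part of the original article), the batch script below shows one way to reapply defaults for selected areas with secedit: it analyzes first so the differences can be reviewed in the log, then configures. The template folder and file names are assumed to be the stock Server 2003 ones, and the database and log paths are placeholders.

```batch
@echo off
rem Added example (not from the article): reapply Server 2003 default security
rem settings with secedit, optionally limited to specific areas.
rem Usage:  reapply-defaults.cmd [dc] ["AREA1 AREA2"]
rem Areas:  SECURITYPOLICY GROUP_MGMT USER_RIGHTS REGKEYS FILESTORE SERVICES
setlocal

rem Assumption: stock template folder and file names on Windows Server 2003.
set "TPL_DIR=%SystemRoot%\security\templates"
set "TPL=%TPL_DIR%\setup security.inf"
if /i "%~1"=="dc" set "TPL=%TPL_DIR%\DC security.inf"
if not exist "%TPL%" (
    echo Template not found: "%TPL%"
    exit /b 1
)

rem Scratch database and log; these names are placeholders for this example.
set "DB=%TEMP%\reapply-defaults.sdb"
set "LOG=%TEMP%\reapply-defaults.log"

rem With no areas given, secedit applies every area defined in the template.
set "AREAS=%~2"
set "AREAOPT="
if defined AREAS set "AREAOPT=/areas %AREAS%"

rem Step 1: analyze only. The log lists settings that differ from the defaults.
secedit /analyze /db "%DB%" /cfg "%TPL%" /overwrite /log "%LOG%" /quiet
if errorlevel 1 echo Analysis reported problems; review "%LOG%".
echo Review "%LOG%" before continuing.
set "GO="
set /p "GO=Apply the defaults now? (y/N) "
if /i not "%GO%"=="y" exit /b 0

rem Step 2: configure. /overwrite empties the database before the import,
rem the command-line equivalent of "Clear this database before importing".
secedit /configure /db "%DB%" /cfg "%TPL%" /overwrite %AREAOPT% /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit returned a non-zero exit code; review "%LOG%".
    exit /b 1
)
echo Defaults reapplied from "%TPL%". Log: "%LOG%"
endlocal
```

Run it from an administrative command prompt; passing `dc` as the first argument selects the domain controller template.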

Are the Defaults Still Not Locked Down Enough?
Proponents of a strict “principle of least privilege” security philosophy are pleased that Microsoft has taken steps to provide a more locked down environment out of the box for Windows Server 2003, but argue that the company hasn’t gone far enough. The question is, as always: how much accessibility are users and administrators willing to trade for more security?

In my previous career, I was a police academy trainer and taught defensive tactics to young recruits. A question that always came up with rookie police officers was that of the “security holster” – these were designed to make it more difficult for a bad guy to take away the police officer’s gun. The only problem was that, with many of these high security holsters, we found in firearms training exercises that the officer him/herself wasn’t able to draw the weapon when it was needed – yes, Virginia, maybe there is such a thing as too much security.

Similarly, we’re already hearing complaints from web administrators about IIS 6.0 – so many features are “turned off” by default that the functionality of the application is impaired. At the academy, we advised those who chose to use high security holsters that the price they had to pay was much more practice to learn to use them. The same holds true for new high security operating systems and applications: the learning curve is going to be greater. This is not necessarily a bad thing, but it’s important that this tradeoff be understood upfront. Security comes with a price, and that price is accessibility. In today’s dangerous world (both online and off), it is often an acceptable price.

Summary
Windows Server 2003 includes many new security features, and one of them is a set of default settings that provide tighter security (and less accessibility) than in previous versions of Windows. In this two-part article, we took a look at how the new default settings make Windows Server 2003 the most secure Microsoft server operating system yet.

About Deb Shinder
Debra LittleJohn Shinder (MCSE) is a technology consultant, trainer and writer who has written a number of books on networking, including Computer Networking Essentials, published by Cisco Press, and Scene of the Cybercrime, published by Syngress Media. She is co-author, with her husband Dr. Thomas Shinder, of Troubleshooting Windows 2000 TCP/IP and the best-selling Configuring ISA Server 2000, both published by Syngress Media, as well as the new ISA Server and Beyond. Deb tech edited Syngress’s Security + Study Guide and was a major contributor to Que’s TruSecure ICSA Certified Security Associate exam guide. Deb lives and works in the Dallas-Ft Worth area and can be contacted at deb@shinder.net or via the website at www.shinder.net.


©2009 About.com, a part of The New York Times Company.

All rights reserved.