Appendix A: Security Tools and Formats
Published: December 31, 2003 | Updated: April 26, 2006
It can be a challenge to create, test, deploy, and manage a complete set of policies and templates for your organization. This appendix provides an overview of the available Microsoft tools and the file formats in which security policies are stored.
The following tools are available either with the Windows Server™ 2003 operating system or as free downloads from the Microsoft Web site.
Security Configuration Wizard
The Security Configuration Wizard (SCW) was introduced in Windows Server 2003 SP1. Unlike Group Policy, it is not integrated with the Active Directory® directory service, so it cannot by itself configure domain-level policy. What it does provide is a consistent, wizard-driven, role-based hardening methodology that makes it straightforward to build a restrictive policy for a given server role.
With SCW, you can quickly create prototype policies for multiple server roles that are based on current Microsoft guidance and best practices. SCW manages service startup settings, registry settings, Windows Firewall exceptions, and more. It can remotely profile target computers, deploy policies, and roll policies back. The command-line tool Scwcmd lets SCW and Group Policy be used together: it can apply or roll back an SCW policy on groups of computers, analyze whether computers comply with a policy, and transform an SCW policy into a GPO.
Security Configuration Editor
The Security Configuration Editor (SCE) tools are used to define security policy templates that can be applied to individual computers or to groups of computers through Active Directory Group Policy. The SCE first appeared as an add-on for Windows NT® 4.0 and has become an integral part of Group Policy.
The SCE is no longer a separate component and is used in the following Microsoft Management Console (MMC) snap-ins and administrative utilities:
Because all of these tools use the SCE, Windows administrators enjoy a consistent, powerful interface to create and edit policies whether they are intended for a stand-alone computer or will be deployed as a GPO.
You can find more information about SCE from Windows Help.
Active Directory Users and Computers
The MMC Active Directory Users and Computers snap-in provides the primary GUI for creating and managing organizational units (OUs) within the domain. You can link GPOs to sites, domains, and OUs, control policy order and inheritance, and launch the Group Policy Object Editor as a separate process to edit GPOs. However, the snap-in does not offer a consistent, integrated way to inventory, author, and manage your Group Policies.
You can find more information about the MMC Active Directory Users and Computers snap-in from Windows Help.
Group Policy Management Console
The Group Policy Management Console (GPMC) was produced by Microsoft in response to feedback from customers who needed a better way to control Group Policy in a large environment. The GPMC runs on Windows XP with SP1 or Windows Server 2003 and consists of an MMC snap-in and a set of scriptable interfaces that can be used to manage Group Policy. It can manage both Windows 2000 Server and Windows Server 2003 domains.
The GPMC provides:
The Group Policy Management Console with Service Pack 1 is available as a free download for all Windows Server 2003 customers at www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en.
Security File Formats
Security policies can be created and stored in a variety of formats. The following sections detail the common file formats that are used by Windows Server 2003:
SCW Policy (.xml)
SCW introduces a new file format that is based on XML. Native SCW policies are saved with an extension of .xml. These XML policy files have no published schema, but can be identified by their <SecurityPolicy Version="1.0"> root element.
The SCW policy file is actually a complete manifest of several different types of settings:
Also, SCW policies can be linked to one or more policy templates to provide additional functionality that is not native to SCW, such as system service or registry access control lists (ACLs).
Policy Template (.inf)
Policy templates are text files in the standard Windows .inf format: one or more sections, each introduced by a keyword enclosed in square brackets and followed by one or more attribute=value lines.
Policy templates can contain one or more sections that define the following types of data:
Policy templates are supported by almost all of the tools that are listed earlier in this appendix, and the same template format can be used for both local computer policies and Active Directory Group Policies. Before they can be used, the templates must be imported by the appropriate tool.
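The two file formats described above are simple enough to handle directly. The following Python script is an added example, not code from the original appendix or from Microsoft; it recognizes an SCW policy by its <SecurityPolicy Version="1.0"> root element, parses an .inf security template into its sections and attribute/value pairs, decodes the type,value encoding used in the [Registry Values] section, and checks a few settings against a small baseline. The sample template, the SCW XML stub, and the baseline thresholds are constructed for this example and are not taken from any real server.

```python
"""Identify and parse Windows Server 2003 security policy files (added example).

Formats handled:
  * SCW policy (.xml): recognised by its <SecurityPolicy Version="1.0"> root element.
  * Security template (.inf): [Section] headers followed by key=value lines.
The sample data and the baseline below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Registry value type codes as written in the [Registry Values] section (path=type,value).
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Constructed sample template, shaped like secedit output; the values are hypothetical.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Service General Setting]
"Telnet",4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

# Constructed SCW stub: only the root element matters for identification here.
SAMPLE_SCW_XML = '<?xml version="1.0" encoding="utf-8"?><SecurityPolicy Version="1.0"></SecurityPolicy>'


def read_policy_text(path):
    """Read a policy file, handling the UTF-16 encoding secedit uses for .inf templates."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def identify_policy_file(text):
    """Return 'scw-xml', 'inf-template' or 'unknown' for the given file contents."""
    stripped = text.lstrip()
    if stripped.startswith("<"):
        try:
            root = ET.fromstring(stripped)
        except ET.ParseError:
            return "unknown"
        if root.tag.split("}")[-1] == "SecurityPolicy" and root.get("Version") == "1.0":
            return "scw-xml"
        return "unknown"
    if re.match(r"\[[^\]]+\]", stripped):
        return "inf-template"
    return "unknown"


def parse_template(text):
    """Parse an .inf template into {section: [(key, value), ...]}, preserving order.

    Lines without '=' (for example the service ACL rows in [Service General Setting])
    are kept as (line, None) so that nothing is silently dropped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        m = re.match(r"\[([^\]]+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("attribute outside any [section]: %r" % line)
        key, sep, value = line.partition("=")
        sections[current].append((key.strip(), value.strip() if sep else None))
    return sections


def registry_values(sections):
    """Decode [Registry Values] entries: path=type,value -> {path: (type name, value)}."""
    out = {}
    for path, value in sections.get("Registry Values", []):
        if value is None:
            continue
        code, _, data = value.partition(",")
        out[path] = (REG_TYPES.get(int(code), "REG_TYPE_%s" % code), data.strip('"'))
    return out


# Hypothetical baseline for this example; a real one comes from your own hardening standard.
BASELINE = {
    ("System Access", "MinimumPasswordLength"): lambda v: int(v) >= 8,
    ("System Access", "LockoutBadCount"): lambda v: int(v) > 0,
}
RESTRICT_ANONYMOUS = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"


def check_template(sections):
    """Return human-readable findings for settings that miss the baseline."""
    findings = []
    for (section, key), ok in BASELINE.items():
        values = dict(sections.get(section, []))
        if key not in values:
            findings.append("%s\\%s not set" % (section, key))
        elif not ok(values[key]):
            findings.append("%s\\%s=%s fails baseline" % (section, key, values[key]))
    kind, data = registry_values(sections).get(RESTRICT_ANONYMOUS, (None, None))
    if kind != "REG_DWORD" or data == "0":
        findings.append("RestrictAnonymous is %s (expected REG_DWORD nonzero)" % (data,))
    return findings


if __name__ == "__main__":
    print("SCW stub identified as:", identify_policy_file(SAMPLE_SCW_XML))
    for finding in check_template(parse_template(SAMPLE_INF)):
        print("FINDING:", finding)
```

Run against a real template, use read_policy_text() so that the UTF-16 files written by secedit and the Security Templates snap-in decode correctly; the constructed sample produces three findings (password length, lockout threshold, and RestrictAnonymous).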
Group Policy Objects
GPOs are policy data that is stored both in Active Directory and as a collection of files under the SYSVOL share on domain controllers. These policy files represent computer policies and user policies and are not usually manipulated directly. You can use a tool such as the GPMC to modify the settings or export the GPO into a policy template.
You can export or back up a GPO from within GPMC to save all the information that is stored inside the GPO to the file system. GPO backups that are created in this way keep the following information:
However, this backup does not save any data that is external to the GPO. In particular, the backup will not contain link information for sites, domains, or OUs, and it will not contain the actual WMI filters or IP security policies that the GPO references; those must be recreated or relinked after a restore.