What Is Security Settings Extension?
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this section
Security Settings Extension Overview
Securing Distributed Systems
Security settings policies are rules that administrators configure on a computer or multiple computers for the purpose of protecting resources on a computer or network. The Security Settings extension of the Group Policy Object Editor snap-in allows you to define security configurations as part of a Group Policy object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and enable administrators to manage security settings for multiple computers from any computer joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients and other resources in your organization.
Security settings can control:
User authentication to a network or computer.
The resources that users are permitted to access.
Whether to record a user’s or group’s actions in the Event log.
Membership in a group.
Security Settings Extension Overview
Administrators can use the Security Settings extension to specify the security configuration of a Group Policy object. This in turn affects all the computers in the Active Directory container to which the Group Policy object is linked. All security policies are computer-based policies.
To manage security configurations for multiple computers, you can use one of the following options:
Edit specific security settings in a GPO.
Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template to a Group Policy object. A security template is a file that represents a security configuration, and can be imported to a GPO, or applied to a local computer, or can be used to analyze security.
The Security Settings extension of Group Policy Object Editor includes the following types of security policies:
Accounts Policies. These policies are defined on computers; they affect how user accounts can interact with the computer or domain. Accounts policies include the following types of policies:
Password Policy. These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts.
Account Lockout Policy. These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts.
Kerberos Policy. These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement.
Local Policies. These policies apply to a computer and include the following types of policy settings:
Audit Policy. Specifies whether to log security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both).
User Rights Assignment. Specifies the users or groups that have logon rights or privileges on a computer.
Security Options. Specifies security settings for the computer, such as Administrator and Guest account names, access to the floppy disk drive and CD-ROM drive, installation of drivers, logon prompts, and so on.
Event Log. Specifies settings for the application, security, and system logs.
Restricted Groups. Controls membership in a security-sensitive (restricted) group, and specifies the groups to which a restricted group should belong. Restricted Groups policy states that only the members that you have added can belong to that group.
System Services. Specifies startup options for system services and defines access permissions.
Registry. Specifies access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs)) for registry keys.
File System. Specifies access permissions and audit settings for file system objects.
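Each policy type above corresponds to one section of a security template, the .inf file that is imported into a GPO or applied locally. The following is a constructed example template added here (it is not a template shipped with Windows); the file paths, the "Example" registry key, and the secedit.exe command lines in its comments are assumptions.

```ini
; ws-baseline.inf: constructed example security template (added here, not a
; template shipped with Windows). Each [section] maps to one policy type above.
; Import it into a GPO, or apply and analyze it locally with secedit.exe (paths assumed):
;   secedit /analyze   /db C:\Secure\ws.sdb /cfg C:\Secure\ws-baseline.inf /log C:\Secure\ws.log
;   secedit /configure /db C:\Secure\ws.sdb /cfg C:\Secure\ws-baseline.inf /overwrite /log C:\Secure\ws.log
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
; Account Policies: Password Policy and Account Lockout Policy
[System Access]
MinimumPasswordLength = 12
PasswordHistorySize = 24
MaximumPasswordAge = 90
MinimumPasswordAge = 1
PasswordComplexity = 1
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
; Local Policies: Audit Policy (1 = success, 2 = failure, 3 = both)
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
; Local Policies: User Rights Assignment (S-1-5-32-546 = Guests, S-1-5-32-544 = Administrators)
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
SeShutdownPrivilege = *S-1-5-32-544
; Local Policies: Security Options (path=type,value; 4 = REG_DWORD, 1 = REG_SZ)
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
; Event Log: Security log size in KB
[Security Log]
MaximumLogSize = 81920
; Restricted Groups: Power Users (S-1-5-32-547) may have no members
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members =
; System Services: name,startup mode (2 auto, 3 manual, 4 disabled),SDDL
[Service General Setting]
Messenger,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
; Registry and File System: "path",mode (0 propagate, 1 replace, 2 ignore),SDDL
[Registry Keys]
"MACHINE\SOFTWARE\Example",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
[File Security]
"%SystemRoot%\repair",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
```

Running the /analyze command before /configure records the differences between the template and the computer's current settings in the database and log without changing anything.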
Securing Distributed Systems
Organizations are faced with the complex, costly, and time-consuming task of securing and managing network systems, and keeping their desktops and servers protected with up-to-date security updates.
Administrators' tasks include:
Keeping desktops and servers up-to-date with the latest security patches.
Ensuring that the corporate security policies are enforced across desktops and servers.
Monitoring systems for potential security compromises.
Organizations need efficient ways to maintain network security and manage updates, while reducing total costs for security management.
Policy-Based Security Settings Management
Windows Server 2003, Windows 2000, and Windows XP provide an integrated policy-based management infrastructure to help administrators manage and enforce their security policies.
Windows Server 2003 and Windows 2000, through Group Policy and Active Directory, enable IT administrators to define and apply security settings policies to users, groups, and network servers and clients. A group of servers with the same functionality can be created (for example, a Microsoft Internet Information Services (IIS) server), and then Group Policy objects can be used to apply common security settings to the group. If more servers are added to this group later, many of the common security settings are automatically applied, reducing deployment and administrative labor.
Using security settings policies simplifies and centralizes security configuration and management for computers running Windows Server 2003. Security policies can help reduce administrative tasks by automating some processes for applying security to servers. Computers running Windows Server 2003 that are members of a domain periodically access Active Directory; if they detect that a new policy exists or that an existing one has been changed, they automatically download the policy and apply it locally.
Common Scenarios for Using Security Settings Policies
Security Settings policies are used to manage the following aspects of security: accounts policy, local policy, user rights assignment, registry values, file and registry Access Control Lists (ACLs), and service startup modes.
As part of your security strategy, you can create GPOs with security settings policies configured specifically for the various computer roles in your organization, such as domain controllers, file servers, member servers, clients, and so on.
You can create an organizational unit (OU) structure that groups computers according to their roles. Using OUs is the best method for separating specific security requirements for the different computer roles in your network. This approach also allows you to apply customized security templates to each class of server or computer. After creating the security templates, you create a new Group Policy object (GPO) for each of the OUs, and then import the security template (.inf file) into the new GPO.
Importing a security template to a Group Policy object ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed every 90 minutes, and on a domain controller, this process occurs every 5 minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred.
By using Group Policy-based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future.
Dependencies on Other Operating System Components
For computers that are members of a Windows Server 2003 or Windows 2000 Server domain, Security Settings policies depend on the following components:
Active Directory.
The Windows-based directory service, Active Directory, stores information about objects on a network and makes this information available to administrators and users. By using Active Directory, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon.
Group Policy.
The infrastructure within Active Directory that enables directory-based configuration management of user and computer settings on computers running the Windows Server 2003, Windows 2000, and Windows XP Professional operating systems. By using Group Policy, you can define configurations for groups of users and computers, including policy settings for Windows Server 2003 registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security.
Domain Name System (DNS).
A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query the DNS to specify remote systems by fully qualified domain names rather than by IP addresses.
Winlogon.
A component of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a Graphical Identification and Authentication dynamic-link library (DLL), and any number of network providers.
Setup.
Security configuration interacts with the operating system setup process during a clean installation or upgrade of Windows Server 2003 or Windows 2000 Server.
Security Accounts Manager (SAM).
A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs.
Local Security Authority (LSA).
A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.
Windows Management Instrumentation (WMI).
A component of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers.
Resultant Set of Policy (RSoP).
An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply, or will apply, to a user or computer.
Service Control Manager (SCM).
Used for configuration of service startup modes and security.
Registry.
Used for configuration of registry values and security.
File system.
Used for configuration of security.
File system conversions.
Security is set when an administrator converts a file system from FAT to NTFS.
Microsoft Management Console (MMC).
The user interface for the Security Settings tool is an extension of the Group Policy Object Editor MMC snap-in.
Security Settings Policies and Group Policy
The Security Settings extension of Group Policy Object Editor is part of the Windows Server 2003 Security Configuration Manager tool set. The following components are associated with Security Settings: a configuration engine; an analysis engine; a template and database interface layer; setup integration logic; and the secedit.exe command-line tool. The security configuration engine runs on computers running Windows Server 2003, Windows 2000, and Windows XP and is responsible for handling security configuration editor-related security requests for the system on which it runs. The analysis engine analyzes system security for a given configuration and saves the result. The template and database interface layer handles reading and writing requests from and to the template or database (for internal storage). The Security Settings extension of Group Policy Object Editor handles Group Policy from a domain-based or local computer. The security configuration logic integrates with Windows Server 2003 and Windows 2000 setup and manages system security for a clean installation or upgrade of Windows Server 2003 and Windows 2000 systems. Security information is stored in templates (.inf files) or in the Secedit.sdb database.
The following figure shows Security Settings and related components, including:
Scesrv.dll. Provides the core security engine functionality.
Scecli.dll. Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP).
Wsecedit.dll. The Security Settings extension of Group Policy Object Editor. Scecli.dll is loaded into Wsecedit.dll to support the Security Settings user interface.
Gpedit.dll. The Group Policy Object Editor MMC snap-in.
Security Settings Policies and Related Components
The following resources contain additional information that is relevant to this section.