Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
Windows Vista

Securing the Workstation : Applying the Castle Defense System (part 2) - Hardening the system - Local Security Policy and security configurations

7/11/2013 6:11:21 PM

3. Layer 3: Hardening the system

Layer 3 is where you can begin to rely on Vista's features to protect your systems. On this layer, you have access to several different methods for system protection. Vista does a great job of limiting attack surfaces, but you still need to apply additional protection configurations. At this layer, you need to work with the following Vista features:

  • Local Security Policy and Security Configurations

  • BitLocker Full Drive Encryption

  • User Account Control

  • USB Device Control

  • Windows Defender

  • Automatic Update Management

  • Wireless and Wired Network Configurations

Each of these items is part of the configuration of this layer. Of course, you also need to keep in mind your staging practices for the PC itself.

3.1 Local Security Policy and security configurations

One very good example of a system type where you would use multiple LSPs is the kiosk PC. This PC needs to be locked down when normal users work with it. Therefore, you apply the three LSPs in the following manner:

  1. Apply the LSP at the computer level to completely lock down the system. This LSP will apply to the public when they work with the kiosk PC.

  2. Apply the second LSP to users who are nonadministrators, but have an account in your network. These users may have a less restricted environment.

  3. Apply the final LSP to administrators, letting them modify settings and update the configuration of the PC.

In addition, you should apply GPOs to the system by using the Loopback feature to ensure that no matter who logs on, the system's settings will always reset to a locked-down environment after it is put back to public usage.

You can of course export and import individual settings from an LSP to another. But when you create a comprehensive configuration for a system and you want to apply this configuration to every system of this type as soon as it is built, you must go beyond the LSP. For this reason, Vista includes the ability to create Security Templates and apply these templates to any system through the Security Configuration and Analysis tool. Both tools are snap-ins that are assigned to custom Microsoft Management Consoles. To work with these tools, you must create your own console because one does not exist by default. 

To create your custom console, follow these steps:

  1. Choose Start Menu => Search to type mmc and press Enter.

  2. Accept the UAC prompt. Doing this opens a blank MMC console.

  3. Choose File => Add/Remove Snap-in, scroll down the list to the left, select Security Configuration and Analysis (SCA), and click Add. Repeat for the Security Templates snap-in. The two snap-ins should be listed in the selected snap-ins column as shown in Figure 1.

  4. Click OK. You should now have a new console with two items contained within it. Save the console.

  5. Choose File => Save and save it under your Documents folder (this will make it easier to find later on). Name it Security Console.

Figure 1. Adding the security snap-ins

Now you're ready to begin working with your security console. Security templates can include several settings from the LSP:

  • Account Policies

  • Local Policies

  • Event Log

  • Restricted Groups

  • System Services

  • Registry

  • File System

Each of these lets you configure how the elements it controls will be configured on the local system. Also, remember that when you apply an LSP, it will be overridden by the settings found in Group Policy because of the GPO application order. Therefore, you can use security templates in two different situations:

  • You can use templates to apply settings to standalone computers — computers that will not be part of a domain and will not receive GPO settings that may override the local settings.

  • You can use templates to apply settings that would not normally be applied by a GPO. This way, there are no conflicting settings, and the settings you apply locally will always remain the same.

The most common application of security templates, especially in a Vista environment, is the second one. And, as funny as it sounds, most often, administrators do not use the template to apply additional security, but rather to loosen security settings. That's because Vista has a very tight configuration by default. Windows Resource Protection (WRP), the system that protects core system files and registry keys, does a great job of locking down the system. But this great job often has a negative impact on legacy applications, applications that have not been designed for Vista and must write in some protected areas of the system.

Therefore, what you need to do is identify which files and registry keys an application needs access to and change its security settings. The best way to do this is to use two utilities FileMon and RegMon. FileMon scans the file system and captures any files that are accessed by the application during operation. RegMon does the same for registry keys. Basically, you run both tools, run the application, and perform as many operations with the application as possible. You capture the affected files and registry keys by outputting them from the two utilities. Once armed with the files and registry keys to change, you use your security console to generate a template that will modify the files and registry keys appropriately for the application to run with standard user rights. The resulting template you create can then be delivered and applied each time you install the application on a system, guaranteeing that the application will run on a locked-down Vista system.


FileMon and RegMon are both from Microsoft and can be found at www.microsoft.com/technet/sysinternals/utilities/filemon.mspx and www.microsoft.com/technet/sysinternals/utilities/regmon.mspx. Microsoft has also released a new tool called Process Monitor which integrates the functionality of FileMon and RegMon. You can use Process Monitor if you prefer to perform the same task. Find Process Monitor at www.microsoft.com/technet/sysinternals/Utilities/processmonitor.mspx.

You can also rely on templates provided by other organizations to tighten security on your systems. For example, the Vista Security Guide includes templates and GPOs for additional security. But Microsoft is not the only source of templates. The National Security Agency (NSA) and the Center for Internet Security (CIS) also offer templates that help you secure systems. You can download and use these templates to secure your own systems. Finally, you can also obtain security templates from third-party vendors.


Obtain NSA templates from www.nsa.gov/snac/ and CIS templates from www.cisecurity.org.

What's really nice is that the Security Configuration and Analysis snap-in lets you run these templates in analysis mode so that you can simply view what settings would be changed, letting you understand the content of the templates before adding them.

Whether you want to tighten or loosen security settings, the operations will be the same. Do the following:

  1. Return to your security console. Expand the Security Templates section until you see the search path. Templates are automatically loaded into this console when they are found. By default this search path is %UserProfile%\Documents\Security\Templates. If you obtain new templates from an external source, place them in this folder to automatically view their contents. You can change this folder location by selecting New Template Search Path from the context menu of the Security Templates item.

  2. If you don't have a third-party template, select New Template by right-clicking on the Search Path. Name the template and give it a description and click OK.

  3. To ensure that your settings will not be modified by Group Policy, restrict your own changes to the Registry and the File System items. To modify either, first expand the template, then right-click on the item and select Add Key for registry settings or Add File for files. After the file or setting is selected, a security dialog box appears.

  4. Apply appropriate settings and click OK.

  5. As shown in Figure 2, you now need to decide if you want to Propagate inheritable permissions, Replace permissions or Block permission replacement on this object. Click OK when done.

  6. Repeat for each of the files or registry settings you want to change.

  7. Save the changes to the template by right-clicking the template name and selecting Save.

There it is. Your first template is created. Now you use the Security Configuration and Analysis tool or its command line equivalent to apply it or you can apply it to a GPO and assign it appropriately.

Figure 2. Applying Propagation Settings to objects

  1. Use the Security Configuration Analyzer (SCA) to analyze your computer and compare its settings to those in the template. Click on the SCA to change the focus of the console and then right-click SCA and select Open database.

  2. Find a database if one exists or type in a new database name; then click OK. Like the templates, the databases are stored in %UserProfile%\Documents\Security\Databases.

  3. Now select the template you want to test and click OK. The Details pane now displays the next steps, as shown in Figure 3.

    Figure 3. Preparing to analyze a computer
  4. To analyze your computer, right-click SCA and choose Analyze Computer Now. Doing this opens a dialog box requesting the location of the log file for the analysis.

  5. Type in the name and click OK.

  6. The analysis is performed. To view differences between the template and the system, move to the setting you wish to view in the Tree pane. Differences will be displayed in the Details pane. Items that are changed include a small question mark on their icon.

  7. If you want to update the database setting by using a setting originating from the computer, double-click it and select Define this policy in the database; modify the setting and click OK.

  8. Choose Save from the SCA context menu to save your changes.

  9. Select Configure Computer Now from the SCA context menu. Identify the log file and click OK. Doing this applies the changes and saves the database when done.

  10. If you want to create a template from a preconfigured computer, then repeat the steps to generate the database, name a new template, analyze the computer, and then select Export Template from the SCA context menu.

Preconfiguring a system and then capturing the template from it may be easier than generating a template manually and doing the reverse. You can also analyze and configure computers from the command line. Use the following command to configure computers automatically:

secedit /configure /db filename.sdb /log filename.log

Make sure that you create these templates and then use the secedit command to apply them at computer setup. You can use the Runonce command to automatically apply your security templates after the system reboots the first time once Vista is installed.

Other -----------------
- Participating in Internet Newsgroups : Setting News Options - Options for Newsgroups and Messages, Options for Individual Newsgroups
- Participating in Internet Newsgroups : Filtering Newsgroup Messages, Rating Posts
- Participating in Internet Newsgroups : Notes on Working with Newsgroup Messages, Following Up a Message, Posting a New Message
- Participating in Internet Newsgroups : Downloading Messages
- Configuring Startup and Troubleshooting Startup Issues : Understanding the Startup Process (part 3) - Kernel Loading Phase
- Configuring Startup and Troubleshooting Startup Issues : Understanding the Startup Process (part 2) - Windows Boot Manager Phase
- Configuring Startup and Troubleshooting Startup Issues : Understanding the Startup Process (part 1) - Power-on Self Test Phase, Initial Startup Phase
- Participating in Internet Newsgroups : Setting Up a News Account, Working with Newsgroups in Windows Mail
- Participating in Internet Newsgroups : Some Usenet Basics
- Configuring Startup and Troubleshooting Startup Issues : What’s New with Windows Vista Startup
- Managing Client Protection : Microsoft Forefront Client Security
- Managing Client Protection : Using Windows Defender (part 2)
- Managing Client Protection : Using Windows Defender (part 1)
- Securing the Workstation : Beginning with Basic Security
- Managing Client Protection : User Account Control (part 4) - How to Configure User Account Control
- Managing Client Protection : User Account Control (part 3) - UAC Virtualization, UAC and Startup Programs, Compatibility Problems with UAC
- Managing Client Protection : User Account Control (part 2) - UAC User Interface, How Windows Vista Determines Whether an Application Needs Administrative Privileges
- Managing Client Protection : User Account Control (part 1) - UAC for Standard Users, UAC for Administrators
- Maintaining Desktop Health : Using Task Scheduler (part 5) - Scheduled Tasks Events, Troubleshooting Task Scheduler
- Maintaining Desktop Health : Using Task Scheduler (part 4) - Managing Tasks
Most view of day
- Microsoft Dynamics GP 2010 : Preventing Errors in Dynamics GP - Ensuring proper year-end closing by checking Posting Types
- Sharepoint 2013 : Expanding My Tasks settings
- System Center Configuration Manager 2007 : Desired Configuration Management - Configurations
- Microsoft Visio 2010 : Creating and Using Shape Data Fields (part 5) - Shape Data Labels versus Names
- SharePoint 2010 : Configuring Search Settings and the User Interface - Web Parts (part 2)
- Developing with SharePoint 2010 (part 4) - Developer Toolbar
- Windows Server 2008 R2 file and print services : Administering Distributed File System Services (part 2) - Configuring and administering DFS Replication
- Games and Windows 7 : Using the Games Explorer (part 3) - Rating Your System's Performance
- Designing and Configuring Unified Messaging in Exchange Server 2007 : Unified Messaging Shell Commands
- Local Continuous Replications in Exchange Server 2007
Top 10
- Windows Phone 8 : Scheduled Tasks - Scheduled Task API Limitations
- Windows Phone 8 : Scheduled Tasks - Updating Tiles Using a Scheduled Task Agent
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 5) - Editing an Existing To-Do Item
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 4) - Creating the To-Do Item Shell Tile, Saving a To-Do Item
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 3) - Debugging Scheduled Tasks
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 2) - TodoService, TodoItemViewModel
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 1) - TodoItem,TodoDataContext
- Windows Phone 8 : Scheduled Tasks - Using Scheduled Tasks
- Windows Phone 8 : Scheduled Tasks - Background Agent Types
- Windows Phone 8 : Windows Phone Toolkit Animated Page Transitions - Reusing the Transition Attached Properties
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro