Applying security templates

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

1) In Windows 2000, there are 2 ways to apply a security template --
use the Security Configuration and Analysis snap-in or use the
secedit.exe command. Does anyone know if these 2 tools use the same
code to apply a template? Basically what I want to know is this: if
some bugs exist in the Security Configuration and Analysis tool for
applying templates, will those same bugs be present in the secedit.exe
command (or vice versa)?

2) There is a template called "setup security.inf" that Windows 2000
uses to apply the default security settings during installation. How
exactly does Windows 2000 apply the "setup security.inf" template
during installation? Does it call secedit.exe or does it use some
other mechanism?
 
1) In Windows 2000, there are 2 ways to apply a security template --
use the Security Configuration and Analysis snap-in or use the
secedit.exe command. Does anyone know if these 2 tools use the same
code to apply a template? Basically what I want to know is this: if
some bugs exist in the Security Configuration and Analysis tool for
applying templates, will those same bugs be present in the secedit.exe
command (or vice versa)?
Click to expand...

I have not examined the code for this, but I would be very
surprised if these two are not using the same underneith.
2) There is a template called "setup security.inf" that Windows 2000
uses to apply the default security settings during installation. How
exactly does Windows 2000 apply the "setup security.inf" template
during installation? Does it call secedit.exe or does it use some
other mechanism?
Click to expand...

Well, setup security.inf as I understand it is not really so much
a template that is applied during setup as it is a log recording
what was done during setup.
 
I have not examined the code for this, but I would be very
surprised if these two are not using the same underneith.


Well, setup security.inf as I understand it is not really so much
a template that is applied during setup as it is a log recording
what was done during setup.
Click to expand...

You're right... I found this good article that talks about that (and
also how the setup security.inf file doesn't contain all of the
default settings):

http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/

That article also says that the defltwk.inf template is applied to
workstations during installation. Do you have any idea if Windows
2000 calls secedit.exe to apply that template or if it uses a
different mechanism?

Another question I have is this: Registry keys seem pretty similar to
files/folders in terms of the permission settings that can be applied
to them. Do you know if the Security Configuration and Analysis and
Secedit.exe tools use the same code to apply permissions to registry
keys that they use to apply permissions to files/folders? I ask that
question because I want to know if there is a bug with applying
permissions to files/folders, will the same bug exist with applying
permissions to registry keys (or vice versa)?
 
You're right... I found this good article that talks about that (and
also how the setup security.inf file doesn't contain all of the
default settings):

http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/

That article also says that the defltwk.inf template is applied to
workstations during installation. Do you have any idea if Windows
2000 calls secedit.exe to apply that template or if it uses a
different mechanism?
Click to expand...

No, I have no idea what W2k did in this regard.
Another question I have is this: Registry keys seem pretty similar to
files/folders in terms of the permission settings that can be applied
to them. Do you know if the Security Configuration and Analysis and
Secedit.exe tools use the same code to apply permissions to registry
keys that they use to apply permissions to files/folders? I ask that
question because I want to know if there is a bug with applying
permissions to files/folders, will the same bug exist with applying
permissions to registry keys (or vice versa)?
Click to expand...

I can only guess. The APIs used to manipulate reg entry ACLs
are separate from those used to manipulate NTFS ACLs. At the
point in time when that code was written one obtained the SD
(security descriptor) picked up the ACL and walked it to make
ACE changes, and I do not recall seeing in that timeframe any
generic public API to which one would feed an ACL and info
on what ACE add/remove/alter.
From that I would guess that the two use pretty separate code
paths, or where/if they converge that common part is pretty
error free (we would be in deep water otherwise, right?).

Roger
 
Back
Top