/log log_filename - specifies a file in which to log the status of the import process.
If not specified, the import-processing information is logged in the scesrv.log file,
which is located in the %windir%\security\logs directory.
/quiet - specifies that the import process should take place without prompting the
user for any confirmation.
Secedit /export - allows you to export security settings stored in the database. The syntax
of this command is:
secedit /export /db db_filename [tablename] /cfg cfg_filename [/areas
area1 area2...] [/log log_filename]
/db db_filename - specifies the database used to perform the security configuration.
/cfg cfg_filename - specifies a security template to export the database contents to.
tablename - specifies the table to export data from. If no argument is
specified, the configuration table data is exported.
/areas - specifies the security areas to export. If this parameter is not specified, all
security settings defined in the database are exported. To export specific areas,
separate each area by a space. The following security areas are exported:
SECURITYPOLICY - Account Policies, Audit Policies, Event Log Settings,
and Security Options
GROUP_MGMT - Restricted Group settings
USER_RIGHTS - User Rights Assignment
FILESTORE - File System permissions
SERVICES - System Service settings
/log log_filename - specifies a file in which to log the status of the export process. If
not specified, the export-processing information is logged in the scesrv.log file,
which is located in the %windir%\security\logs directory.
Secedit /generaterollback - allows you to generate a rollback template with respect to a
configuration template. The syntax of this command is:
secedit /generaterollback /cfg cfg_filename /rbk filename [/log log_filename]
/db db_filename - specifies the database used to perform the rollback.
/cfg cfg_filename - specifies a security template with respect to which a rollback
template is generated. Security templates are created using the Security Templates snap-in.
/rbk filename - specifies a security template into which the rollback information is
written. Security templates are created using the Security Templates snap-in.
/log log_filename - specifies a file in which to log the status of the rollback process.
If not specified, the rollback-processing information is logged in the Scesrv.log
file, which is located in the %windir%\security\logs directory.
/quiet - specifies that the rollback process should take place without prompting the
user for any confirmation.
In addition, secedit.exe can be used to apply a single node from a security template. Thus,
to reapply your preferred file permissions, you can use a single command line. To reapply
your preferred registry permissions, you can use another line. Put both commands in a
batch file or write a simple script, and you can reapply both file permissions and registry
permissions across multiple servers. You can also use the scheduling service (schtasks.exe)
to periodically refresh these settings without any replication burden. After testing the
statements, put both commands (or the combination line) in a batch file and test the batch
file. If the test is successful, use the task scheduler or schtasks.exe to schedule the
refresh. Table 9.1 provides an explanation of the most useful schtasks.exe command-line
switches; additional switches are available.
Table 9.1: The Switches for schtasks.exe
Switch   Description
/create  Create a task
/tn      The name of the new task
/tr      The name of the batch file or command to run
/sc      When to schedule the repetitive event (once, every n times a month, every month,
         every n times a day, at this time every day, and so on)
/d       Which day of the week; Monday is the default, so I could have left out this switch
         in the example; /d * runs the process every day
/ru      Under whose authority; if a user account name is entered here (use the
         domainname\username format), the password is entered using the /rp switch; to
         use a local computer account use the \machine switch and \u and \p parameters
         (when the SYSTEM account is used, no password is entered)
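The scheduled refresh described above, written as a simple PowerShell script (an added example, not code from the book). The template, database and log paths and the task name are assumptions; FILESTORE is the file-permission area listed earlier, REGKEYS is secedit's area name for registry permissions, and /st (start time) is a schtasks.exe switch not shown in Table 9.1.

```powershell
# Refresh-Acls.ps1 - added example; every path and the task name are assumptions.
param([switch]$Register)

$Template = 'C:\SecTemplates\baseline.inf'   # hypothetical template holding the preferred ACLs
$Database = 'C:\SecTemplates\refresh.sdb'    # hypothetical working database
$LogDir   = 'C:\SecTemplates\logs'           # hypothetical log directory
$TaskName = 'RefreshSecurityAcls'            # hypothetical task name

if ($Register) {
    # One-time setup: run this script every Monday at 02:00 as SYSTEM
    # (no password is needed for the SYSTEM account).
    # The script path must not contain spaces, because /tr receives one string.
    $cmd = "powershell.exe -NoProfile -File $PSCommandPath"
    schtasks.exe /create /tn $TaskName /tr $cmd /sc weekly /d MON /st 02:00 /ru SYSTEM
    exit $LASTEXITCODE
}

if (-not (Test-Path -LiteralPath $Template)) {
    throw "Template not found: $Template"
}
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Apply one template node per secedit call: file permissions first,
# then registry permissions. Each area gets its own log file.
$failed = @()
foreach ($area in 'FILESTORE', 'REGKEYS') {
    $log = Join-Path $LogDir "$area.log"
    secedit.exe /configure /db $Database /cfg $Template /overwrite `
                /areas $area /log $log /quiet
    if ($LASTEXITCODE -ne 0) {
        $failed += "$area (exit code $LASTEXITCODE, see $log)"
    }
}

if ($failed.Count -gt 0) {
    Write-Error ("secedit reported problems: " + ($failed -join '; '))
    exit 1
}
```

Because the task runs as SYSTEM, keep the script, the template and the database in a directory that only Administrators and SYSTEM can write to; otherwise anyone who can edit those files controls what SYSTEM applies.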
The Most Important Registry Keys that Need Protection
Microsoft officially recommends that system administrators restrict user access to certain
subkeys under HKEY_LOCAL_MACHINE\SOFTWARE. The purpose of this restriction
is to prevent unauthorized access to the software settings.
Note Microsoft officially recommends that system administrators restrict user access to
the following registry keys:
For all earlier versions of Windows NT-based systems, including Windows 2000, it
is recommended that the user restrict the Everyone group (note that in Windows XP
and Windows Server 2003 the Everyone group has been restricted by default). For
the Everyone group, it's sufficient to have the Query Value, Enumerate Subkeys,
Notify, and Read Control rights to the
NT\CurrentVersion registry key and the following subkeys under this key:
AeDebug, Compatibility, Drivers, Embedding, Font Drivers, FontCache,
FontMapper, Fonts, FontSubstitutes, GRE_Initialize, MCI, MCI Extensions, Ports
(and all its subkeys), Type 1 Installer, Windows 3.1 MigrationStatus (and all its
subkeys), WOW (and all its subkeys).
The same set of access rights (Query Value, Enumerate Subkeys, Notify, and Read
Control) needs to be assigned to the Everyone group for the Uninstall, Run, and
RunOnce subkeys under
Microsoft also recommends that you restrict user access to the
NT\CurrentVersion\Perflib key, which stores the data that governs system performance.
In Windows NT 4.0, the Everyone group by default has Read access to this key (it's
recommended that you delete this group from the Perflib ACL). As shown in Fig. 9.15, in
Windows Server 2003, the Everyone group by default has no access to this key.
Figure 9.15: Restricting access to the
NT\CurrentVersion\Perflib registry key
The Everyone group has restricted access rights (only Query Value, Enumerate Subkeys,
Notify, and Read Control) to other registry keys, including the HKEY_CLASSES_ROOT
root key and all its subkeys, and the HKEY_USERS\.DEFAULT key. By protecting
these keys, you protect important system settings from changes (for example, this will
prevent users from changing the filename extension associations or specifying new
security settings for Internet Explorer).
Furthermore, it's necessary to restrict the Everyone group access to keys such as
es and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS. The
Everyone group only needs the following rights to these keys: Query Value, Enumerate
Subkeys, Notify, and Read Control. By setting these restrictions, you'll prevent
unauthorized access to shared system resources and the use of the ImagePath setting under
the UPS key for starting undesirable software. Only the operating system (System) and
members of the Administrators group need Full Control access to these keys.
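One way to check these recommendations on a live system, as an added example that is not code from the book: the script reports every Allow entry that gives the Everyone group more than Query Value, Enumerate Subkeys, Notify and Read Control. The key list is an assumption built from keys named in this section; extend it as needed.

```powershell
# Added example (not from the book): report Allow entries that give Everyone
# more than Query Value, Enumerate Subkeys, Notify and Read Control.
$Keys = @(
    'Registry::HKEY_CLASSES_ROOT',
    'Registry::HKEY_USERS\.DEFAULT',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI Extensions'
)

# The four rights above are exactly RegistryRights.ReadKey (0x20019).
$Allowed  = [int][System.Security.AccessControl.RegistryRights]::ReadKey
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Get-ExcessEveryoneRights {
    param([string[]]$Path)
    foreach ($key in $Path) {
        try   { $acl = Get-Acl -LiteralPath $key -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL of ${key}: $($_.Exception.Message)"; continue }

        # Resolve every trustee to a SID so a localized group name still matches.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if (-not $rule.IdentityReference.Equals($Everyone)) { continue }
            if ($rule.AccessControlType -ne 'Allow')           { continue }

            # Bits granted beyond ReadKey. Generic rights on inherit-only
            # entries are not expanded and show up here as raw bits.
            $excess = [int]$rule.RegistryRights -band (-bnot $Allowed)
            if ($excess -ne 0) {
                [pscustomobject]@{
                    Key       = $key
                    Granted   = $rule.RegistryRights
                    Excess    = [System.Security.AccessControl.RegistryRights]$excess
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

Get-ExcessEveryoneRights -Path $Keys | Format-Table -AutoSize
```

An empty result means no listed key grants Everyone anything beyond the four read rights; a row with Inherited set to True points to a parent key as the place to fix the ACL.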
Finally, here is a tip that applies to all Windows NT-based systems. Pay
close attention to the Run, RunOnce, and RunOnceEx registry keys under
example, the system runs all the programs listed under the RunOnceEx key only once,
and then deletes the settings specifying the starting parameters for these programs. It's
easy to see that these registry settings may allow users to run undesirable software on the
local computer. Thus, Full Control access to this key should only be provided to the
operating system (System) and members of the Administrators group. The list of registry
keys, which are used most often for installing worms, viruses, and Trojans, is provided
Therefore, if you suspect that your computer is infected, these registry keys must be
checked first. Furthermore, the list of such keys is constantly being supplemented.
Recently, the following keys have been added to this list:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\drivers.desc
HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions
Note It's necessary to mention one more registry key, which is also very important in
terms of security. When you work with the Remote Access Service (RAS), the
system sometimes displays dialogs prompting you to enter a login name and
password. These dialogs often contain checkboxes, which allow you to save the
password (for example, Save This Password or Remember This Password).
Although this feature is very convenient for end users, it can possibly be very
dangerous, because the passwords are stored in such a way that they can be easily
retrieved by the system (and, for that matter, by anyone else). This is especially
important for those of you working with laptops and other portable computers,
because if your machine is lost or stolen, the person who finds (or steals) it will
have access to all your networks.
The easiest way to protect yourself against this risk is to disable the feature for saving
RAS passwords on RAS clients. Open the
meters key and add the REG_DWORD setting named DisableSavePassword. Now the
system won't prompt you to save your RAS password.