
System Audit: Windows

In this document we will introduce the concepts for performing a technical audit of Microsoft Windows systems. The following topics will be discussed:

Chapter 1 - Basic System Information Gathering Tools
Chapter 2 - Patch Levels
Chapter 3 - Network-based and Local Services
Chapter 4 - Installed Software
Chapter 5 - Security Configuration
Chapter 6 - Group Policy Management

Though the first step in every audit is always to define the scope, this chapter covers broad topics, so it is up to the auditor to determine which ones are relevant to what he/she wants to test. Basically, the audit of Windows or any other system boils down to first obtaining basic information, then checking the patch levels, the services that are running and the applications that are installed, and lastly looking at how security is implemented.

Afterwards, researching standards and guidelines for conducting the audit of Windows, as well as materials on generally accepted practices for properly configuring and securing Windows systems, and obtaining any existing policy of the organisation on system specifications, would then help the auditor to put together an audit checklist or a methodology that he/she can use. The standards that we can obtain, for example ISACA's COBIT or audit-related documents from the US National Institute of Standards and Technology (NIST), would provide us with the framework or high-level audit goals. They would also aid us in looking at the non-technical issues that should not be overlooked when auditing Windows or any system. These non-technical issues include concepts such as separation of duties and least privilege, and procedures on account setup, password change, back-ups and configuration management, as security does not rely solely on technology but on people and processes as well.

For the low-level Windows-specific guidance, we would need to use tools and techniques, which could either be features available in Windows itself (Local Security Policy/Group Policy, Security Configuration and Analysis, Event Viewer, Support Tools, etc.), on the web (Windows Resource Kit) or available in the market (third-party tools such as DumpSec from Somarsoft, Belarc Advisor, etc.).

Lastly, auditing Windows or any other system would not only involve auditing it at a point in time to see whether it is properly configured and secured and meets the business requirement, but more so would cover how the system is being monitored and maintained over time.

Chapter 1 - Basic System Information Gathering Tools


We suppose that all we know is that the system is running on Windows. Our audit would obviously start with knowing the basic things or aspects about the host or domain that we are auditing. Things such as the OS version, patch levels, system info, basic hardware, and file system in use should first be obtained before we can determine how secure the system is.

1.1 Windows System Information

Microsoft Windows comes with a tool that can be used to obtain basic information of the local host. It can be accessed via Start/Programs/Accessories/System Tools/System Information. Below is a sample output:

Another way of obtaining basic information and other security-related things (permissions, users, policies, rights, services, etc.) would be by using tools that are available in the market or provided by third parties. Here we will discuss how to use tools, namely DumpSec, Hyena, and Belarc Advisor, in obtaining System Information of a Windows environment. Most of the tools are made for administration and will require that we have administrator-level access to the system that we are auditing.
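The same basic facts (OS version, service pack, build, boot time, and which file system each fixed volume uses) can be collected without a GUI tool. The script below is an added example written for this document; it is not part of the original text or of any of the products named above. It uses only built-in PowerShell CIM cmdlets; the output path is an assumption, and the script must be run as a local administrator on the host being audited.

```powershell
# Added example (not from the original document): collect the basic system facts
# an audit starts with, using built-in CIM classes only.
param(
    [string]$OutputPath = "$env:TEMP\system-basics.csv"   # assumed location
)

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS

# One record describing the host itself
$hostInfo = [pscustomobject]@{
    ComputerName   = $cs.Name
    Domain         = $cs.Domain
    DomainJoined   = $cs.PartOfDomain
    OSCaption      = $os.Caption
    OSVersion      = $os.Version
    ServicePack    = $os.CSDVersion
    Architecture   = $os.OSArchitecture
    InstallDate    = $os.InstallDate
    LastBootUpTime = $os.LastBootUpTime
    BIOSVersion    = $bios.SMBIOSBIOSVersion
    PhysicalMemGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
}

# One record per fixed disk (DriveType 3); the audit point is whether NTFS is in use,
# because FAT volumes carry no permissions at all.
$volumes = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3" |
    ForEach-Object {
        [pscustomobject]@{
            Drive      = $_.DeviceID
            FileSystem = $_.FileSystem
            SizeGB     = [math]::Round($_.Size / 1GB, 1)
            FreeGB     = [math]::Round($_.FreeSpace / 1GB, 1)
            IsNTFS     = ($_.FileSystem -eq 'NTFS')
        }
    }

$hostInfo | Format-List
$volumes  | Format-Table -AutoSize

# Call out any fixed volume that is not NTFS as an explicit finding
$volumes | Where-Object { -not $_.IsNTFS } |
    ForEach-Object { Write-Warning "Volume $($_.Drive) uses $($_.FileSystem), not NTFS" }

$volumes | Export-Csv -Path $OutputPath -NoTypeInformation
Write-Host "Volume summary written to $OutputPath"
```

The CSV of volumes is the part worth keeping with the audit working papers; the host record is the same information that the System Information tool shows on its summary page.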

1.2 Somarsoft DumpSec

Somarsoft DumpSec (formerly known as DumpAcl) is a security auditing program for Microsoft Windows. It dumps or obtains the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable listbox format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information, policies, as well as services (Win32) and kernel drivers that are available and their current status (running or stopped) in the Windows environment. DumpSec can be downloaded for free from http://www.systemtools.com/somarsoft. After installation, the next thing to do is to specify the computer that you want to run DumpSec on by going to Report, then Select Computer. The default is the local computer. To run DumpSec against other machines from the local computer, you can specify either the name or the IP address of the computer.

Below is a screen shot of the items that DumpSec could provide a dump of. To get a dump of any of these items in DumpSec, go to Report and choose the item that you want to get information of. DumpSec will automatically provide the dump of the information on the screen.

A sample of an output, a dump of Policies is presented below:

To save the output of DumpSec, you can use File, then Save Report As, and then choose Fixed width cols as the format type.

Another way to save the output is by going to Edit and then Copy all items, or Ctrl+C.

However, there could be distortions to the tab formatting of the result when an output which has numerous columns is copied to an MS Word file, for instance. Thus, the first option of saving the output is preferable.

One of the capabilities of DumpSec is to look at the permission settings. Windows contains the mechanisms for providing strong system security, using permissions to control access to files, registry keys, printers, shares and other securable items, and auditing to log successful and failed access attempts. DumpSec makes it easy to verify that permissions are set properly by grouping files and directories with equivalent permissions. This enables the owner, administrator or auditor to quickly identify files that have inconsistent or exceptional permissions. One reason permissions get set inconsistently is that permissions are retained when a file is moved to a new directory, but when a file is copied, permissions are inherited from the destination directory.
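The grouping technique described above can be reproduced with built-in cmdlets. The script below is an added example written for this document, not DumpSec's own code or output: it reads the DACL of every file under a directory, groups files by identical DACL (using the SDDL string as the comparison key) so that the large groups show the norm and the small ones show the exceptions, and lists files whose inheritance has been broken. The root directory is an assumed parameter; run it as a user who can read the ACLs in question.

```powershell
# Added example (not from the original document or from DumpSec): group files by
# their DACL so that inconsistent or exceptional permissions stand out.
param(
    [string]$Root = 'C:\inetpub'   # assumed audit target; any directory will do
)

# Get-Acl returns the security descriptor; its SDDL string is a compact, comparable
# representation of the DACL, so an identical SDDL means identical permissions.
$entries = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
            [pscustomobject]@{
                Path           = $_.FullName
                Owner          = $acl.Owner
                Dacl           = $acl.GetSecurityDescriptorSddlForm('Access')
                InheritsParent = -not $acl.AreAccessRulesProtected
            }
        } catch {
            Write-Warning "Cannot read ACL: $($_.Exception.Message)"
        }
    }

# Group by DACL: the large groups are the norm, the small ones are the exceptions
$groups = $entries | Group-Object -Property Dacl | Sort-Object Count -Descending

foreach ($g in $groups) {
    "`n=== {0} file(s) share this DACL ===" -f $g.Count
    # Turn the SDDL back into readable access rules, once per group
    $sd = New-Object System.Security.AccessControl.FileSecurity
    $sd.SetSecurityDescriptorSddlForm($g.Name)
    $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
    # Show a few members of the group so the pattern is recognisable
    $g.Group | Select-Object -First 5 -ExpandProperty Path
}

# Explicit (non-inherited) permissions are the usual source of one-off exceptions,
# e.g. a file moved in from elsewhere that kept its old ACL.
"`n=== Files with inheritance disabled ==="
$entries | Where-Object { -not $_.InheritsParent } |
    Select-Object Path, Owner | Format-Table -AutoSize
```

On a well-managed tree nearly every file falls into one or two groups; a group of one or two files with a DACL of its own is exactly the "inconsistent or exceptional" case the text refers to and deserves a closer look.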

1.3 Somarsoft Hyena

Hyena (http://www.systemtools.com/hyena), a tool for day-to-day administration, brings together all of the administrative tools from Windows such as User Manager, Server Manager, and File Manager/Explorer, and many of the MMC components, into a single, easy-to-use, centralised program. It arranges all system objects, such as users, servers, and groups, in a hierarchical tree for easy and logical system administration. It uses an Explorer-style interface for all operations, including right mouse click pop-up context menus for all objects. Management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing are all supported. Below is a screen shot of Hyena:

If it can be used by a system administrator, we can also use it to obtain heaps of information on the Windows system that we are auditing. The following are some of Hyena's capabilities (assuming the user of Hyena is granted the permissions and rights to do so):

- Create, modify, delete, and view users, groups, and group membership
- Modify single or multiple user properties, including terminal server and Exchange mailbox settings
- Automatically create home directories and home shares for users, including full security configuration
- Export delimited text files of users, groups, printers, computers, group members, services, scheduled tasks, disk space, registry, and Active Directory information for your entire network
- Browse all server shares, copy and delete files without drive mappings
- View events, sessions, shares, processes, and open files for any server
- View and control services and drivers for one or more computers
- Manage share and file permissions, including creating new shares and viewing all share access rights at the same time
- Remotely schedule, delete, and manage jobs for multiple computers at the same time
- Remotely shut down and reboot any single computer or group of computers
- View remaining disk space for multiple computers at the same time

We can easily view the objects in the network using Hyena. By right-clicking each object, we can see the various options, items and information that may be relevant to our audit, such as Properties, Account Policy, Audit Policy, Services, Devices, Events, Disk Space, and many others.

For instance, when we choose the item Properties, the window below will appear providing us with heaps of additional information such as General Information (Name of the object, OS, Service Pack, Roles, and Time), Hotfix, Software, System, Environment and Network. As long as the access rights that we have would allow, Hyena will enable us to obtain or even update/change whatever system parameters that we want to look into.

We can export the information that we need using the Tools utilities of Hyena. We go to Tools (shown below), then the various methods of exporting information would appear. We can either use Run Exporter or Exporter Pro. We will present how to use Exporter Pro/Export Selected Objects as an example of how to use Hyena in exporting system information.

Hyena's Export Utility

First step is to choose the objects in the network that we want to get information of, by highlighting them. We can choose one or multiple objects in the Hyena screen, as shown below:

Choose the objects by highlighting them

After choosing the objects, we go to Tools and then Exporter Pro/Export Selected Objects. The dialogue box below will appear, asking us for the configuration name to use, the default being Hyena's. We can create our own configuration that we can use at any time by clicking New.

Creating a new configuration setting to use

We can also edit the existing configuration settings (click the drop-down arrows) by clicking Settings. Let us create a new configuration name to use, called BDO Audit, by typing BDO Audit in the second dialogue box above. The Configuration Properties box below will appear.

Click this to edit the configuration settings

To edit the Configuration Properties, click the Export Properties button above and the Export Properties box will appear. In the Export Properties box, we can set the details of the output that we want to generate. For instance, we can export Services info of the objects that we specified. Click Export Services box at the left corner, specify the Service Type and Service State. We can also specify the location of the output and the filename that we want in the Output File Name.

Click to specify Output location

After all the items in the Export Properties have been set, just click OK and then close the Configuration Properties box called BDO Audit. The dialogue box below will appear. Click Start Export.

Click this to start exporting info

Click Ok and then the Exporter window below would appear showing the progress of exporting information by Hyena.

The Output can be found on the location that we specified.

1.4 Belarc Advisor

Belarc Advisor (http://www.belarc.com/free_download.html) is the easiest to use, but the software is free only if it is run on a personal PC. It should not be used for commercial purposes, i.e. to run it on the corporate network. However, Belarc has a wide array of security audit software products for commercial use such as BelManage and BelSecure. Belarc Advisor conducts a full analysis of the host computer. It lists all the hardware and software that is installed and builds a detailed profile of the computer, including the basic system information that you may need, missing Microsoft hotfixes and antivirus. The results are shown in the default web browser and can be printed off. The HTML format report also includes the results of Belarc Advisor's benchmarking against CIS (Center for Internet Security) benchmarks (no result if Windows Vista is running on the host, as there is no CIS benchmark yet for Vista). Below is an example of the output when we run Belarc Advisor on the local machine:

Belarc Advisor's output is very detailed and is saved as c:\Program Files\Belarc\Advisor\System\tmp\(COMPUTERNAME).html on the host computer.

Chapter 2 - Patch Levels


Aside from basic information, one of the most important audit steps is to inquire whether the operating system and its critical components are regularly updated with the appropriate service packs, security patches, hotfixes, etc. We will present tools (MBSA, Qfecheck and hotfix reports) that we can use to check for any missing patches or hotfixes in the system, though the Belarc Advisor software is also able to identify missing patches or hotfixes.

2.1 Microsoft Baseline Security Analyzer (MBSA)

MBSA is a free security scanner for Microsoft operating systems and products which analyses a computer or a group of computers for missing patches/updates and common security misconfigurations. MBSA also provides a checklist of configuration problems and missing updates/patches. MBSA will report missing updates marked as critical security updates in Microsoft Update for the following products:

- Microsoft Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003
- Internet Information Server (IIS) 4.0, 5.0, and 6.0
- SQL Server 7.0, SQL Server 2000 (including Microsoft Data Engine 1.0 and 2000)
- Internet Explorer 5.01 and later
- Windows Media Player 6.4 and later
- Exchange Server 5.5, Exchange Server 2000, Exchange Server 2003 (including Exchange Admin Tools)
- Microsoft Data Access Components (MDAC) 2.5 to 2.8
- Microsoft Virtual Machine (VM)
- MSXML 2.5, MSXML 2.6, MSXML 3.0, MSXML 4.0
- Content Management Server 2001 and 2002
- Commerce Server 2000 and 2002
- BizTalk Server 2000, 2002, and 2004
- SNA Server 4.0, Host Integration Server 2000, Host Integration Server 2004
- Microsoft Office suite

Aside from the above, MBSA also checks the following:

- file system type(s) on hard drives
- if the Auto Logon feature is enabled
- if the pre-installed Guest account is active
- the number of local Administrator accounts
- blank or simple (not complex) local user account passwords
- if unnecessary services are enabled and running
- if Internet Connection Firewall is enabled
- if Automatic Updates is enabled
- Internet Explorer security zone settings for each identified local user
- if Internet Explorer Enhanced Security Configuration is enabled for Administrators and non-Administrators
- the Office products' security zone settings for each local user

MBSA is available from http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

How to scan for patch levels using MBSA

To run MBSA on a single computer, click on Scan a computer (or Pick a computer to scan in the left pane). Identify the computer you wish to scan either by its computer name (the host's computer name is displayed by default) or its IP address. Several scanning options are available. If you want a comprehensive report, leave the ticked defaults on. Since we are concerned about the host's patch levels, make sure that Check for security updates is ticked. Once all the options have been set, click on Start scan.

MBSA will start downloading security update information from the Microsoft website which it will use to query the computer.

Once it has downloaded the information, it will proceed with the scan.

When the scan completes, the results are shown in a detailed report.

For every issue identified, separate reports are available via the "What was scanned", "Result details" and "How to correct this" links. Clicking on Result details or How to correct this brings up another window such as the one below:

Links to missing updates or security patches are made available for download from the Microsoft website.

How to interpret the MBSA scan reports

MBSA uses different colored icons to represent vulnerabilities (scores) found on the scanned machine. For the security update checks:

- a red X indicates that a security update is missing from the scanned computer
- a yellow X is used for warning messages (for example, the computer does not have the latest service pack or update rollup)
- a blue star is used for informational messages indicating that an update is not available to the computer

For the administrative vulnerability checks:

- a red X is used when a critical check failed (as when a user has a blank password)
- a yellow X is used when a non-critical check failed (as when an account has a password that does not expire)
- a green checkmark is used when no issues were found for that particular check
- a blue asterisk is used for best practice checks (for example, checking if auditing is enabled), and
- a blue informational icon is used for checks that simply provide information about the computer being scanned, such as the operating system version of the scanned computer or the number of shared folders.

2.2 Qfecheck and hotfix reports

Qfecheck is a command-line tool released by Microsoft that enumerates all of the installed fixes by Microsoft Knowledge Base article number. Running Qfecheck enables users to verify whether hotfixes for the current operating system and service pack have been installed properly.

Downloading and Installing Qfecheck

Qfecheck is available for download from http://www.microsoft.com/downloads/details.aspx?FamilyID=155c7c58-102e-47b0-a12a-bfab8cfccc03&DisplayLang=en

Upon visiting the website above, the user is prompted that an ActiveX program needs to be installed to check whether the computer is using a genuine Microsoft Windows operating system. After passing the check, the download can proceed. Installing Qfecheck is as simple as double-clicking on the downloaded file and agreeing to the terms and conditions of use.

System Requirements

Different versions of Qfecheck are available for:

- Windows 9x
- Windows 2000
- Windows XP Home
- Windows XP Professional

Using Qfecheck

Qfecheck works by checking the host's registry and reading the information about installed hotfixes stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates key. It then compares the values stored about installed hotfixes with the file versions actually residing on the machine. If Qfecheck finds an invalid version or can't find a file associated with a key, it will generate an error. The output can be generated on screen (default) or to a log file.

Unlike MBSA or Belarc Advisor, Qfecheck does not check if a required update is missing. It simply checks if an update has been properly installed on the system. It is still up to the user to determine if and when an update is needed for a particular situation.

It is recommended that Qfecheck be run in a command environment. At the command prompt, running Qfecheck without any switches causes the program to check for all the installed hotfixes and the output to be displayed on screen.

The next screenshot describes the available options for Qfecheck.

The /l option displays the output to the screen and saves a log of the scan to the \windows\system32\ folder. The /l:[location] is the same as above, except that the [location] enables the user to specify the folder where the log file will be saved. The /v option (verbose) is the default, while /q displays only the errors on screen.
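Both views from this chapter, the list of hotfixes that are installed (what Qfecheck reports) and the list of applicable updates that are not installed (what MBSA reports), can be produced from built-in components. The script below is an added example written for this document; it is not part of the original text, of MBSA or of Qfecheck. It reads installed hotfixes through Get-HotFix and then queries the Windows Update Agent COM interface for updates that are applicable but not installed. The log path is an assumption; it needs an elevated prompt and, for the second part, access to whatever update source the host is configured to use (Microsoft Update or WSUS).

```powershell
# Added example (not from the original document, MBSA or Qfecheck): installed
# hotfixes by KB number, then applicable-but-missing updates, written to a log.
param(
    [string]$LogPath = "$env:TEMP\patch-audit.log"   # assumed location
)

"Patch audit for $env:COMPUTERNAME on $(Get-Date -Format s)" | Out-File -FilePath $LogPath

# Part 1: installed hotfixes, from the Win32_QuickFixEngineering class that
# Get-HotFix wraps, sorted by install date.
$installed = Get-HotFix | Sort-Object InstalledOn
"`nInstalled hotfixes: $(@($installed).Count)" | Tee-Object -FilePath $LogPath -Append
$installed |
    Select-Object HotFixID, Description, InstalledBy, InstalledOn |
    Format-Table -AutoSize | Out-String | Tee-Object -FilePath $LogPath -Append

# Part 2: updates that apply to this host but are not installed. The WUA COM
# interface (Microsoft.Update.Session) is the same engine Windows Update uses.
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

    $missing = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity        # Critical / Important / ... or empty
            Category = ($u.Categories | ForEach-Object { $_.Name }) -join ','
        }
    }

    "`nMissing updates: $(@($missing).Count)" | Tee-Object -FilePath $LogPath -Append
    $missing | Sort-Object Severity | Format-Table -AutoSize | Out-String |
        Tee-Object -FilePath $LogPath -Append
}
catch {
    Write-Warning "Windows Update search failed: $($_.Exception.Message)"
}

Write-Host "Log written to $LogPath"
```

Part 1 answers Qfecheck's question ("what is installed?") and Part 2 answers MBSA's ("what is missing?"); keeping both in one log makes it easy to show, for a finding, that an update was released, applicable and not applied at the audit date.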

Chapter 3 - Network-based and Local Services


On Microsoft Windows operating systems, a Windows service is a long-running executable or process that performs specific functions and does not require user intervention. Windows services can be configured to run at startup and continue to run in the background for as long as Windows is running, or the user can start the service manually as needed. In Unix systems, they can be likened to daemons. There are several methods that can be used to identify the services that are installed (enabled) on the computer.

3.1 Using System Information

The Windows built-in System Information utility can be run to gather a snapshot of the services that are currently installed. System Information can be accessed via Start/Programs/Accessories/System Tools/System Information. In the left pane, expand Software Environment by clicking on the [+] and then select Services:

Basic information about the services will be displayed. Clicking on the column headers sorts the services according to the heading.

3.2 Using MMC

Opening the console services.msc in Microsoft Management Console or MMC (discussed in a separate chapter) gives the user another method to view the services that are enabled on the computer. It can be opened via Start/Run, then typing services.msc in the dialog box. A sample screenshot is provided below:

Using MMC, the user is presented with Extended and Standard tabs. The Standard tab provides a tabulated list of the services, while the Extended tab provides a pane where additional information for each service is displayed, with point-and-click links to Start, Stop, Pause or Restart the particular service. Alternatively, right-clicking on the service provides a context menu with the same options, regardless of whether the user is in the Extended or Standard view. Another helpful feature of services.msc is its ability to view and manage the services of another computer. By right-clicking on Services (local) in the left pane and then selecting Connect to another computer, the user can, with sufficient rights, view and Start/Stop/Pause/Restart services.

In the above example, selecting Connect to another computer will bring up the Select computer dialog box, and the computer name or IP address of the remote computer is entered, as shown below.

The left pane will change to indicate the remote computer and the right pane will display the services installed for that computer.

3.3 Using the Command Line

Several command-line methods that can display local and network-based services are available to the user as alternatives to GUI-based methods. A couple of examples are given below:

sc query state= all > C:\scoutput.txt

This uses the sc (Service Controller) utility to query the computer about installed services and then writes its output to a text file. Aside from querying, sc can also stop and start services.

wmic /output:c:\wmicoutput.txt process list /format:csv

This uses the wmic (Windows Management Instrumentation Command-line) utility, here writing the currently-running processes to a comma-separated text file. WMIC also allows control of both local and remote systems.
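The service inventory that sc query and services.msc show can also be taken with PowerShell, enriched with the fields an auditor usually wants beside the state: start mode, the account the service runs as, and the binary path. The script below is an added example written for this document, not part of the original text. $ComputerName, the output path and the $ShouldBeDisabled list are assumptions; the service names in that default list are constructed for illustration and stand in for whatever the organisation's policy names as unnecessary services.

```powershell
# Added example (not from the original document): service inventory via
# Win32_Service, exported to CSV, with a check against a policy list of
# services that should be disabled.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Constructed illustration list; replace with the organisation's own policy
    [string[]]$ShouldBeDisabled = @('TlntSvr', 'SNMP', 'RemoteRegistry'),
    [string]$OutputPath = "$env:TEMP\services-$ComputerName.csv"   # assumed location
)

# Win32_Service works locally and remotely; the remote call needs administrator
# rights and WinRM access, the PowerShell equivalent of "Connect to another
# computer" in services.msc.
$services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName

$services | Export-Csv -Path $OutputPath -NoTypeInformation

# Findings: policy says "disabled", the host says otherwise
$services | Where-Object {
    $ShouldBeDisabled -contains $_.Name -and
    ($_.State -eq 'Running' -or $_.StartMode -ne 'Disabled')
} | ForEach-Object {
    Write-Warning ("{0} ({1}) is {2} with start mode {3}" -f
        $_.Name, $_.DisplayName, $_.State, $_.StartMode)
}

# Summary counts by state and start mode, the quick overview for the report
$services | Group-Object -Property State, StartMode | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Write-Host "Full inventory written to $OutputPath"
```

The StartName column (the service account) and PathName column are the ones to review by hand: a service running under a named domain account, or from an unexpected directory, is not visible in the sc query output at all.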

Chapter 4 - Installed Software


The basic system information that we have gathered so far using the tools discussed in the previous sections can already tell us a great deal that could be relevant to our audit objective. Information on the version of the OS, service packs, patch levels, disk format (NTFS should be used) and the services that are running could help us identify issues or audit concerns. Another thing the tools were able to provide us is the list of applications that are loaded on the host. A basic application list can help us identify high-level security issues. We can look for applications that are missing (such as an antivirus program that should be installed) as well as applications that are present but prohibited (such as an instant messaging application) per organisational policy. Below is how Hyena, Belarc Advisor and Microsoft's Add/Remove Programs tool can give us the list of applications that are installed.

4.1 Using Hyena

In Hyena, choose the object that you want to look at and, using a right mouse click, choose Properties. Shown below is a screen shot of Hyena.

After choosing Properties, the window below will appear. Click the Software tab to view the applications that are installed on the host.

4.2 Using Belarc Advisor

In Belarc Advisor, the Software Licenses as well as the Software Versions are included in its HTML output, as shown below.

4.3 Using Add or Remove Programs

The Add or Remove Programs utility can be accessed via the Control Panel or via Start/Run, then typing appwiz.cpl in the dialog box. Below is a sample screenshot:

The Add or Remove Programs utility, as the name suggests, not only displays the installed applications but also allows the user to Change or Remove them.
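Add or Remove Programs builds its list from the Uninstall keys in the registry, so the same list can be produced as text and checked against policy without clicking through the GUI. The script below is an added example written for this document, not part of the original text or of any tool it describes. It reads the 64-bit, 32-bit and per-user Uninstall keys and applies the two checks the chapter introduction describes: required software that is absent and prohibited software that is present. The $Required and $Prohibited patterns are assumed inputs whose default values are constructed for illustration.

```powershell
# Added example (not from the original document): the Add or Remove Programs
# list from the registry, checked against required/prohibited policy patterns.
param(
    [string[]]$Required   = @('*Antivirus*'),                 # constructed example
    [string[]]$Prohibited = @('*Messenger*', '*BitTorrent*')  # constructed example
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Entries without a DisplayName are hidden from the Control Panel list as well
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
                  @{ n = 'Source'; e = { $_.PSPath -replace '^.*::' } } |
    Sort-Object DisplayName -Unique

"Installed applications: $(@($apps).Count)"
$apps | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize

# Policy check 1: required software that is absent
foreach ($pattern in $Required) {
    if (-not ($apps | Where-Object { $_.DisplayName -like $pattern })) {
        Write-Warning "Required software matching '$pattern' is not installed"
    }
}

# Policy check 2: prohibited software that is present
foreach ($pattern in $Prohibited) {
    $apps | Where-Object { $_.DisplayName -like $pattern } | ForEach-Object {
        Write-Warning "Prohibited software found: $($_.DisplayName) $($_.DisplayVersion)"
    }
}
```

The Source column records which hive the entry came from, which matters for the per-user key: software installed under HKCU is only visible when the script runs as that user, so a host audit should run it for each account of interest or rely on the machine-wide keys only and note the limitation.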

Chapter 5 - Security Configuration


After obtaining basic system information and determining the patch levels, services and applications that are on the system, this chapter will focus on how security is implemented in Windows.

5.1 Microsoft Management Console (MMC)

The Microsoft Management Console (MMC) lets system administrators create and customise flexible user interfaces and administration tools. MMC unifies and simplifies day-to-day system management tasks. It hosts tools and displays them as consoles. These tools, consisting of one or more applications, are built with modules called snap-ins. The snap-ins can also include additional extension snap-ins. Microsoft Management Console enables system administrators to create special tools to delegate specific administrative tasks to users or groups. Microsoft provides standard tools with the operating system that perform the everyday administrative tasks that users need to accomplish. These standard tools can be customised, saved as MMC console (.msc) files, and then used on other computers.

For the auditor, a basic knowledge of how to use MMC will help in the analysis of a computer's hardware and software profiles, device and services management, and most importantly, the computer's security settings for groups and individual users. MMC is used in other sections of this document to inquire about the services installed on a computer and its security configuration. To open MMC, go to Start/Run, then type MMC. Microsoft Management Console opens with an empty console (or administrative tool) as shown in Figure 1. The empty console has no management functionality until snap-ins are added.

Figure 1: Beginning Console Window

On the File menu, click Add/Remove Snap-in. Click Add. This displays the Add Standalone Snap-in dialog box that lists the snap-ins that are installed on your computer. From the list of snap-ins, double-click Computer Management to open the Computer Management wizard. Click Local computer and select the check box for "Allow the selected computer to be changed when launching from the command line." Click Finish. This returns you to the Add/Remove Snap-in dialog box. Click the Extensions tab as shown in Figure 2 below. By ticking Add all extensions, all locally-installed extensions on the computer are used. If this check box is not selected, then only the extension snap-ins that are explicitly selected are loaded when the console file is opened on a different computer.

Figure 2: Select All Extensions

Click OK to close the Add/Remove Snap-in dialog box. The Console Root window now has a snap-in, Computer Management, rooted at the Console Root folder.

Customising the Display of Snap-ins in the Console: New Windows

After adding the snap-ins, you can add windows to provide different administrative views in the console. In the left pane of the tree view in Figure 3 below, click the [+] next to Computer Management. Click System Tools.

Figure 3: Console1 System Tools

Right-click the Event Viewer folder that opens, and then click New window from here. As shown in Figure 4 below, this opens a new Event Viewer window rooted at the Event Viewer extension to computer management.

Figure 4: Event Viewer

Click on the Window menu and click Console Root. In the Console Root window, click Services and Applications, right-click Services in the left pane, and then click New Window from here. As shown in Figure 5 below, this opens a new Services window rooted at the Services extension to Computer Management.

Figure 5: New window

Close the original window with Console Root showing in it. On the Window menu, select Tile Horizontally. The console file should appear and include the information shown in Figure 4 and Figure 5 above.

You can now save your new MMC console. Click the Save as icon on the Console window, and give your console a name. Your console is now saved as an .msc file, and you can provide it to anyone who needs to configure a computer with these tools.

Note: Each of the two smaller windows has a toolbar with buttons and drop-down menus. The toolbar buttons and drop-down menus on each of these two windows apply only to the contents of that window. You can see that a window's toolbar buttons and menus change depending on the snap-in selected in the left pane of the window. If you select the View menu, you can see a list of available toolbars.

The Microsoft Management Console also allows the user to group information and functionality that previously would have required opening a Control Panel option plus two separate administrative tools. The modular architecture of MMC makes it easy for system and network developers to create snap-in applications that leverage the platform while easing the administrative load. The next section shows how we can perform an analysis of a computer's security settings using MMC.

5.2 Using Security Configuration and Analysis (SCA)

The Security Configuration and Analysis (SCA) MMC snap-in compares systems in their current configuration against settings specified within a pre-defined security template, or within multiple templates. By applying rules defined in templates, the entire security of a system can be configured quickly. SCA is a great tool for initial system rollouts and deployments because the organisation's entire security policy can be contained in a single template and applied to all servers and workstations across the entire network. Current configurations can also be saved to, and exported from, a template should a rollback be needed. The ability to gather the computer's security settings makes SCA one of the handiest tools for the IT auditor.

How to run SCA

To begin using the SCA snap-in, you'll need to add it to a console in MMC. To do so, follow these steps:

1. Run MMC in author mode by typing MMC in a command window or via the Start/Run shortcut. Author mode allows the construction of new consoles from scratch and the addition of snap-ins to them.

2. Click the File menu, then select Add/Remove Snap-in. Then click Add. This raises a dialog box entitled Add Standalone Snap-in.

3. From the list, select Security Configuration and Analysis, click Add, and then click Close.

4. Click OK in the next box to confirm the addition of the snap-in.

Creating and using template databases with SCA

SCA uses databases, which have an .SDB extension, to store security templates for faster access and data retrieval. To create a new template database or open an existing SDB file:

1. On the console, right-click Security Configuration and Analysis in the left pane and select Open Database from the context menu.

2. At the Open Database dialog box, select from the list to open an existing database, or enter a name for a new database.

3. If a new filename is typed, the Import Template box appears, showing a list of available base security templates. Choose either a predefined template that ships with the operating system, or one that has been modified or customised previously.

4. Click OK. Any number of other templates can be imported to a database. Simply right-click Security Configuration and Analysis, and from the context menu choose Import Template. From there, select the .INF file that is the template you want, and click OK. The settings are added to the database. Please note that changes made to a security policy from within SCA are saved to the database and not to a template file that can be imported into a GPO or otherwise applied to other systems. To save the settings to a template, right-click Security Configuration and Analysis, and from the context menu choose Export Template. From there, choose a filename with a .INF extension for the exported template, and click OK.

Scanning system security

To analyse a system using SCA, right-click Security Configuration and Analysis in the console and select Analyze Computer Now from the context menu.

The Perform Analysis dialog box will appear. Select a filename for the results and accompanying log and click OK.

Two reports will be generated. First, events will be written to a log file to correspond with each success and failure of a component analysed by SCA. And second, SCA will write the current state of each component to the configuration trees within SCA, as shown in Figure A below.

Figure A

To view the log file, right-click on Security Configuration and Analysis in the left pane, then select View Log File. The log file will be loaded into the right pane and will show in general which portions of the computer's security policy don't match the baseline set in the database, or have not been configured as they should be.

For a more exact analysis, it is better to examine the policy tree itself. In the left pane, expand Security Configuration and Analysis and select one of the security areas to consider. Figure A shows the Password Policy tree under Account Policies. Still in Figure A, note the Database Setting and Computer Setting columns in the right pane. These indicate exactly which configuration options match between the current computer and the settings configured in the SCA database. Settings that agree are preceded by an icon with a small green checkmark. Settings that disagree are preceded by a small red X. Settings that don't appear in the database are not analysed and thus are not marked.

Correcting system security

To implement wholesale changes to a computer's security policy as specified by SCA, right-click Security Configuration and Analysis and select Configure Computer Now. The changes will be applied to the local computer. To make a change in the database based on the actual configuration object, double-click the attribute in question to bring up its properties. For example, double-clicking the Minimum password length attribute (under the Password Policy tree) will bring up the Minimum password length Properties window, as shown in Figure B.

Figure B

Adjust the appropriate settings in the box (make sure Define this policy in the database is ticked) and then click OK. The change will be committed to the database, but not to the local computer, and all future computers examined with that SCA database will be analysed against the changed setting.
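The Open Database / Import Template / Analyze Computer Now sequence can be scripted with secedit.exe, which is the command-line front end to the same engine the SCA snap-in uses, and the exported settings can then be compared against a baseline in the same Database Setting versus Computer Setting form the snap-in shows. The script below is an added example written for this document, not part of the original text or of SCA. The template path, the working directory and the baseline values are assumptions; the baseline numbers are constructed for illustration and should be replaced by the organisation's own template. It must run from an elevated prompt, as secedit requires administrator rights.

```powershell
# Added example (not from the original document or from SCA): analyse the
# machine against a template with secedit, then compare the exported
# [System Access] settings with a baseline.
param(
    [string]$TemplateInf = "$env:SystemRoot\security\templates\securews.inf",  # assumed path
    [string]$WorkDir     = "$env:TEMP\sca-audit"                                # assumed location
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$db  = Join-Path $WorkDir 'audit.sdb'
$log = Join-Path $WorkDir 'analysis.log'
$out = Join-Path $WorkDir 'current.inf'

# 1. Build the database from the template and analyse the machine against it.
#    This is what SCA does for Open Database -> Import Template -> Analyze Computer Now.
if (Test-Path $TemplateInf) {
    secedit /import /db $db /cfg $TemplateInf /overwrite /quiet
    secedit /analyze /db $db /log $log /quiet
    Write-Host "Analysis log: $log (look for the lines marked Mismatch)"
} else {
    Write-Warning "Template $TemplateInf not found; skipping the secedit analysis"
}

# 2. Export the machine's current security policy to an INF for an independent check
secedit /export /cfg $out /areas SECURITYPOLICY /quiet

# 3. Parse the [System Access] section of the INF into a hashtable
$current = @{}
$section = ''
foreach ($line in Get-Content $out) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $current[$Matches[1]] = $Matches[2]
    }
}

# 4. Compare against a baseline. Values are constructed for illustration only;
#    a real audit takes them from the organisation's approved template.
$baseline = @{
    MinimumPasswordLength = 8
    PasswordComplexity    = 1
    MaximumPasswordAge    = 90
    LockoutBadCount       = 5
}
foreach ($name in $baseline.Keys) {
    $actual = $current[$name]
    $status = if ($null -eq $actual) { 'NOT DEFINED' } elseif ([int]$actual -eq $baseline[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-24} database={1,-5} computer={2,-5} {3}' -f $name, $baseline[$name], $actual, $status
}
```

Step 4 reproduces the three states the snap-in displays: a match (green checkmark), a mismatch (red X) and a setting that is not defined in the database and therefore not analysed. Keeping the exported current.inf alongside the analysis log gives the auditor a point-in-time record of the settings that can be re-compared later without re-running the analysis.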

Chapter 6 - Group Policy Management


After obtaining basic system information and looking at the patch levels, services and applications that are on the system, this chapter will focus on how security is implemented in Windows.
