1. SECEDIT command-line switches:
    This creates a template which can be used to "roll back" changes another template would make.
  2. SECEDIT command-line switches:
    When not used with the /db switch, this exports the current local Group Policy security settings.
  3. SECEDIT command-line switches:
    When used with /export, this collects the security template settings applied from GPO with the settings from the local GPO and exports them into a merged template file
  4. SECEDIT command-line switches:
    Checks a security template for errors
  5. SECEDIT command-line switches:
    Suppresses all screen and log output
  6. Name five places where you can get pre-created templates
    Microsoft, SANS, NIST, NSA, CSI
  7. What are the two levels standard security templates operate within?
    • Enterprise Client (EC): Computers joined to an AD domain running 2003 servers or better
    • Specialized Security - Limited Functionality (SSLF): Maximum security
  8. True or False: you can use group policy to set NTFS permissions on any given folder or even individual files
  9. Whenever there is a conflict of settings, the template applied _____ overrides the template applied _______.
    Whenever there is a conflict of settings, the template applied LATER overrides the template applied EARLIER.
  10. What is secedit.exe?
    A command-line version of SCA
  11. SECEDIT command-line switches:
    /AREAS area1 area2 areax
    • Allows you to specify which parts of the database should be exported. Areas include:
    • SECURITYPOLICY: account policies, audit policies
    • GROUP_MGMT: restricted group settings
    • USER_RIGHTS: logon and user rights settings
    • REGKEYS: permissions & audit settings on registry keys
    • FILESTORE: permissions & audit settings on NTFS folders and files
    • SERVICES: start-up state & permissions on Windows processes
  12. What is the default location of security templates?
  13. Before you can apply a template or compare a system to a given template, you must _________.
    Store the settings in a SCA database
  14. True or False: you can use group policy to set registry key permissions.
  15. Example secedit.exe syntax:
    • secedit.exe /analyze /db dbase.sdb /cfg generic.inf
    • secedit.exe /configure /db dbase.sdb
  16. The SAN can be used to do which of the following:
    A) reconfigure systems
    B) audit against templates
    C) create "database"
    D) import/export
    E) manage remote systems over the network
    A, B, C, D
  17. What should you always do when making changes to a security template?
    Save the template
  18. What is the purpose of security templates?
    To store a large number of settings in a single file
  19. What is the SCA?
    Security Configuration & Analysis Snap-in
  20. What are registry keys used for in security templates?
    For setting permissions on registry keys. NOT for changing the values of registry keys.
  21. What is SCW?
    • Security Configuration Wizard. Requires 2003+SP1/2008.
    • Must be installed via Add/Remove Programs .cpl
  22. Does SCW use .inf or .xml files?
  23. Does SCA use .inf or .xml files?
  24. Does SCW replace INF security templates?
    No. It cannot manage wireless security or RDP settings and many aspects of IIS security. It is best used in conjunction with other tools.
  25. What is the command-line version of SCW?
  26. What command would you use to view a report called win2008.xml of SCW policy compliance?
    scwcmd.exe view /x:win2008.xml /s:%windir%\security\msscw\TransformFiles\scwanalysis.xsl
  27. How would you deploy different SCW policies to thousands of computers in different domains?
    • Use SCWCMD.exe to create a GPO from an .xml with the command:
    • scwcmd.exe transform /p:policyfile.xml /g:GroupPolicyObjectName
    • Note: IIS settings and firewall settings are not included in the GPO.
  28. Which tool is best suited for automating the application of security templates to a small group of computers?
  29. Which tool is best suited for automating the application of security templates to thousands of computers?
    Group Policy
  30. What command would you use to take an XML file and automatically create a new GPO from it?
    SCWCMD.exe transform /p:policyfile.xml /g:GroupPolicyObjectName
  31. List 8 things that can be configured via Group Policy
    • Change registry values through ADM templates
    • Install applications and other software (.MSI and .ZAP)
    • Assign scripts for startup, shutdown, logon and logoff
    • Configure all IPSec settings
    • Configure all PKI settings
    • Control which programs users can run
    • Limit access to control panel applets
    • Configure virtually every option in IE
Card Set
Securing Windows DAY 2 - Group Policy