Of the three methods, you can probably guess that this is the least used method. The reason seems fairly obvious: you don’t want to manually configure thousands of computers to establish the security on them. However, manually deploying security templates is common. You will most likely see this when the computer is not part of a Windows Active Directory domain and when the administrator of the computer does not have Active Directory administrative rights, but does have administrative privilege over the computer.
This method includes using the Security Configuration and Analysis (SCA) snap-in. The snap-in is accessed just like we accessed the Security Templates snap-in from above.
SCA only works on the computer where the MMC is running. The tool can’t configure computers remotely, which is where the limitations are evident. To configure the computer with the security template, follow these steps within the SCA snap-in:
1. Right-click on the SCA node and select Open Database
2. Select a name for the database
3. Select the security template you want to use
4. After the database is created, right-click on the SCA node and select the Configure Computer Now option
If you have more than just a few computers that you need to configure, but you don’t have access or control over the GPOs in Active Directory, you can deploy security templates using a command line option. The command line tool is named SECEDIT.EXE and is the command line version of the SCA. Almost anything that you can do in the SCA you can also do with the SECEDIT tool.
SECEDIT can either be run on each computer, or it can be scripted to run automatically on many computers. The command that would deploy a security template on a computer is:
SECEDIT /configure /db db1.sdb cfg sectemplatename.inf /log logname.log
This will configure the local computer using a database name of db1.sdb, a security template name of sectplatename.inf, and a log file of logname.log. These names can be anything that you want. If you are scripting the command, you will want to place the security template file on a network share and use a network path to point the computer to the file.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.