Remember in the previous post I mentioned about how to simplify the system hardening process for Windows Server 2003 & Windows XP Professional system using Security Configuration and Analysis in Microsoft Management Console, you can easily locate those security templates inside MMC console, but if you try to do the same thing in Windows 7 & Windows Server 2008 system, you will found that the security template is missing from C:\Windows\security\templates\ directory. So where to get those files and how to prepare the security hardening on Windows 7 and Windows Server 2008?
Apparently, the location for the security templates is already changed to C:\Windows\inf\ directory. You can refer to below security template in the directory mentioned above:
(Security template for default security settings of your system)
(Security template for Windows 7, inside this inf file contains the default recommended security settings for Windows 7)
(Security template for Windows Server 2008)
(Security template for domain controllers) You can still make use of Security Configuration and Analysis console to analyze and configure your system using the security template listed above. You can use the console or you can make use of ‘secedit’ command to apply the security settings by just using the command prompt.
Secedit is a command line tool that exist since Windows 2000 for the purpose of imposing the security policy settings to all the system in the domain. In Windows 2000, the functionality of this command is similar to ‘gpupdate’. It enforces the group policy application to the workstation but the difference is, this command have to be ran at the domain controller in order to instruct the domain controller enforce the policy settings to apply immediately to all the machines that connected to the domain.
In order to make use of ‘secedit’ to analyze and configure your systems with security templates, you can refer to command lines below. The first command is basically to analyze your computer security settings by using the security template, and store the database into C:\Security folder. The second command is to apply the security settings onto your system. You will need to create a folder called Security under drive C:\, or else, the command will return ‘Invalid path – C:\Security’
Analyze your computer security settings:
secedit /analyze /cfg C:\Windows\inf\Defltwk.inf /db C:\Security\WorkstationSecSettings.sdb /verbose
Apply security settings onto your computer:
secedit /configure /cfg C:\Windows\inf\Defltwk.inf /db C:\Security\WorkstationSecSettings.sdb /verbose
Just try it out, but please do not forget to backup your computer security settings, or else, it might screw up some of the programs.