S 4.243 Windows client operating system administration tools
Initiation responsibility: Administrator
Implementation responsibility: Administrator
The command line tool secedit is already familiar from Windows 2000. It allows the configuration of the security settings to be automated: among other things, it creates, applies and analyses security templates. One of its most important functions is the comparison of the security settings currently in effect on the system with the reference settings in a template. It should be noted that since Windows XP part of the secedit functionality (the policy refresh) has been moved to the gpupdate tool. In Windows Vista and Windows 7, secedit must be called from a command prompt that was started with explicit administrator privileges ("Run as administrator"), since its operations require an elevated token.
The settings currently in effect can also be analysed with the Security Configuration and Analysis MMC snap-in. In contrast to secedit, the results are presented graphically. It must be taken into account that neither secedit nor the Security Configuration and Analysis snap-in can be used to configure or analyse the registry-based settings defined in administrative templates (ADM/ADMX files); these are handled by the Group Policy editor.
Security templates (.inf files) are edited in Windows XP, Windows Vista and Windows 7 using the MMC snap-in Security Templates. Since security templates are plain text files in INI format, they can also be edited with an ordinary text editor. This may be necessary, for example, to add registry values that the snap-in does not offer.
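As an added example (not part of the original safeguard text), the following PowerShell script exports the settings currently in effect with secedit, compares the password and lockout settings with a constructed baseline template and then lets secedit run the full analysis against that template. The baseline also shows how a registry value is added to a template by hand. All paths and the baseline values are assumptions chosen for the illustration.

```powershell
# Added example, not taken from the safeguard text. Run from an elevated
# PowerShell prompt ("Run as administrator"). Paths and baseline values are
# assumptions for illustration.

$work     = Join-Path $env:TEMP 'secaudit'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$baseline = Join-Path $work 'baseline.inf'
$current  = Join-Path $work 'current.inf'
$db       = Join-Path $work 'analysis.sdb'
$log      = Join-Path $work 'analysis.log'

# Constructed baseline template. Templates are INI-style text, so settings the
# MMC snap-in does not offer can be added by hand, e.g. registry values in
# [Registry Values] (format: path=type,value; type 4 = REG_DWORD, 1 = REG_SZ).
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordHistorySize = 24
LockoutBadCount = 10
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
'@ | Set-Content -Path $baseline -Encoding Unicode

# Minimal INI parser for templates: returns @{ Section = @{ Key = Value } }.
function ConvertFrom-SecurityTemplate {
    param([string]$Path)
    $result = @{}
    $section = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $section = $Matches[1]
            $result[$section] = @{}
            continue
        }
        if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $result[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# 1. Export the settings currently in effect. /mergedpolicy includes the
#    settings applied by domain group policy, not only the local policy.
secedit /export /mergedpolicy /cfg $current /quiet | Out-Null

# 2. Compare the password/lockout settings key by key.
$want = (ConvertFrom-SecurityTemplate $baseline)['System Access']
$have = (ConvertFrom-SecurityTemplate $current)['System Access']
foreach ($key in $want.Keys) {
    $status = if ($have[$key] -eq $want[$key]) { 'OK      ' } else { 'MISMATCH' }
    '{0} {1}: current={2} expected={3}' -f $status, $key, $have[$key], $want[$key]
}

# 3. Full analysis by secedit (also covers registry values, user rights, ...).
#    The template is imported into a fresh analysis database; deviations are
#    written to the log as "Mismatch - <setting>" lines.
secedit /analyze /db $db /cfg $baseline /log $log /quiet | Out-Null
Select-String -Path $log -Pattern 'Mismatch' | Select-Object -ExpandProperty Line
```

The same database can afterwards be applied with secedit /configure /db $db if the deviations are to be corrected, but in a domain the corrected values belong in a GPO, otherwise the next policy refresh will overwrite them again.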
When the settings of a group policy change, the changes only take effect after a certain delay, which is defined by the refresh interval in the processing settings of the group policy (by default every 90 minutes with a random offset of up to 30 minutes on clients). In Microsoft Windows XP and higher, the gpupdate command line tool can be used to apply the changes to a user or a computer immediately. This tool replaces the secedit /refreshpolicy command available in Windows 2000.
The gpresult command line tool can be used on a Windows client running Windows XP or higher to list the resultant set of all group policies applied to the computer and the logged-on user. It can also be used to find out which settings are in effect for a certain user on a certain computer (gpresult /s computername /user username /r). Note that this reports the RSoP logging data recorded on that computer, so it only works for a user who has already logged on there at least once; the behaviour for a user who has never logged on can only be simulated in planning mode (see below). From Windows Vista onwards, gpresult /h writes a complete HTML report. The tool is particularly useful for troubleshooting and for documenting the settings currently in effect.
The MMC snap-in Resultant Set of Policy (rsop.msc) offers functionality similar to that of gpresult. It can be used not only to document the settings currently in effect (logging mode), but also to simulate other scenarios such as a different user, computer, site or security group membership (planning mode); planning mode requires a domain controller running Windows Server 2003 or later, which performs the simulation.
This makes it possible to simulate the effect of a policy before it is implemented, which is extremely important in the design phase and helps to avoid implementation errors, especially with complex group policy structures and hierarchies.
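As an added example (not part of the original text), the following PowerShell commands carry out the steps described above: forcing a policy refresh, documenting the applied policies on the local computer, and querying the logged resultant set for a remote user/computer pair. The host and account names are assumptions.

```powershell
# Added example, not taken from the safeguard text. Host, account and path
# names are assumptions for illustration; run from an elevated prompt.

$reportDir = Join-Path $env:TEMP 'gpreports'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# 1. Apply pending GPO changes now instead of waiting for the refresh interval.
#    /force re-applies all settings, not only the changed ones; /target limits
#    the refresh to the computer part of the policy.
gpupdate /target:computer /force

# 2. On-screen summary (applied and filtered GPOs, group membership) and an
#    HTML report (Windows Vista and later) for the documentation.
gpresult /r /scope:computer
$html = Join-Path $reportDir ('rsop-{0}-{1:yyyyMMdd-HHmm}.html' -f $env:COMPUTERNAME, (Get-Date))
gpresult /h $html /f

# 3. Logged RSoP for another user on another computer. /u and /p would be the
#    credentials used for the remote connection; /user names the account whose
#    policy is reported. The account must have logged on to that computer
#    before, otherwise no RSoP logging data exists and gpresult reports an error.
gpresult /s CLIENT-042 /user CORP\jdoe /scope:user /r

# 4. The same via the GroupPolicy module (RSAT, Windows 7 and later) as an XML
#    report, which can be diffed against an earlier snapshot.
Import-Module GroupPolicy
Get-GPResultantSetOfPolicy -Computer CLIENT-042 -User CORP\jdoe -ReportType Xml `
    -Path (Join-Path $reportDir 'rsop-CLIENT-042-jdoe.xml')

# For a user who has never logged on (design phase), use planning mode instead:
# rsop.msc in planning mode or Group Policy Modeling in GPMC. Both need a domain
# controller running Windows Server 2003 or later to perform the simulation.
```

Keeping the XML reports from step 2 or 4 under version control gives a simple way to detect unexpected policy changes between two snapshots.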
The Group Policy Management Console (GPMC), available free of charge from Microsoft, offers significantly improved administration capabilities for group policies in Active Directory compared with the standard snap-ins of Windows 2000 and Windows XP. The tool is included in Windows Vista (up to Service Pack 1, from which point it is distributed as part of the Remote Server Administration Tools). GPMC provides functions that are very important for the administration of group policies in Active Directory:
- creation, linking and deletion of GPOs,
- importing the settings from backup copies of Group Policy Objects,
- creation of GPO reports which can be used for documentation purposes, among other purposes, and
- creating backup copies of GPOs and restoring them.
Finally, GPMC provides a scripting interface (a COM interface; from Windows 7 and Windows Server 2008 R2 onwards also the GroupPolicy PowerShell module) that can be a real help with a number of administrative tasks. It is therefore strongly recommended to use GPMC in Active Directory environments. In Windows 7 and higher, GPMC is not installed by default but is provided as part of the Remote Server Administration Tools (RSAT), which must be downloaded from Microsoft and enabled as a Windows feature.
The GPOAccelerator tool supports the configuration of group policies for the operation of Windows Vista clients in a domain whose domain controllers do not yet run Windows Server 2008. In this case the group policies must be configured from a Windows Vista client: a domain administrator specifies the required group policy settings on the client using GPOAccelerator, and the resulting configuration is then transferred to the sysvol folder of the domain controller. In Windows 7 and higher, GPOAccelerator is replaced by the Microsoft Security Compliance Manager (SCM).
Another useful tool is the migration table editor mtedit, which is delivered with GPMC. It allows the convenient creation of migration tables, which are needed when a GPO is copied or imported across domains: domain-specific references in the GPO, i.e. security principals (users, groups and computers, given by name or SID) and UNC paths, are mapped to their counterparts in the target domain.
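As an added example (not part of the original text), the following PowerShell script performs the GPMC tasks listed above (creating and linking a GPO, backing up all GPOs, generating reports, restoring, and importing into another domain with a migration table) using the GroupPolicy module that ships with RSAT on Windows 7 and Windows Server 2008 R2 or later. The domain, OU, GPO and path names are assumptions, and the migration table is a constructed one; in practice it would be produced with mtedit.

```powershell
# Added example, not taken from the safeguard text. Domain, OU, GPO and path
# names are assumptions for illustration.
Import-Module GroupPolicy

$backupRoot = 'C:\GPO-Backup'
$stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$backupPath = Join-Path $backupRoot $stamp
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# 1. Create a GPO and link it to an OU. The link is created disabled so the
#    GPO can be reviewed (e.g. with Group Policy Modeling) before it affects
#    any client.
$gpo = New-GPO -Name 'Client Baseline' -Comment 'Security baseline for Windows 7 clients'
New-GPLink -Name $gpo.DisplayName -Target 'OU=Clients,DC=corp,DC=example' -LinkEnabled No | Out-Null

# 2. Back up every GPO of the domain and write one HTML report per GPO for the
#    documentation (Xml as ReportType is the better input for automated diffs).
Backup-GPO -All -Path $backupPath | Out-Null
Get-GPO -All | ForEach-Object {
    $safe = $_.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $_.Id -ReportType Html -Path (Join-Path $backupPath "$safe.html")
}

# 3. Restore a single GPO from that backup, e.g. after a faulty change.
Restore-GPO -Name 'Client Baseline' -Path $backupPath | Out-Null

# 4. Import the backed-up settings into another domain. Group names, SIDs and
#    UNC paths inside the GPO are rewritten according to a migration table.
#    The constructed table below maps a source-domain group to its counterpart
#    in the target domain and keeps one UNC path unchanged.
$migTable = Join-Path $backupPath 'corp-to-lab.migtable'
@'
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>Helpdesk@corp.example</Source>
    <Destination>Helpdesk@lab.example</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\fs01.corp.example\scripts</Source>
    <DestinationSameAsSource />
  </Mapping>
</MigrationTable>
'@ | Set-Content -Path $migTable -Encoding Unicode

Import-GPO -BackupGpoName 'Client Baseline' -Path $backupPath `
           -TargetName 'Client Baseline' -Domain 'lab.example' `
           -MigrationTable $migTable -CreateIfNeeded | Out-Null
```

Without the migration table, Import-GPO would carry the source domain's SIDs into the target GPO unchanged, where they resolve to nothing, so every security principal and path in the GPO should be checked against the table before the import is run in production.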
The auditpol command line tool is available from Windows Vista onwards for configuring the audit policy. It gives access to the detailed audit subcategories, which in Windows Vista cannot be set through the nine legacy audit categories of the group policy editor; from Windows 7 onwards they can also be set via Advanced Audit Policy Configuration in a GPO, which is then re-applied on every policy refresh and overrides local auditpol changes.
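As an added example (not part of the original text), the following PowerShell script compares the effective audit policy with a small constructed baseline, enables missing subcategories and exports the policy for documentation. The required settings are assumptions chosen for the illustration; the subcategory names are the English names listed by auditpol /list /subcategory:*.

```powershell
# Added example, not taken from the safeguard text. The baseline below is a
# constructed assumption; run from an elevated prompt.

# Constructed baseline: subcategory -> required value of "Inclusion Setting".
$required = @{
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Special Logon'             = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Process Creation'          = 'Success'
}

# /r makes auditpol print CSV (Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting), which PowerShell
# turns into objects. Blank lines in the output are dropped first.
$effective = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

function Test-AuditBaseline {
    param($Effective, [hashtable]$Required)
    $ok = $true
    foreach ($sub in $Required.Keys) {
        $row = $Effective | Where-Object { $_.Subcategory -eq $sub }
        if (-not $row -or $row.'Inclusion Setting' -ne $Required[$sub]) {
            Write-Warning ('{0}: is "{1}", required "{2}"' -f $sub, $row.'Inclusion Setting', $Required[$sub])
            $ok = $false
        }
    }
    return $ok
}

if (-not (Test-AuditBaseline $effective $required)) {
    # Local correction. This only sticks if no GPO configures these
    # subcategories; a setting from Advanced Audit Policy Configuration is
    # re-applied at the next policy refresh and wins over auditpol /set.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Process Creation" /success:enable
}

# Snapshot for the documentation; auditpol /restore /file:<path> re-imports it,
# e.g. on a rebuilt system.
$backup = Join-Path $env:TEMP "auditpol-$env:COMPUTERNAME.csv"
auditpol /backup /file:$backup
```

In a domain the baseline itself belongs in a GPO; the script is then useful as an independent check that the policy a client reports matches what the GPO is supposed to deliver.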
With the Microsoft Baseline Security Analyzer (MBSA), Microsoft provides a tool that automatically checks which security updates are missing on a system and also detects a number of common misconfigurations. Its use gives administrators a current overview of the patch status of the system and therefore contributes significantly to the overall security of the system (see S 4.249 Keeping Windows client systems up to date).
The Microsoft Problem Steps Recorder (PSR) allows users to document problems that occur in a form that is useful and understandable for administrators. The tool is available in Windows 7 and higher and, once started, records the user's input. It takes screenshots of the affected IT system and marks and describes the user's input in them. In addition, the user can add their own comments to a screenshot to describe the problem in more detail. PSR generates a ZIP file containing an MHT file that describes the problem. An instruction for users must specify that, while a problem is being recorded:
- windows with confidential screen contents are closed or minimised,
- no passwords or other authentication data are entered, and
- no other confidential information is entered.
Furthermore, the generated ZIP/MHT file must be transferred over a communication channel whose security is appropriate to the confidentiality of the file's contents.
Administrators must make use of these tools when troubleshooting and during the design and test phases. Their use helps to detect and avoid misconfigurations and the vulnerabilities that result from them.
Review questions:
- Are the administration tools of the Windows Client operating systems used according to the requirements?