======================================================================
    Security Configuration Editor
======================================================================
  (c) Copyright Microsoft Corporation, 1998

=======
Preface
=======
In addition to installation information, this readme.txt file provides
information on the basic use of SCE.  It is recommended that you print
this readme.txt file and follow the steps in section 4.0, Using SCE.

========
Contents
========
1.0 Introduction
2.0 Requirements
3.0 Installation
  3.1 To Install the SCE GUI and Command Line Tool
  3.2 To Install the SCE Command Line Tool only
4.0 Using SCE
  4.1 To load the SCE MMC Snap-in
  4.2 To Edit a predefined SCE Configuration File
  4.3 To Configure a system from the SCE UI
  4.4 To Perform a security analysis
  4.5 Using the SCE Command Line Tool
5.0 The Predefined SCE Configuration Files
  5.1 Compatible
  5.2 Secure
  5.3 High Secure
  5.4 Basic
  5.5 MS Office 97 - SR1
6.0 Further Information
7.0 Feedback

================
1.0 Introduction
================
Service Pack 4 includes support for the Microsoft Security
Configuration Editor (SCE).  SCE allows system administrators to
consolidate all security related system settings into a single
configuration file.  These security settings may then be applied to 
any number of Windows NT machines.  Sample configuration files which
implement different levels of security are also included.

SCE supports both a graphical user interface (GUI) and a command line tool.

The SCE GUI allows an administrator to
  o create and edit security configuration files
  o apply a security configuration to a system
  o perform a security analysis
  o graphically review the analysis results

The SCE command line tool is all that is needed to
  o apply a security configuration to a Windows NT system
  o perform a security analysis
    - This analysis may then be reviewed graphically
      from a Windows NT machine that has the SCE GUI.

================
2.0 Requirements
================
The SCE GUI and command line tool require:
  o NT4-SP4.   

The SCE GUI requires:
  o Microsoft Internet Explorer 3.02 or higher
  o Microsoft Management Console 1.0 or higher


================
3.0 Installation
================
SCE is included as an optional component of Service Pack 4, thus 
updating to Service Pack 4 does not automatically install SCE.  

---------------------------------------------------------
3.1 To install the SCE GUI and command line tool
---------------------------------------------------------
1. Install Internet Explorer 3.02 or Higher
     - IE 3.02 is available on Windows NT Service Pack 3
     - IE 4.01-SP1 is available on Windows NT Service Pack 4
     - Installation of IE optional components is not necessary.

2. Install Windows NT Service Pack 4
   - Refer to the SP4 README.TXT file in the root of the SP4 CD.

3. Install SCE.
   - SCE is available on the SP4 CD in \MSSCE\<platform>
   - Run MSSCE.EXE
  - Answer Yes to install MMC as part of the SCE installation.

---------------------------------------------
3.2 To install the SCE command line tool only
---------------------------------------------
1. Install SP4
   - Refer to the SP4 README.TXT file in the root of the SP4 CD.

2. Install SCE command line tool only.
   - SCE is available on the SP4 CD in \MSSCE\<platform>
   - Run MSSCE.EXE /C

Note, that a silent install is also available via the /S option.

=============
4.0 Using SCE
=============

                        ***********
                        * WARNING *
************************* ------- *******************************
* THE PREDEFINED SECURITY CONFIGURATION FILES DESCRIBED IN THIS *
* USAGE SCENARIO SHOULD NOT BE APPLIED TO PRODUCTION SYSTEMS    *
* WITHOUT PASSING COMPREHENSIVE QUALITY ASSURANCE TESTS.        *
*****************************************************************

-------------------------------
4.1 To load the SCE MMC Snap-in
-------------------------------

1. Run the Microsoft Management Console. 
   - MMC.Exe
2. Add the Security Configuration Manager Snap-in. 
   - From the Console pull-down menu, Click Add/Remove Snap-in
   - Click Add
   - Select Security Configuration Manager - OK

-----------------------------------------------
4.2 To Edit a predefined SCE Configuration File
-----------------------------------------------
1. Expand the Security Configuration Manager node
   This reveals the following folders:
  - Database: Not Loaded
  - Configurations
2. Expand the Configurations node
3. Expand the Default configuration file directory
  - %windir%\security\templates
  - The following configuration files should be revealed:

  Configuration File  Security Level  Platform
  ------------------  --------------  --------
  Basicwk.inf    Default    NT4 Wksta
  Basicsv.inf    Default    NT4 Server
  Basicdc.inf    Default    NT4 DC
  Compws4.inf    Compatible  NT4 Wksta\Server
  Compdc4.inf    Compatible  NT4 DC
  Securws4.inf    Secure    NT4 Wksta\Server
  Securdc4.inf    Secure    NT4 DC
  Hisecws4.inf    High Security  NT4 Wksta\Server
  Hisecdc4.inf    High Security  NT4 DC
  Off97SR1.inf    w/ Compatible  NT4 Wksta\Server

4. Expand a specific configuration file
  - For example: securws4
  - There are seven security areas such as account policies
    and File System settings which can be configured.
5. Highlight a specific security area
  - For example: Local Policies\Security Options
  - The configurable parameters are exposed in the result pane.
6. Double Click on a security object in the result pane
  - For Example: Message text for users attempting to log on
7. Customize the security setting for your environment
  - Enter a text string that is customized for your environment - OK
8. Save the customized configuration file
  - Right Click on the configuration file in the scope pane (securws4.inf)
  - Save or Save As to save any changes.

------------------------------------------
4.3 To configure a system from the SCE UI:
------------------------------------------
1. Click on the node Database: None
  - This activates the default database (secedit.sdb)
  - All configurations and analyses are performed against a database.
2. Right click on Database: Secedit.SDB
2. Select Import Configuration
3. Select the configuration you are interested in applying
  - Check the Overwrite existing configuration in database
    box to remove any previous settings stored in the database.
    The default is to append to the selected database.
  - Open
4. Right click on Database: Secedit.SDB
5. Select Configure System Now...
6. Enter the name of a file to log processing information to - OK

WARNING: Applying a secure configuration to an NT System may result
in a loss of performance and functionality.  

For example, many applications expect that all users will have Change 
(Read, Write, Execute, Delete) permissions on the root, systemroot,
and systemroot\system32 directories because this is the default Windows NT 
configuration.  Along with many other changes, the secure configuration files 
restrict these default access rights and may cause applications, which 
previously ran correctly, to fail.

----------------------------------
4.4 To perform a security analysis
----------------------------------
Before implementing the following steps, violate the security policy applied
in the previous step to see how the analysis engine highlights the violation.
For example:
  - Change the password policy using User Manager.
1. Right Click on Database: Secedit.SDB
2. Select Analyze System Now...
3. Enter the name of a file to log processing information in - OK

A progress dialog displays the security areas being analyzed.  When the
analysis has completed, the result pane highlights mismatches between actual
system settings and the settings defined in securws4.inf.


-----------------------------------
4.5 Using the SCE Command Line Tool
-----------------------------------
SP4 also includes a command line tool (secedit.exe) for applying 
configuration files.  Typing secedit with no command line arguments 
exposes the syntax for the command line tool.

The command line tool is useful for applying predefined configuration
files to many systems using distributed systems management tools such
as Microsoft Systems Management Server.

As an example,

secedit /configure /cfg securws4.inf /areas REGKEYS FILESTORE

would apply the file system and registry security settings specified 
in the securws4.inf configuration file to the Windows NT System 
where the program is run.

==========================================
5.0 The Predefined SCE Configuration Files
==========================================
System administrators can use the supplied configuration files to
test and customize for their specific environments.  These 
configurations should not be implemented in production environments 
without passing comprehensive quality assurance measures.

The predefined security configuration files define three levels of 
security beyond the default settings.  These predefined security 
levels are described as follows:

----------------------------
5.1 Compatible Configuration
----------------------------
An improvement over the default security settings, 
the compatible configuration errs on the side of applications when 
making a tradeoff between functionality and security.

------------------------
5.2 Secure Configuration
------------------------
An improvement over the compatible security settings, the secure 
configuration errs on the side of security when making a tradeoff 
between functionality and security.

-----------------------------
5.3 High Secure Configuration
-----------------------------
The High Security configuration enforces ideal security settings for a 
Windows NT system without consideration for application functionality.  
Most existing applications will not function adequately under the 
High Secure configuration.  The intent of the High Secure configuration
is to promote the development of future "security conscious" applications.

-----------------------
5.4 Basic Configuration
-----------------------
The basic configuration files are provided as a means to "undo" the 
application of a more secure configuration.  The Basic configuration 
applies the Windows NT default settings, but does not reset the following
User Rights as they are commonly modified by application setup programs:
  - Logon as a service
  - Act as part of the operating system

It is important to note that applying the basic (default) 
configuration does not "rollback" the application of a secure 
configuration.  The default configuration files simply apply a 
different set of security settings than the secure configuration files. 

--------------------
5.5 MS Office 97-SR1
--------------------
The MS Office 97-SR1 configuration file is meant to be used in conjunction
with the compatible configuration.  It must be applied AFTER Microsoft
Office 97-SR1 is installed and provides exceptions to the compatible
configuration that allow MS Office 97-SR1 to run successfully under a
non-administrative context.


=======================
6.0 Further information
=======================
Updated information related to SCE and the predefined configuration files
will be made availabe at http://www.microsoft.com/security/ntprod.htm as
it becomes available.

=======================
7.0 Feedback
=======================
The version of SCE available on NT4-SP4 is a backport of technology that
will ship in NT 5.0.  To help make improvements for NT 5.0, please send
your feedback to scefeed@microsoft.com