The SCM is a set of tools that allow administrators to define security templates that can be applied to individual machines or to any number of machines via Group Policy on a Windows XP Professional PC. The following policies and restrictions can be included in a security template:
- Password policies
- Lockout policies
- Kerberos policies
- Audit policies
- Event log settings
- Registry values
- Service startup modes
- Service permissions
- User rights
- Group membership restrictions
- Registry permissions and file system permissions
Before going in depth into security templates, let us discuss the default security groups that are available in Windows XP.
The major change in the Windows XP operating system is the restriction on the "Anonymous Logon" group.
Unlike in previous operating systems, the Anonymous Logon group is no longer a member of the Everyone group. A user who accesses a computer and its resources through the network without an account name, password, or domain is a member of the Anonymous Logon built-in security group. This made the Windows XP operating system more secure, because such anonymous users no longer get access through the Everyone group.
In previous versions of Windows, members of the Anonymous Logon security group had access to many resources due to membership of the Everyone group.
Now in Windows XP, there are three fundamental levels of security granted to users. These are granted to end users through membership in the Users, Power Users, or Administrators groups.
The Users group is the most secure: its members can only work with programs that have been certified for Windows, and they cannot change any settings of the Windows operating system. The Power Users group primarily provides backward compatibility for running non-certified applications. This group has the right to modify computer-wide settings.
The Administrators group is provided to perform computer maintenance tasks. The default permissions allotted to this group allow complete control over the entire system.
Types of SCM:
The SCM can be predefined or user defined. Microsoft provides a number of predefined security templates to help you lock down your PC via Group Policy.
Predefined security template:
The predefined security templates are provided as a starting point for customizing security policies as per the organizational requirements. These are available in %windir%\Security\Templates as *.inf files that can also be viewed as text files.
However, note that you cannot secure Windows XP Professional systems that are installed on FAT file systems. To apply a security template, the operating system should be on an NTFS file system. The following are the default *.inf files:
- Setup security.inf
- Compatws.inf
- Secure*.inf
- hisec*.inf
- Rootsec.inf
- Notssid.inf
The "Setup security.inf" is the default security computer-specific template that represents the default security settings that are applied during installation of the operating system. Setup security.inf should never be applied using Group Policy.
The "Compatws.inf" is the compatible template. It deals with the default permissions for workstations and servers, which are primarily granted to the Administrators, Power Users, and Users groups. Compatws.inf should not be applied to domain controllers.
The "secure*.inf" templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings.
Securews.inf and Securedc.inf are the important templates in this group. These templates also provide further restrictions for anonymous users by preventing them from enumerating account names and shares and from performing SID-to-name or name-to-SID translations.
The "hisec*.inf" template set (Hisecws.inf, Hisecdc.inf) is the highly secure template set available in Windows XP. These templates are supersets of the secure templates and impose further restrictions on the levels of encryption and signing that are required for authentication and for the data that flows over secure channels. The Secure templates enable server-side SMB packet signing to have high levels of encryption. Additionally, the Highly Secure templates require strong encryption and signing for the secure channel data that constitutes domain-to-member and domain-to-domain trust relationships.
The "Rootsec.inf" template specifies the new root permissions introduced with Windows XP Professional. This template can be used to reapply the root directory permissions. The "Notssid.inf" template can be applied to remove the unnecessary Terminal Server SIDs from the file system and registry locations. However, removing the access control entry for the Terminal Server SID from these default file system and registry locations does not increase the security of the system. Instead of removing the Terminal Server SID, simply run Terminal Server in Full Security mode. When running in Full Security mode, the Terminal Server SID is not used.
For more information on the above predefined templates, see the Microsoft Web site.
User defined security template:
This is a modified/customized security template. The following steps take you from adding the Security Templates snap-in to applying a template:
Adding Security Templates to the MMC console:
1. Click Start, Run.
2. Type mmc, click OK.
3. Click File menu, Add/Remove Snap-in.
4. In Add/Remove Snap-in, click Add.
5. In Available Standalone Snap-ins, click Security Templates, Add, Close.
6. Click OK.
7. Click File menu, click Save.
Customizing a predefined security template:
1. Open Security Templates.
2. Click File menu, Open.
3. Using the console tree, go to systemroot\Security\Templates, and in the details pane, right-click the predefined template you wish to modify.
4. Click Save As, type a new file name for the security template, and click Save.
5. In the console tree, double-click the new security template to display the security policies.
6. Find the security attribute that you wish to modify.
7. Right-click the security attribute and click Properties.
8. Select the Define this policy setting in the template check box, make your changes, then click OK.
NOTE: Ensure that you have logged in as administrator.
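Because the templates are plain *.inf text, a customized copy can be compared with the predefined template it was saved from before it is applied. The following Python sketch is an added example, not part of the original article: the two template excerpts are constructed samples, and the list of keys where a larger value counts as stricter is an assumption.

```python
# Added example: diff a customized security template against its predefined source.
# Both excerpts are constructed samples; values in real templates will differ.
BASELINE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""
CUSTOM = """\
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 3
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-7
"""
# Assumption: for these keys a larger number is the stricter setting.
HIGHER_IS_STRICTER = {"MinimumPasswordLength", "PasswordHistorySize", "PasswordComplexity"}

def parse_template(text):
    """Parse template text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def diff_templates(base, custom):
    """List (section, key, old, new, weakened) for each setting that differs."""
    changes = []
    for section in sorted(set(base) | set(custom)):
        b, c = base.get(section, {}), custom.get(section, {})
        for key in sorted(set(b) | set(c)):
            old, new = b.get(key), c.get(key)
            if old != new:
                weakened = (key in HIGHER_IS_STRICTER and None not in (old, new)
                            and int(new) < int(old))
                changes.append((section, key, old, new, weakened))
    return changes

if __name__ == "__main__":
    for change in diff_templates(parse_template(BASELINE), parse_template(CUSTOM)):
        print(change)
```

When reading real files from systemroot\Security\Templates, decode them first; templates are often saved as Unicode (UTF-16) text.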
Once you have customized the existing security template, you have to apply it to the local policy. The steps are as follows:
1. Click Start, Run.
2. Type mmc and click OK.
3. Click File menu, Open.
4. Click the console that you want to open, then click Open.
5. In the console tree, right-click Security Configuration and Analysis.
6. Click Open Database.
7. Type a file name and then click Open.
8. In Import Template, click a template, and then click Open.
9. In the console tree, right-click Security Configuration and Analysis, and then click Configure Computer Now.
The alternative is to use the Secedit.exe tool. For more information on using Secedit.exe, see MS KB article q227448. If you have any issues working with the secedit.exe tool, visit http://support.microsoft.com/?kbid=897327, download the hotfix and apply it.
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm