Windows Server 2003 Recommended Baseline Security

Windows Server 2003
Recommended Baseline Security (ITSG-20)
6 Server Policy Compliance: Inspection and Enforcement
The manual approach for policy compliance is a feature of the Microsoft Operating System. This
approach uses Microsoft Management Console (MMC) with the ‘Security Configuration and
Analysis’ snap-in. This process applies to both the Domain and Workgroup environments.
Appropriate configurations for the target server are required. Policies are loaded in MMC, the
system is analyzed, and the results are presented on screen. If permissions do not match policy
settings, items are identified with a red ‘x’ or the term ‘Investigate’.
6.1 Configuration of Microsoft Management Console (MMC)
The following steps perform compliance inspection with MMC.
a. Open a ‘Command Prompt’ window.
b. At the command prompt, type ‘mmc’.
i. The ‘Console1’ GUI opens.
c. Select File =>Add/Remove Snap-in.
i. ‘Add/Remove Snap-in’ window appears.
d. Click on ‘Add’ button.
i. ‘Add Stand-alone Snap-in’ window opens.
e. Scroll down to, and select ‘Security Configuration and Analysis’.
f. Click ‘Add’ button.
g. Click ‘Close’ button.
i. Control is returned to the ‘Add/Remove Snap-in’ window.
h. Click ‘OK’ button.
6.2 Load Policy File and Computer Configuration
Effective policy files for a system under inspection must be available. They consist of a Baseline
configuration file and a role specific policy file. For a domain-based print server, “CSE High
Security – Member Server Baseline.inf” and “CSE High Security – Member File Server.inf “ are
used. Based on your Active Directory and policy files within your structure, additional files may
be required.
To load a policy file:
a. Ensure the ‘Console1’ window is active.
b. Right click on ‘Security Configuration and Analysis’.
c. Select ‘Open Database’.
i. The ‘Open Database’ window opens.
d. Enter a name for the database (e.g. systemname-date).
Compliance Inspection and Enforcement March 2004 131