8/11/2019 Command-Line Configuration and Analysis
1/2
AWR-138 Resource
Page 1
Command-line Configuration and Analysis
The online help provided with Secedit.exe describes the syntax for using the command.
To view the help text:
On the Start menu, click Run and then type CMD. Click OK.
Type Secedit and press Enter to see online Help for this command.
The command provides five high-level operations:
Configuring Security with Secedit.exe
The following example reapplies only the file system configuration specified by Mysecure.inf.
To configure file system security with Secedit.exe:
Change to the %windir%\security\database directory (where %windir% is the drive and path to your Windows directory), so that the relative database name used below resolves against it. For example, at the command prompt type: cd /d %windir%\security\database
Type the following:
secedit /configure /db mysecure.sdb /areas FILESTORE /log %windir%\security\logs\Mysecure.log /verbose
where %windir% is the drive and path to your Windows directory (for example, C:\WINNT); the command processor expands the variable for you.
Note that since the database already existed and contained configuration information previously imported from Mysecure.inf, you did not need to specify the /cfg parameter.
Note also that paths for /db, /cfg, and /log that are not in the current directory must be absolute.
To review the results, open %windir%\security\logs\Mysecure.log (typing the path at the command prompt opens the log in its associated editor).
Notice that the previous configurations configured all security areas, while this last configuration processed only the file security area.
Performing Security Analysis with Secedit.exe
Your system is currently configured according to the customized settings defined in Mysecure.inf. You will now violate this policy, and then perform a command-line analysis to locate the violation.
To violate the policy and then locate the violation:
Recall that Mysecure.inf specifies a Restricted Groups policy for the Administrators group such that only the Administrator user should belong to the Administrators group. Violate that policy by adding Everyone to the Administrators group. Do this only on a lab system: until you reverse it, every account that can log on is a local administrator.
Type the following at the Command prompt, and press Enter: net localgroup Administrators Everyone /add
Perform the analysis using Mysecure.sdb as the baseline configuration.
Type the following command at the Command prompt: secedit /analyze /db Mysecure.sdb /log Monitor.log /verbose
If you have access to the Grep tool, you can parse the log file to locate mismatches. Type the following at the Command prompt: grep Mismatch Monitor.log (the built-in findstr works the same way: findstr /i Mismatch Monitor.log)
Notice that the Administrators group is flagged. Mismatches on registry values are also reported because these particular registry values are configured on the system but not in the database. The snap-in tool does not flag these types of mismatches.
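The configure and analyze procedures above, combined into one script. This is an added example, not part of the AWR-138 resource: it assumes Mysecure.sdb already exists in %windir%\security\database (as the text states), that the script runs in an elevated PowerShell session on a lab machine, and that the analysis log can be searched for the word "Mismatch" as the grep step does. It uses absolute paths throughout, which satisfies the requirement that /db and /log paths outside the current directory be absolute, and it removes the deliberate policy violation at the end so the lab machine is not left with Everyone in Administrators.

```powershell
# Added example (not from the AWR-138 resource). Assumptions: Mysecure.sdb already
# exists in %windir%\security\database, this runs elevated on a lab machine, and
# the analysis log reports deviations on lines containing the word "Mismatch".

$dbDir  = Join-Path $env:windir 'security\database'
$logDir = Join-Path $env:windir 'security\logs'
$db     = Join-Path $dbDir  'Mysecure.sdb'   # absolute path: required when not in the current directory
$cfgLog = Join-Path $logDir 'Mysecure.log'
$anaLog = Join-Path $logDir 'Monitor.log'

if (-not (Test-Path $db)) {
    throw "Baseline database $db not found; import Mysecure.inf into it first."
}

# 1. Reapply only the file system area from the existing database.
#    No /cfg is needed because the database already holds the imported template.
secedit /configure /db $db /areas FILESTORE /log $cfgLog /verbose

# 2. Deliberately violate the Restricted Groups policy (lab only: this makes
#    every account a local administrator until step 5 reverses it).
net localgroup Administrators Everyone /add

# 3. Analyze the live system against the baseline database.
secedit /analyze /db $db /log $anaLog /verbose

# 4. Report mismatches; this is the PowerShell equivalent of
#    "grep Mismatch Monitor.log" from the text.
$mismatches = Select-String -Path $anaLog -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
if ($mismatches) {
    Write-Host "Policy deviations found:"
    $mismatches | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No mismatches reported in $anaLog"
}

# 5. Undo the deliberate violation so the lab machine is not left exposed.
net localgroup Administrators Everyone /delete
```

Expect the Administrators group to appear among the mismatches after step 4, alongside any registry values that are set on the system but absent from the database (the snap-in does not report those, but the command-line log does). Re-running step 3 after step 5 should no longer flag the group.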