Command-Line Configuration and Analysis


AWR-138 Resource, 8/11/2019

Command-line Configuration and Analysis

The online help provided with Secedit.exe describes the syntax for using the command.

To view the help text:

On the Start menu, click Run and then type CMD. Click OK.

Type Secedit and press Enter to see online Help for this command.

The command provides five high-level operations:

Configuring Security with Secedit.exe

The following example reapplies only the file system configuration specified by Mysecure.inf.

To configure file system security with Secedit.exe:

Change to the %windir%\security\database directory (where %windir% is the drive and path to your Windows directory). For example, at the command prompt type: cd\c:\windir\security\logs

Type the following:

secedit /configure /db mysecure.sdb /areas FILESTORE /log %windir%\security\logs\Mysecure.log /verbose

where %windir% is replaced with the drive and path to your Windows directory (for example, C:\WINNT).

Note that since the database already existed and contained configuration information previously imported from Mysecure.inf, you did not need to specify the /cfg parameter.

Note also that paths for /db, /cfg, and /log other than the current directory must be absolute.

Type %windir%\security\logs\Mysecure.log

Notice that previous configurations configure all security areas, while the last configuration processed only the file security area.


Performing Security Analysis with Secedit.exe

Your system is currently configured according to the customized settings defined in Mysecure.inf. You will now violate this policy, and then perform a command-line analysis to locate the violation.

To violate the policy and then locate the violation:

Recall that Mysecure.inf specifies a restricted Group Policy for the Administrators group such that only the administrator user should belong to the Administrators group. Violate that policy by adding Everyone to the administrators group.

Type the following at the Command prompt, and press Enter: Net LocalGroup Administrators Everyone /Add

Perform the analysis using Mysecure.sdb as the baseline configuration.

Type the following command at the Command prompt: secedit /analyze /db Mysecure.sdb /Log Monitor.log /verbose

If you have access to the Grep tool, you can parse the log file to locate mismatches. Type the following at the Command prompt: grep Mismatch Monitor.Log

Notice that the administrators group is flagged. Mismatches on registry values are occurring because these particular registry values are configured on the system, but not configured in the database. The snap-in tool does not flag these types of mismatches.
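The grep step above finds every line containing "Mismatch", but, as the text notes, registry-value mismatches are reported even when they only mean the value is absent from the database, so the interesting finding (the Administrators group) is mixed in with noise. The following script is an added example, not part of the AWR-138 resource, that reads an analysis log, attributes each Mismatch line to the area banner it appears under, and separates the Group Membership violation from the Registry Values entries. The sample log is constructed, and its layout (a "----Analyze <area>..." banner followed by one line per checked item) is an assumption modelled on secedit verbose logs; exact wording varies between Windows versions. The decoder also handles a UTF-16 log with a byte-order mark, which is what current Windows versions write and which a byte-oriented grep for "Mismatch" would miss.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of a secedit /analyze /verbose log (assumption: real logs
# use a similar banner-per-area layout; item names and wording will differ).
SAMPLE_LOG = """\
----Analysis engine was initialized successfully.----

----Analyze User Rights...
\tAnalyze SeInteractiveLogonRight.
\tAnalyze SeShutdownPrivilege.

----Analyze Group Membership...
\tAnalyze Administrators.
\tMismatch - Administrators.
\tAnalyze Power Users.

----Analyze Registry Values...
\tAnalyze MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\CachedLogonsCount.
\tMismatch - MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\CachedLogonsCount.

----Analyze File Security...
\tAnalyze c:\\windows\\system32.

----Analysis engine is completed successfully.----
"""

AREA_RE = re.compile(r"^----Analyze (?P<area>.+?)\.\.\.\s*$")
MISMATCH_RE = re.compile(r"^\s*Mismatch - (?P<item>.+?)\.?\s*$")


def decode_log(raw: bytes) -> str:
    """Decode a log file read in binary mode.

    Newer Windows versions write the secedit log as UTF-16LE with a BOM;
    older versions wrote ANSI text.  Handling both keeps the parser from
    silently finding nothing on a UTF-16 file.
    """
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def grep_mismatch(text: str) -> List[str]:
    """Equivalent of `grep Mismatch Monitor.log`: the raw matching lines."""
    return [line.strip() for line in text.splitlines() if "Mismatch" in line]


def mismatches_by_area(text: str) -> Dict[str, List[str]]:
    """Map each analysis area to the items secedit flagged as Mismatch."""
    area = "Unknown"
    found: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        banner = AREA_RE.match(line)
        if banner:
            area = banner.group("area")   # remember which area we are in
            continue
        hit = MISMATCH_RE.match(line)
        if hit:
            found[area].append(hit.group("item"))
    return dict(found)


def policy_violations(text: str) -> Dict[str, List[str]]:
    """Drop the Registry Values area, which (per the text) is flagged merely
    because those values are set on the system but absent from the database."""
    return {a: items for a, items in mismatches_by_area(text).items()
            if a != "Registry Values"}


if __name__ == "__main__":
    for line in grep_mismatch(SAMPLE_LOG):
        print("raw:", line)
    for area, items in policy_violations(SAMPLE_LOG).items():
        for item in items:
            print(f"VIOLATION [{area}]: {item}")
```

To run it against a real log, read the file with `open(path, "rb")` and pass the bytes through `decode_log` before calling `policy_violations`.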