Using the Security Configuration Editor

In NT 4.0 Service Pack 4, Microsoft released a tool called the Security Configuration Editor (SCE). You can also download the tool from ftp://ftp.microsoft.com/. The SCE is installed by default in Windows 2000.

The Security Configuration Editor is an MMC (Microsoft Management Console) snap-in (an add-on component) that makes it possible to edit many of the security settings discussed in this chapter using a friendly GUI (shown in Figure 2-1). With the SCE, you can build templates and apply them to other servers, using either the GUI or the command line.

Figure 2-1. The Security Configuration Editor MMC snap-in

If you have built a template and want to apply the changes without installing SCE on a host, copy the template file, as well as the secedit.exe, scedll.dll, and esent.dll files to a floppy disk. The secedit.exe executable is the command-line interface to the core SCE functions stored in scedll.dll. SCE uses an Indexed Sequential Access Method (ISAM) database engine, previously called “Jet,” to store its settings and results. This database engine is referred to as the Extensible Storage Engine (ESE). The esent.dll provides this functionality.

Insert the floppy in the target system and run the following command:

C:\> secedit /configure /cfg bastion.inf /db %TEMP%\secedit.sdb /verbose /log %TEMP%\scelog.txt ...
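
The batch file below is an added example, not from the book: it wraps the floppy procedure above with a pre-flight check that all four files are present, then runs secedit with the same switches shown in the command. It assumes the script sits on the floppy beside those files and that secedit.exe returns a nonzero exit code on failure.

```bat
@echo off
rem Added example (not from the book): check the floppy contents, then apply
rem the template with the switches shown in the text.
rem Assumption: this script is stored on the floppy next to the other files.
setlocal
set SRC=%~dp0
set TEMPLATE=bastion.inf
set DB=%TEMP%\secedit.sdb
set LOG=%TEMP%\scelog.txt

rem secedit.exe needs scedll.dll (core SCE functions) and esent.dll (the
rem database engine) beside it, so stop before touching the host if any
rem of them, or the template itself, is missing.
for %%F in (secedit.exe scedll.dll esent.dll %TEMPLATE%) do (
    if not exist "%SRC%%%F" (
        echo Missing %%F in %SRC% - nothing was applied.
        goto :eof
    )
)

rem Run the copy of secedit.exe from the floppy, not one found on the PATH,
rem so the executable and its two DLLs come from the same set of files.
"%SRC%secedit.exe" /configure /cfg "%SRC%%TEMPLATE%" /db "%DB%" /verbose /log "%LOG%"

rem Assumption: a nonzero exit code means the template was not fully applied.
if errorlevel 1 (
    echo secedit reported a problem. Review %LOG% before trusting this host.
    goto :eof
)

echo Template %TEMPLATE% applied. Keep %LOG% as the record of this run.
```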
