5. Configuring Local Security Policies with the SecEdit Utility
The Security Edit (SecEdit) utility helps you analyze and manage security policies on your system. This utility uses the following syntax:
    secedit /analyze /db FileName [/cfg FileName] [/overwrite]
        [/log FileName] [/quiet]
    secedit /configure /db FileName [/cfg FileName] [/overwrite]
        [/areas Area1 Area2 ...] [/log FileName] [/quiet]
    secedit /export [/db FileName] [/cfg FileName]
        [/mergedpolicy] [/areas Area1 Area2 ...] [/log FileName] [/quiet]
    secedit /import /db FileName.sdb /cfg FileName [/overwrite]
        [/areas Area1 Area2 ...] [/log FileName] [/quiet]
    secedit /validate FileName
    secedit /GenerateRollback /cfg FileName /rbk SecurityTemplateFileName
        [/log FileName] [/quiet]
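The following script is an added example, not part of the original text, showing how a defender would chain these switches into one safe workflow: validate a template, snapshot the current policy, analyze the host against a baseline, generate a rollback template, and only then (when explicitly enabled) configure a single area. It assumes an elevated PowerShell prompt on a Windows host; the working folder, file names, the baseline values in the constructed template, the use of secedit's exit code as a success indicator, and the "Mismatch" wording searched for in the analysis log are all assumptions of this example.

```powershell
# Added example (not from the page). Run from an elevated PowerShell prompt.
# Set $Apply to $true only after reviewing the analysis output; the default
# run is analysis-only and changes nothing on the system.
$Apply = $false

$Work     = Join-Path $env:TEMP 'secedit-demo'      # assumed working folder
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Baseline = Join-Path $Work 'baseline.inf'           # security template (/cfg)
$Db       = Join-Path $Work 'baseline.sdb'           # analysis database (/db)
$Current  = Join-Path $Work 'current.inf'            # snapshot of live policy
$Rollback = Join-Path $Work 'rollback.inf'           # produced by /GenerateRollback
$LogPre   = Join-Path $Work 'analyze-before.log'
$LogPost  = Join-Path $Work 'analyze-after.log'

# 1. Constructed sample template. Values are illustrative; replace them with
#    your organisation's baseline. Templates are expected to be Unicode text.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
'@ | Set-Content -Path $Baseline -Encoding Unicode

# 2. Catch template syntax errors before anything touches the system.
#    (Assumption: a non-zero exit code signals a validation problem.)
secedit /validate $Baseline
if ($LASTEXITCODE -ne 0) { throw "Baseline template failed validation: $Baseline" }

# 3. Record the effective local policy so the "before" state is on file.
secedit /export /cfg $Current /areas SECURITYPOLICY /quiet

# 4. Load the baseline into a fresh database and compare the live host
#    against it. A separate log per run keeps the results easy to read.
Remove-Item $Db -ErrorAction SilentlyContinue
secedit /analyze /db $Db /cfg $Baseline /overwrite /log $LogPre /quiet
Write-Host "Settings that differ from the baseline:"
Select-String -Path $LogPre -Pattern 'Mismatch' | ForEach-Object { $_.Line }

if ($Apply) {
    # 5. Always produce a rollback template before applying a change.
    secedit /GenerateRollback /cfg $Baseline /rbk $Rollback /quiet

    # 6. Apply only the SECURITYPOLICY area; file and registry ACLs stay untouched.
    secedit /configure /db $Db /cfg $Baseline /overwrite /areas SECURITYPOLICY /quiet

    # 7. Re-analyze to confirm the mismatches are gone.
    secedit /analyze /db $Db /log $LogPost /quiet
    Write-Host "Remaining mismatches after configuration:"
    Select-String -Path $LogPost -Pattern 'Mismatch' | ForEach-Object { $_.Line }

    Write-Host "To revert: secedit /configure /db $Db /cfg $Rollback /overwrite /areas SECURITYPOLICY"
}
```

Restricting /configure to the SECURITYPOLICY area is deliberate: applying REGKEYS or FILESTORE from a template rewrites ACLs across the system and is the step most likely to need the rollback template, so it belongs in a separately reviewed run.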
The following list describes each of the command line arguments.
/analyze
    Analyzes the security policy on a system by comparing its current settings to the settings stored in a database.
/db FileName
    Specifies the database used to perform the analysis, configuration, or other tasks.

/cfg FileName
    Specifies a security template to import into the database before the utility performs a task. You can create a security template using the Security Templates Microsoft Management Console (MMC) snap-in.

/overwrite
    Overwrites any existing database entries before the utility imports the security template. Otherwise, the utility adds the settings in the security template to the existing database.

/log FileName
    Specifies the file to use for logging purposes. The log receives the status of the configuration process. If you don't specify this command line switch, the utility uses the SCESrv.LOG file located in the \WINDOWS\security\logs folder.

/quiet
    Performs the analysis without displaying any comments.
/configure
    Performs a security configuration based on the content of the specified security database.
/areas Area1 Area2 ...
    Specifies the security areas to manage. If you don't include this command line switch, the utility manages all security areas. You can specify multiple areas by separating each area with a space. The following list contains the valid security areas.

    SECURITYPOLICY
        Defines the user security policy, which includes account policies, audit policies, event log settings, and security options.

    GROUP_MGMT
        Defines the restricted group settings.

    USER_RIGHTS
        Defines the user rights assignments to system objects.

    REGKEYS
        Defines the registry permissions.

    FILESTORE
        Defines the file system permissions.

    SERVICES
        Defines the system service settings.
/export
    Exports the security settings to a database file.

/mergedpolicy
    Creates a merged database file that includes both local and domain security settings.

/import
    Imports the security settings from a database file. You can use a template file to provide overrides for settings in the database.

/validate FileName
    Validates the contents of a security template. Use this option to reduce syntax-induced errors.

/GenerateRollback
    Generates a security rollback based on the content of a security rollback template. The system offers you the opportunity to create a rollback template when you apply a security update to the system. This rollback template returns the system to the state it was in before the security update.

/rbk SecurityTemplateFileName
    Specifies the name of the file that contains the security rollback template.
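The switches above move settings between security templates and databases, but the template itself is just an INI-style text file, and comparing an exported template against a baseline is a check practitioners want independently of /analyze (for example, to review drift across many exported files offline). The following is an added example, not code from the original text or from Microsoft: a small parser for the section/key=value template format and a drift report against a baseline. The function names, the chosen sections, and the two sample templates embedded in the script are constructed for illustration; in practice the inputs come from Get-Content on files produced by secedit /export.

```powershell
# Added example (not from the page). Parses secedit-style security templates
# and lists keys whose current value differs from a baseline.

function ConvertFrom-SecurityTemplate {
    # Turns template lines into @{ Section = @{ Key = Value } }.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result  = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {                            # [Section] header
            $section = $Matches[1]
            if (-not $result.ContainsKey($section)) { $result[$section] = @{} }
            continue
        }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {   # Key = Value
            $result[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $result
}

function Compare-SecurityTemplate {
    # Emits one object per baseline key whose current value is missing or different.
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][hashtable]$Current,
        [string[]]$Sections = @('System Access', 'Event Audit', 'Privilege Rights')
    )
    foreach ($sec in $Sections) {
        if (-not $Baseline.ContainsKey($sec)) { continue }
        foreach ($key in $Baseline[$sec].Keys) {
            $want = $Baseline[$sec][$key]
            $have = if ($Current.ContainsKey($sec)) { $Current[$sec][$key] } else { $null }
            if ($have -ne $want) {
                [pscustomobject]@{ Section = $sec; Key = $key; Baseline = $want; Current = $have }
            }
        }
    }
}

# Constructed sample inputs standing in for a baseline template and a file
# written by `secedit /export`; replace with Get-Content on real files.
$baselineText = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 10
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
'@ -split "`r?`n"

$currentText = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
LockoutBadCount = 10
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
'@ -split "`r?`n"

$drift = Compare-SecurityTemplate -Baseline (ConvertFrom-SecurityTemplate $baselineText) `
                                  -Current  (ConvertFrom-SecurityTemplate $currentText)
$drift | Format-Table -AutoSize
```

With the sample data the report lists two rows: MinimumPasswordLength (baseline 14, current 7) and SeRemoteInteractiveLogonRight, where an extra SID has been granted the right. These are the same kinds of differences that secedit /analyze records for the SECURITYPOLICY and USER_RIGHTS areas, but the comparison here runs on any machine that can read the exported files, which makes it useful for reviewing templates collected from a fleet.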