/build/static/layout/Breadcrumb_cap_w.png

Performing Extra Security Configurations Using RIS

If you can figure out how to install it via Batch file then you are set. I believe you can use a command line based batch file to call secedit as seen below:

secedit /import

Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.

Syntax

secedit /import /db FileName.sdb /cfg FileName.inf [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

Parameters

/db FileName.sdb

Specifies the database that the security template settings will be imported into.

/CFG FileName

Specifies a security template to import into the database. Security templates are created using the Security Templates snap-in.

/overwrite FileName

Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.

/areas Area1 Area2 ...

Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space. Area name Description

SECURITYPOLICY Includes account policies, audit policies, event log settings, and and security options.

GROUP_MGMT Includes Restricted Group settings

USER_RIGHTS Includes User Rights Assignment

REGKEYS Includes Registry Permissions

FILESTORE Includes File System permissions

SERVICES Includes System Service settings

/log FileName

Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.

/quiet

Specifies that the configuration process should take place without prompting the user.

Examples

Following is an example of how you can use this command:

secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite

Once you can get the batch file working then you need to add some information to your unattend.sif file. Here are the following areas to modify:

[GuiUnattended]

AdminPassword=xxxxxxx (should be your local admin password)

Autologon=Yes

AutoLogonCount=1

What these settings do is 1. sets admin password on machine 2. specifies that it will automatically logon as admin without prompting for credentials 3. specifies that the AutoLogon will only happen once.

Now you must also add the following information.

[GuiRunOnce]

{Path to batch file}

To get the batch file onto the local machine you must create add the file into the folders where you keep the drivers usually \$OEM$\$1\. Anything in this folder will be copied to the root of the c:\ so you will want to burry it at least one more folder deep. Then in the GuiRunOnce section you can call it as c:\{folder}\secedit.bat. At this point the file will exist locally so there should be no problem calling it. You will want to make sure that in your batch file you specify shutdown.exe -r to reboot the machine. If not then you will have a machine sitting logged in as administrator. Shutdown is in the res kit for win2k. I created a similar setup to manually change a registry setting upon reboot. Here is what my batch file looked like:

regedit.exe /s c:\drv\reg\ddhcpms.reg

c:\drv\reg\shutdown.exe /r

del /Q c:\drv\reg\*.*

I ran shutdown and it has a delay by default, so it leaves enough time to run the del command to clean up after.

Once you have the machine configured the way you want then you can use the secedit command again and export the inf, See below:

Allows you to export the security settings stored in the database.

Syntax

secedit /export [/DB FileName] [/mergedpolicy] [/CFG FileName] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

Parameters

/db FileName

Specifies the database used to configure security.

/mergedpolicy

Merges and exports domain and local policy security settings.

/CFG FileName

Specifies the template the settings will be exported to.

/areas Area1 Area2 ...

Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space. Area name Description

SECURITYPOLICY Includes account policies, audit policies, event log settings, and and security options.

GROUP_MGMT Includes Restricted Group settings

USER_RIGHTS Includes User Rights Assignment

REGKEYS Includes Registry Permissions

FILESTORE Includes File System permissions

SERVICES Includes System Service settings

/log FileName

Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.

/quiet

Specifies that the configuration process should take place without prompting the user.

Examples

Following is an example of how you can use this command:

secedit /export /db hisecws.inf /log hisecws.log


Comments

This post is locked
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ