Lab 5.3 - Applying Windows System Security Policies
Used secedit.exe to analyze a Windows VM against the Alpha-Win-Wkstn-Basic-Sec-Policy template, surfaced MinimumPasswordLength, LockoutBadCount, and MaximumLogSize mismatches via Select-String on the log, applied the template with /configure, and re-analyzed to confirm the drift was eliminated.
Commands
1. Review secedit.exe /analyze syntax
Ran secedit /analyze with no arguments to print the help text. The workflow needs three things: a database file (/db) to hold the analysis, a configuration template (/cfg) that defines the desired state, and a log file (/log) to record per-setting results.
secedit.exe /analyze
2. Analyze the VM against the Alpha basic template
Ran secedit /analyze against the Alpha-Win-Wkstn-Basic-Sec-Policy.inf template. The engine compares every setting in the template to the current VM state and writes per-setting results to the compare log. "Task completed successfully" means the analysis engine ran cleanly — the actual drift findings live in the log.
secedit.exe /analyze /db alpha-basic-policy.sdb /cfg Alpha-Win-Wkstn-Basic-Sec-Policy.inf /log C:\sec401\labs\5.3\compare-vm-to-alpha-basic-policy.log
3. Open the compare log and scan for Mismatch
Opened the log in Notepad and used Find to jump through 'Mismatch' entries. The --Analyze Security Policy-- section shows MinimumPasswordLength as Mismatch while adjacent settings (PasswordHistorySize, MaximumPasswordAge, PasswordComplexity) are Not Configured — meaning the template doesn't define them. LockoutBadCount is also flagged.
notepad C:\sec401\labs\5.3\compare-vm-to-alpha-basic-policy.log
4. Grep the log with Select-String
Piped Get-Content to Select-String 'mismatch' to list only the drift. Five Mismatch lines: MinimumPasswordLength, LockoutBadCount, and MaximumLogSize (x3 — one per event log: Application, Security, System). That's the exact hardening delta the template will apply.
Get-Content .\compare-vm-to-alpha-basic-policy.log | Select-String 'mismatch'
5. Apply the template with secedit /configure
Ran secedit /configure using the same database. /configure is the verb that actually writes the template's settings into local policy. The "task completed successfully" message means every defined setting in the template was applied.
secedit.exe /configure /db alpha-basic-policy.sdb /log C:\sec401\labs\5.3\apply-apha-basic-policy-to-vm.log
6. Re-analyze to verify the drift is gone
Ran /analyze a second time and wrote the output to recompare-vm-to-alpha-basic-policy.log. Running the compare twice — once before /configure and once after — is the evidence pattern: the second log should show zero Mismatch entries, which proves the template was applied successfully.
secedit.exe /analyze /db alpha-basic-policy.sdb /log C:\sec401\labs\5.3\recompare-vm-to-alpha-basic-policy.log
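Steps 4 and 6 produce the before and after logs; the following PowerShell is an added example (not one of the lab's own commands) that parses both logs section by section, so repeated settings such as the three MaximumLogSize entries keep their section and occurrence number, and the recompare is checked automatically for zero Mismatch entries. The log layout (`----` section headers, `Mismatch - Setting.` entries) is assumed from the log described above; the embedded sample logs are constructed stand-ins for the real compare/recompare files.

```powershell
# Assumed secedit log layout: "----<Section>..." headers, "<Status> - <Setting>." entries.
function Get-SeceditMismatch {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $section = 'Header'
    $ordinal = @{}   # counts repeats of the same setting name (e.g. MaximumLogSize x3)
    foreach ($line in $LogLines) {
        if ($line -match '^-{2,}\s*(.+?)\.{0,3}\s*$') { $section = $Matches[1].Trim(); continue }
        if ($line -match '^\s*Mismatch\s*-\s*([A-Za-z0-9_]+)\.?\s*$') {
            $name = $Matches[1]
            $ordinal[$name] = 1 + [int]$ordinal[$name]
            [pscustomobject]@{ Section = $section; Setting = $name; Occurrence = $ordinal[$name] }
        }
    }
}

function Compare-SeceditDrift {
    param([string[]]$Before, [string[]]$After)
    $pre  = @(Get-SeceditMismatch -LogLines $Before)
    $post = @(Get-SeceditMismatch -LogLines $After)
    [pscustomobject]@{
        BeforeCount = $pre.Count
        AfterCount  = $post.Count
        Remaining   = @($post | ForEach-Object { "$($_.Setting) [$($_.Section)]" })
        Eliminated  = ($pre.Count -gt 0) -and ($post.Count -eq 0)   # drift existed and is now gone
    }
}

# Constructed sample logs (shape only), standing in for the lab's compare and recompare logs.
$beforeLog = @'
----Analyze Security Policy...
    Mismatch - MinimumPasswordLength.
    Not Configured - PasswordHistorySize.
    Mismatch - LockoutBadCount.
----Analyze Event Log Settings...
    Mismatch - MaximumLogSize.
    Mismatch - MaximumLogSize.
    Mismatch - MaximumLogSize.
'@ -split "`r?`n"
$afterLog = @'
----Analyze Security Policy...
    Not Configured - PasswordHistorySize.
----Analyze Event Log Settings...
'@ -split "`r?`n"

Get-SeceditMismatch -LogLines $beforeLog | Format-Table -AutoSize   # 5 rows, MaximumLogSize 1..3
Compare-SeceditDrift -Before $beforeLog -After $afterLog            # BeforeCount 5, AfterCount 0, Eliminated True
# Real logs: Compare-SeceditDrift -Before (Get-Content .\compare-vm-to-alpha-basic-policy.log) -After (Get-Content .\recompare-vm-to-alpha-basic-policy.log)
```

Eliminated is only true when the first log had drift and the second has none, so an empty before-log (a template that defines nothing) does not pass as a successful hardening.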
7. Load the MMC snap-ins
Added Security Templates and Security Configuration and Analysis to an MMC console. The MMC snap-ins are the GUI equivalent of secedit /analyze and /configure — useful for editing .inf templates interactively and for analysts who prefer a tree view. Same engine, different surface.
mmc.exe (File → Add/Remove Snap-in → Security Templates, Security Configuration and Analysis)
Key Findings
- MinimumPasswordLength did not match the Alpha basic template
- LockoutBadCount did not match the template
- MaximumLogSize mismatched on Application, Security, and System event logs
- Template applied cleanly via secedit /configure
- Re-analysis confirms zero Mismatch entries post-configure
Security Controls
- Windows security baselines (CIS, Microsoft SCT)
- Group Policy Objects and Local Security Policy
- Password policy (length, history, lockout)
- Event log sizing and retention
- Configuration drift detection and audit evidence