Profiling Microsoft Windows Security

It is difficult to know if your controls are correct without the ability to compare other configurations. You want to be able to compare configuration settings of your systems with the configurations of systems you know to be secure. System administrators often collect reported configuration settings for comparison with similar settings. A collection of configuration settings is called a baseline and can take on many forms. Each baseline generally contains a collection of configuration settings intended for a specific purpose. For example, a collection of security-related settings is commonly referred to as a security baseline.

Profiling

Once you have a baseline, or snapshot, of one or more of your computers, what do you do with it? One of the most effective uses of baselines is to compare them with known “good” baselines. There are many definitions for a “good” baseline. It generally means a baseline of a secure system. The process of comparing configuration settings of a computer with a collection of secure configuration settings makes it easy to see the differences. An alternate approach would be to define an insecure baseline and look for similarities or differences with your systems.

The process of comparing real computer configurations to known baselines is called profiling. Profiling, in general, means extracting information about someone or something based on known attributes. Many movies contain plot devices that depend on profiling. Westerns provide a great example of character profiling. In many old Westerns, the good guys wore white hats. The bad guys wore black hats. It was easy to tell who was good and who was bad. The process of comparing the known wardrobe characteristics with what a specific character wears is called profiling the character.

While profiling is not accurate in all cases, it quickly identifies attributes or characteristics associated with a subject of a predefined group. In old Western movies, wearing a black hat doesn’t make a character bad, but it makes the audience suspicious of that character. Profiling in the operating system security context is really no different. The idea of profiling is to define a baseline of a known configuration. In most cases, the baseline is that of a secure configuration. Once you have a defined baseline, it can be compared with existing system configurations, reporting any differences. You can investigate the differences and take appropriate action to make your computers more secure.

Profiling also allows you to compare snapshots, or baselines, of your systems over time. Comparing two snapshots of the same computer taken at two different times helps you see configuration changes over time. While some changes may be normal, other configuration changes may indicate unauthorized changes to your environment.

Profiling Windows Computers

Microsoft provides a few tools that make profiling Windows easy. The Security Configuration and Analysis (SCA) tool helps administrators do several things. It allows you to analyze a computer and compare its configuration settings with a baseline. The SCA can also apply a baseline to force current computer settings to match the settings defined in the baseline. This feature is handy anytime you want to overwrite existing settings and revert to a known configuration. The SCA uses security templates to store the settings that make up baselines (FIGURE 7-1). A security template is a text file that contains a list of configuration settings.

FIGURE 7-1
Security templates. (Screenshot of the Console1 window of the Security Configuration and Analysis MMC snap-in.)
Courtesy of Microsoft Corporation.

Older versions of Windows included a collection of security templates. Because Windows computers operate in such a wide variety of use cases, current versions of Windows do not include an assortment of specific templates. Microsoft decided that attempting to address so many workstation and server roles would be difficult and would not end up providing much value. Creating vendor-supplied generic default security templates becomes more difficult as the number of configuration roles and options grows. A good way to create a baseline for profiling is to create your own security template that corresponds to your organization’s security policy. The process of editing template settings is very similar to editing Group Policy Object (GPO) settings. Microsoft provides the Security Templates snap-in (FIGURE 7-2) for the MMC, which helps you create and manage security templates.

FIGURE 7-2
Security Configuration and Analysis MMC snap-in. (Screenshot of the Console1 window of the Security Configuration and Analysis MMC snap-in.)
Courtesy of Microsoft Corporation.

The SCA tool can be used to profile a Windows computer. It allows you to analyze a computer using either a default template or a custom template you created with the Security Templates MMC snap-in. You can also use security templates you have acquired from some other source. You can conduct a security analysis, also called profiling a system, using either the SCA MMC snap-in or the SCA command-line tool. The security analysis compares the current system settings with the loaded template that represents the baseline. Once a baseline template is created, use the SCA command-line tool to report any differences between the current computer settings and the baseline. Although the same information is available in the SCA MMC snap-in, the SCA command-line tool produces text output. This makes it easier to spot differences without having to navigate through multiple windows. You can even use SCA to change current settings to match the baseline template.
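The comparison the SCA analysis performs, shown as an added example that is not part of the book or of Microsoft's tools: two constructed security-template text files in the same section/setting layout Windows security templates use, one the baseline and one a snapshot of the current settings, are parsed and every baseline setting that is missing or differs on the current system is reported. Passing an older snapshot as the baseline turns the same code into the snapshot-over-time comparison described earlier.

```python
import configparser

# Constructed baseline security template (a subset of the sections a real
# .inf template contains; the values are illustrative, not a recommendation).
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
"""

# Constructed snapshot of a computer's current settings in the same format
# (in practice this is what the SCA command-line tool exports).
CURRENT_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,0
"""

def parse_template(text):
    """Parse template text into {section: {setting: value}}, dropping [Unicode]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep setting names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s != "Unicode"}

def profile(baseline, current):
    """Return (section, setting, expected, actual) for every deviation.

    actual is None when the baseline setting is not present in the snapshot.
    """
    findings = []
    for section, settings in baseline.items():
        cur = current.get(section, {})
        for name, expected in settings.items():
            actual = cur.get(name)
            if actual != expected:
                findings.append((section, name, expected, actual))
    return findings

if __name__ == "__main__":
    for sec, name, exp, act in profile(parse_template(BASELINE_INF),
                                       parse_template(CURRENT_INF)):
        print(f"[{sec}] {name}: baseline={exp} current={act or '<not set>'}")
```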
