I have been tasked with preparing for a security audit of over 600+ W2K3 and W2K8 servers in a single domain. I have to prepare a script (zipped up) to give to the server admins - there are multiple server admin groups - for them to run as a batch script on EACH server.
I need the security data in a flat file format so that we can wrap it up into a PHP script and put it up on a Web browser.
So far - I plan to add this to the script:
secedit /export /mergedpolicy /cfg sec.pol.txt
I am having trouble understanding the secedit output - example:
[Registry Values]
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0
Which of the above matches the GUI output of gpedit.msc under the tags:
Domain member: Digitally encrypt or sign secure channel data (always) Enabled
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Digitally sign secure channel data (when possible) Enabled
Will I have to change the registry, run secedit - view the output - change the registry - run secedit - and then see what value changes to verify the secedit output ? Maybe MS has some explanation of the value settings - somewhere ? In my experience 0 = off and 1 = on but looking at the secedit output that is NOT always true - also the registry entries from the secedit are cryptic and I am not certain what GUI entry they match !!
or --
Is there a better program to do this with ?? Can I script gpedit.msc to run in a batch mode - maybe via wmic ?? I can take HTML output and add it directly to the PHP code - but - so far I cannot get gpedit to run in batch and to export all the data.
Thanks
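The secedit export is an INI-style file whose [Registry Values] lines have the form path=type,data, where the number before the comma is the Windows registry data type (4 = REG_DWORD) and the number after it is the stored value. The parser below is an added example, not code from the original post: it reads that section, maps the three Netlogon secure-channel entries from the question to their gpedit.msc display names, and reports which of them are not Enabled; the sample export is constructed and the [Unicode]/[Version] headers mirror what secedit writes.

```python
"""Parse the [Registry Values] section of a secedit /export file and map the
Netlogon secure-channel entries to their gpedit.msc display names."""
from typing import Dict, List, Tuple

# Registry data type codes as they appear before the comma in secedit output.
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# secedit writes the registry path in lowercase; these are the three entries
# from the question and the policy names gpedit.msc shows for them.
NETLOGON = "machine\\system\\currentcontrolset\\services\\netlogon\\parameters\\"
GUI_NAMES = {
    NETLOGON + "requiresignorseal": "Domain member: Digitally encrypt or sign secure channel data (always)",
    NETLOGON + "sealsecurechannel": "Domain member: Digitally encrypt secure channel data (when possible)",
    NETLOGON + "signsecurechannel": "Domain member: Digitally sign secure channel data (when possible)",
}

# Constructed sample in the format shown in the question (not a real export).
SAMPLE = r"""[Unicode]
Unicode=yes
[Registry Values]
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0
[Version]
signature="$CHICAGO$"
"""

def parse_registry_values(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {registry_path: (type_name, data)} from the [Registry Values] section."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue                      # section header: only this section matters
        if not in_section or "=" not in line:
            continue
        path, _, typed = line.partition("=")        # path=type,data
        code, _, data = typed.partition(",")
        type_name = REG_TYPES.get(int(code), "type " + code)
        values[path.strip().lower()] = (type_name, data.strip())
    return values

def policy_states(text: str) -> Dict[str, str]:
    """Map each known Netlogon entry to its GUI name and Enabled/Disabled state."""
    states = {}
    for path, (type_name, data) in parse_registry_values(text).items():
        if path in GUI_NAMES and type_name == "REG_DWORD":
            states[GUI_NAMES[path]] = "Enabled" if data == "1" else "Disabled"
    return states

def missing_or_disabled(text: str) -> List[str]:
    """GUI names of the three secure-channel policies that are absent or not Enabled."""
    states = policy_states(text)
    return [name for name in GUI_NAMES.values() if states.get(name) != "Enabled"]
```

Run the same functions over each server's sec.pol.txt to produce the flat per-host rows the PHP front end needs; an entry missing from the export means the local policy does not define it.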