Skip to main content

Programatically configure Security Policies

Alsalam alikom wa ra7mat Allah wa barakatoh

Recently, we have ran into a problem when we had to modify Install Shield script to programatically configure some security policies while being installed. We thought this information may come in handy for some of you. However, I know not much people will be interested in such a detailed problem...

Our deliverables will be:
- a .inf file a security template file that contains the proposed configurations
- a .sdb file (Security DataBase) this is able to inspect the client policies and modify/configure it.
- a .rul file (Install Shield Script) that is able to install such configurations

Let's start one by one,
  1. Open Start Menu -> Run -> MMC and hit enter
  2. File menu -> Add/Remove Snap-in
  3. Press Add and choose "Security Configuration and Analysis" then hit Add
  4. Choose "Security Templates" and hit Add... then Ok to close the main dialog
  5. Expand Security Templates and Add a new template as in the picture

  6. Choose a name (Tmpl Trial for example) and description then hit okay
  7. Now expand the newly created template, and configure it as you wish.

  8. Right click on the template, save as and choose any place you want to save it in (by default a file will have been created for you)
  9. Right click on the Security Configuration and Analysis, choose Open Database
  10. Type a name for the data base you want to create, let's call it Tmpl Trial DB
  11. It will ask you to pick a template for it, choose the .inf file you have saved earlier (in step 8).
  12. bingo, just close the mmc and don't save the Console1 if it asked you to :)

If you didn't change the default paths, you will find those files in My DocumentsSecurity
Now we've created the .inf and .sdb files... the only remaining task is to write the script that will apply the configurations

For those not familier with IShield script, what we basically want to do is to execute this command:

C:WindowsSystem32secedit.exe /configure /db "C:....Tmpl Trial DB.sdb"

There are a couple of things we don't know about,
  1. The path of the Windows Directory... you can replace that part with WINDIR macro
  2. The path of the .sdb file, you can make sure it's being copied to the installation directory, and then you can use INSTALLDIR macro

So, here is a sample script:
szApplication = WINDIR ^ "system32\secedit.exe";
szParameters = "/configure /db "" + INSTALLDIR + "Tmpl Trial DB.sdb"";
LaunchApp(szApplication, szParameters);

N.B. Of course to run the installer we need a user who has privileges to configure the security policy.

That's all...

Happy coding :)

Alsalam alikom wa ra7mat Allah wa barakatoh

Comments

  1. you were tagged by me to say 8 facts no one knows about you and tag another 8 of your friends

    ReplyDelete

Post a Comment

Popular posts from this blog

Windows7 adds Math Input Panel

Alsalam alikom wa ra7mat Allah wa barakatoh… I was reading a windows team post about Input Panels improvements in Windows7 [ here ]. When at the end I saw a very interesting –intuitive if you wish- new thing… which is, as you guessed, the Math Input Panel… Yes, that crappy font is mine… I “drew” that by mouse as I don’t have a tablet pen/pc. You can then paste it directly into word and it’ll recognize it as an editable equation… During my tests, the output panel (the top part) hanged, but I liked that the drawing panel was still responsive and I could still write/erase… till the top one started to respond again… One other thing to know, after you click Insert (that button down there) it copies the equation in MathML [ Wikipedia link ] format.. which is a standard way of representing equations and hence any application that recognizes the format can insert it not as an image but as a nice editable equation… If you think it recognized something wrong, you can click “Sele...

Microsoft Web Platform Installer… coming near you

The Microsoft Web Platform Installer 2.0 (Web PI) is a free tool that makes it simple to download, install and keep up-to-date with the latest components of the Microsoft Web Platform, including Internet Information Services (IIS), SQL Server Express, .NET Framework and Visual Web Developer. In addition, install popular open source ASP.NET and PHP web apps with the Web PI. Here is the code snippet if you want to spread the word :) < a href ="http://go.microsoft.com/fwlink/?LinkId=146503" title=" Get the Microsoft Web Platform " > < img src ="http://www.microsoft.com/web/media/badge/get_microsoft_web_platform.png" alt ="Get the Microsoft Web Platform" border ="0" /> </ a >

Question Google Chrome Process Isolation Model..

Alsalam alikom wa ra7mat Allah wa barakatoh Google once published this comics book about Google chrome (their Open Source Web Browser) I've linked to one page that I'm concerning about for now... Page 4, Google Chrome Comics Book It explains that Chrome will have separate process per tab, away from the benefits/concerns about this... I was accidently checking chrome's task manager (Shift + Esc) and found something that -apparently- violates this rule... As you see, tab1 process has actually spanned 3 tabs... which is a similar behavior to what IE8 does... I'm not quite sure why this happens in Chrome... but it's just a question to ask... Thanks, Haytham