SekChek for Windows: Planning Your Analysis - Deciding Which Computers to Analyse

Deciding which Computers to Analyse with SekChek


To ensure SekChek will provide you with the best results:

  • Make sure you are clear on the scope of your review. For example, do you want to analyse domain-wide security for one domain only, the security of dial-in access (e.g. RAS) to a domain, access to sensitive applications or data residing on specific servers or workstations, or enterprise-wide security on all trusting and trusted domains?
  • Ensure you have a basic understanding of your client’s computer network. If you are not certain, the quickest way to obtain this information is to run SekChek on a domain controller first.

This will provide you with analyses of all domain-wide security settings, all user accounts defined to that domain and details of all computers that are visible to the domain controller. It will also give you a summary of any Trust relationships that might exist with other domains on the network.

After you have studied the domain-wide security analysis, you might decide to run SekChek on a specific computer containing sensitive data or a particular application system, to obtain an analysis of security settings that are local to that computer.

An example would be a server running RAS software, which grants dial-in access (via a modem link) to remote users.

If SekChek is run on a domain controller, it will analyse only those accounts with RAS access defined at domain level and provide you with a list of all visible RAS servers. However, because accounts with RAS access can also be defined locally (i.e. on the RAS server itself), you would additionally need to run SekChek on each RAS server to obtain a complete picture of security controls over dial-in access.

If there are trusted domains, you should consider running SekChek on the domain controllers for all trusted domains. This is because inappropriate security settings on trusted domains will threaten and undermine security on the trusting domain.

When planning your SekChek analyses, keep in mind that if SekChek is run on:

  • A domain controller, it will report on security information at the domain level for users, accounts and groups and on domain-wide security (policy) settings.
  • A server or workstation that is not a domain controller, it will report on security information at the local (server or workstation) level for users, accounts and groups, and on security (policy) settings for that machine only. It will not analyse accounts and security settings defined at the domain level, although it will list any domain and workgroup memberships.

In summary, you will obtain the most comprehensive view of security by running SekChek on a combination of the domain controller, selected servers containing sensitive data and systems, and the domain controllers for each trusted domain.
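
The selection rules above can be turned into a simple scoping aid. The following is an added example, not part of SekChek or its documentation: it takes an inventory of domains, trust relationships and host roles and lists which computers to analyse, which level (domain or local) each run covers, and where coverage is missing. All domain and host names are constructed, and following trusts beyond the directly trusted domains is an assumption that goes further than the text.

```python
from collections import deque

# Constructed inventory: every domain and host name here is hypothetical.
TRUSTS = {"CORP": ["SALES"], "SALES": ["PARTNER"], "PARTNER": []}
HOSTS = [
    {"name": "CORP-DC1", "domain": "CORP", "roles": {"dc"}},
    {"name": "CORP-RAS1", "domain": "CORP", "roles": {"ras"}},
    {"name": "CORP-PAY1", "domain": "CORP", "roles": {"sensitive"}},
    {"name": "CORP-WS17", "domain": "CORP", "roles": set()},
    {"name": "SALES-DC1", "domain": "SALES", "roles": {"dc"}},
]

def domains_in_scope(review_domain, trusts):
    """Review domain plus every domain it trusts, directly or indirectly."""
    seen, queue = [review_domain], deque([review_domain])
    while queue:
        for trusted in trusts.get(queue.popleft(), []):
            if trusted not in seen:
                seen.append(trusted)
                queue.append(trusted)
    return seen

def plan_analysis(review_domain, trusts, hosts):
    """Return (plan, gaps): hosts to analyse with the level each run covers."""
    plan, gaps = [], []
    for domain in domains_in_scope(review_domain, trusts):
        dcs = [h["name"] for h in hosts
               if h["domain"] == domain and "dc" in h["roles"]]
        if dcs:
            # One domain controller per domain gives the domain-level view.
            plan.append((dcs[0], "domain", f"domain-wide settings for {domain}"))
        else:
            gaps.append(f"no domain controller known for {domain}")
    for h in hosts:
        if h["domain"] != review_domain or "dc" in h["roles"]:
            continue
        if "ras" in h["roles"]:
            # Locally defined dial-in accounts are not analysed from the DC.
            plan.append((h["name"], "local", "local accounts with RAS access"))
        elif "sensitive" in h["roles"]:
            plan.append((h["name"], "local", "local settings on sensitive system"))
    return plan, gaps

if __name__ == "__main__":
    plan, gaps = plan_analysis("CORP", TRUSTS, HOSTS)
    for name, level, reason in plan:
        print(f"{name:10} {level:7} {reason}")
    for gap in gaps:
        print("GAP:", gap)
```

The reported gap for the constructed PARTNER domain shows the case the planning step is meant to catch: a trusted domain whose domain controller is not yet in the inventory.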