Four Local Security Policies - What do They Do?
Sometimes, when using an application, we look at the title of a policy, task, or menu choice and think, "That's pretty straightforward and easy to understand." Other times we look and say, "What in the world does the developer expect me to do with that!?" And sometimes we look and say, "Well, that seems pretty straightforward, but what does it REALLY do?" The last question is the one we are going to focus on here, and not for just one menu choice but for four, in this case policy configurations. What do the following four Local Security Solution (LSS) policies do, and how are they used?
1. COM+\DCOM Inventory Policy - This policy inventories the COM+ and DCOM applications installed on the managed computers/clients.
a. Once the COM+ and DCOM applications on the managed hosts have been inventoried, LSS lets you create one or more tasks that set the configuration of a particular inventoried application, i.e. which user accounts may launch it and call into it. The "Set COM+ Application Configuration" and "Set DCOM Application Configuration" tasks are used for this and are shown in the attached screenshot.
2. Local User Inventory Policy - This policy inventories the local user accounts, local groups, and group memberships on the managed computers/clients. It can also be used to inventory which accounts hold specific privileges (user rights).
a. The "Randomize Local User Account Password" task and the "Random Password Policy for Administrators" policy take the account information gathered by the Local User Inventory Policy and make it available for change and adjustment: the inventoried accounts are what those tasks act on when they set new random passwords.
3. Local Security Shared Folder Inventory Policy - This policy inventories the shared folders on the managed computers/clients.
a. As with item 1a above, once an inventoried list of shared folders is available, LSS can use that list to apply user-defined security descriptors to the security settings of an inventoried file or file share. See http://technet.microsoft.com/en-us/library/cc783702(WS.10).aspx for a detailed explanation of security descriptors. A security descriptor holds the security settings of an object such as a file, folder, registry key or share: its owner, the DACL (which accounts may perform which operations on it) and the SACL (which accesses are audited). Note that a share has two such descriptors, the share permissions and the NTFS permissions of the folder underneath, and the effective access is the more restrictive of the two, which is why both the file and the share tasks exist. LSS provides task-based tools to change them, namely the "Set File Security", "Set Registry Security" and "Set Share Security" tasks, also shown in the attached screenshot.
4. Local Security Service Inventory Policy - This policy inventories the Windows services on the managed computers/clients.
a. The inventoried services can then be changed with the "Set Windows Service Configuration" task, shown in the screenshot. It can apply a user-defined security descriptor to the service (who may start, stop, or reconfigure it) and change the user account the service runs under. Both settings matter: a service whose DACL lets ordinary users change its configuration is a classic local privilege escalation path, and a service running as an over-privileged account widens the damage when it is compromised.
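To make the four inventories concrete, here is an added PowerShell example that is not code from the original article or from Symantec's LSS. It collects, on a single Windows host, the same information the four policies collect (DCOM launch/access permissions and COM+ identities and roles, local users and Administrators membership, share and NTFS permissions, service run-as accounts and service DACLs), flags the findings an administrator would act on with the corresponding "Set ..." tasks, and implements the password randomization of item 2a with a CSPRNG. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 / Server 2016 or later; all function and property names are this example's own.

```powershell
# Added example, not code from the original article or from Symantec's LSS: a
# PowerShell equivalent of the four inventory policies run on a single Windows
# host, plus the "Randomize Local User Account Password" task from item 2a.
# Assumes an elevated Windows PowerShell 5.1 session on Windows 10 / Server 2016
# or later; function and property names below are this example's own.

# --- 1. COM+ / DCOM: who may launch or call each server application ---------
function Get-DcomAppInventory {
    # Per-app launch/access permissions are REG_BINARY self-relative security
    # descriptors under HKLM\SOFTWARE\Classes\AppID\{GUID}; decode them to SDDL.
    # A missing value means the machine-wide default applies; a missing RunAs
    # means the server runs as the launching user.
    Get-CimInstance Win32_DCOMApplication | ForEach-Object {
        $key  = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$($_.AppID)" -ErrorAction SilentlyContinue
        $sddl = foreach ($perm in 'LaunchPermission', 'AccessPermission') {
            if (-not $key.$perm) { '(machine-wide default)'; continue }
            [System.Security.AccessControl.RawSecurityDescriptor]::new($key.$perm, 0).GetSddlForm('All')
        }
        [pscustomobject]@{ Name = $_.Name; AppID = $_.AppID; RunAs = $key.RunAs
                           LaunchPermission = $sddl[0]; AccessPermission = $sddl[1] }
    }
}
function Get-ComPlusAppInventory {
    # The COM+ catalog holds each application's identity and its role membership.
    $apps = (New-Object -ComObject COMAdmin.COMAdminCatalog).GetCollection('Applications'); $apps.Populate()
    foreach ($app in $apps) {
        $roles = $apps.GetCollection('Roles', $app.Key); $roles.Populate()
        [pscustomobject]@{ Name = $app.Value('Name'); Identity = $app.Value('Identity')
                           AccessChecks = [bool]$app.Value('ApplicationAccessChecksEnabled')
                           Roles = @($roles | ForEach-Object { $_.Value('Name') }) -join ', ' }
    }
}

# --- 2. Local users and group membership ------------------------------------
function Get-LocalAccountInventory {
    $admins = (Get-LocalGroupMember -Group Administrators).Name     # 'HOST\name' form
    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Enabled = $_.Enabled; PasswordLastSet = $_.PasswordLastSet
                           LocalAdmin = $admins -contains "$env:COMPUTERNAME\$($_.Name)" }
    }
}
function Reset-LocalAccountPassword {
    # Task 2a: CSPRNG password drawn with rejection sampling (no modulo bias).
    # Returns the new password only when it was actually set; the caller must
    # escrow it (LAPS-style) because the old one is gone.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name = 'Administrator', [int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $alphabet.Length)
    $buf   = [byte[]]::new(4)
    $pw = -join (1..$Length | ForEach-Object {
        do { $rng.GetBytes($buf); $n = [BitConverter]::ToUInt32($buf, 0) } while ($n -ge $limit)
        $alphabet[$n % $alphabet.Length]
    })
    if ($PSCmdlet.ShouldProcess("$env:COMPUTERNAME\$Name", 'Set random password')) {
        Set-LocalUser -Name $Name -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
        $pw
    }
}

# --- 3. Shared folders: share ACL plus the NTFS descriptor underneath --------
function Get-ShareInventory {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $acl  = Get-SmbShareAccess -Name $_.Name
        $open = $acl | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Full', 'Change' -and
                $_.AccountName -match '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users)$' }
        [pscustomobject]@{ Name = $_.Name; Path = $_.Path
                           ShareAcl   = ($acl | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join '; '
                           NtfsSddl   = (Get-Acl -LiteralPath $_.Path -ErrorAction SilentlyContinue).Sddl
                           BroadWrite = [bool]$open }
    }
}

# --- 4. Windows services: run-as account and the service DACL ----------------
# Service rights that let a principal reconfigure or take over the service.
$ServiceWriteMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000  # CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'                                 # Everyone, Authenticated Users, BUILTIN\Users
function Get-ServiceInventory {
    Get-CimInstance Win32_Service | ForEach-Object {
        # sc.exe sdshow prints the service's security descriptor as one SDDL line.
        $sddl = ((sc.exe sdshow "$($_.Name)" | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^D:' }) -join '')
        $weak = @()
        if ($sddl) {
            $dacl = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl).DiscretionaryAcl
            $weak = @($dacl | Where-Object { $_.AceType -eq 'AccessAllowed' -and ($_.AccessMask -band $ServiceWriteMask) -ne 0 -and
                    $BroadSids -contains $_.SecurityIdentifier.Value } | ForEach-Object { $_.SecurityIdentifier.Value })
        }
        [pscustomobject]@{ Name = $_.Name; RunAs = $_.StartName; StartMode = $_.StartMode; Path = $_.PathName
                           Sddl = $sddl; BroadWriteSids = $weak -join ',' }
    }
}

# Findings an administrator would act on with the matching "Set ..." tasks.
Get-DcomAppInventory      | Where-Object { $_.LaunchPermission -match ';;;(WD|AU|BU)\)' } | Format-Table -AutoSize
Get-ComPlusAppInventory   | Where-Object { -not $_.AccessChecks } | Format-Table -AutoSize
Get-LocalAccountInventory | Where-Object LocalAdmin | Format-Table -AutoSize
Get-ShareInventory        | Where-Object BroadWrite | Format-Table Name, Path, ShareAcl -AutoSize
Get-ServiceInventory      | Where-Object BroadWriteSids | Format-Table Name, RunAs, BroadWriteSids -AutoSize
Reset-LocalAccountPassword -Name Administrator -WhatIf     # drop -WhatIf (and escrow the output) to rotate it
```

The "Set ..." side of each policy maps onto standard tooling in the same way: share permissions are changed with Grant-SmbShareAccess / Revoke-SmbShareAccess and NTFS permissions with Set-Acl, a service DACL is written back with sc.exe sdset, a service's run-as account with the Change method of Win32_Service (Invoke-CimMethod), and a DCOM LaunchPermission by converting the desired SDDL back to bytes with RawSecurityDescriptor.GetBinaryForm and writing it as a REG_BINARY value. The privilege part of item 2 (which accounts hold which user rights) can be added by parsing the [Privilege Rights] section of secedit.exe /export /cfg <file> /areas USER_RIGHTS.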