Over the life of an operating system install, configuration changes can occur that prevent the operating system or applications from functioning correctly. Symptoms that can be caused by overly restrictive security settings include but are not limited to:
- OS, service or application startup failures
- Authentication or authorization failures
- Resource access failures on the local or a remote computer
Operations that can make changes to security settings include but are not limited to:
- OS upgrades, QFE service pack and application installs
- Group policy changes
- User rights assignments
- Security templates
- The modification of security settings in Active Directory and the registry and other databases
- The modification of permissions on objects in AD, the file system, the Windows registry
Note that the security settings can be defined on the local, a remote computer, an interoperability mismatch between the local and a remote computer.
When a formerly working installation suddenly fails, a natural troubleshooting step is to return to the last working configuration that existed when the operating system, service or application last worked, or in an extreme case, return the operating system to its out-of-the-box configuration.
This article describes supported and unsupported methods to undo or rollback changes to the following elements:
Limitations of importing default security templates:
- Permissions in the Registry, File System and Services
- User rights assignments
- Security policy
- Group membership
The previous version of this article states a method to use the “secedit /configure” command with the caveat that the procedure does not restore all security settings that are applied when you install Windows and may result in unforeseen consequences.
The use of "secedit /configure" to import the default security template, dfltbase.inf, is unsupported nor is it a viable method to restore default security permissions on Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 computers.
Beginning with Windows Vista, the method to apply the security during operating system setup changed. Specifically, security settings consisted of settings defined in deftbase.inf augmented by settings applied by the operating installation process and server role installation. Because there is no supported process to replay the permissions made by the operating system setup, the use of the “secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
” command line is no longer capable of resetting all security defaults and may even result in the operating system becoming unstable.
For Microsoft Windows 2000, Windows XP or Windows Server 2003 computers, the “secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
” command is still supported in the very few scenarios where security settings need to be restored using the secsetup.inf template. Since importing the Secsetup.inf or any other template only resets what’s defined in the template and does not restore external settings, this method may still not restore all operating system default, including those that may be causing a compatibility problem. The use of "secedit /configure" remains fully supported for importing custom templates.
The following is a list of supported methods (in a loose order of preference) to restore the Windows system to its previously working state.
- Restore using System State: (For all Windows clients/servers)
If you have a System State backup that was created for the particular Windows system prior to the incident, use the same to restore the security settings to a working state. Any changes to the applications on the system since the system state may need to be reapplied for successful recovery. This may not be helpful to restore security settings on application related data or any non-operating system files. You may need a Complete System backup including the system state to restore it back to its original state.
- Restore using System Restore: (For Windows client operating systems only)
The built-in System Restore feature automatically creates restore points at regular intervals and when applications are added via supported installer methods. Each restore point contains the necessary information needed to restore the system to the chosen system state. This method can be used to recover the system back to a specific state. As mentioned earlier in the previous method, this may not be helpful to restore security settings on application data and a Complete System backup may be needed for the same.
- Restore using a preconfigured template:
For systems built with a template, you can use Security Configuration Wizard if a template was created for the problem machine.
- Restore file permissions only:
For file permissions, you can use the built in command line tool ICACLS/restore to restore file security that has been backed up using the /save switch on the same machine from a prior working state. This method can be used to compare the results from an identical working machine to a failing one.
When none of the above methods apply or no backup is available from which to restore, please undo the change by following your change control list or refer to the troubleshooting section of this article to a specific security setting or by process of elimination.
Here is a table comparing the methods mentioned earlier:
Collapse this tableExpand this table
|Method||Supported operating systems||Pro’s||Con’s||Pre-work needed|
|Windows Backup||All Windows Servers/Clients||Can be used to backup data & restore system state||Potentially Large data set to manage. Also, you may need to replay changes after the backup that was restored.||Yes|
|System Restore||All Windows clients –Windows XP, Windows Vista
, Windows 7
||Can be configured to perform automatic system state backups||Doesn’t restore application data which may be inadvertently changed.||Yes|
|Security Configuration Wizard||Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2||Can provide a template to restore/apply security|| Only applies or views data contained within the template used||Yes|
|ICACLS /Restore||Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2||Useful for backing up NTFS file permissions for reuse later if needed||It currently doesn’t offer saving permissions for other locations such as registry, services etc.||Yes|
|Troubleshooting methods||Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2||Useful when none of the above mentioned tools/backup are available||This may not put the entire machine configuration in its original state before the permissions change occurred. Also, undoing such changes may break dependencies set by an application or OS component.||No|
The following Security parameters may need to be addressed to resolve a permissions issue. These are parameters that are defined within security templates:
Collapse this tableExpand this table
|Area Name ||Description|
|SECURITYPOLICY ||Local policy and domain policy for the system. This includes account policies, audit policies, and other policies. |
|GROUP_MGMT ||Restricted group settings for any groups that are specified in the security template. |
|USER_RIGHTS ||User logon rights and granting of permissions. |
|REGKEYS ||Security on local registry keys. |
|FILESTORE ||Security on local file storage. |
|SERVICES ||Security for all defined services.|
The following tools are available for troubleshooting
the different security areas:
- SecurityPolicy (Account Policies, Audit Policies, Event Log Settings and Security Options):
Following are some additional details regarding the usage of each of the tools listed above.RSOP (Resultant Set of Policy)
Resultant Set of Policy (RSoP) is an addition to Group Policy that makes policy implementation and troubleshooting easier. RSoP is a query engine that polls existing policies and planned policies, and then reports the results of those queries. It polls existing policies based on site, domain, domain controller, and organizational unit. RSoP gathers this information from the Common Information Management Object Model (CIMOM) database (otherwise known as CIM-compliant object repository) through Windows Management Instrumentation (WMI).What Is Resultant Set of Policy?http://technet.microsoft.com/en-us/library/cc758010(WS.10).aspx
It's a built-in snap-in “rsop.msc” available for all supported operating systems -Windows XP or later.
Security Configuration and Analysis
Security Configuration and Analysis is a tool for analyzing and configuring local system security. Security Configuration and Analysis enables you to quickly review security analysis results and directly configure local system security. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. This immediately configures the system security with the levels specified in the template.Analyze system securityhttp://technet.microsoft.com/en-us/library/cc776590(WS.10).aspx
Best practices for Security Configuration and Analysishttp://technet.microsoft.com/en-us/library/cc757894(WS.10).aspx
is a built-in command line tool that can be used to export the local policy or the merged policy from a Windows machine. You can export the policy state from the machine in its working state and then use the /configure switch to reapply the template onto the machine when in problem state.
For syntax and additional information, refer this
is a command line resource kit tool that allows you to grant or revoke user rights on a Windows computer either locally or remotely.How to set logon user rights by using the NTRights utilityhttp://support.microsoft.com/kb/315276
is part of the resource kit tools which can be downloaded here
is one of the Sysinternals utilities that allows for monitoring of File system, Registry, Process, Thread, and DLL activity in real time. It allows us to filter the results as well as save the results in a file for review later. This tool can be used to troubleshoot security issues with file and registry access. For example: You can filter the “result” for “denied” attempts.
For additional information, please refer the link below:http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Download from here or Run Process Monitor now from Live.Sysinternals.comAccessCheck
is a command line program that can be used to check what kind of accesses specific users/groups have to resources such as files/directories/registry keys, global objects and Windows services. Click link below for details:http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
Download from here
gives you a full view of your file system path and
Registry hive security settings helping you for security holes and lock down permissions where necessary.http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx
Download from here
is a built-in command line tool that communicates with the Service Control Manager. It can be used to display information about a service start value, change or disable it. In the context of this article, you can use the command “sc sdshow Service_Name” to output the permissions on the service. Once you have the output, you can use the following KB article to interpret the sameBest practices and guidance for writers of service discretionary access control listshttp://support.microsoft.com/kb/914392
Also, you can run the command "sc sdset service_name DACL_in_SDDL_format" to modify the permissions.
Additional information about this can be found in the following links:http://support.microsoft.com/kb/251192
Icacls.exeIcacls.exe is a built-in command line utility which allows to display or modify the discretionary access control lists (DACLs) on specified files/directories. “ICACLS path_name /save aclfile” can be use to export the ACL’s for the relevant path name(files/directories) into a text file and also be used to restore it back onto the files using the command "ICACLS path_name /restore aclfile"
Additional information about this can be found in the following links:http://support.microsoft.com/kb/919240