These days, security is on everyone's mind--as well as on everyone's computer screen. Security warnings pop up in your Web browser, your e-mail, your antivirus software, your network settings, and all your other apps. But tracking every nook and cranny where Windows hides its security settings--and choosing the correct ones--can be a full-time job.

Fortunately, Windows XP Professional and 2000 contain the building blocks of a comprehensive security analysis and configuration tool. (If you have XP Home, the security built into Service Pack 2 should meet your needs.) But you have to assemble the components into a security suite yourself. I'll show you how to put the utility together, use it to analyze your system, and decide what actions to take based on the results. While Windows' Security Configuration and Analysis utility does not address security for e-mail and other apps, it lets you assign all of Windows' system-level security settings in one place.

Changes to security settings can affect your network and Internet connections, your applications, and Windows' own Registry settings, so back up your system before embarking on any serious tweaking. (Read "Care and Feeding of the Windows Registry" from Stan Miastkowski's May 2002 Step By Step column.) After each change of setting, test your applications and network connection to make sure they're working properly. If a problem crops up, restore your Registry as explained in Lincoln Spector's April 2003 Answer Line column, "How Do I Restore My Windows Registry?".

Build Your Software

to create your custom security tool, log in as an administrator, choose Start, Run, type mmc, and press Enter. In Windows XP, choose File, Add/Remove Snap-in. In Windows 2000, click Console, Add/Remove Snap-in from the Console1 main menu. In both versions, click Add, select Security Configuration and Analysis, click Add again, and then Close and OK.

The little Console Root icon in the window now has a subicon, but no other real branches to its tree. To add a subentry for the icon, create a database of your settings: Right-click Security Configuration and Analysis and choose Open Database. In the 'File name' box, type the name of your database--for example, my security settings--and press Enter to be prompted to import a template. (If you don't see this dialog, or if you cancel it accidentally, right-click Security Configuration and Analysis and choose Import template.)

The templates range from the default Windows settings (setup security.inf) to very high security (hisecws.inf). Unless you are a network-management or security expert, or you believe another template applies to your system, select setup security and click Open (see FIGURE 1; the file appears as "setup security.inf" if your system is set to show file extensions).

Save your newly created tool so you can access it again without retracing all these steps. Choose Console, Save As (in Windows 2000) or File, Save As (in XP), and select a location. If you save the utility in the Administrative Tools folder on your Start menu (the default option), you can launch it by choosing its icon from the Start, Program, Administrative Tools menu (or the All Programs, Administrative Tools menu). If the icon is missing, right-click Start, select Properties, Start Menu, Customize, Advanced, and at the bottom of the 'Start menu items' list, choose a display option. The path for this folder is usually C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools (change the default path if you don't want all users who log on to the machine to see this item). Type a name, such as Security Analyzer, and then press Enter.

Do a Security Check

To analyze your system and compare its settings to those in your template, right-click Security Configuration and Analysis and choose Analyze Computer Now (see FIGURE 2). Type a path for the log file, or just click OK to accept the default path.

When the analysis is done, the pane on the left should show new branches. To see how your PC's settings compare to the template, click any + sign until one or more branches have no more subbranches. Click an icon at the end of a branch to view that category's settings in the right pane (see FIGURE 3).

The icons for many of the entries will tell you how your PC's settings compare to the template database. The chart "Security Template Scorecard" explains these icons (Windows 2000 shows only the first three).

The columns in the right pane show how your system diverges from the template you loaded. The Account Policies and Local Policies sections have three columns that tell the whole story--Policy (the type of setting), Computer Setting (your system's configuration), and Database Setting (the setting in the template).

Tweak Your Settings

if all or nearly all of the settings you look at have a green check mark, then your system's security essentially matches that recommended by the template database. Relax and have a cuppa joe. But what if you see many discrepancies--such as those marked with an X in a red circle? You have several choices:

Do nothing: If your system is running the way you like and you have no reason to believe that you are susceptible to security breaches, just walk away. If it ain't broke, what's to fix? This is the safest approach, and the one I recommend unless you have some basis for thinking that you do have a security problem.

Get a different template: An abundance of discrepancies may indicate that the template you chose is not suited to your system. To find a better match in Windows XP, choose Start, Help and Support. In the search box, type Predefined security templates and press Enter. Click Predefined security templates in the left pane to view the nitty-gritty on these templates in the right pane. In Windows 2000, click the question-mark Help icon at the far right of the security utility's toolbar. With the Contents tab in front, select Security Configuration and Analysis, Advanced Topics, Predefined templates. The info you need is in the right pane.

If you find a better template fit, select Security Configuration and Analysis in the left pane and choose Action, Import Template (or right-click the icon and choose Import Template from the context menu). In the Import Template dialog box, check Clear this database before importing to replace the current template. Otherwise, you'll end up with a composite of settings from multiple templates. Select the desired template, click Open, and repeat the analysis as explained above.

Tweak individual settings: If you're the supercautious type and just can't leave well enough alone, inspect the settings that diverge from the template database and decide one by one whether and how to change them. The safest way to do this is to use an entirely different tool for the analysis than you used to create the template. For example, if the settings you want to change are in the Account Policies or Local Policies sections of your new tool, choose Start, Programs, Administrative Tools, Local Security Policy (in XP it's Start, All Programs, Administrative Tools, Local Security Policy), or choose Start, Run, type secpol.msc /s, and press Enter.

With the Local Security Policy tool (Local Security Settings in Windows 2000), only the settings you change get applied to your system; but with the Security Configuration and Analysis tool, you risk applying dozens of unknown template settings. In this case, limit use of the latter utility to determining which items to adjust via the Local Security Policy tool.

Windows XP describes each icon in the Account Policies or Local Policies sections of the Local Security Policy and Security Configuration and Analysis tools. To access these descriptions, choose Start, Help and Support, type Account and local policies in the search box, and press Enter. In the Search Results pane, select Full-text Search Matches and click Account and local policies. Use the text and links on the right to locate the information you need. Windows 2000 lacks this information, but you can click the Help icon at the far right of the toolbar and select Contents, Security Configuration and Analysis, Advanced Topics for some guidance.

Go for broke: If you are used to tinkering with your system's advanced settings, you can use the Security Configuration and Analysis tool to apply some or all of a template's settings. To make only selected changes to your machine's current configuration, double-click an icon in the right pane whose settings you think you should change (such as one with an X in a red circle). Then check or uncheck the desired boxes in the Database Setting column (in the dialog boxes where it appears), or adjust other settings in the dialog box.

When you have finished making your changes, click OK and choose File, Save. To apply the changes to your PC, select Security Configuration and Analysis in the left pane and choose Action, Configure Computer Now. Either type a path for the log file, or click OK to accept the default path. When the tool finishes applying the settings, repeat the analysis. You should now see fewer red circles with X's, since your system settings should match those in your current database.

Test your network and Internet connections, as well as your e-mail and any other applications that may have been affected by the change. If any problems occur, restore the Registry and try again.