A computer system is typically purchased and supplied as a combined hardware-software system. Many computer system suppliers use high-capacity compact disk (CD) ROMs for supplying software images. The computer system suppliers that supply software on CD ROMs only sell a limited number of hardware configurations (for example 4 to 8) that utilize even fewer software configurations (for example 2 or 3). The software system includes a common operating system, hardware drivers, software utilities, and application programs for usage among all computer systems of a particular configuration. These computer system suppliers have the software diskettes pressed en masse, generally in batches in the ten thousand to the hundred thousands range, so that identical software systems are supplied interchangeably to many computer systems.
The conventional hardware computer system typically includes various different hardware subsystems. During installation of these conventional mass-produced software systems to hardware computer systems, some software configuration is generally performed. The downloading process often includes routines that automatically detect an identification of the hardware subsystems and build appropriate drivers for the detected subsystems.
Many different hardware vendors supply the hardware subsystems and often many different software suppliers supply software modules supplied on the mass-produced diskettes. A common problem with the conventional technique for supplying software to a computer system using mass-produced software is that various inconsistencies often arise among the various hardware subsystems and the software modules. The first time a particular hardware-software system configuration is combined is when a customer attempts to bring up the system, long after the system has left the factory. A customer typically does not have the expertise to correctly set up various configurable characteristics of the hardware and software to optimally execute the software on a particular hardware configuration. Therefore, bringing up a system is often a painful and time-consuming exercise for both the computer system customer and the vendor, with the customer making frequent usage of the vendor's customer help services.
Security configuration is another aspect of defining and setting the system configuration in business and personal computing. Companies and individuals invest greatly, both in money and time, in the purchase of executable software and the development of information contained in databases, textual documents, spreadsheets, and the like. The protection of information resources is an important concern.
Businesses and personal computer users demand the incorporation of security and integrity features into computers to protect access to critical files and to guarantee the trustworthiness of installed programs. An ideal implementation of security features interferes with normal computer operation only minimally.
Two causes of security breaches in computer systems are file corruption and viruses. File corruption occurs in an event such as a system failure that occurs during a file transfer. File corruption is thus largely avoided by controlling the power-down sequence of the computer system, particularly in computers with advanced operating systems such as Windows 95™ and Windows NT™. Operating systems control power-down by requiring the user to shut down using specified steps rather than by simply turning off the power switch. Restriction of the power-down sequence allows various status information and configuration data contained in a Windows Registry file to update only when the system is properly shut down. Data stored in a disk cache is flushed to the disk only when the user properly exits Windows 95™ or Windows NT™.
Network connections that are not properly terminated violate system security. For example, termination of power that violates the shutdown procedure can corrupt the Windows Registry file and compromise reliability of the computer during subsequent operations. It should be noted, however, that properly exiting these operating systems requires the user to take affirmative action via menu commands prior to toggling the on/off power switch.
Computer viruses are the second threat to software integrity and can be hostile, clandestine and created to target specific types of software or hardware. Viruses are introduced into a computer in any way the computer communicates externally including a floppy drive, a network connection, a modem connection, or the like. Viruses self-replicate, generating multiple copies and secretly attaching copies to files or boot records so that the user is unaware of the intrusion. Once a virus has attached to a host program, integrity of the host is violated. Once infected, any subsequent copies of the host file also contain the virus, thereby increasing the potential for destruction. The virus is then activated when the file is executed. Consequently, a virus attached to a data file may remain dormant because the data file is not executable.
A further aspect of system configuration in computer systems is the security configuration of a particular computer system within a network. One trend in computing is the development of client/server architectures in distributed computing environments to support transaction processing applications. Present-day distributed computing environments often include interconnected mainframes, minicomputers, servers and workstations. Integration of mainframes, minicomputers, servers and workstations into a distributive computing environment creates the need for system management tools sufficient for reliable operation.
Computer purchasers who deal with Dell Computer, Inc. frequently order computer systems configured with one or more software customizations. Some customizations include loading of specific application software and setting of specific software attributes. No automated procedure exists for setting software attributes. In particular, no automated procedure exists for setting system security attributes so that security attributes are either not set or are set using tedious and error-prone manual techniques.
Current manual techniques for setting security attributes in computer systems operating in a Windows NT™ environment, for example, include checking of security settings on a system using tools supplied by the Windows NT™ operating system. Tools include User Manager, Windows NT Explorer™, and a Microsoft™ Registry Editor. A user typically employs the tools to check security settings on one computer and then, using the same tool set, recreates the security settings on another computer. Microsoft™ supplies additional tools as part of a Windows NT™ resource kit and a Zero Administration Kit (ZAK) that partially automates configuration tasks.
What is needed is a configuration utility that efficiently and accurately configures security attributes for a large number of computer systems with variable security requirements. Existing general purpose utilities such as the Microsoft™ Registry Editor are error prone and do not have the ability to configure multiple computers simultaneously.
A Security Management Tool (SMT) is defined and created that solves the problem of efficiently and accurately configuring security attributes for multiple computer systems. To this end, a method of configuring security attributes in a computer system includes reading a file in a storage medium, the file storing a plurality of security attributes acquired from a previously-configured computer system; and setting a security setting of the computer system, the security setting corresponding to a security attribute read from the file.
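The read-then-set method described above, sketched as an added example (not code from the patent or from the tool it describes). The JSON layout, category names, registry path and host names are assumptions, and each target is modelled as an in-memory dictionary rather than a live Windows system.

```python
import json

KNOWN = {"registry", "file_acl", "user_rights"}  # assumed attribute categories

# Constructed sample: attributes captured from a previously configured system.
REFERENCE_FILE = json.dumps({
    "registry": {r"HKLM\SOFTWARE\ExampleCorp\Policy\AuditLevel": 2},
    "file_acl": {r"C:\ExampleData": ["Administrators:F", "SYSTEM:F"]},
    "user_rights": {"ExampleShutdownRight": ["Administrators"]},
})
# Constructed targets: pc-01 is freshly installed, pc-02 is partly configured.
TARGETS = {
    "pc-01": {"registry": {r"HKLM\SOFTWARE\ExampleCorp\Policy\AuditLevel": 0}},
    "pc-02": {
        "registry": {r"HKLM\SOFTWARE\ExampleCorp\Policy\AuditLevel": 2},
        "file_acl": {r"C:\ExampleData": ["SYSTEM:F", "Administrators:F"]},
    },
}

def _norm(value):
    # ACL and user-right lists are unordered; compare and store them sorted.
    return sorted(value) if isinstance(value, list) else value

def load_baseline(text):
    """Parse the attribute file; fail closed on categories we cannot apply."""
    data = json.loads(text)
    unknown = set(data) - KNOWN
    if unknown:
        raise ValueError(f"unsupported attribute categories: {sorted(unknown)}")
    return {c: {k: _norm(v) for k, v in items.items()} for c, items in data.items()}

def drift(baseline, system):
    """Return (category, key, current, wanted) for every setting that differs."""
    out = []
    for cat, items in baseline.items():
        for key, wanted in items.items():
            current = _norm(system.get(cat, {}).get(key))
            if current != wanted:
                out.append((cat, key, current, wanted))
    return out

def apply_baseline(baseline, system):
    """Set only the settings that differ and return them as a change log."""
    changes = drift(baseline, system)
    for cat, key, _old, wanted in changes:
        system.setdefault(cat, {})[key] = _norm(wanted)
    return changes

def configure_all(text, targets):
    """Apply one attribute file to every target; per-host change logs."""
    baseline = load_baseline(text)
    return {name: apply_baseline(baseline, state) for name, state in targets.items()}
```

Settings on a target that the file does not mention are left untouched, so the change log records what was set, not that the target is free of extra permissions.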