Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


February 2005

Security Configuration Wizardry

Get the most out of Windows 2003 SP1's new server-hardening tool
From the February 2005 Edition
of Windows IT Pro
Jan De Clercq
Feature
InstantDoc #44992
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Download the Code Here

The Security Configuration Wizard (SCW) is Microsoft's latest addition to its security configuration tool portfolio. SCW is included in Windows Server 2003 Service Pack 1 (SP1), which is currently planned for release in the first half of 2005. SCW guides administrators through configuring, editing, applying, and rolling back security policies on Windows 2003 SP1 servers. It specializes in easing the process of hardening servers that perform particular server roles, such as Microsoft IIS and Microsoft Exchange Server. Let's look at where SCW fits in among Microsoft's other security configuration tools and why you might want to use it.

SCW Characteristics
SCW is role-based. It can generate XML-formatted security policy files that are tailored to a server's role (e.g., file server, Exchange Server front-end server, print server). SCW can deal with role dependencies. For example, if you select the Active Directory (AD) server role, SCW automatically adds the File Replication Service (FRS) server role because AD domain controllers (DCs) use FRS to replicate the Sysvol folder between them. SCW uses an extensible knowledge base that holds a list of preferred security settings for different Windows server roles. The SCW security policy files can configure a server's service, registry, audit policy, and Microsoft IIS configuration settings. You can enforce SCW policies by using SCW itself or by transforming SCW policies into Group Policy Objects (GPOs).

Three important reasons for Windows administrators to use SCW are:

  • SCW reduces the time needed to create a baseline security policy for a particular server type. Instead of reading several hardening guidance documents, an administrator can leverage SCW's built-in knowledge base.
  • Administrators can use SCW to create a security policy for a particular server role on one server, then automatically apply it to all the servers in their organization that have the same role.
  • SCW is an important tool for reducing the attack surface of a Windows server system. As opposed to other Microsoft security policy configuration tools (Security Configuration Editor—SCE—and GPOs), it can lock down a Windows system's network ports, thwarting potential security breaches.

Getting Started
SCW is an optional Windows component included in Windows 2003 SP1. To install it, use the Add/Remove Windows Components option in the Add or Remove Programs Control Panel applet. After installation, the SCW icon will show up in the Administrative Tools folder. To start the graphical SCW from the command line, type

scw

To run SCW on standalone machines, you need local administrator permissions; on domain-joined machines, you need local administrator or domain administrator permissions. A machine can be configured by using SCW only if it's running Windows 2003 SP1 and has SCW installed. You can run SCW against a machine locally or remotely. Before starting SCW, make sure that all applications that use inbound network ports are running.

SCW Content
When you run the graphical version of SCW, it guides you through a set of dialog boxes, each of which lets you perform a different security configuration step:

  1. Select whether you want to create a new policy, edit an existing policy, apply a policy, or roll back the last applied policy.
  2. Select the server you want to use as the baseline server for policy creation, the server on which you want to edit a policy, or the server on which you want to apply or roll back a policy.
  3. View the Security Configuration Database content, as Web Figure 1 (http://www.windowsitpro.com, InstantDoc ID 44992) shows. This is your chance to study or review which roles and services your server should provide before moving on to the actual generation of an SCW policy file or configuration of a server.
  4. Configure role-based services. Before you run through this SCW section, you must have a complete view of the roles and services a particular server should provide. This section comprises multiple steps, all of which let you enable or disable server services and block or unblock network ports by selecting or clearing the check boxes of server roles and configuration options:

    5. Select server roles, which include DC, DHCP server, DFS server, file server, and Exchange Server 2003 back-end server. To see the roles and services required for a particular role, click the triangle that points to the role, as Figure 1 shows.

    Select client features. Client features are services that use services provided by other servers (e.g., the DHCP client service). To see the services required for a particular client feature, click the triangle that points to the role.

    Select administration and other options. This step lists all options that you can install on a server (e.g., Alerter, Time Synchronization, UPS service). To see the services required for a particular administration option, click the triangle that points to the role.

    Select additional services. These are services that aren't defined in the SCW database but that SCW found on the machine.

    Handle unspecified services. This step lets you disable services that weren't specified in the previous SCW pages.

    If you're creating a new policy, SCW by default displays the roles, client features, and administration options that are currently installed on the server on which you're running the wizard. If you're editing an existing policy, the wizard displays the roles, client features, and administration features enabled in the policy. To display, for example, all the roles defined in the SCW database, select the All Roles option in the View drop-down menu that Figure 1 shows. SCW can't configure security policy settings for the Internet Connection Sharing (ICS), Internet Security and Acceleration (ISA) Server, RRAS, or Small Business Server (SBS) roles because these roles aren't defined in the SCW database.

  5. Configure network security. In this section of steps, you can define Windows Firewall and IP Security (IPSec) settings (i.e., you can define open or blocked inbound ports and the applications that are approved to use particular ports). SCW doesn't display all ports but rather filters ports based on the service and role options that you selected in the previous section. If you don't see a particular port, you can add it manually by clicking Add on the Open Ports and Approve Applications page. To configure IPSec settings for a particular port, click Advanced on the Open Ports and Approve Applications page. On machines with multiple NICs, you can disable or enable individual ports for certain interfaces by using the Local Interface Restrictions tab in the advanced port properties dialog box. Figure 2 shows the dialog box for restricting remote access to a local system port by using IPSec for a certain IP address, computer name, IP subnet, or range of IP addresses.
  6. Configure registry settings. In this section, you can configure a set of Windows communication protocol security options, including Server Message Block (SMB) and Lightweight Directory Access Protocol (LDAP) signing and the LM compatibility level setting. The latter is used to determine which versions of the NT LAN Manager (NTLM) authentication protocol are made available to server users. Web Table 1 summarizes the registry settings configurable through SCW.
  7. Configure audit policy. This section lets you set a Windows server's auditing options. The options are: don't audit, audit only successful events, and audit both successful and unsuccessful events. The auditing option you choose applies to the different Windows auditing categories (e.g., audit system events, audit logon events).
  8. Configure Microsoft IIS. This section is available only for servers on which you selected the Web server role. You can use this section to configure several IIS-related settings, including the supported Web service extensions (e.g., Active Server Pages—ASP), the retained virtual directories, and the blocking or unblocking of anonymous access to Web content.
  9. Save the security policy, view it, and include security templates. This section allows you to save and view the complete policy when you're done creating or editing it, as well as import existing security templates (.inf files) into the policy, as Figure 3 shows. This feature is needed because you can't use SCW to configure all the security settings that you can configure by using the security templates that SCE and GPOs use. The settings that SCW applies because of an imported security template can't be undone by using the SCW rollback option. Note in Figure 3 that you can import multiple templates into a single SCW policy and set an application priority order for them.
  10. Apply the policy now or later. The wizard lets you immediately apply the policy or save it for later application.
   Previous  [1]  2  Next 


Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path For server-hardening information:
"“Using MMC Snap-ins to Secure Win2K Systems”"


To use GPOs for security configuration:
"“Group Policy and Security”"
Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

How can I stop and start services from the command line?

...

Where is Microsoft NetMeeting in Windows XP?

...
Security Whitepapers The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Protecting (You and) Your Data with Exchange Server 2007
Related Events How IE7 & The New Extended Validation SSL Certificates Impact Your Site

Top 10 Email Security Challenges and Solutions

Introduction to Identity Lifecycle Manager "2"

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Register for Orion NPM v9 - Evaluation
Affordable, easy-to-use network performance management with SolarWinds Orion – Free Trial!

Want a Hardware-Independent Image?
Binary Research, the Ghost people, shows you how to clone with 1!

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

Order Your Fundamentals CD Today!
Register today for your in-depth copy of one of three Fundamental CDs on the following topics – Exchange, SQL, and SharePoint.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing