February 2005

Security Configuration Wizardry

Get the most out of Windows 2003 SP1's new server-hardening tool

The Security Configuration Wizard (SCW) is Microsoft's latest addition to its security configuration tool portfolio. SCW is included in Windows Server 2003 Service Pack 1 (SP1), which is currently planned for release in the first half of 2005. SCW guides administrators through configuring, editing, applying, and rolling back security policies on Windows 2003 SP1 servers. It specializes in easing the process of hardening servers that perform particular server roles, such as Microsoft IIS and Microsoft Exchange Server. Let's look at where SCW fits in among Microsoft's other security configuration tools and why you might want to use it.

SCW Characteristics
SCW is role-based. It can generate XML-formatted security policy files that are tailored to a server's role (e.g., file server, Exchange Server front-end server, print server). SCW can deal with role dependencies. For example, if you select the Active Directory (AD) server role, SCW automatically adds the File Replication Service (FRS) server role because AD domain controllers (DCs) use FRS to replicate the Sysvol folder between them. SCW uses an extensible knowledge base that holds a list of preferred security settings for different Windows server roles. The SCW security policy files can configure a server's service, registry, audit policy, and Microsoft IIS configuration settings. You can enforce SCW policies by using SCW itself or by transforming SCW policies into Group Policy Objects (GPOs).

Three important reasons for Windows administrators to use SCW are:

  • SCW reduces the time needed to create a baseline security policy for a particular server type. Instead of reading several hardening guidance documents, an administrator can leverage SCW's built-in knowledge base.
  • Administrators can use SCW to create a security policy for a particular server role on one server, then automatically apply it to all the servers in their organization that have the same role.
  • SCW is an important tool for reducing the attack surface of a Windows server system. As opposed to other Microsoft security policy configuration tools (Security Configuration Editor—SCE—and GPOs), it can lock down a Windows system's network ports, thwarting potential security breaches.

Getting Started
SCW is an optional Windows component included in Windows 2003 SP1. To install it, use the Add/Remove Windows Components option in the Add or Remove Programs Control Panel applet. After installation, the SCW icon will show up in the Administrative Tools folder. To start the graphical SCW from the command line, type

scw

To run SCW on standalone machines, you need local administrator permissions; on domain-joined machines, you need local administrator or domain administrator permissions. A machine can be configured by using SCW only if it's running Windows 2003 SP1 and has SCW installed. You can run SCW against a machine locally or remotely. Before starting SCW, make sure that all applications that use inbound network ports are running.

SCW Content
When you run the graphical version of SCW, it guides you through a set of dialog boxes, each of which lets you perform a different security configuration step:

  1. Select whether you want to create a new policy, edit an existing policy, apply a policy, or roll back the last applied policy.
  2. Select the server you want to use as the baseline server for policy creation, the server on which you want to edit a policy, or the server on which you want to apply or roll back a policy.
  3. View the Security Configuration Database content, as Web Figure 1 (http://www.windowsitpro.com, InstantDoc ID 44992) shows. This is your chance to study or review which roles and services your server should provide before moving on to the actual generation of an SCW policy file or configuration of a server.
  4. Configure role-based services. Before you run through this SCW section, you must have a complete view of the roles and services a particular server should provide. This section comprises multiple steps, all of which let you enable or disable server services and block or unblock network ports by selecting or clearing the check boxes of server roles and configuration options:

     • Select server roles, which include DC, DHCP server, DFS server, file server, and Exchange Server 2003 back-end server. To see the roles and services required for a particular role, click the triangle that points to the role, as Figure 1 shows.
     • Select client features. Client features are services that use services provided by other servers (e.g., the DHCP client service). To see the services required for a particular client feature, click the triangle that points to the feature.
     • Select administration and other options. This step lists all options that you can install on a server (e.g., Alerter, Time Synchronization, UPS service). To see the services required for a particular administration option, click the triangle that points to the option.
     • Select additional services. These are services that aren't defined in the SCW database but that SCW found on the machine.
     • Handle unspecified services. This step lets you disable services that weren't specified in the previous SCW pages.

     If you're creating a new policy, SCW by default displays the roles, client features, and administration options that are currently installed on the server on which you're running the wizard. If you're editing an existing policy, the wizard displays the roles, client features, and administration options enabled in the policy. To display, for example, all the roles defined in the SCW database, select the All Roles option in the View drop-down menu that Figure 1 shows. SCW can't configure security policy settings for the Internet Connection Sharing (ICS), Internet Security and Acceleration (ISA) Server, RRAS, or Small Business Server (SBS) roles because these roles aren't defined in the SCW database.

  5. Configure network security. In this section of steps, you can define Windows Firewall and IP Security (IPSec) settings (i.e., you can define open or blocked inbound ports and the applications that are approved to use particular ports). SCW doesn't display all ports but rather filters ports based on the service and role options that you selected in the previous section. If you don't see a particular port, you can add it manually by clicking Add on the Open Ports and Approve Applications page. To configure IPSec settings for a particular port, click Advanced on the Open Ports and Approve Applications page. On machines with multiple NICs, you can disable or enable individual ports for certain interfaces by using the Local Interface Restrictions tab in the advanced port properties dialog box. Figure 2 shows the dialog box for restricting remote access to a local system port by using IPSec for a certain IP address, computer name, IP subnet, or range of IP addresses.
  6. Configure registry settings. In this section, you can configure a set of Windows communication protocol security options, including Server Message Block (SMB) and Lightweight Directory Access Protocol (LDAP) signing and the LM compatibility level setting. The latter determines which versions of the NT LAN Manager (NTLM) authentication protocol are made available to server users. Web Table 1 summarizes the registry settings configurable through SCW.
  7. Configure audit policy. This section lets you set a Windows server's auditing options. The options are: don't audit, audit only successful events, and audit both successful and unsuccessful events. The auditing option you choose applies to the different Windows auditing categories (e.g., audit system events, audit logon events).
  8. Configure Microsoft IIS. This section is available only for servers on which you selected the Web server role. You can use this section to configure several IIS-related settings, including the supported Web service extensions (e.g., Active Server Pages—ASP), the retained virtual directories, and the blocking or unblocking of anonymous access to Web content.
  9. Save the security policy, view it, and include security templates. This section lets you save and view the complete policy when you're done creating or editing it, as well as import existing security templates (.inf files) into the policy, as Figure 3 shows. This feature is needed because you can't use SCW to configure all the security settings that you can configure by using the security templates that SCE and GPOs use. The settings that SCW applies because of an imported security template can't be undone by using the SCW rollback option. Note in Figure 3 that you can import multiple templates into a single SCW policy and set an application priority order for them.
  10. Apply the policy now or later. The wizard lets you immediately apply the policy or save it for later application.
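After a policy has been applied, a quick way to confirm that the protocol-hardening settings from the Configure registry settings step actually landed is to read the registry values back and compare them with a baseline. The following PowerShell check is an added example, not code from the article or from Microsoft; the registry paths and value names are the real Windows locations for SMB signing, LDAP signing, and the LM compatibility level, while the Expected values are this example's own hardened baseline rather than SCW's defaults.

```powershell
# Added example, not part of the article: audit the protocol-hardening registry
# settings that SCW's "Configure registry settings" step manages (SMB signing,
# LDAP signing, LM compatibility level) and report drift from a baseline.
# The Expected values are this example's own hardened choices, not SCW defaults.

$Baseline = @(
    # SMB signing, server side: offer and require signed SMB sessions
    @{ Name = 'SMB server EnableSecuritySignature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'EnableSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB server RequireSecuritySignature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    # SMB signing, client (redirector) side
    @{ Name = 'SMB client RequireSecuritySignature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    # LM compatibility level 5: send NTLMv2 only, refuse LM and NTLM
    @{ Name = 'LSA LmCompatibilityLevel'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expected = 5 },
    # LDAP signing: the server-side key exists only on domain controllers
    @{ Name = 'LDAP server LDAPServerIntegrity (2 = require signing)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Name = 'LDAP client LDAPClientIntegrity (1 = negotiate signing)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Value = 'LDAPClientIntegrity'; Expected = 1 }
)

function Test-ScwRegistryBaseline {
    param([object[]] $Settings = $Baseline)
    foreach ($s in $Settings) {
        $actual = $null
        # A missing key (e.g. NTDS on a non-DC) or missing value is reported as "not set"
        if (Test-Path $s.Path) {
            $item = Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue
            if ($item -ne $null) { $actual = $item.($s.Value) }
        }
        $shown = 'not set'
        if ($actual -ne $null) { $shown = $actual }
        New-Object PSObject -Property @{
            Setting   = $s.Name
            Expected  = $s.Expected
            Actual    = $shown
            Compliant = ($actual -ne $null -and [int]$actual -eq $s.Expected)
        }
    }
}

# Non-compliant rows sort first so drift is visible at a glance
Test-ScwRegistryBaseline | Sort-Object Compliant | Format-Table Setting, Expected, Actual, Compliant -AutoSize
```

Run it as an administrator on the hardened server before and after applying the SCW policy; a setting that reads "not set" means the value is absent and the operating system default applies.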
Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.