The Security Configuration Wizard (SCW) is Microsoft's latest addition to its security configuration tool portfolio. SCW is included in Windows Server 2003 Service Pack 1 (SP1), which is currently planned for release in the first half of 2005. SCW guides administrators through configuring, editing, applying, and rolling back security policies on Windows 2003 SP1 servers. It specializes in easing the process of hardening servers that perform particular server roles, such as Microsoft IIS and Microsoft Exchange Server. Let's look at where SCW fits in among Microsoft's other security configuration tools and why you might want to use it.
SCW Characteristics
SCW is role-based. It can generate XML-formatted security policy files that are tailored to a server's role (e.g., file server, Exchange Server front-end server, print server). SCW can deal with role dependencies. For example, if you select the Active Directory (AD) server role, SCW automatically adds the File Replication Service (FRS) server role because AD domain controllers (DCs) use FRS to replicate the Sysvol folder between them. SCW uses an extensible knowledge base that holds a list of preferred security settings for different Windows server roles. The SCW security policy files can configure a server's service, registry, audit policy, and Microsoft IIS configuration settings. You can enforce SCW policies by using SCW itself or by transforming SCW policies into Group Policy Objects (GPOs).
Three important reasons for Windows administrators to use SCW are:
SCW reduces the time needed to create a baseline security policy for a particular server type. Instead of reading several hardening guidance documents, an administrator can leverage SCW's built-in knowledge base.
Administrators can use SCW to create a security policy for a particular server role on one server, then automatically apply it to all the servers in their organization that have the same role.
SCW is an important tool for reducing the attack surface of a Windows server system. As opposed to other Microsoft security policy configuration tools (Security Configuration Editor—SCE—and GPOs), it can lock down a Windows system's network ports, thwarting potential security breaches.
Getting Started
SCW is an optional Windows component included in Windows 2003 SP1. To install it, use the Add/Remove Windows Components option in the Add or Remove Programs Control Panel applet. After installation, the SCW icon will show up in the Administrative Tools folder. To start the graphical SCW from the command line, type
scw
To run SCW on standalone machines, you need local administrator permissions; on domain-joined machines, you need local administrator or domain administrator permissions. A machine can be configured by using SCW only if it's running Windows 2003 SP1 and has SCW installed. You can run SCW against a machine locally or remotely. Before starting SCW, make sure that all applications that use inbound network ports are running.
SCW Content
When you run the graphical version of SCW, it guides you through a set of dialog boxes, each of which lets you perform a different security configuration step:
Select whether you want to create a new policy, edit an existing policy, apply a policy, or roll back the last applied policy.
Select the server you want to use as the baseline server for policy creation, the server on which you want to edit a policy, or the server on which you want to apply or roll back a policy.
View the Security Configuration Database content, as Web Figure 1 (http://www.windowsitpro.com, InstantDoc ID 44992) shows. This is your chance to study or review which roles and services your server should provide before moving on to the actual generation of an SCW policy file or configuration of a server.
Configure role-based services. Before you run through this SCW section, you must have a complete view of the roles and services a particular server should provide. This section comprises multiple steps, all of which let you enable or disable server services and block or unblock network ports by selecting or clearing the check boxes of server roles and configuration options:
Select server roles, which include DC, DHCP server, DFS server, file server, and Exchange Server 2003 back-end server. To see the roles and services required for a particular role, click the triangle that points to the role, as Figure 1 shows.
Select client features. Client features are services that use services provided by other servers (e.g., the DHCP client service). To see the services required for a particular client feature, click the triangle that points to the role.
Select administration and other options. This step lists all options that you can install on a server (e.g., Alerter, Time Synchronization, UPS service). To see the services required for a particular administration option, click the triangle that points to the role.
Select additional services. These are services that aren't defined in the SCW database but that SCW found on the machine.
Handle unspecified services. This step lets you disable services that weren't specified in the previous SCW pages.
If you're creating a new policy, SCW by default displays the roles, client features, and administration options that are currently installed on the server on which you're running the wizard. If you're editing an existing policy, the wizard displays the roles, client features, and administration features enabled in the policy. To display, for example, all the roles defined in the SCW database, select the All Roles option in the View drop-down menu that Figure 1 shows. SCW can't configure security policy settings for the Internet Connection Sharing (ICS), Internet Security and Acceleration (ISA) Server, RRAS, or Small Business Server (SBS) roles because these roles aren't defined in the SCW database.
Configure network security. In this section of steps, you can define Windows Firewall and IP Security (IPSec) settings (i.e., you can define open or blocked inbound ports and the applications that are approved to use particular ports). SCW doesn't display all ports but rather filters ports based on the service and role options that you selected in the previous section. If you don't see a particular port, you can add it manually by clicking Add on the Open Ports and Approve Applications page. To configure IPSec settings for a particular port, click Advanced on the Open Ports and Approve Applications page. On machines with multiple NICs, you can disable or enable individual ports for certain interfaces by using the Local Interface Restrictions tab in the advanced port properties dialog box. Figure 2 shows the dialog box for restricting remote access to a local system port by using IPSec for a certain IP address, computer name, IP subnet, or range of IP addresses.
Configure registry settings. In this section, you can configure a set of Windows communication protocol security options, including Server Message Block (SMB) and Lightweight Directory Access Protocol (LDAP) signing and the LM compatibility level setting. The latter is used to determine which versions of the NT LAN Manager (NTLM) authentication protocol are made available to server users. Web Table 1 summarizes the registry settings configurable through SCW.
Configure audit policy. This section lets you set a Windows server's auditing options. The options are: don't audit, audit only successful events, and audit both successful and unsuccessful events. The auditing option you choose applies to the different Windows auditing categories (e.g., audit system events, audit logon events).
Configure Microsoft IIS. This section is available only for servers on which you selected the Web server role. You can use this section to configure several IIS-related settings, including the supported Web service extensions (e.g., Active Server Pages—ASP), the retained virtual directories, and the blocking or unblocking of anonymous access to Web content.
Save the security policy, view it, and include security templates. This section allows you to save and view the complete policy when you're done creating or editing it, as well as import existing security templates (.inf files) into the policy, as Figure 3 shows. This feature is needed because you can't use SCW to configure all the security settings that you can configure by using the security templates that SCE and GPOs use. The settings that SCW applies because of an imported security template can't be undone by using the SCW rollback option. Note in Figure 3 that you can import multiple templates into a single SCW policy and set an application priority order for them.
Apply the policy now or later. The wizard lets you immediately apply the policy or save it for later application.
Microsoft on Tuesday announced that it would retire its $50-a-year security subscription product, Windows Live OneCare, and replace it with a free solution codenamed "Morro." Unlike OneCare, however, Morro will focus only on core anti-malware features and ...
Order Your SQL Fundamentals CD Today! Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
You've Deployed SharePoint...Now What? This one-day free online conference delivers the technical knowledge needed to kick MOSS up a notch. In one information-packed day, independent SharePoint experts will present practical, real-world information and provide take-away, ready-to-use solutions
What Would You Do If You Ran Microsoft? ITTV's 2008 inaugural video contest, "If I Ran Microsoft..." is your chance to tell it like it is. Be goofy or be serious, but don"t miss this chance to have fun, win prizes, and go viral in a major way.
Maximize Your SharePoint Investment This web seminar discusses how true bi-directional replication of SharePoint content from one server to another enables branch offices to maintain access to current SharePoint content.
Previous
Register
