It is no secret that Microsoft needs to work on its operating systems' security. It is also no secret that many of its attempts to date haven't worked as seamlessly as originally intended. However, Microsoft is finally onto something with the introduction of the new Security Configuration Wizard that's bundled with Windows Server 2003 Service Pack 1.
The Wizard works in conjunction with security policies. The resulting security policies can be applied to any server on your network, allowing for consistency and stability of the security settings on all servers. The security policies are created based on a baseline server. Once the security policy is created, it can be applied to the baseline server, or any other server in the organisation.
In this article, we will go over the options that you have as you manœuvre through the Security Configuration Wizard, starting with the options of how to manipulate the security policies. We will also cover key areas that are targeted by the Wizard, including services, network security, registry settings, administration and other server responsibilities.
Getting to the Security Configuration Wizard
The Security Configuration Wizard is not installed by default after you install Windows Server 2003 Service Pack 1. You will need to go through the Add/Remove Windows Components applet in Control Panel to install the Wizard.
After the Wizard is installed, you can access it easily by going to the Administrative Tools menu from the Start Menu.
You should note the message that is highlighted with the yellow yield sign. The message indicates that the wizard will detect inbound ports that are being used by this server. This requires that all applications that use inbound ports be running before you run the Wizard and create the security policy.
Working with security policies
Once you launch the Wizard, you will first be prompted to make a decision about the security policy you are going to be working with. You can create a new policy, edit an existing policy, apply an existing policy, or roll back the last applied policy.
Security policies are created as XML files, using the XML file extension. The default security policy storage location is C:WindowsSecuritymsscwpolicies. You can provide a description with each security policy, which is extremely useful if you have a multitude of policies.
When you work with the security policy XML file, you won’t be working with the file as a whole; you will be working with the file in different sections. These sections are organised and referenced within the Security Configuration Wizard interface using a security configuration database structure. You can view the security configuration database using the SCW Viewer.
Configuring the security policy
Once the security configuration database is generated, you will work within the Security Configuration Wizard to make the security settings desired for a server or group of servers. The Wizard will gently walk you through an assortment of sections related to the roles and functions that the server is responsible for.
The following is a summary of the different sections that you will encounter as you configure the security policy.
Role-based service configuration
This section provides a way to configure the services that are installed and available based on the server’s role and other features. The Wizard is not designed to install components or set up a server to perform specific roles. Instead, it is designed to enable services and open ports based on a list of server roles and client features.
Note that, to install components or set up a server for a role, run the Configure Your Server Wizard.
This section is broken down into subsections, which allow you to select server roles, client functions, services, etc. Here is a list of the subsections that you will encounter for the role-based service configuration section:
- Select Server Roles
- Select Client Features
- Select Administration and Other Options
- Select Additional Services
- Handling Specific Services
- Confirm Service Changes
This section is designed to configure inbound ports using Windows Firewall. The configurations will be based on the roles and administration options that were selected in the previous section. You will also be able to restrict access to ports and configure port traffic to be signed or encrypted using IPSec. The selection of the ports are based on ports and applications that use specific ports.
This section is designed to configure protocols used to communicate with computers on the network. Security for communication protocols is important due to legacy Windows operating systems requiring protocols that are vulnerable to password cracking and man-in-the-middle attacks. The key areas targeted in this section include:
- SMB Security Signatures
- LDAP Signing
- Outbound Authentication Protocols
- Inbound Authentication Protocols
This section will configure the auditing of the server based on your auditing objectives. The audit policy within the Wizard can be configured to not audit any events, audit only successful events, or audit both successful and unsuccessful events. The audit policy will not only configure the Object Access events, but the entire audit policy list of events. You can see what the audit policy will be for a server that should be auditing both successful and unsuccessful events from the Audit Policy Summary dialog.
Internet Information Services
This section will only display if you selected the server to run the Web server role. This section is designed to configure the security aspects of Internet Information Services (IIS). The subsections that you will be shown for this section include:
- Select Web Service Extensions for Dynamic Content
- Select Virtual Directories to Retain
- Prevent Anonymous Users from Accessing Content Files
Once you have your security policy created, you are empowered to control other computers on the network in a consistent and secure configuration. When you save the security policy, you will be given the opportunity to also include one or more security templates within the policy. This added option of including security templates provides a powerful way to centralise the security settings for servers within your organization. An excellent built-in feature of using the security policy is the ability to use the rollback feature. This feature allows you to back out of the most recent security policy application, if applications, service, or other functions fail due to settings that are too secure.