Dear Friends,
This article contains tips, tricks and steps for using the Security Configuration Wizard (SCW) included in Windows Server 2008. I was recently working on locking down Windows Server 2008 with IIS. By default, Windows Server 2008 is more locked down than any previous Microsoft server OS (PS: so is IIS). I wasn't sure where to begin. I had used SCW in previous operating systems, so I figured that would be a good place to start. I quickly discovered that Microsoft has done an excellent job with SCW: it's easy to use and creates XML files that can be edited for later use and/or turned into a GPO (Group Policy Object). Probably the most flexible thing I discovered is that you can run SCW, save your settings and not apply the policy. The GPO option really captured my attention! You may wonder why the GPO option is so awesome: you can set up your custom policy and then apply it to OUs containing the targeted machines, such as internet-facing servers. This technique provides a consistent policy across all your machines.
To get started, I created a model machine which included all the necessary IIS modules. I executed the steps below, then used scwcmd (the command-line version of SCW) to 'transform' the XML file into a GPO. One thing to be aware of: the user account that executes scwcmd needs permission to create GPOs, which are stored on an Active Directory (AD) domain controller. I HIGHLY recommend doing this in a controlled / test environment before implementing in production. Also, if you are not in control of your AD environment, get with your AD techs to have them grant the permissions.
A few tips I recommend: perform this in an isolated environment using a virtual machine. You can use Virtual PC, VMware Server or Hyper-V. When I applied the policy, the Terminal Services service was disabled, preventing me from accessing the machine remotely. The first time I ran the process I said, "What the heck, I'll apply the policy." Luckily the machine was a VMware VM. :) Other settings that were captured were firewall rules, things like the Server service (which was recently exploited, and a patch was released) and blocking the normal Microsoft ports (135, 137, 138, 139, 445). For internet-facing servers, I would think there aren't too many reasons to have these ports open. If you do need the ports open, you can set your Windows Firewall rules to only allow certain machines, for example your NAS / SAN connections where the content files reside. In conclusion, Microsoft has provided a tool to help lock down Windows Server 2008. I hope you find this article useful.
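The "only allow certain machines" idea above, worked through as an added example (this is not code from the original post). It keeps the Microsoft networking ports the SCW policy blocked closed to the internet but reachable from the storage hosts that serve the web content. The storage addresses and rule names are constructed placeholders; netsh advfirewall is the firewall command line that ships with Windows Server 2008 (the New-NetFirewallRule cmdlets did not exist until Server 2012).

```powershell
# Added example, not from the original post: scope inbound access to the
# Microsoft networking ports to the NAS/SAN hosts only.
# Assumptions: the addresses below are constructed placeholders for your
# storage hosts; netsh advfirewall is used because it is the Windows
# Server 2008 firewall CLI.
$StorageHosts = '10.10.20.5,10.10.20.6'   # constructed NAS/SAN addresses

# The ports the post lists: RPC endpoint mapper, NetBIOS name/datagram/session, SMB.
$Rules = @(
    @{ Name = 'SCW-RPC-135-storage-only';     Proto = 'TCP'; Port = 135 },
    @{ Name = 'SCW-NetBIOS-137-storage-only'; Proto = 'UDP'; Port = 137 },
    @{ Name = 'SCW-NetBIOS-138-storage-only'; Proto = 'UDP'; Port = 138 },
    @{ Name = 'SCW-NetBIOS-139-storage-only'; Proto = 'TCP'; Port = 139 },
    @{ Name = 'SCW-SMB-445-storage-only';     Proto = 'TCP'; Port = 445 }
)

foreach ($r in $Rules) {
    # Drop any earlier copy so the script can be re-run safely, then add an
    # inbound allow that is limited to the storage hosts via remoteip.
    & netsh advfirewall firewall delete rule "name=$($r.Name)" | Out-Null
    & netsh advfirewall firewall add rule "name=$($r.Name)" dir=in action=allow `
        "protocol=$($r.Proto)" "localport=$($r.Port)" "remoteip=$StorageHosts"
}

# Any other source hitting those ports must fall through to the profile's
# default inbound action, so pin that default to block on every profile.
& netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Read back what was actually written before trusting it.
& netsh advfirewall firewall show rule name=all | Select-String 'SCW-'
```

Two things to check when the SCW policy later goes out as a GPO: the GPO's firewall rules replace whatever SCW captured locally, and whether locally created rules like these still count is controlled by the GPO's "Apply local firewall rules" merge setting. The safer option is to put the storage-scoped rules into the SCW policy itself so they travel with the GPO.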
Security Configuration Wizard
With the Security Configuration Wizard (SCW), you can reduce the attack surface of a computer running the Windows Server® 2008 operating system by customizing the security settings of server roles.
What does the Security Configuration Wizard do?
The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. It provides an easy way to create or modify a security policy for your server based on its role. You can then use Group Policy to apply the security policy to multiple target servers that perform the same role. You can also use SCW to roll back a policy to its prior configuration for recovery purposes. With SCW, you can compare a server's security settings with a desired security policy to check for vulnerable configurations in the system.
The version of SCW in Windows Server 2008 includes more server role configurations and security settings than the version of SCW in Windows Server 2003. Also, by using the version of SCW in Windows Server 2008, you can:
- Disable unneeded services based on the server role.
- Remove unused firewall rules and constrain existing firewall rules.
- Define restricted audit policies.
Once a security policy is created with SCW, you can use the Scwcmd command-line tool to:
- Apply the policy to one or more servers.
- Roll back policies.
- Analyze and view an SCW policy on multiple servers, including compliance reports that can show any discrepancies in the configuration of a server.
- Transform an SCW policy into a Group Policy object (GPO) for centralized deployments and management by using Active Directory Domain Services (AD DS).
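The Scwcmd workflow listed above, and the transform step from the introduction, driven from PowerShell on a Windows Server 2008 machine. This is an added example, not code from the original post or from Microsoft; the policy file, server names, test VM and GPO display name are placeholders. The verbs and switches (analyze /m: /p: /o:, view /x: /s:, configure /m: /p:, rollback /m:, transform /p: /g:) are the documented scwcmd ones; treating a non-zero exit code as failure is this example's choice.

```powershell
# Added example: drive scwcmd.exe from PowerShell on Windows Server 2008.
# Placeholders (not from the original post): policy file, server names,
# test VM and GPO display name. Run as an account allowed to create GPOs.
$Policy  = 'C:\Policies\IIS-Web-Lockdown.xml'   # saved from the SCW GUI without applying
$Servers = @('WEB01', 'WEB02')                  # constructed hostnames
$TestVm  = 'WEBTEST01'                          # constructed: an isolated VM, never production
$Results = 'C:\Policies\Analysis'
$GpoName = 'SCW - Internet-facing IIS'

New-Item -ItemType Directory -Path $Results -Force | Out-Null

function Invoke-Scwcmd {
    # Run one scwcmd verb and stop on failure (assumption: a non-zero exit
    # code from scwcmd.exe means the operation did not complete).
    param([string[]]$Arguments)
    & scwcmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Analyze: compare each server with the saved policy without changing it.
#    scwcmd writes one <ServerName>.xml result per server into $Results.
foreach ($s in $Servers) {
    Invoke-Scwcmd @('analyze', "/m:$s", "/p:$Policy", "/o:$Results")
}

# 2. View: render a result with the stylesheet shipped with SCW (it opens in
#    the browser) to read which services, firewall rules or audit settings
#    differ from the policy before anything is enforced.
$Xsl    = Join-Path $env:windir 'security\msscw\TransformFiles\scwanalysis.xsl'
$Report = Join-Path $Results "$($Servers[0]).xml"
Invoke-Scwcmd @('view', "/x:$Report", "/s:$Xsl")

# 3. Configure the test VM only. This is the step that disabled Terminal
#    Services in the post; confirm remote access afterwards, and if it is
#    gone, roll the VM back to its prior configuration:
Invoke-Scwcmd @('configure', "/m:$TestVm", "/p:$Policy")
#    Invoke-Scwcmd @('rollback', "/m:$TestVm")

# 4. Transform the saved policy into a GPO. The GPO is created unlinked;
#    link it to the OU holding the internet-facing servers with GPMC.
Invoke-Scwcmd @('transform', "/p:$Policy", "/g:$GpoName")
```

For fleets, analyze, configure and rollback also accept an OU (/ou:) or a text file of machine names (/i:) in place of /m:, which is how the compliance reports in the list above are produced across many servers at once. Keep the GPO unlinked until the analysis results for the real servers look right; once linked, the policy is enforced on every machine in that OU at the next Group Policy refresh.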
Who will be interested in this feature?
You will be interested in this feature if you are an IT professional in one of the following groups:
- IT professionals who deploy or administer server security solutions in an organization
- IT professionals at small-sized or medium-sized organizations who want to easily and quickly create and apply security policies to one or more servers
- IT professionals who are security specialists at organizations that employ regulatory compliance scenarios and requirements
Here are the steps to run SCW.