Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. It features a collection of resources and magazines for Windows IT professionals.
  
  


June 26, 2008

Using the Security Configuration Wizard to Harden Your Windows Servers


Q: I'm looking for an easy way to harden the security settings of my Windows file servers. What tool would you recommend I use?

 

A: I recommend using the Security Configuration Wizard (SCW), which Microsoft first included in Windows Server 2003 SP1. The SCW guides administrators through the process of configuring, editing, applying, and rolling back security policies on Windows servers. SCW security policies can be enforced using the SCW or Windows Group Policy Object (GPO) settings.

     

The SCW is role-based and can generate XML-formatted security policy files that are tailored to a server’s specific role. Sample roles include a file server, a Microsoft Exchange front-end server, and a print server. You can use the SCW to create a security policy for a particular server role on one server, and then automatically apply it to all the servers that have the same role in your organization.

     

The SCW uses an extensible knowledge base that contains a list of preferred security settings for different Windows server roles, and it reduces the time needed to create a baseline security policy for a particular server type. Instead of reading several hardening guidance documents, you can leverage the SCW’s built-in knowledge base.

     

You can also use the SCW to configure several security-related server configuration settings such as enabled or disabled services and their inbound or outbound network connectivity, security-related registry settings (e.g., Server Message Block—SMB—signing and LAN Manager authentication levels), and the audit policy. In addition, the SCW can lock down the network ports on a Windows system. Network ports that typically would have been open and thus listening for incoming requests are effectively shut down, thwarting potential security breaches. In Windows 2003, the SCW is also an important tool for reducing the attack surface of a Windows server.

     

To apply SCW security policies in Windows domain environments, I recommend transforming the SCW policy into GPO settings and applying the security policies through the GPO. Doing so will enable you to apply the SCW policy to multiple servers at one time. It's a less time-consuming solution for applying security policies than having to run the SCW on each individual server. Transferring the SCW security policy to a GPO is a must if your organization uses GPOs extensively. If you don’t transfer the SCW security settings to a GPO, they could be overridden by settings defined in Active Directory (AD) GPOs.

     

To transform SCW policies into GPO settings, use scwcmd.exe, a command-line utility that's included with the SCW. The following command is an example of how you can use scwcmd.exe to transform the fileserver.xml SCW security policy file into a GPO called FileServerPolicy:

 

scwcmd transform /p:%windir%\security\msscw\policies\fileserver.xml /g:FileServerPolicy

 

When you run this command, the SCW will create a GPO folder for the newly created GPO in the SYSVOL folder. This folder will contain an .inf file for the security settings GPO extension, a .pol file for the Windows Firewall GPO extension, and an IPSec configuration blob for the IPSec GPO extension.

     

After the GPO has been successfully created, you can link it to an AD object. For example, you can link the GPO to an AD organizational unit (OU) to apply the SCW settings to the machines that are stored in that OU. When linking an SCW-derived GPO to an AD object, you must make sure that you link it at the right AD level. Keep in mind the AD GPO application order (i.e., Local GPO, Domain GPO, Site GPO, Parent OU GPO, Child OU GPO) and the fact that GPOs that are applied later in the application process will overwrite GPOs that were applied earlier.
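The transform-and-link procedure described above, scripted in PowerShell as an added example (it is not from the original article). The pilot server name, OU path, and report directory are hypothetical placeholders, scwcmd.exe is assumed to return a non-zero exit code on failure, and the link step assumes the GroupPolicy module is installed.

```powershell
# Added example: pre-checks, pilot analysis, transform, and a disabled GPO link.
# Assumptions: pilot server, OU, and report path are hypothetical placeholders;
# scwcmd.exe is assumed to return a non-zero exit code on failure.
param(
    [string]$PolicyFile  = "$env:windir\security\msscw\policies\fileserver.xml",
    [string]$GpoName     = 'FileServerPolicy',
    [string]$PilotServer = 'FS-PILOT01',
    [string]$TargetOu    = 'OU=FileServers,DC=example,DC=com',
    [string]$ReportDir   = "$env:TEMP\scw-analysis"
)
$ErrorActionPreference = 'Stop'

# Run scwcmd.exe and stop the script if the call reports a failure.
function Invoke-Scwcmd {
    param([string[]]$Arguments)
    & scwcmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Refuse to continue if the policy file is missing or is not well-formed XML.
if (-not (Test-Path -LiteralPath $PolicyFile)) { throw "Policy not found: $PolicyFile" }
[void][xml](Get-Content -LiteralPath $PolicyFile -Raw)

# 2. Compare one pilot server with the policy before touching AD;
#    the analysis results are written to $ReportDir for review.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
Invoke-Scwcmd -Arguments 'analyze', "/m:$PilotServer", "/p:$PolicyFile", "/o:$ReportDir"

# 3. Transform the SCW policy into a GPO (same command as in the article).
Invoke-Scwcmd -Arguments 'transform', "/p:$PolicyFile", "/g:$GpoName"

# 4. Link the new GPO to the OU with the link disabled, so no server
#    receives the settings until the GPO has been reviewed.
Import-Module GroupPolicy
$gpo = Get-GPO -Name $GpoName
New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled No | Out-Null
Write-Output "GPO '$GpoName' ($($gpo.Id)) linked to $TargetOu with the link disabled."
```

After reviewing the analysis results and the GPO contents, enable the link with Set-GPLink and -LinkEnabled Yes.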

     

You can use the SCW to reduce the attack surface of a Server 2008 server; however, using the SCW in Server 2008 is less useful than it is in Windows 2003 because some of the SCW’s tasks are now performed by the Server Manager. When you install Server 2008, the Server Manager automatically determines what's needed based on the server roles the administrator selects, and it implements the minimum functionality that's required for those roles.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.