Role-based security at your fingertips
Want a new and easy method of securing your servers according to their roles? Tired of digging through white papers and Microsoft documentation while you try to piece together the optimal security configuration? The new Security Configuration Wizard (SCW), which comes with Windows Server 2003 Service Pack 1 (SP1), can help you quickly and easily reduce the attack surface of your Windows 2003 SP1 servers. SCW's primary goal is to define security according to a server's role or roles (e.g., Microsoft SQL Server, Exchange Server, Certificate Server, domain controller—DC). Not only can SCW provide configurations for computers that play a single role, the Wizard can also determine dependencies for computers that hold several roles on the network.
When you run SCW, it asks a series of questions designed to determine the functional requirements of the target server (i.e., the system for which you want to author, deploy, or roll back a security policy). Based on your answers and on its analysis of the target server's current configuration, SCW lets you author a security policy that you then can apply (via the Wizard's GUI or command-line version, or through Group Policy) to lock down the target computer. You can also use SCW to roll back a deployed configuration, returning the target system to its pre-policy state. (Note that I wrote this article based on the Windows 2003 SP1 Release Candidate—RC—so some details might differ slightly in the final SCW version.)
SCW can be installed only on Windows 2003 SP1 systems. After you install or upgrade to SP1, SCW will be available as an option in the Control Panel Add or Remove Programs applet. To install SCW, log on as a user who's a member of the local Administrators group on the target computer. Open the Add or Remove Programs applet, then click Add/Remove Windows Components to launch the Windows Components Wizard. On the Windows Components page, which Figure 1 shows, select the Security Configuration Wizard check box (from the Components list), then click Next. When the installation has completed, click Finish, then close the applet.
The installation installs both a GUI and command-line version of SCW. The GUI version (scw.exe) is added to the Administrative Tools folder; the command-line version (scwcmd.exe) is added to the \%SystemRoot%\system32 folder.
SCW also installs an XML-based security-configuration database, referred to as the SCW knowledge base, that contains role-specific security-configuration information derived from best-practice documents, white papers, prescriptive architecture guides, and other Microsoft security documentation and literature. This knowledge base contains predefined security-configuration definitions for more than 50 roles. If you'd rather not use the knowledge base's default local copy, you can implement a network share that maintains a centralized copy of the database. To do so, specify the location of the centralized database by launching SCW and referencing the shared knowledge base, as the following sample command shows.
scw /kb \\server\scwkbshare
What Can It Do?
When you use SCW to author a security policy, the Wizard carries out several actions to harden the target server. These actions include disabling unnecessary services and Microsoft IIS Web extensions, blocking certain ports and using IP Security (IPsec) to secure the ports that are left open, letting you configure auditing settings, letting you import Windows security templates, and securing NT LAN Manager (NTLM), Lightweight Directory Access Protocol (LDAP), and Server Message Block (SMB) transmissions.
Disable unnecessary services and IIS Web extensions. SCW disables those services that aren't required by the role or roles that you configure for the target computer. If IIS is installed on the target system, SCW also disables all unnecessary IIS Web extensions. For example, if the target system's specified role doesn't require Active Server Pages (ASP) but ASP is enabled on the system, SCW will disable ASP.
Block or secure ports. After you've defined the target system's necessary services, SCW uses a combination of Windows Firewall and IPsec to block any ports that aren't required by those services. If the target computer is multihomed, the wizard can limit services to specific interfaces. You can also tell SCW to implement IPsec to restrict the computers that are allowed to connect to open ports.
Configure audit settings. SCW lets you define auditing objectives (e.g., auditing for intrusion detection, enabling forensic investigation) for the target system.
Import existing Windows security templates. SCW lets you import existing Windows security templates, which can supply existing role definitions and settings.
Secure NTLM, LDAP, and SMB transmissions. SCW poses a series of questions to identify clients that will connect to the target computer, then secures NTLM, LDAP, and SMB transmissions according to your answers. Specifically, SCW
Aside from using SCW to author security polices, you can use the Wizard to perform several configuration or analysis tasks. You don't have to perform these operations on the local computer; you can select a remote computer as the target. (You must be a member of the local Administrators group on the target computer.) You can use the Wizard to compare a target computer's security configuration with a defined security policy so that you can determine whether the target computer is compliant with that policy. You can use SCW's command-line version, scwcmd.exe, to convert security policies to security templates, which you can import into a Group Policy Object (GPO) that you can then apply to computer accounts. You also can use scwcmd.exe to configure or analyze multiple target computers. SCW supports the use of Extensible Style Language (XSL) to transform the Wizard's XML definitions, security policies, and analysis results into HTML documents (for easier viewing). And if your network or your organization's policies change, you can use SCW to modify the policies you've created.
Authoring a Security Policy
You can use SCW to author a security policy according to a server's role. To show you how the procedure works, the Web-exclusive sidebar "Authoring a Security Policy: Step by Step" (http://www.windowsitpro.com/ windowssecurity, InstantDoc ID 45629) walks through the process of using the Wizard to author a policy designed to protect a Windows 2003 Certificate Server that implements Certificate Services Web enrollment pages. These pages require IIS with ASP, and the server will need to enable Remote Desktop to allow remote administration.
Deploying a Security Policy
After you've authored a security policy, the next logical step is to deploy it to the computer or computers that act in that server role. The deployment process differs according to the method you use: SCW itself, the command line, or Group Policy.
SCW. The easiest way to deploy a single security policy to one local or remote server is to use the SCW GUI. Log on to a computer on which SCW is installed; log on as a member of the local Administrators group if you'll be applying the security policy to the local computer or as a member of the target computer's local Administrators group if you're applying the security policy to a remote computer.
Open Administrative Tools, Security Configuration Wizard. On the Welcome to the Security Configuration Wizard page, click Next. On the Configuration Action page, click Apply an existing security policy, then click Browse. (By default, custom security policies are stored in the \%SystemRoot%\security\msscw\policies folder.) In the Open dialog box, click the security-policy XML file that you want to apply, then click Open.
On the Configuration Action page, click Next. On the Select Server page, indicate the target server's DNS name, NetBIOS name, or IP address, then click Next. On the Apply Security Policy page, you can review the policy settings by clicking View Security Policy. When you're sure that you're applying the correct security-policy file, click Next.
The Applying Security Policy page appears, showing you the progress of the security-policy application process. When the status bar states Application complete, click Next. On the Completing the Security Configuration Wizard page, click Finish.
Command line. Another method of deploying a security policy is to use the SCW's command-line version. The advantage of using the command line is that you can script the deployment to target multiple computers.
To deploy the security policy from the command line, you must use the scwcmd configure command. The command uses the following syntax:
scwcmd configure \[\[\[/m:machine | /ou:ou\] /p:policy\] | /i:machinelist\] \[/u:username\] \[/t:threads\]
For example, to apply a security policy named CertAuthorities.xml to all Certification Authorities (CAs) in an OU named OU=CAs,DC=Servers,DC= identit,DC=ca, I'd use the following command:
scwcmd configure /ou: CAs, DC=Servers,DC=identit,DC= ca /p:CertAuthorities.xml
To implement a machine list for the deployment, I'd create an XML file like the one that Listing 1 shows. To deploy the systems that this file—which I named ServerSystems.xml—lists, I'd use the following command:
scwcmd configure /i:ServerSystems.xml /t:100
This command also increases the number of threads to 100 to increase the speed of the deployment.
Group Policy. You can use the scwcmd transform command to transform the Wizard's XML security-policy files into security-template files that you can then deploy by using Group Policy. This operation creates a GPO in AD and copies all the resulting files into that GPO. To use the scwcmd transform command, you must be a member of the Domain Admins group or have the delegated ability to create GPOs, and the Windows Firewall service must be enabled on the computer on which you will execute the command. To create the GPO, run the command with the syntax
scwcmd transform \[/p:policyfile.xml\] \[/g:GPODisplayName\]
For example, to transform the CertAuthorities.xml security policy into a security template in a GPO named PKI Issuing CA Security Policy, I'd use the following command:
scwcmd transform /p:CertAuthorities.xml /g:"PKI Issuing CA Security Policy"
Note that IIS security settings aren't deployable through Group Policy. Therefore, if a security policy includes IIS security settings, you must apply these settings by using the Wizard's GUI or command-line version. For example, if you were disabling specific services within IIS (e.g., disabling WebDAV), you would need to do so through the SCW GUI or the scwcmd command. You could not enable the IIS security setting through Group Policy.
Once the GPO is created, you can link it to an OU that contains the computer accounts to which you want to apply the security policy. To do so, log on as a member of the Domain Admins group or with an account that's been delegated the permissions to link GPOs to an OU. Open the Microsoft Management Console (MMC) Active Directory Users and Computers console. Ensure that the console is connected to the domain that contains the target computer accounts. Right-click the OU that contains the computer accounts, then select Properties from the context menu. On the Group Policy tab, click Add. In the Add a Group Policy Object Link dialog box, go to the All tab. From the Look in drop-down list, select the domain in which the GPO was created, select the GPO (e.g., PKI Issuing CA Security Policy), then click OK. In the OU Properties dialog box, click OK.
Rolling Back a Security Policy
The process of applying a security policy creates a rollback-policy file in the \%SystemRoot%\security\msscwrollback folder. This rollback policy lets you revert the target server to its earlier, presecurity policy state.
To roll back a target server, log on to a computer on which SCW is installed. Log on as a member of the target computer's local Administrators group. The computer must have access to the rollback file that was created when you applied the security policy to the target computer.
Open the SCW GUI. On the Welcome to the Security Configuration Wizard page, click Next. On the Configuration Action page, click Rollback the last applied security policy, then click Next. On the Select Server page, select the target server's DNS name, NetBIOS name, or IP address, then click Next. On the Rollback Security Configuration page, you can review the rollback settings by clicking View Rollback File. When you're sure that you're applying the correct file, click Next.
The Rolling Back Security Configuration page appears, showing you the progress of the rollback operation. When the status bar states Rollback complete, click Next. On the Completing the Security Configuration Wizard page, click Finish.
To take full advantage of SCW, I suggest you follow several best practices. First, define the security roles that your network servers use. Second, create an OU structure, such as the one that Figure 2 shows, that enforces the use of roles. Deploying separate OUs for each role type lets you apply the security policies through Group Policy. Third, test all security policies in a test environment before deploying them on production servers. If you don't have a true test forest, consider using a virtualized network environment (courtesy of virtual machine—VM—technology). And fourth, convert your security policies to GPOs to enable consistent application of the policies.
SCW is a handy tool that can simplify the process of securing your Windows 2003 SP1 servers. Give it a spin.