Lock down Windows Server 2003 with the Security Configuration Wizard

http://articles.techrepublic.com.com/5100-10878_11-6081763.html

Takeaway: If you've been looking for a way to standardize and simplify security settings for your Windows Server 2003 servers, don't overlook the Security Configuration Wizard. Mike Mullins has the details in this edition of Security Solutions.

Many organizations struggle with implementing the proper security features on a new Windows Server 2003 installation, and some just add security as needed. As far as resources go, there are multiple sources for checklists and guides available, including SANS, NSA, NIST, and a host of others. However, rather than reading through hundreds of pages of documentation and creating custom security templates, there's an easier way—the Security Configuration Wizard.

This wizard contains an XML database that includes every service, feature, and administration option for every server deployment type. Whether you're deploying a DNS, Exchange, File and Print, Domain Controller, or any other Windows server, this tool has the settings you need to lock it down.

Run the wizard

The main purpose of this wizard is to implement role-based security on Windows Server 2003. By defining the server's role on the network, you can disable unnecessary services, block unused ports, implement additional address or security restrictions for ports necessary for operation, disable unnecessary IIS Web extensions, and restrict access to server message block (SMB), LanMan, and Lightweight Directory Access Protocol (LDAP) services.

You must have Windows Server 2003 Service Pack 1 installed to run this wizard. To access the wizard, go to Start | All Programs | Administrative Tools | Security Configuration Wizard (Scw.exe).

When you first run the tool, it will prompt you to start or install any network applications (e.g., IIS, Exchange, or SQL) that the server will use, so it can define the server role and apply the proper security settings. The wizard will also ask whether you want to create a new security policy, edit an existing policy, apply a policy, or roll back a policy. For this example, we're using this tool after initial installation, so select Create A New Security Policy.

Define the role

At this point, you can select a predefined role for your server from the wizard's security configuration database. After you select the server role, the wizard will prompt you to select the client features, additional administrative options, additional services (for non-Microsoft applications), and any special handling for these services.

Now, let's take a look at the different sections of the Security Configuration Wizard.

Network security

This section configures inbound ports using the built-in Windows Firewall. The tool bases the displayed settings on the roles and administration options that you've selected. If your organization uses IPSec, you can further restrict access to IP services and ports as well as configure encryption for port traffic using IPSec.

Registry settings

This section configures protocols used to communicate with computers on the network. If you have legacy Windows systems operating on your network (pre-Windows 2000), these systems create an additional vulnerability to password-cracking and man-in-the-middle attacks, and they require special configuration to interoperate with Windows Server 2003. You can adjust the security settings of SMB and LDAP services as well as inbound/outbound authentication protocols for these legacy systems.
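A way to check the result of this section on a hardened server, as an added example that is not part of the original column: a Python audit of saved `reg query` output for the SMB signing, LDAP signing, and LM/NTLM authentication values. The mapping from the wizard's choices to these registry values and the minimum values in `BASELINE` are assumptions of this example, and the sample output is constructed.

```python
import re

# Constructed sample of saved `reg query` output from a Windows Server 2003
# host (not captured from a real system).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x2
    NoLMHash    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RequireSecuritySignature    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    LDAPServerIntegrity    REG_DWORD    0x2
"""

# Assumed baseline: (key suffix, value name) -> (minimum value, finding text).
# LDAPServerIntegrity exists only on domain controllers; drop that row elsewhere.
BASELINE = {
    (r"control\lsa", "lmcompatibilitylevel"): (3, "LM or NTLMv1 responses may still be sent"),
    (r"control\lsa", "nolmhash"): (1, "LM password hashes are still stored"),
    (r"lanmanserver\parameters", "requiresecuritysignature"): (1, "SMB signing is not required"),
    (r"ntds\parameters", "ldapserverintegrity"): (2, "LDAP signing is not required"),
}

def parse_reg_query(text):
    """Return {(key_lower, value_name_lower): int} for every REG_DWORD value."""
    values, key = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", line)
        if line.startswith("HKEY_"):
            key = line.strip().lower()
        elif m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """List baseline values that are missing or below the assumed minimum."""
    found = parse_reg_query(text)
    findings = []
    for (suffix, name), (minimum, why) in BASELINE.items():
        current = next((v for (k, n), v in found.items()
                        if k.endswith(suffix) and n == name), None)
        if current is None or current < minimum:
            findings.append((name, current, why))
    return findings

for name, current, why in audit(SAMPLE):
    print(f"{name}={current}: {why}")
```

A value that is absent from the export is reported with `None`, because the audit cannot confirm the hardened setting was applied.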

Audit policy

This section configures the auditing of the server based on your organization's auditing policy. The Audit Policy Editor allows you to configure the server to not audit any events, audit only successful events, or audit both successful and unsuccessful events.

Warning: If you use the wizard to apply the built-in audit security template to set the System Access Control Lists (SACLs), you cannot remove these settings through the rollback feature.

Internet Information Services

If this server will function as an IIS server, the wizard will prompt you to configure the security for the Web server. You can select the Web service extensions used for dynamic content, select the virtual directories used for your Web server, and allow or deny anonymous access to Web site content.

Final thoughts

While some people might still prefer the pre-Windows Server 2003 method of securing their servers, the Security Configuration Wizard provides a powerful and easy way to create a role-based security template that you can apply consistently to every server you own. If you've been looking for a way to standardize and simplify security settings for your Windows Server 2003 servers, don't overlook the Security Configuration Wizard.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

 
