4. The Security Configuration Wizard
You can use the Security Configuration Wizard to enhance the
security of a server by closing ports and disabling services not
required for the server’s roles.
The Security Configuration Wizard can be launched from the home
page of Server Manager (in the Security Information section) or from
the Administrative Tools folder.
There is also a command-line version of the tool, Scwcmd.exe. Type scwcmd.exe /? at a command prompt for help on the
command, or see http://go.microsoft.com/fwlink/?LinkId=168678.
The Security Configuration Wizard is a next-generation security
management tool, more advanced than the Security Configuration And
Analysis snap-in. The Security Configuration Wizard is role based in
accordance with the role-based configuration of Windows Server 2008
R2. The Security Configuration Wizard creates a security policy—an
.xml file—that configures the following:
- Service startup modes
- Firewall rules (network security)
- Registry settings that govern authentication and communication protocols
- Audit policy
That security policy can then be modified, applied to another
server, or transformed into a GPO for deployment to multiple
systems.
Creating a Security Policy
To create a security policy:
- Launch the Security Configuration Wizard from the Administrative Tools
  folder or the Security Information section on the home page of Server
  Manager. You can open the Security Configuration Wizard Help file by
  clicking the Security Configuration Wizard link on the first page of the
  wizard.
- Click Next.
- On the Configuration Action page, click Create A New Security Policy,
  and then click Next.
- Enter the name of the server to scan and analyze, and then click Next.
The security policy is based on the roles being performed by
the specified server. You must be an administrator on the server for
the analysis of its roles to proceed. Ensure also that all
applications using inbound IP ports are running before you run the
Security Configuration Wizard.
The Security Configuration Wizard begins the analysis of the
selected server’s roles. It uses a security configuration database
that defines services and ports required for each server role
supported by the Security Configuration Wizard. The security
configuration database is a set of .xml files installed in
%SystemRoot%\Security\Msscw\Kbs.
Note: CENTRALIZING THE SECURITY CONFIGURATION DATABASE
In an enterprise environment, centralize the security
configuration database so that administrators use the same
database when running the Security Configuration Wizard. Copy the
files in the %SystemRoot%\Security\Msscw\Kbs folder to a network
folder. Then launch the Security Configuration Wizard with the
Scw.exe command, using the syntax scw.exe /kb
DatabaseLocation. For example, the command
scw.exe /kb \\server01\scwkb launches the Security Configuration
Wizard, using the security configuration database in the shared
folder scwkb on SERVER01.
The Security Configuration Wizard uses the security
configuration database to scan the selected server and identifies
the following:
- Roles that are installed on the server
- Roles that the server is likely to be performing
- Services installed on the server but not defined in the security
  configuration database
- IP addresses and subnets configured for the server
The information discovered about the server is saved in a file
named Main.xml. This server-specific file is called the
configuration database, not to be confused with
the security configuration database used by the Security Configuration Wizard to perform the analysis.
To display the configuration database, click View Configuration
Database on the Processing Security Configuration page.
The initial settings in the configuration database are called the
baseline settings. After the server has been
scanned and the configuration database has been created, you have
the opportunity to modify the database, which will be used to
generate the security policy to configure services, firewall rules,
registry settings, and audit policies. The security policy can then be applied to
the server or to other servers playing similar roles. The Security
Configuration Wizard presents each of these four categories of the
security policy in a section—a series of wizard pages:
- Role-Based Service Configuration: The outcome of this section is a set of policies
that configure the startup state of services on the server. You
want to ensure that only the services required by the server’s
roles start and that other services do not start. To achieve
this outcome, the Security Configuration Wizard presents pages
that display the server roles, client features, and
administration and other options detected on the scanned server.
You can add or remove roles, features, and options to reflect
the desired role configuration.
The server shown in Figure 5 is a
domain controller, and you can see that the AD DS service is
currently configured to start automatically; the policy will
also set the service to start automatically to support the AD DS
role. However, audio is not required for a DC, so the service
named Audiosrv used by the Windows Audio option will be
configured by the policy as disabled.
You cannot change the startup states on the Confirm
Service Changes page of the Security Configuration Wizard. Instead, you must
click the Back button to locate the role, service, or option
indicated in the Used By column and either select or deselect
that item. The service startup policies on the Confirm Service
Changes page are determined by the selected roles, services, and
options. The wizard disables services for roles that you did not
select by configuring the service startup policy as disabled. It
is conceivable that the server on which you run the Security
Configuration Wizard has services that are not defined by the
Security Configuration Wizard security configuration database.
The Select Additional Services page of the wizard
allows you to include those services in the security policy so that, if the services exist on
a system to which you apply the policy, those services will be
started according to the startup setting in the baseline
configuration database.
It is also conceivable that a server to which you apply
the security policy might have services not found on the server
from which you created the security policy. On the Handling Unspecified Services page, you can
specify whether such services should be disabled or allowed to
remain in their current startup mode.
- Network Security: The Network Security section produces the
firewall settings of the security policy. Those settings are
applied by Windows Firewall With Advanced Security. Like the
Role-Based Service Configuration section, the Network Security
section displays a page of settings derived from the baseline
settings in the configuration database. The settings in the
Network Security section, however, are firewall rules rather
than service startup modes. Figure 6 shows the
rule that allows incoming ping requests to a domain controller.
You can edit existing rules or add and remove custom
rules.
Windows Firewall with Advanced Security combines
Internet Protocol Security (IPSec) and a stateful firewall that
inspects and filters all IP version 4 (IPv4) and IP version 6
(IPv6) packets, discarding unsolicited packets unless a firewall
rule has been created to allow traffic explicitly to a port
number, application name, or service name. The security policy generated by the Security Configuration Wizard manages firewall
rules, but IPSec configuration is not provided by the Security
Configuration Wizard.
- Registry Settings: The Registry Settings section configures protocols
used to communicate with other computers. These wizard pages
determine server message block (SMB) packet signing,
Lightweight Directory Access Protocol (LDAP) signing, LAN Manager (LM) authentication levels, and
storage of password LM hash values. Each of these settings is
described on the appropriate page, and a link on each page takes
you to a Security Configuration Wizard Help page that explains
the setting.
- Audit Policy: The Audit Policy section generates settings that
manage the auditing of success and failure events and the file
system objects that are audited. Additionally, the section
allows you to incorporate a security template called SCWAudit.inf into the security policy. Use the
Security Templates snap-in, described earlier in this lesson, to
examine the settings in the template, which is located in
%SystemRoot%\Security\Msscw\Kbs.
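The comparison that the Confirm Service Changes page performs (Current Startup Mode against Policy Startup Mode) and the decision on the Handling Unspecified Services page can both be reproduced from a script, which is useful when you want to see the effect of a policy on a server other than the one you scanned. The following PowerShell is an added example, not code from the training kit: the policy table is a constructed subset of what a real domain controller policy contains (the service names are real, the startup modes are illustrative), and Win32_Service is used because it is available on Windows Server 2008 R2 without newer cmdlets.

```powershell
# Added example: report services whose current startup mode differs from
# the mode a policy would set, and show how unspecified services are
# handled. The policy table is constructed for illustration.
$PolicyStartup = @{
    'NTDS'     = 'Auto'       # AD DS, required by the DC role
    'DNS'      = 'Auto'       # DNS Server
    'Audiosrv' = 'Disabled'   # Windows Audio, not needed on a DC
    'Spooler'  = 'Disabled'   # Print Spooler, rarely needed on a DC
}

function Get-ServiceStartupDrift {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [hashtable]$Policy,
        # Mirrors the Handling Unspecified Services page: either leave services
        # the policy does not mention alone, or disable them.
        [ValidateSet('Ignore', 'Disabled')]
        [string]$UnspecifiedServices = 'Ignore'
    )
    # Win32_Service.StartMode is one of Boot, System, Auto, Manual, Disabled.
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName
    foreach ($svc in $services) {
        $current   = $svc.StartMode
        $specified = $Policy.ContainsKey($svc.Name)
        if ($specified) {
            $target = $Policy[$svc.Name]
        } elseif ($UnspecifiedServices -eq 'Disabled') {
            $target = 'Disabled'
        } else {
            $target = $current   # unspecified and left in its current mode
        }
        if ($current -ne $target) {
            New-Object PSObject -Property @{
                Service     = $svc.Name
                DisplayName = $svc.DisplayName
                CurrentMode = $current
                PolicyMode  = $target
                Specified   = $specified
            }
        }
    }
}

# Equivalent of choosing "Changed Services" in the View drop-down list.
Get-ServiceStartupDrift -Policy $PolicyStartup -UnspecifiedServices Disabled |
    Sort-Object Specified, Service |
    Format-Table Service, DisplayName, CurrentMode, PolicyMode, Specified -AutoSize
```

Run it with -UnspecifiedServices Ignore first; the difference between the two runs is exactly the set of services the "disable unspecified services" choice would switch off, which on a server with third-party agents is the list you most want to review before applying the policy.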
You can skip any of the last three sections if you do not
want to include those configurations in your security policy. When
all the configuration sections have been completed or skipped, the
Security Configuration Wizard presents the Security Policy section.
On the Security Policy File Name page, shown in Figure 7, you can
specify a path, a name, and a description for the security
policy.
To examine the settings of the security policy, click View Security Policy. The settings are very well
documented by the Security Configuration Wizard. You can also import a
security template into the security policy by clicking Include
Security Templates.
Security templates, discussed earlier in this lesson, contain
settings that are not provided by the Security Configuration Wizard,
including restricted groups, event log policies, and file system and
registry security policies. By including a security template, you
can incorporate a richer collection of configuration settings in the
security policy. If any settings in the security template conflict
with settings in the security policy, the security policy settings
take precedence. When you click Next, you have
the option to apply the security policy to the server immediately
or to apply it later.
Editing a Security Policy
To edit a saved security policy:
- Open the Security Configuration Wizard.
- On the Configuration Action page, click Edit An Existing Security
  Policy.
- Click Browse to locate the policy .xml file. When prompted to select a
  server, select the server that was used to create the security policy.
Applying a Security Policy
To apply a security policy to a server:
- Open the Security Configuration Wizard.
- On the Configuration Action page, click Apply An Existing Security
  Policy.
- Click Browse to locate the policy .xml file.
- On the Select Server page, select a server to which you want to apply
  the policy.
Many of the changes specified in a security policy, including
the addition of firewall rules for applications already running and
the disabling of services, require that you restart the server.
Therefore, as a best practice, it is recommended that you restart a
server anytime you apply a security policy.
Rolling Back an Applied Security Policy
If a security policy is applied and causes undesirable
results, you can roll back the changes. To roll back an applied
security policy:
- Open the Security Configuration Wizard.
- On the Configuration Action page, click Rollback The Last Applied
  Security Policy.
When a security policy is applied by the Security
Configuration Wizard, a rollback file is generated that stores the
original settings of the system. The rollback process applies the
rollback file.
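The apply and rollback procedures above can also be driven from Scwcmd.exe, which is how you would handle more than a handful of servers. The following PowerShell is an added example, not code from the training kit. It assumes a saved policy file, two target servers and an output folder (all assumed names), that Scwcmd.exe and the scwanalysis.xsl stylesheet in %SystemRoot%\Security\Msscw\TransformFiles are present as shipped with Windows Server 2008 R2, and that you are logged on with an account that is an administrator on the targets.

```powershell
# Added example: check servers against a policy with scwcmd analyze,
# apply it with scwcmd configure, and keep scwcmd rollback ready.
# Policy path, server names and output folder are assumptions.
$Policy  = 'C:\Windows\Security\Msscw\Policies\DC Security Policy.xml'
$Results = 'C:\scw\results'
$Servers = @('SERVER02', 'SERVER03')
$Xsl     = Join-Path $env:windir 'security\msscw\TransformFiles\scwanalysis.xsl'

New-Item -ItemType Directory -Path $Results -Force | Out-Null

# 1. Analyze only: nothing on the target changes. scwcmd writes an XML
#    result file per server, named after the server, into $Results.
#    Current credentials are used; /u: and /pw: exist, but /pw: puts a
#    password on the command line and into the shell history.
foreach ($s in $Servers) {
    & scwcmd.exe analyze "/m:$s" "/p:$Policy" "/o:$Results"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Analysis of $s failed (exit code $LASTEXITCODE)"
        continue
    }
    # Render the result with the built-in stylesheet so it can be reviewed.
    $xml = Join-Path $Results "$s.xml"
    & scwcmd.exe view "/x:$xml" "/s:$Xsl"
}

# 2. Apply the policy only after the analysis results have been reviewed.
#    Disabled services and new firewall rules take full effect after a
#    restart, so restart each server once its configuration succeeds.
foreach ($s in $Servers) {
    & scwcmd.exe configure "/m:$s" "/p:$Policy"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Configuration of $s failed (exit code $LASTEXITCODE)"
        continue
    }
    Restart-Computer -ComputerName $s -Force
}

# 3. If a server misbehaves afterwards, restore the settings recorded in
#    the rollback file that scwcmd configure created on that server:
#    & scwcmd.exe rollback "/m:SERVER02"
```

Keeping the analyze step separate from configure gives you the same "look before you apply" moment the wizard provides with View Security Policy, but with a per-server report you can archive; the rollback command acts on the most recently applied policy only, so apply policies one at a time if you want a clean way back.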
Modifying Settings of an Applied Security Policy
Alternately, if an applied security policy does not produce
an ideal configuration, you can manually change settings by using
the Local Security Policy console. Thus,
you can see the whole picture of security configuration, from manual
settings to the generation of security templates to the creation of
security policies with the Security Configuration Wizard (which can incorporate
security templates), to the application of security policies and
back to the manual configuration of settings.
Deploying a Security Policy Using Group Policy
You can apply a security policy created by the Security
Configuration Wizard to a server by using the Security Configuration
Wizard itself, by using the Scwcmd.exe command, or by transforming the security
policy into a GPO.
To transform a security policy into a GPO, log on as a domain
administrator and run Scwcmd.exe with the transform command. For
example:
scwcmd transform /p:"Contoso DC Security.xml" /g:"Contoso DC Security GPO"
This command creates a GPO called Contoso DC Security GPO with
settings imported from the Contoso DC Security.xml security policy
file. The resulting GPO can be linked to an appropriate scope—site,
domain, or OU—by using the Group Policy Management console. Be sure
to type scwcmd.exe transform /? for
help and guidance about this process.
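The transform step and the subsequent linking can be combined in one script, with a review of the generated GPO in between. The following PowerShell is an added example, not code from the training kit: it uses the policy and GPO names from the command above, assumes the Group Policy module (installed with the Group Policy Management feature of Remote Server Administration Tools on Windows Server 2008 R2), a domain administrator session on a domain controller, and the contoso.com Domain Controllers OU as the link target. The exercise later in this lesson deliberately does not link its test GPO; this example links with the link disabled so the GPO can be inspected in place before it takes effect.

```powershell
# Added example: transform an SCW policy into a GPO, export its settings
# for review, and create a disabled link to the Domain Controllers OU.
# Policy path, GPO name and OU distinguished name are assumptions.
Import-Module GroupPolicy

$PolicyFile = 'C:\Windows\Security\Msscw\Policies\Contoso DC Security.xml'
$GpoName    = 'Contoso DC Security GPO'
$TargetOU   = 'OU=Domain Controllers,DC=contoso,DC=com'
$ReportDir  = 'C:\scw\reports'

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# scwcmd transform creates the GPO in the domain; it does not link it.
& scwcmd.exe transform "/p:$PolicyFile" "/g:$GpoName"
if ($LASTEXITCODE -ne 0) {
    throw "scwcmd transform failed with exit code $LASTEXITCODE"
}

# Confirm the GPO exists and dump its settings to HTML. The report is the
# same view as the Settings tab in Group Policy Management, and it is the
# artifact to review (service startup modes, firewall rules, user rights)
# before the GPO is allowed to apply to any domain controller.
$gpo = Get-GPO -Name $GpoName
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $ReportDir "$GpoName.html")

# Link with the link disabled: the scope is recorded, nothing applies yet.
New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled No

# After review, enabling the link is a single change:
# Set-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes
```

Because a GPO linked to the Domain Controllers OU applies to every DC in the domain, the disabled link plus a reviewed report is the minimum gate a practitioner should put in front of enabling it.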
Settings, Templates, Policies, and GPOs
As suggested in the introduction to this lesson, you can manage
security settings by using several mechanisms. You can use tools such
as the Local Security Policy console to modify settings on an
individual system. You can use security templates, which have existed
since Windows 2000, to manage settings on one or more systems and to
compare the current state of a system’s configuration against the
desired configuration defined by the template. Security policies
generated by the Security Configuration Wizard are the most recent
addition to the security configuration management toolset. They are
role-based .xml files that define service startup modes, firewall
rules, audit policies, and some registry settings. Security policies
can incorporate security templates. Both security templates and
security policies can be deployed using Group Policy.
The plethora of tools available can make it difficult to
identify the best practice for managing security on one or more
systems. Plan to use Group Policy whenever possible to deploy security
configuration. You can generate a GPO from a role-based security
policy produced by the Security Configuration Wizard, which itself
incorporates additional settings from a security template. After the
GPO has been generated, you can make additional changes to the GPO by
using the Group Policy Management Editor snap-in. Settings not managed
by Group Policy can be configured on a server-by-server basis, using
the local GPO security settings.
Practice Managing Security Settings
In this practice, you manage security settings, using each of the tools discussed
in this lesson. To perform the exercises in this practice, you
must have the following objects in the directory service for the
contoso.com domain:
- A first-level OU named Admins.
- An OU named Admin Groups in the Admins OU. If you have an OU named
  Groups in the Admins OU from an earlier practice, you can rename that
  OU Admin Groups.
- A global security group named SYS_DC Remote Desktop in the Admins OU.
  The group must be a member of the Remote Desktop Users group. This
  membership gives the SYS_DC Remote Desktop group the permissions
  required to connect to the RDP-Tcp connection.
Alternately, you can add the SYS_DC Remote Desktop group to
the access control list (ACL) of the RDP-Tcp connection, using the
Remote Desktop Session Host Configuration console. Right-click
RDP-Tcp and click Properties; then click the Security tab, click Add, and type SYS_DC Remote Desktop. Click OK twice to
close the dialog boxes.
EXERCISE 1 Configure the Local
Security Policy
In this exercise, you use the local security policy to enable a group to log on
using Remote Desktop to the domain controller named SERVER01. The
local security policy of a domain controller affects only that
individual DC—it is not replicated between DCs.
- Log on to SERVER01 as Administrator.
- Open the Local Security Policy console from the Administrative Tools
  folder.
- Expand Security Settings\Local Policies and then click User Rights
  Assignment.
- In the details pane, double-click Allow Log On Through Remote Desktop
  Services.
- Click Add User Or Group.
- Type CONTOSO\SYS_DC Remote Desktop and then click OK.
- Click OK again. You will now remove the setting because you will manage
  the setting by using other tools in later exercises.
- Double-click Allow Log On Through Remote Desktop Services.
- Select CONTOSO\SYS_DC Remote Desktop.
- Click Remove.
- Click OK.
EXERCISE 2 Create a Security
Template
In this exercise, you create a security template that gives
the SYS_DC Remote Desktop group the right to log on using Remote
Desktop.
- Log on to SERVER01 as Administrator.
- Click Start, and then click Run.
- Type mmc and press Enter.
- Click File, and then click Add/Remove Snap-in.
- Select Security Templates from the Available Snap-ins list and click
  Add. Click OK.
- Choose Save from the File menu, and save the console to your desktop
  with the name Security Management.
- In the console tree, expand the Security Templates node. Right-click
  C:\Users\Administrator\Documents\Security\Templates and click New
  Template.
- Type DC Remote Desktop and click OK.
- Expand the console tree so that you can select DC Remote Desktop\Local
  Policies\User Rights Assignment.
- In the details pane, double-click Allow Log On Through Remote Desktop
  Services.
- Select Define These Policy Settings In The Template.
- Click Add User Or Group.
- Type CONTOSO\SYS_DC Remote Desktop and click OK.
- Click OK.
- Right-click DC Remote Desktop and click Save.
EXERCISE 3 Use the Security
Configuration And Analysis Snap-in
In this exercise, you analyze the configuration of SERVER01,
using the DC Remote Desktop security template to identify discrepancies between
the server’s current configuration and the desired configuration
defined in the template. You then create a new security
template.
- Log on to SERVER01 as Administrator. Open the Security Management
  console you created and saved in Exercise 2, "Create a Security
  Template."
- Click File, and then click Add/Remove Snap-in.
- Select Security Configuration And Analysis from the Available Snap-ins
  list and click Add. Click OK.
- Choose Save from the File menu to save the modified console.
- Select the Security Configuration And Analysis console tree node.
- Right-click the same node and click Open Database. The Open Database
  menu command allows you to create a new security database.
- Type SERVER01Test and click Open. The Import Template dialog box
  appears.
- Select the DC Remote Desktop template you created in Exercise 2 and
  click Open.
- Right-click Security Configuration And Analysis and click Analyze
  Computer Now.
- Click OK to confirm the default path for the error log.
- Expand the console tree so that you can select Security Configuration
  And Analysis\Local Policies\User Rights Assignment.
- Notice that the Allow Log On Through Remote Desktop Services policy is
  flagged with a red circle and an X. This indicates a discrepancy
  between the database setting and the computer setting.
- Double-click Allow Log On Through Remote Desktop Services.
- Notice the discrepancies. The computer is not configured to allow the
  SYS_DC Remote Desktop group to log on through Remote Desktop Services.
- Notice also that the Computer Setting currently allows Administrators
  to log on through Remote Desktop Services. This is an important
  setting that should be incorporated into the database.
- Select the check box next to Administrators under Database Setting, and
  then click OK. This adds the right for Administrators to log on through
  Remote Desktop Services to the database. It does not change the
  template, and it does not affect the current configuration of the
  computer.
- Right-click Security Configuration And Analysis and click Save. This
  saves the security database, which includes the settings imported from
  the template plus the change you made to allow Administrators to log on
  through Remote Desktop Services. The hint displayed in the status bar
  when you click Save suggests that you are saving the template. That is
  incorrect. You are saving the database.
- Right-click Security Configuration And Analysis and click Export
  Template.
- Select DC Remote Desktop and click Save. You have now replaced the
  template created in Exercise 2 with the settings defined in the
  database of the Security Configuration And Analysis snap-in.
- Close and reopen your Security Management console. This is necessary
  to fully refresh the settings shown in the Security Templates snap-in.
- Expand Security
  Templates\C:\Users\Administrator\Documents\Security\Templates\DC Remote
  Desktop\Local Policies, and then click User Rights Assignment.
- In the details pane, double-click Allow Log On Through Remote Desktop
  Services.
- Notice that both the Administrators and SYS_DC Remote Desktop groups
  are allowed to log on through Remote Desktop Services in the security
  template. Click OK.
- Right-click Security Configuration And Analysis and click Configure
  Computer Now.
- Click OK to confirm the error log path. The settings in the database
  are applied to the server. You will now confirm that the change to the
  user right was applied.
- Open the Local Security Policy console from the Administrative Tools
  folder. If the console was already open during this exercise,
  right-click Security Settings and click Reload.
- Expand Security Settings\Local Policies\User Rights Assignment.
  Double-click Allow Log On Through Remote Desktop Services.
- Confirm that both Administrators and SYS_DC Remote Desktop are listed.
  The Local Security Policy console displays the actual, current settings
  of the server.
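Exercises 2 and 3 can be reproduced without the MMC snap-ins, using Secedit.exe, which operates on the same .inf templates and .sdb databases. The following PowerShell is an added example, not code from the training kit: it writes the DC Remote Desktop template as an .inf file, analyzes SERVER01 against it, applies only the user rights area, and exports the live settings to confirm the result. The working folder and file names are assumptions; the group name is the one used in the practice, and BUILTIN\Administrators is written by its well-known SID (*S-1-5-32-544), which is how templates normally refer to built-in groups.

```powershell
# Added example: the security template workflow scripted with secedit.exe.
# Run elevated on SERVER01. Paths are assumptions.
$Work     = 'C:\scw\templates'
$Template = Join-Path $Work 'DC Remote Desktop.inf'
$Database = Join-Path $Work 'SERVER01Test.sdb'
$Log      = Join-Path $Work 'secedit.log'
$Export   = Join-Path $Work 'current.inf'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# A security template is an .inf file. SeRemoteInteractiveLogonRight is
# the "Allow log on through Remote Desktop Services" user right. Entries
# with a leading * are SIDs; other entries are resolved by name.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,CONTOSO\SYS_DC Remote Desktop
'@
$inf | Out-File -FilePath $Template -Encoding Unicode

# Analyze: /cfg imports the template into a new database, then the
# computer is compared with the database (Analyze Computer Now).
& secedit.exe /analyze /db "$Database" /cfg "$Template" /log "$Log" /quiet
# The log lists each setting as a match, a mismatch or not configured.
Select-String -Path $Log -Pattern 'Mismatch|Not Configured'

# Configure: apply the database to the server (Configure Computer Now),
# restricted to user rights so nothing else in the template is touched.
& secedit.exe /configure /db "$Database" /cfg "$Template" /areas USER_RIGHTS /log "$Log" /quiet

# Verify: export the effective local user rights and read the right back.
# The export shows SIDs for all accounts, so the domain group appears as
# its S-1-5-21-... SID rather than by name.
& secedit.exe /export /cfg "$Export" /areas USER_RIGHTS
Select-String -Path $Export -Pattern '^SeRemoteInteractiveLogonRight'
```

The exported line is the ground truth the Local Security Policy console displays in the last step of Exercise 3; comparing it with the template line is the scripted form of the red-X check, and it works unchanged on a server without the MMC consoles installed.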
EXERCISE 4 Use the Security
Configuration Wizard
In this exercise, you use the Security Configuration Wizard to create a security
policy for domain controllers in the contoso.com domain based on
the configuration of SERVER01.
- Log on to SERVER01 as Administrator.
- Open the Security Configuration Wizard from the Administrative Tools
  folder.
- Click Next.
- Select Create A New Security Policy and click Next.
- Accept the default server name, SERVER01, and click Next.
- On the Processing Security Configuration Database page, you can
  optionally click View Configuration Database and explore the
  configuration that was discovered on SERVER01.
- Click Next and, on the Role Based Service Configuration section
  introduction page, click Next.
- Explore the settings that were discovered on SERVER01, but do not
  change any settings, on the following pages of the wizard: Select
  Server Roles, Select Client Features, Select Administration And Other
  Options, Select Additional Services, and Handling Unspecified Services.
- On the Confirm Service Changes page, click the View drop-down list and
  choose All Services. Examine the settings in the Current Startup Mode
  column, which reflect service startup modes on SERVER01, and compare
  them to the settings in the Policy Startup Mode column. Click the View
  drop-down list and choose Changed Services. Click Next.
- On the Network Security section introduction page, click Next.
- On the Network Security Rules page, you can optionally examine the
  firewall rules derived from the configuration of SERVER01. Do not
  change any settings. Click Next.
- On the Registry Settings section introduction page, click Next.
- Click through each page of the Registry Settings section. Examine the
  settings, but do not change any of them. When the Registry Settings
  Summary page appears, examine the settings and click Next.
- On the Audit Policy section introduction page, click Next.
- On the System Audit Policy page, examine but do not change the
  settings. Click Next.
- On the Audit Policy Summary page, examine the settings in the Current
  Setting and Policy Setting columns. Click Next.
- On the Save Security Policy section introduction page, click Next.
- In the Security Policy File Name text box, click after the end of the
  default path, and then type DC Security Policy.
- Click Include Security Templates.
- Click Add.
- Browse to locate the DC Remote Desktop template created in Exercise 3,
  "Use the Security Configuration And Analysis Snap-in," located in your
  Documents\Security\Templates folder. When you have located and selected
  the template, click Open.
- Click OK to close the Include Security Templates dialog box.
- Click View Security Policy to examine the settings in the security
  policy. You are prompted to confirm the use of the ActiveX control;
  click Yes. Close the window after you have examined the policy, and
  then click Next in the Security Configuration Wizard window.
- If you are prompted to confirm that you are replacing the default DC
  Security Policy, click Yes.
- Accept the Apply Later default setting and click Next.
- Click Finish.
EXERCISE 5 Transform a Security
Configuration Wizard Security Policy to a Group
Policy
In this exercise, you convert the security policy generated
in Exercise 4, “Use the Security Configuration Wizard,” to a GPO,
which can then be deployed to computers by using Group Policy.
- Log on to SERVER01 as Administrator.
- Open Command Prompt.
- Type cd c:\windows\security\msscw\policies and press Enter.
- Type scwcmd transform /? and press Enter.
- Type scwcmd transform /p:"DC Security Policy.xml" /g:"DC Security Policy"
  and press Enter.
- Open the Group Policy Management console from the Administrative Tools
  folder.
- Expand the console tree nodes Forest, Domains, contoso.com, and Group
  Policy Objects.
- Select DC Security Policy. This is the GPO created by the Scwcmd.exe
  command.
- Click the Settings tab to examine the settings of the GPO.
- Click the Show link next to Security Settings.
- Click the Show link next to Local Policies/User Rights Assignment.
- Confirm that the BUILTIN\Administrators and CONTOSO\SYS_DC Remote
  Desktop groups are given the Allow Log On Through Remote Desktop
  Services user right. The GPO is not applied to DCs because it is not
  linked to the Domain Controllers OU. In this practice, do not link the
  GPO to the domain, site, or any OU. In a production environment, you
  would spend more time examining, configuring, and testing security
  settings in the security policy before deploying it as a GPO to
  production domain controllers.
- In the tree pane, under Group Policy Objects, right-click DC Security
  Policy and click Delete. Click Yes to confirm the deletion. This
  ensures the policy can't inappropriately be linked in your test
  environment.