Active Directory 2008 : Managing Security Settings (part 2) - The Security Configuration Wizard

7/17/2013 8:13:57 PM

4. The Security Configuration Wizard

You can use the Security Configuration Wizard to enhance the security of a server by closing ports and disabling services not required for the server’s roles.

The Security Configuration Wizard can be launched from the home page of Server Manager (in the Security Information section) or from the Administrative Tools folder.

There is also a command-line version of the tool, scwcmd.exe. Type scwcmd.exe /? at a command prompt for help on the command, or see http://go.microsoft.com/fwlink/?LinkId=168678.

The Security Configuration Wizard is a next-generation security management tool, more advanced than the Security Configuration And Analysis snap-in. The Security Configuration Wizard is role based in accordance with the role-based configuration of Windows Server 2008 R2. The Security Configuration Wizard creates a security policy—an .xml file—that configures the following:

  • Services

  • Network security including firewall rules

  • Registry values

  • Audit policy

  • Other settings based on the roles of a server

That security policy can then be modified, applied to another server, or transformed into a GPO for deployment to multiple systems.

Creating a Security Policy

To create a security policy:

  1. Launch the Security Configuration Wizard from the Administrative Tools folder or the Security Information section on the home page of Server Manager.

    You can open the Security Configuration Wizard Help file by clicking the Security Configuration Wizard link on the first page of the wizard.

  2. Click Next.

  3. On the Configuration Action page, click Create A New Security Policy, and then click Next.

  4. Enter the name of the server to scan and analyze, and then click Next.

The security policy is based on the roles being performed by the specified server. You must be an administrator on the server for the analysis of its roles to proceed. Ensure also that all applications using inbound IP ports are running before you run the Security Configuration Wizard.

The Security Configuration Wizard begins the analysis of the selected server’s roles. It uses a security configuration database that defines services and ports required for each server role supported by the Security Configuration Wizard. The security configuration database is a set of .xml files installed in %SystemRoot%\Security\Msscw\Kbs.

Note

CENTRALIZING THE SECURITY CONFIGURATION DATABASE

In an enterprise environment, centralize the security configuration database so that administrators use the same database when running the Security Configuration Wizard. Copy the files in the %SystemRoot%\Security\Msscw\Kbs folder to a network folder. Then launch the Security Configuration Wizard with the Scw.exe command, using the syntax scw.exe /kb DatabaseLocation. For example, the command scw.exe /kb \\server01\scwkb launches the Security Configuration Wizard, using the security configuration database in the shared folder scwkb on SERVER01.

The Security Configuration Wizard uses the security configuration database to scan the selected server and identifies the following:

  • Roles that are installed on the server

  • Roles that the server is likely to be performing

  • Services installed on the server but not defined in the security configuration database

  • IP addresses and subnets configured for the server

The information discovered about the server is saved in a file named Main.xml. This server-specific file is called the configuration database, not to be confused with the security configuration database used by the Security Configuration Wizard to perform the analysis. To display the configuration database, click View Configuration Database on the Processing Security Configuration page.

The initial settings in the configuration database are called the baseline settings. After the server has been scanned and the configuration database has been created, you have the opportunity to modify the database, which will be used to generate the security policy to configure services, firewall rules, registry settings, and audit policies. The security policy can then be applied to the server or to other servers playing similar roles. The Security Configuration Wizard presents each of these four categories of the security policy in a section—a series of wizard pages:

  • Role-Based Service Configuration The outcome of this section is a set of policies that configure the startup state of services on the server. You want to ensure that only the services required by the server’s roles start and that other services do not start. To achieve this outcome, the Security Configuration Wizard presents pages that display the server roles, client features, and administration and other options detected on the scanned server. You can add or remove roles, features, and options to reflect the desired role configuration. 

    The server shown in Figure 5 is a domain controller, and you can see that the AD DS service is currently configured to start automatically; the policy will also set the service to start automatically to support the AD DS role. However, audio is not required for a DC, so the service named Audiosrv used by the Windows Audio option will be configured by the policy as disabled.

    Figure 5. The Confirm Service Changes page of the Security Configuration Wizard

    You cannot change the startup states on the Confirm Service Changes page of the Security Configuration Wizard. Instead, you must click the Back button to locate the role, service, or option indicated in the Used By column and either select or deselect that item. The service startup policies on the Confirm Service Changes page are determined by the selected roles, services, and options. The wizard disables services for roles that you did not select by configuring the service startup policy as disabled. It is conceivable that the server on which you run the Security Configuration Wizard has services that are not defined by the Security Configuration Wizard security configuration database. The Select Additional Services page of the wizard allows you to include those services in the security policy so that, if the services exist on a system to which you apply the policy, those services will be started according to the startup setting in the baseline configuration database.

    It is also conceivable that a server to which you apply the security policy might have services not found on the server from which you created the security policy. On the Handling Unspecified Services page, you can specify whether such services should be disabled or allowed to remain in their current startup mode.

  • Network Security The Network Security section produces the firewall settings of the security policy. Those settings are applied by Windows Firewall With Advanced Security. Like the Role-Based Service Configuration section, the Network Security section displays a page of settings derived from the baseline settings in the configuration database. The settings in the Network Security section, however, are firewall rules rather than service startup modes. Figure 6 shows the rule that allows incoming ping requests to a domain controller. You can edit existing rules or add and remove custom rules.

    Figure 6. The Network Security Rules page of the Security Configuration Wizard

    Windows Firewall with Advanced Security combines Internet Protocol Security (IPSec) and a stateful firewall that inspects and filters all IP version 4 (IPv4) and IP version 6 (IPv6) packets, discarding unsolicited packets unless a firewall rule has been created to allow traffic explicitly to a port number, application name, or service name. The security policy generated by the Security Configuration Wizard manages firewall rules, but IPSec configuration is not provided by the Security Configuration Wizard.

  • Registry Settings The Registry Settings section configures protocols used to communicate with other computers. These wizard pages determine server message block (SMB) packet signing, Lightweight Directory Access Protocol (LDAP) signing, LAN Manager (LM) authentication levels, and storage of password LM hash values. Each of these settings is described on the appropriate page, and a link on each page takes you to a Security Configuration Wizard Help page that explains the setting.

  • Audit Policy The Audit Policy section generates settings that manage the auditing of success and failure events and the file system objects that are audited. Additionally, the section allows you to incorporate a security template called SCWAudit.inf into the security policy. Use the Security Templates snap-in, described earlier in this lesson, to examine the settings in the template, which is located in %SystemRoot%\Security\Msscw\Kbs.
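The Registry Settings section above describes what the wizard configures but not what values a hardened domain controller ends up with. The following PowerShell script is an added example, not from the book or from the Security Configuration Wizard itself; it reads the registry values behind SMB signing, LDAP signing, the LM authentication level and LM hash storage and reports each against an expected hardened value. The expected values are assumptions for a domain controller, not values stated on this page; adjust them to your own baseline.

```powershell
# Added example (not part of the original text): audit the protocol-hardening
# registry values that the SCW Registry Settings section manages.
# Run in an elevated PowerShell session on the server being checked.
# The Expected values are assumed hardened settings for a domain controller.
$checks = @(
    @{ Name     = 'SMB server signing required'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'RequireSecuritySignature'
       Expected = 1 },
    @{ Name     = 'SMB client signing required'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value    = 'RequireSecuritySignature'
       Expected = 1 },
    @{ Name     = 'LDAP server signing required (2 = require signing)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LDAPServerIntegrity'
       Expected = 2 },
    @{ Name     = 'LM authentication level (5 = NTLMv2 only, refuse LM and NTLM)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'LmCompatibilityLevel'
       Expected = 5 },
    @{ Name     = 'Do not store LM hash of passwords'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'NoLMHash'
       Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing value means the setting has never been explicitly configured,
    # so the OS default applies; report it as "not set" rather than as a number.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        $actual = 'not set'
    } else {
        $actual = $item.($c.Value)
    }
    New-Object PSObject -Property @{
        Setting   = $c.Name
        Value     = $c.Value
        Expected  = $c.Expected
        Actual    = $actual
        Compliant = ($actual -eq $c.Expected)
    }
}

# Non-compliant rows first so the gaps are visible at the top of the report.
$results | Sort-Object Compliant, Setting |
    Format-Table Setting, Expected, Actual, Compliant -AutoSize
```

Run the script before and after applying a security policy (or its GPO) to confirm that the Registry Settings section actually changed the values you expected; it reads only, so it is safe to run on a production DC.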

You can skip any of the last three sections if you do not want to include those configurations in your security policy. When all the configuration sections have been completed or skipped, the Security Configuration Wizard presents the Security Policy section. On the Security Policy File Name page, shown in Figure 7, you can specify a path, a name, and a description for the security policy.

Figure 7. The Security Policy File Name page of the Security Configuration Wizard

To examine the settings of the security policy, click View Security Policy. The settings are very well documented by the Security Configuration Wizard. You can also import a security template into the security policy by clicking Include Security Templates.

Security templates, discussed earlier in this lesson, contain settings that are not provided by the Security Configuration Wizard, including restricted groups, event log policies, and file system and registry security policies. By including a security template, you can incorporate a richer collection of configuration settings in the security policy. If any settings in the security template conflict with the Security Configuration Wizard, the settings in the Security Configuration Wizard take precedence. When you click Next, you have the option to apply the security template to the server immediately or to apply the policy later.

Editing a Security Policy

To edit a saved security policy:

  1. Open the Security Configuration Wizard.

  2. On the Configuration Action page, click Edit An Existing Security Policy.

  3. Click Browse to locate the policy .xml file. When prompted to select a server, select the server that was used to create the security policy.

Applying a Security Policy

To apply a security policy to a server:

  1. Open the Security Configuration Wizard.

  2. On the Configuration Action page, click Apply An Existing Security Policy.

  3. Click Browse to locate the policy .xml file.

  4. On the Select Server page, select a server to which you want to apply the policy.

Many of the changes specified in a security policy, including the addition of firewall rules for applications already running and the disabling of services, require that you restart the server. Therefore, as a best practice, it is recommended that you restart a server anytime you apply a security policy.

Rolling Back an Applied Security Policy

If a security policy is applied and causes undesirable results, you can roll back the changes. To roll back an applied security policy:

  1. Open the Security Configuration Wizard.

  2. On the Configuration Action page, click Rollback The Last Applied Security Policy.

When a security policy is applied by the Security Configuration Wizard, a rollback file is generated that stores the original settings of the system. The rollback process applies the rollback file.

Modifying Settings of an Applied Security Policy

Alternately, if an applied security template does not produce an ideal configuration, you can manually change settings by using the Local Security Policy console. Thus, you can see the whole picture of security configuration, from manual settings to the generation of security templates to the creation of security policies with the Security Configuration Wizard (which can incorporate security templates), to the application of security policies and back to the manual configuration of settings.

Deploying a Security Policy Using Group Policy

You can apply a security policy created by the Security Configuration Wizard to a server by using the Security Configuration Wizard itself, by using the Scwcmd.exe command, or by transforming the security policy into a GPO.

To transform a security policy into a GPO, log on as a domain administrator and run Scwcmd.exe with the transform command. For example:

scwcmd transform /p:"Contoso DC Security.xml" /g:"Contoso DC Security GPO"

This command creates a GPO called Contoso DC Security GPO with settings imported from the Contoso DC Security.xml security policy file. The resulting GPO can be linked to an appropriate scope—site, domain, or OU—by using the Group Policy Management console. Be sure to type scwcmd.exe transform /? for help and guidance about this process.

Settings, Templates, Policies, and GPOs

As suggested in the introduction to this lesson, you can manage security settings by using several mechanisms. You can use tools such as the Local Security Policy console to modify settings on an individual system. You can use security templates, which have existed since Windows 2000, to manage settings on one or more systems and to compare the current state of a system’s configuration against the desired configuration defined by the template. Security policies generated by the Security Configuration Wizard are the most recent addition to the security configuration management toolset. They are role-based .xml files that define service startup modes, firewall rules, audit policies, and some registry settings. Security policies can incorporate security templates. Both security templates and security policies can be deployed using Group Policy.

The plethora of tools available can make it difficult to identify the best practice for managing security on one or more systems. Plan to use Group Policy whenever possible to deploy security configuration. You can generate a GPO from a role-based security policy produced by the Security Configuration Wizard, which itself incorporates additional settings from a security template. After the GPO has been generated, you can make additional changes to the GPO by using the Group Policy Management Editor snap-in. Settings not managed by Group Policy can be configured on a server-by-server basis, using the local GPO security settings.

Practice Managing Security Settings

In this practice, you manage security settings, using each of the tools discussed in this lesson. To perform the exercises in this practice, you must have the following objects in the directory service for the contoso.com domain:

  • A first-level OU named Admins.

  • An OU named Admin Groups in the Admins OU.

    If you have an OU named Groups in the Admins OU from an earlier practice, you can rename that OU Admin Groups.

  • A global security group named SYS_DC Remote Desktop in the Admins OU. The group must be a member of the Remote Desktop Users group. This membership gives the SYS_DC Remote Desktop group the permissions required to connect to the RDP-Tcp connection.

Alternately, you can add the SYS_DC Remote Desktop group to the access control list (ACL) of the RDP-Tcp connection, using the Remote Desktop Session Host Configuration console. Right-click RDP-Tcp and click Properties; then click the Security tab, click Add, and type SYS_DC Remote Desktop. Click OK twice to close the dialog boxes.

EXERCISE 1 Configure the Local Security Policy

In this exercise, you use the local security policy to enable a group to log on using Remote Desktop to the domain controller named SERVER01. The local security policy of a domain controller affects only that individual DC—it is not replicated between DCs.

  1. Log on to SERVER01 as Administrator.

  2. Open the Local Security Policy console from the Administrative Tools folder.

  3. Expand Security Settings\Local Policies and then click User Rights Assignment.

  4. In the details pane, double-click Allow Log On Through Remote Desktop Services.

  5. Click Add User Or Group.

  6. Type CONTOSO\SYS_DC Remote Desktop and then click OK.

  7. Click OK again.

    You will now remove the setting because you will manage the setting by using other tools in later exercises.

  8. Double-click Allow Log On Through Remote Desktop Services.

  9. Select CONTOSO\SYS_DC Remote Desktop.

  10. Click Remove.

  11. Click OK.

EXERCISE 2 Create a Security Template

In this exercise, you create a security template that gives the SYS_DC Remote Desktop group the right to log on using Remote Desktop.

  1. Log on to SERVER01 as Administrator.

  2. Click Start, and then click Run.

  3. Type mmc and press Enter.

  4. Click File, and then click Add/Remove Snap-in.

  5. Select Security Templates from the Available Snap-ins list and click Add. Click OK.

  6. Choose Save from the File menu, and save the console to your desktop with the name Security Management.

  7. In the console tree, expand the Security Templates node. Right-click C:\Users\Administrator\Documents\Security\Templates and click New Template.

  8. Type DC Remote Desktop and click OK.

  9. Expand the console tree so that you can select DC Remote Desktop\Local Policies\User Rights Assignment.

  10. In the details pane, double-click Allow Log On Through Remote Desktop Services.

  11. Select Define These Policy Settings In The Template.

  12. Click Add User Or Group.

  13. Type CONTOSO\SYS_DC Remote Desktop and click OK.

  14. Click OK.

  15. Right-click DC Remote Desktop and click Save.

EXERCISE 3 Use the Security Configuration And Analysis Snap-in

In this exercise, you analyze the configuration of SERVER01, using the DC Remote Desktop security template to identify discrepancies between the server’s current configuration and the desired configuration defined in the template. You then create a new security template.

  1. Log on to SERVER01 as Administrator. Open the Security Management console you created and saved in Exercise 2, “Create a Security Template.”

  2. Click File, and then click Add/Remove Snap-in.

  3. Select Security Configuration And Analysis from the Available Snap-ins list and click Add. Click OK.

  4. Choose Save from the File menu to save the modified console.

  5. Select the Security Configuration And Analysis console tree node.

  6. Right-click the same node and click Open Database.

    The Open Database menu command allows you to create a new security database.

  7. Type SERVER01Test and click Open.

    The Import Template dialog box appears.

  8. Select the DC Remote Desktop template you created in Exercise 2 and click Open.

  9. Right-click Security Configuration And Analysis and click Analyze Computer Now.

  10. Click OK to confirm the default path for the error log.

  11. Expand the console tree so that you can select Security Configuration And Analysis\Local Policies\User Rights Assignment.

  12. Notice that the Allow Log On Through Remote Desktop Services policy is flagged with a red circle and an X. This indicates a discrepancy between the database setting and the computer setting.

  13. Double-click Allow Log On Through Remote Desktop Services.

  14. Notice the discrepancies. The computer is not configured to allow the SYS_DC Remote Desktop group to log on through Remote Desktop Services.

  15. Notice also that the Computer Setting currently allows Administrators to log on through Remote Desktop Services. This is an important setting that should be incorporated into the database.

  16. Select the check box next to Administrators under Database Setting, and then click OK. This adds the right for Administrators to log on through Remote Desktop Services to the database. It does not change the template, and it does not affect the current configuration of the computer.

  17. Right-click Security Configuration And Analysis and click Save.

    This saves the security database, which includes the settings imported from the template plus the change you made to allow Administrators to log on through Remote Desktop Services. The hint displayed in the status bar when you click Save suggests that you are saving the template. That is incorrect. You are saving the database.

  18. Right-click Security Configuration And Analysis and click Export Template.

  19. Select DC Remote Desktop and click Save.

    You have now replaced the template created in Exercise 2 with the settings defined in the database of the Security Configuration And Analysis snap-in.

  20. Close and reopen your Security Management console.

    This is necessary to refresh fully the settings shown in the Security Templates snap-in.

  21. Expand Security Templates\C:\Users\Administrator\Documents\Security\Templates\DC Remote Desktop\Local Policies, and then click User Rights Assignment.

  22. In the details pane, double-click Allow Log On Through Remote Desktop Services.

  23. Notice that both the Administrators and SYS_DC Remote Desktop groups are allowed to log on through Remote Desktop Services in the security template. Click OK.

  24. Right-click Security Configuration And Analysis and click Configure Computer Now.

  25. Click OK to confirm the error log path.

    The settings in the database are applied to the server. You will now confirm that the change to the user right was applied.

  26. Open the Local Security Policy console from the Administrative Tools folder.

    If the console was already open during this exercise, right-click Security Settings and click Reload.

  27. Expand Security Settings\Local Policies\User Rights Assignment. Double-click Allow Log On Through Remote Desktop Services.

  28. Confirm that both Administrators and SYS_DC Remote Desktop are listed.

    The Local Security Policy console displays the actual, current settings of the server.
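Exercise 3 performs the template-versus-computer comparison in the Security Configuration And Analysis snap-in. The following PowerShell script is an added example, not from the book, that makes the same comparison for the Allow Log On Through Remote Desktop Services right from the command line: it exports the server's current user rights with secedit, parses the SeRemoteInteractiveLogonRight line of both the export and the DC Remote Desktop template, and lists the entries that differ. The template path is assumed to be the default location used in Exercise 2.

```powershell
# Added example (not part of the original text): compare the
# "Allow log on through Remote Desktop Services" user right in a security
# template with the server's current local policy. Run elevated.
param(
    # Assumed default location of the template saved in Exercise 2.
    [string]$TemplatePath = "$env:USERPROFILE\Documents\Security\Templates\DC Remote Desktop.inf"
)
$right = 'SeRemoteInteractiveLogonRight'

function Get-PrivilegeEntries([string]$InfPath, [string]$Privilege) {
    # Templates and secedit exports are INI-style; the [Privilege Rights]
    # section holds lines like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,CONTOSO\group
    $inSection = $false
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match "^\s*$Privilege\s*=\s*(.*)$") {
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()   # right not defined in this file
}

function Resolve-Entry([string]$Entry) {
    # Entries written as *S-1-5-32-544 are SIDs; translate them to account
    # names so the template and the export can be compared by name.
    if ($Entry.StartsWith('*')) {
        $sid = $Entry.Substring(1)
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid
            return $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # unresolvable SID: keep it as written
        }
    }
    return $Entry
}

# Export only the user rights area of the current local policy.
$export = Join-Path $env:TEMP 'current-user-rights.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

$wanted  = @(Get-PrivilegeEntries $TemplatePath $right | ForEach-Object { Resolve-Entry $_ })
$current = @(Get-PrivilegeEntries $export $right       | ForEach-Object { Resolve-Entry $_ })
Remove-Item $export -ErrorAction SilentlyContinue

# Entries the template grants that the computer lacks (the exercise's red X),
# and entries present on the computer but absent from the template (such as
# Administrators in step 15), which you would normally fold into the database.
$missing = @($wanted  | Where-Object { $current -notcontains $_ })
$extra   = @($current | Where-Object { $wanted  -notcontains $_ })

New-Object PSObject -Property @{
    Right             = $right
    Template          = ($wanted  -join ', ')
    Computer          = ($current -join ', ')
    MissingOnComputer = ($missing -join ', ')
    OnlyOnComputer    = ($extra   -join ', ')
} | Format-List Right, Template, Computer, MissingOnComputer, OnlyOnComputer
```

Running it after step 14 should show CONTOSO\SYS_DC Remote Desktop under MissingOnComputer and BUILTIN\Administrators under OnlyOnComputer; after step 25 both lists should be empty.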

EXERCISE 4 Use the Security Configuration Wizard

In this exercise, you use the Security Configuration Wizard to create a security policy for domain controllers in the contoso.com domain based on the configuration of SERVER01.

  1. Log on to SERVER01 as Administrator.

  2. Open the Security Configuration Wizard from the Administrative Tools folder.

  3. Click Next.

  4. Select Create A New Security Policy and click Next.

  5. Accept the default server name, SERVER01, and click Next.

  6. On the Processing Security Configuration Database page, you can optionally click View Configuration Database and explore the configuration that was discovered on SERVER01.

  7. Click Next and, on the Role Based Service Configuration section introduction page, click Next.

  8. Explore the settings that were discovered on SERVER01, but do not change any settings, on the following pages of the wizard: Select Server Roles, Select Client Features, Select Administration And Other Options; Select Additional Services; and Handling Unspecified Services.

  9. On the Confirm Service Changes page, click the View drop-down list and choose All Services. Examine the settings in the Current Startup Mode column, which reflect service startup modes on SERVER01, and compare them to the settings in the Policy Startup Mode column. Click the View drop-down list and choose Changed Services. Click Next.

  10. On the Network Security section introduction page, click Next.

  11. On the Network Security Rules page, you can optionally examine the firewall rules derived from the configuration of SERVER01. Do not change any settings. Click Next.

  12. On the Registry Settings section introduction page, click Next.

  13. Click through each page of the Registry Settings section. Examine the settings, but do not change any of them. When the Registry Settings Summary page appears, examine the settings and click Next.

  14. On the Audit Policy section introduction page, click Next.

  15. On the System Audit Policy page, examine but do not change the settings. Click Next.

  16. On the Audit Policy Summary page, examine the settings in the Current Setting and Policy Setting columns. Click Next.

  17. On the Save Security Policy section introduction page, click Next.

  18. In the Security Policy File Name text box, click after the end of the default path, and then type DC Security Policy.

  19. Click Include Security Templates.

  20. Click Add.

  21. Browse to locate the DC Remote Desktop template created in Exercise 3, “Use the Security Configuration And Analysis Snap-in,” located in your Documents\Security\Templates folder. When you have located and selected the template, click Open.

  22. Click OK to close the Include Security Templates dialog box.

  23. Click View Security Policy to examine the settings in the security policy. You are prompted to confirm the use of the ActiveX control; click Yes. Close the window after you have examined the policy, and then click Next in the Security Configuration Wizard window.

  24. If you are prompted to confirm that you are replacing the default DC Security Policy, click Yes.

  25. Accept the Apply Later default setting and click Next.

  26. Click Finish.

EXERCISE 5 Transform a Security Configuration Wizard Security Policy to a Group Policy

In this exercise, you convert the security policy generated in Exercise 4, “Use the Security Configuration Wizard,” to a GPO, which can then be deployed to computers by using Group Policy.

  1. Log on to SERVER01 as Administrator.

  2. Open Command Prompt.

  3. Type cd c:\windows\security\msscw\policies and press Enter.

  4. Type scwcmd transform /? and press Enter.

  5. Type scwcmd transform /p:"DC Security Policy.xml" /g:"DC Security Policy" and press Enter.

  6. Open the Group Policy Management console from the Administrative Tools folder.

  7. Expand the console tree nodes Forest, Domains, contoso.com, and Group Policy Objects.

  8. Select DC Security Policy.

    This is the GPO created by the Scwcmd.exe command.

  9. Click the Settings tab to examine the settings of the GPO.

  10. Click the Show link next to Security Settings.

  11. Click the Show link next to Local Policies/User Rights Assignment.

  12. Confirm that the BUILTIN\Administrators and CONTOSO\SYS_DC Remote Desktop groups are given the Allow Log On Through Remote Desktop Services user right.

    The GPO is not applied to DCs because it is not linked to the Domain Controllers OU. In this practice, do not link the GPO to the domain, site, or any OU. In a production environment, you would spend more time examining, configuring, and testing security settings in the security policy before deploying it as a GPO to production domain controllers.

  13. In the tree pane, under Group Policy Objects, right-click DC Security Policy and click Delete. Click Yes to confirm the deletion. This ensures the policy can’t inappropriately be linked in your test environment.
