Export (0) Print
Expand All

Hardening the Windows infrastructure

Hardening the Microsoft Windows Server 2008 operating system reduces the attack surface by disabling functionality that is not required while maintaining the minimum functionality that is required. When you install Microsoft Forefront Threat Management Gateway as part of the installation of Essential Business Server, the setup program automatically hardens the Windows Server 2008 operating system running on the Forefront TMG computer after the installation of Forefront TMG is completed by launching the Scwcmd.exe command-line tool with the following command:

scwcmd.exe configure /p:isa_harden.xml

This command applies the security policy defined in the file Isa_harden.xml, which is supplied with Forefront TMG. When this security policy is applied, the startup type of numerous services is configured. 

The following table lists the services whose startup type is set by the security policy defined in Isa_harden.xml.

Service Name Startup Type

AeLookupSvc

Automatic

ALG

Manual

Appinfo

Manual

AppMgmt

Manual

AudioEndpointBuilder

Disabled

Audiosrv

Disabled

BFE

Automatic

BITS

Automatic

Browser

Automatic

CertPropSvc

Manual

clr_optimization_v2.0.50727_32

Manual

COMSysApp

Manual

CryptSvc

Automatic

CscService

Disabled

DcomLaunch

Automatic

Dhcp

Automatic

Dnscache

Automatic

dot3svc

Manual

DPS

Automatic

EapHost

Manual

Eventlog

Automatic

EventSystem

Automatic

FCRegSvc

Manual

fdPHost

Manual

FDResPub

Manual

gpsvc

Automatic

hidserv

Disabled

hkmsvc

Manual

IKEEXT

Automatic

IPBusEnum

Disabled

iphlpsvc

Automatic

KeyIso

Manual

KtmRm

Automatic

LanmanServer

Automatic

LanmanWorkstation

Automatic

lltdsvc

Manual

lmhosts

Automatic

MMCSS

Manual

MpsSvc

Automatic

MSDTC

Automatic

MSiSCSI

Manual

msiserver

Manual

napagent

Manual

Netman

Manual

netprofm

Automatic

NlaSvc

Automatic

nsi

Automatic

pla

Manual

PlugPlay

Automatic

PolicyAgent

Disabled

ProfSvc

Automatic

ProtectedStorage

Manual

RasAuto

Disabled

RasMan

Manual

RemoteAccess

Ignored

RemoteRegistry

Disabled

RpcLocator

Manual

RpcSs

Automatic

RSoPProv

Manual

sacsvr

Manual

SamSs

Automatic

SCardSvr

Disabled

Schedule

Automatic

SCPolicySvc

Disabled

seclogon

Automatic

SENS

Automatic

SessionEnv

Manual

SharedAccess

Disabled

ShellHWDetection

Automatic

slsvc

Automatic

SLUINotify

Manual

SNMPTRAP

Manual

SSDPSRV

Disabled

SstpSvc

Ignored

swprv

Manual

SysMain

Manual

TapiSrv

Manual

TBS

Manual

TermService

Automatic

Themes

Disabled

THREADORDER

Manual

TrkWks

Automatic

TrustedInstaller

Manual

UI0Detect

Manual

UmRdpService

Manual

upnphost

Disabled

UxSms

Automatic

vds

Manual

VSS

Manual

W32Time

Automatic

WcsPlugInService

Manual

WdiServiceHost

Manual

WdiSystemHost

Manual

Wecsvc

Manual

wercplsupport

Manual

WerSvc

Automatic

WinHttpAutoProxySvc

Manual

Winmgmt

Automatic

WinRM

Automatic

wmiApSrv

Manual

WPDBusEnum

Manual

wuauserv

Automatic

wudfsvc

Manual

DNS

Disabled

nfssvc

Disabled

nfsclnt

Disabled

ADAM_ISASTGCTRL

Automatic

AppHostSvc

Automatic

aspnet_state

Manual

clr_optimization_v2.0.50727_64

Manual

fwsrv

Automatic

IAS

Automatic

IISADMIN

Automatic

isactrl

Automatic

isasched

Automatic

ISASTG

Automatic

MDM

Manual

MSSQL$ISARS

Automatic

MSSQL$MSFW

Automatic

MSSQLServerADHelper

Disabled

ose

Manual

ReportServer$ISARS

Automatic

Rqs

Manual

SQLBrowser

Automatic

SQLWriter

Automatic

W3SVC

Automatic

WAS

Manual

WMSvc

Manual

xmonitor

Automatic

The security policy defined in the file Isa_harden.xml also configures your Forefront TMG computer as a client of other servers. The following client features are enabled:

  • MSClient
  • TimeSync
  • DHCPClient
  • DNSClient
  • DynamicDNS

The remaining sections of this topic assume that you have applied the configurations recommended in the "Windows Server 2008 Security Guide" on the computer running Forefront TMG. Specifically, you should apply the Microsoft Baseline Security Policy security template. However, do not implement the IPsec filters or any of the server role policies.

In addition, you should consider Forefront TMG functionality and consider performing manual hardening of the operating system accordingly.

Cc995076.note(en-us,TechNet.10).gifNote:
We recommend that you harden the Windows infrastructure after you have completely installed Forefront TMG.

If you want to harden your server manually, you can configure the service startup mode, as described in this section. You configure the computer as does the Security Configuration Wizard.

Cc995076.note(en-us,TechNet.10).gifNote:
We recommend that you use the security policy defined in the file Isa_harden.xml to harden the computer, because it is best optimized to secure the Forefront TMG computer.

Administration and other tasks

For a server to perform necessary tasks, specific services must be enabled in accordance with the roles that you select. Unnecessary services should be disabled. The following table lists possible server tasks for Forefront TMG, describes when they may be required, and lists the services that should be activated when you perform each task.

Server task Usage scenario Services required Startup mode

Installing applications on the local computer using Windows Installer

Required to install, uninstall, or repair applications using the Microsoft Installer service.

Windows Installer

Manual

Backup

Required if a backup program is used on the Forefront TMG computer.

Microsoft Software Shadow Copy Provider

Volume Shadow Copy

Removable Storage

Manual

Manual

Error reporting

Used to enable error reporting, thereby helping improve Windows reliability by reporting critical faults to Microsoft for analysis.

Windows Error Reporting Service

Automatic

Help and Support

Allows collection of historical computer data for Microsoft Product Support Services incident escalation.

Help and Support

Automatic

Forefront TMG: SQL Server Express logging

Required to allow loggingusing SQL Server Express databases. If you do not enable the applicable service, you can log to SQL databases or to files. However, you will not be able to use the log viewer in offline mode.

SQLAgent$MSFW

SQL Server Express (MSFW)

Manual

Automatic

Performance data collection

Allows background collection of performance data on the Forefront TMG computer.

Performance Logs and Alerts

Automatic

Printing

Allows printing from the Forefront TMG computer.

Print Spooler

TCP/IP NetBIOS Helper

Workstation

Automatic

Automatic

Automatic

Remote Windows administration

Allows remote management of the Windows server (not required for remote management of Forefront TMG).

Server

Remote Registry

Automatic

Automatic

Time synchronization

Allows the Forefront TMG computer to contact an NTP server to synchronize its clock. From a security perspective, an accurate clock is important for event auditing and other security protocols.

Windows Time

Automatic

Remote Assistance Expert

Allows the Remote Assistance feature to be used on this computer.

Help and Support

Remote Desktop Help Session Manager

Terminal Services

Automatic

Manual

Manual

Notes

  • To function properly, time-synchronizing client applications require that either the Wireless or the Server service is running.
  • To function properly, performance counters require that both the Remote Registry and Server services are running.
  • The startup mode for the Server service should be Automatic when you use Routing and Remote Access Management, rather than Forefront TMG Management, to configure a virtual private network (VPN).
  • The startup mode for the Routing and Remote Access service is manual. Forefront TMG starts the service only if a VPN is enabled.
  • The Server service is required only if you use Routing and Remote Access Management (rather than Forefront TMG Management) to configure a VPN.

Client features

Servers can be clients of other servers. Client features are dependent on feature-specific services being enabled. The following table lists possible client features for Forefront TMG, describes when they may be required, and lists the services that should be activated when you enable the feature.

Client features Usage scenario Services required Startup mode

Windows Update

Select this feature to allow the automatic detection, download, and installation of updates for Windows and other programs.

Windows Update

Automatic

Background Intelligent Transfer Service (BITS)

Select this feature to enable the transfer of update files in the background using idle network bandwidth.

Background Intelligent Transfer Service

Automatic

DHCP Client

Select this feature if the Forefront TMG computer receives its IP address automatically from a DHCP server.

DHCP Client

Automatic

DNS Client

Select this feature if the Forefront TMG computer needs to receive name resolution information from other servers.

Also select the DNS Client feature when Forefront TMG requires name resolution information (DNS and Hosts file).

DNS Client

Automatic

Domain Member

Select this feature if the Forefront TMG computer belongs to an Active Directory domain.

Network Location Awareness

Netlogon

Windows Time

Automatic

Automatic

Automatic

DNS Registration Client

Select this feature to allow the Forefront TMG computer to automatically register its name and address information with a DNS server.

DHCP Client

Automatic

Microsoft Networking client

Select this feature if the Forefront TMG computer needs to connect to other Windows clients. If you do not select this role, the Forefront TMG computer will not be able to access shares on remote computers, for example, to publish reports.

TCP/IP NetBIOS Helper

Workstation

Automatic

Automatic

WINS Client

Select this fetaure if the Forefront TMG computer uses WINS-based name resolution.

Server

TCP/IP NetBIOS Helper

Automatic

Automatic

You can create a security template by using the Security Templates Microsoft Management Console (MMC) snap-in. A security template is an .inf file that includes information about which services should be enabled, as well as their startup mode, and can contain security settings that cannot be set with the Security Configuration Wizard. However, you can include a security template in a security policy created with the Security Configuration Wizard and then apply the security policy to your Forefront TMG computer.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft