Hardening the Windows infrastructure

Hardening the Microsoft Windows Server 2008 operating system reduces its attack surface by disabling functionality that is not required while retaining the minimum functionality that is. When you install Microsoft Forefront Threat Management Gateway as part of the Essential Business Server installation, the setup program hardens the Windows Server 2008 operating system on the Forefront TMG computer automatically: after the Forefront TMG installation completes, it launches the Scwcmd.exe command-line tool with the following command:

scwcmd.exe configure /p:isa_harden.xml

This command applies the security policy defined in the file Isa_harden.xml, which is supplied with Forefront TMG. When this security policy is applied, the startup type of numerous services is configured. 

The following table lists the services whose startup type is set by the security policy defined in Isa_harden.xml.

Service name                     Startup type
AeLookupSvc                      Automatic
ALG                              Manual
Appinfo                          Manual
AppMgmt                          Manual
AudioEndpointBuilder             Disabled
Audiosrv                         Disabled
BFE                              Automatic
BITS                             Automatic
Browser                          Automatic
CertPropSvc                      Manual
clr_optimization_v2.0.50727_32   Manual
COMSysApp                        Manual
CryptSvc                         Automatic
CscService                       Disabled
DcomLaunch                       Automatic
Dhcp                             Automatic
Dnscache                         Automatic
dot3svc                          Manual
DPS                              Automatic
EapHost                          Manual
Eventlog                         Automatic
EventSystem                      Automatic
FCRegSvc                         Manual
fdPHost                          Manual
FDResPub                         Manual
gpsvc                            Automatic
hidserv                          Disabled
hkmsvc                           Manual
IKEEXT                           Automatic
IPBusEnum                        Disabled
iphlpsvc                         Automatic
KeyIso                           Manual
KtmRm                            Automatic
LanmanServer                     Automatic
LanmanWorkstation                Automatic
lltdsvc                          Manual
lmhosts                          Automatic
MMCSS                            Manual
MpsSvc                           Automatic
MSDTC                            Automatic
MSiSCSI                          Manual
msiserver                        Manual
napagent                         Manual
Netman                           Manual
netprofm                         Automatic
NlaSvc                           Automatic
nsi                              Automatic
pla                              Manual
PlugPlay                         Automatic
PolicyAgent                      Disabled
ProfSvc                          Automatic
ProtectedStorage                 Manual
RasAuto                          Disabled
RasMan                           Manual
RemoteAccess                     Ignored
RemoteRegistry                   Disabled
RpcLocator                       Manual
RpcSs                            Automatic
RSoPProv                         Manual
sacsvr                           Manual
SamSs                            Automatic
SCardSvr                         Disabled
Schedule                         Automatic
SCPolicySvc                      Disabled
seclogon                         Automatic
SENS                             Automatic
SessionEnv                       Manual
SharedAccess                     Disabled
ShellHWDetection                 Automatic
slsvc                            Automatic
SLUINotify                       Manual
SNMPTRAP                         Manual
SSDPSRV                          Disabled
SstpSvc                          Ignored
swprv                            Manual
SysMain                          Manual
TapiSrv                          Manual
TBS                              Manual
TermService                      Automatic
Themes                           Disabled
THREADORDER                      Manual
TrkWks                           Automatic
TrustedInstaller                 Manual
UI0Detect                        Manual
UmRdpService                     Manual
upnphost                         Disabled
UxSms                            Automatic
vds                              Manual
VSS                              Manual
W32Time                          Automatic
WcsPlugInService                 Manual
WdiServiceHost                   Manual
WdiSystemHost                    Manual
Wecsvc                           Manual
wercplsupport                    Manual
WerSvc                           Automatic
WinHttpAutoProxySvc              Manual
Winmgmt                          Automatic
WinRM                            Automatic
wmiApSrv                         Manual
WPDBusEnum                       Manual
wuauserv                         Automatic
wudfsvc                          Manual
DNS                              Disabled
nfssvc                           Disabled
nfsclnt                          Disabled
ADAM_ISASTGCTRL                  Automatic
AppHostSvc                       Automatic
aspnet_state                     Manual
clr_optimization_v2.0.50727_64   Manual
fwsrv                            Automatic
IAS                              Automatic
IISADMIN                         Automatic
isactrl                          Automatic
isasched                         Automatic
ISASTG                           Automatic
MDM                              Manual
MSSQL$ISARS                      Automatic
MSSQL$MSFW                       Automatic
MSSQLServerADHelper              Disabled
ose                              Manual
ReportServer$ISARS               Automatic
Rqs                              Manual
SQLBrowser                       Automatic
SQLWriter                        Automatic
W3SVC                            Automatic
WAS                              Manual
WMSvc                            Manual
xmonitor                         Automatic

The security policy defined in the file Isa_harden.xml also configures your Forefront TMG computer as a client of other servers. The following client features are enabled:

  • MSClient
  • TimeSync
  • DHCPClient
  • DNSClient
  • DynamicDNS

The remaining sections of this topic assume that you have applied the configurations recommended in the "Windows Server 2008 Security Guide" on the computer running Forefront TMG. Specifically, you should apply the Microsoft Baseline Security Policy security template. However, do not implement the IPsec filters or any of the server role policies.

In addition, consider the functionality that your Forefront TMG computer provides and perform any further manual hardening of the operating system accordingly.

Note

We recommend that you harden the Windows infrastructure after you have completely installed Forefront TMG.

Manually hardening Windows Server 2008

If you prefer to harden your server manually, configure the startup mode of each service as described in this section. This configures the computer in the same way that the Security Configuration Wizard does.

Note

We recommend that you use the security policy defined in the file Isa_harden.xml to harden the computer, because it is best optimized to secure the Forefront TMG computer.

Administration and other tasks

For a server to perform necessary tasks, specific services must be enabled in accordance with the roles that you select. Unnecessary services should be disabled. The following table lists possible server tasks for Forefront TMG, describes when they may be required, and lists the services that should be activated when you perform each task.

Server task / Usage scenario / Services required / Startup mode

Installing applications on the local computer using Windows Installer
  Usage scenario: Required to install, uninstall, or repair applications using the Microsoft Installer service.
  Services required: Windows Installer
  Startup mode: Manual

Backup
  Usage scenario: Required if a backup program is used on the Forefront TMG computer.
  Services required: Microsoft Software Shadow Copy Provider; Volume Shadow Copy; Removable Storage
  Startup mode: Manual; Manual

Error reporting
  Usage scenario: Used to enable error reporting, thereby helping improve Windows reliability by reporting critical faults to Microsoft for analysis.
  Services required: Windows Error Reporting Service
  Startup mode: Automatic

Help and Support
  Usage scenario: Allows collection of historical computer data for Microsoft Product Support Services incident escalation.
  Services required: Help and Support
  Startup mode: Automatic

Forefront TMG: SQL Server Express logging
  Usage scenario: Required to allow logging using SQL Server Express databases. If you do not enable the applicable service, you can still log to SQL databases or to files; however, you will not be able to use the log viewer in offline mode.
  Services required: SQLAgent$MSFW; SQL Server Express (MSFW)
  Startup mode: Manual; Automatic

Performance data collection
  Usage scenario: Allows background collection of performance data on the Forefront TMG computer.
  Services required: Performance Logs and Alerts
  Startup mode: Automatic

Printing
  Usage scenario: Allows printing from the Forefront TMG computer.
  Services required: Print Spooler; TCP/IP NetBIOS Helper; Workstation
  Startup mode: Automatic; Automatic; Automatic

Remote Windows administration
  Usage scenario: Allows remote management of the Windows server (not required for remote management of Forefront TMG).
  Services required: Server; Remote Registry
  Startup mode: Automatic; Automatic

Time synchronization
  Usage scenario: Allows the Forefront TMG computer to contact an NTP server to synchronize its clock. From a security perspective, an accurate clock is important for event auditing and other security protocols.
  Services required: Windows Time
  Startup mode: Automatic

Remote Assistance Expert
  Usage scenario: Allows the Remote Assistance feature to be used on this computer.
  Services required: Help and Support; Remote Desktop Help Session Manager; Terminal Services
  Startup mode: Automatic; Manual; Manual

Notes

  • To function properly, time-synchronizing client applications require that either the Wireless or the Server service is running.
  • To function properly, performance counters require that both the Remote Registry and Server services are running.
  • The startup mode for the Server service should be Automatic when you use Routing and Remote Access Management, rather than Forefront TMG Management, to configure a virtual private network (VPN).
  • The startup mode for the Routing and Remote Access service is manual. Forefront TMG starts the service only if a VPN is enabled.
  • The Server service is required only if you use Routing and Remote Access Management (rather than Forefront TMG Management) to configure a VPN.
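Enabling a server task by hand means setting each of its listed services to the listed startup mode and then checking the dependencies the notes above mention. The following PowerShell script is an added example, not part of the Forefront TMG documentation: it turns the server task table into a lookup keyed by task name, resolves the display names from the table with Get-Service, and applies the startup modes with Set-Service. The task-to-service mapping is transcribed from the table (Removable Storage is left out because the table gives no startup mode for it, and the Help and Support rows are left out because they add no further services); the preview switch and the dependency warning are this example's own additions.

```powershell
# Added example (not from the Forefront TMG documentation): enable the services a
# server task from the table above requires, with their listed startup modes.

# Transcribed from the "Administration and other tasks" table. Display names are
# resolved at run time, so a service that is not installed is reported, not guessed.
$ServerTasks = @{
    'Windows Installer'            = @(@{ Display = 'Windows Installer';               Mode = 'Manual' })
    'Backup'                       = @(@{ Display = 'Microsoft Software Shadow Copy Provider'; Mode = 'Manual' },
                                       @{ Display = 'Volume Shadow Copy';              Mode = 'Manual' })
    'Error reporting'              = @(@{ Display = 'Windows Error Reporting Service'; Mode = 'Automatic' })
    'Performance data collection'  = @(@{ Display = 'Performance Logs and Alerts';     Mode = 'Automatic' })
    'Printing'                     = @(@{ Display = 'Print Spooler';                   Mode = 'Automatic' },
                                       @{ Display = 'TCP/IP NetBIOS Helper';           Mode = 'Automatic' },
                                       @{ Display = 'Workstation';                     Mode = 'Automatic' })
    'Remote Windows administration' = @(@{ Display = 'Server';                         Mode = 'Automatic' },
                                        @{ Display = 'Remote Registry';                Mode = 'Automatic' })
    'Time synchronization'         = @(@{ Display = 'Windows Time';                    Mode = 'Automatic' })
}

# Dependency stated in the notes above: performance counters also need the
# Remote Registry and Server services to be running.
$TaskDependencies = @{
    'Performance data collection' = @('Remote Registry', 'Server')
}

function Set-ServerTaskServices {
    param(
        [Parameter(Mandatory = $true)][string]$Task,
        [switch]$Preview      # report what would change without calling Set-Service
    )

    if (-not $ServerTasks.ContainsKey($Task)) {
        throw "Unknown server task '$Task'. Known tasks: $($ServerTasks.Keys -join ', ')"
    }

    foreach ($entry in $ServerTasks[$Task]) {
        $svc = Get-Service -DisplayName $entry.Display -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service '$($entry.Display)' is not installed; skipping"
            continue
        }
        if ($Preview) {
            Write-Host "Would set $($svc.Name) ('$($entry.Display)') to $($entry.Mode)"
        } else {
            Set-Service -Name $svc.Name -StartupType $entry.Mode
            Write-Host "Set $($svc.Name) ('$($entry.Display)') to $($entry.Mode)"
        }
    }

    # Changing a startup mode does not start a service; warn if a dependency
    # named in the notes is not currently running.
    if ($TaskDependencies.ContainsKey($Task)) {
        foreach ($dep in $TaskDependencies[$Task]) {
            $d = Get-Service -DisplayName $dep -ErrorAction SilentlyContinue
            if ($d -and $d.Status -ne 'Running') {
                Write-Warning "'$Task' also needs the '$dep' service running; it is currently $($d.Status)"
            }
        }
    }
}

# Preview first, then apply from an elevated prompt.
Set-ServerTaskServices -Task 'Backup' -Preview
Set-ServerTaskServices -Task 'Backup'
```

Because the Isa_harden.xml policy disables Remote Registry, applying the 'Remote Windows administration' task re-opens that service; treat it as a deliberate, documented exception rather than a default, and revert it once the administration work is done.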

Client features

Servers can be clients of other servers. Client features are dependent on feature-specific services being enabled. The following table lists possible client features for Forefront TMG, describes when they may be required, and lists the services that should be activated when you enable the feature.

Client feature / Usage scenario / Services required / Startup mode

Windows Update
  Usage scenario: Select this feature to allow the automatic detection, download, and installation of updates for Windows and other programs.
  Services required: Windows Update
  Startup mode: Automatic

Background Intelligent Transfer Service (BITS)
  Usage scenario: Select this feature to enable the transfer of update files in the background using idle network bandwidth.
  Services required: Background Intelligent Transfer Service
  Startup mode: Automatic

DHCP Client
  Usage scenario: Select this feature if the Forefront TMG computer receives its IP address automatically from a DHCP server.
  Services required: DHCP Client
  Startup mode: Automatic

DNS Client
  Usage scenario: Select this feature if the Forefront TMG computer needs to receive name resolution information from other servers. Also select the DNS Client feature when Forefront TMG requires name resolution information (DNS and Hosts file).
  Services required: DNS Client
  Startup mode: Automatic

Domain Member
  Usage scenario: Select this feature if the Forefront TMG computer belongs to an Active Directory domain.
  Services required: Network Location Awareness; Netlogon; Windows Time
  Startup mode: Automatic; Automatic; Automatic

DNS Registration Client
  Usage scenario: Select this feature to allow the Forefront TMG computer to automatically register its name and address information with a DNS server.
  Services required: DHCP Client
  Startup mode: Automatic

Microsoft Networking client
  Usage scenario: Select this feature if the Forefront TMG computer needs to connect to other Windows clients. If you do not select this feature, the Forefront TMG computer will not be able to access shares on remote computers, for example, to publish reports.
  Services required: TCP/IP NetBIOS Helper; Workstation
  Startup mode: Automatic; Automatic

WINS Client
  Usage scenario: Select this feature if the Forefront TMG computer uses WINS-based name resolution.
  Services required: Server; TCP/IP NetBIOS Helper
  Startup mode: Automatic; Automatic

Creating a security template

You can create a security template by using the Security Templates Microsoft Management Console (MMC) snap-in. A security template is an .inf file that includes information about which services should be enabled, as well as their startup mode, and can contain security settings that cannot be set with the Security Configuration Wizard. However, you can include a security template in a security policy created with the Security Configuration Wizard and then apply the security policy to your Forefront TMG computer.