Appendix D: Testing the Windows Server 2003 Security Guide
Published: December 31, 2003 | Updated: April 26, 2006
Overview
The Windows Server 2003 Security Guide is designed to provide proven and repeatable configuration guidance to secure computers that run Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1) in a variety of environments. The Windows Server 2003 Security Guide was tested in a lab environment to ensure that the guidance works as expected. The documentation was checked for consistency and all recommended procedures were tested by the Windows Server 2003 Security Guide test team. Tests were performed to verify functionality, but also to help reduce the amount of resources that are needed by those who use the guidance to build and test their own implementations.
Scope
The Windows Server 2003 Security Guide was tested in a lab that simulated three different security environments—Legacy Client (LC), Enterprise Client (EC), and Specialized Security – Limited Functionality (SSLF). These environments are described in Chapter 1, "Introduction to the Windows Server 2003 Security Guide." Tests were conducted based on the criteria that are described in the following "Test Objectives" section. A vulnerability assessment of the test lab environment that was used to secure the Windows Server 2003 Security Guide solution was out of scope for the test team.
Test Objectives
The Windows Server 2003 Security Guide test team was guided by the following test objectives:
Finally, the guidance should be repeatable and reliably usable by a Microsoft Certified Systems Engineer (MCSE) with two years of experience.
Test Environment
The test lab networks that were developed to test this guide were similar to those that were used in the previous version of the guide. Three separate but similar networks were developed, one for each of the defined environments. Each test network consisted of a Windows Server 2003 with SP1 Active Directory® directory service forest, computers for infrastructure server roles that provided domain controller, DNS, WINS and DHCP services, and other computers for application server roles that provided file, print, and Web services. The EC network also included computers for the Certificate Services and IAS server roles, and the Bastion Host (BH) server role was included in the SSLF network. Also, the EC and SSLF networks included Microsoft Operations Manager (MOM) 2005 and Systems Management Server (SMS) 2003 to manage and monitor the domain member servers and client computers. These networks also included Microsoft Exchange Server 2003 for e-mail service.
The client computers in the different networks used Windows XP Professional with SP2 and Windows 2000 Professional with SP4. The LC network also included client computers that ran the Windows 98 SR2 and Windows NT® 4.0 workstation with SP6a operating systems.
The following diagram shows the test lab network that was developed for the EC environment.
Figure D.1 Logical diagram of the test lab network for the EC environment
To verify replication scenarios between hardened domain controllers, the Active Directory forest consisted of two sites. One site was the main office site with an empty root domain and a child domain that consisted of the previously mentioned server and client computers. The second site consisted merely of a single second domain controller of the child domain.
The following diagram shows the test lab network that was developed for the SSLF environment.
Figure D.2 Logical diagram of the test lab network for SSLF environment
Testing Methodology
This section describes the procedures that were followed to test the Windows Server 2003 Security Guide. The test team established a lab that incorporated the three networks that are described in the previous section. A quick proof of concept (POC) test pass and then two more robust test cycles were executed. During each pass the team strove to stabilize the solution. A test cycle was defined as a sequence of the following phases:
The details of each phase are provided in the following "Phases in a Test Pass" section. The "Test Preparation Phase" section describes the steps that were performed to ensure that the lab environment was free of any issues that could cause a misinterpretation of the actual test results after the three environments were hardened through the first two incremental build phases. It is also referred to as the “baseline” state.
Phases in a Test Pass
The test pass phases are described in the following subsections. Any critical issues that were found during the build phase were identified as bugs and resolved in that phase before the test team moved to the test execution phase. This method ensured that correct security configuration was implemented in the network and validated the accuracy of the test results that were obtained.
Test Preparation Phase
This phase set up the baseline configuration to which the solution is applied during the Security Configuration Build phase. The following steps were performed for each of the three environments—LC, EC, and SSLF:
To complete the test preparation phase
Security Configuration Build Phase
The objective of this phase was to follow the procedures in the guide to configure the domain, domain controllers, and member servers to a more secure level than the baseline configuration.
Manual Configuration Phase
This phase is often the first security build phase. The manual hardening recommendations that were provided in each chapter were implemented during this phase.
Note: Some of these steps may be applicable for your network and some may not. Review each procedure carefully to understand its impact on your network.
To perform the manual configuration phase
Group Policy Configuration Phase
The purpose of this phase is to create and apply the Group Policy objects (GPOs) at the domain and organizational unit (OU) levels. GPOs are applied to the different OUs based on the recommendations in Chapter 2, "Windows Server 2003 Hardening Mechanisms."
Service Pack 1 for Windows Server 2003 introduced some new tools and features that caused the Group Policy implementation design to change from its previous version. The Security Configuration Wizard (SCW) is an attack-surface reduction tool that is used to create the required set of security policies for each of the server roles that are discussed in this guide. The availability of SCW caused the following two significant changes for the Group Policy Configuration Phase:
The following steps were repeated for each of the three security environments:
To create Group Policy objects
After the GPOs are successfully created, compare the settings with the guidance in the chapters to identify any incorrect configurations.
At this stage, all the domain member servers reside in the Computers OU. These servers are then moved to their respective OUs under the Member Server OU. The next task (detailed in the following procedure) is to apply each of these GPOs to the respective OUs. The Group Policy Management Console (GPMC) tool was used to link the GPO with the OU. The Domain Controller Policy GPO was linked last.
The following steps were performed to complete the rest of the Security Configuration Build phase:
To apply Group Policy objects
Verifying Group Policy Download on the Member Server Computers
The previous procedures created GPOs and applied them to OUs to configure the computers in those OUs. Complete the following steps to confirm the successful download of Group Policy from domain controllers to member server computers. (It is assumed that the member server computers were restarted after the GPO was linked to the OU.)
To verify Group Policy download on a member server computer
Test Execution Phase
This phase executes the test cases that were developed by the test team. The test execution phase seeks to identify the following:
The test team executed the set of test cases that are included in the \Windows Server 2003 Security Guide Tools and Templates\Test Tools folder. (The tools and templates are included with the downloadable version of this guide.) These tests were executed on each of the three separate networks except for those that tested components that were only available in one network—such as Certificate Services, which was only available in the EC environment.
In addition to these test cases, manual testing was performed at various times—for example, to periodically check Event Viewer logs or to verify any specific issues that were discovered in the previous version of the guide. All issues that were found were logged in a database and triaged with members of the development team until they were resolved. More detailed information about the different types of tests that were performed is provided in the next section.
Types of Tests
The test team performed the following types of tests during the test phases to ensure that the secured domain, domain controllers, and member servers did not experience any significant loss of functionality. You may want to refer to the Excel workbooks in the \Windows Server 2003 Security Guide Tools and Templates\Test Tools folder that is included in the download for this guide, which contain the complete list of test cases that were executed for domain-based as well as stand-alone servers that run Windows Server 2003 with SP1. Details such as test scenarios, execution steps, and expected results are also provided.
These tests were executed multiple times. More importantly, they were executed before and after the security settings that are described in this guide were implemented. This approach helped the test team to identify potential errors and any variations in functionality for the listed server roles.
Client Side Tests
These test cases were executed on the client computers in the network.
The main purpose of these tests was to ensure that domain services (such as authentication, access rights, name resolution, and so on) and application-based services (such as File, Print, and Web) are available to the client computers after the network servers are hardened. For the LC environment, these tests ensured that those client computers that run Windows NT 4.0 SP6a and Windows 98 were able to authenticate with the Windows Server 2003 Active Directory domain.
Documentation Build Tests
These tests validate that the statements, procedures, and functions that are documented in the implementation guidance are accurate, unambiguous, and complete. No separate test cases are listed for these tests.
Script Tests
Some of the client test scenarios were scripted in VBScript. These test cases are primarily concerned with proper functionality of Windows XP client computers that use network-based services, such as domain logon, password change, and print server access. The VBScript files for these test cases are available in the \Windows Server 2003 Security Guide Tools and Templates\Test Tools folder that is included in the downloadable version of this guide.
Server Side Tests
These test cases were developed to verify functionality and the effect of the build procedures on Windows Server 2003 with SP1 servers that were secured with the recommendations in this guide. All the server roles that are described in this guide were tested. The additional server roles that were included in the test network, such as Exchange, MOM, and SMS, were also tested.
Pass and Fail Criteria
Before tests were performed, the following criteria were defined to ensure defect prevention and bug resolution:
Release Criteria
The primary release criterion for the Windows Server 2003 Security Guide was related to the severity of bugs that were still open. However, other issues that were not being tracked through bugs were also discussed. The criteria for release are:
Bug Classification
The bug severity scale is described in the following table. The scale is from 1 to 4, with 1 as the highest severity and 4 as the lowest severity.
Table D.1 Bug Severity Classification
Summary
This appendix enables an organization that uses the Windows Server 2003 Security Guide to understand the procedures and steps that were used to test the implementation of the solution in a test lab environment. The actual experience of the Windows Server 2003 Security Guide test team is captured in this appendix, which includes descriptions of the test environment, types of tests, the release criteria, and bug classification details.
All of the test cases that were executed by the test team passed with the expected results. The test team confirmed that the requisite functionality was available after the recommendations from the Windows Server 2003 Security Guide for the defined environments were applied.