What is Server Security Policy Management?

Applies To: Windows Server 2008

Server security policy management includes keeping security settings up to date as your various server configurations change over time. The steps to help secure your servers through policy management include:

  • Analyze server security settings to ensure that the security policy applied to a server is appropriate for the server role.

  • Update a server security policy when the server configuration is modified.

  • Create a security policy for a new application or server role not included in Server Manager.

  • Use security policy management tools to apply security policy settings that are unique to your environment.

This discussion focuses on three tools that you can use alone or together to manage the security policies on your servers:

  • Security Configuration Wizard

  • Security Templates snap-in

  • Security Configuration and Analysis snap-in

The tools you choose to use to help keep your servers secure will depend on the size of your organization, your security requirements, and the frequency with which you modify your server configurations.

Note

This technical reference does not describe all Windows Server 2008–based tools that are available for managing security policy settings but focuses on those tools that work together to provide solutions for small-sized to medium-sized organizations.

Server security policy management components

The following components are included in this discussion of server security policy.

Security Configuration and Analysis snap-in

Administrators can use this snap-in to keep a server's security policy current by quickly analyzing settings and updating local computer policy with a security template. You can compare a baseline policy with actual system settings. The associated command-line tool, Secedit.exe, can be used in a non-domain environment in conjunction with other administrative tools, such as Microsoft System Center Configuration Manager 2007, to configure and apply policies.

Security Templates snap-in

Administrators can use this snap-in to create security policies for servers deployed in new scenarios and to modify existing policies prior to deployment. With this snap-in, many security settings are available to the administrator to configure individually. The policy created with a security template can be imported into a Group Policy object (GPO) to configure multiple servers or applied to a single server by using the Security Configuration and Analysis snap-in.

Security settings database

This database consists of the .inf files created by using the Security Templates snap-in. The database is used for configuration or analysis of the local computer by using the Security Configuration and Analysis snap-in or the Secedit command-line tool.

Security Configuration Wizard

The Security Configuration Wizard (SCW) is an administrative tool for maintaining a secure server configuration after initial role installation, updating role-based policies when server configurations change, and creating policies for server roles not installed with Server Manager. You can apply role-based policies created with SCW in a non-domain environment as well as an Active Directory environment. By using the command-line version of this tool, Scwcmd.exe, you can perform additional tasks such as analyzing the security policy for multiple servers or converting policies to GPOs.

Security Configuration Database

The SCW Security Configuration Database (also referred to as the knowledge base) consists of a set of XML documents that list services, dependencies across server roles, and firewall rules that are required for each server role that is supported by SCW.

Security configuration engine

The security configuration engine applies the policies created with the Security Templates snap-in and a subset of policy settings that SCW supports, such as audit settings.

Security policy management tasks

The following table provides an overview of common server security policy management tasks performed in various environments, the recommended tools for each, and references for more information about using the tools.

Security policy management tasks

| Task | Tool | Reference |
| --- | --- | --- |
| Create and apply a server security policy for a server role in a workgroup environment | Security Configuration Wizard (SCW) | Security Policies Step-by-Step Guide: Creating and Deploying Role-Based Policies |
| Modify role-based server security policies for servers in an Active Directory environment | SCW to edit policies and Scwcmd to apply them | Security Configuration Wizard |
| Apply role-based policies to multiple servers in an Active Directory environment | Scwcmd | Security Policies Step-by-Step Guide: Creating and Deploying Role-Based Policies |
| Configure individual security settings for a server in a workgroup environment | Security Configuration and Analysis snap-in and the Security Templates snap-in | Security Configuration and Analysis |
| Create a security policy by using individual security settings for a server in a specialized environment | Security Templates snap-in | Security Templates |
| Edit individual security settings on the local computer | Local Security Policy (Administrative Tools) | Modify Local Security Policy |
| Analyze the security settings of one or more servers based on a server's role to check for vulnerable configurations | Scwcmd | Security Policies Step-by-Step Guide: Creating and Deploying Role-Based Policies |
| Analyze the local computer security settings | Security Configuration and Analysis snap-in | Security Configuration and Analysis |
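The two analysis tasks in the table, the local comparison against a security template with Secedit.exe and the role-based analysis of several servers with Scwcmd.exe, as an added PowerShell example that is not part of this technical reference. The template, policy, log and server names (C:\Policies\Baseline.inf, C:\Policies\WebRole.xml, SRV01, SRV02) are placeholders, and the "Mismatch" marker searched for in the Secedit log is assumed from that tool's log format.

```powershell
# Added example: drift check of server security policy with the two
# command-line tools this reference describes. All paths and server
# names below are placeholders, not values from the reference.
$Template  = 'C:\Policies\Baseline.inf'      # created with the Security Templates snap-in
$Database  = 'C:\Policies\Baseline.sdb'      # security settings database built from it
$Log       = 'C:\Policies\secedit-analyze.log'
$ScwPolicy = 'C:\Policies\WebRole.xml'       # role-based policy created with SCW
$ScwOutput = 'C:\Policies\scw-results'
$Servers   = @('SRV01', 'SRV02')             # placeholder computer names

# --- Stage 1: analyze the local computer against the template (Secedit) ---
# /import loads the .inf template into the .sdb database; /analyze then
# compares the database with the live system and writes differences to the log.
secedit /import /db $Database /cfg $Template /overwrite /quiet
secedit /analyze /db $Database /cfg $Template /log $Log /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit /analyze failed with exit code $LASTEXITCODE"
}

# Settings that drifted from the baseline are flagged as mismatches in the log
# (assumed marker text; adjust if your Secedit build words it differently).
$Mismatches = Select-String -Path $Log -Pattern 'Mismatch' -SimpleMatch
Write-Host ("Secedit: {0} setting(s) differ from {1}" -f $Mismatches.Count, $Template)
$Mismatches | ForEach-Object { Write-Host "  $($_.Line.Trim())" }

# --- Stage 2: role-based analysis of several servers (Scwcmd) ---
# /p: is the SCW policy file, /m: the target computer, /o: the result folder.
# Scwcmd writes one result file per analyzed server into the result folder.
New-Item -ItemType Directory -Path $ScwOutput -Force | Out-Null
foreach ($Server in $Servers) {
    scwcmd analyze "/p:$ScwPolicy" "/m:$Server" "/o:$ScwOutput"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "scwcmd analyze failed for $Server (exit code $LASTEXITCODE)"
    }
}

# List the result files so they can be reviewed (for example with scwcmd view).
Get-ChildItem -Path $ScwOutput -Filter '*.xml' | ForEach-Object {
    Write-Host "SCW analysis result: $($_.FullName)"
}
```

Run the script from an elevated prompt on a server that has the SCW components installed; the Secedit stage only reports differences and changes nothing, so it is safe to schedule as a recurring drift check before deciding whether to reapply the policy.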

Server security policy management tools and processes work in conjunction with technologies such as Active Directory Domain Services (AD DS) and Group Policy. Network Access Protection (NAP) provides an additional way to help secure your servers.

Active Directory Domain Services

AD DS in the Windows Server 2008 operating system stores information about users, computers, and other resources on a network. AD DS helps administrators manage this information securely. AD DS is required for a variety of applications and Windows Server–based technologies, such as Group Policy.

For more information about AD DS, see Active Directory Domain Services.

Group Policy

The primary purpose of Group Policy is to apply policy settings to computers and users in an Active Directory domain. The Group Policy Management Console (GPMC) provides a single user interface for managing all Group Policy–related tasks. You can transform security policies into GPOs and apply them to organizational units (OUs) with the GPMC, as well as edit policy settings for GPOs.

You use Local Security Policy in Administrative Tools to edit or adjust individual security settings on a computer.

For more information about Group Policy tools, see Windows Server Group Policy (https://go.microsoft.com/fwlink/?LinkID=106146).

Network Access Protection

Network Access Protection (NAP) is a system policy enforcement platform included with Windows Server 2008 and Windows Vista. A network administrator configures NAP policies and enforcement behavior on a computer running Windows Server 2008 and the Network Policy Server (NPS) service. NAP policies and enforcement behavior settings consist of connection request policies, network policies, health policies, and NAP settings; these help determine the compliance of a computer and limit the access of noncompliant computers.

For more information about NAP, see Network Access Protection (https://go.microsoft.com/fwlink/?LinkId=113053).