Hardening the Microsoft Windows Server 2008 operating system reduces the attack surface by disabling functionality that is not required while maintaining the minimum functionality that is required. When you install Microsoft Forefront Threat Management Gateway as part of the installation of Essential Business Server, the setup program automatically hardens the Windows Server 2008 operating system running on the Forefront TMG computer after the installation of Forefront TMG is completed by launching the Scwcmd.exe command-line tool with the following command:
scwcmd.exe configure /p:isa_harden.xml
This command applies the security policy defined in the file Isa_harden.xml, which is supplied with Forefront TMG. When this security policy is applied, the startup type of numerous services is configured.
The following table lists the services whose startup type is set by the security policy defined in Isa_harden.xml.
Service Name | Startup Type |
---|---|
AeLookupSvc | Automatic |
ALG | Manual |
Appinfo | Manual |
AppMgmt | Manual |
AudioEndpointBuilder | Disabled |
Audiosrv | Disabled |
BFE | Automatic |
BITS | Automatic |
Browser | Automatic |
CertPropSvc | Manual |
clr_optimization_v2.0.50727_32 | Manual |
COMSysApp | Manual |
CryptSvc | Automatic |
CscService | Disabled |
DcomLaunch | Automatic |
Dhcp | Automatic |
Dnscache | Automatic |
dot3svc | Manual |
DPS | Automatic |
EapHost | Manual |
Eventlog | Automatic |
EventSystem | Automatic |
FCRegSvc | Manual |
fdPHost | Manual |
FDResPub | Manual |
gpsvc | Automatic |
hidserv | Disabled |
hkmsvc | Manual |
IKEEXT | Automatic |
IPBusEnum | Disabled |
iphlpsvc | Automatic |
KeyIso | Manual |
KtmRm | Automatic |
LanmanServer | Automatic |
LanmanWorkstation | Automatic |
lltdsvc | Manual |
lmhosts | Automatic |
MMCSS | Manual |
MpsSvc | Automatic |
MSDTC | Automatic |
MSiSCSI | Manual |
msiserver | Manual |
napagent | Manual |
Netman | Manual |
netprofm | Automatic |
NlaSvc | Automatic |
nsi | Automatic |
pla | Manual |
PlugPlay | Automatic |
PolicyAgent | Disabled |
ProfSvc | Automatic |
ProtectedStorage | Manual |
RasAuto | Disabled |
RasMan | Manual |
RemoteAccess | Ignored |
RemoteRegistry | Disabled |
RpcLocator | Manual |
RpcSs | Automatic |
RSoPProv | Manual |
sacsvr | Manual |
SamSs | Automatic |
SCardSvr | Disabled |
Schedule | Automatic |
SCPolicySvc | Disabled |
seclogon | Automatic |
SENS | Automatic |
SessionEnv | Manual |
SharedAccess | Disabled |
ShellHWDetection | Automatic |
slsvc | Automatic |
SLUINotify | Manual |
SNMPTRAP | Manual |
SSDPSRV | Disabled |
SstpSvc | Ignored |
swprv | Manual |
SysMain | Manual |
TapiSrv | Manual |
TBS | Manual |
TermService | Automatic |
Themes | Disabled |
THREADORDER | Manual |
TrkWks | Automatic |
TrustedInstaller | Manual |
UI0Detect | Manual |
UmRdpService | Manual |
upnphost | Disabled |
UxSms | Automatic |
vds | Manual |
VSS | Manual |
W32Time | Automatic |
WcsPlugInService | Manual |
WdiServiceHost | Manual |
WdiSystemHost | Manual |
Wecsvc | Manual |
wercplsupport | Manual |
WerSvc | Automatic |
WinHttpAutoProxySvc | Manual |
Winmgmt | Automatic |
WinRM | Automatic |
wmiApSrv | Manual |
WPDBusEnum | Manual |
wuauserv | Automatic |
wudfsvc | Manual |
DNS | Disabled |
nfssvc | Disabled |
nfsclnt | Disabled |
ADAM_ISASTGCTRL | Automatic |
AppHostSvc | Automatic |
aspnet_state | Manual |
clr_optimization_v2.0.50727_64 | Manual |
fwsrv | Automatic |
IAS | Automatic |
IISADMIN | Automatic |
isactrl | Automatic |
isasched | Automatic |
ISASTG | Automatic |
MDM | Manual |
MSSQL$ISARS | Automatic |
MSSQL$MSFW | Automatic |
MSSQLServerADHelper | Disabled |
ose | Manual |
ReportServer$ISARS | Automatic |
Rqs | Manual |
SQLBrowser | Automatic |
SQLWriter | Automatic |
W3SVC | Automatic |
WAS | Manual |
WMSvc | Manual |
xmonitor | Automatic |
The security policy defined in the file Isa_harden.xml also configures your Forefront TMG computer as a client of other servers. The following client features are enabled:
- MSClient
- TimeSync
- DHCPClient
- DNSClient
- DynamicDNS
The remaining sections of this topic assume that you have applied the configurations recommended in the "Windows Server 2008 Security Guide" on the computer running Forefront TMG. Specifically, you should apply the Microsoft Baseline Security Policy security template. However, do not implement the IPsec filters or any of the server role policies.
In addition, consider which Forefront TMG functionality you use and perform any further manual hardening of the operating system accordingly.
Note
We recommend that you harden the Windows infrastructure after you have completely installed Forefront TMG.
If you want to harden your server manually, configure the service startup modes as described in this section. This configures the computer in the same way that the Security Configuration Wizard does.
Note
We recommend that you use the security policy defined in the file Isa_harden.xml to harden the computer, because it is best optimized to secure the Forefront TMG computer.
For a server to perform necessary tasks, specific services must be enabled in accordance with the roles that you select. Unnecessary services should be disabled. The following table lists possible server tasks for Forefront TMG, describes when they may be required, and lists the services that should be activated when you perform each task.
Server task | Usage scenario | Services required | Startup mode |
---|---|---|---|
Installing applications on the local computer using Windows Installer | Required to install, uninstall, or repair applications using the Microsoft Installer service. | Windows Installer | Manual |
Backup | Required if a backup program is used on the Forefront TMG computer. | Microsoft Software Shadow Copy Provider; Volume Shadow Copy; Removable Storage | Manual; Manual |
Error reporting | Used to enable error reporting, thereby helping improve Windows reliability by reporting critical faults to Microsoft for analysis. | Windows Error Reporting Service | Automatic |
Help and Support | Allows collection of historical computer data for Microsoft Product Support Services incident escalation. | Help and Support | Automatic |
Forefront TMG: SQL Server Express logging | Required to allow logging using SQL Server Express databases. If you do not enable the applicable service, you can log to SQL databases or to files. However, you will not be able to use the log viewer in offline mode. | SQLAgent$MSFW; SQL Server Express (MSFW) | Manual; Automatic |
Performance data collection | Allows background collection of performance data on the Forefront TMG computer. | Performance Logs and Alerts | Automatic |
Printing | Allows printing from the Forefront TMG computer. | Print Spooler; TCP/IP NetBIOS Helper; Workstation | Automatic; Automatic; Automatic |
Remote Windows administration | Allows remote management of the Windows server (not required for remote management of Forefront TMG). | Server; Remote Registry | Automatic; Automatic |
Time synchronization | Allows the Forefront TMG computer to contact an NTP server to synchronize its clock. From a security perspective, an accurate clock is important for event auditing and other security protocols. | Windows Time | Automatic |
Remote Assistance Expert | Allows the Remote Assistance feature to be used on this computer. | Help and Support; Remote Desktop Help Session Manager; Terminal Services | Automatic; Manual; Manual |
- To function properly, time-synchronizing client applications require that either the Wireless or the Server service is running.
- To function properly, performance counters require that both the Remote Registry and Server services are running.
- The startup mode for the Server service should be Automatic when you use Routing and Remote Access Management, rather than Forefront TMG Management, to configure a virtual private network (VPN).
- The startup mode for the Routing and Remote Access service is manual. Forefront TMG starts the service only if a VPN is enabled.
- The Server service is required only if you use Routing and Remote Access Management (rather than Forefront TMG Management) to configure a VPN.
Servers can be clients of other servers. Client features are dependent on feature-specific services being enabled. The following table lists possible client features for Forefront TMG, describes when they may be required, and lists the services that should be activated when you enable the feature.
Client features | Usage scenario | Services required | Startup mode |
---|---|---|---|
Windows Update | Select this feature to allow the automatic detection, download, and installation of updates for Windows and other programs. | Windows Update | Automatic |
Background Intelligent Transfer Service (BITS) | Select this feature to enable the transfer of update files in the background using idle network bandwidth. | Background Intelligent Transfer Service | Automatic |
DHCP Client | Select this feature if the Forefront TMG computer receives its IP address automatically from a DHCP server. | DHCP Client | Automatic |
DNS Client | Select this feature if the Forefront TMG computer needs to receive name resolution information from other servers. Also select the DNS Client feature when Forefront TMG requires name resolution information (DNS and Hosts file). | DNS Client | Automatic |
Domain Member | Select this feature if the Forefront TMG computer belongs to an Active Directory domain. | Network Location Awareness; Netlogon; Windows Time | Automatic; Automatic; Automatic |
DNS Registration Client | Select this feature to allow the Forefront TMG computer to automatically register its name and address information with a DNS server. | DHCP Client | Automatic |
Microsoft Networking client | Select this feature if the Forefront TMG computer needs to connect to other Windows clients. If you do not select this role, the Forefront TMG computer will not be able to access shares on remote computers, for example, to publish reports. | TCP/IP NetBIOS Helper; Workstation | Automatic; Automatic |
WINS Client | Select this feature if the Forefront TMG computer uses WINS-based name resolution. | Server; TCP/IP NetBIOS Helper | Automatic; Automatic |
You can create a security template by using the Security Templates Microsoft Management Console (MMC) snap-in. A security template is an .inf file that includes information about which services should be enabled, as well as their startup mode, and can contain security settings that cannot be set with the Security Configuration Wizard. However, you can include a security template in a security policy created with the Security Configuration Wizard and then apply the security policy to your Forefront TMG computer.