Hardening the Forefront UAG server

Updated: August 23, 2010

Applies To: Unified Access Gateway

Using the Security Configuration Wizard (SCW) in Windows Server® 2008 R2 2008, you can reduce the attack surface of a computer that is running the Windows Server 2008  R2 operating system, by modifying security settings for roles, role services, and features. This topic describes how to apply a policy provided by the Forefront Unified Access Gateway (UAG) security template, and how to roll back an applied Forefront UAG template, if required.

Warning

This topic provides information about modifying the registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Backing up the configuration

Settings applied with the Forefront UAG security template cannot be completely rolled back using the SCW. Rollback using the SCW reverts only modified Windows and Forefront UAG services to their former state.

Before running the template to harden your configuration, back up settings as follows.

To back up the configuration

  1. Back up either the entire registry or specific registry settings, as described in Back up the registry. Note that if you back up the entire registry, and then restore the backup in order to roll back hardened settings, you will lose all registry modifications made since the backup. Alternatively, you can back up only those registry settings that were modified by the template, as follows:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Speech

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerHwIdStorage

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports

    • HKEY_LOCAL_MACHINE\System

    • HKEY_LOCAL_MACHINE\SYSTEM\Clone

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles

    • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots

  2. Back up the files and folders that will be modified by the Forefront UAG template, as follows:

    • %ProgramFiles%\Common Files\SpeechEngines\Microsoft\TTS20

    • %ProgramFiles(x86)%\Common Files\SpeechEngines\Microsoft\TTS20

    • %SystemRoot%\ServiceProfiles\LocalService

    • %SystemRoot%\ServiceProfiles\NetworkService

    • %SystemDirectory%\wbem\mof

    • %SystemDrive%\inetpub\logs\wmsvc

    • %SystemRoot%\SysWOW64\inetsrv\Config\Export

    • %SystemDirectory%\config\RegBack\default

    • %SystemDirectory%\config\systemprofile\ntuser.dat

    • %SystemDirectory%\config\RegBack\sam

    • %SystemDirectory%\config\RegBack\security

    • %SystemDirectory%\config\RegBack\software

    • %SystemDirectory%\config\RegBack\system

  3. In the Forefront UAG Management console, make sure that all required configuration changes are activated, and then back up your current configuration by exporting the configuration from each Forefront UAG server that you want to harden. For instructions, see Backing up and restoring with export and import.

Hardening the configuration with the security template

Download and install the template as follows.

To apply the security template

  1. Download the zip file available from the Microsoft Download Center, and extract the XML template.

  2. On each Forefront UAG server that you want to harden, click Start, point to Administrative Tools, and then click Security Configuration Wizard.

  3. On the Welcome page, click Next.

  4. On the Configuration Action page, click Apply an existing security policy, and then click Browse to locate the XML template file. Then click Next.

  5. On the Select Server page, type the name of the server to which the policy will be applied, and then click Next.

  6. On the Apply Security Policy page, click Next. You can click View Security Policy to verify all the policy settings before applying them.

  7. Complete the Security Configuration Wizard.

    Tip

    Alternatively, you can apply the template by using the following command:

    scwcmd.exe configure /p:<XMLFile.xml, where XMLFile is the xml file that you extracted from the downloaded zip file.

Rolling back the security template

Rolling back the Forefront UAG security template with the SCW will not result in a complete rollback. Instead, rollback requires the following:

  1. Roll back with the SCW to undo modifications to services.

  2. Restore registry settings.

  3. Restore files and folders.

To roll back services

  1. On each Forefront UAG server for which you want to remove the security template, click Start, point to Administrative Tools, and click Security Configuration Wizard.

  2. On the Welcome page, click Next.

  3. On the Configuration Action page, click Rollback the last applied security policy, and then click Next.

  4. Complete the Security Configuration Wizard.

    Tip

    Alternatively, you can uninstall the template by using the following command:

    scwcmd.exe rollback /m:<computer_name

    where computer_name is the host name, NetBios name, FQDN, or IP address, of the computer on which the rollback operation should be performed.

  5. Restore the registry settings in accordance with the backup you did before you applied the Forefront UAG hardening template.

  6. Restore the folder and file settings in accordance with the backup you did before you applied the Forefront UAG hardening template.