Security Configuration Wizard in Windows Server 2003 Service Pack 1

Applies To: Windows Server 2003 with SP1

What does Security Configuration Wizard do?

Security Configuration Wizard (SCW) is a new feature in Windows Server 2003 with Service Pack 1 that provides guided attack surface reduction for your servers. SCW is highly recommended for creating security policies for servers based on their roles. SCW includes the following features:

  • Remote or local role-based lockdown ensures that the services required by the selected roles remain enabled, minimizing the risk of breaking functionality.

  • Any services not specifically needed by the role(s) performed by the target system can be disabled.

  • Firewall and IPsec configuration ensures that the server presents the minimum possible attack profile based on the needs of the selected role(s).

  • Automated selection of key security settings based on a guided wizard to minimize compatibility problems and maximize security.

  • Selection of appropriate audit settings.

  • Inclusion of standard security templates for detailed customization of security policy.

  • Integration with Group Policy for Active Directory-based deployment of security policies.

  • Fully functional and scriptable command line interface for automated deployment to multiple servers across the network.

  • Rollback of policies for testing and troubleshooting purposes.

  • Declarative extensibility of role knowledge base to allow authoring of new roles.

When you run SCW you will be asked a series of questions to determine the functional requirements of your server. Any functionality that is not required based on your selections can be disabled automatically.

Who does this feature apply to?

SCW can be used with any system running Windows Server 2003 with Service Pack 1 and in any network configuration. It is installed as an optional Windows component (Add or Remove Programs, Windows Components). SCW will be of interest to:

  • Security professionals responsible for authoring corporate security policies.

  • Information technology (IT) professionals responsible for deploying, configuring, and managing servers.

  • Developers of server-based applications who want their applications to be managed with SCW.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Security Configuration Wizard

Detailed description

Security Configuration Wizard uses a roles-based metaphor driven by an extensible XML knowledge base that defines the services, ports, and other functional requirements for almost 200 different system roles, including roles for Windows Server System applications such as Microsoft ISA Server and SQL Server.

SCW uses this extensible XML knowledge base to perform role discovery, solicit user input, and author security policies that disable services, block ports, modify registry values, and configure audit settings. Even ports that are left open can be restricted to specific subnets or systems using Internet Protocol security (IPsec). SCW also allows you to roll back previously applied policy settings. It includes a command-line tool, scwcmd, that you use with administrative scripts and other administrative utilities to apply a security configuration and perform compliance analysis on groups of servers in your organization. SCW also integrates with Active Directory to support deployment of SCW-generated policy settings through Group Policy.

Summary of SCW security coverage

Security Configuration Wizard allows users to easily:

  • Disable unnecessary services.

  • Protect Internet Information Services (IIS).

Note

IIS policies cannot be deployed with Group Policy because Group Policy does not currently configure IIS. If a policy containing IIS settings is converted to a Group Policy object (for example, with scwcmd transform), the IIS settings are lost. Apply such policies to IIS servers directly, with the wizard or scwcmd configure.

  • Block unused ports, including support for multi-homed scenarios.

  • Secure ports that are left open using IPsec.

  • Reduce protocol exposure for Lightweight Directory Access Protocol (LDAP), LAN Manager, and server message block (SMB).

  • Configure audit settings with a high signal-to-noise ratio.

  • Import Windows security templates for coverage of settings that are not configured by the wizard.

Summary of SCW operational features

In addition to roles-based guided security policy authoring, SCW also supports:

  • Rollback. Enables you to return your server to the state it was in before you applied the SCW security policy.

  • Analysis. Enables you to check that servers are in compliance with expected policies.

  • Remote configuration and analysis support. All SCW functionality can be performed on both local and remote systems.

  • Command line support. A command-line tool is provided for scripting use.

  • Active Directory integration. Supports deploying SCW policies using Group Policy.

  • Editing. A security policy created using SCW can be modified when necessary, such as when machines are repurposed or when a system configured with a particular policy does not behave as expected.

  • Reports. Provides the ability to view the data stored in the knowledge base, policies, and analysis results XML files.
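The operational features above are all reached through the scwcmd command-line tool. The following cmd.exe script is an added example, not part of this documentation or of SCW itself; it drives scwcmd through the analyze, configure, rollback and Group Policy transform steps for a group of servers. The file names servers.txt and FileServerPolicy.xml, the results directory, the thread count and the GPO name are hypothetical; the scwanalysis.xsl path is the location where SCW installs its transform files.

```batch
@echo off
rem Added example, not part of the SCW documentation: a cmd.exe driver that runs
rem scwcmd against a group of servers. Usage:
rem     scwdeploy.cmd analyze | configure | rollback | transform
rem Assumed (hypothetical) inputs next to this script: servers.txt, one computer
rem name per line, and FileServerPolicy.xml, a policy saved from the SCW wizard.
rem scwcmd runs under the caller's credentials; add /u:<user> /pw:<password> to the
rem analyze, configure and rollback lines when remote servers need another account.
setlocal
set "POLICY=%~dp0FileServerPolicy.xml"
set "SERVERS=%~dp0servers.txt"
set "RESULTS=%~dp0results"
set "THREADS=4"
set "XSL=%windir%\security\msscw\TransformFiles\scwanalysis.xsl"

if not exist "%POLICY%"  (echo Policy file "%POLICY%" not found & exit /b 2)
if not exist "%SERVERS%" (echo Server list "%SERVERS%" not found & exit /b 2)

if /i "%~1"=="analyze"   goto analyze
if /i "%~1"=="configure" goto configure
if /i "%~1"=="rollback"  goto rollback
if /i "%~1"=="transform" goto transform
echo Usage: %~nx0 analyze ^| configure ^| rollback ^| transform
exit /b 2

:analyze
rem Compare each server's current settings with the policy without changing
rem anything. /t works on several servers in parallel; one <ComputerName>.xml
rem result per server is written to the results directory.
if not exist "%RESULTS%" mkdir "%RESULTS%"
scwcmd analyze /ml:"%SERVERS%" /p:"%POLICY%" /o:"%RESULTS%" /t:%THREADS%
if errorlevel 1 (echo Analysis reported errors & exit /b 1)
echo Review a result with: scwcmd view /x:"%RESULTS%\^<ComputerName^>.xml" /s:"%XSL%"
exit /b 0

:configure
rem Apply the policy to every listed server. Run analyze first. SCW records the
rem settings it changes so that the rollback step below can restore them.
scwcmd configure /ml:"%SERVERS%" /p:"%POLICY%" /t:%THREADS%
if errorlevel 1 (
    echo Configure reported errors. Check the affected server; run "%~nx0 rollback" to undo.
    exit /b 1
)
exit /b 0

:rollback
rem Return each listed server to the state saved before the most recently
rem applied SCW policy. Only that last application is undone.
scwcmd rollback /ml:"%SERVERS%" /t:%THREADS%
exit /b %errorlevel%

:transform
rem Create a Group Policy object in the current domain that carries the policy.
rem IIS settings do not survive this conversion (Group Policy does not configure
rem IIS), so IIS servers still need scwcmd configure or the wizard run directly.
scwcmd transform /p:"%POLICY%" /g:"SCW File Server Lockdown"
exit /b %errorlevel%
```

Run `scwdeploy.cmd analyze` against the list before and after `scwdeploy.cmd configure`: the second set of result files is the compliance evidence, and any server whose post-configuration result still shows mismatches is a candidate for editing the policy rather than for a second apply.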

Why is this change important?

Attack surface reduction is a fundamental security best practice, yet server administrators often lack the time to properly secure, test, and deploy a Windows server without breaking required functionality, which leaves vulnerable servers within an organization.

Security configuration guides (such as the Windows Server 2003 Security Guide on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=14845) provide general settings that support a broad range of systems but do not provide an optimal security versus functionality tradeoff for a specific class of systems. SCW automates the lockdown of systems that provide specific functionality, and it is fully tested and supported by Microsoft. Reducing the attack surface of Windows servers can minimize the number of servers that need to be patched immediately when a vulnerability is discovered, because a given vulnerability is not necessarily present or exploitable in all configurations; a service that SCW has disabled cannot be reached by an attacker. The patch should still be applied in the normal cycle, since the service remains installed and can be re-enabled.

What works differently?

Today, Windows administrators typically define security policies using the Security Configuration Editor on their own, in conjunction with documented guidance, or with existing security templates designed for specific scenarios. In contrast, Security Configuration Wizard is an authoring tool that allows you to create a custom security policy by answering a series of questions. For settings that are not configured by the wizard, SCW allows the administrator to import existing security templates.

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

No, but SCW is extensible so that developers can create their own SCW role definitions for their applications and register them into the knowledge base with scwcmd register. A whitepaper about how to extend the SCW knowledge base will be available when Windows Server 2003 Service Pack 1 is released.

What do I need to change in my environment to deploy Windows Server 2003 Service Pack 1?

Nothing; however, SCW can be used during the deployment process to ensure that servers are deployed with the expected security policy.

If unattended setup is used to deploy servers, consider the following:

  • Install the SCW optional component automatically during unattended setup by adding the following entry to the [Components] section of unattend.txt: SCW = On.

  • To apply an SCW policy during the unattended installation, also carry out the following steps:

    • Create the policy file on a server that already has SCW installed.

    • Either create a Cmdlines.txt file or modify the existing one so that it has a [Commands] section containing the following line (each command in Cmdlines.txt is enclosed in quotation marks): "scwcmd configure /p:SCWPolicy.xml"

    • Copy the Cmdlines.txt file and the previously created policy file (SCWPolicy.xml in this case) to the $OEM$ directory.

  • If an imaging solution is used to deploy servers, apply the SCW policy to the reference machine before the image is created.
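The unattended-setup steps above, laid out as the files they produce. This is an added example, not part of this documentation; the distribution share layout and the policy file name SCWPolicy.xml are assumed. The OemPreinstall entry is included because Setup copies and processes the $OEM$ directory only when it is set to Yes.

```ini
; Added example, not from the SCW documentation. Assumed distribution share layout:
;   \i386\unattend.txt          answer file with the SCW component enabled
;   \i386\$OEM$\Cmdlines.txt    commands run at the end of GUI-mode Setup
;   \i386\$OEM$\SCWPolicy.xml   policy created on a server that already has SCW

; --- unattend.txt (relevant sections only) ---
[Unattended]
; Required so that Setup copies and processes the $OEM$ directory.
OemPreinstall = Yes

[Components]
; Installs the Security Configuration Wizard optional component.
SCW = On

; --- $OEM$\Cmdlines.txt ---
; Each command is enclosed in quotation marks. Commands run from the $OEM$
; directory, so the relative path to the policy file resolves. Setup is still
; running at this point, so the policy must be local; no network share is used.
[Commands]
"scwcmd configure /p:SCWPolicy.xml"
```

After the first deployment, run scwcmd analyze against the new server with the same SCWPolicy.xml to confirm that the policy was applied during Setup rather than assuming it from the absence of errors.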

For additional information on Security Configuration Wizard go to the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=45503.