7/28/2019 Secure Configuratuion Manager

1/5

Security

Using Security Coniguration Wizardon Windows Server 2008

Jesper M Johansson

Back in 2005, Microsot shipped Windows

Server 2003 SP1. That service pack

introduced the frst roles-based security

management tool or Windows: the

Security Confguration Wizard (SCW).

Microsot designed SCW to be an attack

surace reduction tool frst and oremost.

Its purpose was to analyse what you were

actually doing with your computer

and automatically confgure it to sup-

port those roles you needed, while dis-

abling roles and services that were not

being used.

Windows Server 2008 retains SCW,

which has been updated with new

roles and integration with the new

Windows Firewall. However, it re-

mains as advanced an administration

tool as it ever was.

Windows Server 2008 also includes

the new roles-based Server Manager

tool and its kin, the Add Roles and Add

Features Wizards. In Windows Serv-

er 2008, rather than adding individu-

al components through the old-styleAdd/Remove Windows Components

control panel, you now use the roles

management tools to confgure your

server. Byron Hynes covers these tools

in the article Confguring roles with

Server Manager, also in this issue o

TechNet Magazine.

The Add Roles and Add Features

Wizards are designed to confg-

ure your server with the right com-

ponents to support the roles youve

chosen. These also confgure the built-

in frewall to ensure these roles unc-

tion correctly. Given this, you may

be wondering whether there is still

any need or SCW. Granted, there

are many administrators that will no

longer have a need or SCW. Howev-

er, there are two groups o people or

whom SCW can be an invaluable tool.

The frst is the paranoid security olks.

These are people who appreciate how

SCW takes security to the next level.

You can think o the Add Roles and

Add Features Wizards as the tools that

take a deault server and confgure it to

securely support the roles and eatures

you want. SCW, on the other hand, isthe tool that confgures your server to

support only the roles and eatures you

want. SCW also has a pedagogical e-

ect in that it helps you understand

more about how the server is confg-

ured. Thereore, I highly recommend

that you run SCW ater the server has

been confgured with its complement

o roles and eatures.

The second group consists o those

users who want to understand the

relationships between the various

components. SCW comes with a set

o XML fles that document the rela-

tionships between roles and eatures,

services and network ports. I you are

interested in understanding what vari-

ous components need, SCW is a very

valuable tool.

In this column, I will describe how

SCW works and how you would use it

to protect your server. And I will pro-

vide a comparison between SCW and

the Server Manager tools. Note that this

column is adapted rom my book, Win-

dows Server 2008 Security Resource Kit

(Microsot Press, 2008).

Overview o the Security

Confguration Wizard

To set the stage, I want to present some

statistics about the attack surace on

Windows Server 2008. Beore you con-fgure a server by adding your person-

al selection o roles and eatures, it still

has a relatively signifcant ootprint o

services. By deault, Windows Server

2008 has 105 services 42 o which are

set to auto start, 55 are set to manual

and 8 are disabled. Contrast that with

a clean installation o Windows Server

2003 R2 SP2, which has 86 services in-

stalled by deault 34 o these are set

to start automatically, 32 are set to de-mand start and 20 are disabled.

Even with the roles metaphor and

the reduction in deault roles support-

ed, Windows Server 2008 still has a larg-

er ootprint and requires that you take

additional care when hardening your

servers. SCW will walk you through

This column is based on a prerelease

version of Windows Server 2008. All

information herein is subject to change.

60 To get your FREE copy of TechNet Magazine subscribe at: www.microsot.com/uk/technetmagazine

7/28/2019 Secure Configuratuion Manager

2/5

creating a custom security confgura-

tion or your particular servers.

SCW takes a completely dierent

approach to server hardening than

existing tools. It works with a roles

metaphor to confgure the system to

support those roles and little, i any-

thing, else. While SCW helps confg-ure the frewall, as the Add Roles and

Add Features Wizards do, SCW also

disables unnecessary services and con-

fgures some additional security set-

tings. Finally, while the Add Roles and

Add Features Wizards are only able

to install and confgure roles that are

built into Windows, SCW is extensi-

ble. A developer or an administrator

can write a custom role or eature con-

fguration fle and use SCW to confg-ure any product.

SCW is designed to be used ater you

have installed all the roles and eatures

the server is supposed to have. I you

also have third-party applications on

your server, you should install those,

too, beore you run SCW.

To demonstrate how this works, I

have confgured a server with three

roles (Application Server, DNS Server

and Web Server) and two eatures (Mi-

crosot .NET Framework 3.0 Features

and Windows Process Activation Ser-

vice). This is not a particularly logical

set o roles and eatures, but it serves as

a good example or this discussion.

To start SCW, run it rom the Admin-

istrative Tools menu. You will see the

dialog shown in Figure 1.

The frst step is to choose whether

you want to create a new security pol-

icy, edit or apply an existing policy, or

roll back a policy so the system will re-turn to the original settings. The choic-

es are relatively sel-explanatory.

When you choose to create a new

security policy, SCW creates a new

policy using some computer as the

template or what the policy must

support. It analyses the computer and

determines what eatures and roles it

supports, ensuring that those work but

also that many unnecessary eatures

are not enabled.

SCW works on a prototype model.

It uses XML fles to speciy what theroles and eatures look like in terms o

which fles are installed, which services

are confgured, and so on. This is why

you need everything installed on the

computer that you are developing the

policy against. I you have third-party

programs that install SCW defnitions

when they install, those will integrate

seamlessly. However, i your third-par-

ty programs do not install SCW de-

initions, you will need to confgure

them manually.

You can create a policy on one sys-

tem and then apply it to many systems.

I you are building out a network with

many systems, you should frst defne

host classes that are all confgured sep-

arately. Then you can create a policy

using one o them as a prototype and

easily apply the policy to all the others

with little or no modifcations.

When you click Next (in the dialog

shown in Figure 1), the wizard askswhich computer you want to use as

the baseline, or prototype, or this new

policy. You would typically choose the

local computer, but you also have the

option to use a remote computer as

the prototype.

Ater speciying which system to

use, you enter the analysis phase. Here,

SCW enumerates which roles and ea-

tures you have installed and matches

those up against the database o roles

and eatures. The database contains

inormation regarding which services

are used by each role and eature, what

network ports they need, and other

important confguration inormation.

Ater the analysis is complete, you can

click View Confguration Database to

see what the Security Confguration

Wizard has ound. Note that this is a

read-only view that presents compre-

hensive inormation about the confg-

uration o the computer. In act, i youare truly interested in understanding

what is on your computer, you can

spend a signifcant amount o time

studying this inormation.

Confguring your server with SCW

When you click Next, you enter the

frst o our sections in SCW: Role-

Based Service Confguration. You

might notice that the roles you fnd in

SCW, as shown in Figure 2, are not the

Figure 1 SCWbegins by askingwhat you wantto do

SCW disables

unnecessary

services and

confgures some

additional security

settingsTechNet Magazine March 2008 61

7/28/2019 Secure Configuratuion Manager

3/5

same set that you fnd in the Add Roles

Wizard. Most o the roles available in

the Add Roles Wizard are also present

here, and SCW also oers some that

are not included in the Add Roles Wiz-

ard. For example, the Application Ser-

ver role that I selected is not present.

This is because SCW uses a slightly di-erent metaphor or roles. I will discuss

this in more detail shortly.

You will oten have the right set o

roles already selected in this dialog.

So just veriy that the analysis ound

what you think it should have ound.

I something is wrong, check whether

the role has been installed and install it

i it is missing beore you rerun SCW.

I you make a mistake, it is not the end

o the world. The rollback eature inSCW will bring you back to where

you started by undoing any changes

the policy has made.

The answers you give in this section

are very important because they deter-

mine what you will see later on in the

network section. Fortunately, the de-

tection logic is quite good and the cor-

rect set o roles is usually selected.

Note also that, by deault, you see

Installed Roles, which are the roles

that the server is capable o support-

ing with the bits laid down on the disk.

The selected roles are the ones that it

is currently supporting. You can also

elect to see all roles in the database. To

do this, just select All Roles rom the

dropdown list. This is useul primarily

when you have to build a policy using

a prototype server that does not yet

have all the roles it needs installed.

Ater roles confguration, you select

the client eatures you want to sup-port. The eature set is similar but not

identical to that in the Add Features

Wizard, and there are ewer eatures in

the set. Again, the metaphors are not

exactly the same and SCW can be ex-

tended, so what you will see is dier-

ent rom the Add Features Wizard.

When you click Next on the Cli-

ent Features page in SCW, you go to

the Select Administration and Other

Options dialog, as shown in Figure 3.

An Option in SCW is something that

does not neatly ft into either a role or

a eature. It may provide administra-

tive support or it may just be a single

service, such as the Interactive Servic-

es Detection. Again, most o the op-

tions you need should be selected here.

It is worth pointing out the dropdown

menu, too. This is populated with op-

tions relevant to the roles and eatures

you selected earlier, and it will be di-

erent on dierent computers.Next up is the Additional Services

dialog. Although SCW ships with a

very large database o services, not ev-

erything is described here. Those ser-

vices that SCW fnds on a computer

that are not present in the database

are shown on the Additional Services

page. All built-in services should be de-

scribed, and you should not see this di-

alog unless you have some third-party

service installed.

The wizard then lets you select what

to do with services that you are notconfguring. This option is meant or

when you plan to take the policy you

are creating and apply it to a dierent

computer. I that computer has dier-

ent services than the one you created

the policy on, SCW needs to know

what to do with them. One option is

to leave them alone, which is the de-

ault. The other option is to disable

them, which is more secure but may

break things. But i you ollow the ad-

vice o only applying policies to serv-

ers that are identical to the one you

created them on, your choice on this

page will be irrelevant.

Now you are fnished with the Roles

Confguration portion o SCW and

the wizard recaps what youve done.

As you can see in Figure 4, even i you

just click right through, you will signi-

icantly aect the attack surace o the

computer. For instance, because this

computer is not a Print Server, and ithas no printers installed, you have no

reason to run the Print Spooler ser-

vice. SCW disables all services that

are not necessary. On our test server,

SCW disables 17 services that were set

to automatic start and sets 42 manual

start services to disabled. Your results,

o course, will vary depending on how

your server is confgured, but you can

see that SCW lets you easily tailor a

policy specifc to your unique servers,

Figure 2Using SCWto select theroles you want

your server tosupport

The rollbackeature in SCW

will bring you

back to where

you started

TechNet Magazine March 2008 63

7/28/2019 Secure Configuratuion Manager

4/5

thereby drastically reducing their at-

tack surace.

You now move on to arguably the

most important section o SCW: net-

working. Ater the initial welcome

page, you see the Network Security

Rules dialog, which is shown in Figure

5. This contains a list o all the frewallrules SCW proposes, which are based

on the role support you selected in the

previous sections.

I no urther confguration is made

in the Network section, SCW will

build frewall rules that lock down the

network interaces so that only these

roles and eatures are supported but all

clients can access them. But to really

optimise security on your servers, you

should use SCW as an integral part in

building a Server Isolation strategy. To

learn more about server isolation (and

its close sibling, domain isolation), take

a look at technet.microsot.com/net-

work/bb545651.

In Windows Server 2008 Security Re-

source Kit, there is a chapter on se-

curing the network with server anddomain isolation. It also discusses how

you can use network threat modelling

to analyse your network to help ease

deployment o server isolation. SCW

is a valuable tool in this process.

You can confgure restrictions on

the proposed rules by selecting the

rule and clicking Edit. This takes you

to the dialog shown in Figure 6. This

is one o our pages that all let you put

urther restrictions on the networking

rules. For instance, you can require IP-

sec authentication. I you choose this,

you can also tie the port to only cer-

tain endpoints. For example, you can

confgure it so that you permit re-

mote administration only rom cer-

tain hosts. As you can see, this is a key

advantage over the Add Roles and AddFeatures Wizards.

This ability to build connection se-

curity rules based on the roles youve

selected serves two important purpos-

es. First, it provides a golden learning

opportunity to understand what your

servers are doing. You dont even need

to build out a server. You can just run

the wizard, make dierent selections

and see how they aect the options on

later pages. Second, it allows you to tiethe very abstract concept o a port to

a much more logical concept o a ser-

vice and confgure network restric-

tions based on exactly what the system

is actually doing.

Done right, this permits you to de-

velop a very tight confguration or

your servers. The Networking sec-

tion o SCW is undoubtedly the place

where you should be spending the ma-

jority o your time when building the

security policy or your servers.

The remainder o SCW allows you

to confgure auditing and a ew reg-

istry settings. The deault settings o

these parameters are adequate or most

organisations and, unless you have spe-

cial requirements, you should not need

to do much here.

Ater you create your policy, you

can save it and apply it to the comput-

er you are working on. Or you can ap-

ply it to other computers. You can alsotransorm your policy to a Group Poli-

cy Object (GPO) using the scwcmd.exe

/transorm command.

However, i you have computer-spe-

cifc settings in the policy, this may not

succeed or it may give very strange

results. For instance, i you create end-

point restrictions that include local

adaptors in the networking section,

the policy is deemed computer-speci-

ic and will not successully transorm.

Figure 4 SCWsummarises thechanges youvemade

Figure 3Selecting otherservices andeatures inSCW

64 To get your FREE copy of TechNet Magazine subscribe at: www.microsot.com/uk/technetmagazine

Security

7/28/2019 Secure Configuratuion Manager

5/5

This is because those adaptors must be

specifed using GUIDs. The GUID or

an adaptor on one computer is mean-

ingless on another computer.

Thereore, SCW is oten better used

on a server-by-server basis and as a

learning tool. For large server arms,

you can use SCW as a way to learnabout the computers and develop a ba-

sic policy. Then you can take that poli-

cy and recreate it to be rolled out using

whatever tool you use to confgure the

servers, such as Group Policy or an En-

terprise Management System (such as

Microsot Systems Center).

SCW vs Server Manager

One thing youve seen so ar is that the

metaphor used or roles and eaturesdiers. A eature in SCW is some-

thing the computer does to act as a cli-

ent. A role, meanwhile, is something

it does to act as a server.

This diers rom the metaphor used

in the Server Manager tools, where a

role is a collection o services and ea-

tures that can be thought o as a unit

and a eature is something that sup-

ports roles. In essence, Server Manag-er considers a role to be the thing you

bought the server to do. Features are

important, but not what you bought

the server or. The two metaphors and

the two dierent uses o the same

terms are bound to conuse people.

You will need to stop and think about

this careully beore you switch be-

tween the tools.

In addition, the Server Manager tools

are not extensible. They are designed to

manage only the components that ship

with Windows. By contrast, third-party

programs that you install can add roles

and eatures to SCW. You can even write

your own roles and eatures. The white

paper Extending the Security Confg-

uration Wizard (available at go.micro-

sot.com/wlink/?LinkId=107397)

explains how to do this.

SCW also disables components youdo not need. The Server Manager tools,

on the other hand, merely deploy com-

ponents that you ask or they do not

touch anything else on the computer.

I you need help determining which

components you may not need, SCW

is the tool to use.

Moreover, while both the Server

Manager tools and SCW will confgure

your network, SCW is ar more pow-

erul in this regard. I you are building

out a server isolation strategy, SCW

can be a gold mine o inormation and

your best riend or deployment. This

is obviously an advanced security ad-

ministration topic, but SCW is an ad-

vanced security tool.

Finally, SCW will also confgure

some additional security settings that

the Server Manager tools do not con-

fgure. However, those are largely su-perseded by more eective controls

or already set by deault on Win-

dows Server 2008.

Jesper M Johansson is a Security

Engineer working on software security

issues and is a contributing editor to

TechNet Magazine. He holds a PhD

in MIS and has more than 20 years of

experience in security.

When building a

server isolation

strategy, SCW can

be your best riend

or deployment

Figure 5 SCWlists all the rulesit determines

you need

Figure 6 SCWallows you tobuild frewalland IPsec rules

TechNet Magazine March 2008 65