Security Policies Step-by-Step Guide: Creating and Deploying Role-Based Policies
Applies To: Windows Server 2008
In the Windows Server® 2008 operating system, you can use the Security Configuration Wizard (SCW) to reduce the attack surface of your servers by modifying security settings for roles, role services, and features. Use SCW to help maintain a secure server configuration after initial role installation with Server Manager.
About This Guide
This guide provides step-by-step procedures for using SCW to create and apply a security policy to a prototype server in a test environment.
Safe use of any technology that affects the settings, configuration, or behavior of multiple computers requires planning before deployment. Safe use of SCW includes testing tools and policies prior to applying policies in a production environment.
Perform the steps in this guide—the test scenario—by using a prototype server that represents server configurations in your production environment. When you have verified that the SCW policy you created and applied in this test scenario provides the security you need for your prototype server, you can apply the policy or policies you have created in the test environment to servers in your production environment.
As you proceed through the scenario, you will perform the following tasks:
Create a single security policy that contains all the desired security settings for a server based on the server's roles by using SCW.
Apply the security policy to a target computer by using SCW and the Scwcmd command-line tool.
View and analyze the security policy by using the Scwcmd command-line tool.
Save a security policy in Group Policy object (GPO) format by using the Scwcmd command-line tool.
In the context of SCW, "policy prototyping" means creating a security policy on a prototype computer for a group of servers with the same role or roles. The prototype computer is a model server whose configuration is representative of every computer in the group.
There are three primary components you will use to create and apply your security policy:
Scwcmd command-line tool
Security Configuration Database
SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the server roles configured with Server Manager. The security policies that are created with SCW are XML files that, when applied, configure services, network security, specific registry values, and audit policy.
In this scenario, you will use SCW to create a policy and apply it to the prototype server.
Scwcmd Command-Line Tool
SCW includes the Scwcmd.exe command-line tool. You can use Scwcmd for the following tasks:
Configure one or many servers with an SCW-generated policy.
Analyze one or many servers against an SCW-generated policy.
View analysis results in HTML format.
Roll back SCW policies.
Transform an SCW-generated policy into files that are supported by Group Policy.
Register a Security Configuration Database extension with SCW.
You can use Scwcmd to configure, analyze, or roll back a policy on a remote server running Windows Server 2008.
In this scenario, you will use Scwcmd to:
Apply a security policy to one or more remote servers.
Analyze and view the security policy for a server.
Save a policy in GPO format.
Security Configuration Database
The Security Configuration Database consists of a set of XML documents that list services and ports that are required for each server role that is supported by SCW. These files are installed in %Systemroot%\Security\Msscw\Kbs. After you select a server, the server is scanned to determine the following:
Roles that are installed on the server
Roles that are likely being performed by the server
Services that are installed but not part of the Security Configuration Database
IP addresses and subnets that are configured for the server
SCW combines this server-specific information into a single XML file named Main.xml. SCW displays Main.xml if you click View Security Configuration Database on the Processing Security Configuration Database page.
You can extend the Security Configuration Database by creating custom role definitions for non-Microsoft applications. SCW includes a number of extensions in the %Systemroot%\Security\Msscw\Kbs directory that can be used to build new extensions (role definitions).
This section briefly describes other technologies associated with creating and applying security policies with SCW. When you create a security policy with SCW, you have different options for applying that policy. This section reviews these options and how they affect the precedence rules applied to security settings.
Applying Polices in an Active Directory Environment
For remote administration, you can use Active Directory® Domain Services (AD DS) organizational units (OUs) to easily apply SCW policy to servers with GPOs. Once you create a prototype policy for a server with SCW, you can convert it into a GPO by using the Scwcmd command-line tool, and then you only need to link the GPO to one or more OUs.
Group Policy Management Console
The Group Policy Management Console (GPMC) is integrated into the Windows Server 2008 operating system. You use the GPMC to link GPOs to OUs. Linking is the mechanism by which GPOs are applied to the users and computers within the OUs.
For information about using the GPMC to manage Group Policy across the enterprise, see Group Policy Management Console (http://go.microsoft.com/fwlink/?LinkId=105933).
In addition to using SCW to create security policies, you can also use SCW to apply security settings with security templates. Security templates are .inf files located by default in %Systemroot%\security\templates. You can view the security template settings in the GPMC in the following location: GPO_Name\Computer Configuration\Windows Settings\Security Settings.
Some security setting changes can be made by using either SCW or the Security Templates snap-in, some can be made only by using SCW, and others can be made only by using the Security Templates snap-in. For example, SCW includes firewall settings that are not included in any security template. Conversely, security templates can include such items as software restriction policies, which cannot be configured by using SCW. Some configuration changes, such as audit policies, can be set by using SCW, or by attaching a security template when creating or editing an SCW policy, or by using both methods. If you use both methods, however, conflicting policy settings are resolved by using precedence rules.
For more information about using Security Templates, see Security Templates How To (http://go.microsoft.com/fwlink/?LinkId=106530).
In an Active Directory environment that uses Group Policy, SCW, and multiple security templates, use the following guidelines to anticipate the precedence of security settings:
Security policy applied through GPOs has higher precedence than security policy applied remotely through SCW or the Scwcmd command-line tool by using a policy file (.xml files).
How each GPO was created (by using Scwcmd or not) does not affect the precedence among GPOs. Only the standard Active Directory inheritance rules (in which local, site, domain, and OU GPOs are applied in succession) and link order determine precedence for GPOs.
Security policy set in SCW has higher precedence than conflicting policy set in .inf security templates that are attached to the .xml policy file.
If multiple security templates are attached to the .xml file, a template that is listed higher in the Include Security Templates dialog box in SCW has precedence over a template that appears lower in the list.
With Windows Server 2008, server roles are configured with recommended security settings by default, and the settings are applied as soon as you install the role. When configuring a role, Server Manager automatically installs all required services and features, and automatically configures any firewall rules that are required to support the new role. Similarly, when you use Server Manager to remove any specific role, the server's services and firewall configuration are modified to help ensure that the server's configuration remains secure and that the operation of other server roles is not affected. However, you cannot customize security settings by using Server Manager.
Server Manager and SCW are complementary tools. The focus of Server Manager is to ease the deployment of servers, whereas SCW is a tool for long-term maintenance of security settings. SCW enables detailed control over a server's attack surface and helps you secure a server against attacks based on the security needs of your organization.
Windows Firewall with Advanced Security
SCW is integrated with Windows Firewall with Advanced Security in Windows Server 2008. SCW configures Windows Firewall with Advanced Security to permit inbound network traffic to important ports that the operating system requires as well as listening applications. If additional firewall rules (or firewall exceptions) are required, you can use the wizard to create them. This capability simplifies the management of network hardening. You also can use SCW to simplify the configuration of network filters for services that use remote procedure call (RPC) and dynamic ports.
If you configure settings in the Network Security section of SCW, unneeded firewall rules are removed.
For more information about Windows Firewall with Advanced Security, see Windows Firewall (http://go.microsoft.com/fwlink/?LinkID=98308).
Best Practices for Creating and Applying Security Policies
SCW helps to reduce the attack surface of servers by creating a security policy that is designed for their specific roles. Administrators can simplify policy creation and distribution by identifying groups of servers that perform the same, or similar, tasks before creating security policies. To help you accomplish these goals, review the following best practices before you begin the scenario.
Model your prototype server after the target servers to be configured at the service level. The prototype server from which the security policy will be created should have the same service level as the target servers. The security policy disables any service on the server that is contained in the Security Configuration Database but was not present on the prototype server when the policy was created. For example, if the DCOM Server Process Launcher service is listed in the Security Configuration Database but is not present on the prototype server, the security policy created from the prototype server will set the DCOM Server Process Launcher state to disabled. When you apply the security policy to other servers, the DCOM Server Process Launcher service will be disabled on those servers.
Group servers performing the same functions in one OU. To simplify policy distribution, group servers that perform the same functions and have the same configuration into a single OU. A new or modified security policy targeted at all the servers in the OU can be saved in a GPO format that will make it easy to distribute by using Group Policy.
Create one policy for a group of servers. SCW configures a security policy based on the roles and functions performed by a server. Other servers that perform the same, or very similar, functions can be configured with the same security policy. You can use SCW to create a security policy once, save it, and apply it to all servers that perform the same role or set of roles. A single security policy that contains all desired security settings for a specific type of server also simplifies configuration, rollback, and analysis.
Create different policies for different software editions. For services or ports specific to 64-bit version software, create the policies on a 64-bit computer. Then apply these policies to other 64-bit computers only (not 32-bit computers) to ensure the services are properly identified and configured.
Test new security policies offline before deployment. The settings configured in the new security policies may cause compatibility issues with applications or services. Therefore, thoroughly test new security policies before applying the policies to production servers.
Requirements for This Scenario
All components of SCW are automatically installed with Windows Server 2008, and you can access SCW in Server Manager or Administrative Tools. Servers to which you will apply the prototype security policy must also be running Windows Server 2008.
SCW cannot be used with client operating systems or Windows Small Business Server.
The following are considerations for using SCW:
SCW disables unnecessary services and provides Windows Firewall with Advanced Security support.
Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file.
You can deploy security policies that you create with SCW by using Group Policy.
SCW does not install or uninstall the components necessary for the server to perform a role. You can install role-specific components through Server Manager.
SCW enables those services that are necessary for the server, based on the roles that you select on the Select Server Roles page.
Unnecessary services are disabled, and if you configure settings in the Network Security section of SCW, unneeded firewall rules are removed.
To begin this scenario you need:
One prototype server with Windows Server 2008 installed to create your security policy and one or more additional Windows Server 2008–based servers to apply your policy to.
The servers to which you will apply the security policy configured the same way as your prototype server.
The configuration of the target computers must match the configuration of the prototype server. SCW policies created on a Windows Server 2008–based computer are not compatible with SCW policies created on a Windows Server 2003–based computer. If the operating systems or roles differ, settings can be improperly configured, necessary roles or services can be disabled, or other problems can occur.
- An Active Directory server OU structure where servers in an OU have the same configuration, including the operating system, roles and features, and applications to represent your production environment.
Steps for Creating and Applying a Role-Based Security Policy
You can use these steps to create one or more prototype policies based on the different types of servers you have in your production environment.
In this scenario, you will be creating a security policy based on the existing configuration of a prototype server that represents a server in your production environment.
Step 1: Create the Prototype Security Policy
This procedure steps you through a simple policy creation, where you will not be making changes to the default selections.
To create and apply a security policy based on a prototype server
Click Start, point to Administrative Tools, and click Security Configuration Wizard.
Read the Welcome page, and click Next.
On the Configuration Action page, click Create a new security policy, and click Next.
On the Select Server page, type the name of the prototype server, and then click Next.
The local computer is selected by default.
On the Processing Security Configuration Database page, click Next when processing is complete.
At this point, the Security Configuration Database is configured based on the server roles.
On the Role-Based Service Configuration page, click Next.
On the Select Server Roles page, ensure that the wizard has detected and selected all of the installed server roles on your prototype server, and then click Next.
On the Select Client Features page, ensure that the wizard has detected and selected all of the installed features on your prototype server, and then click Next.
On the Select Administration and Other Options page, ensure that the wizard has detected and selected all of the installed options on your prototype server, and then click Next.
On the Select Additional Services page, ensure that the wizard has detected and selected all of the required services on your prototype server, and then click Next.
If you have configured your prototype server with all required roles and installed any additional required software such as backup agents or antivirus software, you should not need to modify any of the previous Role-based Service Configuration pages.
- On the Handling Unspecified Services page, click Next.
Unspecified services are services that do not appear in the Security Configuration Database and are not currently installed on the selected server but might be installed on other servers to which you want to apply the security policy. They might also be installed on the selected server in the future. Any unknown service will appear in SCW on the Unspecified Services page.
On the Confirm Service Changes page, review the service mode changes that SCW will include in the resulting security policy, and then click Next.
On the Network Security page, click Next.
On the Network Security Rules page, ensure that SCW has detected the appropriate ports and applications it will use to configure Windows Firewall with Advanced Security, and then click Next.
On the Registry Settings page, select the Skip this section check box, and click Next.
On the Audit Policy page, select the Skip this section check box, and click Next.
Registry settings and audit policy are optional selections that you will not configure in this scenario.
On the Save Security Policy page, click Next.
On the Security Policy File Name page, type a name for the prototype policy, and then click Next.
Do not use the name of the prototype computer because Scwcmd uses computername.xml to save analysis results, and the policy you create should not have the same name.
By default, the XML-based policy files are saved to the Security\msscw\policies folder under the server's installation folder (typically this is located at C:\Windows). However, SCW allows you to specify any location.
On the Apply Security Policy page, click Apply later, and click Next.
On the Completing the Security Configuration Wizard page, click Finish.
At this point, you have created and saved the policy, but it has not yet been applied to a computer.
Step 2: Apply the Security Policy to a Server
For this step, you will first apply the policy to the local computer by using the wizard. In the second part of this step, you use Scwcmd to apply the policy to one or more remote computers.
To apply the security policy to a server by using the wizard
Click Start, point to Administrative Tools, and click Security Configuration Wizard.
On the Welcome page, click Next.
On the Configuration Action page, click Apply an existing security policy, and click Next.
If more than one policy has been created, click Browse, and then double-click the name of the policy.
On the Select Server page, type the name of the server to which the policy will be applied, and then click Next.
On the Apply Security Policy page, click Next.
You can click View Security Policy to verify all the policy settings first.
On the Applying Security Policy page, wait for processing to finish, and then click Next.
On the Completing the Security Configuration Wizard page, click Finish.
To apply a security policy to multiple computers by using the Scwcmd command-line tool
At a command prompt, type:
scwcmd configure i:MachineList.xml
MachineList.xml includes the list of computers and corresponding policies to apply. A sample file is located at %windir%\Security\SampleMachineList.xml.
You can type scwcmd configure at the command prompt to learn about the parameters.
Step 3: Analyze and View the Security Policy for a Server
You can view the settings for an SCW security policy applied to a server by using the Scwcmd command-line tool. To do this, you first need to analyze the server settings.
To analyze and then view the security policy by using the Scwcmd command-line tool
At the command prompt, type:
scwcmd analyze /m:Machine /p:Policy.xml /o:Resultdir
Replace Machine with the name of the computer to analyze, replace Policy.xml with the file name of the security policy that should be used to perform the analysis, and replace Resultdir with the location for the analysis results file.
When analysis is complete, type:
scwcmd view /x:xmlfile.xml /s:scwanalysis.xsl
Replace xmlfile.xml with the analysis results file that was created in the previous step. Scwanalysis.xsl is a file installed with SCW that formats the analysis results for display. Both files must be in the same directory.
Step 4: Save a Security Policy in GPO Format
Use this procedure when you want to use Group Policy to apply SCW security policies to multiple servers in an Active Directory environment. This procedure saves the policy in GPO format.
An SCW security policy applied through Group Policy cannot be rolled back.
To save an SCW security policy in GPO format
At the command prompt, type:
scwcmd transform /p:Policy.xml /g:GPOName
Policy.xml is the policy you created earlier with SCW. GPOName is the name that the GPO will display when you view it in the Local Group Policy Editor or in the GPMC.
When the scwcmd transform command has completed, the GPO will have been created in AD DS, but the policy it contains will not be applied until the GPO is linked to a site, domain, or OU. For instructions about linking GPOs, see Group Policy Management Console (http://go.microsoft.com/fwlink/?LinkId=105933).