Server Security Policy Management in Windows Server 2008
Updated: May 1, 2008
Applies To: Windows Server 2008
In Windows Server 2008, there are many tools that you can use to help keep your computers secure. This discussion focuses on three tools that you can use alone or together to manage the security policies on your servers:
Security Configuration Wizard (SCW) and the Scwcmd command-line tool
Security Templates snap-in
Security Configuration and Analysis snap-in
While these tools are not new, the ways in which you use them are.
Additional technologies and tools for securing your network and computers, such as Network Access Protection (NAP), Active Directory Domain Services (AD DS), and Group Policy, are not included in this overview.
Server security policy management means keeping security settings up to date as your various server configurations change over time. Securing your servers through policy management includes:
Analyzing server security settings to ensure the policy applied to a server is appropriate for the server role.
Updating a server policy when the server configuration is modified.
Creating a policy for a new application or server role not included in Server Manager.
Using security policy management tools to apply server security policy settings that are unique to your environment.
In Windows Server 2008, servers are designed to be secure by default. This means that when you install roles, role services, and features through Server Manager, security settings for that particular server's configuration are automatically configured. However, you cannot use Server Manager to make custom security setting changes. Instead, security policy management tools can be used for this purpose. For example, if you need to modify settings for a particular server role, you can use SCW to easily edit the provided firewall rules for more restrictive controls or access. You may need to install a role or feature not available in Server Manager, or you may want to easily deploy policy changes to many computers. You can accomplish these and other security policy management tasks with these tools.
The tools that you use to help keep your servers secure will depend on the size of your organization, your security requirements, and the frequency with which you modify your server configurations.
Securing servers with SCW
SCW functionality in Windows Server 2008 is very similar to the version of this wizard included in Windows Server 2003 Service Pack 1 (SP1). You can still use SCW to create and apply server security policy, but in most cases you do not need to use SCW to secure your servers at installation.
After initial server role installation, use SCW to help keep your servers secure by checking for vulnerabilities as server configurations change over time and making updates to policy settings as required. Use SCW to create and apply server security policies when you:
Modify the configuration of a default component on a Windows Server 2008 computer.
When you change the configuration of a component that was not installed through Server Manager, you need to use SCW to update the server's security policy.
Create and apply policy for server roles that were not installed through Server Manager, such as SQL Server or Exchange Server.
SCW includes many server roles and features that cannot be installed with Server Manager.
Define new roles for non-Microsoft applications, and create and apply policy for those roles.
SCW has a public schema for organizations to use to create new roles. Run SCW whenever a non-Microsoft application is added or removed.
In small-sized and medium-sized organizations, you can use the default settings in SCW to quickly and easily create a policy to help secure a server based on its role and ensure that security settings are up to date. You can also incorporate custom security templates you create with the Security Templates snap-in into an SCW policy. This allows you to include settings in addition to those set by SCW. You can then apply the SCW policy to the local computer by using the wizard or apply it to many computers by using Group Policy.
For information about using SCW, see Security Configuration Wizard.
Creating custom policies by using security templates
When you configure Windows Server 2008, polices that meet the security requirements of most organizations are automatically put into place. However, in some organizations it may be necessary to further restrict some privileges or local policies for your network. When this is the case, you can use the Security Templates snap-in to create a custom security policy.
In Windows Server 2008, there are no predefined security templates.
With the Security Templates snap-in, you can create a security policy for a computer or for your network. Security templates can be used to define policy settings for the following security areas:
Account policies: Password policy, account lockout policy, and Kerberos policy
Local policies: Audit policy, user rights assignment, and security options
Event log: Application, system, and security event log settings
Restricted groups: Membership of security-sensitive groups
System services: Startup and permissions for system services
Registry: Permissions for registry keys
File system: Permissions for folders and files
After you have created the custom policy, in the form of a template, you can apply it in a variety of ways, including the following:
Import the template into a role-based SCW policy and apply it to one or many computers.
Import the template into a Group Policy object (GPO) and apply it to many computers through Group Policy.
Apply the template to the local computer by using the Security Configuration and Analysis snap-in.
For information about using the Security Templates snap-in, see Analyze and configure security.
To learn how you can mitigate threats to server (as well as client) computers, see the Threats and Countermeasures guide (http://go.microsoft.com/fwlink/?LinkId=106667). This guide includes all security settings that provide countermeasures for specific threats against Windows operating systems.
Applying security policies by using Group Policy objects
As in Windows Server 2003, you can apply security templates created with the Security Templates snap-in or policies created with SCW to multiple computers by importing a template or policy into a GPO. After the GPO is created, you can link the GPO to a target organizational unit (OU) by using the Group Policy Management Console (GPMC). For information about using GPMC, see Group Policy Management Console (http://go.microsoft.com/fwlink/?LinkId=105933).
For information about applying security policies by using GPOs in Windows Server 2008, see the Windows Server 2008 Security Guide (http://go.microsoft.com/fwlink/?LinkId=105788).
Analyzing server security
You can also use the server security policy management tools to analyze the security settings on local or remote computers. Regular analysis enables you to ensure an adequate level of security on each computer as part of an enterprise risk management program. You can modify the security levels and, most importantly, detect any security flaws that may occur in the system over time.
You can analyze security policy settings by using the Security Configuration and Analysis snap-in or SCW.
Security configuration and analysis
How you use the Security Configuration and Analysis snap-in has not changed in Windows Server 2008. You can still use this snap-in to analyze and configure local computer security. You use the snap-in to compare the local computer policy to an analysis database and determine if any discrepancies exist between the desired settings in the database and the local policy. You use an existing database, or import one or more templates created with the Security Templates snap-in, to create a new database with updated settings. The analysis presents recommendations with current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. You can resolve any discrepancies that an analysis reveals and directly configure local system security by using the template or templates that you imported.
For information about using the Security and Configuration Analysis snap-in, see Analyze and configure security.
To analyze multiple remote computers, you can use SCW.
Security Configuration Wizard
You can use the Scwcmd command-line tool to analyze the security policy settings for a local computer or multiple remote computers. You can compare a server's current security settings with the most up-to-date settings for that server's configuration. You use scwcmd analyze to determine whether a computer is in compliance with a specified policy that was created by using the wizard. To analyze multiple computers, you specify a policy file to use in the analysis and a list of the computers to be analyzed. You then view the results of the analysis by using the scwcmd view command.