Security Configuration Tools
In Windows NT 4.0 Service Pack 4, Microsoft first released the Security Configuration Editor (SCE). It was a revolutionary tool at its time, both because of its legendary user-unfriendliness and because it presented most security-relevant settings in one place. However, although the tool shipped with several "security templates" containing specific settings you could apply to a system, using at least one of those templates was likely to significantly impair the system's ability to function. Several third parties shortly published security guides describing their recommended settings, based mostly on the one template that would break everything. Testing of these guides on general purpose systems usually ranged from non-existent to poor, making them a prime call generator for Microsoft's product support services. There were exceptions, but these were guides designed for very specific environments, such as military systems, and were completely unsuited for virtually all general purpose systems, as well as for most military systems.
Several years ago, in an attempt to decrease the support costs associated with security configuration, as well as provide realistic and actionable guidance on hardening systems, Microsoft embarked on an effort to document security hardening of various products through security guides. The first of these guides was the Windows 2000 Security Hardening Guide (http://go.microsoft.com/fwlink/?LinkId=28591), followed shortly by the Windows Server 2003 Guide (http://go.microsoft.com/fwlink/?LinkId=14845), the Windows XP Guide (http://go.microsoft.com/fwlink/?LinkId=14840), their associated Threats and Countermeasures Guide (http://go.microsoft.com/fwlink/?LinkId=15159), and the Exchange Server 2003 Guide (http://go.microsoft.com/fwlink/?LinkId=25210). The purpose of the guides was to provide more information on security settings that can be configured in these products, as well as how to configure them to provide adequate protection for particular systems filling relatively generic roles. The guides have also been adopted as configuration standards by various organizations.
With Windows Server 2003 Service Pack 1, Microsoft released the Security Configuration Wizard (SCW). SCW is the first new security policy tool from Microsoft in six years. It is designed to assist in configuring security on a particular system, tailoring the security on that system to the specific needs of the organization. Although client systems generally need to be multipurpose systems and there consequently are few specific roles that apply to them, servers can, and in many cases should, be configured to very specific roles.
To assist with authoring security policies in such environments, SCW was designed for relatively advanced administrators who want to tailor the security of their servers to the specific roles those servers should perform. It can also be used by system architects to create new roles and new policies by combining roles. Finally, even relatively junior system administrators can use it to apply policies authored or tailored by others. Unlike SCE, SCW includes significant intelligence about the needs of a system performing a particular role and allows an analyst to walk through each option for reducing the attack surface of that role.
One way to look at how these two resources relate is to view security configuration as an organizational chart where items get more specific the further down the chart you move.
The base operating system provides a default level of security, but because systems can be deployed in different roles, security can, and should, be tailored to that role to achieve a lower attack surface. A default installation cannot account for these roles since the security settings in a default installation must allow for a greater range of use of the system. To that end, the guides, as well as SCW, provide security configuration for a wide range of roles, accounting for many, if not most, deployment scenarios for servers and clients.
The hardening guides include a relatively small set of roles. They also include settings for several levels of each role to tailor the role to a particular threat level in the environment. Those levels allow use of the guides in extremely hostile environments, such as military facilities, as well as in environments where interoperability with legacy systems is required, necessitating a decreased security posture. The guides should be used by administrators who need to configure security on more generic systems, by architects who simply want to learn more about the settings available on the operating systems and other products, and by administrators who are required to configure a system in accordance with an approved configuration based on the assurance level needed at their site. This latter category primarily applies to government agencies and facilities that are subject to regulatory requirements, such as those subject to HIPAA or Sarbanes-Oxley requirements.
The roles in the hardening guides are designed specifically to be deployed using Group Policy (GP). SCW does not produce GP configurations, but rather portable XML files. Those files cannot be directly used in a GP object (GPO). To use an SCW role in a GPO, it must be transformed into a GPO using the scwcmd transform command.
The decision of which of these tools to use depends on your objective. Although all options are supported, they serve different purposes:
- If you need to configure security on clients, use the guides. SCW does not support client security configuration.
- An administrator who wants to apply a relatively generic security configuration to a single server or a set of servers, to allow them to perform various roles at different times, should use the hardening guides. The "member server" and "standalone server" configurations are designed primarily for this purpose, although they will usually require that certain features be unlocked to work properly. They are essentially baseline policies that allow systems to function without providing specific services to users and clients.
- An architect who is designing generic security guidance for a specific environment should build upon either the configurations provided in the hardening guides or develop a new policy for use with SCW. The choice of route to take would depend primarily on personal preference.
- An advanced administrator or architect who is tailoring configurations for single- or multi-role servers in a specific environment may choose one of three options:
  - Develop a new role for SCW.
  - Use SCW to tailor a custom role based on one or more existing roles.
  - Develop a custom configuration based on the hardening guides, resulting in a new security template.
- An administrator, who needs to deploy a finished SCW policy on a single- or multi-role server, or set of identical servers, may use SCW to deploy this role.
- An administrator who needs to configure a single- or multi-role server for which neither the guides nor SCW has a tailored configuration should either use a generic role in the guides, or leave the system in a default configuration. Although the "member server baseline" and "standalone" roles in the guides are designed for generically described systems, it is likely that some function of the server will not operate properly after they are applied. Creation of a rollback template is highly encouraged in this situation. If a role exists in SCW that is close to the role performed by the system, the administrator may choose to customize and test this role for adequate functionality. SCW includes rollback functionality, making such testing simpler. Be extremely careful applying such a "near-match" role to a production system, however. Doing so is likely to result in an immediate need for an up-to-date resume.
- An administrator or architect who is interested in learning about a specific product, about security settings used with that product, and about the threats they mitigate, should refer to the guides.
SCW provides the ability to operate in conjunction with the security guides by importing a security template, such as those provided with the guides. This functionality, however, should be used with great caution. It is possible, even likely, that the settings made by SCW are overridden by the guides, and vice versa, with the result that the system will not perform the functions intended by either.
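The two mechanical steps the text relies on, converting an SCW policy into a GPO with `scwcmd transform` and keeping a way back before trying a "near-match" role or a guide template, can be scripted. The following PowerShell is an added example and is not code from the original text or from Microsoft; it assumes a server release that ships SCW (Windows Server 2003 SP1 through 2012 R2), an elevated prompt, and the hypothetical file names, service name and GPO name in the parameters. It deliberately keeps the SCW path and the guide-template path in separate functions rather than mixing the two on one system.

```powershell
# Added example: test an SCW policy on the local server with an automatic rollback,
# and only then turn it into a GPO; separately, capture a rollback template before
# a hardening-guide .inf is applied. All paths and names below are hypothetical.
param(
    [string]$ScwPolicy       = 'C:\SecPolicies\FilePrintServer.xml',     # hypothetical SCW policy
    [string]$GuideTemplate   = 'C:\SecPolicies\MemberServerBaseline.inf', # hypothetical guide template
    [string]$WorkDir         = 'C:\SecPolicies\work',
    [string]$RequiredService = 'Spooler',                                 # service the role must keep running
    [string]$GpoName         = 'SCW - File and Print Servers'             # hypothetical GPO display name
)

function Invoke-Checked {
    # Run an external command and stop on a non-zero exit code instead of continuing blindly.
    param([string]$Exe, [string[]]$Args)
    & $Exe @Args
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Args -join ' ') failed with exit code $LASTEXITCODE" }
}

function Test-ScwPolicy {
    # 1. Analyze only: scwcmd analyze writes a per-machine XML report to $WorkDir and
    #    changes nothing, so the report can be reviewed before anything is applied.
    Invoke-Checked 'scwcmd' @('analyze', "/p:$ScwPolicy", "/m:$env:COMPUTERNAME", "/o:$WorkDir")

    # 2. Apply the policy. SCW records the previous state itself; 'scwcmd rollback' restores it.
    Invoke-Checked 'scwcmd' @('configure', "/p:$ScwPolicy", "/m:$env:COMPUTERNAME")

    # 3. Probe the function the role exists to provide. If it is gone, roll back immediately
    #    rather than leaving a broken production server in the hardened state.
    $svc = Get-Service -Name $RequiredService -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        Write-Warning "$RequiredService is not running after applying $ScwPolicy; rolling back"
        Invoke-Checked 'scwcmd' @('rollback', "/m:$env:COMPUTERNAME")
        return $false
    }

    # 4. Only a policy that survived the probe is worth turning into a GPO. The resulting GPO is
    #    created unlinked, so it still has to be linked to an OU (and tested again) by hand.
    Invoke-Checked 'scwcmd' @('transform', "/p:$ScwPolicy", "/g:$GpoName")
    return $true
}

function New-GuideRollbackTemplate {
    # Before a hardening-guide template is applied with secedit, generate a rollback .inf that
    # records the current value of every setting the template would change. Applying the
    # rollback .inf later (secedit /configure /cfg rollback.inf) undoes the template.
    $db  = Join-Path $WorkDir 'guide.sdb'
    $rbk = Join-Path $WorkDir 'rollback.inf'
    Invoke-Checked 'secedit' @('/generaterollback', "/db", $db, "/cfg", $GuideTemplate, "/rbk", $rbk, '/quiet')
    return $rbk
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
if (Test-ScwPolicy) { "SCW policy applied and transformed into GPO '$GpoName'" }
"Rollback template for the guide written to $(New-GuideRollbackTemplate)"
```

The service probe is the weak point of any such script: it checks only that a service is still running, not that clients can reach it, so a real test should exercise the role from a client before the policy is promoted to a GPO or applied to a set of servers.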