Windows Server 2003 Security Policy Toolbox


To ensure policies are adhered to, organizations must enforce their security policies. In addition to the preceding general technology controls, Windows Server 2003 has integrated many different tools to enforce security policies throughout an organization's Windows-based systems.

Certificate Services

Windows Server 2003 has the capability to act as a certificate authority (CA). This service in Windows is called the certificate services and is available on Windows Server 2003 Standard Edition, Enterprise Edition, and Datacenter Edition.

Note

Windows Server 2003 Enterprise Edition or Datacenter Edition is required to configure version 2 certificate templates for auto-enrollment.


To install Windows Server 2003 certificate services, do the following:

1. Choose Start, Control Panel and then select the Add or Remove Programs icon.

2. Select Add/Remove Windows Components to display the Windows Components Wizard window.

3. Check the Certificate Services box. When you see a warning message, click Yes to proceed. Click Next to continue.

4. Choose the type of CA to install. You can choose from the following options:

  • Enterprise Root CA: This CA requires Active Directory and is the topmost level of the certificate services hierarchy. It can issue and sign its own certificates.

  • Enterprise Subordinate CA: This type of CA is subordinate to the enterprise root CA. It requires Active Directory and can obtain certificates from an enterprise root CA.

  • Standalone Root CA: This CA is the topmost level of the certificate services hierarchy and can issue and sign its own certificates. Standalone CAs do not require Active Directory.

  • Standalone Subordinate CA: Similar to the enterprise subordinate CA, this CA is subordinate to the standalone root CA.

5. Checking the box to use custom settings and then clicking Next allows you to select the cryptographic service provider (CSP), hash algorithm, and key pair configuration, as shown in Figure 15.1.

Figure 15.1. Customizing the CA.

6. Identify the CA by entering the appropriate common name. You can also set how long the CA is valid (the default is five years). Click Next to continue.

7. Verify the location of the certificate database, logs, and shared folder. Click Next to continue.

8. Click Finish to complete the CA creation.

Note

Windows Server 2003 contains a command-line utility called certutil.exe that can provide a wealth of information about a CA and certificates. Microsoft touts this as a powerful troubleshooting tool, and rightly so. Its many capabilities include, but are not limited to, verifying certificates and services, displaying certificate services configuration information, re-associating private keys with the proper certificate, publishing a certificate revocation list, and revoking certificates. Beyond troubleshooting, this tool is also very useful for keeping security policies enforced and the CA in the proper configuration.
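As an added example (not code from the book), the following PowerShell script runs the read-only certutil.exe checks the note lists: it pings the service, records the CA configuration and CRL schedule, checks whether the published CRL has expired, and verifies an issued certificate. It assumes it runs on the CA with administrative rights; the CA config string, output paths, and certificate file are placeholders.

```powershell
# Added example, not from the book: a read-only CA health check built on certutil.exe.
# Assumptions: run locally on the CA as an administrator; $CaConfig is a placeholder
# and must match the "Machine\CA Name" string that "certutil -dump" reports.
$CaConfig = 'CA01.example.local\Example Root CA'   # placeholder, adjust to your CA
$Report   = 'C:\CAaudit\cainfo.txt'
New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null

# 1. Is the service answering? -ping returns a non-zero exit code when certsvc is down.
certutil -config $CaConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Certificate Services is not responding on $CaConfig" }

# 2. Record the CA's configuration (CA type, certificate chain, CRL status) for the change log.
certutil -config $CaConfig -cainfo | Out-File -FilePath $Report
# CRL schedule from the CA's registry; a long period means revocations propagate slowly.
certutil -getreg CA\CRLPeriodUnits | Out-File -FilePath $Report -Append
certutil -getreg CA\CRLPeriod      | Out-File -FilePath $Report -Append

# 3. Check that each published CRL is still within its validity window. "certutil -dump"
#    prints "NextUpdate: <date>" in the machine's locale, which [datetime]::Parse also uses.
$crlDir = Join-Path $env:SystemRoot 'system32\CertSrv\CertEnroll'
foreach ($crl in Get-ChildItem -Path $crlDir -Filter *.crl) {
    $line = certutil -dump $crl.FullName | Select-String 'NextUpdate:' | Select-Object -First 1
    if (-not $line) { Write-Warning "could not read NextUpdate from $($crl.Name)"; continue }
    $next = [datetime]::Parse(($line.Line -replace '^.*NextUpdate:\s*', ''))
    if ($next -lt (Get-Date)) {
        Write-Warning "$($crl.Name) expired on $next; publish a new CRL with 'certutil -crl'"
    }
}

# 4. Verify an issued certificate chains to this CA and is not revoked; -urlfetch retrieves
#    the CRL and issuer certificate from the URLs in the certificate, as a client would.
certutil -verify -urlfetch 'C:\CAaudit\issued-cert.cer'   # placeholder path
```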


Security Configuration and Analysis

Windows Server 2003's integrated Security Configuration and Analysis tool is used to compare the current security configuration against a database. This database uses one or more predefined security templates. If more than one security template is used, the settings from each security template are merged, which may result in a combination of security configurations. If a conflict occurs between the database and the last-applied security template, the last security template takes precedence.

Note

The Security Configuration and Analysis tool displays indicators on each security configuration as to how it ranks when compared to the analysis database. For instance, a red X indicates that values between the database and the current configuration do not match.


To begin using the Security Configuration and Analysis tool, do the following:

1. Choose Start, Run and type MMC. Click OK.

2. Select File, Add/Remove Snap-In.

3. Click the Add button and choose Security Configuration and Analysis. Click the Add button in the Add Standalone Snap-in page.

4. Click Close and then OK to return to the Microsoft Management Console.

5. Click Security Configuration and Analysis in the left pane. If this is your first time using the tool, you'll see instructions on how to open a Security Configuration and Analysis database or create a new one.

6. If you want to create a new database, right-click Security Configuration and Analysis in the left pane and select Open Database.

7. Browse to the location where you want to store the database and then type in its filename.

8. Click Open to create the new database.

9. In the Import Template dialog box, choose which security template to use and then click Open. In this example, use setup security.inf.

10. Select Action, Analyze Computer Now.

11. In the Perform Analysis window, specify the location and name of the log file you want to use. Click OK when you're done.

12. After the Security Configuration and Analysis tool finishes analyzing the system against the analysis database, you can browse and review the security configurations, as shown in Figure 15.2. At this point, you can either selectively configure security settings or select Action, Configure Computer Now to set the security settings.

Figure 15.2. Using the Security Configuration and Analysis tool to determine security configurations.


Security Configuration and Analysis is a great tool for standardizing Windows Server 2003 security throughout the network. It is also very useful for ensuring that security configurations are set properly. Use this tool at least every quarter and on new systems to keep security policies enforced.
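The same analysis can be scheduled from the command line with secedit.exe, the engine behind the snap-in. The script below is an added example (not from the book): it imports setup security.inf into a fresh database, analyzes the computer against it, and lists every setting the log marks as a mismatch. The output paths are placeholders; the "Mismatch - " line format is the one secedit writes to its analysis log.

```powershell
# Added example, not from the book: the Security Configuration and Analysis steps above,
# driven by secedit.exe so the quarterly check can run unattended.
# Assumptions: paths below are placeholders; the log is parsed on the "Mismatch - <Setting>."
# lines that secedit writes for settings that differ from the template.
$Template = Join-Path $env:SystemRoot 'security\templates\setup security.inf'
$Db       = 'C:\SecAudit\baseline.sdb'      # analysis database, created if absent
$Log      = 'C:\SecAudit\baseline.log'

New-Item -ItemType Directory -Path (Split-Path $Db) -Force | Out-Null
if (Test-Path $Log) { Remove-Item $Log }    # secedit appends; start from an empty log

# Load the template into the database and compare the live configuration against it.
# /overwrite discards settings already in the database, so earlier templates do not merge
# with this one (the snap-in merges templates unless told otherwise).
secedit /analyze /db $Db /cfg "$Template" /overwrite /log $Log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed with exit code $LASTEXITCODE" }

# Collect the settings that differ from the template. Log lines look like:
#     Mismatch - MinimumPasswordLength.
$mismatches = Get-Content -Path $Log |
    Where-Object { $_ -match '^\s*Mismatch - (.+?)\.?\s*$' } |
    ForEach-Object { $Matches[1] }

if (-not $mismatches) {
    Write-Output 'Current configuration matches the template.'
} else {
    Write-Output "$(@($mismatches).Count) setting(s) differ from the template:"
    $mismatches | ForEach-Object { Write-Output "  $_" }
    # After review (step 12 above), the "Configure Computer Now" equivalent is:
    #     secedit /configure /db $Db /log $Log /quiet
}
```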

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) is a tool that identifies common security misconfigurations and missing updates through local or remote scans of Windows systems. MBSA scans either a single Windows system or a group of Windows systems and produces a security assessment, as well as a list of recommended corrective actions. Furthermore, administrators can use MBSA to scan the functional roles a Windows-based server hosts, such as Microsoft SQL Server or Exchange, for vulnerabilities and to confirm that the system is up-to-date with the latest security-related patches.

To run MBSA, do the following:

1. Download the latest security XML file to use with MBSA. This file contains a list of current service packs and updates that should be applied to a system.

2. Keep the default settings and scan the server(s).

Security Configuration Wizard

The Security Configuration Wizard (SCW) is a tool provided in Windows Server 2003 Service Pack 1 that can significantly improve a computer's or a group of computers' security. As the name implies, SCW is wizard-based, designed to determine the specific functionality required by the server. All other functionality that is not intended or required by the server can then be disabled. This reduces the computer's attack surface by limiting functionality to only that which is required and necessary.

SCW reviews the computer's configuration, including but not limited to the following:

  • Services: SCW limits the number of services in use.

  • Packet filtering: SCW can configure certain ports and protocols.

  • Auditing: Auditing can be configured based on the computer's role and the organization's security requirements.

  • IIS: SCW can secure IIS, including Web Extensions and legacy virtual directories.

  • Server roles and tasks: The role (file, database, messaging, Web server, client, and so on), specific tasks (backup, content indexing, and so on), and placement in an environment that a computer may have is a critical component in any lock-down process or procedure. Some of the roles and tasks that are evaluated are illustrated in Figures 15.3 and 15.4. Application services are also evaluated from products such as Exchange Server 2003, SQL Server 2000, ISA Server, SharePoint Portal Server 2003, and Operations Manager.

  • IPSec: SCW can be used to properly configure IPSec.

  • Registry settings: After careful analysis, SCW can modify the LanMan Compatibility level, SMB security signatures, NoLMHash, and LDAP Server Integrity parameters based on down-level computer compatibility requirements.

Figure 15.3. Analyzing computer roles.


Figure 15.4. Analyzing specific tasks.


Caution

SCW is a very flexible and powerful security analysis and configuration tool. As a result, it is important to keep control over when and how the tool is used. Equally important is testing possible configurations in a segmented lab environment prior to implementation. Without proper testing, functionality in the environment can be impaired or a system completely locked down.


SCW is used to assist in building specific security-related policies and to analyze computers against those policies to ensure compliance. In many ways, SCW can be considered a replacement for other Microsoft security-related tools that have already been mentioned in this chapter. For instance, SCW can take existing security templates created from the Security Configuration and Analysis tool and expand upon the restrictions to meet an organization's security policy requirements. In addition, SCW can create, edit, and apply system security policies to computers, integrate with Group Policy, and provide a knowledge base repository for system security policies.
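Both halves of that workflow, analyzing computers against a policy and handing the policy to Group Policy, are scriptable through scwcmd.exe, which ships with SCW in Service Pack 1. The script below is an added example (not from the book): server names, the policy file, and the GPO name are placeholders.

```powershell
# Added example, not from the book: compliance check of several servers against one SCW
# policy with scwcmd.exe, followed by turning the tested policy into a GPO.
# Assumptions: the policy XML was saved from the SCW wizard; server names, paths and the
# GPO name are placeholders.
$Policy  = 'C:\SCW\FileServerRole.xml'
$Servers = 'FS01', 'FS02'
$OutDir  = 'C:\SCW\Results'
$Xsl     = Join-Path $env:SystemRoot 'security\msscw\TransformFiles\scwanalysis.xsl'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Analyze only: compares each machine to the policy and writes <machine>.xml into $OutDir
# without changing anything on the target, so it is safe outside the lab.
foreach ($s in $Servers) {
    scwcmd analyze /m:$s /p:$Policy /o:$OutDir
    if ($LASTEXITCODE -ne 0) { Write-Warning "analysis of $s failed (exit code $LASTEXITCODE)" }
}

# Render one result file as HTML for review, using the stylesheet that ships with SCW.
$Result = Join-Path $OutDir 'FS01.xml'
scwcmd view /x:$Result /s:$Xsl

# Once the policy has been tested (see the caution above), publish it through Group Policy
# rather than touching servers one at a time. "scwcmd configure /m:<server> /p:<policy>"
# applies it directly, and "scwcmd rollback /m:<server>" undoes the last configure.
scwcmd transform /p:$Policy /g:SCW-FileServerRole
```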

Windows Rights Management Services

Windows Rights Management Services (RMS) is an unprecedented new feature that enables users to more securely create and control information. It gives the creator of the specific information control over the following:

  • What can be done with the information

  • Who can perform actions or tasks with the information, such as who can review or print a document or whether a message can be forwarded

  • The lifetime of the information, meaning the period during which the information can be reviewed or used

RMS is intended to complement and co-exist with other security measures within an organization. Security mechanisms, policies, practices, and technologies should work seamlessly together to provide the most effective safeguarding of information and property, but at the same time, they should be as unobtrusive as possible to the end user. Therefore, RMS is not confined to a specific network or Web site; it extends beyond transport layer boundaries.

RMS further granularizes security for browsers and applications such as Microsoft Office 2003 that are WRM-aware by using encryption, Extensible Rights Markup Language (XrML)-based certificates, and authentication. Security administrators can establish RMS-trusted entities with users, groups, computers, and applications that are then used to assign security rights to information. The security rights are stored in a publishing license, which is encrypted along with the information. As information is requested, RMS validates credentials and usage rights.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499