To ensure policies are adhered to, organizations must enforce their security policies. In addition to the general technology controls described earlier, Windows Server 2003 integrates many different tools for enforcing security policies throughout an organization's Windows-based systems.

Certificate Services

Windows Server 2003 has the capability to act as a certificate authority (CA). This service in Windows is called Certificate Services and is available on Windows Server 2003 Standard Edition, Enterprise Edition, and Datacenter Edition.

Note: Windows Server 2003 Enterprise Edition or Datacenter Edition is required to configure version 2 certificate templates for auto-enrollment.

To install Windows Server 2003 Certificate Services, do the following:
Note: Windows Server 2003 contains a command-line utility called certutil.exe that can provide a wealth of information about a CA and its certificates. Microsoft touts this as a powerful troubleshooting tool, and rightly so. Its many capabilities include, but are not limited to, verifying certificates and services, displaying Certificate Services configuration information, re-associating private keys with the proper certificate, publishing a certificate revocation list, and revoking certificates. As this list shows, the tool is also very useful for keeping security policies enforced and the CA in its proper configuration.

Security Configuration and Analysis

Windows Server 2003's integrated Security Configuration and Analysis tool is used to compare the current security configuration against a database. This database is built from one or more predefined security templates. If more than one security template is imported, the settings from each template are merged, which may result in a combination of security configurations. If a conflict occurs between the database and the last-applied security template, the last security template takes precedence.

Note: The Security Configuration and Analysis tool displays an indicator next to each security setting showing how it ranks when compared to the analysis database. For instance, a red X indicates that the value in the database and the value in the current configuration do not match.

To begin using the Security Configuration and Analysis tool, do the following:
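The certutil note and the Security Configuration and Analysis section above both describe checks an administrator repeats to keep policy enforced. The following PowerShell script is an added example, not from the book, that drives the command-line equivalents of both: certutil.exe for the CA checks, and secedit.exe, the command-line counterpart of the Security Configuration and Analysis snap-in, for building the analysis database and running the comparison. It assumes an elevated session on the Windows Server 2003 CA; the C:\Audit paths, the server list and the second template name are placeholders, and the stock securews.inf template is the one that ships in %windir%\security\templates.

```powershell
# Added example: audit a Windows Server 2003 CA and compare the local
# security configuration against a template database. Assumes certutil.exe
# and secedit.exe are on PATH and the script runs elevated on the CA.
$ErrorActionPreference = 'Stop'
$audit = 'C:\Audit'                                  # placeholder output folder
New-Item -ItemType Directory -Path $audit -Force | Out-Null

# --- Certificate Services checks (read-only) ---------------------------
# Show the CA configuration string (server\CA name) registered on this box
# and confirm the CA's request interface answers.
certutil -getconfig
certutil -ping
if ($LASTEXITCODE -ne 0) { Write-Warning 'CA did not respond to certutil -ping' }

# Export the CA certificate and verify its chain and revocation status.
certutil -ca.cert "$audit\ca.cer" | Out-Null
certutil -verify "$audit\ca.cer"
if ($LASTEXITCODE -ne 0) { Write-Warning 'CA certificate failed chain verification' }

# Show how often the CA publishes its CRL, then list revoked certificates
# from the CA database (Disposition 21 = revoked) for the audit record.
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLPeriodUnits
certutil -view -restrict 'Disposition=21' -out 'RequestID,SerialNumber,RequesterName,NotAfter' |
    Out-File "$audit\revoked.txt"

# --- Security Configuration and Analysis via secedit -------------------
$db   = "$audit\policy.sdb"
$log  = "$audit\analyze.log"
$base = "$env:windir\security\templates\securews.inf"   # stock template
$site = 'C:\Templates\SiteHardening.inf'                # placeholder, applied last

# /overwrite empties the database before the first import; the second
# import merges on top, so SiteHardening.inf wins any conflicting setting,
# matching the "last template takes precedence" rule described above.
secedit /import /db $db /cfg $base /overwrite /quiet
secedit /import /db $db /cfg $site /quiet

# Analyze only: nothing is changed on the machine. Mismatches are written to
# the log, which is what the snap-in shows as a red X.
secedit /analyze /db $db /log $log /quiet
Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line }

# To enforce the database rather than just report, run this instead:
# secedit /configure /db $db /log "$audit\configure.log" /quiet
```

The analysis pass is deliberately separated from the configure pass: running /analyze on a schedule gives a quarterly drift report, and /configure is reserved for the change window after the log has been reviewed.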
Security Configuration and Analysis is a great tool for standardizing Windows Server 2003 security throughout the network. It is also very useful for ensuring that security configurations are set properly. Use this tool at least every quarter and on new systems to keep security policies enforced.

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) is a tool that identifies common security misconfigurations and missing updates through local or remote scans of Windows systems. MBSA scans either a single Windows system or a group of Windows systems and produces a security assessment, as well as a list of recommended corrective actions. Furthermore, administrators can use MBSA to scan the functional roles of a Windows-based server on the network, such as Microsoft SQL Server or Exchange, for vulnerabilities and to help ensure systems are up-to-date with the latest security-related patches.

To run MBSA, do the following:
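The MBSA section above describes scanning a group of systems and collecting the recommended corrective actions. The following PowerShell script is an added example, not from the book, that does the same with mbsacli.exe, the command-line scanner that installs alongside the MBSA 2.x graphical tool. It assumes MBSA 2.x is installed at the path shown, that the account running the script is a local administrator on every target, and that servers.txt is a constructed list of hostnames; the report location under %USERPROFILE%\SecurityScans and the SecScan/Check attribute names read from the report are assumptions about the MBSA 2.x report format.

```powershell
# Added example: scan a list of servers with mbsacli.exe and summarize the
# checks that did not pass. Paths and the target list are placeholders.
$ErrorActionPreference = 'Stop'
$mbsacli = 'C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$targets = 'C:\Audit\servers.txt'          # constructed: one hostname per line
$reports = Join-Path $env:USERPROFILE 'SecurityScans'

if (-not (Test-Path $mbsacli)) { throw "mbsacli.exe not found at $mbsacli" }

# /listfile scans every host in the file; /n IIS+SQL skips the IIS and SQL
# checks for hosts that do not run those roles; /o names each report file
# domain-computer-timestamp so repeated scans do not overwrite each other.
& $mbsacli /listfile $targets /n IIS+SQL /o '%D%-%C%-%T%'

# Each scan leaves an XML report (.mbsa) in the SecurityScans folder.
# Assumed report layout: <SecScan Machine=...><Check ID Name Grade .../></SecScan>
$cutoff = (Get-Date).AddHours(-1)
Get-ChildItem $reports -Filter '*.mbsa' |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        [xml]$scan = Get-Content $_.FullName
        foreach ($check in $scan.SecScan.Check) {
            # Grade 1 is a pass in MBSA reports; anything else needs attention.
            if ($check.Grade -ne '1') {
                [pscustomobject]@{
                    Machine = $scan.SecScan.Machine
                    Check   = $check.Name
                    Grade   = $check.Grade
                }
            }
        }
    } | Sort-Object Machine, Grade -Descending | Format-Table -AutoSize
```

The same report files open in the MBSA graphical tool, so the table is a triage list and the detailed corrective actions for each failed check are read from the report itself.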
Security Configuration Wizard

The Security Configuration Wizard (SCW) is a tool provided in Windows Server 2003 Service Pack 1 that can significantly improve the security of a computer or a group of computers. As the name implies, SCW is wizard-based, designed to determine the specific functionality required by the server. All other functionality that is not intended or required by the server can then be disabled. This reduces the computer's attack surface by limiting functionality to only that which is required and necessary. SCW reviews the computer's configuration, including but not limited to the following:
Figure 15.3. Analyzing computer roles.

Figure 15.4. Analyzing specific tasks.

Caution: SCW is a very flexible and powerful security analysis and configuration tool. As a result, it is important to keep control over when and how the tool is used. Equally important is testing possible configurations in a segmented lab environment prior to implementation. Without proper testing, environment functionality can be crippled or completely locked.

SCW is used to assist in building specific security-related policies and to analyze computers against those policies to ensure compliance. In many ways, SCW can be considered a replacement for the other Microsoft security-related tools already mentioned in this chapter. For instance, SCW can take existing security templates created with the Security Configuration and Analysis tool and expand upon their restrictions to meet an organization's security policy requirements. In addition, SCW can create, edit, and apply system security policies to computers, integrate with Group Policy, and provide a knowledge base repository for system security policies.

Windows Rights Management Services

Windows Rights Management Services (RMS) is an unprecedented new feature that enables users to create and control information more securely. It gives the creator of the specific information control over the following:
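The SCW section above describes building a policy, analyzing computers against it for compliance, and integrating it with Group Policy. The following PowerShell script is an added example, not from the book, that does those steps with scwcmd.exe, the command-line companion of the wizard installed with Service Pack 1. It assumes the policy file was already saved from the wizard in a lab (as the Caution above requires), that the script runs as a domain administrator, and that the server names, OU distinguished name, GPO name and C:\Audit paths are placeholders; the scwanalysis.xsl stylesheet path under %windir%\security\msscw is an assumption.

```powershell
# Added example: check servers against a saved SCW policy, render the results,
# and only then push the policy through Group Policy. All names are placeholders.
$ErrorActionPreference = 'Stop'
$policy  = 'C:\Policies\WebServerBaseline.xml'   # saved from the SCW wizard in the lab
$results = 'C:\Audit\scw'
$servers = @('web01', 'web02', 'web03')          # constructed target list
$xsl     = "$env:windir\security\msscw\TransformFiles\scwanalysis.xsl"

New-Item -ItemType Directory -Path $results -Force | Out-Null

# Step 1: analyze only. scwcmd writes one <server>.xml result per machine into
# the /o: folder and changes nothing on the target.
foreach ($s in $servers) {
    scwcmd analyze /m:$s /p:$policy /o:$results
    if ($LASTEXITCODE -ne 0) { Write-Warning "Analysis of $s returned $LASTEXITCODE" }
}

# Step 2: render each result as HTML for the review record and flag any
# server whose result file is missing (unreachable or analysis failed).
foreach ($s in $servers) {
    $xml = Join-Path $results "$s.xml"
    if (Test-Path $xml) {
        scwcmd view /x:$xml /s:$xsl > (Join-Path $results "$s.html")
    } else {
        Write-Warning "No SCW result for $s"
    }
}

# Step 3 (change window only): convert the policy to a GPO so Group Policy
# enforces it on the OU, instead of configuring each server individually.
# scwcmd transform /p:$policy /g:'SCW - Web Server Baseline'
# Then link the new GPO to the web server OU in the Group Policy console.

# If a server must be reverted after a direct configure, scwcmd keeps a
# rollback record:  scwcmd rollback /m:web01
```

Keeping the transform and rollback commands commented out mirrors the Caution above: analysis runs freely, while anything that changes production waits for a reviewed lab result.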
RMS is intended to complement and co-exist with other security measures within an organization. Security mechanisms, policies, practices, and technologies should work seamlessly together to provide the most effective safeguarding of information and property, but at the same time they should be as unobtrusive as possible to the end user. Therefore, RMS is not confined to a specific network or Web site; it extends beyond transport layer boundaries. RMS further granularizes security for browsers and applications such as Microsoft Office 2003 that are WRM-aware by using encryption, Extensible Rights Markup Language (XrML)-based certificates, and authentication. Security administrators can establish RMS-trusted entities (users, groups, computers, and applications) that are then used to assign security rights to information. The security rights are stored in a publishing license, which is encrypted along with the information. As information is requested, RMS validates credentials and usage rights.