In Windows NT 4.0 Service Pack 4, Microsoft first released the Security Configuration Editor (SCE). It was a revolutionary tool at its time, both because of its legendary user -unfriendliness, and because it presented most security-relevant settings in one place. However, although the tool shipped with several "security templates" containing specific settings you could apply to a system, use of at least one of those templates was likely to significantly impair the system's ability to function. Several third parties shortly published security guides describing their recommendations for settings to use, based most on the one template that would break everything. Testing of these guides on general purpose systems usually ranged from non-existent to poor, making them a prime call generator for Microsoft's product support services. Some exceptions are noted, but these were exceptions designed for very specific environments, such as military systems, and were completely unsuited for virtually all general purpose systems; as well as most military systems.
Several years ago, in an attempt to decrease the support costs associated with security configuration, as well as provide realistic and actionable guidance on hardening systems, Microsoft embarked on an effort to document security hardening of various products through security guides. The first of these guides was the Windows 2000 Security Hardening Guide (http://go.microsoft.com/fwlink/?LinkId=28591), followed shortly by the Windows Server 2003 Guide (http://go.microsoft.com/fwlink/?LinkId=14845), the Windows XP Guide (http://go.microsoft.com/fwlink/?LinkId=14840), their associated Threats and Countermeasures Guide (http://go.microsoft.com/fwlink/?LinkId=15159), and the Exchange Server 2003 Guide (http://go.microsoft.com/fwlink/?LinkId=25210). The purpose of the guides was to provide more information on security settings that can be configured in these products, as well as how to configure them to provide adequate protection for particular systems filling relatively generic roles. The guides have also been adopted as configuration standards by various organizations.
With Windows Server 2003 Service Pack 1, Microsoft released the Security Configuration Wizard (SCW). SCW is the first new security policy tool from Microsoft in six years. It is designed to assist in configuring security on a particular system, tailoring the security on that system to the specific needs of the organization. Although client systems generally need to be multipurpose systems and there consequently are few specific roles that apply to them, servers can, and in many cases should, be configured to very specific roles.
To assist with authoring security policies in such environments, SCW was designed for relatively advanced administrators who want to tailor the security of their servers to the specific roles those servers should perform. It can also be used by system architects to create new roles and new policies by combining roles. Finally, even relatively junior system administrators can use it to apply policies authored or tailored by others. Contrary to SCE, SCW includes significant intelligence on the needs of a system performing a particular role and allows an analyst to walk through each option for reducing the attack surface on that role.
One way to look at how these two resources relate is to view security configuration as an organizational chart where items get more specific the further down the chart you move, as shown in Figure 12-2.
Figure 12-2. Server roles can be viewed as an organizational chart.
The base operating system provides a default level of security, but because systems can be deployed in different roles, security can, and should, be tailored to that role to achieve a lower attack surface. A default installation cannot account for these roles since the security settings in a default installation must allow for a greater range of use of the system. To that end, the guides, as well as SCW, provide security configuration for a wide range of roles, accounting for many, if not most, deployment scenarios for servers and clients . Note that the roles shown in Figure 12-2 are only a sampling and may not be available for all operating systems. The diagram is merely meant to show that the guides, in general, provide more generic configurations, with more specific configuration offered by a customized role designed using SCW.
The hardening guides include a relatively small set of roles. They also include settings for several levels of each role to tailor the role to a particular threat level in the environment. Those levels allow use of the guides in extremely hostile environments, such as military facilities, as well as in environments where interoperability with legacy systems is required, necessitating a decreased security posture . The guides should be used by administrators who need to configure security on more generic systems, by architects who simply want to learn more about the settings available on the operating systems and other products, and by administrators who are required to configure a system in accordance with an approved configuration based on the assurance level needed at their site. This latter category primarily applies to government agencies and facilities that are subject to regulatory requirements, such as those subject to HIPAA or Sarbanes-Oxley requirements.
The roles in the hardening guides are designed specifically to be deployed using Group Policy (GP). SCW does not produce GP configurations, but rather portable XML files. Those files cannot be directly used in a GP object (GPO). To use an SCW role in a GPO, it must be transformed into a GPO using the scwcmd transform command.
The decision of which of these tools to use depends on your objective. Although all options are supported, they serve different purposes:
SCW provides the ability to operate in conjunction with the security guides by importing a template, such as provided with the guides. This functionality, however, should be used with great caution. It is possible, even likely, that the settings made by SCW are overridden by the guides, and vice versa, with the result that the system will not perform the functions intended by either.