Windows Server 2003 provides new security tools and features that differ significantly from previous Windows Server products. Specifically, Windows Server 2003 is installed in a locked-down state, providing the fewest services and permissions possible while still providing standard functionality. The improved security tools make configuring, analyzing, troubleshooting, and maintaining security easier. These security tools, collectively called the Security Configuration Tool Set or Security Configuration Manager, include:
Security Configuration and Analysis snap-in to Microsoft Management Console
Security Templates snap-in to Microsoft Management Console
Command-line tool secedit.exe
Security Extensions to Group Policy
Hfnetchk.exe and Microsoft Baseline Security Analyzer
Each of these tools is used to configure, analyze, and modify security settings in a Windows Server 2003 environment.
The Security Configuration and Analysis snap-in, accessed via the MMC, is used to compare current computer security settings to another set of security settings. By importing a security template containing a specific set of predefined settings, you can compare the settings and determine where security settings on the computer differ from a template. The template can be one of the predefined templates provided in Windows Server 2003, or it can be a custom template you create from scratch or by copying and then modifying one of the predefined templates. After analyzing the settings, you can configure the computer with the settings from the template or modify individual settings. The configure command only allows you to configure the local computer and cannot be used to configure other computers. However, once youve analyzed settings, you can apply those security settings to other computers by using the Security Extensions to Group Policy.
The MMC snap-in Security Templates provides access to all the predefined templates. You can copy, modify, and save security settings in this snap-in. The templates include the baseline template, Setup security.inf, as well as DC security.inf, Compat*.inf, Secure*.inf, Hisec*.inf, Rootsec.inf, and Notssid.inf. Each template configures a group of security settings commonly used in different scenarios such as DC, secure server, or file server.
An alternative to the Security Configuration and Analysis snap-in is the command-line tool secedit.exe . Using the various command-line parameters, including /import , /export , /analyze , and /configure , you can manage security on a local or remote computer. If the secedit command is included in a batch file or scheduled task, the security settings can be applied at any time across the network to any one or group of computers.
Using Security Extensions to Group Policy is the easiest way to apply a security template or any set of security policies to various GPOs. When applied in this manner, the application follows standard Group Policy rules, which apply group policies by local computer, domain, site, and OU. Account and password policies are applied only at the domain level. When applying security via GP, the settings will be updated when the GP is refreshed. The earlier command, secedit /policyrefresh . is replaced by the gpupdate command-line tool, which will force a policy refresh without waiting for the specified interval.
Each predefined security template provided in Windows Server 2003 is configured to provide the best overall security settings for each role. Although these templates can be modified, you should analyze the results of any changes prior to implementing them on a live system, as any changes can create unintended security holes. The templates are applied cumulatively, and other than the baseline template, Setup security.inf , will not establish default values. A template can have a security policy enabled, disabled, set to a particular value, or not defined. If it is not defined, it is not included in the template. It will not affect those settings in any manner and will leave whatever settings exist on the computer in place.
The Setup security.inf template establishes baseline security on a Windows Server 2003 system. It is used on a clean installation of Windows Server 2003. For systems that are upgraded from earlier versions, this template is not applied by default. However, to establish sound baseline security settings, it is recommended that you apply the Setup security.inf template to upgraded systems before applying other security templates. To reset portions of the security settings on a computer, you can use the secedit.exe command and specify a particular security area to configure, such as FILESTORE or USER_RIGHTS. Applying higher security templates, including the secure*.inf and hisec*.inf, can cause connectivity issues with down-level clients because these templates require the use of NTLM v2 or better authentication and SMB packet signing, for example. Down-level clients can install Directory Services (if available) to provide some additional functionality, but applying these templates should be tested thoroughly before implementation. The compat*.inf template is used to relax Registry and file security settings to allow legacy applications to run on the Windows Server 2003 platform. Using this template relaxes security and should be applied only if necessary, only in a limited manner and never on a DC.
Computers in Windows Server 2003 can be configured for various server roles. In some network situations, it is appropriate to configure a server with only one role where security and/or network demand is high. In other scenarios, it is appropriate to configure a server in multiple roles. Each server role installs and uses a set of services to enable that server function. Server functions (and related services) should not be enabled if not needed. In fact, one of the major changes in Windows Server 2003 is that IIS is no longer installed by default. This reduces the vulnerability of the server significantly.
Security best practices, especially with regard to servers, includes securing the computer in an access-controlled location to physically prevent unauthorized access. Additional security measures can be taken, depending on the role of the server. Applying security templates provides baseline security levels, and additional security can be implemented via Group Policy settings. These can include using the IPSec protocol to encrypt and secure network communications, using VPN tunneling to secure connections, SMB packet signing, among others.
Once security settings for various server roles have been analyzed and tested, these settings can be rolled out to computers via GPOs to servers in sites, domains, and OUs. Rolling out security settings in this way helps ensure consistent security application and management and can assist in troubleshooting security problems as well.