The Security Configuration Tool Set consists of five separate tools that are used to configure, analyze, and apply security settings.
The Security Configuration and Analysis snap-in is used to configure and analyze security settings on a local computer.
The predefined security templates can be accessed, modified, and saved via the Security Templates snap-in.
The command-line tool, secedit.exe, is used to configure, analyze, and apply security settings via the command line. Entire templates or particular security areas can be applied to local or remote computers in real time, batch files, or scheduled tasks.
Security Extensions to Group Policy provide a way to roll out security templates and custom settings via GPOs.
The Microsoft Baseline Security Analyzer checks for security misconfigurations that might cause security problems.
The MBSA also includes the command-line utility Hfnetchk.exe, which checks the system to ensure all available hotfixes, updates, and patches have been applied.
The baseline security template provided in Windows Server 2003 is Setup security.inf. It is applied only to clean installations of Windows Server 2003.
Other security templates include DC security.inf, compat*.inf, secure*.inf, hisec*.inf, rootsec.inf, and notssid.inf. Each is used in a particular setting to configure security accordingly.
Predefined templates should be copied before being modified to preserve the settings in case default values need to be re-established.
Configurable security areas include account policies, local policies, event log, restricted groups, system services, Registry, and file system.
Microsoft Windows Server 2003 identifies the following server roles: file, print, application, mail, terminal, remote access, DC, DNS, DHCP, WINS, and streaming media.
Each server role can be configured via the Configure Your Server Wizard, which installs appropriate services for each server role selected. Each server role can be managed via the Manage Your Server tool.
Server roles determine preset security configurations. Modifications can be made by editing a security template and applying that template to a group of servers in the same role.
Reviewing the common threats to each server role helps determine the security measures that should be established as a baseline for each role.
Best practices for servers include physically securing the server, implementing NTFS on the system volumes, securing well-known accounts, removing/disabling unused services and protocols, keeping updates and patches up to date, and installing and maintaining current signature files for virus protection.
High-profile servers, such as DCs and computers running IIS, should use the highest level of security possible, while still accounting for network performance and down-level clients.
Higher security typically slows response time, so finding a balance between security and usability is important.
Once templates have been tested, they can be applied across sites, domains, and OUs via Group Policy. This helps ensure that all servers in a particular role are set with the same security settings, which in turn helps establish and maintain baseline security for your network.
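
The summary above recommends copying a predefined template before modifying it and lists the configurable security areas. The following added example (not code from the original text) compares a modified copy against its baseline and reports each changed setting by area, so the changes can be reviewed before the template is applied through Group Policy. The function names are illustrative and the template values are constructed samples.

```python
import configparser

# Template section -> security area, using the area names from the summary above.
AREAS = {"System Access": "account policies", "Kerberos Policy": "account policies",
         "Event Audit": "local policies", "Privilege Rights": "local policies",
         "Registry Values": "local policies", "System Log": "event log",
         "Security Log": "event log", "Application Log": "event log",
         "Group Membership": "restricted groups", "Registry Keys": "Registry",
         "Service General Setting": "system services", "File Security": "file system"}
NOT_SET = "<not defined>"

def load_template(text):
    """Parse template text into {section: {setting: value}}."""
    # Only '=' separates name and value; some areas use lines with no '=' at all.
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=(";",),
                                      allow_no_value=True, strict=False)
    cp.optionxform = str  # keep registry paths and setting names as written
    cp.read_string(text)  # for a file on disk: open(path, encoding="utf-16").read()
    return {s: dict(cp.items(s)) for s in cp.sections()}

def diff_templates(baseline, modified):
    """List (area, section, setting, old, new) for each setting that differs."""
    changes = []
    for section in sorted(set(baseline) | set(modified)):
        if section in ("Unicode", "Version"):  # file header, not a security area
            continue
        old, new = baseline.get(section, {}), modified.get(section, {})
        for key in sorted(set(old) | set(new)):
            a, b = old.get(key, NOT_SET), new.get(key, NOT_SET)
            if a != b:
                changes.append((AREAS.get(section, "unmapped"), section, key, a, b))
    return changes

# Constructed sample values, not the contents of any shipped template.
HEADER = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
BASELINE = HEADER + r"""[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
"""
MODIFIED = (BASELINE.replace("Length = 0", "Length = 8").replace("Complexity = 0", "Complexity = 1")
            .replace("Events = 0", "Events = 3").replace("=4,0", "=4,2")
            + '[Service General Setting]\nTlntSvr,4,""\n')

for change in diff_templates(load_template(BASELINE), load_template(MODIFIED)):
    print("%-18s [%s] %s: %s -> %s" % change)
```

Settings that appear in only one of the two templates are reported with `<not defined>` on the other side, which is how a newly added service or file-system entry shows up in the review.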