The Security Configuration Wizard for Windows 2003/SP1

The biggest addition to Windows 2003/SP1 (as far as Group Policy is concerned) is the Security Configuration Wizard, or SCW. I know, I know. You hate wizards. But this one is really super powerful. So powerful, in fact, that it has its own home page at Microsoft.com at www.microsoft.com/scw. Wow!

In the last section, you learned how to leverage security templates and secure your workstations. You then linked a GPO, slurped in the security template, and secured a gaggle of workstations all in one go.

In this section, the goal is similar. You'll run the SCW on one of your Windows 2003 machines, say, your Domain Controller. You'll tell the SCW which "roles" the Domain Controller has. For instance, perhaps in addition to being a Domain Controller, it's also a print server and a file server and also maybe a DHCP server. Once you've told it what the machine will be used for, it will pop out a security policy that describes how to secure this Windows 2003 server. Next, you'll convert the policy into a GPO. Finally, you'll link the GPO to an OU in Active Directory, which contains the collection of Windows 2003 servers you want to secure! Hence, all servers in the OU will have the same security policy.

The true goal of the SCW is to "reduce the attack surface." That's the common phrase used when we want to stop all unused services and close up any remaining unused doors. We won't be able to go over all the ins and outs of the SCW. But we will go through a simple example. And, as icing on the security cake, put a Group Policy cherry on top at the end. It'll be sweet.

One note before we get going here: The tasks you perform with the SCW are strictly to secure your Windows 2003 and Windows 2003/SP1 machines. The output produced by the SCW is NOT meant to secure your Windows XP or Windows 2000 machines. Doing so could render your Windows XP or Windows 2000 machines wounded and perhaps unrecoverable.

Installing the SCW

As stated, the SCW is available only on Windows 2003 machines after SP1 is loaded. Once SP1 is installed, the SCW's help icon should automatically appear on the desktop. However, this does not mean that the SCW is actually installed. To install the SCW, you need to sojourn to Add/Remove Programs and specifically add it. Let's do that now. To install the SCW:

  1. Log on to your Windows 2003/SP1 Domain Controller as Administrator.

  2. Click Start → Programs → Control Panel → Add or Remove Programs.

  3. Click the Add/Remove Windows Components button.

  4. In the Components list, locate and select Security Configuration Wizard, as seen in Figure 6.30.

  5. Click Next to load the component and close Add/Remove Programs.

Figure 6.30: The Security Configuration Wizard's help file automatically appears on the desktop after SP1 is loaded. However, you need to specifically add in the SCW components via Add/Remove Programs.

Once loaded, you're ready to rock.

A Practical SCW Example

In this example, we'll produce an SCW policy that turns off all unnecessary services for our Domain Controller. And, we'll additionally leverage this policy for additional Domain Controllers (later) if more come aboard. To create a SCW policy, you'll run the wizard in several big-ish steps.

Initial SCW Kickoff

  1. Start the SCW by clicking Start → Programs → Administrative Tools → Security Configuration Wizard.

  2. At the first screen of the wizard, click Next.

  3. At the "Configuration Action" screen ensure that "Create a new security policy" is selected and click Next, as seen in Figure 6.31.

  4. At the "Select Server" screen, ensure that the WINDC01 server is selected and click Next. This is the machine that we'll leverage as the baseline machine. That is, the SCW will inspect this machine, see what's running on it, and try to determine its current roles so it can make some determinations about which services and such you might want to secure.

  5. After the SCW checks out your system, you'll receive a "Processing Complete" message and be given the opportunity to "View Configuration Database." The Configuration Database is simply a list of all possible roles the server might play. So, at this time, just click Next.

Figure 6.31: Kick off the SCW by creating a new security policy.

Role-Based Configuration Section

  1. Now, you'll be at the first screen of the "Role-Based Service Configuration." This section of the wizard helps you add or remove roles this server might be playing. Again, as a Domain Controller, you might also have plans for it to be a print server. Click Next to continue.

  2. When you do, you'll be at the "Select Server Roles" screen, where you are viewing a list of "Installed Roles," as seen in Figure 6.32. The SCW takes a "best guess" about what it thinks this server is already trying to do, and selects those as "Installed Roles." If you have future plans for this machine (or for others later, as you add to the OU) and want to add a role, go ahead at this point. You can select from the list presented here or use the "View" drop-down list and select to see "All Roles." Perhaps some day you'll also use certificate services on this machine. In that case, you would need to locate "Certificate Server" from the list and check it. When you've selected the services you want, click Next.

  3. Now, you'll be at the "Select Client Features" screen. Here, you'll specify which client components your server runs. Again, by default, it chooses which components it thinks are already in use. Note that for some reason, the "Group Policy Administrative Client" isn't selected, even though the GPMC is detected. I'm not sure why this is overlooked and unselected by default. But, in short, if you plan on running the GPMC on the servers that will get this policy, be sure to also select "Group Policy Administrative Client."

  4. Choose any additional features you know you are using or want to eventually use and click Next.

  5. You'll be at the "Select Administration and Other Options" page. Like the pages before it, it makes a best guess about which options you want to use. Choose any additional features you know you are using or want to eventually use and click Next.

  6. At the "Select Additional Services" page, the SCW looks to see if there are any services you might have also loaded. By default, those are checked to continue to run. Click Next to continue.

  7. At the "Handling Unspecified Services" page, you're asked how to handle the services you loaded on the Windows 2003 machine. Select to "Do not change the startup mode of the service" and click Next.

  8. At the "Confirm Service Changes" page, you can see what will happen to the myriad of services running on your Domain Controller. In Figure 6.33, you can see that many services, currently set to "Automatic," will now be configured to "Disabled."

  9. When you click Next, you'll proceed to the Network Configuration Section.

Figure 6.32: The SCW shows you the roles it thinks are currently running on your server.
Figure 6.33: The SCW will make your system less vulnerable to attack by disabling unused services.

Network Security Section

This part of the wizard is optional. And that's a good thing.

Right on this opening page of this section, you can click the "Skip this section" check box and click Next to proceed to the next section.

If you choose to continue with this section, you'll encounter the following pages (which are similar in idea to the already-examined pages). That is, the wizard tries to determine what you're already doing on this system and keeps those parts enabled and available for use; it will also close off sections that it thinks are not being used.

However, if you zip through this section, you're basically telling the SCW to turn on the Windows firewall for servers that this security policy will affect. That's a risky game because if you fail to open a port, your clients won't be able to access a program running on your server. So, proceed down this section with caution.

For our examples, we'll select to "Skip this section" and proceed.

Registry Settings Section

Like the previous section, this section is optional. Here you can make decisions about SMB signing, which operating systems can connect to this server, LDAP signing, Outbound and Inbound Authentication Methods, and more.

If you're interested in the materials in this section, be sure to read the materials on www.microsoft.com/scw.

For our examples, we're going to skip the Registry Settings Section by selecting "Skip this section" and clicking Next.

Audit Policy Section

Again, this section is optional. And I think you'll likely want to skip it. We've examined Audit Policy earlier in this chapter, and it's likely you've already manually configured your audit policy and set it upon the OUs containing the servers you already want to audit.

Moreover, as the warning on this page describes, after these settings are set, they are permanently tattooed.

For our purposes, we'll select to "Skip this section" and click Next.

Save Security Policy Section

At this point, you're ready to save your policy. But it doesn't get saved as a GPO. No, no! That would be too easy! Instead, it is saved as an XML file! On the "Security policy file name" line, enter in a legal path on this server and a name for the file, say, c:\OurSecureDCPolicy.xml. In the Description field, enter in something useful as well, as seen in Figure 6.34.

Figure 6.34: Here you can add in additional security templates or just save your SCW policy out as an XML file.

However, before you click Next, note that you can also, optionally, choose to "Include Security Templates." Yes! These are the same security templates you could have created in the previous section. Here's the idea: The SCW is easy to use and lets you manipulate a lot of stuff, but not everything. Security templates are hard to use, but let you manipulate (just about) everything. So, if you created any security templates for additional security on your Windows 2003 servers, you could add them here. Note, however, that if there's a settings conflict between a security template and the SCW, the "winner" will be the SCW, not the setting contained within the security template.

When ready, click Next.

You'll be asked if you want to apply the policy now or later. At this point, choose "Apply later" and click Next.

At the final page of the wizard, click Finish.

Converting Your SCW Policy to a GPO

At this point, you've got a nice XML file that you, well, can't do a lot with in its current form. However, the goal is to convert this XML file to a bona-fide GPO that you can then link to an OU of your choosing. In this case, you will link it to your Domain Controllers OU.

You can convert the XML file into a GPO with the scwcmd.exe command. The syntax of the command line is as follows:

 scwcmd transform /p:name_of_xml_file /g:name_of_GPO_we_want_to_create

So, because you saved the XML file as c:\OurSecureDCPolicy.xml, and you arbitrarily call the GPO OurSecureDCGPO, the syntax will be:

 scwcmd transform /p:c:\OurSecureDCPolicy.xml /g:OurSecureDCGPO

Once performed, you should get a "Command completed successfully" message. A GPO is now created with the name you've provided after the /g (in this case, OurSecureDCGPO).
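The transform step above, wrapped in a small batch script (an added example, not from the book or from Microsoft) that checks for the saved XML file, checks that the machine is Windows 2003 with a service pack as the chapter's caveat requires, and stops on a non-zero exit code so a failed transform is not silently ignored. The policy path and GPO name are the chapter's; the SP check reads the CSDVersion registry value and is an assumption about where the service pack level is recorded.

```batch
@echo off
REM Added example (not from the book): wrap "scwcmd transform" with the
REM sanity checks a practitioner would want before producing the GPO.
setlocal

REM Policy file and GPO name from the chapter; change to suit.
set POLICY=c:\OurSecureDCPolicy.xml
set GPONAME=OurSecureDCGPO

if not exist "%POLICY%" (
    echo Policy file %POLICY% not found. Run the SCW and save the policy first.
    exit /b 1
)

REM Windows Server 2003 reports kernel version 5.2 in the "ver" output.
ver | find "5.2" >nul
if errorlevel 1 (
    echo This is not Windows Server 2003. SCW output is only for Windows 2003/SP1.
    exit /b 1
)

REM Service pack level lives in CSDVersion, e.g. "Service Pack 1" (assumption:
REM this is the value to inspect; SP1 or later is acceptable).
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion | find "Service Pack" >nul
if errorlevel 1 (
    echo No service pack detected. SP1 is required for the SCW.
    exit /b 1
)

REM Turn the saved SCW policy into an (unlinked) GPO in the Group Policy Objects node.
scwcmd transform /p:%POLICY% /g:%GPONAME%
if errorlevel 1 (
    echo scwcmd transform failed with exit code %ERRORLEVEL%.
    exit /b 1
)

echo GPO "%GPONAME%" created. Link it to the Domain Controllers OU from the GPMC when ready.
endlocal
```

The script only creates the GPO; linking it to an OU is still done by hand in the GPMC, as the following sections describe.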

Warning

IIS configuration that is defined in the SCW policy is not parlayed into a transformed GPO. It is lost.

Viewing and Applying Your Transformed GPO

At this point, fire up the GPMC to see if the GPO you just created by transforming the XML file is there. It should be in the Group Policy Objects node, but not linked to any site, domain, or OU. Note that you might have to refresh the list of GPOs in the Group Policy Objects node to see the new GPO.

When ready, link the GPO you created to the final destination. In our working example, you would link the GPO to the Domain Controllers OU. You don't really need to do this now, but you can do so if you so choose. Again, the GPO will just sit there in the Group Policy Objects node swimming pool doing nothing unless it's actually linked to a site, domain, or OU.

One quick word of warning about the resulting GPO that is created. That is, if you click on the Settings tab inside the GPMC to see the resulting GPO that is created, you might not see anything! However, if you actually edit the GPO, you'll be able to see the settings that are actually contained within the GPO (see Figure 6.35). This is a micro-bug that I'm sure will be fixed with a hotfix. Stay tuned on GPanswers.com because I'll update you with a newsletter as soon as I know of an update.

Figure 6.35: The Settings tab might not show any settings from the transformed GPO. However, editing the GPO will show that the settings are, indeed, changed inside the GPO.

Note that if you change any settings within the GPO, the problem magically fixes itself, and then you can see the settings contained within the GPO by clicking the Settings tab. Something about editing the GPO inside the Group Policy Object editor fixes the converted GPO and makes it viewable. Again, this is a bug that I'll try to keep an eye on for an update.

SCW Caveats

There are two additional warnings when using the SCW to create XML policies and then convert them to GPOs.

Don't use the SCW (and corresponding GPOs) to apply settings to machines other than Windows 2003/SP1. That's the official word from Microsoft. The SCW is simply not meant to be used to deploy settings to Windows 2000, Windows XP, or even Windows 2003 without SP1. That's right, so don't do it! Microsoft did not test the SCW with these operating systems, so applying GPOs transformed from SCW's XML files could be very, very dangerous if not applied to Windows 2003/SP1.

Don't expect File and Registry ACLs to be able to "roll back." After you lay down file or Registry ACLs using GPOs (either transformed from SCW's XML files, via security templates, or by hand), you cannot roll these settings back. They are always permanently tattooed on the target system.



Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
ISBN: 0782144470
Year: 2005
Pages: 110