New in Windows Server 2003 SP1 and R2, Microsoft has made available a tool that will help you to determine exactly what is running on your Windows Server 2003 system and be able to reduce the surface area of your server, thereby making it less vulnerable to an attack. In short, through the use of the Security Configuration Wizard, you can take a very granular look at your system and disable non-required functionality.
The Security Configuration Wizard does not automatically install when you install SP1 or R2. Follow these steps to install:
- Go to Start | Settings | Control Panel
- Choose Add or Remove Programs.
- Choose Add/Remove Windows Components
- Select the check box for Security Configuration Wizard, click Next. Make sure you have your source media available.
After installation is complete, the Security Configuration Wizard is available from Start > All Programs | Administrative Tools | Security Configuration Wizard.
When you initially run the tool, you need to provide a server to use as a baseline (you'll probably have multiple security policies based on the role each server plays in your organization). Further in the Wizard, you will see a complete list of the potential roles for your server, from both a server and a client perspective. For example, you might have one server that runs the SMS 2003 server, and another that has the SMS 2003 client installed. Select the roles for this server. You can also choose whether to enable administrative services, such as BITS (Background Intelligent Transfer Service), Browser, Browse Master, Remote Desktop, SQL Server Agent, and more. Microsoft can't be on top of every possible service on your server, so the Wizard also provides you with the capability to either ignore or disable any services that are not on the lists.
Beyond services, the Wizard also allows you to specifically allow or deny specific TCP/IP ports. Also, you can use the tool to restrict access to a specific TCP/IP port to a single computer or a range of IP addresses. For example, if you want to allow only people on your administrative network permission to establish any kind of connection using Remote Desktop, you could restrict port 3389 to just that subnet.
You can also make policy changes that affect the handling of SMB file and print traffic. For example, if your server has enough excess capacity, you can require signing for all SMB traffic to prevent man-in-the-middle type attacks on your clients. The same goes for signing all LDAP traffic. In the policy, you can indicate that all clients that connect run a version of at least SP3 for Windows 2000 to help protect LDAP information on your network.
Other areas addressed in the tool:
- Audit settings: Determine if you want to enable auditing and, if so, if you want to log successful, or both successful and unsuccessful activities.
- IIS: Which IIS extensions do you want to enable? For example, ASP.NET 1.1, ASP.NET 2.0, Server Side Includes, WebDAV, etc. Also, which virtual directories should be enabled? You might want, for example, to block access to the IISAdmin folder.
All in all, the Security Configuration Wizard is extremely thorough and will take a huge amount of time to get "just right," but has the potential to be a huge boon for your security efforts.
Miss a tip?
Check out the Windows Server 2003 Archive, and catch up on the most recent tips from this newsletter.
Stay on top of the latest WS2K3 tips and tricks with our free Windows Server 2003 newsletter, delivered each Wednesday. Automatically sign up today!