Many organizations struggle with implementing the proper
security features on a new Windows Server 2003 installation, and some just add
security as needed. As far as resources go, there are multiple sources for
checklists and guides available, including SANS, NSA, NIST, and a host of others.
However, rather than reading through hundreds of pages of documentation and
creating custom security templates, there’s an easier way: the Security
Configuration Wizard.

This wizard contains an XML database that includes every
service, feature, and administration option for every different server deployment
type. Regardless of whether you’re deploying a DNS, Exchange, File and Print,
Domain Controller, or any other Windows server, this tool has the settings you
need to lock it down.

Run the wizard

The main purpose of this wizard is to implement role-based
security on Windows Server 2003. By defining the server’s role on the network, you
can disable unnecessary services, block unused ports, implement additional
address or security restrictions for ports necessary for operation, disable
unnecessary IIS Web extensions, and restrict access to server message block
(SMB), LanMan, and Lightweight Directory Access Protocol (LDAP) services.

You must have Windows Server 2003 Service Pack 1 installed to
run this wizard. To access the wizard, go to Start |
All Programs | Administrative Tools | Security Configuration Wizard (Scw.exe).

When you first run the tool, it will prompt you to start or
install any network applications (e.g., IIS, Exchange, SQL, etc.) that the
server will use, so it can define the server role and apply the proper security
settings. The wizard will also ask whether you want to create a new security
policy, edit an existing policy, apply a policy, or roll back a policy. For
this example, we’re using this tool after initial installation, so select Create
A New Security Policy.
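The create/apply/roll back modes the wizard offers are also exposed by its command-line companion, scwcmd.exe, which is what you would use to push one role policy to many servers. The batch script below is an added example, not from the column; the policy file, server list and report paths are placeholders, and it assumes you have administrative rights on each target.

```batch
@echo off
rem Added example: apply one SCW policy to every server in a list with
rem scwcmd.exe, then run an analysis so you can review compliance later.
rem POLICY is a policy saved by Scw.exe; SERVERS lists one host per line.
setlocal EnableDelayedExpansion

set POLICY=C:\SCW\FilePrint-Role.xml
set SERVERS=C:\SCW\fileprint-servers.txt
set REPORTS=C:\SCW\reports
set LOG=C:\SCW\deploy.log

if not exist "%POLICY%" (echo Policy %POLICY% not found & exit /b 1)
if not exist "%SERVERS%" (echo Server list %SERVERS% not found & exit /b 1)
if not exist "%REPORTS%" mkdir "%REPORTS%"

rem Lines starting with # in the server list are treated as comments.
for /f "usebackq eol=# tokens=*" %%S in ("%SERVERS%") do (
    echo [%date% %time%] Applying %POLICY% to %%S >> "%LOG%"
    rem /p: = policy file, /m: = target machine
    scwcmd configure /p:"%POLICY%" /m:%%S
    if !errorlevel! neq 0 (
        echo [%date% %time%] FAILED on %%S, exit code !errorlevel! >> "%LOG%"
    ) else (
        rem Compare the live machine against the policy; the result is
        rem written as an XML file per machine into the REPORTS folder.
        scwcmd analyze /p:"%POLICY%" /m:%%S /o:"%REPORTS%"
        echo [%date% %time%] Applied and analyzed %%S >> "%LOG%"
    )
)

echo Done. Analysis results are in %REPORTS%; see %LOG% for failures.
echo To undo a server, use: scwcmd rollback /m:SERVERNAME
echo Note: SACLs set through the audit template are not undone by rollback.
endlocal
```

Run it from an administrative command prompt on a management workstation that can reach the servers; the rollback note repeats the column's warning about SACLs.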

Define the role

At this point, you can select a predefined role for your
server from the wizard’s security configuration database. After you select the
server role, the wizard will prompt you to select the client features,
additional administrative options, additional services (for non-Microsoft
applications), and any special handling for these services.

Now, let’s take a look at the different sections of the
Security Configuration Wizard.

Network security

This section configures inbound ports using the built-in Windows
Firewall. The tool bases the displayed settings on the roles and administration
options that you’ve selected. If your organization uses IPSec, you can further
restrict which addresses may reach IP services and ports, and you can configure
encryption of the traffic on those ports using IPSec.

Registry settings

This section configures protocols used to communicate with
computers on the network. If you have legacy Windows systems operating on your
network (pre-Windows 2000), these systems create an additional vulnerability to
password-cracking and man-in-the-middle attacks, and they require special
configuration to interoperate with Windows Server 2003. You can adjust the
security settings of SMB and LDAP services as well as inbound/outbound
authentication protocols for these legacy systems.

Audit policy

This section configures the auditing of the server based on
your organization’s auditing policy. The Audit Policy Editor allows you to
configure the server to not audit any events, audit only successful events, or
audit both successful and unsuccessful events.

Warning: If you
use the wizard to apply the built-in audit security template to set the System
Access Control Lists (SACLs), you cannot remove these settings through the
rollback feature.

Internet Information Services

If this server will function as an IIS server, the wizard
will prompt you to configure the security for the Web server. You can select
the Web service extensions used for dynamic content, virtual directories used
for your Web server, and allow or deny anonymous users from accessing Web site

Final thoughts

While some people might still prefer the pre-Windows Server 2003
method of securing their servers, the Security Configuration Wizard provides a
powerful and easy opportunity to create a role-based security template that you
can apply consistently to every server you own. If you’ve been looking for a
way to standardize and simplify security settings for your Windows Server 2003
servers, don’t overlook the Security Configuration Wizard.

Miss a column?

Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.


Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security