September 6, 2005

Configuring security policies on a vanilla Windows server is a nightmare, even for the seasoned administrator. Add other programs and components to the box, and keeping just the right ports open, giving exactly the right files the desired access and generally locking down the server becomes a process few administrators would dare to venture into. Most simply back up pre-created registry and policy files and import them on all servers. But all that wincing is no longer necessary.

Applies to: Enterprise administrators
USP: Create and apply security policies using a simple wizard interface
Primary Link: 
Google keywords: 2003 security wizard

Windows Server 2003 Service Pack 1 (all editions of that OS) ships with a new tool, the Security Configuration Wizard (SCW), that makes the job much simpler and less painful.

Just a little trouble
However, like all good things, it is well hidden. Before you start searching for the tool, you need to install it. Its bits are already on the system; you just need to go to Add/Remove Programs, open the Add/Remove Windows Components box and scroll down a bit. Check the 'Security Configuration Wizard' item there and click Next on every screen until you Finish. You won't need the Windows CD for this. The wizard is now available under 'Administrative Tools', and the same component installs a command-line front end, scwcmd.exe, for scripting what the wizard does.

Run the tool
The tool runs in two phases: you create a policy (an XML file) and then you apply it. Any policy you apply can be rolled back, with one or two exceptions, and the wizard warns you well in advance when something you are about to do cannot be rolled back. Nothing is applied to the system until you go through the apply phase. And you know what else? You can create the policy using a single server for reference and apply it across your enterprise in one step.

The configuration database viewer shows you information collected about the reference server

On the first screen of the wizard, you select which type of run you want to do. This is our first time through, so we select ‘Create a new security policy’. The next screen is where you specify the server to use as the reference server. Read the text with the warning icons at the bottom carefully. You need to have administrative access to the server you specify. And, if you’re using the IIS bits of the wizard, you need to have the IIS 6.0 common files (available in Win XP and 2003) on the system you are running the wizard from. When you go to the next screen, the wizard will scan the reference system and collect information about what is installed. 

At this point, you can click on the ‘View Configuration Database’ to see what it found. The screen is exhaustive yet simply organized and self-explanatory. Close that screen to return to the wizard.

The wizard: a long process
The whole wizard consists of at least 21 screens for a 'barebones' server with just Active Directory and IIS installed. As you saw in the configuration database screen, there is a lot more the wizard can handle, and the number of screens only grows with more of those programs installed.

Configure required services and roles as per the administration options. The dropdown lists the common options

Typically, you select what roles you want the server to play and then what services you want it to be running. Unchecking a role does not uninstall it, but merely disables that role (its services and ports) through the security policy you create. The wizard has a useful screen at the end of the first set that asks what to do if a service that was not on the reference system is found on the system you're applying the policy to. The options are to leave it untouched or to disable it. Disabling is the safer choice, but only if the reference server really represents the servers you will push the policy to; otherwise you will switch off something a target needs.

At the end of every set of screens there is a summary screen that tells you the current setup and how it will be changed in the policy. You will also encounter a few options you don't get to see elsewhere. For example, you may want all computers that connect to your domain controller to be in sync with that server's clock and to run at least Windows NT 4.0 SP6a. If you attempt to change a pre-selected setting that does not exist on the reference server, the wizard warns you about that.

Policy chains
This is something administrators of Small Business Server systems are quite used to. For the others, chained policies are nothing but a set of policies that are added one inside the other, to create an inherited/derived policy that contains one or more attributes from each. When two chained policies set the same attribute, the one imported later in the chain wins; for permission entries (file, registry and service ACLs), as with all security-related configuration, a 'deny' takes precedence over an 'allow'. To do this normally, in the Group Policy Editor, you right-click on a policy node, select 'Add Template' and then add a new policy into it. You can chain any number of policies (at least there seems to be no documented limit).

The Security Configuration & Analysis snap-in allows management of security policies in a Group Policy Editor style interface

The security wizard allows you to embed/chain policies into the one you just created, at the end of the create sequence. In order to be able to find your created policies later, make sure you enter a good description in the large description box shown on that screen. Policy files from the wizard are stored as XML files. Once again, you're given a peek into the configuration database; if you printed the original information, you can now compare it to check what has changed.
Finally, you get the option to apply the policy later (if you want to do this on another system) or immediately. Whenever you apply the policy, you will need to restart that system, so plan for that too.
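The 'apply later, across many servers' path above is easiest to drive from scwcmd.exe, the command-line front end installed with the wizard. The script below is an added example written for this article, not something shipped with SCW: it assumes the wizard saved its policy as C:\SCW\Baseline.xml, that the three host names are placeholders for your own servers, that the account running it is a local administrator on each target, and that scwcmd.exe is on a machine where SCW is installed.

```powershell
# Added example (not from the original article or from Microsoft): push a policy
# created by the Security Configuration Wizard to several servers with scwcmd.exe.
# Assumptions: C:\SCW\Baseline.xml is the XML policy the wizard saved; the server
# names are placeholders; the caller has admin rights on every target.

$Policy    = 'C:\SCW\Baseline.xml'       # XML policy written by the wizard
$ReportDir = 'C:\SCW\Reports'            # scwcmd analyze writes one XML report per server here
$Servers   = 'WEB01', 'WEB02', 'DC01'    # placeholder host names
$Failed    = @()

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

foreach ($Server in $Servers) {
    # 1. Dry run: compare the target's current state with the policy.
    #    Nothing on the target changes; a report lands in $ReportDir.
    & scwcmd.exe analyze /m:$Server /p:$Policy /o:$ReportDir
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "${Server}: analysis failed (exit $LASTEXITCODE); skipping"
        $Failed += $Server
        continue
    }

    # 2. Apply the policy. This is the step that needs the reboot the article
    #    warns about, so schedule it in a maintenance window.
    & scwcmd.exe configure /m:$Server /p:$Policy
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "${Server}: configure failed (exit $LASTEXITCODE); rolling back"
        # Undo the last policy SCW applied on that machine, the same thing the
        # wizard's 'Rollback the last applied security policy' option does.
        & scwcmd.exe rollback /m:$Server
        $Failed += $Server
        continue
    }
}

if ($Failed.Count -gt 0) {
    Write-Warning ('Servers needing attention: ' + ($Failed -join ', '))
}
```

Review the analysis reports before letting the configure step run: a target that differs from the reference server (an extra service, a different role) is exactly the case the 'unspecified services' screen asked you about. If you would rather distribute the same policy through Group Policy, `scwcmd transform /p:<policy.xml> /g:<GPO name>` converts the wizard's XML into a GPO you can link to an OU.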

The power-administrator view
The big daddy of the wizard is of course the Security Configuration and Analysis snap-in (MMC). To use it, run 'mmc' from Run, add this snap-in and save the console file to your Programs\Administrative Tools folder. This snap-in, however, has always been available without needing to install or enable anything. It mostly resembles the Group Policy Editor (gpedit.msc). To use it, right-click on the root node (Security Configuration and Analysis) and select 'Open Database'. If there is no database yet, you will be prompted to create one (strangely, in an 'Open' box): provide a name and click Open to continue. You are then asked to import a security template (an .inf file); that template becomes the baseline the computer is compared against. Next, right-click on the root node again and select 'Analyze Computer Now'. The snap-in writes a log file during this and prompts you for the path to store it. It analyzes the various components and provides an item-wise result in the respective view. For instance, to see the analysis results for password policies, open Account Policies and look under Password Policy. You can change an option from here, then save the database. The analysis itself only compares the database with the live settings; to actually apply the options, you must select 'Configure Computer Now' from the context menu.

With these two tools, most of your security configuration processes should now become much easier. But don’t forget to
keep your firewalls on and your system completely updated for the latest patches and fixes.

Sujay V Sarma
