Windows 2003 Server features a Security Configuration Wizard designed to harden the server. The Security Configuration Wizard does this by analyzing the roles that you have created for the server and eliminating any unnecessary roles and services. Additionally the Security Configuration Wizard can improve a Win2k3 servers network security, registry settings and audit policy.

Once you’ve created a policy, you can save the policy and use it in your Group Policy for deployment on other Win2k3 servers in your network. Clearly, this capability speeds up the process of setting up and hardening servers, as well as insures a level of homogeneity across your environment. For our purposes, we are going to install and run the Security Configuration Wizard on a VPN (Virtual Private Network) server.

Misleading Article
By reading the first of article links to Microsoft’s SCW for Windows 2003 Server page, you might think that the Security Configuration Wizard should be accessible through the Administrative Tools, once you’ve installed Service Pack 1. In my experience, this isn’t the case. (I tend to not add on services until later.) It’s not that the writers don’t know what they’re doing, it’s just that they don’t have the opportunity to do hands-on work. (I know the mistakes. I’ve been in his shoes, albeit in a different field.)

Yes. The Security Configuration Wizard does come with Service Pack 1, but it’s an add-on component. And once you’ve installed it, it will show up where the Redmond Magazine writer says it should. (ComputerWorld at least gets it right.)

Install It
To install the Security Configuration Wizard, go to the control panel and click on Add/Remove Programs. Click on Add/Remove Windows Components. Scroll down until you find Security Configuration Wizard and click Next.

Windows will proceed to install the necessary files. When the install is done, click Finish.

Now, the Security Configuration Wizard will show up in your Administrative Tools as the articles say it should.

Security Configuration Wizard
Start the Security Configuration Wizard and you will see a familiar Welcome screen appear. In order for the SCW to do its job, all applications and services need to be running. Click Next.

On the next page we have the choice of creating a new policy, editing an existing policy, applying an existing policy or rolling back the last applied policy (useful!). With Create selected, click Next.

Then, select the server. By default the name of the server on which the Security Configuration Wizard is running appears. Click Next.

Then the Security Configuration Wizard will process the security configuration database.

View Roles
Click on the View Configuration Database to see the Security Configuration Wizard viewer. The Security Configuration Wizard correctly lists VPN as installed, enabled.

Close out of the Security Configuration Wizard Viewer and click on Next to arrive at the Role-Based Service Configuration Wizard page. The next few steps will verify what the Security Configuration Wizard found and your intentions for the server. (A common security practice is to keep the server as secure as possible, reduce the amount of roles and services listed, until something critical ceases to function.) Click Next.

The Security Configuration Wizard found that our server was listing itself as a File Server. Which isn’t one of the roles we’d intended. We unchecked that box and proceeded to the next screen.

Next, the Security Configuration Wizard will verify the client services. Verify these and click Next.

The Security Configuration Wizard proceeds to list on two similar subsequent screens the Administration and Other Options (e.g. Remote Desktop) and any Additional Services (e.g. anti-virus) on the server. Verify these and click Next.

Then, the Security Configuration Wizard asks how it should handle unspecified services. It can either leave the startup mode of the service alone or disable the service. Click Next.

Ch-Ch-Ch-Changes
The Security Configuration Wizard follows all this with a confirmation screen that lists all the service changes it is going to make based on its analysis and verification. On our box, we noted, 24 changes. Click Next.

Before finishing the Security Configuration Wizard will look at network security, which basically involves the Windows Firewall, which can’t be run on a VPN server, registry settings and audit policy. Upon finishing these sections, or skipping them, the Security Configuration Wizard will save the template as an XML file by default in C:\WINDOWS\security\msscw\Policies\. Finally, the Security Configuration Wizard will ask you if you want to apply the policy now or later.

Results
After running the Security Configuration Wizard , I ran the Microsoft Baseline Security Analyzer against the VPN server. MBSA gave the box a clean bill of health, noting that the password on the Guest account, which was disabled, wasn’t set to expire.

Advertisements