Security Configuration Wizard in Windows Server 2003 Service Pack 1

Applies To:Windows Server 2003 with SP1
What does Security Configuration Wizard do?
Security Configuration Wizard (SCW) is a new featurein Windows Server 2003 with Service Pack 1 that provides guided attack
surfacereduction for your servers.SCW is highly recommended for creating security policies for servers based on their roles.
SCW includes thefollowing features:
Remote or local role-based lockdown ensures thatall necessary services areturned on, minimizing risk of breakage.
Any services not specifically needed by therole(s) performed by thetarget system can be disabled.
Firewall and IPsec configuration ensures that theserver presents the minimum possibleattack profile based on the needs
of theselected role(s).
Automated selection of key security settings based on a guided wizard to minimizecompatibility problems and maximize
security.
Selection of appropriateaudit settings.
Inclusion of standard security templates for detailed customization of security policy.
Integration with Group Policy for Active Directory-based deployment of security policies.
Fully functional and scriptablecommand lineinterfacefor automated deployment to multipleservers across the network.
Rollback of policies for testing and troubleshooting purposes.
Declarativeextensibility of roleknowledge baseto allow authoring of new roles.
When you run SCW you will beasked a series of questions to determinethefunctional requirements of your server. Any
functionality that is not required based on your selections can be disabled automatically.
Who does this feature apply to?
SCW can be used with any system running Windows Server 2003 with Service Pack 1 and in any network configuration.SCW
will be of interest to:
Security professionals responsiblefor authoring corporatesecurity policies.
Information technology (IT) professionals responsiblefor deploying,configuring,and managing servers.
Developers of server-based applications who want their applications to be managed with SCW.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Security Configuration Wizard
Detailed description
Security Configuration Wizard uses a roles-based metaphor driven by an extensible XML knowledge basethat defines the
services, ports,and other functional requirements for almost 200 different system roles, including roles for Windows Server
System applications such as Microsoft ISA Server and SQL Server.
SCW uses this extensible XML knowledge baseto perform role discovery, solicit user input,and author security policies that
disableservices, block ports, modify registry values,and configureaudit settings.Even ports thatareleft open can berestricted
to specific subnets or systems using Internet Protocol security (IPsec).SCW also allows you to roll back previously applied
policy settings. It includes a command linetool you use with administrativescripts and other administrative utilities to apply a
security configuration and perform complianceanalysis on groups of servers in your organization.SCW also integrates with
Active Directory to support deployment ofSCW-generated policy settings through Group Policy.
Summary of SCW security coverage
Security Configuration Wizard allows users to easily:
Disable unnecessary services.
Protect Internet Information Services (IIS).
Note
IIS policies cannot be deployed with Group Policy since Group Policy does not currently configureIIS. If a policy containing
IIS settings is converted to a Group Policy object theIIS settings arelost.
Block unused ports, including support for multi-homed scenarios.
Secure ports thatareleft open using IPsec.
Reduce protocol exposurefor Lightweight Directory Access Protocol (LDAP),LAN Manager,and server message block
(SMB).
Configureaudit settings with a high signal-to-noiseratio.
Import Windows security templates for coverage of settings thatare not configured by the wizard.
Summary of SCW operational features
In addition to roles-based guided security policy authoring,SCW also supports:
Rollback.Enables you to return your server to thestateit was in beforeyou applied theSCW security policy.
Analysis.Enables you to check that servers arein compliance with expected policies.
Remote configuration and analysis support. All SCW functionality can be performed on both local and remotesystems.
Command line support. A command-linetool is provided for scripting use.
Active Directory integration.Supports deploying SCW policies using Group Policy.
Editing. A security policy created using SCW can be modified when necessary, such as when machines arerepurposed
or when a system configured with a particular policy does not behaveas expected.
Reports. Provides theability to view the data stored in theknowledge base, policies,and analysis results XML files.
Why is this change important?
Attack surfacereduction is a fundamental security best practice,yet it is often difficult for server administrators to find thetime
to properly secure, test,and deploy a Windows server without breaking required functionality, which can lead to vulnerable
servers within an organization.
Security configuration guides (such as the Windows Server 2003 Security Guide on the Microsoft Web siteat
http://go.microsoft.com/fwlink/?LinkId=14845) provide general settings that supporta broad range of systems but that do not
providean optimal security versus functionality tradeoff for a specific class of systems.SCW automates thelockdown process
of systems providing specific functionality and is fully tested and supported by Microsoft. Reducing theattack surface of
Windows servers can minimizethe number of servers that need to beimmediately patched when a vulnerability is discovered,
as a given vulnerability will not necessarily be present or exploitablein all configurations.
What works differently?
Today,Windows administrators typically definesecurity policies using theSecurity Configuration Editor on their own, in
conjunction with documented guidance, or with existing security templates designed for specific scenarios. In contrast,Security
Configuration Wizard is an authoring tool thatallows you to createa custom security policy by answering a series of questions.
For settings thatare not configured by the wizard,SCW allows theadministrator to importexisting security templates.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
No, butSCW is extensibleso that developers can createtheir own SCW role definitions for their own applications. A
whitepaper about how to extend theSCW knowledge base will beavailable when Windows Server 2003 Service Pack 1 is
released.
What do I need to change in my environment to deploy Windows Server 2003 Service Pack 1?
Nothing, however SCW can be used during the deployment process to ensureservers are deployed with theexpected security
policy.
If unattended setup is used to deploy servers,consider thefollowing:
Install theSCW optional componentautomatically during unattended setup by adding thefollowing entry to the
[Components] section of unattend.txt: SCW = On.
To apply an SCW policy during the unattended installation,also carry out thefollowing steps:
Createthe policy file on a server thatalready has SCW installed.
Either createa Cmdlines.txt file or modify theexisting oneso that it has a [Commands] section containing the
following line: scwcmd configure /p:SCWPolicy.xml
Copy the Cmdlines.txt fileand the previously created policy file(SCWPolicy.xml in this case) to the $OEM$
directory.
If an imaging solution is used to deploy servers,you can apply an SCW on thereference machinethat will beimaged
prior to creating theimage.
For additional information on Security Configuration Wizard go to the Microsoft Web siteat http://go.microsoft.com/fwlink/?
LinkId=45503.