CATEGORII DOCUMENTE |
Asp | Autocad | C | Dot net | Excel | Fox pro | Html | Java |
Linux | Mathcad | Photoshop | Php | Sql | Visual studio | Windows | Xml |
Microsoft Corporation
Security Configuration Wizard (SCW) is an attack surface reduction tool for members of the Microsoft Windows Server 2003 family with Service Pack 1 (SP1). This guide provides system requirements, installation instructions, and steps for getting started with SCW.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.
2005 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Security Configuration Wizard Quick Start Guide
Requirements for Installing and Running SCW
Securing Windows Small Business Server 2003
Security Configuration Database
Identify and target similar servers
Test new security policies offline before deployment
Create one complete security policy
Organize similar servers into organizational units (OUs) in Active Directory
Running Security Configuration Wizard
Applying Security Configuration Wizard security policy
Internet Information Services (IIS) role not being detected by SCW
Cannot Process Security Configuration Database
Cannot rollback last applied security policy
Cannot determine the IP address from the computer name. The lookup service is not available
Security Configuration Wizard (SCW) is an attack surface reduction tool for members of the Microsoft Windows ServerT 2003 family with Service Pack 1 (SP1). SCW determines the minimum functionality required for a server's role or roles, and disables functionality that is not required. Specifically, SCW:
Disables unneeded services.
Blocks unused ports.
Allows further address or security restrictions for ports that are left open.
Prohibits unnecessary IIS web extensions, if applicable.
Reduces protocol exposure to server message block (SMB), LanMan, and Lightweight Directory Access Protocol (LDAP).
Defines a high signal-to-noise audit policy.
SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that are created with SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS).
Note:
In some cases, you must be connected to the Internet to use the links in SCW Help. If your computer is not connected to the Internet, you can find the same topic in Help and Support Center by searching for the link text. To open Help and Support Center, click Start, and then click Help and Support Center.
SCW is an optional component included with Windows Server 2003 SP1.You can install and run SCW only on computers running a member of the Windows Server 2003 family with SP1.
The computers you target with SCW (for prototyping to create security policy, or for application of SCW-created security policy) must run a member of the Windows Server 2003 family with SP1.
SCW is not used with Windows XP or other client operating systems.
SCW is not used with Windows Small Business Server 2003.
Several security-related Internet Information Services (IIS) settings can be configured using SCW. You need a server running IIS if you want to do this.
Instead of SCW, Windows Small Business Server 2003 uses the default settings in Setup and in the Configure E-mail and Internet Connection Wizard to help secure your server.
If you have not already run the Configure E-mail and Internet Connection Wizard, you should run it to help secure your server.
To start the Configure E-mail and Internet Connection Wizard on the computer running Windows Small Business Server 2003
1. Click Start and then click Server Management. 2. In the console tree, click Internet and E-mail. 3. In the details pane, click Connect to the Internet. |
This guide is designed to get you up and running quickly with SCW in Windows Server 2003 SP1. SCW Help is installed with Windows Server 2003 SP1, and it contains information beyond what is in this Quick Start Guide, including help for every page of SCW.
After you install SP1, you can access SCW Help through Help and Support Center, or at the command line.
The SCW Help is available even though SCW itself is not installed by default.
To access SCW help through Help and Support Center
1. Click Start, and then click Help and Support. In Search, type SCW or type Security Configuration Wizard, and then press ENTER. 2. Click one of the listed SCW Help topics. |
The procedure title
1. Click Start, and then click Run. 2. Type hh scwhelp.chm and then press ENTER. |
This section contains first steps and basic information you need to use SCW.
After you have installed SP1, you are ready to install SCW.
To install SCW
1. In Control Panel, double-click Add or Remove Programs. 2. Click Add/Remove Windows Components, select the check box for Security Configuration Wizard, and then click Next. |
Note:
SCW can be deployed by using an unattended installation. Consult the SCW Help for information about unattended installation of SCW.
There are three main components that you need to know about in order to get started using SCW. They are Security Configuration Wizard itself (the user interface), the command-line tool, and the Security Configuration Database.
SCW guides you through the process of creating a security policy, based on the roles performed by a given server. Once a policy is created, it can be edited or applied to one or more similarly configured servers. Applied policies can be rolled back in order to undo changes that have caused problems. To edit, apply, or roll back a security policy, the policy must have been created with SCW.
You can use the SCW user interface for the following tasks:
Create a new security policy.
Edit an existing SCW-generated security policy.
Apply an existing SCW-generated security policy.
Roll back the last applies SCW policy.
SCW includes the Scwcmd.exe command-line tool. You can use Scwcmd for the following tasks:
Configure one or many servers with an SCW-generated policy.
Analyze one or many servers with an SCW-generated policy.
View analysis results in HTML format.
Roll back SCW policies.
Transform an SCW-generated policy into native files that are supported by Group Policy.
Register a Security Configuration Database extension with SCW.
When you use scwcmd to configure, analyze, or roll back a policy on a remote server, SCW is required to be installed on the remote server.
To get basic help on the Scwcmd tool
1. Install SCW, as described in "Installing SCW" earlier in this document. 2. Open a command prompt. 3. Type Scwcmd. |
The Security Configuration Database consists of a set of XML documents that list services and ports that are required for each server role that is supported by SCW. These files are installed in %Systemroot%SecurityMsscwKBs. After you select a server, on the Processing Security Configuration Database page, the server is scanned to determine the following:
Roles that are installed on the server
Roles that are likely being performed by the server
Services that are installed but not part of the Security Configuration Database
IP addresses and subnets that are configured for the server
SCW combines this server-specific information into a single XML file named Main.XML. The Security Configuration Wizard displays Main.XML if you click View Security Configuration Database on the Processing Security Configuration Database page.
The directory %Systemroot%SecurityMsscwtransformfiles contains .xsl transform files. These are applied to the .xml policy file for the rendering process when you view analysis results through the scwcmd /view command.
This section tells how to get the most out of SCW.
SCW helps to reduce the attack surface of servers by creating a security policy that is specifically designed for their specific roles. Administrators can simplify policy authoring and distribution by identifying groups of servers that perform the same, or similar, tasks. Here are ways you can do this:
Author one policy for a group of servers. SCW authors a security policy based on the roles, tasks, and functions performed by a server. Others servers that perform the same, or very similar, functions can be configured with the same security policy. Administrators can use SCW once to author a security policy, save it, and apply it to all servers that perform the job function.
Group similar servers in one organizational unit (OU). The SCW transform operation can apply a security policy to a domain or OU by using Group Policy. To simplify policy distribution, an administrator could group servers that perform similar job functions, and use the same security policy, into a single OU. A new security policy can be distributed quickly and easily to the server OU by using the SCW transform operation.
Create policies for similar platforms. For services or ports specific to 64-bit computers, create the policies on a 64-bit computer. Then deploy these policies to other 64-bit computers only (not 32-bit computers) to ensure the services are properly identified and configured.
It is highly recommended that the prototype server from which the security policy will be created matches the target servers to be configured at the service level. The security policy disables any service on the server that is contained in the Security Configuration Database but was not present on the prototype server when the policy was created. For example, if the DCOM Server Process Launcher service is listed in the Security Configuration Database, but is not present on the prototype server, the security policy created based on the prototype server will set the DCOM Server Process Launcher state to disabled. When you apply the security policy to other servers, the DCOM Server Process Launcher service will be disabled on those servers. You can configure unnecessary services in SCW (you can disable the service or leave the startup mode of the service unchanged), but only services that are not in the Security Configuration Database, and therefore are not defined in the security policy that you create with SCW.
The settings configured in the new security policies may cause compatibility issues with applications or services. Therefore, thoroughly test new security policies in a test environment before applying the policies to production servers.
SCW should be used to author a single security policy that contains all desired security settings for a server. This will simplify configuration, rollback, and analysis. For simple configuration and rollback, a single security policy for a machine, or set of machines, is much easier to understand and update than a series of policies. If a security policy defines all the desired settings for a server, a compliance report can be generated by executing one scan, which facilitates analysis when using the scwcmd /analyze command. For more information about scwcmd, see "Scwcmd command line tool" earlier in this document.
Grouping servers by OUs in Active Directory domains facilitates the application of security policy through Group Policy.
There are three principal mechanisms for deploying SCW and the security policies it creates:
Microsoft Systems Management Server. Systems Management Server can be used to deploy SCW to multiple servers.
Group Policy. Group Policy can be used to deploy the security policies created with SCW. To do this, you first create the policy by using SCW user interface, and then use the command-line tool to create a Group Policy-compatible version.
Unattended installation of SCW. Unattended installation of SCW is possible. See SCW Help for more information about unattended installation.
A white paper is being created that will address deployment options in detail.
This section walks you through four basic SCW tasks. The SCW user interface is used for the first two tasks, and the command-line tool for the last two tasks, but the second and third tasks could be done by using either the command-line tool or the user interface.
To create a security policy based on a prototype server
1. Click Start, click Administrative Tools, and then click Security Configuration Wizard. 2. Read the Welcome page and click Next. 3. Select Create a new security policy and then click Next. 4. Type the name of the prototype server and then click Next. 5. When processing is complete, click Next. 6. On the Role-Based Service Configuration page, click Next. 7. On the Select Server roles page, click Next. 8. On the Select Client Features page, click Next. 9. On the Select Administration and Other Options page, click Next. 10. On the Select Additional Services page, click Next. 11. On the Handling Unspecified Services page, select either Do not change the startup mode of the service (default), or Disable the service, and then click Next. Note: The settings on the Handling Unspecified Services page control how SCW treats services that it finds on the prototype server, but that are not defined in the Security Configuration Database, and thus are not known to SCW. A whitepaper about extending the database will be created. 12. On the Confirm Service Changes page, click Next. 13. On the Network Security page, click Next. 14. On the Open Ports and Confirm Applications page, click Next. 15. On the Confirm Service Changes page, click Next. 16. On the Confirm Port Configuration page, click Next. 17. On the Registry Settings page, click Next. 18. On the Require SMB Security Signatures page, click Next. 19. On the Require LDAP Signing page, click Next. 20. On the Outbound Authentication Methods page, click Next. 21. On the Outbound Authentication Methods using Domain Accounts page, click Next. 22. On the Registry Settings Summary page, click Next. 23. On the Audit Policy page, click Next. 24. On the System Audit Policy page, click Next. 25. On the Audit Policy Summary page, click Next. 26. On the Internet Information Services page, click Next. 27. On the Select Web Service Extensions for Dynamic Content page, click Next. 28. On the Select the Virtual Directories to Retain page, click Next. 29. On the Prevent Anonymous Users from Accessing Content Files page, click Next. 30. On the IIS Settings Summary page, click Next. 31. On the Save Security Policy page, click Next. 32. On the Security Policy File Name page, type a name for the prototype policy, and then click Next. Caution: Do not use the name of the prototype computer because scwcmd.exe uses computername.xml to save analysis results, and you don't want the policy to be created to have the same name. Note: The security policy settings that you can configure within SCW are a subset of those that can be set by using security templates (.inf files). On the Security Policy File Name page, you can include a security template if you want to add settings that cannot be configured directly from SCW. If you attach a security template, and it contains settings that conflict with some SCW-configured settings, the SCW-configured settings have precedence. 33. On the Completing the Security Configuration Wizard page, click Finish. |
To apply a security policy to a server
1. Click Start, click Administrative Tools, and then click Security Configuration Wizard. 2. Read the Welcome page and click Next. 3. On the Configuration Action page, select Apply an existing security policy, type in the full path and file name of the policy, and then click Next. 4. On the Select Server page, type in the name of the server to which the policy will be applied and then click Next. Note: To configure multiple servers with a policy, you can use scwcmd configure /p:PolicyFile /i:MachineList at the command prompt, rather than this SCW UI procedure. Type scwcmd configure at the command prompt to learn about the parameters. 5. On the Apply Security Policy page, click Next. 6. On the Applying Security Policy page, wait for processing to finish, and then click Next. 7. On the Completing the Security Configuration Wizard page, click Finish. |
To analyze and view security policy for a server
1. At the command prompt, type scwcmd analyze /m:MachineName /p:PathAndPolicyFileName /o:OutputDirectory Note: Of course you should first replace the italic parameters with your specific ones. When scwcmd analyze is finished processing, you will find that it has saved MachineName.xml. This is the analysis result for that server, saved as XML. 2. When scwcmd analyze processing is complete, type scwcmd view /x:MachineName.xml /s:scwanalysis.xsl Scwanalysys.xsl is one of the files installed with SCW. It formats the analysis results for display. |
To save an SCW security policy in native Group Policy format
1. At the command prompt, type scwcmd transform /p:PathAndPolicyFileName /g:GPODisplayName |
That's it -- just one step.
Here PathAndPolicyFileName is the policy you created earlier with SCW, including its .xml file name extension. GPODisplayName is the name that the Group Policy object (GPO) will show when you view it in Group Policy Object Editor or in Group Policy Management Console (GPMC).
When the scwcmd transform command has completed, the GPO will have been created in Active Directory, but policy it contains will not be applied until the GPO is linked to a site, domain, or organizational unit. For instructions about linking GPOs, see the GPMC Help.
This section lists some error messages and suggestions for handling them, as well as some basic requirements for using SCW.
SCW is supported on members of the Windows Server 2003 family with Service Pack 1 only. For details about SCW requirements, see "Requirements for Installing and Running SCW" earlier in this document.
The security policies that are created with SCW should only be applied to servers and groups of servers. They should not be applied to client operating systems such as Microsoft Windows XP.
If an SCW security policy is applied to a server before IIS is installed, the server will be configured with the Hypertext Transport Protocol (HTTP) Secure Sockets Layer (SSL) service disabled, as HTTP SSL is not required on a computer that is not a Web server. If IIS is then installed on the server and SCW is run, the Administrator must first ensure that IIS is started, in order for IIS to be detected by SCW. IIS cannot run without the HTTP SSL service.
Here are some errors you may encounter with SCW:
The Microsoft XML core services are corrupted or not installed.
There is a problem with Main.XML. Check the Application log, which might have more information.
There is a problem with Main.XML. Check the Application log, which might have more information.
You must be an administrator on the local server to run SCW, or you must specify Administrative credentials on a remote server. If you are trying to apply a policy to a server, then the policy must be available on the server running SCW. You must also be authenticated as an administrator on the computer that is receiving the policy.
Check the Application log, which might have more information.
You can receive this message if you browse to, or type in, an XML file that is not a security policy file. If this is a security policy file that you created, try running SCW again to recreate it.
In the Network Security section of SCW, this message is shown if SCW cannot verify that an approved application exists at the specified path. This is not necessarily a problem, as you may be configuring a policy for a remote server. If the application will exist at the specified path at the time the policy is applied, the Not Found! message can be ignored.
In the Network Security section of SCW, the IP address of the computer name you entered must be resolvable, or you cannot continue. If the computer has a static IP address (not assigned by DHCP), then you can enter the IP address instead of the name.
Politica de confidentialitate | Termeni si conditii de utilizare |
Vizualizari: 1224
Importanta:
Termeni si conditii de utilizare | Contact
© SCRIGROUP 2024 . All rights reserved