W2K3 and Security Configuration Wizard

Service Pack 1 for Windows Server 2003 is due to be released soon. You can download the RC1 from TechNet (more info and download here).

Besides some other interesting features (mostly XP SP2 features reintegrated) there is a new “Security Configuration Wizard” which is supposed to assist admins in doing a local hardening of machines. Interesting.

The SCW is an optional component that you have to install via Add/Remove Software. When you start the SCW you have the choice of creating a new policy or applying an existing one. SCW policy files are XML files (thanks for that – compared to IPSec policies) – and can be created on one machine and applied to several (similarly configured) other machines. A cool feature is that you can turn policy files into group policies for central deployment (using the scwcmd.exe tool).

When you want to create a new policy, SCW analyzes your current configuration and creates a policy according to that – so first of all you have to configure your server with the required functionality. I chose the Application Server Role (what else?) and gave it a try.

Here are the config choices the wizard gave me:

Role Based Configuration
You start with selecting which roles the server will perform, e.g. Web Server, ASP.NET Session State Server, COM+ and which client features the server requires, e.g. DNS, DHCP, Automatic Updates.
You then choose the various remote admin/access and additional services you want to have enabled/disabled. A nice feature is that SCW disables all other services that you didn’t select – and – if applied periodically (via a GPO e.g.) this is also true for services that get installed in the future. After that you get a nice overview of all services, their dependencies and startup configuration after applying the policy.

Network Security
In this section you select which inbound network ports your server should listen on – and – even better – you can place IP restrictions on the inbound traffic and configure IPSec negotiation (e.g. Terminal Services are only allowed from the admin subnet). This configures a combination of ICF and IPSec settings.

If you don’t know the exact ports used at runtime (e.g. DCOM/RPC) you can also approve applications as opposed to protocols and port numbers (a feature of the new built-in firewall which can also be found in XP SP2).

Registry Settings
You can turn on required SMB signing here. And choose between the various LM, NTLM, NTLMv2 send/reply options. The following registry keys are adjusted accordingly:

HKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel
HKLM\System\CurrentControlSet\Control\LSA\NoLMHash

These settings basically configure which sort of computer-to-computer authentication protocols should be used – I clearly opt for using NTLMv2 only, which also means that you don’t have to store the weaker (and much more vulnerable) LM password hashes on the local machine.
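As an added check that is not part of the original post or of SCW itself, this PowerShell script reads the two LSA values named above and reports anything weaker than the NTLMv2-only choice; it also looks at the standard LanmanServer/LanmanWorkstation RequireSecuritySignature values for SMB signing, which the post does not name and which are assumed here. Run it before and after applying a policy to see what the wizard actually changed.

```powershell
# Added example, not part of the original post or of SCW: report the LAN Manager
# authentication and SMB signing settings that SCW's "Registry Settings" page
# adjusts, and flag anything weaker than NTLMv2-only with no LM hash stored.
# Assumption: RequireSecuritySignature under LanmanServer/LanmanWorkstation is
# the SMB signing switch; the post itself names only the two LSA values.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# What each LMCompatibilityLevel value means for the responses this host sends.
$levels = @{
    0 = 'send LM & NTLM'
    1 = 'send LM & NTLM, NTLMv2 session security if negotiated'
    2 = 'send NTLM only'
    3 = 'send NTLMv2 only'
    4 = 'send NTLMv2 only, refuse LM'
    5 = 'send NTLMv2 only, refuse LM & NTLM'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent; the OS default then applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-LmAuthHardening {
    $lm   = Get-RegValue $lsa 'LMCompatibilityLevel'
    $nolm = Get-RegValue $lsa 'NoLMHash'
    $findings = @()

    $desc = if ($null -eq $lm) { 'not set, OS default applies' } else { $levels[[int]$lm] }
    if ($null -eq $lm -or $lm -lt 3) {
        $findings += "LMCompatibilityLevel=$lm ($desc): host still sends LM/NTLM responses; use 3 or higher, 5 also refuses them"
    }
    if ($nolm -ne 1) {
        $findings += "NoLMHash=$nolm: LM hashes may still be stored; set to 1 (the LM hash is dropped at the next password change)"
    }
    foreach ($p in $srv, $wks) {
        if ((Get-RegValue $p 'RequireSecuritySignature') -ne 1) {
            $findings += "$p\RequireSecuritySignature is not 1: SMB signing is not required"
        }
    }
    if ($findings.Count -eq 0) { 'OK: NTLMv2 only, no LM hash stored, SMB signing required' } else { $findings }
}

Test-LmAuthHardening
```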

Audit Policy
You can choose between no auditing, success, and success and failure. I chose the last option and this turns on all available auditing options (besides privilege use), which seems a little like overkill to me. Additionally, SACLs are added to OS files as configured in ASCAudit.inf (located in %WINDIR%\Security\Msscw\Kbs).

IIS
You first select the required web service extensions (e.g. ASP.NET) and can disable all unknown extensions. Then you have the option to physically remove all IIS pre-installed vdirs (IISSamples, MSADC, AdminScripts, IISHelp, IISAdmin) and if you want to deny anonymous write access (good choice).

That’s it. You can now save your policy and apply it to the local machine or to different, similar machines.

A quick inspection of the system configuration shows that the wizard has done its work: disabled services, fewer visible ports, and so on.
While not as rigorous as doing a manual hardening (e.g. removing services/protocols vs. just disabling them), I really like the way the wizard presents the information to the user. This makes it much easier for non security-experts to make the right choices.

I would like to see SCW as a non-optional install, plus a nag screen (like the XP SP2 Security Center) which “reminds” the admin that he still has to run the wizard. Nice work!
