New in Windows Server 2003 SP1 and R2, Microsoft has made
available a tool that helps you determine exactly what is running on
your Windows Server 2003 system and reduce the attack surface of your
server, making it less exposed to attack. In short, through the
use of the Security Configuration Wizard, you can take a very granular look at
your system and disable functionality that is not required.
The Security Configuration Wizard is not installed automatically
when you install SP1 or R2. Follow these steps to install it:
- Go to Start | Settings | Control Panel.
- Open Add or Remove Programs.
- Click Add/Remove Windows Components.
- Select the check box for Security Configuration Wizard and click Next. Make sure you
have your source media available.
After installation is complete, the Security Configuration
Wizard is available from Start | All Programs | Administrative Tools |
Security Configuration Wizard.
When you initially run the tool, you need to provide a
server to use as a baseline (you'll probably have multiple security policies
based on the role each server plays in your organization). Later in the Wizard,
you will see a complete list of the potential roles for your server, from both
a server and a client perspective. For example, you might have one server that
runs the SMS 2003 server, and another that has the SMS 2003 client installed. Select
the roles for this server. You can also choose whether to enable administrative
services, such as BITS (Background Intelligent Transfer Service), Browser,
Browse Master, Remote Desktop, SQL Server Agent, and more. Microsoft can't be
on top of every possible service on your server, so the Wizard also provides
you with the capability to either ignore or disable any services that are not
on the lists.
Beyond services, the Wizard also allows you to explicitly
allow or deny individual TCP/IP ports. You can also use the tool to restrict
access to a specific TCP/IP port to a single computer or a range of IP
addresses. For example, if you want to allow only people on your administrative
network to establish any kind of connection using Remote Desktop,
you could restrict port 3389 to just that subnet.
You can also make policy changes that affect the handling of
SMB file and print traffic. For example, if your server has enough spare
capacity, you can require signing for all SMB traffic to prevent
man-in-the-middle attacks on your clients. The same goes for signing all
LDAP traffic. In the policy, you can indicate that all clients that connect run
a version of at least SP3 for Windows 2000 to help protect LDAP information on
Other areas addressed in the tool:
- Audit settings: Determine whether you want to enable auditing and, if so, whether you want
to log only successful activities, or both successful and unsuccessful activities.
- IIS: Which IIS extensions do you want to enable? For example, ASP.NET 1.1,
ASP.NET 2.0, Server Side Includes, WebDAV, etc. Also, which virtual
directories should be enabled? You might want, for example, to block
access to the IISAdmin folder.
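Once a policy has been applied, it is worth checking that the server actually ended up in the state the Wizard was told to produce: the service, port, SMB signing and LDAP signing settings described above. The script below is an added example written for this article; it is not part of the Security Configuration Wizard or of Microsoft's tooling. It reads the standard Windows registry locations for SMB and LDAP signing, inspects the Windows Firewall (SP1) port-exception list for the Remote Desktop port, and lists enabled services that are not on a baseline list. The baseline service list is a constructed placeholder that you would replace with the roles chosen for your server, and the assumed format of the firewall exception values (`port:protocol:scope:Enabled|Disabled:name`, with `*` meaning any source address) is stated as an assumption in the code.

```powershell
# Added post-hardening drift check (example code, not part of the original
# article or of the Security Configuration Wizard).
# Requires Windows PowerShell 2.0 or later, run from an elevated prompt.

$ErrorActionPreference = 'SilentlyContinue'

# Services the baseline allows to remain enabled on this role.
# Constructed placeholder list; replace with the roles selected in the Wizard.
$AllowedServices = @('Dhcp', 'Dnscache', 'EventLog', 'LanmanServer',
                     'LanmanWorkstation', 'Netlogon', 'RpcSs', 'SamSs',
                     'TermService', 'W32Time', 'wuauserv')

function Get-RegDword($path, $name) {
    # Returns the DWORD value or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $path -Name $name
    if ($item -eq $null) { return $null }
    return $item.$name
}

function Test-SigningPolicy {
    # Expected values: 1 = SMB signing required; 2 = LDAP signing required.
    # The LDAP server value only exists on domain controllers.
    $checks = @(
        @{ Area = 'SMB server signing';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature'; Want = 1 },
        @{ Area = 'SMB client signing';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Want = 1 },
        @{ Area = 'LDAP server signing'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Name = 'LDAPServerIntegrity';      Want = 2 },
        @{ Area = 'LDAP client signing'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP';                         Name = 'LDAPClientIntegrity';      Want = 2 }
    )
    foreach ($c in $checks) {
        $have = Get-RegDword $c.Path $c.Name
        if ($have -eq $c.Want)  { $status = 'OK' }
        elseif ($have -eq $null) { $status = 'not set / not applicable' }
        else                     { $status = 'WEAK' }
        New-Object PSObject -Property @{ Area = $c.Area; Value = $have; Status = $status }
    }
}

function Test-RdpScope {
    # Assumption: SP1 firewall port exceptions are stored under each profile as
    # string values of the form "port:protocol:scope:Enabled|Disabled:name",
    # where a scope of '*' means the port is reachable from any address.
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\GloballyOpenPorts\List"
        $list = Get-ItemProperty -Path $key
        if ($list -eq $null) { continue }
        foreach ($prop in $list.PSObject.Properties) {
            if (($prop.Value -is [string]) -and ($prop.Value -like '3389:TCP:*')) {
                $fields = $prop.Value -split ':'
                $scope  = $fields[2]
                if ($scope -eq '*') { $status = 'OPEN TO ALL ADDRESSES' } else { $status = 'scoped' }
                New-Object PSObject -Property @{
                    Profile = $profile; Scope = $scope; Mode = $fields[3]; Status = $status
                }
            }
        }
    }
}

function Get-ServicesOutsideBaseline {
    # Anything not Disabled and not on the allow-list is a candidate for the
    # Wizard's "disable services not on the lists" option.
    Get-WmiObject Win32_Service |
        Where-Object { ($_.StartMode -ne 'Disabled') -and ($AllowedServices -notcontains $_.Name) } |
        Select-Object Name, State, StartMode
}

'== SMB / LDAP signing =='
Test-SigningPolicy | Format-Table Area, Value, Status -AutoSize
'== Remote Desktop (TCP 3389) firewall exceptions =='
Test-RdpScope | Format-Table Profile, Scope, Mode, Status -AutoSize
'== Enabled services not in the baseline =='
Get-ServicesOutsideBaseline | Format-Table -AutoSize
```

Run it on a freshly configured server and keep the output with the policy XML the Wizard saved; re-running it after patching or role changes shows whether a later installer quietly re-enabled a service or widened the Remote Desktop exception back to every address.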
All in all, the Security Configuration Wizard is extremely
thorough and will take a huge amount of time to get "just right," but has the
potential to be a huge boon for your security efforts.