SECURITY CONFIGURATION MANAGEMENT

Security Configuration Wizard (SCW)

SCW is a tool that Microsoft has been refining for years. It first came out in the Windows Server 2003 era and has continued to be updated to meet the needs and changes of the server operating system. The tool supports only Windows Server, because it aligns with the server roles that are now a key aspect of configuring Windows Server.
SCW is designed around the concept of Server Roles. Microsoft developed these roles to help administrators choose what function the server will serve, as well as to configure the other key security settings and services the role requires to be completely configured.
SCW is based on a database, which is really nothing more than the definition of each role and function. You can see in Figure 1 that the database is broken down into different sections.
Figure 1: SCW security database.
Within the Roles area, you can clearly see there are the obvious roles that a Windows Server could be configured to control. Figure 2 illustrates some of these roles.
Figure 2: SCW Roles within security database.
After you start the configuration portion of the wizard, it takes you through the different areas of the SCW controls that you want to configure. The following are the major areas that you will be required to configure in order to produce an SCW security policy.
  • Role Based Service Configuration
  • Network security
  • Registry settings
  • Audit policy
Within each of these sections there are many settings that allow you to control the firewall, services, functions, authentication protocols, anonymous access, and much more. When the wizard finishes, you end up with a security policy that can either be applied to another server using SCW or be converted into a Group Policy Object (GPO), which can be deployed to many servers using Active Directory.

Security Compliance Manager (SCM)

Security Compliance Manager (SCM) is a free security configuration tool from Microsoft. You can get the current version (2.5) or join the Beta version evaluation (3.0). You can get both versions from this link.
SCM is based on industry standard compliance regulations and security configurations. The tool is designed to help make security decisions based on client and server functions.
SCM provides pre-built baselines, which define hundreds of security settings for the operating systems by Microsoft. Figure 3 illustrates the baselines that come with SCM v2.5.
Figure 3: SCM baseline options.
SCM v3.0 includes Windows 8, Windows Server 2012 and more baselines.
The baselines that are provided cannot be altered without first creating a copy of them. Once a copy is made, the baseline can be altered to meet the requirements of your environment. SCM is extremely powerful and includes the ability to configure many aspects of the operating system.
SCM is designed to be a three-fold product solution.
First, SCM is designed to help you document what the security of each server/role is to be set to. This is done via the configuration and storage of the baselines, both those from Microsoft and custom baselines that you create.
Second, SCM is designed to be a configuration enabling technology. SCM itself does not perform any configurations. Rather, SCM baselines can be converted into GPOs. Once the GPO is created, it can be integrated into the Active Directory design and distributed in that manner.
Third, SCM is an audit enabling technology. Again, SCM does not perform the audit; rather, the baseline can generate a DCM pack. DCM is Desired Configuration Management, the feature of SCCM (System Center Configuration Manager) in which these packs are used. The DCM pack is then compared against each computer to which the GPO was applied, reporting on where there is drift from the original settings.
SCM also provides customization of settings that are stored in the Registry. The customization of the baselines, GPOs, and DCM packs allows for nearly any security setting to be included in the documentation, configuration, and auditing of Windows computers.
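The drift check described above, reduced to Registry-backed settings, as an added example that is not SCM, DCM, or Microsoft code. The three baseline values are a constructed sample (not a published SCM baseline), and the function name Test-BaselineDrift is hypothetical.

```powershell
# Constructed sample baseline: NTLMv2-only authentication, restricted
# anonymous enumeration, and mandatory SMB server signing.
$Baseline = @(
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
                       Name = 'LmCompatibilityLevel'; Expected = 5 }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
                       Name = 'RestrictAnonymous'; Expected = 1 }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
                       Name = 'RequireSecuritySignature'; Expected = 1 }
)

# Hypothetical helper: compares each baseline entry with the live Registry.
function Test-BaselineDrift {
    param([Parameter(Mandatory)][object[]]$Settings)

    foreach ($s in $Settings) {
        # A missing key or value is reported rather than raised as an error:
        # "not configured" is itself a deviation from the baseline.
        $item   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($s.Name) } else { $null }

        $status = if ($null -eq $actual) { 'Missing' } elseif ($actual -eq $s.Expected) { 'Compliant' } else { 'Drift' }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Setting  = "$($s.Path)\$($s.Name)"
            Expected = $s.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

$report = Test-BaselineDrift -Settings $Baseline
$report | Format-Table -AutoSize

# Summarize so a scheduled task or collector can flag the host.
$nonCompliant = @($report | Where-Object Status -ne 'Compliant')
"{0} of {1} settings deviate from the baseline" -f $nonCompliant.Count, $Baseline.Count
```

Run it in an elevated session on the server being audited; a setting delivered by GPO that later shows as Drift or Missing indicates the policy is not applying or has been overridden locally.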

Summary

Group Policy and security of a Windows system can be a bit complex. Without a guide or tool, the configuration of these settings can be overwhelming. The goal of Group Policy is to provide a centralized technology to deploy settings to Windows computers. Every environment needs to use Group Policy! This is why Microsoft has developed solutions to help organizations use Group Policy more efficiently and completely to secure the computing environment.
First, the threats and countermeasures guides can help in understanding what each security setting represents. Not only is each security setting complex, but an incorrect configuration could cause communication or stability issues with the computer.
Next, Microsoft provided SCW to help with the configuration of Windows Server security. Microsoft introduced Roles and then incorporated Roles into SCW and the operating system itself. This tie between the two helps control firewall, security, Registry, auditing, and more settings.
Finally, SCM is the best security configuration tool provided by Microsoft. This free tool allows an administrator to use industry standard security configurations or custom security settings.
No matter which technology you use to help with the deployment of security via Group Policy, please use something to help you secure your Windows environment!
