Security Configuration Wizard
Keith D Miller
Microsoft European Support Readiness Manager
Why are you here?
We need a proactive way to take the guesswork out of which operating system components (ports, services, etc.) are required for my applications to function. Having this knowledge by default means that we can turn off everything else.
SCW’s knowledge base defines the requirements of each application, and you can extend the knowledge base to include bespoke third-party applications.
Agenda
What is Security?
Overview of SCW
Tool summary
Server roles
Operational coverage/scope
Policy authoring and deployment
Extending SCW
The Security Management Problem
Security management is about spending good money
to have nothing happen
If nothing happens, you’re doing a good job!!
The Security Management Problem
Your network is not secure!
At best, it’s protected
Protected networks are well-designed, well-managed networks with smart users!
So what is SCW?
Security policy authoring tool
Focused on attack surface reduction
Disables functionality not required for a given role
Disables unnecessary services
Blocks unused ports
Restricts or secures ports that are left open
Reduces protocol exposure for LDAP, NTLM, and SMB
Configures audit settings
Prohibits unnecessary web extensions
Ships in Windows Server 2003 SP1 as an optional component
Security Policy Management
Authoring
Define new system role
Takes great skill
Risky
5% can perform
Tailoring
Customizing existing role
Moderately complex
Less risky
15% can perform
Applying
Should be risk free
80% can perform
So what is so special about a server?
Servers can have many roles
SCW Server Roles
Certificate Server
Cluster Server
Domain Controller
DFS Server
DHCP Server
DNS Server
File Server
Print Server
Web Server
WINS Server
Terminal Server
…
BizTalk Server
Commerce Server
Exchange Server
ISA Server
MOM
Identity Management Server
SharePoint Portal Server
SMS
SQL Server
…
[Diagram (labels only): Base OS; Server; Client; Domain Mbr; Laptop; Stand-Alone; Domain Controller; Member Server; IIS Server; File Server; Database Server; Exchange Server; Certificate Server; Bastion Host (Stand-alone); SMS Server; Infrastructure Server; DNS, DHCP, WINS; Print Server; Front end, Back end, Clustered; ASP.NET, POP3 Server, Web Server. Legend: Base Role, SCW]
Targeting Configuration Guidance
Words to the wise
Follow the guides, then run SCW
SCW is not designed to work on clients, as they do not normally perform a role; they are mainly general-purpose boxes
SCW is designed for servers only. You can apply SCW policies to clients (there are a couple of ways of doing this), but the client may boot, or it may not boot
You can apply it to a Windows 2000 system, but DO NOT do it.
SCW Operational Coverage
Secure configuration
Compliance analysis
Is this machine in compliance with its policy?
What are the differences between the defined policy and the current system?
Rollback
Remote usability
Configure, analyze, rollback, or build policy based on a remote server
Extendable
Extend the knowledge base (“Define your own roles”)
Enterprise policy deployment
Active Directory integration for Group Policy-based deployments
Command line tool (scwcmd.exe)
For configuration, analysis and reporting
SCW Benefits over SCE
Covers more areas
Much less risk of destroying the system
Policy will be better optimized
Better rollback support
Much improved testing of knowledge base
Much less skill required
Extendable
How does SCW deal with Roles and Tasks?
Policies consist of roles and tasks
Server roles: services, ports, settings, features, etc.
Tasks: services, ports, settings, features, etc.
Client roles: services, ports, settings, features, etc.
Think About It
Sometimes it helps to slow down,
and analyze the problem that you are trying to solve!!!
Where are all the files?
C:\windows\security\msscw
Steps To Build Extensions
Steal an existing extension
Modify to suit your needs
Replace role, task, service, and port definitions
Edit the localized version
Combine both into a single template
Validate against the XSD from the “Extending the Security Configuration Wizard” white paper
Run scwcmd register /kbname:<your extension name> /kbfile:<xml file name>
Example Extension

<?xml version="1.0" ?>
<SCWKBRegistrationInfo>
  <KB Type="Extensions" Update="TRUE">
    <ApplicableVersions>
      <Version OSVersionMajorInfo="5" OSVersionMinorInfo="2" ServicePackMajor="1" ServicePackMinor="0" ProductType="Server"/>
    </ApplicableVersions>
    <KnowledgeBase>
      <SCWKnowledgeBase>
...

Example Extension (continued)

...
        <Roles>
          <Role Type="Server" Name="MACSSAMPLE">
            <DependsOn>
              <Roles>
                <Role Name="File" />
              </Roles>
            </DependsOn>
            <Selected Value="DEFAULT" />
            <Services>
              <Service Name="ADTServer" />
            </Services>
            <Ports>
              <Port Name="MACSSAMPLE" />
            </Ports>
          </Role>
          <Role Type="Client" Name="MACSAgent">
            <Selected Value="DEFAULT" />
            <Services>
              <Service Name="AdtAgent" />
              <Service Name="DNSCache" />
            </Services>
          </Role>
        </Roles>
...
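The build steps and the extension fragment above, as an added Python example that is not Microsoft's code and not part of the original deck: it parses a knowledge-base registration file using only the element and attribute names shown on the slides, checks whether the declared ApplicableVersions cover a target OS, lists what each role enables, runs a few sanity checks that XSD validation alone will not make, and builds the scwcmd register command line from the slide. The sample XML is constructed from the fragment above; the lint rules, the set of built-in roles passed to lint(), and the file path in the usage block are assumptions of this example.

```python
"""Inspect an SCW knowledge-base extension before registering it.
Added example, not Microsoft's code; element names follow the fragment on the
slides, while the lint rules and known_roles are assumptions of this example."""
import xml.etree.ElementTree as ET

# Constructed sample, assembled from the extension fragment on the slides.
SAMPLE_KB = """<?xml version="1.0" ?>
<SCWKBRegistrationInfo>
  <KB Type="Extensions" Update="TRUE">
    <ApplicableVersions>
      <Version OSVersionMajorInfo="5" OSVersionMinorInfo="2" ServicePackMajor="1" ServicePackMinor="0" ProductType="Server"/>
    </ApplicableVersions>
    <KnowledgeBase><SCWKnowledgeBase><Roles>
      <Role Type="Server" Name="MACSSAMPLE">
        <DependsOn><Roles><Role Name="File" /></Roles></DependsOn>
        <Selected Value="DEFAULT" />
        <Services><Service Name="ADTServer" /></Services>
        <Ports><Port Name="MACSSAMPLE" /></Ports>
      </Role>
      <Role Type="Client" Name="MACSAgent">
        <Selected Value="DEFAULT" />
        <Services><Service Name="AdtAgent" /><Service Name="DNSCache" /></Services>
      </Role>
    </Roles></SCWKnowledgeBase></KnowledgeBase>
  </KB>
</SCWKBRegistrationInfo>
"""


def load_kb(xml_text):
    """Parse the registration file and check it has the expected root element."""
    root = ET.fromstring(xml_text)
    if root.tag != "SCWKBRegistrationInfo":
        raise ValueError("not an SCW KB registration file: root is <%s>" % root.tag)
    return root


def applies_to(root, major, minor, sp_major, sp_minor, product):
    """True if any <Version> entry covers the target OS (Server 2003 SP1 is 5.2 SP1)."""
    wanted = {"OSVersionMajorInfo": str(major), "OSVersionMinorInfo": str(minor),
              "ServicePackMajor": str(sp_major), "ServicePackMinor": str(sp_minor),
              "ProductType": product}
    return any(all(v.get(a) == x for a, x in wanted.items())
               for v in root.findall("KB/ApplicableVersions/Version"))


def parse_roles(root):
    """Return the roles the extension defines, in file order, with what each enables."""
    roles_el = root.find("KB/KnowledgeBase/SCWKnowledgeBase/Roles")
    if roles_el is None:
        return []
    roles = []
    # Direct children only: <DependsOn> nests its own <Roles> element.
    for role in roles_el.findall("Role"):
        selected = role.find("Selected")
        roles.append({
            "name": role.get("Name"),
            "type": role.get("Type"),
            "selected": selected.get("Value") if selected is not None else None,
            "depends_on": [r.get("Name") for r in role.findall("DependsOn/Roles/Role")],
            "services": [s.get("Name") for s in role.findall("Services/Service")],
            "ports": [p.get("Name") for p in role.findall("Ports/Port")],
        })
    return roles


def lint(roles, known_roles=frozenset()):
    """Sanity checks the XSD will not make for you (assumed rules, not Microsoft's).
    known_roles: names already in the SCW knowledge base, so that a dependency on a
    built-in role such as "File" is not reported as unknown."""
    problems, seen = [], set()
    defined = {r["name"] for r in roles if r["name"]} | set(known_roles)
    for r in roles:
        if not r["name"]:
            problems.append("Role without a Name attribute")
            continue
        if r["name"] in seen:
            problems.append("Duplicate role name %s" % r["name"])
        seen.add(r["name"])
        for dep in r["depends_on"]:
            if dep not in defined:
                problems.append("Role %s depends on unknown role %s" % (r["name"], dep))
        if not r["services"] and not r["ports"]:
            problems.append("Role %s enables no services or ports" % r["name"])
    return problems


def register_command(kb_name, kb_file):
    """The registration step from the slides: scwcmd register /kbname:... /kbfile:..."""
    return "scwcmd register /kbname:%s /kbfile:%s" % (kb_name, kb_file)


if __name__ == "__main__":
    kb = load_kb(SAMPLE_KB)
    print("Applies to Windows Server 2003 SP1:", applies_to(kb, 5, 2, 1, 0, "Server"))
    for role in parse_roles(kb):
        print(role["type"], role["name"], "enables", role["services"], role["ports"])
    print("Problems:", lint(parse_roles(kb), known_roles={"File"}))
    print(register_command("MACSSAMPLE", r"C:\path\to\macssample.xml"))  # placeholder path
```

Run it against your own extension by replacing SAMPLE_KB with the file contents; an empty list from lint() and a True from applies_to() for the target OS are the conditions to meet before the scwcmd register step.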
SCW Support
Currently supported on Windows Server 2003 SP1, R2 and LH peer-to-peer only
SCW public newsgroup: Microsoft.public.security.scw
Public Resources
http://go.microsoft.com/fwlink/?linkid=42434 (public homepage)
Requesting redirect: http://www.microsoft.com/scw
SCW beta newsgroup at:
News server: betanews.microsoft.com
Newsgroup: microsoft.beta.srv2003sp1.scw
SCW Quick Start Guide
Thanks for attending this TechNet Event
What do you get from TechNet? In case you weren’t aware, we offer all of the below and aim to be the central point of information and the community resource for IT professionals in the UK:
FREE fortnightly technical newsletter: “The TechNet Flash”
FREE regular technical events hosted across the UK
FREE weekly UK & US led technical webcasts
FREE comprehensive technical web site
FREE quarterly technical magazine
Monthly CD / DVD subscription with the latest technical tools & resources and full-version evaluation and beta software.
To find out more about TechNet and what information and resources are available to you, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the breaks
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.