Security Configuration WizardSecurity Configuration Wizard

Keith D MillerKeith D Miller

Microsoft European Support Readiness ManagerMicrosoft European Support Readiness Manager

Why are you here?Why are you here?

We need a proactive way to take the guess work out of which operating system components (ports, services etc) are required for my applications to function. Having this knowledge by default means that we can turn off everything else.

SCW’s knowledge base defines the requirements of each application, and you can extend the knowledge base to include bespoke 3rd party applications.

AgendaAgenda

What is Security?What is Security?

Overview of SCWOverview of SCWTool summaryTool summary

Server rolesServer roles

Operational coverage/scopeOperational coverage/scope

Policy authoring and deploymentPolicy authoring and deployment

Extending SCWExtending SCW

The Security Management ProblemThe Security Management Problem

Security management is aboutSecurity management is aboutspending good moneyspending good money

to have nothing happento have nothing happen

If nothing happens, your doing you’re a good job!!If nothing happens, your doing you’re a good job!!

The Security Management ProblemThe Security Management Problem

Your network is not secure!Your network is not secure!

At best, it’s protectedAt best, it’s protected

Protected networks are well-designed, well Protected networks are well-designed, well managed networks with smart users!managed networks with smart users!

So what is SCW?So what is SCW?

Security policy authoring tool Security policy authoring tool Focused on attack surface reduction Focused on attack surface reduction

Disables functionality not required for a given roleDisables functionality not required for a given roleDisables unnecessary servicesDisables unnecessary servicesBlocks unused portsBlocks unused portsRestricts or secures ports that are left openRestricts or secures ports that are left openReduces protocol exposure for LDAP, NTLM, and SMB Reduces protocol exposure for LDAP, NTLM, and SMB Configures audit settings Configures audit settings Prohibits unnecessary web extensionsProhibits unnecessary web extensions

Ships in Windows Server 2003 SP1 as an optional componentShips in Windows Server 2003 SP1 as an optional component

Security Policy ManagementSecurity Policy ManagementAuthoringAuthoring

Define new system roleDefine new system role

Takes great skillTakes great skill

RiskyRisky

5% can perform5% can perform

TailoringTailoringCustomizing existing roleCustomizing existing role

Moderately complexModerately complex

Less riskyLess risky

15% can perform15% can perform

ApplyingApplyingShould be risk freeShould be risk free

80% can perform80% can perform

So What is so special about a server?So What is so special about a server?

Servers have can have many rolesServers have can have many roles

SCW Server RolesSCW Server Roles

Certificate ServerCertificate ServerCluster ServerCluster ServerDomain ControllerDomain ControllerDFS ServerDFS ServerDHCP ServerDHCP ServerDNS ServerDNS ServerFile ServerFile ServerPrint ServerPrint ServerWeb ServerWeb ServerWINS ServerWINS ServerTerminal ServerTerminal Server……

Biztalk ServerBiztalk ServerCommerce ServerCommerce ServerExchange ServerExchange ServerISA ServerISA ServerMOMMOMIdentity Management ServerIdentity Management ServerSharePoint Portal ServerSharePoint Portal ServerSMSSMSSQL ServerSQL Server……

Base OS

Server Client

Domain Mbr

Laptop

Stand-AloneDomain Controller

MemberServer

IIS ServerFile Server

DatabaseServer

ExchangeServer

CertificateServer

Bastion Host(Stand-alone)

SMS Server

InfrastructureServer

DNSDHCPWINS

Print Server

Front endBack endClustered

ASP.NETPOP3 ServerWeb Server

Base RoleSCW

Targeting Configuration GuidanceTargeting Configuration Guidance

Words to the wiseWords to the wise

Follow the guides, then run SCWFollow the guides, then run SCW

SCW is not designed to work on clients as they do not as a SCW is not designed to work on clients as they do not as a norm perform a role, they are mainly general purpose norm perform a role, they are mainly general purpose boxesboxes

SCW is designed for servers only, however you can apply SCW is designed for servers only, however you can apply SCW policies to clients, there are a couple of ways of SCW policies to clients, there are a couple of ways of doing this, however it may boot, or it may not bootdoing this, however it may boot, or it may not boot

You can apply it to a windows 2000 system, but DO NOT You can apply it to a windows 2000 system, but DO NOT do it.do it.

SCW Operational CoverageSCW Operational Coverage

Secure configurationSecure configurationCompliance analysisCompliance analysis

Is this machine in compliance with its policy?Is this machine in compliance with its policy?What are the differences between the defined policy and current system?What are the differences between the defined policy and current system?

RollbackRollbackRemote UsabilityRemote Usability

Configure, analyze, rollback, or build policy based on a remote serverConfigure, analyze, rollback, or build policy based on a remote server

ExtendableExtendableExtend the knowledge base (“Define your own roles”)Extend the knowledge base (“Define your own roles”)

Enterprise policy deploymentEnterprise policy deploymentActive Directory Integration for Group Policy-based deploymentsActive Directory Integration for Group Policy-based deployments

Command line tool (scwcmd.exe)Command line tool (scwcmd.exe)For configuration, analysis and reportingFor configuration, analysis and reporting

SCW Benefits over SCESCW Benefits over SCE

Covers more areasCovers more areas

Much less risk of destroying systemMuch less risk of destroying system

Policy will be better optimizedPolicy will be better optimized

Better rollback supportBetter rollback support

Much improved testing of knowledge baseMuch improved testing of knowledge base

Much less skill requiredMuch less skill required

ExtendableExtendable

Deployment Deployment ArchitectureArchitecture

SCW ArchitectureSCW Architecture

How does SCW deal with Roles and How does SCW deal with Roles and TasksTasksPolicies consist of roles and tasksPolicies consist of roles and tasks

Server RolesServer RolesServices, ports, settings, features, etc…Services, ports, settings, features, etc…

TasksTasksServices, ports, settings, features, etc…Services, ports, settings, features, etc…

Client rolesClient rolesServices, ports, settings, features, etc…Services, ports, settings, features, etc…

Think About itThink About it

Sometimes it helps to slow down,

And analyze the problem that you are trying to solve!!!

Lets do the DemoLets do the Demo

Where are all the files?Where are all the files?

C:\windows\security\msscwC:\windows\security\msscw

Extending the databaseExtending the database

Steps To Build ExtensionsSteps To Build Extensions

Steal an existing extensionSteal an existing extension

Modify to suit your needsModify to suit your needs

Replace role, task, service, and port definitionsReplace role, task, service, and port definitions

Edit the localized versionEdit the localized version

Combine both into a single templateCombine both into a single template

Validate against the XSD from the “Extending the Security Validate against the XSD from the “Extending the Security Configuration Wizard” white paperConfiguration Wizard” white paper

Run scwcmd register /kbname:<your extension name> /kbfile:<xml Run scwcmd register /kbname:<your extension name> /kbfile:<xml file name>file name>

Example ExtensionExample Extension<?xml version="1.0" ?><SCWKBRegistrationInfo>

<KB Type="Extensions" Update="TRUE"><ApplicableVersions>

<Version OSVersionMajorInfo="5" OSVersionMinorInfo="2“ServicePackMajor="1" ServicePackMinor="0" ProductType="Server"/>

</ApplicableVersions><KnowledgeBase>

<SCWKnowledgeBase>...

Example ExtensionExample Extension...

<Roles><Role Type="Server" Name="MACSSAMPLE">

<DependsOn><Roles>

<Role Name="File" /></Roles>

</DependsOn><Selected Value="DEFAULT" />

<Services><Service Name="ADTServer" />

</Services><Ports>

<Port Name="MACSSAMPLE" /></Ports>

</Role><Role Type="Client" Name="MACSAgent">

<Selected Value="DEFAULT" /><Services>

<Service Name="AdtAgent" /><Service Name="DNSCache" />

</Services></Role>

</Roles>...

SCW SupportSCW Support

Currently supported on Windows Server 2003 SP1, R2 and LH peer-Currently supported on Windows Server 2003 SP1, R2 and LH peer-to-peer onlyto-peer only

SCW public newsgroupSCW public newsgroupMicrosoft.public.security.scwMicrosoft.public.security.scw

Public ResourcesPublic Resourceshttp://go.microsoft.com/fwlink/?linkid=42434http://go.microsoft.com/fwlink/?linkid=42434 (public homepage) (public homepage)

Requesting redirect: Requesting redirect: http://www.microsoft.com/scwhttp://www.microsoft.com/scw

SCW beta newsgroup at:SCW beta newsgroup at:News server: betanews.microsoft.comNews server: betanews.microsoft.com

Newsgroup: microsoft.beta.srv2003sp1.scwNewsgroup: microsoft.beta.srv2003sp1.scw

SCW Quick Start GuideSCW Quick Start Guide

Thanks for attending this TechNet EventThanks for attending this TechNet Event

FREE fortnightly technical newsletter: “The TechNet Flash”FREE fortnightly technical newsletter: “The TechNet Flash”

FREE regular technical events hosted across the UKFREE regular technical events hosted across the UK

FREE weekly UK & US led technical webcastsFREE weekly UK & US led technical webcasts

FREE comprehensive technical web siteFREE comprehensive technical web site

FREE quarterly technical magazineFREE quarterly technical magazine

Monthly CD / DVD subscription with the latest technical tools & resources and full-Monthly CD / DVD subscription with the latest technical tools & resources and full-version evaluation and beta software.version evaluation and beta software.

What do you get from TechNet? In case you weren’t aware, we offer all of the below and aim to be the central point of information and the community resource for IT professionals in the UK:

To find out more about TechNet and what information and resources are available to you, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the breaks

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.