
Windows Server Super Security Policy Construction Kit

Last updated Jan 19, 2007.

By now you're probably familiar with the distinction desktop users draw between a "hardware firewall" and a "software firewall." The latter is typically a program that filters traffic on IP ports, as a hardware firewall does, but can also restrict network access per program; ZoneAlarm is the classic example. Windows XP introduced desktop users to the Windows Firewall (called Internet Connection Firewall before SP2), which Vista extends with outbound filtering and the Windows Firewall with Advanced Security console. Windows Defender, despite the name, is Vista's anti-spyware component, not its firewall.

On the server side, you can't really afford for port monitoring to be conducted by a little utility on the side. I have nothing against third parties providing security for systems, but such utilities are typically designed to run in the background. Port monitoring on a Web server or other Internet-facing server is not some background process. It should be part of policy, which is why Windows Server 2003 Service Pack 1 ties it to policy: the Security Configuration Wizard decides, from the roles a server performs, which services may run and which firewall ports stay open, and writes that decision into a policy you can apply to the server, apply to others like it, and roll back.

Before SP1, WS2K3 admins developed sets of restrictions that were embryonic policies of a sort, managed through the Security Configuration and Analysis snap-in. That little MMC snap-in is still present, although with SP1 a new Security Configuration Wizard leads you by the hand, kicking and screaming, though leading you nonetheless, through the myriad policy settings for services and the ports they run on.

Figure 1: The first panel of Windows Server 2003 SP1's Security Configuration Wizard.

You'll find this wizard in the Administrative Tools menu once you've installed it: it's an optional component, added through Add or Remove Programs > Add/Remove Windows Components > Security Configuration Wizard, and the same component installs its command-line twin, scwcmd.exe, in %SystemRoot%\System32. Using this wizard is easily an all-day affair. You'll want to go over this procedure in full (it'll take three weeks for us just to post it all), plus read up on additional material, before starting with it bright and early. Once you're finished, you'll have a complete XML security policy file that can be applied to this server, as well as to others in your network that are similarly configured. Here's how it works:

  1. Read the little introduction to the wizard, weep, and click Next.
  2. If you have no SCW policy yet, leave the option on the second panel set to Create a new security policy. To start from a policy you've already saved, set the Edit an existing security policy option, click Browse, then locate the XML file in the \Windows\security\msscw\Policies folder. (The same panel also offers Apply an existing security policy and Rollback the last applied security policy; neither is what you want on a first pass.) Click Next.
  3. Enter the name of the server whose current configuration the policy will be built from, then click Next. That server is the baseline: the wizard reads its installed roles, services and settings, and the policy you end up with can be applied to it or to other servers configured the same way. During the next few moments, the wizard loads the security configuration database and processes the server's configuration.

    Figure 2: A sample entry from the security configuration database. In this example, the configuration database viewer reveals there is no default setting for the POP3 service on this particular server. It doesn't explain why that's the case, although we just happen to know it's because Exchange Server is installed.

  4. Click View Configuration Database to reveal a page that lets you browse every default security setting. There are hundreds, and this page isn't for making your own settings or changes, but it will let you hunt down the important defaults by category.
  5. Click Next to continue. The configuration database window will remain on-screen until you close it.
  6. The next panel warns you that you are about to enter the uncharted and dangerous realm of role-based service configuration. You Are Not Ready. Click Next… if you dare!
  7. The next panel lists the various roles your server currently performs, in a succinct but useful manner, with a checkmark beside each installed role. You can create policies for roles you haven't installed yet (for instance, through the Manage Your Server Wizard), or decide not to create policies for existing roles. But your purpose here is to limit your server's outside accessibility to only those services required by the roles you expect your server to perform. Unchecking an installed role is not a no-op: when the policy is applied, the services that role depends on are set to Disabled and their inbound ports are closed, so uncheck a role only when you mean to retire that function. When the checkmarks represent the roles you need, click Next.

    Figure 3: A list of "features" your server is most likely capable of providing.

  8. The "features" listed here are not roles per se but what, at the network level, an engineer might consider client "applications": the FTP, DHCP, and DNS clients, for example. Microsoft doesn't explain this very well, so I'll try: these are all faculties you would engage intentionally as a system administrator, rather than things a user of the network expects the server to provide for her through that network. Microsoft describes them all as "services," though that's not exactly accurate, since your formal list of running services in WS2K3 doesn't look like this list. It's safe here to include policies for features that Windows doesn't believe are installed yet; those policies may yet apply once they are installed. Click Next to go on.
  9. Earlier, Microsoft described server roles as "functions," which is fair, except that it then described those functions as providing "services." Then it described "features" in the next panel as "services." Now in this next panel is a list of "options." What are those, Microsoft? A list of "features," it responds. Lovely.
  10. Actually, these are operating system options, including those you'd install as system components from the Add/Remove Windows Components panel. Security policies may apply to these as well. There are also some more general categories, such as "Audio," which isn't really a service or a function or a role so much as an integral part of the operating system which, like other parts of the OS, is susceptible to exploit for the silliest of unavoidable reasons. These options are typically independent of any particular role or roles you've delegated to your server. While Microsoft says the checkmarked options are the only ones active, this isn't accurate either: Audio deserves a checkmark. Notice IIS 5.0 compatibility mode is listed here as well, for older Web-driven applications that depended on the old IIS 5 security model (or the lack thereof). Check all the options to which policies should apply, and click Next.
  11. The Select additional services panel lists services the wizard found installed on the baseline server that its database has no entry for, Microsoft Exchange's services being the usual example. Check the ones the server genuinely needs, bearing in mind that an unchecked service here ends up Disabled, and click Next to continue.
  12. The Handling unspecified services panel deals with services that are neither in the wizard's database nor installed on the server you're building the policy from, but which may turn up on another server you later apply the policy to. Disable the service makes the policy set any such service to Disabled wherever it is encountered; Do not change the startup mode of the service leaves it however the target server had it. The first choice is the safe default for a policy you intend to push to a fleet, since an unknown service then gets no free pass, but it will also bite a server that legitimately runs something you forgot to catalog. That is why some security engineers advise a complete audit of every server the policy will touch before running this wizard, so that you can confidently disable anything unlisted and shrink the attack surface of any unauthorized program masquerading as a system service. Make your choice, then click Next.
  13. Here is where you go over the list of startup-mode changes the policy would make to the various system services as a result of your choices. These are actual services, the real items that show up in your Services list, shown with their current startup mode beside the mode the policy would set. As you know, each startup mode may be Manual (you start it yourself), Automatic (it starts at boot time), or Disabled (treated as though it were not installed). Read the list the way you'd read a diff: anything moving to Disabled is a function, and usually a port, going away; anything moving from Manual to Automatic is a service the wizard considers required by a role or feature you checked, so your selections don't necessarily create new restrictions.
  14. Despite appearances, you can't actually edit your choices from this list. If something's wrong, you have to click Back and change the appropriate role/service/function/option/thingie, which will produce the desired result here. It's also important to note that clicking Next does not apply the changes now. Instead, it saves them in the security policy file the wizard is writing, to be applied once the wizard is completed, or at some future date from the saved file. Click Next after you've regained your wits and are ready for more of this.
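As an added example, not part of the original article and not Microsoft's own tooling beyond scwcmd.exe itself, the PowerShell script below does the checking a practitioner wants around the unspecified-services and confirmation steps once the wizard has written its XML policy: it snapshots every service's startup mode, runs the policy through scwcmd's analyze mode (which compares a server against a policy without changing it), and, only when asked with -Apply, applies the policy and prints exactly which services changed mode. The policy file name, the working directory and the -Apply switch are assumptions of this example; scwcmd analyze, configure and rollback are real subcommands of the SP1 tool, installed with the wizard.

```powershell
# Added example (not from the original article): baseline a server's service
# startup modes, dry-run an SCW policy with "scwcmd analyze", and optionally
# apply it and report which services moved between Auto, Manual and Disabled.
# Assumptions: the SCW component is installed (scwcmd.exe in %SystemRoot%\System32),
# the policy path below is hypothetical, and the script runs with admin rights.
param(
    [string]$Server  = $env:COMPUTERNAME,
    [string]$Policy  = "$env:SystemRoot\security\msscw\Policies\WebServer.xml",  # hypothetical name
    [string]$WorkDir = "$env:TEMP\scw-check",
    [switch]$Apply           # without -Apply the script only analyzes; nothing is changed
)

function Get-ServiceStartup {
    param([string]$ComputerName)
    # Win32_Service carries StartMode (Auto / Manual / Disabled), the value the
    # wizard's confirmation panel shows; Get-Service in PowerShell 1.0 does not.
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Select-Object Name, DisplayName, StartMode, State |
        Sort-Object Name
}

function Compare-ServiceStartup {
    param($Before, $After)
    # Emit one row per service whose startup mode differs between the snapshots.
    $old = @{}
    foreach ($s in $Before) { $old[$s.Name] = $s.StartMode }
    foreach ($s in $After) {
        if ($old.ContainsKey($s.Name) -and $old[$s.Name] -ne $s.StartMode) {
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Service $s.Name
            $row | Add-Member NoteProperty Before  $old[$s.Name]
            $row | Add-Member NoteProperty After   $s.StartMode
            $row
        }
    }
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Baseline: record every service's startup mode before the policy touches it.
$before = Get-ServiceStartup $Server
$before | Export-Clixml "$WorkDir\services-before.xml"

# 2. Dry run: analyze compares the server's current configuration with the
#    policy and writes an XML result into $WorkDir without changing anything.
& scwcmd analyze "/m:$Server" "/p:$Policy" "/o:$WorkDir"

if ($Apply) {
    # 3. Apply the policy (the same thing "Apply now" does at the end of the
    #    wizard), then diff the startup modes. "scwcmd rollback /m:<server>" undoes it.
    & scwcmd configure "/m:$Server" "/p:$Policy"
    $after = Get-ServiceStartup $Server
    Compare-ServiceStartup (Import-Clixml "$WorkDir\services-before.xml") $after |
        Format-Table Service, Before, After -AutoSize
}
```

Run it first without -Apply on the baseline server and read the analysis result scwcmd leaves in the working directory; then run it with -Apply. The table it prints should match the wizard's confirmation panel line for line, and anything it lists that you did not expect is what scwcmd rollback is for. The same before-and-after diff, applied to netstat -ano output, confirms the port side of the policy.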

[to be continued…]
