
2.4. Using the Security Configuration Wizard

Windows Server 2008 improves on the Security Configuration Wizard introduced in Windows Server 2003 to help administrators fine-tune security on a server. The wizard configures security settings based on server roles. The wizard prompts for information about the server and its roles, and then stops all services not required to perform those roles, locks down ports as needed, modifies registry settings, and configures settings for IIS and other components to apply the desired level of security.


Rather than cover the wizard step by step, this section explains the purpose of the wizard and its general function. You should have no trouble following through in the wizard once you understand this background information.

The Security Configuration Wizard is now installed by default. You no longer have to add it as you did with Windows Server 2003.

The first step in the wizard is to specify the policy action you want to take:

  • Create a New Security Policy. Create a new policy based on the server's roles.

  • Edit an Existing Security Policy. Modify a policy created previously on the server or another server.

  • Apply an Existing Security Policy. Apply a previously created policy to the server.

  • Rollback the Last Applied Security Policy. Roll the server back to its previous state prior to the last security policy application.

After you select the policy action and specify a server to use as the baseline for the policy set (you can choose the local server or a remote server), the Security Configuration Wizard steps you through several key areas:

  • Selecting server roles. In this phase of the wizard, you specify the roles that the target server will perform. As explained earlier in this section, the wizard does not add or remove server roles.

  • Selecting client roles. Each server performs several client roles, such as automatic update, DNS client, domain member, and others. Choose the client roles the server will fill.

  • Selecting administration and other options. Specify options the server will include, such as backup methods, specific services, optional applications, and specific tasks (see Figure 2-23). The wizard uses the selections you make to determine which ports should be opened and which services enabled. When you click Next, the wizard displays a list of any additional third-party services it found installed on the server to enable you to include or exclude those services from the security configuration.

    To view additional information about any item in the wizard, click the arrow button to the left of the item name (refer to Figure 2-23).

  • Determine handling of unspecified services. Choose how services not specified by the policy are handled. You can choose to have a service's startup modes set to Disabled or direct the wizard to ignore the services (not make a change to the startup mode).

  • Confirming service changes. The Confirm Service Changes page of the wizard (see Figure 2-24) simply displays the changes that will be made to individual services. If you need to modify the actions the wizard will take for a particular service, note the contents of the Used By column for that service. Then, click Back to reach the appropriate page where you can configure the role(s) identified in the Used By column. Make changes as needed, move forward through the wizard to reach the confirmation page, and verify that your change was applied.

    Figure 2.23. Select the options, services, and tasks required for the server.

    Figure 2.24. Confirm service changes before moving on and then adjust roles as needed.

  • Configuring network security settings. In this stage of the wizard, you specify which ports will be opened in the firewall and which ports will be blocked (see Figure 2-25). The wizard offers several view options to help you identify specific ports. You can also click Add to add additional open ports or allowed applications. The wizard displays a confirmation page to help you validate your choices before continuing.

    Figure 2.25. Specify ports to be opened on the server.

  • Configure registry settings. The wizard offers a handful of pages to obtain information about protocols used to communicate with other computers, authentication methods used, and minimum operating system requirements for other computers. The wizard uses the information gathered to modify selected registry settings to improve security and prevent specific exploits. It displays a confirmation page you can use to verify the target changes.

  • Configure system audit policy. This section of the wizard helps you specify an audit policy for the security policy set.

  • Configure Internet Information Services. If the Application Server role is selected, the wizard displays a set of pages to prompt for options for Web service extensions, virtual directories, and anonymous authentication for IIS. Use these pages to specify IIS configuration for the security policy.

At the completion of the wizard, you are prompted to specify a security policy filename under which the wizard will store the policy configuration (see Figure 2-26). The wizard stores the settings as an XML file. You can then use the file to apply the configuration to other servers.

Figure 2.26. Specify the name of an XML file in which to store the policy settings.

The Security Policy File Name page also provides two additional tasks you can perform. If you click View Security Policy, the wizard opens the SCW Viewer application (see Figure 2-27), which you use to view the settings specified in the policy.

You can also add security templates to the policy. These templates are located by default in %systemroot%\security\templates as a set of INF files. You can view and modify these security templates (as well as create additional templates) with the Security Templates MMC snap-in. To add a template to a security policy in the Security Configuration Wizard, click Include Security Templates on the Security Policy File Name page to open the Include Security Templates dialog box. Here you can add and remove templates from the policy as needed.

Figure 2.27. The SCW Viewer page shows you policy settings.
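Because a saved policy can disable services on every server it is applied to, it helps to record exactly which startup modes changed. The following script is an added example, not code from the book: it applies a saved policy XML file with the SCW command-line tool (scwcmd.exe) and reports each service whose startup mode changed. The policy path, report path, and function name are placeholders chosen for illustration.

```powershell
# Added example (not from the book). Run from an elevated PowerShell session
# on the server that will receive the policy.
param(
    # Placeholder: the XML file saved on the Security Policy File Name page.
    [string]$PolicyPath = 'C:\Policies\example-policy.xml',
    # Placeholder: where to write the list of changed services.
    [string]$ReportPath = "$env:TEMP\scw-service-changes.csv"
)

# Hypothetical helper: capture name, startup mode and state of every service.
function Get-ServiceStartupSnapshot {
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, StartMode, State
}

if (-not (Test-Path $PolicyPath)) { throw "Policy file not found: $PolicyPath" }

$before = Get-ServiceStartupSnapshot

# Apply the saved policy to the local server.
& scwcmd.exe configure "/p:$PolicyPath"
if ($LASTEXITCODE -ne 0) { throw "scwcmd configure failed (exit code $LASTEXITCODE)" }

$after = Get-ServiceStartupSnapshot

# Index the earlier snapshot by service name for lookup.
$previous = @{}
foreach ($svc in $before) { $previous[$svc.Name] = $svc.StartMode }

# Keep only services whose startup mode differs from the earlier snapshot.
$changes = $after |
    Where-Object { $previous.ContainsKey($_.Name) -and $previous[$_.Name] -ne $_.StartMode } |
    Select-Object Name, DisplayName,
        @{ Name = 'Before'; Expression = { $previous[$_.Name] } },
        @{ Name = 'After';  Expression = { $_.StartMode } },
        State

if ($changes) {
    $changes | Sort-Object After, Name | Format-Table -AutoSize
    $changes | Export-Csv -Path $ReportPath -NoTypeInformation
    # A service that is now Disabled but still Running stops only when it is
    # stopped or the server restarts, so flag those for follow-up.
    $changes | Where-Object { $_.After -eq 'Disabled' -and $_.State -eq 'Running' } |
        ForEach-Object { Write-Warning "$($_.Name) is disabled but still running" }
} else {
    Write-Output 'No service startup modes changed.'
}
```

If the report shows that a required service was disabled, `scwcmd rollback /m:<server name>` reverts the last applied policy, matching the wizard's Rollback the Last Applied Security Policy action.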
