Windows Server Baseline Security

Part One. Today and in my next posts, we want to take a closer look at the security settings of windows server. One good way to start is the “Security Configuration Wizard” later called as SCW. The wizard was patched in the operating system with SP1. In the release 2 of windows server 2003 you don’t need to patch – it’s from start up SP2.


To enable the feature just open the windows components dialog (“Add or Remove Programs” -> “Add/Remove Windows Components”) and mark the check box. Now you need to insert the windows disk. In the “Administrative imageTools” you will find a new program “Security Configuration Wizard”. Or just run “scw.exe” from the run. On the start up screen of the SCW is the first important notice. The message indicates that the wizard will detect inbound ports that are being used by this server. This requires that all applications that use inbound ports are running before you run the wizard and create the security policy. In my lab the server will work as file and print server. To make it a little harder, the lab Server runs also TeamSpeak witch is not an Microsoft Application . The teamspeak server imagewill listen on UDP Port¬† 8767. After Clicking next, the wizard asks to create a new policy. The next part is interesting – you are able to chose the Local or Remote server. My preferred option is to insta ll the SCW on each server and make local scans. Now we are able to check the version of the “Security DB”. If you need a special service on many servers, witch is not listed, edit the XML files in “%SystemRoot%\Security\msscw\policies%”. More info about the XML file are located on google. After Skipping the window we are able to choose the server roles. In the next dialog, we are able to choose the client features like DHCP client, wins client …. and may more. Now, microsoft wants us to choose the options to installed on the server. The SCW now detects non windows services. In my lab, it finds the VM Tool’s :-). Now we must approve the disabling of unused services. Please check the list very carefully. Now, the big magic continues with the approval of TCP/ IP ports. Please check the list very carefully. Now, one of the biggest image “lion’s den”. In the registry the SCW will change settings for “SMB Security Signatures”, “LDAP Signing”, “Outbound Authentication Protocols” and “Inbound Authentication Protocols”. with this settings enabled the server are harden to the most man-in-the-middle attacks an password cracking will be not so easy. The audit policy is a mixed blessing. Its very imported to find security issues in the logs. But study the logs will take much much time. So just enable the normal logging. Enter a description and save the Policy File. Then you are able to apply¬† the policy now or later. Applying the policy will force a restart of the server !!

After applying the policy, the TeamSpeak server stop’s working like excepted. But after editing the policy again to insert the port 8767, all services work fine.

My conclusion of the Microsoft Security Configuration Wizard is: The tool is very easy to use and brings many good changes in short time. The use of SCW should be carefully tested. But I strongly advise the use on all windows servers.

About the author

konrad.dambeck

Add comment

By konrad.dambeck

Recent Posts