Sunday, 1 February 2015

Security Configuration Manager in Windows 2008 R2


Security Configuration Manager is an attack surface reduction tool for Windows Server 2008 SP2.  It determines the minimum functionality required for a server’s role, and disables functionality that is not required.  SCW does the following:

 

·            Disables unneeded services

·            Blocks unused ports

·            Allows further address or security restrictions for ports that are left open

·            Prohibits unnecessary IIS web extensions, if applicable

·            Reduces protocol exposure to server message block (SMB), LanMan, and Lightweight Directory Access Protocol (LDAP)

 

NOTE: When using this procedure you must be aware that different options within ‘Security Configuration Manager’ will be required depending on the type of server you are building.  This procedure details the configuration for the OCS EDGE servers only.

 

·            To harden the server, run the Security Configuration Wizard (SCW), which lets you create a security policy and apply it.

 

·            Log on to the OCS EDGE server with the local admin account and launch Security Configuration Wizard via Administrative Tools.

 


·         Select Next (click OK on the Access denied prompt)

 


·         Select Create a new security policy and click Next.

 


·         Add the server name you are applying the Security policy to and click Next.

 


·         Click Next on the resulting screen.

 


·         Click Next again.

 


·         Ensure the following installed roles are selected and click Next.

 


·         Ensure the following installed features are selected and click Next.

 


·         Ensure the following installed options are selected and click Next.

 

 


·         Ensure the following additional services are selected and click Next

 


·         Take the default option for handling unspecified services and click Next.

 


·         Review the following services as per the screenshots.  (DNS client is now enabled so will not appear)

 

 

 

 


·         Select Skip this section and click Next.

 


·         On the Registry settings screen, click Next.

 


·         Deselect the option beginning "It has surplus processor capacity" and click Next.

 


·         Select the Local Accounts on the remote computers option in addition to Domain Accounts and click Next.


·         Take the default option on the next four screens and click Next four times.

 


·         Select Audit successful and unsuccessful activities and click Next.

 


·         Deselect the option to include the SCWAudit.inf security template and click Next.

 


·         Click Next to save the policy.

 


·         Create the policy name OCS_Edge_SCW and click Next.

 


·         Select Apply now and click Next.

 


·         Click Next once the policy has been applied

 


·         Click Finish.
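
Once the wizard finishes, it is worth confirming what the policy actually changed. The PowerShell below is an added example, not part of the original post: it records service start modes so a before/after comparison shows which services SCW disabled, then runs scwcmd analyze to check the server against the saved policy. The policy path (SCW's default Policies folder with an .xml extension), the C:\SCW-Audit folder and the function names are assumptions.

```powershell
# Added example. Paths and function names are assumptions, not from the original post.
$PolicyPath = Join-Path $env:windir 'security\msscw\Policies\OCS_Edge_SCW.xml'  # assumed save location
$OutDir     = 'C:\SCW-Audit'                                                     # hypothetical folder

function Save-ServiceSnapshot {
    param([string]$Path)
    # Get-WmiObject is available in PowerShell 2.0 on Windows Server 2008 R2
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, StartMode, State |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceSnapshot {
    param([string]$Before, [string]$After)
    $old = @{}
    Import-Csv $Before | ForEach-Object { $old[$_.Name] = $_ }
    foreach ($svc in Import-Csv $After) {
        $prev = $old[$svc.Name]
        if ($prev -and $prev.StartMode -ne $svc.StartMode) {
            # Emit one object per service whose start mode changed
            New-Object PSObject -Property @{
                Name = $svc.Name; Before = $prev.StartMode; After = $svc.StartMode
            }
        }
    }
}

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$before = Join-Path $OutDir 'services-before.csv'
$after  = Join-Path $OutDir 'services-after.csv'

if (-not (Test-Path $before)) {
    # First run, before the "Apply now" step: record the baseline only
    Save-ServiceSnapshot -Path $before
    Write-Output "Baseline saved to $before. Re-run after applying the policy."
}
else {
    # Second run, after the policy is applied: list every changed start mode
    Save-ServiceSnapshot -Path $after
    Compare-ServiceSnapshot -Before $before -After $after |
        Format-Table Name, Before, After -AutoSize

    # Ask SCW itself whether the server matches the saved policy;
    # the analysis result is written as XML into $OutDir
    & scwcmd.exe analyze "/m:$env:COMPUTERNAME" "/p:$PolicyPath" "/o:$OutDir"
}
```

Run it from an elevated PowerShell prompt once before the Apply now step and once after the policy has been applied.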

 
