Contents
Server Role and Security Considerations
Using Security Configuration Wizard to Harden the Server
Using Server Manager to Add a New Role or Feature
Using Security Compliance Manager to Harden Servers
Planning Before Hardening Your Server with SCM
Staying Up to Date with SCM
Administrator's Punch List
Summary
Server Roles and Security Considerations
Using Server Manager to Add a New Role
For many years, security professionals have focused on hardening servers and workstations to reduce the attack surface. That is without doubt an important item for your checklist. Before hardening a server, however, you need to understand the role that server plays in your overall infrastructure. Ask yourself the following questions before you start any implementation:
What role will this server play on your network (e.g., file server or domain controller)?
Who (groups, users) will have access to this server?
Do you have a template for this type of server role?
What are the services that must be running on this server?
Which protocols and ports should be open on the firewall to support the server workloads?
Random hardening templates applied to servers without first defining the server's role cause more problems than they solve. The server might look very secure because many services were disabled and permissions and privileges were removed, but it might no longer be capable of providing the services that users need. When that happens, you have just broken one of the three security pillars: availability.
A lack of server role planning, or the wrong approach to hardening, can lead to other problems as well. You must verify that the hardening you apply to the server is supported by the vendor. You cannot simply take a set of scripts found on the Internet, apply them to the server, and assume that is the right way to do things: every vendor publishes a supportability statement, and vendors differ in how far they support their products being hardened.
Note
For a real example of hardening that broke a system because it was done in an unsupported manner, read this post: http://blogs.technet.com/b/yuridiogenes/archive/2008/09/11/hardening-isa-server-in-a-supported-manner.aspx.
In Windows Server 2012, the recommended way to harden a server is to use either the Security Configuration Wizard or Security Compliance Manager. The Security Configuration Wizard (SCW) enables you to create, edit, apply, or roll back a security policy on a particular server. You can then use Group Policy to apply that security policy to multiple target servers that perform the same role. Security Compliance Manager (SCM) is presented later in this chapter.
To apply a security policy to a server using SCW, read the scenario below and then follow the steps.
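The same create, analyze, apply, roll back and Group Policy lifecycle can be driven from the command line with scwcmd.exe, which ships with SCW. The script below is an added example, not code from the book: it assumes a policy file already saved by the wizard on the template server, a second file server named FS02 that must match that template, a reports folder, a GPO display name and an OU path, all chosen for illustration.

```powershell
# Added example, not from the book: the scwcmd.exe counterpart of the wizard steps.
# All paths, the target server, the GPO name and the OU path are assumptions.
$Policy  = 'C:\SCW\FileServer-Baseline.xml'   # policy saved by the wizard on the template server
$Target  = 'FS02'                              # another file server that must match the template
$Report  = 'C:\SCW\Reports'
$GpoName = 'SCW-FileServer-Baseline'
$Xsl     = "$env:windir\security\msscw\TransformFiles\scwanalysis.xsl"  # stylesheet that ships with SCW

New-Item -ItemType Directory -Path $Report -Force | Out-Null

# 1. Analyze first: compares FS02 with the policy and writes $Report\FS02.xml.
#    Nothing on FS02 is changed, so this is safe to run against a production server.
scwcmd analyze "/m:$Target" "/p:$Policy" "/o:$Report"
if ($LASTEXITCODE -ne 0) { throw "scwcmd analyze failed ($LASTEXITCODE)" }

# 2. Render the deviations as HTML and review them against the vendor's
#    supportability statement before changing anything.
scwcmd view "/x:$Report\$Target.xml" "/s:$Xsl"

# 3. Apply the policy only after the deviations are understood and accepted.
scwcmd configure "/m:$Target" "/p:$Policy"
if ($LASTEXITCODE -ne 0) { throw "scwcmd configure failed ($LASTEXITCODE)" }

# 4. If a workload breaks, undo the last applied policy (SCW keeps a rollback file):
#    scwcmd rollback "/m:$Target"

# 5. For many servers with the same role, convert the policy into a GPO and link it
#    to the OU that holds them instead of configuring each server individually.
scwcmd transform "/p:$Policy" "/g:$GpoName"
New-GPLink -Name $GpoName -Target 'OU=FileServers,DC=endtoedge,DC=com' | Out-Null
```

The GPO created by scwcmd transform is unlinked until you link it, which is deliberate: the policy disables services and firewall rules that the File Server role does not need, so link it only to an OU that contains servers performing that same role, and run the analyze step against one of them first.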
Scenario
Tom has just received a request to prepare a new file server for EndtoEdge.com International. He noticed that the company does not yet have a template for this type of role, so he decided to use this new server to create one. He gathered all the necessary information about who will access the server and which services must be available to those users, and he is ready to deploy the server. The core requirements are:
Clients must be able to access the files while working offline.
This server belongs to an OU (Organizational Unit) that has a policy to install applications remotely.
Administrators must be able to access this server remotely using RDP.
Administrators must be able to administer this server using remote administrative tools (including Windows Firewall administration and Event Viewer).
It is on the roadmap to install a new Network Interface Card (NIC) on this server to enable NLB, and administrators must be able to manage that remotely.
All successful activities must be audited.
Important
Before running the Security Configuration Wizard to configure the server's role, you need to install the role first using Server Manager. SCW does not install roles; it only performs the hardening on top of a role that is already installed.
Implementation steps: follow the steps below to create a new template and apply it to the File Server.
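The planning questions at the start of this section (which role, which services, which ports) and Tom's requirements above can be turned into checks that are run once before the policy is applied, to record the baseline, and again afterwards, to prove the hardening did not break a requirement. The script below is an added example, not part of the book. It uses cmdlets available on Windows Server 2012, must run in an elevated session on the file server, and relies on the default Windows firewall rule group names and registry path; the NLB requirement is not tested because that NIC is not installed yet.

```powershell
# Added example, not from the book. Run elevated on the file server before and
# after the SCW policy is applied, and compare the two results.

$checks = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Requirement, [bool]$Pass, [string]$Detail = '') {
    $checks.Add([pscustomobject]@{ Requirement = $Requirement; Pass = $Pass; Detail = $Detail })
}

# --- Planning questions: which role, which services, which ports are exposed? ---
$roles = Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }
Add-Check 'File Server role installed' ([bool](Get-WindowsFeature -Name FS-FileServer).Installed) ($roles.Name -join ', ')
$listening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
Add-Check 'Listening TCP ports recorded' $true ($listening -join ', ')

# --- Requirement: clients must be able to use the files offline ---
# Offline Files needs SMB (TCP 445) reachable and client-side caching allowed on the shares.
$smbOpen = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' }
Add-Check 'Inbound SMB (TCP 445) allowed' ([bool]$smbOpen)
Add-Check 'Server (LanmanServer) service running' ((Get-Service LanmanServer).Status -eq 'Running')
$cached = Get-SmbShare | Where-Object { -not $_.Special -and $_.CachingMode -ne 'None' }
Add-Check 'At least one share allows client-side caching' ([bool]$cached) ($cached.Name -join ', ')

# --- Requirement: the OU policy installs applications remotely ---
Add-Check 'Group Policy Client (gpsvc) running' ((Get-Service gpsvc).Status -eq 'Running')

# --- Requirement: administrators connect with RDP ---
$rdpEnabled = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 0
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
Add-Check 'RDP enabled and Remote Desktop firewall group open' ($rdpEnabled -and [bool]$rdpRules)

# --- Requirement: remote Windows Firewall and Event Viewer administration ---
foreach ($group in 'Windows Firewall Remote Management', 'Remote Event Log Management') {
    $open = Get-NetFirewallRule -DisplayGroup $group -Enabled True -ErrorAction SilentlyContinue
    Add-Check "Firewall group '$group' enabled" ([bool]$open)
}

# --- Requirement: all successful activities must be audited ---
# auditpol prints one subcategory per line; every setting must include 'Success'.
$settings = auditpol /get /category:* | ForEach-Object {
    if ($_ -match '^\s{2}(.+?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$') {
        [pscustomobject]@{ Subcategory = $Matches[1]; Setting = $Matches[2] }
    }
}
$notAudited = $settings | Where-Object { $_.Setting -notmatch 'Success' }
Add-Check 'Every audit subcategory records successes' (-not $notAudited) (($notAudited.Subcategory) -join ', ')

$checks | Format-Table Requirement, Pass, Detail -AutoSize -Wrap
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it once on the freshly installed server and keep the listening-port and role lines as the documented baseline for this template; any check that passes before the policy and fails after it is exactly the availability break described earlier in this section, and it tells you which SCW option to revisit.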
1. In the Server Manager, click Tools and then click Security Configuration Wizard as shown in Figure 2.1.
Figure 2.1 Launching Security Configuration Wizard.
2. The Security Configuration Wizard opens. Click Next on the Welcome to the Security Configuration Wizard page.
3. On the Configuration Action page, select the option Create a new security policy as shown in Figure 2.2 and click Next.
Figure 2.2 Creating a new security policy.
4. On the Select Server page, type the name of the server that will be used as the baseline for this security policy in the Server field, as shown in Figure 2.3 (by default the local server's name is selected), and click Next.
Figure 2.3 Selecting the server to be used as baseline for this security policy.
5. Depending on the configuration of the server, a progress gauge appears on the Processing Security Configuration Database page for a moment. Once processing finishes, the page lets you inspect the result through the View Configuration Database option. Click View Configuration Database to see more details. The SCW Viewer appears, and a Windows Security Warning dialog box asks whether you want to enable the ActiveX control; click Yes.
6. Expand the Server Roles node and scroll down until you see the File Server role. Expand it and read the description, as shown in Figure 2.4.
Figure 2.4 Explanation of the role, the services required, and the firewall rules.
The XML files used to build these pages are the SCW knowledge base, located at %Systemroot%\Security\Msscw\KBs. They define, per role, which services and firewall rules the role depends on, so they are also the place to check what the policy will disable.
7. This description gives you an idea of which services must be running and which firewall rules should be enabled for this role to work properly. After reviewing those details, close this window. On the Processing Security Configuration Database page, click Next.
8. On the Role-Based Service Configuration page, click Next.
9. On the Select Server Roles page, review the role selection that the wizard made automatically. You may select additional roles or clear roles that do not apply to this server. For this particular example, the selections shown in Figure 2.5 are the ones applicable to a File Server. Once you finish reviewing the selection and making any changes, click Next.
Figure 2.5 Selecting the roles performed by this server.
10. On the Select Client Features page, review the feature selection that the wizard made automatically. You may select additional features or clear features that do not apply to this server. For this particular example, the selections shown in Figure 2.6 are the ones applicable to a File Server. Once you finish reviewing the selection and making any changes, click Next.
Figure 2.6 Selecting the client features used by this server.
11. On the Select Administration and Other Options page, you can select additional options that this server might use. This is the time to review your checklist to understand the server's requirements and whether any of these options must be enabled for it to work properly. The table below shows the requirements for this particular scenario and which options should be enabled on this page:
12. On the Select Administration and Other Options page, click the View drop-down box and select the category (according to the table above). Once you have selected the correct category, make the selections given in the Options column of the table. Figure 2.7 shows the category Remote Administration and the selections according to the Options column. Once you finish...