Microsoft makes server-hardening easier

18.02.2005
Von Oliver Rist

Hawaii isn"t as much fun when you"re cursing. Standing on a balcony for six and a half hours waiting for a network testing tool to work so you can test the 1.2 mile laser link that"s been up and running the entire time tends to make you cranky. Especially when it"s Saturday and you should be on the North Shore striking out with the wahines.

So it was with some trepidation that I crawled back into the lab on Valentine"s Day to play with Microsoft Corp. beta software. That"s a bit like begging for frustration. But maybe my biorhythms are better, because so far, Microsoft"s Windows Server 2003 SP1 RC2 is working like a charm.

If you"ve got the same thing running somewhere, I heartily recommend doing a thorough hands-on groping of SCW (Security Configuration Wizard). Redmond has a number of other server-hardening tools, but this newest item has some real time-saving smarts.

SCW takes a page out of MOM"s ( Microsoft Operations Manager"s) template-style management pack paradigm and applies it to Windows 2003 server hardening. It simply assigns basic policies on a role-style system, so if the server"s role is that of an Active Directory bridgehead, SCW can automatically assign AD-required features such as FRS (File Replication Service) and disable services such as IIS.

What"s especially neat about SCW is that it can implement these policies, allow administrators to tailor them for their specific needs, and then export the entire smorgasbord via XML so it can be interpreted as an AD group policy. Now you not only have your server"s security policy integrated into your directory structure, but you can even publish that policy to all other servers in the same role on the network.

Running the graphical version of SCW is as simple as selecting to install the software (it"s an optional component of SP1) and then running through an initial configuration wizard. For those whose noses turn skyward at the thought of a graphical user interface, SCW also has a command line version, appropriately called scwcmd.exe. This puppy has much the same functionality as its graphical sibling, but you"ll need to familiarize yourself with a whole bunch of command switches to get anything done.

SCW is a great step forward in Microsoft"s continuing quest to harden its operating system without doing a major revision of its existing code. Tools such as SCW, which take some of the hair-pulling out of security configuration, are great, but there"s still a bit more required.

For one thing, there are simply too many different tools required to maintain security state on a Windows server. SCW is one, Security Configuration Editor is another, and there are reams of documents on using a variety of GPO (Group Policy Objects) settings to achieve security as well. If Microsoft could put together a management pack for MOM that incorporated full security settings for specific servers, then update them automatically over time, things might become less Advil dependent.

In the end, however, to cover its ambitious product release schedule, I"m expecting Microsoft to add a whole new product platform devoted entirely to server security maintenance. Although there are a number of third-party products devoted to this task, most are aimed at specific server roles. Having a single console capable of hardening any role would be a true boon for most administrators. SCW is a step in this direction, but needs more work to cover all the bases.