The Security Configuration Wizard (SCW), part of Windows Server 2003 Service Pack 1 and Windows Server 2003 R2, is an easy way to automate the rollout of a consistent file server security policy. The SCW supports what is, in effect, an auditing mode. It begins by examining a machine and reporting the roles assigned to it. You can go a few steps further with the active configuration mode, which allows you to simply tell the wizard what roles should be assigned to the server. The SCW will configure the server itself, turning services and ports on and off as needed.
Begin by following these steps:
- Open the Control Panel.
- Double-click Add/Remove Programs.
- Select Add/Remove Windows Components.
- Select the Security Configuration Wizard checkbox, and click Next.
- Click Finish when prompted.
To apply the settings from the SCW:
- Open the Security Configuration Wizard.
- The Select Server screen appears, asking you to select the server you want to analyze. Click Next after selecting the appropriate machine.
- The system will trundle for a bit. Then, when the processing is finished, you will be notified. Click Next.
- The Select Server Roles screen appears. Check the File Server role if it's not already selected, and click Next to proceed.
Proceed through the remainder of the wizard on your own; the individual settings will vary depending on the structure of your environment.
Configure security settings manually
If you aren't running Windows Server 2003 Service Pack 1, then you won't have the option to use the Security Configuration Wizard. In this case, you won't go wrong with the following settings and options enabled to further secure your file server:
- Use NTFS. The only secure permissions model in Windows is the one based on NTFS volumes. You might as well assume FAT-formatted disks are wide open.
- Open only the required ports on your file server. You will want to open port 445 for basic file sharing for clients running Windows 2000 and later; and open ports 137-139 for clients running Windows 95, 98, Me or NT 4.0. If you just have a file server, you don't need any other service ports open -- having them enabled is simply inviting an attack.
- Enable Server Message Block (SMB) security signatures, and require them if possible. Enabling this option digitally signs all file and print traffic, which is useful for preventing man-in-the-middle attacks. If you only enable signatures, Windows Server 2003 will try to use signing in its communications but will fall back to unsigned communication when it is talking with an older client (all operating systems before Windows 2000). If your user base is running Windows 2000 or anything newer, you can require signing and leave Windows no choice but to talk securely. This option is controlled through a set of Registry values under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters.
- Enable auditing for object access and privilege use. This will allow you to keep track of exactly who is accessing what on your server, and what security permissions they are using when doing so. This creates a forensic trail that can be quite useful in certain scenarios. Enable Audit Policy through the Local Security Policy console, which is part of the Microsoft Management Console in the Administrative Tools section of the Start menu.
- Consider IPsec. IPsec locks down all communications between machines on a network. If you have ultra-sensitive data located on a file server, IPsec is something to look into, although it has significant overhead and configuration requirements.
Generate a security template
Again, if you don't have Service Pack 1, it's a good idea to manually create a security template so you can consistently apply the same security settings to multiple file servers that may reside within your organization. You can generate security templates and save them by putting the Security Templates add-in into any Microsoft Management Console window.
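A security template covering the SMB signing and audit settings from the manual list above, as an added example rather than a template from the author or from Microsoft. The value names EnableSecuritySignature and RequireSecuritySignature are the standard LanManServer signing values (the article names only the key), and the file name fileserver.inf is an assumption.

```ini
; fileserver.inf - example security template (file name is an assumption)
; Import it in the Security Templates snap-in or apply it with secedit.

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
; Object access events are only logged for files and folders that also
; carry an audit entry (SACL), so set those on the shared data.
AuditObjectAccess = 3
AuditPrivilegeUse = 3

[Registry Values]
; Format: <key path>\<value name>=<type>,<data>   (type 4 = REG_DWORD)
; Enable: the server signs SMB traffic when the client supports it.
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
; Require: the server refuses unsigned sessions. Leave at 0 while clients
; older than Windows 2000 still connect, as the article notes.
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
```

Apply it with `secedit /configure /db fileserver.sdb /cfg fileserver.inf` (the database name is an assumption), or run `secedit /analyze` with the same arguments first to see where a server differs from the template.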
The Security Configuration Wizard has an option that exports all settings configured in or by the wizard to an .inf file. You can then roll out the settings to any number of machines across your enterprise via the SCW or some other method. This is a very convenient, automated way to achieve a unified security policy across any server, not just a file server.
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.