Group Policy Settings (Part 3)
If you would like to read the other parts in this article series please go to:
Group Policy is big! There are so many settings that you can’t decrypt every setting for every need in an efficient manner. With over 5000 settings in a single GPO, the task for understanding, testing, and knowing what each setting will do allows administrators to quickly develop solutions without having to spend hours in research and setup. The tools have been developed by Microsoft and have been proven to save time and effort for the development of GPOs for a variety of solutions in a corporate setting. This article will help guide you through the tools that Microsoft has provided to get you from zero to configured quickly.
Threats and countermeasures
The first resource that you have to help create your security baselines within Group Policy are the “Threats and Countermeasures” from Microsoft. These documents and details provide an in depth, robust, extensive view of nearly all security settings that are available within a Group Policy Object.
There are different guides that you can download for the different operating systems. This is key, as different operating systems have different vulnerabilities, settings, configurations, locations of settings, etc. Here is a guide to each OS and where you can get the appropriate guide:
Windows 8: Not released yet
Windows Server 2003: http://www.microsoft.com/en-us/download/details.aspx?id=24696
Windows server 2008: http://www.microsoft.com/en-us/download/details.aspx?id=22548
Windows Server 2008 R2: http://www.microsoft.com/en-us/download/details.aspx?id=26137
Windows Server 2012: Not released yet
There are also online resources which help you wade through these guides. There are special Microsoft sites just for the security settings that are contained within the guides. The information is similar, but can be accessed via the Internet without having to download and review the documents. For each operating system, here is where you can go to read the information about the security settings contained within the guides:
Windows 8: Not yet available
Windows Server 2003: http://technet.microsoft.com/en-us/library/dd162275.aspx
Windows Server 2008: http://technet.microsoft.com/en-us/library/dd349791(v=ws.10).aspx
Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/hh125921(WS.10).aspx
Windows Server 2012: Not yet available
Security Configuration Wizard (SCW)
SCW is a tool that Microsoft has been refining for years. The tool initially came out in the Windows Server 2003 era and has continued to be updated to meet the server operating system needs and changes. The tool is designed to only support Windows Server, as the tool aligns with the server roles that are now a key aspect to configuring Windows Server.
SCW is designed to work around the concept of Server Roles. These roles were developed by Microsoft to help administrators choose what function the server would serve, as well as configure the other key security and services required for the role to be completely configured.
SCW is based on a database, which is really nothing more than the definition of each role and function. You can see in Figure 1 that the database is broken down in different sections.
Figure 1: SCW security database.
Within the Roles area, you can clearly see there are the obvious roles that a Windows Server could be configured to control. Figure 2 illustrates some of these roles.
Figure 2: SCW Roles within security database.
After you start the SCW configuration portion of the wizard, it will take you through the different areas within the SCW controls that you want to configure. The following are the major areas that you will be required to configure in order to produce a SCW security policy.
- Role Based Service Configuration
- Network security
- Registry settings
- Audit policy
Within each of these sections there are many configurations that will allow you to control the firewall, services, functions, authentication protocols, anonymous, and much more. When the wizard finishes you end up with a security policy which can either be applied to another server using SCW or you can produce a Group Policy Object (GPO) which can be deployed to many servers using Active Directory.
Security Compliance Manager (SCM)
Security Compliance Manager (SCM) is a free security configuration tool from Microsoft. You can get the current version (2.5) or join the Beta version evaluation (3.0). You can get both versions from this link.
SCM is based on industry standard compliance regulations and security configurations. The tool is designed to help make security decisions based on client and server functions.
SCM provides pre-built baselines, which define hundreds of security settings for the operating systems by Microsoft. Figure 3 illustrates the baselines that come with SCM v2.5.
Figure 3: SCM baseline options.
SCM v3.0 includes Windows 8, Windows Server 2012 and more baselines.
The baselines that are provided can not be altered without first creating a copy of them. Once a copy is made, then the baseline can be altered to meet the requirements for your environment. SCM is extremely powerful and includes the ability to configure many aspects of the operating system.
SCM is designed to be a three-fold product solution. First, SCM is designed to help you document what each server/role security is to be set to. This is done via the configuration and storage of the baselines, both from Microsoft and custom baselines that you create. Second, SCM is designed to be a configuration enabling technology. SCM itself does not perform any configurations. Rather, SCM baselines can be converted into GPOs. Once the GPO is created it can be integrated into the Active Directory design and of course distributed in that manner. Third, SCM is an audit enabling technology. Again, SCM does not perform the audit, rather the baseline can generate a DCM pack. DCM is the desired configuration management for which these packs are used within SCCM (System Center Configuration Manager). The DCM pack is then compared against each computer which the GPO applied to… reporting on where there is drift from the original settings.
SCM also provides customization of settings that are stored in the Registry. The customization of the baselines, GPOs, and DCM packs allows for nearly any security setting to be included in the documentation, configuration, and auditing of Windows computers.
Group Policy and security of a Windows system can be a bit complex. Without a guide or tool, the configuration of these settings can be overwhelming. The goal of Group Policy is to provide a centralized technology to deploy settings to Windows computers. Every environment needs to use Group Policy! This is why Microsoft has developed solutions to help organizations more efficiently and completely use Group Policy to secure the computing environment. First, the threats and countermeasures guides can help in the understanding of what each security setting represents. Not only does each security setting have complexity, but if configured incorrectly a wrong configuration could cause communication or stability issues with the computer. Next, Microsoft provided SCW to help with the configuration of Windows Server security configurations. Microsoft introduced Roles and then incorporated Roles into SCW and the operating system itself. This tie between the two helps control firewall, security, Registry, auditing, and more settings. Finally, SCM is the best security configuration provided by Microsoft. This free tool allows an administrator to use industry standard security configurations, or custom security settings. No matter which technology you use to help with the deployment of security via Group Policy, please use something to help you secure your Windows environment!
If you would like to read the other parts in this article series please go to: