Hardening Servers with Security Templates
Why you need to harden servers
In depth security has become a requirement for every company. Your network boundaries, firewalls, VPNs, mobile computers, desktops, servers, domain controllers, etc., all need to be considered when you are designing for a secure environment. It is important to know what you get out of the box, as well as what options you have at your disposal to secure these environments. When you consider a new installation of a Windows server, 2000 or Server 2003, you might not be getting the security settings that you anticipate. Both of these operating systems' security will not be configured to meet your expectations or company security requirements.
There are many reasons for the security of these servers to be set for weaker security. First, with so many other operating systems that might need to communicate with them, they need to be set for the "lowest common denominator" of security to ensure compatibility. The security options that come with Windows Server 2003 are not available on your Windows NT 4.0 Workstations, for example. Second, the servers might be running applications or services that can't run with the heightened security. Your financial servers might be running a third-party accounting application that can't handle encrypted network communication, for example. Third, it is my opinion that many network administrators and companies have been trained to use servers in this state and any form of heightened security at initial installation could render the server useless. I have seen more than my fair share of network administrators become confused when some computers have elevated security settings established, which stops communications with older operating systems.
What a security template can establish
Security templates have been around for a long time, since about Windows NT 4.0 Service Pack 4. Security templates have become a popular method for security not only for servers, but also desktops. The primary reason for their success is because they provide a wide range of security settings and they are very easy to implement.
Within a single security template you can configure a broad scope of security settings on a multitude of servers. To see a security template first hand, it is best to use the Security Template snap-in. To get to this snap-in, type MMC from the Start|Run menu option. Once you have the MMC console open, you will need to add in the Security Template snap-in. Different operating systems have different menu names, but for the most part you will go to the File menu, where you can select the Add Snap-in option. There, you can add any number of snap-ins to the console. The security template can be seen in Figure 1.
Figure 1: Security Template snap-in in the MMC console
Each security template comes with a core set of security setting options. The following is a list of the security areas that can be established within a security template.
- Password Policies - These settings allow you to control the length, complexity, and other parameters regarding a user account password.
- Account Lockout Policies - These settings allow you to control the behavior of what happens when a user forgets their password and their account can be locked out.
- Kerberos Policies - These settings control the behavior of the Kerberos ticketing service.
- Audit Policies - These settings control how the different areas of auditing will be set up, including whether success and/or failure events will be tracked.
- User Rights - These settings control all of the different user rights and which users and/or groups are assigned the specific user rights. User Rights are server specific and control the actions of what a user can perform on that server.
- Security settings - These settings include a multitude of different areas, including network security, authentication, devices, etc.
- Event Log settings - These settings allow you to configure the various aspects of each event log, such as size of the log and when to start to overwrite events in the log.
- Group membership - You can customize which group you want to control using this security setting. You can control local groups and groups that are contained within Active Directory.
- Services - Using these settings you can control all of the different services on a server to set the startup mode and security of the service.
- Registry permissions - Using these settings you can control the Access Control List (ACL) of Registry Keys.
- File and folder permissions - Using these settings you can control the ACLs of files and folders on the target server.
These are just the security settings that you can set in a standard default security template. Like almost everything else in a computer environment, you can also customize the settings. (Refer to article "Customizing Windows Security Templates" for details on how to accomplish this.) Customization can be made in the security template to modify Registry values.
Options for deploying security templates
Now that you have your security templates configured for your servers, they must be deployed to each server. There are three options that you can use to deploy a security template to a server. The first option is the manual method and is not very efficient. The second option is semi-automated, but still requires some hand holding of the security template to get it deployed. The third, and final, option is the desired method, as it allows for the automated deployment of the security templates.
For your first option, you can use the Security Configuration and Analysis snap-in within the MMC on the target server. This snap-in is loaded into the MMC identical to the Security Templates snap-in that we discussed earlier. Once the snap-in is loaded, you have the menu option to "Open Database", which is really adding the security template to the tool for analysis and deployment. Once you add in the security template to the tool, the option to "Configure Computer Now" becomes enabled. This will take the settings from the security template and set them on the server.
For your second option, you can create a script (or run a command from a command prompt window) that takes advantage of the Secedit.exe tool. This tool gives you a bit of flexibility in configuring and analyzing a computer with regard to the security templates. The command has many switches, but you will use the /configure switch that has the following parameters:
secedit /configure /db FileName [/cfg FileName ] [/overwrite][ /areas area1 area2...] [/log FileName] [/quiet]
The only required parameters are the /configure and /db settings. Everything else further specifies details of the security template if you need to be granular with the deployment of the security settings.
Your final option for deploying the security template is to use your existing Active Directory structure and rely on Group Policy. Group Policy has a default mechanism to import and deploy security templates. For example, you might have all of your Web servers in an organizational unit (OU) named WebServers. If you create and link a Group Policy Object (GPO) to WebServers OU, you can import the security template to the GPO. The tool to do the management of the GPO is the Group Policy Management Console (GPMC). To import the security template into the GPO, you will edit the GPO from within the GPMC initially. After you have the Group Policy Editor running, you will open the GPO to expose the Security Settings node, as shown in Figure 2.
Figure 2: Security Settings node in Group Policy Editor
By right-clicking on this node, you will have an option to "Import Policy". This menu option will give you a chance to import your security template into the GPO. Once the security template is in the GPO, it will automatically deploy to all servers that it is targeting (based on those in the OU) using default Group Policy processing. For servers, this processing occurs automatically every 90 minutes.
There are no default installed Windows servers that will meet your security needs completely. Therefore, you need to consider the most economical and efficient methods for configuring these servers. Since security is not a narrow set of configurations, you need to use some mechanism that can handle a wide variety of settings. The security templates provide a broad, yet deep, capability of configuring security settings for your servers. With the variety of security configurations that come standard with the security templates, coupled with the ability to customize them, you can get the majority of the security settings accomplished using only this one solution. Finally, by using any one of three methods to deploy your security templates, GPOs being the most efficient, you can have your servers functioning in a secure manner quickly.