Windows Server 2008 and 2008R2 include a valuable tool called the Security Configuration Wizard (SCW). This tool can be used to simplify the task of hardening the base operating system in preparation for deploying a Forefront Threat Management Gateway (TMG) 2010 firewall. The SCW will create a policy that configures services, audit policies, and some registry settings based on the roles and features installed. In this article I will demonstrate how to use the SCW to configure and install a security policy on a TMG firewall system, and how to deploy this security policy using Active Directory Group Policy.
Forefront TMG Roles for SCW
By default, the SCW does not include support for the TMG 2010 role or the TMG Enterprise Management Server (EMS) role. To support these roles, download and install TMGRolesForSCW.exe included in the TMG 2010 Tools and Software Development Kit (SDK), available here.
Installing TMG Roles for SCW
To install the TMG roles for SCW, run the executable TMGRolesForSCW.exe.
Accept the terms of the license agreement.
Choose a location to save the files.
Choose Finish to complete the installation of the Forefront TMG Roles for SCW.
After completing the installation, the next step is to register these new roles with the SCW. To register these roles, navigate to the folder you chose to save the files to earlier and copy one of the following files to %systemroot%\security\msscw\kbs:
For TMG on Windows Server 2008 SP2, copy scw_tmg_w2k8_sp2.xml
For TMG on Windows Server 2008 R2, copy scw_tmg_w2k8r2_sp0.xml
For TMG EMS on Windows Server 2008 SP2, copy scw_tmgems_w2k8_sp2.xml
For TMG EMS on Windows Server 2008 R2, copy scw_tmgems_w2k8r2_sp0.xml
Open an elevated command prompt and navigate to the %systemroot%\security\msscw\kbs folder, then type one of the following commands:
For TMG on Windows Server 2008 SP2:
scwcmd register /kbname:TMG /kbfile:scw_tmg_w2k8_sp2.xml
For TMG EMS on Windows Server 2008 SP2:
scwcmd register /kbname:TMG /kbfile:scw_tmgems_w2k8_sp2.xml
For TMG on Windows Server 2008 R2:
scwcmd register /kbname:TMG /kbfile:scw_tmg_w2k8r2_sp0.xml
For TMG EMS on Windows Server 2008 R2:
scwcmd register /kbname:TMG /kbfile:scw_tmgems_w2k8r2_sp0.xml
Creating a Security Policy using SCW
Open the SCW by selecting Start/Administrative Tools and clicking the Security Configuration Wizard icon.
Select the action you wish to perform. For our purposes here we’ll select the option to Create a new security policy. Once we’ve finished creating a policy we can later edit, apply, or roll back the policy if necessary.
The SCW can be used on a local or remote machine. We’re going to configure the policy for the local machine, for which the host name is pre-populated.
The SCW will begin processing the Security Configuration Database.
Once complete, click the View Configuration Database to confirm that the Forefront Threat Management Gateway server role is included in the database.
You may receive the following Windows Security Warning. Click Yes to view the configuration database.
Click the arrow to expand Server Roles and confirm that Microsoft Forefront Threat Management Gateway (TMG) appears in the list. Once complete, close this window to return to the SCW.
Roles, Features, Options, and Services
The SCW will now begin role-based service configuration.
The SCW will configure a security policy based on the roles and features installed on the system. Several installed roles are selected by default. Click the arrow next to any role for additional information about that role. Confirm any roles selected, and then select the Microsoft Forefront Threat Management Gateway (TMG) role. If your TMG firewall is also providing VPN services, be sure to select the Remote access/VPN server role.
Several installed features are selected by default. Review the selected choices and make adjustments as required. For example, you may choose to disable the Microsoft Networking Client or enable the WINS client, depending on your specific security requirements.
Several installed options are selected by default. Once again, review the selected choices and make adjustments as necessary. Review the list carefully as the defaults include features that are not frequently used (e.g. Microsoft Fibre Channel Platform Registration Service). Note that if you want to connect to your TMG firewall using Remote Desktop Services (RDP), be sure to select the Remote Desktop role (it is not selected by default).
Review the list of additional services and make adjustments as required. Services listed here that are checked will be enabled; all other services will be disabled.
Define how the SCW will handle any unspecified services which are running on the selected system and were not included in the security configuration database. Select the option that best meets your requirements. Choose carefully, as selecting the option to disable services could have unintended consequences.
Review the list of changes made to services on the system. If you selected the option to disable unspecified services, be sure to examine this list carefully. Pay close attention to any service that the policy will disable whose current startup mode is automatic. You can sort this list by Current Startup Mode by clicking on the column header.
In this section the SCW will configure network security settings.
The SCW will configure key registry settings that control protocols used to communicate with other computers. Proceed cautiously, as choosing incorrect settings can have unintended consequences. If you are unsure which options to select, you can safely skip this section.
By default, the SCW makes assumptions about client operating systems and utilization on the TMG system. Review these options and confirm that they meet your requirements.
Select the outbound authentication method that meets your requirements.
When using domain accounts (highly recommended) confirm that all other computers with which the TMG system will communicate with are running a minimum of Windows NT 4.0 SP6A. If your clients synchronize their system clocks with this TMG system, you can select that option here. This option is not enabled by default, as most systems synchronize system time with an Active Directory domain controller.
Review the registry settings changes.
In this section the SCW will configure audit policy. If your audit policy is already configured to meet your requirements, you can safely skip this section.
Select an auditing option that meets your requirements.
Review the audit policy changes. Note that the option to include the SCWaudit.inf security template is enabled by default. This security template will set System Access Control Lists (SACLS) to facilitate file system access auditing. Proceed cautiously, as once SCWaudit.inf is applied it cannot be removed utilizing the SCW rollback option.
Saving the Security Policy
Next, we will save the security policy.
Specify a location to save the policy file and include a description (optional but recommended). You may also view the security policy or include additional security templates.
If you are configuring a single system you can choose the option to apply the security policy immediately. If you have multiple TMG firewalls, a better choice is to deploy the security policy using Active Directory Group Policy. The next section demonstrates how that is accomplished.
Deploying with Group Policy
One of the many advantages to deploying TMG as a domain member is the ability to manage security configuration using Group Policy. The SCW, however, is designed to configure and deploy a security policy to only one machine at a time (local or remote). Using the SCW command line tool scwcmd.exe we can convert this security policy to a Group Policy Object (GPO), and then deploy the policy to multiple machines using Active Directory Group Policy. The syntax for this command is:
scwcmd transform /p: PathandPolciyFileName /g: GPODisplayName
PathAndPolicyName is the policy created earlier, and GPODisplayName is the name of the Group Policy Object (GPO) as it will appear in the Group Policy Management Console (GPMC).
Following our example, open an elevated command prompt and execute the following command:
scwcmd transform /p:tmg_default.xml /g:”TMG Default”
Once the command has completed successfully, open the GMPC (Start/Administrative Tools/Group Policy Management) and expand the Domains node. Expand the domain that the TMG firewall is a member of, and then expand Group Policy Objects. There you will see the new Group Policy object created using the scwcmd tool.
You can now apply this GPO to the Organizational Unit (OU) that includes your TMG firewalls. Ideally this will be a separate OU exclusively for your TMG systems to minimize any potential conflicts that might arise from the application of other GPOs. To apply the GPO, simply highlight and drag the GPO to the appropriate OU.
Proper operating system configuration, service hardening and attack surface reduction are essential to the security and performance of the TMG firewall. Using the Security Configuration Wizard simplifies and automates this task, allowing the administrator to define security policies and apply them in a consistent manner using the SCW or Group Policy.