Introducing the Local Policy Tool
When you install the SCM tool, another utility called the Local Policy Tool (LPT) becomes available. This tool is designed to assist you with the following optional tasks:
Applying a security baseline to the local Group Policy of a computer.
Exporting the local Group Policy of a computer to a group policy backup file.
Updating the user interface of the Group Policy management tools.
You may want to apply the settings to the local Group Policy for stand-alone computers. You should update the user interface on the computers you will use to manage Group Policy so that you can view and manage the additional security settings discussed in this guide. The following sections discuss how to use the LPT to accomplish these tasks.
Modifying Local Group Policy
You can use the LPT to modify the local Group Policy of a computer by applying the security settings included in the GPOs described earlier. The LPT applies the security setting values recommended in this guide to modify the local policy. The tool does this by importing the settings from a GPO backup into the local Group Policy. Use the SCM tool to generate the GPO backup for the desired baseline.
To apply a GPO backup file to the local Group Policy
Log on as an administrator.
On the computer, click Start, click All Programs, and then click LocalGPO.
Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press ENTER.
At the command prompt, type cscript LocalGPO.wsf /Path:<path> and then press ENTER, where <path> is the path to the GPO backup.
Completing this procedure modifies the local security policy settings using the values included in the GPO backup. You can use GPEdit.msc to review the configuration of the local Group Policy on your computer.
To restore local Group Policy to the default settings
Log on as an administrator.
On the computer, click Start, click All Programs, and then click LocalGPO.
Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press ENTER.
At the command prompt, type cscript LocalGPO.wsf /Restore, and then press ENTER.
Completing this procedure restores all local policy settings to their default values.
Exporting Local Group Policy to a GPO Backup
You can use the LPT to export a computer's local Group Policy to a GPO backup file, which you can then apply to the local Group Policy of other computers or import into Active Directory.
To export local Group Policy to a GPO backup file
Log on as an administrator.
On the computer, click Start, click All Programs, and then click LocalGPO.
Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press ENTER.
At the command prompt, type cscript LocalGPO.wsf /Path:<path> /Export and then press ENTER, where <path> is the path to the GPO backup.
Completing this procedure exports all local security policy settings to a GPO backup.
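The export and apply procedures above combined into one elevated PowerShell script, so the local policy that exists before the baseline is applied is kept as a rollback backup. This is an added example, not part of the guide or of the SCM toolkit; it assumes LocalGPO.wsf is installed under the folder given by $LocalGpoDir and that the script returns a non-zero exit code on failure, neither of which the guide states.

```powershell
# Added example (not from the guide): exports the current local Group Policy
# with LocalGPO.wsf /Export, then applies an SCM-generated GPO backup with
# LocalGPO.wsf /Path:. Assumptions: LocalGPO.wsf lives in $LocalGpoDir and
# returns a non-zero exit code when it fails.
param(
    [Parameter(Mandatory = $true)]
    [string]$BaselineBackup,                                  # folder holding the GPO backup from SCM
    [string]$RollbackRoot = 'C:\GPOBackups',                  # where the pre-change export is written
    [string]$LocalGpoDir  = 'C:\Program Files (x86)\LocalGPO' # assumed install folder
)

$ErrorActionPreference = 'Stop'

# The guide runs the tool from a "Run as administrator" prompt; enforce that here.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) prompt.'
}

$wsf = Join-Path $LocalGpoDir 'LocalGPO.wsf'
if (-not (Test-Path $wsf))            { throw "LocalGPO.wsf not found at $wsf" }
if (-not (Test-Path $BaselineBackup)) { throw "GPO backup not found: $BaselineBackup" }

function Invoke-LocalGpo {
    param([string[]]$Arguments)
    # //nologo suppresses the cscript banner; the LPT switches are passed through unchanged.
    & cscript.exe //nologo $wsf @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "LocalGPO.wsf $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Export the current local Group Policy (the "Exporting Local Group Policy
#    to a GPO Backup" procedure) so the change can be rolled back later.
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$rollback = Join-Path $RollbackRoot "LocalGPO-before-$stamp"
New-Item -ItemType Directory -Path $rollback -Force | Out-Null
Invoke-LocalGpo -Arguments @("/Path:$rollback", '/Export')

# 2. Apply the baseline GPO backup (the "To apply a GPO backup file to the
#    local Group Policy" procedure).
Invoke-LocalGpo -Arguments @("/Path:$BaselineBackup")

Write-Host "Baseline applied. Pre-change export kept at $rollback."
Write-Host "To roll back: cscript LocalGPO.wsf /Path:$rollback (or /Restore for defaults)."
```

Review the result with GPEdit.msc as the guide suggests; the rollback folder is itself a GPO backup, so the apply procedure re-imports it unchanged.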
Updating the Security Configuration Editor User Interface
The solution presented in this guidance uses GPO settings that do not display in the standard user interface (UI) for the GPMC or the Security Configuration Editor (SCE) tool. These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance.
For this reason, you need to extend these tools so that you can view the security settings and edit them as required. To accomplish this, the LPT automatically updates your computer while it creates the GPOs. Use the following procedure to update the SCE on the computers where you plan to manage the GPOs created with the SCM tool.
To modify the SCE to display MSS settings
Ensure that you have met the following prerequisites:
The computer is joined to the domain using Active Directory where you created the GPOs.
The SCM tool is installed.
Log on as an administrator.
On the computer, click Start, click All Programs, and then click LocalGPO.
Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press ENTER.
At the command prompt, type cscript LocalGPO.wsf /ConfigSCE and then press ENTER.
Note This script only modifies SCE to display MSS settings. This script does not create GPOs or OUs.
The following procedure removes the additional MSS security settings, and then resets the SCE tool to the default settings.
To reset the SCE tool to the default settings
Log on as an administrator.
On the computer, click Start, click All Programs, and then click LocalGPO.
Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press ENTER.
At the command prompt, type cscript LocalGPO.wsf /ResetSCE and then press ENTER.
Note Completing this procedure reverts the SCE on your computer to the default settings. Any settings added to the default SCE will be removed. This will only affect the ability to view the settings with the SCE. Configured Group Policy settings remain in place.
More Information
The following resources provide additional information about Windows Server 2008 security-related topics on Microsoft.com:
Administering Group Policy.
Enterprise Management with the Group Policy.
Loopback Processing of Group Policy.
Migrating GPOs Across Domains with GPMC.
Step-by-Step Guide for Microsoft Advanced Group Policy Management 3.0.
Step-by-Step Guide to Using the Delegation of Control Wizard.
Summary of New or Expanded Group Policy.
Tasks and Tools on the Update Management Center for managing updates.
Windows Server 2008 TechCenter.
Windows Server Group Policy.
Windows Vista Security Guide.
Chapter 2: Reducing the Attack Surface by Server Role
The concept of server roles is not new, but the ability to centralize server role management is a new feature that is at the core of Windows Server® 2008. Aside from basic network connectivity, a default installation of Windows Server 2008 does not provide any services to the network. The operating system's secure-by-default design requires administrators to enable all desired functionality as a part of any server deployment.
This chapter provides an overview of built-in tools that can help you quickly configure, maintain, and enforce all of the required functionality for the servers in your environment.
The "Securing Server Roles" section reviews how you can use the Server Manager Microsoft Management Console (MMC) snap-in to help reduce the attack surface of your servers by only configuring the functionality that each specific server role requires.
This section also introduces the Server Core feature of Windows Server 2008, which can help you further reduce the attack surface of the server roles in your organization.
This section also discusses how you can use the Security Configuration Wizard (SCW) to help maintain and enforce the configuration that you implemented using Server Manager.
The "Using SCW and Group Policy to Improve Security" section provides guidance about how to create and apply Group Policy objects (GPOs) to harden servers that run Windows Server 2008.
Securing Server Roles
The Server Manager MMC in Windows Server 2008 eases the task of managing and securing multiple server roles in an organization. Server Manager provides a single source for managing a server's identity and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server. After you establish a secure server configuration, you can use the SCW to help ensure that the servers remain configured as intended.