Windows Server 2012 is quite secure out-of-the-box, balancing usability and compatibility against security. For organizations that need to implement tight security or comply with strict regulatory codes, security needs to be managed beyond the default settings.
In this first part of a three-part series, I’ll explain how to work with security baseline templates using the built-in Windows Server 2012 Security Configuration and Analysis snap-in and its command-line equivalent, SecEdit.
Microsoft provides security templates for Windows Server and client operating systems, containing security configuration designed for different scenarios and server roles. There are some security templates that are part of the operating system and get applied during different operations, such as when promoting a server to a domain controller.
In Windows Server 2003, the default security templates are located in %systemroot%securitytemplates, and include templates such as Setup Security.inf and Compatws.inf.
Setup Security.inf is created when the operating system is installed and differs from device to device, depending on whether there was a clean installation or upgrade of Windows. The Compatws.inf template changes access control lists, including the Users group entry on files and registry keys, to relax security so programs that don’t adhere to the recommendations in the Windows Logo Program for Software will run without administrative privileges.
Other templates included out-of-the-box are:
In Windows Server 2008 and later versions, security templates are located in %systemroot%inf and are more limited than in Windows Server 2003. Templates include:
Templates that can be used to apply high security settings to domain controllers or to servers running other roles and applications used to be distributed as .inf files. These files could be imported into Group Policy Objects (GPOs) to secure multiple devices. Moreover, security templates can also be imported into security databases and used to configure individual servers where there is no Active Directory. Additional templates are now provided with the Security Compliance Manager (SCM) tool, which we will cover in part two.
Windows Server provides a hidden tool that can be used to compare the configuration settings in a security database with actual settings on a local computer, or apply settings from a security database, and is useful for checking compliance on individual servers.
Before you can analyze or configure security, a security database must be created.
Add the Windows Server 2012 security configuration and analysis tool snap-in. (Image: Russell Smith)
Although we have selected Open Database, we are actually going to create a new database, as we don’t have anything to work with at the moment.
After a few seconds, the settings from the .inf file should be imported into the new security database.
Comparing database and actual security settings on Windows Server. (Image: Russell Smith)
Now that we have a new database open in the tool with settings imported from the .inf file, we can compare the settings in the database with those configured on the local computer.
Assuming you are logged on to a standalone server and you haven’t changed the settings from the defaults, the database and computer settings read be the same.
Now that we can see how the database settings and server configuration compare, it’s possible to configure the settings in the database.
Configuring analyzed security policy settings. (Image: Russell Smith)
You can repeat this procedure for any policy setting in the security database.
Let’s configure the server using the settings in the security database now that there is a difference between the database policy settings and the server’s actual configuration.
After configuration you should re-analyze the server using the instructions above to check the settings have been applied.
Once you have the settings in the security database configured as desired, you can export the settings as an .inf file to use on other systems or to deploy with Group Policy.
You can later import an .inf file to a security database using the procedure described above, but instead by selecting Import Template from the menu.
The tasks that we completed above with the Security Configuration and Analysis tool can also be performed from the command line, along with a couple of other functions that aren’t accessible from the GUI. Before running the tool, make sure that you have closed the Security Configuration and Analysis MMC.
To analyze a server, open a command prompt and run the following command, replacing c:security.sdb and c:security.log with appropriate paths. The results will be written to the log file.
secedit /analyze /db c:security.sdb /log c:security.log
The above command assumes that security.sdb is already configured with settings from an .inf file. If you want to import settings from an .inf file at the same time run the following command:
secedit /analyze /db c:security.sdb /cfg c:security.inf /log c:security.log
Two functions not available in the Security Configuration and Analysis tool are the ability to validate .inf files and generate what are essentially ‘undo’ templates that can reverse applied settings.
To validate an .inf file, run the following command, replacing c:security.inf with the path to the .inf file you would like to validate.
secedit /validate c:security.inf
Additionally, secedit can be used to generate rollback templates for reversing applied settings, which is useful in a test environment but should never be relied upon in production. To generate a rollback template, you must specify an existing template against which an analysis of the local server is performed to generate a rollback template.
secedit /generaterollback /cfg c:security.inf /rbk c:rollback.inf
You’ll be warned that file and registry security settings cannot be rolled back. Type Y at the prompt and press ENTER. The rollback template will then be generated in the specified directory.
For more information on syntax and parameters that can be used with the secedit tool, type secedit -? and press ENTER at the command line.
In part two of this series, I’ll show you how to use Microsoft’s free Security Compliance Manager tool to manage security templates.