Security Configuration Wizard (SCW) & IIS 6.0 - Part I & II Webcast

In the past 2 weeks, I delivered a 2-part series on the usefulness and downsides of SCW and the overall usage of the tool.  In Part I, I discussed in more detail how the tool works, from installation to the creation of policies as well as applying those policies.

In Part II, I focused my attention on the deployment of policies including many of the capabilities of SCWCMD.exe, the command-line functionality aspect of SCW.

SCW is a very useful tool that I think makes tremendous strides in helping our customers better lock down servers without endless hours of work.  In the past, administrators depended heavily on scattered and often rogue guidance on how to effectively reduce the attack surface of Windows.  In Service Pack 1, we shipped SCW and we did it right (biased opinion, of course).

As promised, the following were my demonstrations throughout the Part I & Part II webcasts:

PART I:

  1).  Install Security Configuration Wizard using Add\Remove Programs & Windows Components

  2).  Create an IIS Web Server SCW Policy and apply it using the User Interface for SCW

  3).  Test application (ASP.NET 1.1) and verify working

  4).  Edit the IIS Web Server Policy & tighten

  5).  Re-test the ASP.NET 1.1 application

Part II:

  1).  Install SCW automated with IIS 6.0 on a Windows Server 2003 Service Pack 1 system

   How:  sysocmgr.exe /i:sysoc.inf /u:[UnattendedFileName]

   Sample Unattend.txt used in Demonstrations (IIS 6.0 & SCW)

[SetupMgr]
    DistFolder=d:\

[Components]
    aspnet=on
    complusnetwork=on
    dtcnetwork=on
    bitsserverextensionsisapi=off
    iis_common=on
    iis_ftp=off
    fp_extensions=off
    iis_inetmgr=on
    iis_nntp=off
    iis_smtp=off
    iis_asp=off
    iis_internetdataconnector=off
    sakit_web=off
    tswebclient=off
    iis_serversideincludes=off
    iis_webdav=off
    iis_www=on
    appsrv_console=off
    inetprint=off
    SCW=On

[InternetServer]
    PathWWWRoot=c:\WebSites

   To start the install, after creating the Unattend file, do the following:

   sysocmgr.exe /i:sysoc.inf /u:Unattend.txt

  2).  Create an IIS Web Server Policy (IISPolicy.xml) using the SCW Wizard

  3).  Create a SQL Server Policy (SQLPolicy.xml) using the SCW Wizard

  4).  Review the SCWCMD verbs\switches available

4a).  Apply the IISPolicy (Locally) & SQLPolicy (Remotely) –

How:  scwcmd configure /p:[PolicyFileName] /m:[MachineName]

scwcmd configure /p:IISPolicy.xml  <-- Locally run

scwcmd configure /p:SQLPolicy.xml /m:demo-sp1-sql

4c).  Rollback policy using SCWCMD -

How: 

scwcmd rollback /m:[MachineName]

scwcmd rollback /m:demo-sp1  <-- demo web server

scwcmd rollback /m:demo-sp1-sql /u:scw.local\MyAdminUser

5).  Create an XML-based file to automate a one-to-many deployment of SCW policies using SCWCMD.exe

How: 

In this example, I used the template %windir%\security\msscw\kbs\SampleMachineList.xml

<?xml version="1.0" encoding="UTF-16"?>
<MachinePolicyMap>
    <Machine Name="demo-sp1" Policy="IISPolicy.xml"/>
    <Machine Name="demo-sp1-sql" Policy="SQLPolicy.xml"/> 
</MachinePolicyMap>

Then, to deploy this you use the following command:

scwcmd configure /i:Machines.xml

6).  Create\Review Organizational Units for Web & SQL Servers in Active Directory

6a).  Move IIS & SQL Member Servers to the appropriate OU

7).  Convert IIS Policy (IISPolicy.xml) to a Group Policy Object (GPO) called Web Server Policies

How: 

scwcmd transform /p:[PolicyFileName] /g:[GroupPolicyObjectName]

scwcmd transform /p:IISPolicy.xml /g:"Web Server Policies"

8).  Link GPO to Web Server OU

9).  On Web Server, run GpUpdate.exe

How:    At the console, type Gpupdate.exe (should display refreshing policy)
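
A pre-flight check for the machine list from step 5, as an added example that is not part of the original post: it parses a MachinePolicyMap file, rejects machine names with typographic dashes, duplicate machines and policies outside a reviewed set, and builds the matching scwcmd rollback commands. The sample XML is constructed, and the `known_policies` allow-list and the function names are assumptions of this example, not SCW features.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the SampleMachineList.xml layout; the second name
# carries an en dash (U+2013) of the kind blogs and word processors insert.
SAMPLE = """<?xml version="1.0" encoding="UTF-16"?>
<MachinePolicyMap>
    <Machine Name="demo-sp1" Policy="IISPolicy.xml"/>
    <Machine Name="demo-sp1\u2013sql" Policy="SQLPolicy.xml"/>
    <Machine Name="DEMO-SP1" Policy="SQLPolicy.xml"/>
    <Machine Name="demo-sp1-sql" Policy="DCPolicy.xml"/>
</MachinePolicyMap>"""

HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")

def check_machine_list(xml_data, known_policies):
    """Return (entries, problems) for a MachinePolicyMap document.

    xml_data: str, or bytes as read from the UTF-16 file on disk.
    known_policies: policy file names that have been reviewed (assumption:
    the caller maintains this set; SCW itself has no such allow-list).
    """
    root = ET.fromstring(xml_data)
    if root.tag != "MachinePolicyMap":
        return [], ["root element is %r, expected MachinePolicyMap" % root.tag]
    entries, problems, seen = [], [], set()
    for node in root.findall("Machine"):
        name, policy = node.get("Name", ""), node.get("Policy", "")
        if not HOSTNAME.fullmatch(name):
            problems.append("bad machine name %r" % name)
        elif name.lower() in seen:  # computer names are case-insensitive
            problems.append("duplicate machine %r" % name)
        elif policy not in known_policies:
            problems.append("%s: unreviewed policy %r" % (name, policy))
        else:
            seen.add(name.lower())
            entries.append((name, policy))
    return entries, problems

def rollback_plan(entries):
    """One scwcmd rollback command per machine that would be configured."""
    return ["scwcmd rollback /m:%s" % name for name, _ in entries]

if __name__ == "__main__":
    ok, bad = check_machine_list(SAMPLE, {"IISPolicy.xml", "SQLPolicy.xml"})
    print("\n".join(bad) or "machine list is clean")
    print("\n".join(rollback_plan(ok)))
```

Run it against the machine list before `scwcmd configure /i:Machines.xml`, and keep the generated rollback commands with the change record.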

Last, I promised during the presentation that I would post what was my original step-by-step of the above just in case folks need some assistance with doing this.  It is very straightforward, and might make assumptions because this is just the "first" thing I do to understand and map out my demonstrations for my presentations.

a).  Deploy Service Pack 1 & SCW using an unattended file

   1).  Start --> Run
   2).  CMD
   3).  CD Scripts
   4).  sysocmgr.exe /i:sysoc.inf /u:Unattend.txt


** Make sure to delete c:\websites folder

b).  Deploy Policy using SCWCMD.exe 

   1).  Start -->  Run
   2).  CMD
   3).  scwcmd configure /p:IISPolicy.xml
   4).  scwcmd configure /i:Machines.xml

c).  Analyze a completed Policy File using SCWCMD

   1).  Start -->  Run
   2).  CMD
   3).  scwcmd analyze /p:"c:\policies\DCPolicy.xml"

d).  Transform SCW Policy to GPO object and deploy to OU

   1).  Start -->  Run
   2).  CMD
   3).  scwcmd transform /p:"c:\policies\IISPolicy.xml" /g:"Web Server Policies"

e).  Verify that a server configuration hasn't changed

   1).  Open Group Policy Management Console on DC (where GPMC was installed)
   2).  Highlight the Group Policy Objects
   3).  Review the Group Policy Object for "Web Server Policies"
   4).  Highlight the Web Servers OU, and right-click and choose Link existing GPO
   5).  On Web Server, do GPUpdate

 

Thanks and enjoy!

~Chris
