How to use Security Configuration Wizard in Windows Server 2008 to lock down a server with IIS

This article contains tips, tricks and steps for using the Security Configuration Wizard (SCW) included in Windows Server 2008. I was recently working on locking down Windows Server 2008 with IIS. By default, Windows Server 2008 is more locked down than any previous Microsoft server OS. (PS: So is IIS.) I wasn’t sure where to begin. I have used SCW in previous operating systems; I figured that would be a good place to start. I quickly discovered Microsoft has done an excellent job with SCW: it’s easy to use and creates XML files that can be edited for later use and/or turned into a GPO (Group Policy Object). Probably the most flexible thing I discovered is that you can run SCW, save your settings and not apply the policy. The GPO option really captured my attention! You may wonder why the GPO option is so awesome. You can set up your custom policy and then apply it to OUs containing targeted machines, such as internet-facing servers. This technique provides a consistent policy across all your machines. My post isn’t meant to cover group policy; for more information, check out this article.

To get started, I created a model machine which included all the necessary IIS modules. I executed the steps below, then used scwcmd (the command-line version of SCW) to ‘transform’ the XML file to a GPO. One thing to be aware of: the user account that executes scwcmd needs to have permissions to create GPOs, which are stored on an Active Directory (AD) domain controller. I HIGHLY recommend doing this in a controlled / test environment before implementing in production. Also, if you are not in control of your AD environment, get with your AD techs to have them grant permissions.
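The save-without-applying and transform workflow described above, as an added PowerShell example (not the author's own commands). The policy file name, GPO name and results folder are assumptions, and the policy is assumed to have been saved in SCW's default Policies folder.

```powershell
# Added example: check a saved SCW policy on the model machine, then publish it as a GPO.
# Assumed names (not from the article): IIS-Lockdown.xml, IIS-InternetFacing-Lockdown, C:\scw-analysis.
$PolicyFile = Join-Path $env:windir 'security\msscw\Policies\IIS-Lockdown.xml'
$GpoName    = 'IIS-InternetFacing-Lockdown'
$ResultDir  = "$env:SystemDrive\scw-analysis"

function Invoke-Scwcmd {
    param([string[]]$Arguments)
    Write-Host "scwcmd $($Arguments -join ' ')"
    & scwcmd.exe $Arguments
    # Stop the workflow as soon as any scwcmd step reports a failure.
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path $PolicyFile)) { throw "Policy file not found: $PolicyFile" }

# SCW policies are XML and can be hand-edited; this cast throws if an edit broke the file.
$null = [xml](Get-Content $PolicyFile)

if (-not (Test-Path $ResultDir)) { $null = New-Item -ItemType Directory -Path $ResultDir }

# 1. Compare the local machine against the policy. Nothing is changed on the server;
#    the differences are written as an XML report into $ResultDir.
Invoke-Scwcmd @('analyze', "/m:$env:COMPUTERNAME", "/p:$PolicyFile", "/o:$ResultDir")

# 2. Turn the policy into a GPO. Run this on a domain-joined machine with an account
#    that is allowed to create GPOs. The new GPO is not linked to any OU yet, so
#    no server receives the settings until you link it in Group Policy Management.
Invoke-Scwcmd @('transform', "/p:$PolicyFile", "/g:$GpoName")

Write-Host "GPO '$GpoName' created. Link it to a test OU first."

# If a policy was applied directly with SCW and locked you out of remote access,
# this reverts the most recently applied policy (run it from the console):
#   scwcmd rollback /m:$env:COMPUTERNAME
```

Microsoft's documentation for `scwcmd transform` notes that IIS security policy settings cannot be deployed through Group Policy, so review the linked GPO on a test server to confirm which parts of the policy actually arrive.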

A few tips: I recommend you perform this in an isolated environment using a virtual machine. You can use Virtual PC, VMware Server or Hyper-V. When I applied the policy, the Terminal Services service was disabled, preventing me from accessing the machine remotely. The first time I ran the process, I said, “What the heck, I’ll apply the policy.” Luckily the machine was a VMware VM. :) Other settings that were captured were firewall rules: things like the Server service (which was recently exploited and a patch was released) and blocking normal Microsoft ports (135, 137, 138, 139, 445). For internet-facing servers, I would think there aren’t too many reasons to have these ports open. If you do need the ports open, you can set your Windows Firewall rules to only allow certain machines, for example your NAS / SAN connections where the content files reside. In conclusion, Microsoft has provided a tool to help lock down Windows Server 2008. I hope you find this article useful. Here are more articles that discuss using SCW.

Here are the steps to run SCW.

Cheers,


Steve Schofield
Microsoft MVP – IIS