Security Configuration Wizard

1
Security Configuration Wizard

• James Leinweber
• Hygiene Lab / UW-MIST

2
about SCW

• an attack surface reduction tool
• makes it easy to turn off unwanted services, add
  firewall rules, tweak registry security settings,
  edit INI files, improve ACLs, etc.
• saves templates to apply to multiple servers
• compare bastille on Linux
• optional for server 2003 sp1, bundled for 2008
• not secret, but surprisingly unknown
• Microsoft requires SCW extensions for all its
  enterprise services!

3
SCW isnt

• not an installation tool.
• install all roles and features first
• not related to group policy in AD
• sufficiently generic templates may be convertible
  to GPOs
• SCW templates are applied once, by hand,
  post-install and pre-deployment

4
Why do we care?

• hardening servers is an important part of a
  defense in depth strategy
• its really hard to do, and really error prone to
  do it by hand
• even if you did it well, its hard to audit
  afterwards, and hard to replicate on new servers
• we need a tool with analysis and guidance
• security configuration wizard is that tool!

5
whats happening
6
OK, so try it

• Most changes can be rolled back, so feel free to
  experiment on test servers
• except auditing SACLs
• a good idea to run on any server
• a Really Good Idea to run on exposed and high
  value servers (DMZ, PCI DB, )
• Lets try it