Hardening Servers With Security Templates

Because Windows systems are flexible and provide numerous features by default, they are less secure than they can be. When we tighten the security on a system so that it rigorously meets our security strategy and comany security policy, the server is "hardened". Hardening allows only the specifically defined services to run, only the access needed to use just those services, and access only by those users with a business need. Microsoft provides a means to configure security policies and options for Windows systems via templates and the MMC.

So what's in a Security Template? A Security Template can control almost any security option or setting on a server. Security Templates can control user rights, permissions, password policies, software policies, and so forth. Microsoft has an excellent set of security templates that are examples to start with, or to use as-is. You can customize the templates, create new ones, and so forth once you are familiar with them. You will almost always want to start with a template that is similar to what you want to achieve rather than creating one from scratch, since there are lots (hundreds) of options and parameters. If you start with a new Template, the default is "Not configured" for the possible options, so you would have to modify each one manually--not very efficient.

For Windows Server 2003, Microsoft provided predefined security templates including Default security (Setup security.inf), Domain controller default security (DC security.inf), Secure (Secure.inf), Highly Secure (hisec*.inf, files include, as expected, more secure templates for workstations, servers, and domain controllers), and others. In Windows Server 2008 you will find only a few default templates, and all but a couple of them shouldn't be applied manually. Instead you would want to proceed by building custom templates using the MMC, analyzing system security, then making changes and applying them.

First you will want to categorize your servers, and determine what services are really provided by each one. This process also helps identify servers that are being used for unanticipated or unintended file sharing, "orphaned" applications, or unneeded duplication of services. You may want to make a multiple column list or spreadsheet, listing server names, services, and the appropriate security template to apply.

You'll use the MMC (Start -> Run -> MMC). The go to File -> Add/Remove Snap-in, click Add, and choose Security Templates. Click Add, Close, and OK. The policies present will be listed. To customize one, right-click on it, click Save As, choose a unique name, and click OK. Review the settings and options for various objects, make your changes, and save the template. When you're ready, you can apply the template using the Security Configuration and Analysis Snap-in for the MMC.

In Windows Server 2008 you can generate a snapshot of the current settings using the secedit tool, and roll back to those settings if the new changes cause problems. You should always test your changes before keeping and applying modified and updated templates to your production servers.

Be careful! If you don't understand what you're doing, or what may happen as a result--get help! Microsoft has an excellent series of articles on TechNet.