Can software tools automate the server hardening process?

Michael Cobb explores the Windows Server 2003 Hardening Guide and how you can tighten the security on your servers.

I have been going through the Windows Server 2003 Hardening Guide and trying to apply policies on our servers....

How can I make the process easier? Are there software tools that can automate the server hardening process?

Some security practitioners will say that if you haven't built a system yourself, then it's not yours. There is some truth in this idea; without an incredible amount of detective work, you're not going to know what changes from the defaults have been made and why. Similar views are commonplace, too, when it comes to Microsoft's automatic updates. Like you, though, I don't like to spend time on repetitive tasks or build something from scratch if it already exists. I still want to sleep soundly at night, though, knowing I've followed best practices.

With that in mind, you're certainly on the right track when it comes to tightening the security of your servers by following the Windows Server 2003 Hardening Guide. It has all the information needed to determine which settings are most appropriate for the servers in your organization. It does say right at the beginning, though, that to gain the most benefit from the guide, it should be read it in its entirety. I agree and I'd also suggest reading the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.

I can hear you thinking that this sounds like a lot of work when what you're looking for is an easier way to secure your servers. Well, bear with me.

Securing a Windows 2003 system requires knowing what each service does and what happens if particular ones are enabled or disabled. I think that if you take the time to get a thorough understanding of the steps involved in hardening servers, it will make the job easier. Why? Because you will recognize and appreciate how different settings affect the operation of the server and how they affect its overall security. You'll then feel confident to make decisions on what needs locking down to achieve an appropriate security level. You'll also have a better understanding of any warnings or alerts that an audit tool generates.

A tool that will help make the hardening process easier is the Security Configuration Wizard (SCW), which was introduced in Windows Server 2003 Service Pack 1. (You will need to go to Add/Remove Windows Components to install it as it isn't installed automatically.) SCW has a database consisting of every service, feature and administration option from every server product produced by Microsoft. It can be used to disable unnecessary services, block unused ports, configure audit settings and lock down access to critical system files. It also provides lockdown settings that are fully supported by Microsoft's major product teams.

After completing the lockdown, you can then use tools such as Microsoft's Security Baseline Analyzer to audit the servers to confirm they are configured as intended. This is also a good time to verify that audit settings are operating as planned. Once you are satisfied with how the server is configured, SCW can automate the setup of other servers that will be providing the same services.

The wizard can apply your settings to other servers listed in Active Directory. SCW uses an XML configuration file, but the settings can also be saved as a set of Group Policy template files inside a Group Policy Object. Beware, though: SCW disables any services and ports not specifically tied to a defined role. For example, if you haven't installed a printer on your baseline server, SCW will create a configuration file that disables the spooler service. If you then apply the configuration file to another server that does have a printer, you'll disable its spooler.

SCW is most useful when used with racks of identical servers. If, however, each of your servers has a unique role in the organization, then only limited automation will be possible. The main idea to remember is not to have an ad hoc approach to hardening. You must develop a build process, logging and justifying all edits to default settings, as a small change can still cause a big problem. Finally, remember that security is an ongoing process, so have a patch management policy and process in place to ensure servers stay secure.

More on this topic


This was last published in October 2008

Dig Deeper on Network device security: Appliances, firewalls and switches