S 2.491 Use of roles and security templates under Windows Server 2008

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

New features of Windows Server 2008

Regarding the use of roles and security templates, Windows Server 2008 includes some changes. Besides the change of the format of the administrative template files (see S 2.368 Handling of administrative templates under Windows Server 2003 and higher), further changes or supplements have been made, above all in the field of group policy objects and administration tools. In general, criteria on use of the templates for the corresponding systems must be defined.

Server Manager

The basic configuration of roles and functions is made using the central tool of the Server Manager. This is a significantly advanced tool as compared to the previous version. However, templates present as INF files or other templates (templates) cannot be processed via the Server Manager.

Security Configuration Wizard

Under Windows Server 2008 and higher, the Security Configuration Wizard (SCW) is an integral part of the system (see S 4.416 Use of Windows Server Core). However, the importance of this tool is decreasing due to introduction of the Server Manager, offering a central access to almost all configuration settings of the server. Moreover, the SCW does not offer or only limitedly offers possibilities for creation or administration of templates. In principle, XML files created with the SCW can be migrated to group policy objects; however, this process is complex. Correspondingly, SCW is more suitable for administration of stand-alone systems.

Starter Group Policy Objects (Starter GPOs)

Starter Group Policy Objects are a basis for further configuration templates. Under Windows Server 2008, they are an integral part of the group policy structure within the group policy administration. It must be taken into account that originally no starter objects are present in Windows Server 2008 R2 and Windows 7. These are only provided later by Microsoft.

Direct processing of a starter group policy object is not possible. To create a modifiable version of the template, the option New GPO from Starter GPO must be selected. This option copies the desired object within the Active Directory into the folder Group Policy Objects.

The new group policy object created from a Starter Group Policy Object includes all previously present policy settings for administrative templates as well as for the defined values.

All Starter Group Policy Objects present in a domain are stored on the Sysvol folder of the domain in the StarterGPOs directory.

Security Compliance Manager

The Microsoft Security Compliance Manager (SCM) is the central tool for administration of templates. It is a part of the freely available Security Solution Accelerators, provided by Microsoft.

The SCM consolidates the previously present tools such as the Security Compliance Management Toolkit and the GPOAccelerator. These tools will not be developed further and are not available any more.

Updated templates of the manufacturer Microsoft are provided via a web interface. Furthermore, templates of other manufacturers can be added.

The SCM is based on Starter GPOs. These are templates with standard settings for different use scenarios, distributed into two groups:

• Enterprise Client (EC)

These templates are intended for standard systems in the operational field of use and which are members of a domain. WS08R2 EC Member Server is the corresponding template for configuration of a member server.

• Specialized Security - Limited Functionality (SSLF)

These templates are intended for systems with higher security requirements with limitations of functions in order to increase security. WS08R2 SSLF Member Server is the corresponding template for server systems with higher security requirements.

Main tasks of the SCM:

• central storage of security settings in baselines,
• central administration of security settings for the domain,
• use of baselines of third-party manufacturers,
• possible exporting of baselines,

The following formats can be created and exported by the Security Compliance Manager:

• Desired Configuration Management (DCM) Packs
• Security Content Automation Protocol (SCAP)
• XLS (requires Excel 2007)
• Group Policy Objects (GPOs)

It must be taken into account that only copies of the templates should be processed. Furthermore, all security templates for the Windows Server 2008 must be administered and processed at a central location. The chosen security settings must be documented.

The previously missing baselines for Windows 7, Windows Server 2008 R2 or Microsoft Office 2010 were provided at the time of introduction of the SCM. Differentiation between the two templates EC and SSLF is still applicable for all systems and products.

Besides the installation of the Security Compliance Manager, the LocalGPO tool will also be provided. This is used for transformation of the local policies into a GPO backup. The backup can be used as basic configuration for other systems. Vice versa, the tool transforms GPO-backups into a local policy. If needed, the LocalGPO tool must be installed subsequently using a provided MSI package.

Review questions:

• Are all security templates for Windows Server 2008 administered and processed at a central location?
• Were criteria on use of the templates for the corresponding systems defined?
• Is there documentation of the chosen security settings of Windows Server 2008?