Welcome to the second installment of Securing Your Windows Infrastructure. In the previous article, I talked about Domain and Server Isolation, a technique that can be used to isolate domain-joined systems from untrusted hosts and optionally to require encryption to and from systems containing more sensitive or confidential information. Today, I’ll be reviewing another low-effort, high-impact method that can dramatically increase the security of your Windows systems.
Microsoft’s Security Compliance Manager (SCM) is a free download that can help you secure many Microsoft products, including all recent versions of Windows Server. For each product, there are pre-configured settings that combine Microsoft’s best practices with industry-standard settings. These can be pushed out to systems using Group Policy or, as of SCM version 3, to standalone (non-domain-joined) systems.
In addition to having support for Microsoft’s most popular products, Microsoft SCM includes baseline security configurations for the various roles a server may need to perform. For instance, there are multiple policies for Microsoft Exchange Server 2010 SP2, including CAS, Edge, Hub, Mailbox and UM services. For Windows Server 2012 R2, one will find specific policies for Domain Controller and Member Server compliance, as well as recommended values for account lockout and password configuration settings.
Once a product and role have been selected, an administrator is able to learn more about each of the security settings included in the policy. Along with each is a severity rating, a detailed description of the setting, a description of the vulnerability being addressed, and the potential impact that changing the setting could have on your environment. Using this information, each setting can be configured according to the security requirements of the individual server or enterprise.
After a suitable policy has been created, the easiest way to deploy it is through your Group Policy infrastructure, although other export formats exist, including Excel (for documentation), SCCM and SCAP. Simply export the policy from SCM and import it into a new GPO. Use caution when deploying a new security policy, as the more restrictive settings may cause problems in your environment. A safe approach is to test a policy first in a QA environment, moving up to Dev and later to production. Another safe option is to apply the policy only as new servers are deployed, so as not to break any systems in production.
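The import step can also be scripted. The following is an added example, not part of the original article, using the GroupPolicy PowerShell module. It assumes the policy was exported from SCM in the GPO Backup (folder) format; the backup path, GPO name and OU distinguished name are hypothetical placeholders.

```powershell
#Requires -Modules GroupPolicy
# Added example. All paths and names below are hypothetical placeholders.
$BackupRoot = 'C:\SCM-Export\WS2012R2-MemberServer'   # folder chosen during the SCM export
$GpoName    = 'SCM - WS2012R2 Member Server (QA)'      # new GPO to create
$QaOu       = 'OU=Servers,OU=QA,DC=example,DC=com'     # test OU, not production
$ReportPath = Join-Path $env:TEMP 'scm-baseline-report.html'

# A GPO backup folder holds one subfolder per backup, named with the backup's GUID.
$backupDirs = @(Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
if ($backupDirs.Count -ne 1) {
    throw "Expected exactly one GPO backup under $BackupRoot, found $($backupDirs.Count)."
}
$backupId = [guid]$backupDirs[0].Name

# Refuse to overwrite an existing GPO of the same name.
if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
    throw "A GPO named '$GpoName' already exists; pick a new name or remove it first."
}

# Create the GPO and load the exported settings into it.
$gpo = Import-GPO -BackupId $backupId -Path $BackupRoot `
                  -TargetName $GpoName -CreateIfNeeded

# Write an HTML report so the imported settings can be reviewed before linking.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $ReportPath

# Link to the QA OU only; production OUs are linked later, after testing.
New-GPLink -Guid $gpo.Id -Target $QaOu -LinkEnabled Yes
```

Until `New-GPLink` runs, the imported GPO applies to nothing, so the report can be reviewed against the setting descriptions in SCM before any server receives the policy.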
For help avoiding common mistakes when using this tool in your environment, please contact our experienced team by using the form on the contact page of this website or by giving our office a call. Good luck, and stay secure.